- # Metrics settings
-
- metric {
- name = "default";
- # If this param is set to non-zero
- # then a metric would accept all symbols
- # unknown_weight = 1.0
-
- actions {
- reject = 15;
- add_header = 6;
- greylist = 4;
- };
-
- group {
- name = "header";
- symbol {
- weight = 2.0;
- description = "Subject is missing inside message";
- name = "MISSING_SUBJECT";
- }
- symbol {
- weight = 2.100000;
- description = "Message pretends to be send from Outlook but has 'strange' tags ";
- name = "FORGED_OUTLOOK_TAGS";
- }
- symbol {
- weight = 0.30;
- description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
- name = "FORGED_SENDER";
- }
- symbol {
- weight = 1.500000;
- description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
- name = "SUSPICIOUS_RECIPS";
- }
- symbol {
- weight = 6.0;
- description = "Fake reply (has RE in subject, but has not References header)";
- name = "FAKE_REPLY_C";
- }
- symbol {
- weight = 1.0;
- description = "Messages that have only HTML part";
- name = "MIME_HTML_ONLY";
- }
- symbol {
- weight = 2.0;
- description = "Forged yahoo msgid";
- name = "FORGED_MSGID_YAHOO";
- }
- symbol {
- weight = 2.0;
- description = "Forged The Bat! MUA headers";
- name = "FORGED_MUA_THEBAT_BOUN";
- }
- symbol {
- weight = 5.0;
- description = "Charset is missing in a message";
- name = "R_MISSING_CHARSET";
- }
- symbol {
- weight = 2.0;
- description = "Two received headers with ip addresses";
- name = "RCVD_DOUBLE_IP_SPAM";
- }
- symbol {
- weight = 5.0;
- description = "Forged outlook HTML signature";
- name = "FORGED_OUTLOOK_HTML";
- }
- symbol {
- weight = 5.0;
- description = "Recipients are absent or undisclosed";
- name = "R_UNDISC_RCPT";
- }
- symbol {
- weight = 2.0;
- description = "Fake helo for verizon provider";
- name = "FM_FAKE_HELO_VERIZON";
- }
- symbol {
- weight = 2.0;
- description = "Quoted reply-to from yahoo (seems to be forged)";
- name = "REPTO_QUOTE_YAHOO";
- }
- symbol {
- weight = 5.0;
- description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
- name = "MISSING_MIMEOLE";
- }
- symbol {
- weight = 2.0;
- description = "To header is missing";
- name = "MISSING_TO";
- }
- symbol {
- weight = 1.500000;
- description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "FROM_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "FROM_EXCESS_QP";
- }
- symbol {
- weight = 1.500000;
- description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "TO_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "TO_EXCESS_QP";
- }
- symbol {
- weight = 1.500000;
- description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "REPLYTO_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "REPLYTO_EXCESS_QP";
- }
- symbol {
- weight = 1.500000;
- description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- name = "CC_EXCESS_BASE64";
- }
- symbol {
- weight = 1.200000;
- description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- name = "CC_EXCESS_QP";
- }
- symbol {
- weight = 5.0;
- description = "Mixed characters in a message";
- name = "R_MIXED_CHARSET";
- }
- symbol {
- weight = 3.500000;
- description = "Recipients list seems to be sorted";
- name = "SORTED_RECIPS";
- }
- symbol {
- weight = 3.0;
- description = "Spambots signatures in received headers";
- name = "R_RCVD_SPAMBOTS";
- }
- symbol {
- weight = 2.0;
- description = "To header seems to be autogenerated";
- name = "R_TO_SEEMS_AUTO";
- }
- symbol {
- weight = 1.0;
- description = "Subject needs encoding";
- name = "SUBJECT_NEEDS_ENCODING";
- }
- symbol {
- weight = 3.840000;
- description = "Spam string at the end of message to make statistics faults 0";
- name = "TRACKER_ID";
- }
- symbol {
- weight = 1.0;
- description = "No space in from header";
- name = "R_NO_SPACE_IN_FROM";
- }
- symbol {
- weight = 8.0;
- description = "Subject seems to be spam";
- name = "R_SAJDING";
- }
- symbol {
- weight = 3.0;
- description = "Detects bad content-transfer-encoding for text parts";
- name = "R_BAD_CTE_7BIT";
- }
- symbol {
- weight = 10.0;
- description = "Flash redirect on imageshack.us";
- name = "R_FLASH_REDIR_IMGSHACK";
- }
- symbol {
- weight = 5.0;
- description = "Message id is incorrect";
- name = "INVALID_MSGID";
- }
- symbol {
- weight = 3.0;
- description = "Message id is missing ";
- name = "MISSING_MID";
- }
- symbol {
- weight = 1.0;
- description = "Recipients are not the same as RCPT TO: mail command";
- name = "FORGED_RECIPIENTS";
- }
- symbol {
- weight = 0.0;
- description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
- name = "FORGED_RECIPIENTS_MAILLIST";
- }
- symbol {
- weight = 0.0;
- description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
- name = "FORGED_SENDER_MAILLIST";
- }
- symbol {
- weight = 2.0;
- description = "Forged Exchange messages ";
- name = "RATWARE_MS_HASH";
- }
- symbol {
- weight = 1.0;
- description = "Reply-type in content-type";
- name = "STOX_REPLY_TYPE";
- }
- symbol {
- weight = 1.0;
- description = "One received header in a message ";
- name = "ONCE_RECEIVED";
- }
- symbol {
- weight = 4.0;
- description = "One received header with 'bad' patterns inside";
- name = "ONCE_RECEIVED_STRICT";
- }
- symbol {
- weight = 2.0;
- description = "Only Content-Type header without other MIME headers";
- name = "MIME_HEADER_CTYPE_ONLY";
- }
- symbol {
- weight = -1.0;
- description = "Message seems to be from maillist";
- name = "MAILLIST";
- }
- symbol {
- weight = 1.0;
- description = "Header From begins with tab";
- name = "HEADER_FROM_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header To begins with tab";
- name = "HEADER_TO_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header Cc begins with tab";
- name = "HEADER_CC_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header Reply-To begins with tab";
- name = "HEADER_REPLYTO_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header Date begins with tab";
- name = "HEADER_DATE_DELIMITER_TAB";
- }
- symbol {
- weight = 1.0;
- description = "Header From has no delimiter between header name and header value";
- name = "HEADER_FROM_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header To has no delimiter between header name and header value";
- name = "HEADER_TO_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header Cc has no delimiter between header name and header value";
- name = "HEADER_CC_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header Reply-To has no delimiter between header name and header value";
- name = "HEADER_REPLYTO_EMPTY_DELIMITER";
- }
- symbol {
- weight = 1.0;
- description = "Header Date has no delimiter between header name and header value";
- name = "HEADER_DATE_EMPTY_DELIMITER";
- }
- symbol {
- weight = 4.0;
- description = "Header Received has raw illegal character";
- name = "RCVD_ILLEGAL_CHARS";
- }
- symbol {
- weight = 4.0;
- description = "Fake helo mail.ru in header Received from non mail.ru sender address";
- name = "FAKE_RECEIVED_mail_ru";
- }
- symbol {
- weight = 4.0;
- description = "Fake smtp.yandex.ru Received";
- name = "FAKE_RECEIVED_smtp_yandex_ru";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED2";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED3";
- }
- symbol {
- weight = 3.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED4";
- }
- symbol {
- weight = 4.600000;
- description = "Forged generic Received";
- name = "FORGED_GENERIC_RECEIVED5";
- }
- symbol {
- weight = 3.0;
- description = "Invalid Postfix Received";
- name = "INVALID_POSTFIX_RECEIVED";
- }
- symbol {
- weight = 5.0;
- description = "Invalid Exim Received";
- name = "INVALID_EXIM_RECEIVED";
- }
- symbol {
- weight = 3.0;
- description = "Invalid Exim Received";
- name = "INVALID_EXIM_RECEIVED2";
- }
- }
-
- group {
- name = "mua";
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from The Bat! but has forged Message-ID";
- name = "FORGED_MUA_THEBAT_MSGID";
- }
- symbol {
- weight = 3.0;
- description = "Message pretends to be send from The Bat! but has forged Message-ID";
- name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN";
- }
- symbol {
- weight = 3.0;
- description = "Message pretends to be send from KMail but has forged Message-ID";
- name = "FORGED_MUA_KMAIL_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Message pretends to be send from KMail but has forged Message-ID";
- name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN";
- }
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from Opera Mail but has forged Message-ID";
- name = "FORGED_MUA_OPERA_MSGID";
- }
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
- name = "SUSPICIOUS_OPERA_10W_MSGID";
- }
- symbol {
- weight = 4.0;
- description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
- name = "FORGED_MUA_MOZILLA_MAIL_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
- name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN";
- }
- symbol {
- weight = 4.0;
- description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
- name = "FORGED_MUA_THUNDERBIRD_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
- name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN";
- }
- symbol {
- weight = 4.0;
- description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
- name = "FORGED_MUA_SEAMONKEY_MSGID";
- }
- symbol {
- weight = 2.500000;
- description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
- name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN";
- }
- symbol {
- weight = 3.0;
- description = "Forged outlook MUA";
- name = "FORGED_MUA_OUTLOOK";
- }
- }
- symbol {
- weight = 0.0;
- description = "Avoid false positives for FORGED_MUA_* in maillist";
- name = "FORGED_MUA_MAILLIST";
- }
-
- group {
- name = "body";
- symbol {
- weight = 9.0;
- description = "White color on white background in HTML messages";
- name = "R_WHITE_ON_WHITE";
- }
- symbol {
- weight = 3.0;
- description = "Short html part with a link to an image";
- name = "HTML_SHORT_LINK_IMG_1";
- }
- symbol {
- weight = 1.0;
- description = "Short html part with a link to an image";
- name = "HTML_SHORT_LINK_IMG_2";
- }
- symbol {
- weight = 0.5;
- description = "Short html part with a link to an image";
- name = "HTML_SHORT_LINK_IMG_3";
- }
- symbol {
- weight = 5.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY";
- }
- symbol {
- weight = 4.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY2";
- }
- symbol {
- weight = 3.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY3";
- }
- symbol {
- weight = 4.0;
- description = "Suspicious boundary in header Content-Type";
- name = "SUSPICIOUS_BOUNDARY4";
- }
- symbol {
- weight = 3.0;
- description = "Text and HTML parts differ";
- name = "R_PARTS_DIFFER";
- }
-
- symbol {
- weight = 2.0;
- description = "Message contains empty parts and image";
- name = "R_EMPTY_IMAGE";
- }
- symbol {
- weight = 2.0;
- description = "Drugs patterns inside message";
- name = "DRUGS_MANYKINDS";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_ANXIETY";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_MUSCLE";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_ANXIETY_EREC";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_DIET";
- }
- symbol {
- weight = 2.0;
- description = "";
- name = "DRUGS_ERECTILE";
- }
- symbol {
- weight = 3.300000;
- description = "2 'advance fee' patterns in a message";
- name = "ADVANCE_FEE_2";
- }
- symbol {
- weight = 2.120000;
- description = "3 'advance fee' patterns in a message";
- name = "ADVANCE_FEE_3";
- }
- symbol {
- weight = 8.0;
- description = "Lotto signatures";
- name = "R_LOTTO";
- }
- }
-
- group {
- name = "rbl";
- symbol {
- name = "DNSWL_BLOCKED";
- weight = 0.0;
- description = "Resolver blocked due to excessive queries";
- }
- symbol {
- name = "RCVD_IN_DNSWL";
- weight = 0.0;
- description = "Unrecognised result from dnswl.org";
- }
- symbol {
- name = "RCVD_IN_DNSWL_NONE";
- weight = 0.0;
- description = "Sender listed at http://www.dnswl.org, low none";
- }
- symbol {
- name = "RCVD_IN_DNSWL_LOW";
- weight = 0.0;
- description = "Sender listed at http://www.dnswl.org, low trust";
- }
- symbol {
- name = "RCVD_IN_DNSWL_MED";
- weight = 0.0;
- description = "Sender listed at http://www.dnswl.org, medium trust";
- }
- symbol {
- name = "RCVD_IN_DNSWL_HI";
- weight = 0.0;
- description = "Sender listed at http://www.dnswl.org, high trust";
- }
-
- symbol {
- name = "RBL_SPAMHAUS";
- weight = 0.0;
- description = "Unrecognised result from Spamhaus zen";
- }
- symbol {
- name = "RBL_SPAMHAUS_SBL";
- weight = 2.0;
- description = "From address is listed in zen sbl";
- }
- symbol {
- name = "RBL_SPAMHAUS_CSS";
- weight = 2.0;
- description = "From address is listed in zen css";
- }
- symbol {
- name = "RBL_SPAMHAUS_XBL";
- weight = 4.0;
- description = "From address is listed in zen xbl";
- }
- symbol {
- name = "RBL_SPAMHAUS_PBL";
- weight = 2.0;
- description = "From address is listed in zen pbl";
- }
- symbol {
- name = "RECEIVED_SPAMHAUS_XBL";
- weight = 3.0;
- description = "Received address is listed in zen pbl";
- one_shot = true;
- }
-
- symbol {
- name = "RWL_SPAMHAUS_WL";
- weight = 0.0;
- description = "Unrecognised result from Spamhaus whitelist";
- }
- symbol {
- name = "RWL_SPAMHAUS_WL_IND";
- weight = 0.0;
- description = "Sender listed at Spamhaus whitelist";
- }
- symbol {
- name = "RWL_SPAMHAUS_WL_TRANS";
- weight = 0.0;
- description = "Sender listed at Spamhaus whitelist";
- }
- symbol {
- name = "RWL_SPAMHAUS_WL_IND_EXP";
- weight = 0.0;
- description = "Sender listed at Spamhaus whitelist";
- }
- symbol {
- name = "RWL_SPAMHAUS_WL_TRANS_EXP";
- weight = 0.0;
- description = "Sender listed at Spamhaus whitelist";
- }
-
- symbol {
- weight = 2.0;
- description = "From address is listed in senderscore.com BL";
- name = "RBL_SENDERSCORE";
- }
- symbol {
- weight = 1.0;
- description = "From address is listed in ABUSE.CH BL";
- name = "RBL_ABUSECH";
- }
- symbol {
- weight = 1.0;
- description = "From address is listed in UCEPROTECT LEVEL1 BL";
- name = "RBL_UCEPROTECT_LEVEL1";
- }
- symbol {
- name = "RBL_MAILSPIKE";
- weight = 0.0;
- description = "Unrecognised result from Mailspike blacklist";
- }
- symbol {
- name = "RWL_MAILSPIKE";
- weight = 0.0;
- description = "Unrecognised result from Mailspike whitelist";
- }
- symbol {
- name = "RBL_MAILSPIKE_ZOMBIE";
- weight = 2.0;
- description = "From address is listed in RBL";
- }
- symbol {
- name = "RBL_MAILSPIKE_WORST";
- weight = 2.0;
- description = "From address is listed in RBL";
- }
- symbol {
- name = "RBL_MAILSPIKE_VERYBAD";
- weight = 1.5;
- description = "From address is listed in RBL";
- }
- symbol {
- name = "RBL_MAILSPIKE_BAD";
- weight = 1.0;
- description = "From address is listed in RBL";
- }
- symbol {
- name = "RWL_MAILSPIKE_POSSIBLE";
- weight = 0.0;
- description = "From address is listed in RWL";
- }
- symbol {
- name = "RWL_MAILSPIKE_GOOD";
- weight = 0.0;
- description = "From address is listed in RWL";
- }
- symbol {
- name = "RWL_MAILSPIKE_VERYGOOD";
- weight = 0.0;
- description = "From address is listed in RWL";
- }
- symbol {
- name = "RWL_MAILSPIKE_EXCELLENT";
- weight = 0.0;
- description = "From address is listed in RWL";
- }
-
- symbol {
- weight = 0.0;
- name = "RBL_SORBS";
- description = "Unrecognised result from SORBS RBL";
- }
- symbol {
- weight = 2.5;
- name = "RBL_SORBS_HTTP";
- description = "List of Open HTTP Proxy Servers.";
- }
- symbol {
- weight = 2.5;
- name = "RBL_SORBS_SOCKS";
- description = "List of Open SOCKS Proxy Servers.";
- }
- symbol {
- weight = 1.0;
- name = "RBL_SORBS_MISC";
- description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";
- }
- symbol {
- weight = 3.0;
- name = "RBL_SORBS_SMTP";
- description = "List of Open SMTP relay servers.";
- }
- symbol {
- weight = 1.5;
- name = "RBL_SORBS_RECENT";
- description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";
- }
- symbol {
- weight = 0.4;
- name = "RBL_SORBS_WEB";
- description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";
- }
- symbol {
- weight = 2.0;
- name = "RBL_SORBS_DUL";
- description = "Dynamic IP Address ranges (NOT a Dial Up list!)";
- }
- symbol {
- weight = 1.0;
- name = "RBL_SORBS_BLOCK";
- description = "List of hosts demanding that they never be tested by SORBS.";
- }
- symbol {
- weight = 1.0;
- name = "RBL_SORBS_ZOMBIE";
- description = "List of networks hijacked from their original owners, some of which have already used for spamming.";
- }
-
- symbol {
- weight = 1.0;
- name = "RBL_SEM";
- description = "Address is listed in Spameatingmonkey RBL";
- }
-
- symbol {
- weight = 1.0;
- name = "RBL_SEM_IPV6";
- description = "Address is listed in Spameatingmonkey RBL (ipv6)";
- }
- }
-
- group {
- name = "bayes";
-
- symbol {
- weight = 3.0;
- description = "Message probably spam, probability: ";
- name = "BAYES_SPAM";
- }
- symbol {
- weight = -3.0;
- description = "Message probably ham, probability: ";
- name = "BAYES_HAM";
- }
- }
-
- group {
- name = "fuzzy";
- symbol {
- weight = 5.0;
- description = "Generic fuzzy hash match";
- name = "FUZZY_UNKNOWN";
- }
- symbol {
- weight = 10.0;
- description = "Denied fuzzy hash";
- name = "FUZZY_DENIED";
- }
- symbol {
- weight = 5.0;
- description = "Probable fuzzy hash";
- name = "FUZZY_PROB";
- }
- symbol {
- weight = -2.1;
- description = "Whitelisted fuzzy hash";
- name = "FUZZY_WHITE";
- }
- }
-
- group {
- name = "spf";
- symbol {
- weight = 1.0;
- description = "SPF verification failed";
- name = "R_SPF_FAIL";
- }
- symbol {
- weight = 0.0;
- description = "SPF verification soft-failed";
- name = "R_SPF_SOFTFAIL";
- }
- symbol {
- weight = 0.0;
- description = "SPF policy is neutral";
- name = "R_SPF_NEUTRAL";
- }
- symbol {
- weight = -1.1;
- description = "SPF verification alowed";
- name = "R_SPF_ALLOW";
- }
- }
-
- group {
- name = "dkim";
- symbol {
- weight = 1.0;
- description = "DKIM verification failed";
- name = "R_DKIM_REJECT";
- }
- symbol {
- weight = 0.0;
- description = "DKIM verification soft-failed";
- name = "R_DKIM_TEMPFAIL";
- }
- symbol {
- weight = -1.1;
- description = "DKIM verification succeed";
- name = "R_DKIM_ALLOW";
- one_shot = true;
- }
- }
-
- group {
- name = "surbl";
- symbol {
- weight = 5.5;
- description = "SURBL: Phishing sites";
- name = "PH_SURBL_MULTI";
- }
- symbol {
- weight = 5.5;
- description = "SURBL: Malware sites";
- name = "MW_SURBL_MULTI";
- }
- symbol {
- weight = 5.5;
- description = "SURBL: AbuseButler web sites";
- name = "AB_SURBL_MULTI";
- }
- symbol {
- weight = 5.5;
- description = "SURBL: SpamCop web sites";
- name = "SC_SURBL_MULTI";
- }
- symbol {
- weight = 5.5;
- description = "SURBL: jwSpamSpy + Prolocation sites";
- name = "JP_SURBL_MULTI";
- }
- symbol {
- weight = 5.5;
- description = "SURBL: sa-blacklist web sites ";
- name = "WS_SURBL_MULTI";
- }
- symbol {
- weight = 4.5;
- description = "rambler.ru uribl";
- name = "RAMBLER_URIBL";
- }
-
- symbol {
- weight = 3.5;
- name = "SEM_URIBL";
- description = "Spameatingmonkey uribl";
- }
-
- symbol {
- weight = 3.0;
- name = "SEM_URIBL_FRESH15";
- description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
- }
-
- symbol {
- weight = 6.5;
- description = "DBL uribl spam";
- name = "DBL_SPAM";
- }
- symbol {
- weight = 6.5;
- description = "DBL uribl phishing";
- name = "DBL_PHISH";
- }
- symbol {
- weight = 6.5;
- description = "DBL uribl malware";
- name = "DBL_MALWARE";
- }
- symbol {
- weight = 5.5;
- description = "DBL uribl botnet C&C domain";
- name = "DBL_BOTNET";
- }
- symbol {
- weight = 6.5;
- description = "DBL uribl abused legit spam";
- name = "DBL_ABUSE";
- }
- symbol {
- weight = 1.5;
- description = "DBL uribl abused spammed redirector domain";
- name = "DBL_ABUSE_REDIR";
- }
- symbol {
- weight = 7.5;
- description = "DBL uribl abused legit phish";
- name = "DBL_ABUSE_PHISH";
- }
- symbol {
- weight = 7.5;
- description = "DBL uribl abused legit malware";
- name = "DBL_ABUSE_MALWARE";
- }
- symbol {
- weight = 5.5;
- description = "DBL uribl abused legit botnet C&C";
- name = "DBL_ABUSE_BOTNET";
- }
- symbol {
- weight = 0.00000;
- description = "DBL uribl IP queries prohibited!";
- name = "DBL_PROHIBIT";
- }
- symbol {
- weight = 7.5;
- description = "uribl.com black url";
- name = "URIBL_BLACK";
- }
- symbol {
- weight = 3.5;
- description = "uribl.com red url";
- name = "URIBL_RED";
- }
- symbol {
- weight = 1.5;
- description = "uribl.com grey url";
- name = "URIBL_GREY";
- }
- symbol {
- weight = 9.5;
- description = "rambler.ru emailbl";
- name = "RAMBLER_EMAILBL";
- }
-
- symbol {
- weight = 6.5;
- description = "Spamhaus SBL dnsbl";
- name = "URIBL_SBL";
- }
- }
-
- group {
- name = "phishing";
-
- symbol {
- weight = 5.0;
- description = "Phished mail";
- name = "PHISHING";
- }
- }
-
- group {
- name = "date";
-
- symbol {
- weight = 4.0;
- description = "Message date is in future";
- name = "DATE_IN_FUTURE";
- }
- symbol {
- weight = 1.0;
- description = "Message date is in past";
- name = "DATE_IN_PAST";
- }
- symbol {
- weight = 1.0;
- description = "Message date is missing";
- name = "MISSING_DATE";
- }
- }
-
- group {
- name = "hfilter";
-
- symbol {
- weight = 3.00;
- name = "HFILTER_HELO_BAREIP";
- description = "Helo host is bare ip";
- }
- symbol {
- weight = 4.50;
- name = "HFILTER_HELO_BADIP";
- description = "Helo host is very bad ip";
- }
- symbol {
- weight = 2.00;
- name = "HFILTER_HELO_UNKNOWN";
- description = "Helo host empty or unknown";
- }
- symbol {
- weight = 0.5;
- name = "HFILTER_HELO_1";
- description = "Helo host checks (very low)";
- }
- symbol {
- weight = 1.00;
- name = "HFILTER_HELO_2";
- description = "Helo host checks (low)";
- }
- symbol {
- weight = 2.00;
- name = "HFILTER_HELO_3";
- description = "Helo host checks (medium)";
- }
- symbol {
- weight = 2.50;
- name = "HFILTER_HELO_4";
- description = "Helo host checks (hard)";
- }
- symbol {
- weight = 3.00;
- name = "HFILTER_HELO_5";
- description = "Helo host checks (very hard)";
- }
- symbol {
- weight = 0.5;
- name = "HFILTER_HOSTNAME_1";
- description = "Hostname checks (very low)";
- }
- symbol {
- weight = 1.00;
- name = "HFILTER_HOSTNAME_2";
- description = "Hostname checks (low)";
- }
- symbol {
- weight = 2.00;
- name = "HFILTER_HOSTNAME_3";
- description = "Hostname checks (medium)";
- }
- symbol {
- weight = 2.50;
- name = "HFILTER_HOSTNAME_4";
- description = "Hostname checks (hard)";
- }
- symbol {
- weight = 3.00;
- name = "HFILTER_HOSTNAME_5";
- description = "Hostname checks (very hard)";
- }
- symbol {
- weight = 0.20;
- name = "HFILTER_HELO_NORESOLVE_MX";
- description = "MX found in Helo and no resolve";
- }
- symbol {
- weight = 0.3;
- name = "HFILTER_HELO_NORES_A_OR_MX";
- description = "Helo no resolve to A or MX";
- }
- symbol {
- weight = 1.00;
- name = "HFILTER_HELO_IP_A";
- description = "Helo A IP != hostname IP";
- }
- symbol {
- weight = 2.00;
- name = "HFILTER_HELO_NOT_FQDN";
- description = "Helo not FQDN";
- }
- symbol {
- weight = 0.5;
- name = "HFILTER_FROMHOST_NORESOLVE_MX";
- description = "MX found in FROM host and no resolve";
- }
- symbol {
- weight = 1.50;
- name = "HFILTER_FROMHOST_NORES_A_OR_MX";
- description = "FROM host no resolve to A or MX";
- }
- symbol {
- weight = 3.00;
- name = "HFILTER_FROMHOST_NOT_FQDN";
- description = "FROM host not FQDN";
- }
- symbol {
- weight = 0.00;
- name = "HFILTER_FROM_BOUNCE";
- description = "Bounce message";
- }
- symbol {
- weight = 0.50;
- name = "HFILTER_MID_NORESOLVE_MX";
- description = "MX found in Message-id host and no resolve";
- }
- symbol {
- weight = 0.50;
- name = "HFILTER_MID_NORES_A_OR_MX";
- description = "Message-id host no resolve to A or MX";
- }
- symbol {
- weight = 0.50;
- name = "HFILTER_MID_NOT_FQDN";
- description = "Message-id host not FQDN";
- }
- symbol {
- weight = 4.00;
- name = "HFILTER_HOSTNAME_UNKNOWN";
- description = "Unknown hostname (no PTR or no resolve PTR to hostname)";
- }
- symbol {
- weight = 1.50;
- name = "HFILTER_RCPT_BOUNCEMOREONE";
- description = "Message from bounce and over 1 recepient";
- }
- symbol {
- weight = 3.50;
- name = "HFILTER_URL_ONLY";
- description = "URL only in body";
- }
- symbol {
- weight = 2.20;
- name = "HFILTER_URL_ONELINE";
- description = "One line URL and text in body";
- }
- }
-
- group {
- name = "dmarc";
-
- symbol {
- weight = -1.0;
- name = "DMARC_POLICY_ALLOW";
- description = "DMARC permit policy";
- }
- symbol {
- weight = 2.0;
- name = "DMARC_POLICY_REJECT";
- description = "DMARC reject policy";
- }
- symbol {
- weight = 1.5;
- name = "DMARC_POLICY_QUARANTINE";
- description = "DMARC quarantine policy";
- }
- symbol {
- weight = 0.1;
- name = "DMARC_POLICY_SOFTFAIL";
- description = "DMARC failed";
- }
- }
- }