mirrors
/
rspamd
peilaus alkaen https://github.com/vstakhov/rspamd.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
							# Composites setup
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify 'local.d/composites.conf' to add and merge
# parameters defined inside this section
#
# You can modify 'override.d/composites.conf' to strictly override all
# parameters defined inside this section
#
# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
# for details
#
# See https://rspamd.com/doc/tutorials/writing_rules.html and
# https://rspamd.com/doc/configuration/composites.html for details

composites {

  FORGED_RECIPIENTS_MAILLIST {
    expression = "FORGED_RECIPIENTS & -MAILLIST";
  }
  FORGED_SENDER_MAILLIST {
    expression = "FORGED_SENDER & -MAILLIST";
  }
  FORGED_SENDER_FORWARDING {
    expression = "FORGED_SENDER & g:forwarding";
    description = "Forged sender, but message is forwarded";
    policy = "remove_weight";
  }
  SPF_FAIL_FORWARDING {
    expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
    policy = "remove_weight";
  }
  DMARC_POLICY_ALLOW_WITH_FAILURES {
    expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
    policy = "remove_weight";
  }
  FORGED_RECIPIENTS_FORWARDING {
    expression = "FORGED_RECIPIENTS & g:forwarding";
    policy = "remove_weight";
  }
  FORGED_SENDER_VERP_SRS {
    expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
  }
  FORGED_MUA_MAILLIST {
    expression = "g:mua & -MAILLIST";
  }
  AUTH_NA {
    expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
    score = 1.0;
    policy = "remove_weight";
    description = "Authenticating message via SPF/DKIM/DMARC/ARC not available";
  }
  AUTH_NA_OR_FAIL {
    expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) & (R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA | R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)";
    score = 1.0;
    policy = "remove_weight";
    description = "No authenticating method SPF/DKIM/DMARC/ARC was successful";
  }
  BOUNCE_NO_AUTH {
    expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)";
    score = 1.0;
  }
  DKIM_MIXED {
    expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
    policy = "remove_weight";
  }
  MAIL_RU_MAILER_BASE64 {
    expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
  }
  YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
    expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
  }
  MAILER_1C_8_BASE64 {
    expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
    description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
  }
  HACKED_WP_PHISHING {
    expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
    description = "Phish message sent by hacked Wordpress instance";
    policy = "leave";
  }
  COMPROMISED_ACCT_BULK {
    expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
    description = "Likely to be from a compromised account";
    score = 3.0;
    policy = "leave";
  }
  UNDISC_RCPTS_BULK {
    expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
    description = "Missing or undisclosed recipients with a bulk signature";
    score = 3.0;
    policy = "leave";
  }
  RCVD_UNAUTH_PBL {
    expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
    description = "Relayed through Spamhaus PBL IP without sufficient authentication (possible indicating an open relay)";
    score = 2.0;
    policy = "leave";
  }
  RCVD_DKIM_ARC_DNSWL_MED {
    expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
    description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
    score = -0.5;
    policy = "leave";
  }
  RCVD_DKIM_ARC_DNSWL_HI {
    expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
    description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
    score = -1.0;
    policy = "leave";
  }
  AUTOGEN_PHP_SPAMMY {
    expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
    description = "Message was generated by PHP script and contains some spam indicators";
    score = 1.0;
    policy = "leave";
  }
  PHISH_EMOTION {
    expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
    description = "Phish message with subject trying to address users emotion";
    score = 1.0;
    policy = "leave";
  }
  HAS_ANON_DOMAIN {
    expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
    description = "Contains one or more domains trying to disguise owner/destination";
    score = 0.1;
    policy = "leave";
  }
  BAD_REP_POLICIES {
    description = "Contains valid policies but are also marked by fuzzy/bayes/SURBL/RBL";
    expression = "(~g-:policies) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";
    score = 0.1;
  }
  VIOLATED_DIRECT_SPF {
    description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
    expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
    policy = "leave";
    score = 3.5;
  }
  IP_SCORE_FREEMAIL {
    description = "Negate IP_SCORE when message comes from FreeMail";
    expression = "FREEMAIL_FROM & SENDER_REP_SPAM";
    score = 0.0;
    policy = "remove_weight";
  }
  BROKEN_HEADERS_MAILLIST {
    description = "Negate BROKEN_HEADERS when message comes via some mailing list";
    expression = "BROKEN_HEADERS & -MAILLIST";
    score = 0.0;
    policy = "remove_weight";
  }
  LEAKED_PASSWORD_SCAM {
    description = "Contains BTC wallet address and scam patterns";
    expression = "BITCOIN_ADDR & (LEAKED_PASSWORD_SCAM_RE | R_MIXED_CHARSET | R_EMPTY_IMAGE)";
    policy = "leave";
    score = 7.0;
    group = "scams";
  }
  FREEMAIL_AFF {
    expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
    score = 4.0;
    policy = "leave";
    description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
  }

  .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
  .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
}