mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6536 Commits
29 Branches
Tree: 3e1b2d44a1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3e1b2d44a1'
${ noResults }
rspamd/conf/metrics.conf

metrics.conf 33KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008 
  1. # Metrics settings

  2. # Please don't modify this file as your changes might be overwritten with

  3. # the next update.

  4. #

  5. # You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine

  6. # parameters defined on the top level

  7. #

  8. # You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add

  9. # parameters defined on the top level

  10. #

  11. # For specific modules or configuration you can also modify

  12. # '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults

  13. # '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults

  14. #

  15. # See https://rspamd.com/doc/tutorials/writing_rules.html for details

  16. 

  17. metric {

  18.     name = "default";

  19.     # If this param is set to non-zero

  20.     # then a metric would accept all symbols

  21.     # unknown_weight = 1.0

  22. 

  23.     actions {

  24.       reject = 15;

  25.       add_header = 6;

  26.       greylist = 4;

  27.     }

  28. 

  29.     group "header" {

  30.         symbol "MISSING_SUBJECT" {

  31.             weight = 2.0;

  32.             description = "Subject is missing inside message";

  33.         }

  34.         symbol "FORGED_OUTLOOK_TAGS" {

  35.             weight = 2.100000;

  36.             description = "Message pretends to be send from Outlook but has 'strange' tags ";

  37.         }

  38.         symbol "FORGED_SENDER" {

  39.             weight = 0.30;

  40.             description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";

  41.         }

  42.         symbol "SUSPICIOUS_RECIPS" {

  43.             weight = 1.500000;

  44.             description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";

  45.         }

  46.         symbol "FAKE_REPLY_C" {

  47.             weight = 6.0;

  48.             description = "Fake reply (has RE in subject, but has not References header)";

  49.         }

  50.         symbol "MIME_HTML_ONLY" {

  51.             weight = 1.0;

  52.             description = "Messages that have only HTML part";

  53.         }

  54.         symbol "FORGED_MSGID_YAHOO" {

  55.             weight = 2.0;

  56.             description = "Forged yahoo msgid";

  57.         }

  58.         symbol "FORGED_MUA_THEBAT_BOUN" {

  59.             weight = 2.0;

  60.             description = "Forged The Bat! MUA headers";

  61.         }

  62.         symbol "R_MISSING_CHARSET" {

  63.             weight = 5.0;

  64.             description = "Charset is missing in a message";

  65.         }

  66.         symbol "RCVD_DOUBLE_IP_SPAM" {

  67.             weight = 2.0;

  68.             description = "Two received headers with ip addresses";

  69.         }

  70.         symbol "FORGED_OUTLOOK_HTML" {

  71.             weight = 5.0;

  72.             description = "Forged outlook HTML signature";

  73.         }

  74.         symbol "R_UNDISC_RCPT" {

  75.             weight = 5.0;

  76.             description = "Recipients are absent or undisclosed";

  77.         }

  78.         symbol "FM_FAKE_HELO_VERIZON" {

  79.             weight = 2.0;

  80.             description = "Fake helo for verizon provider";

  81.         }

  82.         symbol "REPTO_QUOTE_YAHOO" {

  83.             weight = 2.0;

  84.             description = "Quoted reply-to from yahoo (seems to be forged)";

  85.         }

  86.         symbol "MISSING_MIMEOLE" {

  87.             weight = 5.0;

  88.             description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";

  89.         }

  90.         symbol "MISSING_TO" {

  91.             weight = 2.0;

  92.             description = "To header is missing";

  93.         }

  94.         symbol "FROM_EXCESS_BASE64" {

  95.             weight = 1.5;

  96.             description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  97.         }

  98.         symbol "FROM_EXCESS_QP" {

  99.             weight = 1.2;

  100.             description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  101.         }

  102.         symbol "TO_EXCESS_BASE64" {

  103.             weight = 1.5;

  104.             description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  105.         }

  106.         symbol "TO_EXCESS_QP" {

  107.             weight = 1.2;

  108.             description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  109.         }

  110.         symbol "REPLYTO_EXCESS_BASE64" {

  111.             weight = 1.5;

  112.             description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  113.         }

  114.         symbol "REPLYTO_EXCESS_QP" {

  115.             weight = 1.2;

  116.             description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  117.         }

  118.         symbol "CC_EXCESS_BASE64" {

  119.             weight = 1.5;

  120.             description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  121.         }

  122.         symbol "CC_EXCESS_QP" {

  123.             weight = 1.2;

  124.             description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  125.         }

  126.         symbol "R_MIXED_CHARSET" {

  127.             weight = 5.0;

  128.             description = "Mixed characters in a message";

  129.         }

  130.         symbol "SORTED_RECIPS" {

  131.             weight = 3.500000;

  132.             description = "Recipients list seems to be sorted";

  133.         }

  134.         symbol "R_RCVD_SPAMBOTS" {

  135.             weight = 3.0;

  136.             description = "Spambots signatures in received headers";

  137.         }

  138.         symbol "SUBJECT_NEEDS_ENCODING" {

  139.             weight = 1.0;

  140.             description = "Subject needs encoding";

  141.         }

  142.         symbol "TRACKER_ID" {

  143.             weight = 3.84;

  144.             description = "Spam string at the end of message to make statistics faults 0";

  145.         }

  146.         symbol "R_NO_SPACE_IN_FROM" {

  147.             weight = 1.0;

  148.             description = "No space in from header";

  149.         }

  150.         symbol "R_SAJDING" {

  151.             weight = 8.0;

  152.             description = "Subject seems to be spam";

  153.         }

  154.         symbol "R_BAD_CTE_7BIT" {

  155.             weight = 3.0;

  156.             description = "Detects bad content-transfer-encoding for text parts";

  157.         }

  158.         symbol "R_FLASH_REDIR_IMGSHACK" {

  159.             weight = 10.0;

  160.             description = "Flash redirect on imageshack.us";

  161.         }

  162.         symbol "INVALID_MSGID" {

  163.             weight = 1.7;

  164.             description = "Message id is incorrect";

  165.         }

  166.         symbol "MISSING_MID" {

  167.             weight = 2.5;

  168.             description = "Message id is missing ";

  169.         }

  170.         symbol "FORGED_RECIPIENTS" {

  171.             weight = 2.0;

  172.             description = "Recipients are not the same as RCPT TO: mail command";

  173.         }

  174.         symbol "FORGED_RECIPIENTS_MAILLIST" {

  175.             weight = 0.0;

  176.             description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";

  177.         }

  178.         symbol "FORGED_SENDER_MAILLIST" {

  179.             weight = 0.0;

  180.             description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";

  181.         }

  182.         symbol "RATWARE_MS_HASH" {

  183.             weight = 2.0;

  184.             description = "Forged Exchange messages";

  185.         }

  186.         symbol "STOX_REPLY_TYPE" {

  187.             weight = 1.0;

  188.             description = "Reply-type in content-type";

  189.         }

  190.         symbol "ONCE_RECEIVED" {

  191.             weight = 0.1;

  192.             description = "One received header in a message";

  193.         }

  194.         symbol "RDNS_NONE" {

  195.             weight = 1.0;

  196.             description = "Cannot resolve reverse DNS for sender's IP";

  197.         }

  198.         symbol "ONCE_RECEIVED_STRICT" {

  199.             weight = 4.0;

  200.             description = "One received header with 'bad' patterns inside";

  201.         }

  202.         symbol "MIME_HEADER_CTYPE_ONLY" {

  203.             weight = 2.0;

  204.             description = "Only Content-Type header without other MIME headers";

  205.         }

  206.         symbol "MAILLIST" {

  207.             weight = -0.2;

  208.             description = "Message seems to be from maillist";

  209.         }

  210.         symbol "HEADER_FROM_DELIMITER_TAB" {

  211.             weight = 1.0;

  212.             description = "Header From begins with tab";

  213.         }

  214.         symbol "HEADER_TO_DELIMITER_TAB" {

  215.             weight = 1.0;

  216.             description = "Header To begins with tab";

  217.         }

  218.         symbol "HEADER_CC_DELIMITER_TAB" {

  219.             weight = 1.0;

  220.             description = "Header Cc begins with tab";

  221.         }

  222.         symbol "HEADER_REPLYTO_DELIMITER_TAB" {

  223.             weight = 1.0;

  224.             description = "Header Reply-To begins with tab";

  225.         }

  226.         symbol "HEADER_DATE_DELIMITER_TAB" {

  227.             weight = 1.0;

  228.             description = "Header Date begins with tab";

  229.         }

  230.         symbol "HEADER_FROM_EMPTY_DELIMITER" {

  231.             weight = 1.0;

  232.             description = "Header From has no delimiter between header name and header value";

  233.         }

  234.         symbol "HEADER_TO_EMPTY_DELIMITER" {

  235.             weight = 1.0;

  236.             description = "Header To has no delimiter between header name and header value";

  237.         }

  238.         symbol "HEADER_CC_EMPTY_DELIMITER" {

  239.             weight = 1.0;

  240.             description = "Header Cc has no delimiter between header name and header value";

  241.         }

  242.         symbol "HEADER_REPLYTO_EMPTY_DELIMITER" {

  243.             weight = 1.0;

  244.             description = "Header Reply-To has no delimiter between header name and header value";

  245.         }

  246.         symbol "HEADER_DATE_EMPTY_DELIMITER" {

  247.             weight = 1.0;

  248.             description = "Header Date has no delimiter between header name and header value";

  249.         }

  250.         symbol "RCVD_ILLEGAL_CHARS" {

  251.             weight = 4.0;

  252.             description = "Header Received has raw illegal character";

  253.         }

  254.         symbol "FAKE_RECEIVED_mail_ru" {

  255.             weight = 4.0;

  256.             description = "Fake helo mail.ru in header Received from non mail.ru sender address";

  257.         }

  258.         symbol "FAKE_RECEIVED_smtp_yandex_ru" {

  259.             weight = 4.0;

  260.             description = "Fake smtp.yandex.ru Received";

  261.         }

  262.         symbol "FORGED_GENERIC_RECEIVED" {

  263.             weight = 3.6;

  264.             description = "Forged generic Received";

  265.         }

  266.         symbol "FORGED_GENERIC_RECEIVED2" {

  267.             weight = 3.6;

  268.             description = "Forged generic Received";

  269.         }

  270.         symbol "FORGED_GENERIC_RECEIVED3" {

  271.             weight = 3.6;

  272.             description = "Forged generic Received";

  273.         }

  274.         symbol "FORGED_GENERIC_RECEIVED4" {

  275.             weight = 3.6;

  276.             description = "Forged generic Received";

  277.         }

  278.         symbol "FORGED_GENERIC_RECEIVED5" {

  279.             weight = 4.6;

  280.             description = "Forged generic Received";

  281.         }

  282.         symbol "INVALID_POSTFIX_RECEIVED" {

  283.             weight = 3.0;

  284.             description = "Invalid Postfix Received";

  285.         }

  286.     }

  287. 

  288.     group "mua" {

  289.         symbol "FORGED_MUA_THEBAT_MSGID" {

  290.             weight = 4.0;

  291.             description = "Message pretends to be send from The Bat! but has forged Message-ID";

  292.         }

  293.         symbol "FORGED_MUA_THEBAT_MSGID_UNKNOWN" {

  294.             weight = 3.0;

  295.             description = "Message pretends to be send from The Bat! but has forged Message-ID";

  296.         }

  297.         symbol "FORGED_MUA_KMAIL_MSGID" {

  298.             weight = 3.0;

  299.             description = "Message pretends to be send from KMail but has forged Message-ID";

  300.         }

  301.         symbol "FORGED_MUA_KMAIL_MSGID_UNKNOWN" {

  302.             weight = 2.5;

  303.             description = "Message pretends to be send from KMail but has forged Message-ID";

  304.         }

  305.         symbol "FORGED_MUA_OPERA_MSGID" {

  306.             weight = 4.0;

  307.             description = "Message pretends to be send from Opera Mail but has forged Message-ID";

  308.         }

  309.         symbol "SUSPICIOUS_OPERA_10W_MSGID" {

  310.             weight = 4.0;

  311.             description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";

  312.         }

  313.         symbol "FORGED_MUA_MOZILLA_MAIL_MSGID" {

  314.             weight = 4.0;

  315.             description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";

  316.         }

  317.         symbol "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN" {

  318.             weight = 2.5;

  319.             description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";

  320.         }

  321.         symbol "FORGED_MUA_THUNDERBIRD_MSGID" {

  322.             weight = 4.0;

  323.             description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";

  324.         }

  325.         symbol "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN" {

  326.             weight = 2.5;

  327.             description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";

  328.         }

  329.         symbol "FORGED_MUA_SEAMONKEY_MSGID" {

  330.             weight = 4.0;

  331.             description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";

  332.         }

  333.         symbol "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN" {

  334.             weight = 2.5;

  335.             description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";

  336.         }

  337.         symbol "FORGED_MUA_OUTLOOK" {

  338.             weight = 3.0;

  339.             description = "Forged outlook MUA";

  340.         }

  341.         symbol "FORGED_MUA_MAILLIST" {

  342.             weight = 0.0;

  343.             description = "Avoid false positives for FORGED_MUA_* in maillist";

  344.         }

  345.     }

  346. 

  347.     group "body" {

  348.         symbol "R_WHITE_ON_WHITE" {

  349.             weight = 9.0;

  350.             description = "White color on white background in HTML messages";

  351.         }

  352.         symbol "HTML_SHORT_LINK_IMG_1" {

  353.             weight = 3.0;

  354.             description = "Short html part with a link to an image";

  355.         }

  356.         symbol "HTML_SHORT_LINK_IMG_2" {

  357.             weight = 1.0;

  358.             description = "Short html part with a link to an image";

  359.         }

  360.         symbol "HTML_SHORT_LINK_IMG_3" {

  361.             weight = 0.5;

  362.             description = "Short html part with a link to an image";

  363.         }

  364.         symbol "SUSPICIOUS_BOUNDARY" {

  365.             weight = 5.0;

  366.             description = "Suspicious boundary in header Content-Type";

  367.         }

  368.         symbol "SUSPICIOUS_BOUNDARY2" {

  369.             weight = 4.0;

  370.             description = "Suspicious boundary in header Content-Type";

  371.         }

  372.         symbol "SUSPICIOUS_BOUNDARY3" {

  373.             weight = 3.0;

  374.             description = "Suspicious boundary in header Content-Type";

  375.         }

  376.         symbol "SUSPICIOUS_BOUNDARY4" {

  377.             weight = 4.0;

  378.             description = "Suspicious boundary in header Content-Type";

  379.         }

  380.         symbol "R_PARTS_DIFFER" {

  381.             weight = 1.0;

  382.             description = "Text and HTML parts differ";

  383.         }

  384. 

  385.         symbol "R_EMPTY_IMAGE" {

  386.             weight = 2.0;

  387.             description = "Message contains empty parts and image";

  388.         }

  389.         symbol "DRUGS_MANYKINDS" {

  390.             weight = 2.0;

  391.             description = "Drugs patterns inside message";

  392.         }

  393.         symbol "DRUGS_ANXIETY" {

  394.             weight = 2.0;

  395.             description = "";

  396.         }

  397.         symbol "DRUGS_MUSCLE" {

  398.             weight = 2.0;

  399.             description = "";

  400.         }

  401.         symbol "DRUGS_ANXIETY_EREC" {

  402.             weight = 2.0;

  403.             description = "";

  404.         }

  405.         symbol "DRUGS_DIET" {

  406.             weight = 2.0;

  407.             description = "";

  408.         }

  409.         symbol "DRUGS_ERECTILE" {

  410.             weight = 2.0;

  411.             description = "";

  412.         }

  413.         symbol "ADVANCE_FEE_2" {

  414.             weight = 3.300000;

  415.             description = "2 'advance fee' patterns in a message";

  416.         }

  417.         symbol "ADVANCE_FEE_3" {

  418.             weight = 2.120000;

  419.             description = "3 'advance fee' patterns in a message";

  420.         }

  421.         symbol "R_LOTTO" {

  422.             weight = 8.0;

  423.             description = "Lotto signatures";

  424.         }

  425.     }

  426. 

  427.     group "rbl" {

  428.         symbol "DNSWL_BLOCKED" {

  429.             weight = 0.0;

  430.             description = "Resolver blocked due to excessive queries";

  431.         }

  432.         symbol "RCVD_IN_DNSWL" {

  433.             weight = 0.0;

  434.             description = "Unrecognised result from dnswl.org";

  435.         }

  436.         symbol "RCVD_IN_DNSWL_NONE" {

  437.             weight = 0.0;

  438.             description = "Sender listed at http://www.dnswl.org, low none";

  439.         }

  440.         symbol "RCVD_IN_DNSWL_LOW" {

  441.             weight = 0.0;

  442.             description = "Sender listed at http://www.dnswl.org, low trust";

  443.         }

  444.         symbol "RCVD_IN_DNSWL_MED" {

  445.             weight = 0.0;

  446.             description = "Sender listed at http://www.dnswl.org, medium trust";

  447.         }

  448.         symbol "RCVD_IN_DNSWL_HI" {

  449.             weight = 0.0;

  450.             description = "Sender listed at http://www.dnswl.org, high trust";

  451.         }

  452. 

  453.         symbol "RBL_SPAMHAUS" {

  454.             weight = 0.0;

  455.             description = "Unrecognised result from Spamhaus zen";

  456.         }

  457.         symbol "RBL_SPAMHAUS_SBL" {

  458.             weight = 2.0;

  459.             description = "From address is listed in zen sbl";

  460.         }

  461.         symbol "RBL_SPAMHAUS_CSS" {

  462.             weight = 2.0;

  463.             description = "From address is listed in zen css";

  464.         }

  465.         symbol "RBL_SPAMHAUS_XBL" {

  466.             weight = 4.0;

  467.             description = "From address is listed in zen xbl";

  468.         }

  469.         symbol "RBL_SPAMHAUS_XBL1" {

  470.             weight = 4.0;

  471.             description = "From address is listed in zen xbl (obsoleted/reserved)";

  472.         }

  473.         symbol "RBL_SPAMHAUS_XBL2" {

  474.             weight = 4.0;

  475.             description = "From address is listed in zen xbl (obsoleted/reserved)";

  476.         }

  477.         symbol "RBL_SPAMHAUS_XBL3" {

  478.             weight = 4.0;

  479.             description = "From address is listed in zen xbl (reserved)";

  480.         }

  481.         symbol "RBL_SPAMHAUS_XBL_ANY" {

  482.             weight = 4.0;

  483.             description = "From or receive address is listed in zen xbl (any list)";

  484.         }

  485.         symbol "RBL_SPAMHAUS_PBL" {

  486.             weight = 2.0;

  487.             description = "From address is listed in zen pbl (ISP list)";

  488.         }

  489.         symbol "RBL_SPAMHAUS_PBL1" {

  490.             weight = 2.0;

  491.             description = "From address is listed in zen pbl (Spamhaus list)";

  492.         }

  493.         symbol "RECEIVED_SPAMHAUS_XBL" {

  494.             weight = 3.0;

  495.             description = "Received address is listed in zen xbl";

  496.             one_shot = true;

  497.         }

  498. 

  499.         symbol "RWL_SPAMHAUS_WL" {

  500.             weight = 0.0;

  501.             description = "Unrecognised result from Spamhaus whitelist";

  502.         }

  503.         symbol "RWL_SPAMHAUS_WL_IND" {

  504.             weight = 0.0;

  505.             description = "Sender listed at Spamhaus whitelist";

  506.         }

  507.         symbol "RWL_SPAMHAUS_WL_TRANS" {

  508.             weight = 0.0;

  509.             description = "Sender listed at Spamhaus whitelist";

  510.         }

  511.         symbol "RWL_SPAMHAUS_WL_IND_EXP" {

  512.             weight = 0.0;

  513.             description = "Sender listed at Spamhaus whitelist";

  514.         }

  515.         symbol "RWL_SPAMHAUS_WL_TRANS_EXP" {

  516.             weight = 0.0;

  517.             description = "Sender listed at Spamhaus whitelist";

  518.         }

  519.         symbol "RBL_SENDERSCORE" {

  520.             weight = 2.0;

  521.             description = "From address is listed in senderscore.com BL";

  522.         }

  523.         symbol "RBL_ABUSECH" {

  524.             weight = 1.0;

  525.             description = "From address is listed in ABUSE.CH BL";

  526.         }

  527.         symbol "RBL_UCEPROTECT_LEVEL1" {

  528.             weight = 1.0;

  529.             description = "From address is listed in UCEPROTECT LEVEL1 BL";

  530.         }

  531.         symbol "RBL_MAILSPIKE" {

  532.             weight = 0.0;

  533.             description = "Unrecognised result from Mailspike blacklist";

  534.         }

  535.         symbol "RWL_MAILSPIKE" {

  536.             weight = 0.0;

  537.             description = "Unrecognised result from Mailspike whitelist";

  538.         }

  539.         symbol "RBL_MAILSPIKE_ZOMBIE" {

  540.             weight = 2.0;

  541.             description = "From address is listed in RBL";

  542.         }

  543.         symbol "RBL_MAILSPIKE_WORST" {

  544.             weight = 2.0;

  545.             description = "From address is listed in RBL";

  546.         }

  547.         symbol "RBL_MAILSPIKE_VERYBAD" {

  548.             weight = 1.5;

  549.             description = "From address is listed in RBL";

  550.         }

  551.         symbol "RBL_MAILSPIKE_BAD" {

  552.             weight = 1.0;

  553.             description = "From address is listed in RBL";

  554.         }

  555.         symbol "RWL_MAILSPIKE_POSSIBLE" {

  556.             weight = 0.0;

  557.             description = "From address is listed in RWL";

  558.         }

  559.         symbol "RWL_MAILSPIKE_GOOD" {

  560.             weight = 0.0;

  561.             description = "From address is listed in RWL";

  562.         }

  563.         symbol "RWL_MAILSPIKE_VERYGOOD" {

  564.             weight = 0.0;

  565.             description = "From address is listed in RWL";

  566.         }

  567.         symbol "RWL_MAILSPIKE_EXCELLENT" {

  568.             weight = 0.0;

  569.             description = "From address is listed in RWL";

  570.         }

  571. 

  572.         symbol "RBL_SORBS" {

  573.             weight = 0.0;

  574.             description = "Unrecognised result from SORBS RBL";

  575.         }

  576.         symbol "RBL_SORBS_HTTP" {

  577.             weight = 2.5;

  578.             description = "List of Open HTTP Proxy Servers.";

  579.         }

  580.         symbol "RBL_SORBS_SOCKS" {

  581.             weight = 2.5;

  582.             description = "List of Open SOCKS Proxy Servers.";

  583.         }

  584.         symbol "RBL_SORBS_MISC" {

  585.             weight = 1.0;

  586.             description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";

  587.         }

  588.         symbol "RBL_SORBS_SMTP" {

  589.             weight = 3.0;

  590.             description = "List of Open SMTP relay servers.";

  591.         }

  592.         symbol "RBL_SORBS_RECENT" {

  593.             weight = 1.5;

  594.             description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";

  595.         }

  596.         symbol "RBL_SORBS_WEB" {

  597.             weight = 0.4;

  598.             description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";

  599.         }

  600.         symbol "RBL_SORBS_DUL" {

  601.             weight = 2.0;

  602.             description = "Dynamic IP Address ranges (NOT a Dial Up list!)";

  603.         }

  604.         symbol "RBL_SORBS_BLOCK" {

  605.             weight = 1.0;

  606.             description = "List of hosts demanding that they never be tested by SORBS.";

  607.         }

  608.         symbol "RBL_SORBS_ZOMBIE" {

  609.             weight = 1.0;

  610.             description = "List of networks hijacked from their original owners, some of which have already used for spamming.";

  611.         }

  612. 

  613.         symbol "RBL_SEM" {

  614.             weight = 1.0;

  615.             description = "Address is listed in Spameatingmonkey RBL";

  616.         }

  617. 

  618.         symbol "RBL_SEM_IPV6" {

  619.             weight = 1.0;

  620.             description = "Address is listed in Spameatingmonkey RBL (ipv6)";

  621.         }

  622.         }

  623. 

  624.         group "bayes" {

  625. 

  626.         symbol "BAYES_SPAM" {

  627.             weight = 4.0;

  628.             description = "Message probably spam, probability: ";

  629.         }

  630.         symbol "BAYES_HAM" {

  631.             weight = -3.0;

  632.             description = "Message probably ham, probability: ";

  633.         }

  634.     }

  635. 

  636.     group "fuzzy" {

  637.         symbol "FUZZY_UNKNOWN" {

  638.             weight = 5.0;

  639.             description = "Generic fuzzy hash match";

  640.         }

  641.         symbol "FUZZY_DENIED" {

  642.             weight = 12.0;

  643.             description = "Denied fuzzy hash";

  644.         }

  645.         symbol "FUZZY_PROB" {

  646.             weight = 5.0;

  647.             description = "Probable fuzzy hash";

  648.         }

  649.         symbol "FUZZY_WHITE" {

  650.             weight = -2.1;

  651.             description = "Whitelisted fuzzy hash";

  652.         }

  653.     }

  654. 

  655.     group "spf" {

  656.         symbol "R_SPF_FAIL" {

  657.             weight = 1.0;

  658.             description = "SPF verification failed";

  659.         }

  660.         symbol "R_SPF_SOFTFAIL" {

  661.             weight = 0.0;

  662.             description = "SPF verification soft-failed";

  663.         }

  664.         symbol "R_SPF_NEUTRAL" {

  665.             weight = 0.0;

  666.             description = "SPF policy is neutral";

  667.         }

  668.         symbol "R_SPF_ALLOW" {

  669.             weight = -1.5;

  670.             description = "SPF verification alowed";

  671.         }

  672.     }

  673. 

  674.     group "dkim" {

  675.         symbol "R_DKIM_REJECT" {

  676.             weight = 1.0;

  677.             description = "DKIM verification failed";

  678.         }

  679.         symbol "R_DKIM_TEMPFAIL" {

  680.             weight = 0.0;

  681.             description = "DKIM verification soft-failed";

  682.         }

  683.         symbol "R_DKIM_ALLOW" {

  684.             weight = -1.1;

  685.             description = "DKIM verification succeed";

  686.             one_shot = true;

  687.         }

  688.     }

  689. 

  690.     group "surbl" {

  691.         symbol "SURBL_BLOCKED" {

  692.             weight = 0.0;

  693.             description = "SURBL: blocked by policy/overusage";

  694.         }

  695.         symbol "PH_SURBL_MULTI" {

  696.             weight = 5.5;

  697.             description = "SURBL: Phishing sites";

  698.         }

  699.         symbol "MW_SURBL_MULTI" {

  700.             weight = 5.5;

  701.             description = "SURBL: Malware sites";

  702.         }

  703.         symbol "ABUSE_SURBL" {

  704.             weight = 5.5;

  705.             description = "SURBL: ABUSE";

  706.         }

  707.         symbol "CRACKED_SURBL" {

  708.             weight = 4.0;

  709.             description = "SURBL: cracked site";

  710.         }

  711.         symbol "WS_SURBL_MULTI" {

  712.             weight = 5.5;

  713.             description = "SURBL: sa-blacklist web sites ";

  714.         }

  715.         symbol "RAMBLER_URIBL" {

  716.             weight = 4.5;

  717.             description = "rambler.ru uribl";

  718.         }

  719. 

  720.         symbol "SEM_URIBL_UNKNOWN" {

  721.             weight = 0.0;

  722.             description = "Spameatingmonkey uribl: unknown result";

  723.         }

  724.         symbol "SEM_URIBL" {

  725.             weight = 3.5;

  726.             description = "Spameatingmonkey uribl";

  727.         }

  728. 

  729.         symbol "SEM_URIBL_FRESH15_UNKNOWN" {

  730.             weight = 0.0;

  731.             description = "Spameatingmonkey Fresh15 uribl: unknown result";

  732.         }

  733.         symbol "SEM_URIBL_FRESH15" {

  734.             weight = 3.0;

  735.             description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";

  736.         }

  737. 

  738.         symbol "DBL" {

  739.             weight = 0.0;

  740.             description = "DBL unknown result";

  741.         }

  742.         symbol "DBL_SPAM" {

  743.             weight = 6.5;

  744.             description = "DBL uribl spam";

  745.         }

  746.         symbol "DBL_PHISH" {

  747.             weight = 6.5;

  748.             description = "DBL uribl phishing";

  749.         }

  750.         symbol "DBL_MALWARE" {

  751.             weight = 6.5;

  752.             description = "DBL uribl malware";

  753.         }

  754.         symbol "DBL_BOTNET" {

  755.             weight = 5.5;

  756.             description = "DBL uribl botnet C&C domain";

  757.         }

  758.         symbol "DBL_ABUSE" {

  759.             weight = 6.5;

  760.             description = "DBL uribl abused legit spam";

  761.         }

  762.         symbol "DBL_ABUSE_REDIR" {

  763.             weight = 1.5;

  764.             description = "DBL uribl abused spammed redirector domain";

  765.         }

  766.         symbol "DBL_ABUSE_PHISH" {

  767.             weight = 7.5;

  768.             description = "DBL uribl abused legit phish";

  769.         }

  770.         symbol "DBL_ABUSE_MALWARE" {

  771.             weight = 7.5;

  772.             description = "DBL uribl abused legit malware";

  773.         }

  774.         symbol "DBL_ABUSE_BOTNET" {

  775.             weight = 5.5;

  776.             description = "DBL uribl abused legit botnet C&C";

  777.         }

  778.         symbol "DBL_PROHIBIT" {

  779.             weight = 0.00000;

  780.             description = "DBL uribl IP queries prohibited!";

  781.         }

  782.         symbol "URIBL_MULTI" {

  783.             weight = 0.0;

  784.             description = "uribl.com: unrecognised result";

  785.         }

  786.         symbol "URIBL_BLOCKED" {

  787.             weight = 0.0;

  788.             description = "uribl.com: query refused";

  789.         }

  790.         symbol "URIBL_BLACK" {

  791.             weight = 7.5;

  792.             description = "uribl.com black url";

  793.         }

  794.         symbol "URIBL_RED" {

  795.             weight = 3.5;

  796.             description = "uribl.com red url";

  797.         }

  798.         symbol "URIBL_GREY" {

  799.             weight = 1.5;

  800.             description = "uribl.com grey url";

  801.         }

  802.         symbol "RAMBLER_EMAILBL" {

  803.             weight = 9.5;

  804.             description = "rambler.ru emailbl";

  805.         }

  806. 

  807.         symbol "SBL_URIBL" {

  808.             weight = 0.0;

  809.             description = "SBL URIBL: Filtered result";

  810.         }

  811.         symbol "URIBL_SBL" {

  812.             weight = 6.5;

  813.             description = "Spamhaus SBL URIBL";

  814.         }

  815.         symbol "URIBL_SBL_CSS" {

  816.             weight = 6.5;

  817.             description = "Spamhaus SBL CSS URIBL";

  818.         }

  819.     }

  820. 

  821.     group "phishing" {

  822.         symbol "PHISHING" {

  823.             weight = 3.0;

  824.             description = "Phished mail";

  825.         }

  826.     }

  827. 

  828.     group "date" {

  829. 

  830.         symbol "DATE_IN_FUTURE" {

  831.             weight = 4.0;

  832.             description = "Message date is in future";

  833.         }

  834.         symbol "DATE_IN_PAST" {

  835.             weight = 1.0;

  836.             description = "Message date is in past";

  837.         }

  838.         symbol "MISSING_DATE" {

  839.             weight = 1.0;

  840.             description = "Message date is missing";

  841.         }

  842.     }

  843. 

  844.     group "hfilter" {

  845.         symbol "HFILTER_HELO_BAREIP" {

  846.             weight = 3.00;

  847.             description = "Helo host is bare ip";

  848.         }

  849.         symbol "HFILTER_HELO_BADIP" {

  850.             weight = 4.50;

  851.             description = "Helo host is very bad ip";

  852.         }

  853.         symbol "HFILTER_HELO_UNKNOWN" {

  854.             weight = 2.00;

  855.             description = "Helo host empty or unknown";

  856.         }

  857.         symbol "HFILTER_HELO_1" {

  858.             weight = 0.5;

  859.             description = "Helo host checks (very low)";

  860.         }

  861.         symbol "HFILTER_HELO_2" {

  862.             weight = 1.00;

  863.             description = "Helo host checks (low)";

  864.         }

  865.         symbol "HFILTER_HELO_3" {

  866.             weight = 2.00;

  867.             description = "Helo host checks (medium)";

  868.         }

  869.         symbol "HFILTER_HELO_4" {

  870.             weight = 2.50;

  871.             description = "Helo host checks (hard)";

  872.         }

  873.         symbol "HFILTER_HELO_5" {

  874.             weight = 3.00;

  875.             description = "Helo host checks (very hard)";

  876.         }

  877.         symbol "HFILTER_HOSTNAME_1" {

  878.             weight = 0.5;

  879.             description = "Hostname checks (very low)";

  880.         }

  881.         symbol "HFILTER_HOSTNAME_2" {

  882.             weight = 1.00;

  883.             description = "Hostname checks (low)";

  884.         }

  885.         symbol "HFILTER_HOSTNAME_3" {

  886.             weight = 2.00;

  887.             description = "Hostname checks (medium)";

  888.         }

  889.         symbol "HFILTER_HOSTNAME_4" {

  890.             weight = 2.50;

  891.             description = "Hostname checks (hard)";

  892.         }

  893.         symbol "HFILTER_HOSTNAME_5" {

  894.             weight = 3.00;

  895.             description = "Hostname checks (very hard)";

  896.         }

  897.         symbol "HFILTER_HELO_NORESOLVE_MX" {

  898.             weight = 0.20;

  899.             description = "MX found in Helo and no resolve";

  900.         }

  901.         symbol "HFILTER_HELO_NORES_A_OR_MX" {

  902.             weight = 0.3;

  903.             description = "Helo no resolve to A or MX";

  904.         }

  905.         symbol "HFILTER_HELO_IP_A" {

  906.             weight = 1.00;

  907.             description = "Helo A IP != hostname IP";

  908.         }

  909.         symbol "HFILTER_HELO_NOT_FQDN" {

  910.             weight = 2.00;

  911.             description = "Helo not FQDN";

  912.         }

  913.         symbol "HFILTER_FROMHOST_NORESOLVE_MX" {

  914.             weight = 0.5;

  915.             description = "MX found in FROM host and no resolve";

  916.         }

  917.         symbol "HFILTER_FROMHOST_NORES_A_OR_MX" {

  918.             weight = 1.50;

  919.             description = "FROM host no resolve to A or MX";

  920.         }

  921.         symbol "HFILTER_FROMHOST_NOT_FQDN" {

  922.             weight = 3.00;

  923.             description = "FROM host not FQDN";

  924.         }

  925.         symbol "HFILTER_FROM_BOUNCE" {

  926.             weight = 0.00;

  927.             description = "Bounce message";

  928.         }

  929.     /*

  930.         symbol {

  931.             weight = 0.50;

  932.             name = "HFILTER_MID_NORESOLVE_MX";

  933.             description = "MX found in Message-id host and no resolve";

  934.         }

  935.         symbol {

  936.             weight = 0.50;

  937.             name = "HFILTER_MID_NORES_A_OR_MX";

  938.             description = "Message-id host no resolve to A or MX";

  939.         }

  940.         symbol {

  941.             weight = 0.50;

  942.             name = "HFILTER_MID_NOT_FQDN";

  943.             description = "Message-id host not FQDN";

  944.         }

  945.     */

  946.         symbol "HFILTER_HOSTNAME_UNKNOWN" {

  947.             weight = 2.50;

  948.             description = "Unknown hostname (no PTR or no resolve PTR to hostname)";

  949.         }

  950.         symbol "HFILTER_RCPT_BOUNCEMOREONE" {

  951.             weight = 1.50;

  952.             description = "Message from bounce and over 1 recepient";

  953.         }

  954.         symbol "HFILTER_URL_ONLY" {

  955.             weight = 1.50;

  956.             description = "URL only in body";

  957.         }

  958.         symbol "HFILTER_URL_ONELINE" {

  959.             weight = 2.20;

  960.             description = "One line URL and text in body";

  961.         }

  962.     }

  963. 

  964.     group "dmarc" {

  965. 

  966.         symbol "DMARC_POLICY_ALLOW" {

  967.             weight = -1.0;

  968.             description = "DMARC permit policy";

  969.         }

  970.         symbol "DMARC_POLICY_REJECT" {

  971.             weight = 2.0;

  972.             description = "DMARC reject policy";

  973.         }

  974.         symbol "DMARC_POLICY_QUARANTINE" {

  975.             weight = 1.5;

  976.             description = "DMARC quarantine policy";

  977.         }

  978.         symbol "DMARC_POLICY_SOFTFAIL" {

  979.             weight = 0.1;

  980.             description = "DMARC failed";

  981.         }

  982.     }

  983.     group "mime_types" {

  984.         symbol "MIME_GOOD" {

  985.             weight = -0.1;

  986.             description = "Known content-type";

  987.             one_shot = true;

  988.         }

  989.         symbol "MIME_BAD" {

  990.             weight = 1.0;

  991.             description = "Known bad content-type";

  992.             one_shot = true;

  993.         }

  994.         symbol "MIME_UNKNOWN" {

  995.             weight = 0.1;

  996.             description = "Missing or unknown content-type";

  997.             one_shot = true;

  998.         }

  999.         symbol "MIME_BAD_ATTACHMENT" {

  1000.             weight = 4.0;

  1001.             description = "Invalid attachement mime type";

  1002.             one_shot = true;

  1003.         }

  1004.     }

  1005. 

  1006.     .include(try=true; priority=1) "$LOCAL_CONFDIR/local.d/metrics.conf"

  1007.     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf"

  1008. }