mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8516 Commits
29 Branches
Tree: 608a41f4c7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '608a41f4c7'
${ noResults }
rspamd/conf/metrics.conf

metrics.conf 21KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672 
  1. # Metrics settings

  2. # Please don't modify this file as your changes might be overwritten with

  3. # the next update.

  4. #

  5. # You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine

  6. # parameters defined on the top level

  7. #

  8. # You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add

  9. # parameters defined on the top level

  10. #

  11. # For specific modules or configuration you can also modify

  12. # '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults

  13. # '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults

  14. #

  15. # See https://rspamd.com/doc/tutorials/writing_rules.html for details

  16. 

  17. metric {

  18.     name = "default";

  19.     # If this param is set to non-zero

  20.     # then a metric would accept all symbols

  21.     # unknown_weight = 1.0

  22. 

  23.     actions {

  24.       reject = 15;

  25.       add_header = 6;

  26.       greylist = 4;

  27.     }

  28. 

  29.     group "excessqp" {

  30.         max_score = 2.4;

  31.     }

  32.     group "excessb64" {

  33.         max_score = 3.0;

  34.     }

  35.     group "header" {

  36.         symbol "FORGED_SENDER" {

  37.             weight = 0.30;

  38.             description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";

  39.         }

  40.         symbol "R_MIXED_CHARSET" {

  41.             weight = 5.0;

  42.             description = "Mixed characters in a message";

  43.             one_shot = true;

  44.         }

  45.         symbol "R_MIXED_CHARSET_URL" {

  46.             weight = 7.0;

  47.             description = "Mixed characters in a URL inside message";

  48.             one_shot = true;

  49.         }

  50.         symbol "FORGED_RECIPIENTS" {

  51.             weight = 2.0;

  52.             description = "Recipients are not the same as RCPT TO: mail command";

  53.         }

  54.         symbol "FORGED_RECIPIENTS_MAILLIST" {

  55.             weight = 0.0;

  56.             description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";

  57.         }

  58.         symbol "FORGED_SENDER_MAILLIST" {

  59.             weight = 0.0;

  60.             description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";

  61.         }

  62.         symbol "ONCE_RECEIVED" {

  63.             weight = 0.1;

  64.             description = "One received header in a message";

  65.         }

  66.         symbol "RDNS_NONE" {

  67.             weight = 1.0;

  68.             description = "Cannot resolve reverse DNS for sender's IP";

  69.         }

  70.         symbol "ONCE_RECEIVED_STRICT" {

  71.             weight = 4.0;

  72.             description = "One received header with 'bad' patterns inside";

  73.         }

  74.         symbol "MAILLIST" {

  75.             weight = -0.2;

  76.             description = "Message seems to be from maillist";

  77.         }

  78.     }

  79. 

  80.     group "subject" {

  81.         max_score = 6.0;

  82.     }

  83. 

  84.     group "mua" {

  85.         symbol "FORGED_MUA_MAILLIST" {

  86.             weight = 0.0;

  87.             description = "Avoid false positives for FORGED_MUA_* in maillist";

  88.         }

  89.     }

  90. 

  91.     group "rbl" {

  92.         symbol "DNSWL_BLOCKED" {

  93.             weight = 0.0;

  94.             description = "Resolver blocked due to excessive queries";

  95.         }

  96.         symbol "RCVD_IN_DNSWL" {

  97.             weight = 0.0;

  98.             description = "Unrecognised result from dnswl.org";

  99.         }

  100.         symbol "RCVD_IN_DNSWL_NONE" {

  101.             weight = 0.0;

  102.             description = "Sender listed at http://www.dnswl.org, low none";

  103.         }

  104.         symbol "RCVD_IN_DNSWL_LOW" {

  105.             weight = 0.0;

  106.             description = "Sender listed at http://www.dnswl.org, low trust";

  107.         }

  108.         symbol "RCVD_IN_DNSWL_MED" {

  109.             weight = 0.0;

  110.             description = "Sender listed at http://www.dnswl.org, medium trust";

  111.         }

  112.         symbol "RCVD_IN_DNSWL_HI" {

  113.             weight = 0.0;

  114.             description = "Sender listed at http://www.dnswl.org, high trust";

  115.         }

  116. 

  117.         symbol "RBL_SPAMHAUS" {

  118.             weight = 0.0;

  119.             description = "Unrecognised result from Spamhaus zen";

  120.         }

  121.         symbol "RBL_SPAMHAUS_SBL" {

  122.             weight = 2.0;

  123.             description = "From address is listed in zen sbl";

  124.         }

  125.         symbol "RBL_SPAMHAUS_CSS" {

  126.             weight = 2.0;

  127.             description = "From address is listed in zen css";

  128.         }

  129.         symbol "RBL_SPAMHAUS_XBL" {

  130.             weight = 4.0;

  131.             description = "From address is listed in zen xbl";

  132.         }

  133.         symbol "RBL_SPAMHAUS_XBL_ANY" {

  134.             weight = 4.0;

  135.             description = "From or receive address is listed in zen xbl (any list)";

  136.         }

  137.         symbol "RBL_SPAMHAUS_PBL" {

  138.             weight = 2.0;

  139.             description = "From address is listed in zen pbl (ISP list)";

  140.         }

  141.         symbol "RBL_SPAMHAUS_DROP" {

  142.             weight = 7.0;

  143.             description = "From address is listed in zen drop bl";

  144.         }

  145.         symbol "RECEIVED_SPAMHAUS_XBL" {

  146.             weight = 3.0;

  147.             description = "Received address is listed in zen xbl";

  148.             one_shot = true;

  149.         }

  150. 

  151.         symbol "RWL_SPAMHAUS_WL" {

  152.             weight = 0.0;

  153.             description = "Unrecognised result from Spamhaus whitelist";

  154.         }

  155.         symbol "RWL_SPAMHAUS_WL_IND" {

  156.             weight = 0.0;

  157.             description = "Sender listed at Spamhaus whitelist";

  158.         }

  159.         symbol "RWL_SPAMHAUS_WL_TRANS" {

  160.             weight = 0.0;

  161.             description = "Sender listed at Spamhaus whitelist";

  162.         }

  163.         symbol "RWL_SPAMHAUS_WL_IND_EXP" {

  164.             weight = 0.0;

  165.             description = "Sender listed at Spamhaus whitelist";

  166.         }

  167.         symbol "RWL_SPAMHAUS_WL_TRANS_EXP" {

  168.             weight = 0.0;

  169.             description = "Sender listed at Spamhaus whitelist";

  170.         }

  171.         symbol "RBL_SENDERSCORE" {

  172.             weight = 2.0;

  173.             description = "From address is listed in senderscore.com BL";

  174.         }

  175.         symbol "RBL_ABUSECH" {

  176.             weight = 1.0;

  177.             description = "From address is listed in ABUSE.CH BL";

  178.         }

  179.         symbol "MAILSPIKE" {

  180.             weight = 0.0;

  181.             description = "Unrecognised result from Mailspike";

  182.         }

  183.         symbol "RWL_MAILSPIKE_NEUTRAL" {

  184.             weight = 0.0;

  185.             description = "Neutral result from Mailspike";

  186.         }

  187.         symbol "RBL_MAILSPIKE_WORST" {

  188.             weight = 2.0;

  189.             description = "From address is listed in RBL - worst possible reputation";

  190.         }

  191.         symbol "RBL_MAILSPIKE_VERYBAD" {

  192.             weight = 1.5;

  193.             description = "From address is listed in RBL - very bad reputation";

  194.         }

  195.         symbol "RBL_MAILSPIKE_BAD" {

  196.             weight = 1.0;

  197.             description = "From address is listed in RBL - bad reputation";

  198.         }

  199.         symbol "RWL_MAILSPIKE_POSSIBLE" {

  200.             weight = 0.0;

  201.             description = "From address is listed in RWL - possibly legit";

  202.         }

  203.         symbol "RWL_MAILSPIKE_GOOD" {

  204.             weight = 0.0;

  205.             description = "From address is listed in RWL - good reputation";

  206.         }

  207.         symbol "RWL_MAILSPIKE_VERYGOOD" {

  208.             weight = 0.0;

  209.             description = "From address is listed in RWL - very good reputation";

  210.         }

  211.         symbol "RWL_MAILSPIKE_EXCELLENT" {

  212.             weight = 0.0;

  213.             description = "From address is listed in RWL - excellent reputation";

  214.         }

  215. 

  216.         symbol "RBL_SORBS" {

  217.             weight = 0.0;

  218.             description = "Unrecognised result from SORBS RBL";

  219.         }

  220.         symbol "RBL_SORBS_HTTP" {

  221.             weight = 2.5;

  222.             description = "List of Open HTTP Proxy Servers.";

  223.         }

  224.         symbol "RBL_SORBS_SOCKS" {

  225.             weight = 2.5;

  226.             description = "List of Open SOCKS Proxy Servers.";

  227.         }

  228.         symbol "RBL_SORBS_MISC" {

  229.             weight = 1.0;

  230.             description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";

  231.         }

  232.         symbol "RBL_SORBS_SMTP" {

  233.             weight = 3.0;

  234.             description = "List of Open SMTP relay servers.";

  235.         }

  236.         symbol "RBL_SORBS_RECENT" {

  237.             weight = 1.5;

  238.             description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";

  239.         }

  240.         symbol "RBL_SORBS_WEB" {

  241.             weight = 0.4;

  242.             description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";

  243.         }

  244.         symbol "RBL_SORBS_DUL" {

  245.             weight = 2.0;

  246.             description = "Dynamic IP Address ranges (NOT a Dial Up list!)";

  247.         }

  248.         symbol "RBL_SORBS_BLOCK" {

  249.             weight = 1.0;

  250.             description = "List of hosts demanding that they never be tested by SORBS.";

  251.         }

  252.         symbol "RBL_SORBS_ZOMBIE" {

  253.             weight = 1.0;

  254.             description = "List of networks hijacked from their original owners, some of which have already used for spamming.";

  255.         }

  256. 

  257.         symbol "RBL_SEM" {

  258.             weight = 1.0;

  259.             description = "Address is listed in Spameatingmonkey RBL";

  260.         }

  261. 

  262.         symbol "RBL_SEM_IPV6" {

  263.             weight = 1.0;

  264.             description = "Address is listed in Spameatingmonkey RBL (ipv6)";

  265.         }

  266.         }

  267. 

  268.         group "bayes" {

  269. 

  270.         symbol "BAYES_SPAM" {

  271.             weight = 4.0;

  272.             description = "Message probably spam, probability: ";

  273.         }

  274.         symbol "BAYES_HAM" {

  275.             weight = -3.0;

  276.             description = "Message probably ham, probability: ";

  277.         }

  278.     }

  279. 

  280.     group "fuzzy" {

  281.         symbol "FUZZY_UNKNOWN" {

  282.             weight = 5.0;

  283.             description = "Generic fuzzy hash match";

  284.         }

  285.         symbol "FUZZY_DENIED" {

  286.             weight = 12.0;

  287.             description = "Denied fuzzy hash";

  288.         }

  289.         symbol "FUZZY_PROB" {

  290.             weight = 5.0;

  291.             description = "Probable fuzzy hash";

  292.         }

  293.         symbol "FUZZY_WHITE" {

  294.             weight = -2.1;

  295.             description = "Whitelisted fuzzy hash";

  296.         }

  297.     }

  298. 

  299.     group "spf" {

  300.         symbol "R_SPF_FAIL" {

  301.             weight = 1.0;

  302.             description = "SPF verification failed";

  303.         }

  304.         symbol "R_SPF_SOFTFAIL" {

  305.             weight = 0.0;

  306.             description = "SPF verification soft-failed";

  307.         }

  308.         symbol "R_SPF_NEUTRAL" {

  309.             weight = 0.0;

  310.             description = "SPF policy is neutral";

  311.         }

  312.         symbol "R_SPF_ALLOW" {

  313.             weight = -0.2;

  314.             description = "SPF verification allows sending";

  315.         }

  316.         symbol "R_SPF_DNSFAIL" {

  317.             weight = 0.0;

  318.             description = "SPF DNS failure";

  319.         }

  320.     }

  321. 

  322.     group "dkim" {

  323.         symbol "R_DKIM_REJECT" {

  324.             weight = 1.0;

  325.             description = "DKIM verification failed";

  326.             one_shot = true;

  327.         }

  328.         symbol "R_DKIM_TEMPFAIL" {

  329.             weight = 0.0;

  330.             description = "DKIM verification soft-failed";

  331.         }

  332.         symbol "R_DKIM_ALLOW" {

  333.             weight = -0.2;

  334.             description = "DKIM verification succeed";

  335.             one_shot = true;

  336.         }

  337.     }

  338. 

  339.     group "surbl" {

  340.         symbol "SURBL_BLOCKED" {

  341.             weight = 0.0;

  342.             description = "SURBL: blocked by policy/overusage";

  343.         }

  344.         symbol "PH_SURBL_MULTI" {

  345.             weight = 5.5;

  346.             description = "SURBL: Phishing sites";

  347.         }

  348.         symbol "MW_SURBL_MULTI" {

  349.             weight = 5.5;

  350.             description = "SURBL: Malware sites";

  351.         }

  352.         symbol "ABUSE_SURBL" {

  353.             weight = 5.5;

  354.             description = "SURBL: ABUSE";

  355.         }

  356.         symbol "CRACKED_SURBL" {

  357.             weight = 4.0;

  358.             description = "SURBL: cracked site";

  359.         }

  360.         symbol "RAMBLER_URIBL" {

  361.             weight = 4.5;

  362.             description = "rambler.ru uribl";

  363.         }

  364. 

  365.         symbol "SEM_URIBL_UNKNOWN" {

  366.             weight = 0.0;

  367.             description = "Spameatingmonkey uribl: unknown result";

  368.         }

  369.         symbol "SEM_URIBL" {

  370.             weight = 3.5;

  371.             description = "Spameatingmonkey uribl";

  372.         }

  373. 

  374.         symbol "SEM_URIBL_FRESH15_UNKNOWN" {

  375.             weight = 0.0;

  376.             description = "Spameatingmonkey Fresh15 uribl: unknown result";

  377.         }

  378.         symbol "SEM_URIBL_FRESH15" {

  379.             weight = 3.0;

  380.             description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";

  381.         }

  382. 

  383.         symbol "DBL" {

  384.             weight = 0.0;

  385.             description = "DBL unknown result";

  386.         }

  387.         symbol "DBL_SPAM" {

  388.             weight = 6.5;

  389.             description = "DBL uribl spam";

  390.         }

  391.         symbol "DBL_PHISH" {

  392.             weight = 6.5;

  393.             description = "DBL uribl phishing";

  394.         }

  395.         symbol "DBL_MALWARE" {

  396.             weight = 6.5;

  397.             description = "DBL uribl malware";

  398.         }

  399.         symbol "DBL_BOTNET" {

  400.             weight = 5.5;

  401.             description = "DBL uribl botnet C&C domain";

  402.         }

  403.         symbol "DBL_ABUSE" {

  404.             weight = 6.5;

  405.             description = "DBL uribl abused legit spam";

  406.         }

  407.         symbol "DBL_ABUSE_REDIR" {

  408.             weight = 1.5;

  409.             description = "DBL uribl abused spammed redirector domain";

  410.         }

  411.         symbol "DBL_ABUSE_PHISH" {

  412.             weight = 7.5;

  413.             description = "DBL uribl abused legit phish";

  414.         }

  415.         symbol "DBL_ABUSE_MALWARE" {

  416.             weight = 7.5;

  417.             description = "DBL uribl abused legit malware";

  418.         }

  419.         symbol "DBL_ABUSE_BOTNET" {

  420.             weight = 5.5;

  421.             description = "DBL uribl abused legit botnet C&C";

  422.         }

  423.         symbol "DBL_PROHIBIT" {

  424.             weight = 0.00000;

  425.             description = "DBL uribl IP queries prohibited!";

  426.         }

  427.         symbol "URIBL_MULTI" {

  428.             weight = 0.0;

  429.             description = "uribl.com: unrecognised result";

  430.         }

  431.         symbol "URIBL_BLOCKED" {

  432.             weight = 0.0;

  433.             description = "uribl.com: query refused";

  434.         }

  435.         symbol "URIBL_BLACK" {

  436.             weight = 7.5;

  437.             description = "uribl.com black url";

  438.         }

  439.         symbol "URIBL_RED" {

  440.             weight = 3.5;

  441.             description = "uribl.com red url";

  442.         }

  443.         symbol "URIBL_GREY" {

  444.             weight = 1.5;

  445.             description = "uribl.com grey url";

  446.             one_shot = true;

  447.         }

  448.         symbol "RAMBLER_EMAILBL" {

  449.             weight = 9.5;

  450.             description = "rambler.ru emailbl";

  451.             one_shot = true;

  452.         }

  453. 

  454.         symbol "SBL_URIBL" {

  455.             weight = 0.0;

  456.             description = "SBL URIBL: Filtered result";

  457.         }

  458.         symbol "URIBL_SBL" {

  459.             weight = 6.5;

  460.             description = "Spamhaus SBL URIBL";

  461.         }

  462.         symbol "URIBL_SBL_CSS" {

  463.             weight = 6.5;

  464.             description = "Spamhaus SBL CSS URIBL";

  465.         }

  466.         symbol "RBL_SARBL_BAD" {

  467.             weight = 2.5;

  468.             description = "A domain listed in the mail is blacklisted in SARBL";

  469.        }

  470.     }

  471. 

  472.     group "phishing" {

  473.         symbol "PHISHING" {

  474.             weight = 4.0;

  475.             description = "Phished URL";

  476.             one_shot = true;

  477.         }

  478.         symbol "PHISHED_OPENPHISH" {

  479.             weight = 7.0;

  480.             description = "Phished URL found in openphish.com";

  481.         }

  482.         symbol "PHISHED_PHISHTANK" {

  483.             weight = 7.0;

  484.             description = "Phished URL found in phishtank.com";

  485.         }

  486.     }

  487. 

  488.     group "hfilter" {

  489.         symbol "HFILTER_HELO_BAREIP" {

  490.             weight = 3.00;

  491.             description = "Helo host is bare ip";

  492.         }

  493.         symbol "HFILTER_HELO_BADIP" {

  494.             weight = 4.50;

  495.             description = "Helo host is very bad ip";

  496.         }

  497.         symbol "HFILTER_HELO_1" {

  498.             weight = 0.5;

  499.             description = "Helo host checks (very low)";

  500.         }

  501.         symbol "HFILTER_HELO_2" {

  502.             weight = 1.00;

  503.             description = "Helo host checks (low)";

  504.         }

  505.         symbol "HFILTER_HELO_3" {

  506.             weight = 2.00;

  507.             description = "Helo host checks (medium)";

  508.         }

  509.         symbol "HFILTER_HELO_4" {

  510.             weight = 2.50;

  511.             description = "Helo host checks (hard)";

  512.         }

  513.         symbol "HFILTER_HELO_5" {

  514.             weight = 3.00;

  515.             description = "Helo host checks (very hard)";

  516.         }

  517.         symbol "HFILTER_HOSTNAME_1" {

  518.             weight = 0.5;

  519.             description = "Hostname checks (very low)";

  520.         }

  521.         symbol "HFILTER_HOSTNAME_2" {

  522.             weight = 1.00;

  523.             description = "Hostname checks (low)";

  524.         }

  525.         symbol "HFILTER_HOSTNAME_3" {

  526.             weight = 2.00;

  527.             description = "Hostname checks (medium)";

  528.         }

  529.         symbol "HFILTER_HOSTNAME_4" {

  530.             weight = 2.50;

  531.             description = "Hostname checks (hard)";

  532.         }

  533.         symbol "HFILTER_HOSTNAME_5" {

  534.             weight = 3.00;

  535.             description = "Hostname checks (very hard)";

  536.         }

  537.         symbol "HFILTER_HELO_NORESOLVE_MX" {

  538.             weight = 0.20;

  539.             description = "MX found in Helo and no resolve";

  540.         }

  541.         symbol "HFILTER_HELO_NORES_A_OR_MX" {

  542.             weight = 0.3;

  543.             description = "Helo no resolve to A or MX";

  544.         }

  545.         symbol "HFILTER_HELO_IP_A" {

  546.             weight = 1.00;

  547.             description = "Helo A IP != hostname IP";

  548.         }

  549.         symbol "HFILTER_HELO_NOT_FQDN" {

  550.             weight = 2.00;

  551.             description = "Helo not FQDN";

  552.         }

  553.         symbol "HFILTER_FROMHOST_NORESOLVE_MX" {

  554.             weight = 0.5;

  555.             description = "MX found in FROM host and no resolve";

  556.         }

  557.         symbol "HFILTER_FROMHOST_NORES_A_OR_MX" {

  558.             weight = 1.50;

  559.             description = "FROM host no resolve to A or MX";

  560.         }

  561.         symbol "HFILTER_FROMHOST_NOT_FQDN" {

  562.             weight = 3.00;

  563.             description = "FROM host not FQDN";

  564.         }

  565.         symbol "HFILTER_FROM_BOUNCE" {

  566.             weight = 0.00;

  567.             description = "Bounce message";

  568.         }

  569.     /*

  570.         symbol {

  571.             weight = 0.50;

  572.             name = "HFILTER_MID_NORESOLVE_MX";

  573.             description = "MX found in Message-id host and no resolve";

  574.         }

  575.         symbol {

  576.             weight = 0.50;

  577.             name = "HFILTER_MID_NORES_A_OR_MX";

  578.             description = "Message-id host no resolve to A or MX";

  579.         }

  580.         symbol {

  581.             weight = 0.50;

  582.             name = "HFILTER_MID_NOT_FQDN";

  583.             description = "Message-id host not FQDN";

  584.         }

  585.     */

  586.         symbol "HFILTER_HOSTNAME_UNKNOWN" {

  587.             weight = 2.50;

  588.             description = "Unknown hostname (no PTR or no resolve PTR to hostname)";

  589.         }

  590.         symbol "HFILTER_RCPT_BOUNCEMOREONE" {

  591.             weight = 1.50;

  592.             description = "Message from bounce and over 1 recepient";

  593.         }

  594.         symbol "HFILTER_URL_ONLY" {

  595.             weight = 2.20;

  596.             description = "URL only in body";

  597.         }

  598.         symbol "HFILTER_URL_ONELINE" {

  599.             weight = 2.50;

  600.             description = "One line URL and text in body";

  601.         }

  602.     }

  603. 

  604.     group "dmarc" {

  605. 

  606.         symbol "DMARC_POLICY_ALLOW" {

  607.             weight = -0.5;

  608.             description = "DMARC permit policy";

  609.         }

  610.         symbol "DMARC_POLICY_ALLOW_WITH_FAILURES" {

  611.             weight = -0.5;

  612.             description = "DMARC permit policy with DKIM/SPF failure";

  613.         }

  614.         symbol "DMARC_POLICY_REJECT" {

  615.             weight = 2.0;

  616.             description = "DMARC reject policy";

  617.         }

  618.         symbol "DMARC_POLICY_QUARANTINE" {

  619.             weight = 1.5;

  620.             description = "DMARC quarantine policy";

  621.         }

  622.         symbol "DMARC_POLICY_SOFTFAIL" {

  623.             weight = 0.1;

  624.             description = "DMARC failed";

  625.         }

  626.     }

  627.     group "mime_types" {

  628.         symbol "MIME_GOOD" {

  629.             weight = -0.1;

  630.             description = "Known content-type";

  631.             one_shot = true;

  632.         }

  633.         symbol "MIME_BAD" {

  634.             weight = 1.0;

  635.             description = "Known bad content-type";

  636.             one_shot = true;

  637.         }

  638.         symbol "MIME_UNKNOWN" {

  639.             weight = 0.1;

  640.             description = "Missing or unknown content-type";

  641.             one_shot = true;

  642.         }

  643.         symbol "MIME_BAD_ATTACHMENT" {

  644.             weight = 4.0;

  645.             description = "Invalid attachement mime type";

  646.             one_shot = true;

  647.         }

  648.         symbol "MIME_ENCRYPTED_ARCHIVE" {

  649.             weight = 2.0;

  650.             description = "Encrypted archive in a message";

  651.             one_shot = true;

  652.         }

  653.         symbol "MIME_ARCHIVE_IN_ARCHIVE" {

  654.             weight = 5.0;

  655.             description = "Archive within another archive";

  656.             one_shot = true;

  657.         }

  658.         symbol "MIME_DOUBLE_BAD_EXTENSION" {

  659.             weight = 3.0; # This rule has dynamic weight up to 4.0

  660.             description = "Bad extension cloaking";

  661.             one_shot = true;

  662.         }

  663.         symbol "MIME_BAD_EXTENSION" {

  664.             weight = 2.0; # This rule has dynamic weight up to 4.0

  665.             description = "Bad extension";

  666.             one_shot = true;

  667.         }

  668.     }

  669. 

  670.     .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf"

  671.     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf"

  672. }