mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2136 Commits
29 Branches
Tree: a79cc70480
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a79cc70480'
${ noResults }
rspamd/conf/metrics.conf

metrics.conf 23KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729 
  1. # Metrics settings

  2. 

  3. metric {

  4.     name = "default";

  5. 	actions {

  6. 		reject = 15;

  7. 		add_header = 6;

  8. 		greylist = 4;

  9. 	};

  10.     symbol {

  11.         weight = 2.0;

  12.         description = "Subject is missing inside message";

  13.         name = "MISSING_SUBJECT";

  14.     }

  15.     symbol {

  16.         weight = 2.100000;

  17.         description = "Message pretends to be send from Outlook but has 'strange' tags ";

  18.         name = "FORGED_OUTLOOK_TAGS";

  19.     }

  20.     symbol {

  21.         weight = 0.30;

  22.         description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";

  23.         name = "FORGED_SENDER";

  24.     }

  25.     symbol {

  26.         weight = 3.500000;

  27.         description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";

  28.         name = "SUSPICIOUS_RECIPS";

  29.     }

  30.     symbol {

  31.         weight = 6.0;

  32.         description = "Fake reply (has RE in subject, but has not References header)";

  33.         name = "FAKE_REPLY_C";

  34.     }

  35.     symbol {

  36.         weight = 1.0;

  37.         description = "Messages that have only HTML part";

  38.         name = "MIME_HTML_ONLY";

  39.     }

  40.     symbol {

  41.         weight = 2.0;

  42.         description = "Forged yahoo msgid";

  43.         name = "FORGED_MSGID_YAHOO";

  44.     }

  45.     symbol {

  46.         weight = 2.0;

  47.         description = "Forged The Bat! MUA headers";

  48.         name = "FORGED_MUA_THEBAT_BOUN";

  49.     }

  50.     symbol {

  51.         weight = 5.0;

  52.         description = "Charset is missing in a message";

  53.         name = "R_MISSING_CHARSET";

  54.     }

  55.     symbol {

  56.         weight = 2.0;

  57.         description = "Two received headers with ip addresses";

  58.         name = "RCVD_DOUBLE_IP_SPAM";

  59.     }

  60.     symbol {

  61.         weight = 5.0;

  62.         description = "Forged outlook HTML signature";

  63.         name = "FORGED_OUTLOOK_HTML";

  64.     }

  65.     symbol {

  66.         weight = 5.0;

  67.         description = "Recipients are absent or undisclosed";

  68.         name = "R_UNDISC_RCPT";

  69.     }

  70.     symbol {

  71.         weight = 9.0;

  72.         description = "White color on white background in HTML messages";

  73.         name = "R_WHITE_ON_WHITE";

  74.     }

  75.     symbol {

  76.         weight = 3.0;

  77.         description = "Short html part with a link to an image";

  78.         name = "HTML_SHORT_LINK_IMG_2";

  79.     }

  80.     symbol {

  81.         weight = 3.0;

  82.         description = "Forged outlook MUA";

  83.         name = "FORGED_MUA_OUTLOOK";

  84.     }

  85.     symbol {

  86.         weight = 0.0;

  87.         description = "Forged outlook MUA, but from maillist";

  88.         name = "FORGED_MUA_OUTLOOK_MAILLIST";

  89.     }

  90.     symbol {

  91.         weight = 5.0;

  92.         description = "Suspicious boundary in header Content-Type";

  93.         name = "SUSPICIOUS_BOUNDARY";

  94.     }

  95.     symbol {

  96.         weight = 4.0;

  97.         description = "Suspicious boundary in header Content-Type";

  98.         name = "SUSPICIOUS_BOUNDARY2";

  99.     }

  100.     symbol {

  101.         weight = 3.0;

  102.         description = "Suspicious boundary in header Content-Type";

  103.         name = "SUSPICIOUS_BOUNDARY3";

  104.     }

  105.     symbol {

  106.         weight = 4.0;

  107.         description = "Suspicious boundary in header Content-Type";

  108.         name = "SUSPICIOUS_BOUNDARY4";

  109.     }

  110.     symbol {

  111.         weight = 4.0;

  112.         description = "Message pretends to be send from The Bat! but has forged Message-ID";

  113.         name = "FORGED_MUA_THEBAT_MSGID";

  114.     }

  115.     symbol {

  116.         weight = 3.0;

  117.         description = "Message pretends to be send from The Bat! but has forged Message-ID";

  118.         name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN";

  119.     }

  120.     symbol {

  121.         weight = 3.0;

  122.         description = "Message pretends to be send from KMail but has forged Message-ID";

  123.         name = "FORGED_MUA_KMAIL_MSGID";

  124.     }

  125.     symbol {

  126.         weight = 2.500000;

  127.         description = "Message pretends to be send from KMail but has forged Message-ID";

  128.         name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN";

  129.     }

  130.     symbol {

  131.         weight = 4.0;

  132.         description = "Message pretends to be send from Opera Mail but has forged Message-ID";

  133.         name = "FORGED_MUA_OPERA_MSGID";

  134.     }

  135.     symbol {

  136.         weight = 4.0;

  137.         description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";

  138.         name = "SUSPICIOUS_OPERA_10W_MSGID";

  139.     }

  140.     symbol {

  141.         weight = 4.0;

  142.         description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";

  143.         name = "FORGED_MUA_MOZILLA_MAIL_MSGID";

  144.     }

  145.     symbol {

  146.         weight = 2.500000;

  147.         description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";

  148.         name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN";

  149.     }

  150.     symbol {

  151.         weight = 4.0;

  152.         description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";

  153.         name = "FORGED_MUA_THUNDERBIRD_MSGID";

  154.     }

  155.     symbol {

  156.         weight = 2.500000;

  157.         description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";

  158.         name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN";

  159.     }

  160.     symbol {

  161.         weight = 4.0;

  162.         description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";

  163.         name = "FORGED_MUA_SEAMONKEY_MSGID";

  164.     }

  165.     symbol {

  166.         weight = 2.500000;

  167.         description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";

  168.         name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN";

  169.     }

  170.     symbol {

  171.         weight = 2.0;

  172.         description = "Fake helo for verizon provider";

  173.         name = "FM_FAKE_HELO_VERIZON";

  174.     }

  175.     symbol {

  176.         weight = 2.0;

  177.         description = "Quoted reply-to from yahoo (seems to be forged)";

  178.         name = "REPTO_QUOTE_YAHOO";

  179.     }

  180.     symbol {

  181.         weight = 5.0;

  182.         description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";

  183.         name = "MISSING_MIMEOLE";

  184.     }

  185.     symbol {

  186.         weight = 2.0;

  187.         description = "To header is missing";

  188.         name = "MISSING_TO";

  189.     }

  190.     symbol {

  191.         weight = 1.500000;

  192.         description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  193.         name = "FROM_EXCESS_BASE64";

  194.     }

  195.     symbol {

  196.         weight = 1.200000;

  197.         description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  198.         name = "FROM_EXCESS_QP";

  199.     }

  200.     symbol {

  201.         weight = 1.500000;

  202.         description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  203.         name = "TO_EXCESS_BASE64";

  204.     }

  205.     symbol {

  206.         weight = 1.200000;

  207.         description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  208.         name = "TO_EXCESS_QP";

  209.     }

  210.     symbol {

  211.         weight = 1.500000;

  212.         description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  213.         name = "REPLYTO_EXCESS_BASE64";

  214.     }

  215.     symbol {

  216.         weight = 1.200000;

  217.         description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  218.         name = "REPLYTO_EXCESS_QP";

  219.     }

  220.     symbol {

  221.         weight = 1.500000;

  222.         description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  223.         name = "CC_EXCESS_BASE64";

  224.     }

  225.     symbol {

  226.         weight = 1.200000;

  227.         description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  228.         name = "CC_EXCESS_QP";

  229.     }

  230.     symbol {

  231.         weight = 5.0;

  232.         description = "Mixed characters in a message";

  233.         name = "R_MIXED_CHARSET";

  234.     }

  235.     symbol {

  236.         weight = 3.500000;

  237.         description = "Recipients list seems to be sorted";

  238.         name = "SORTED_RECIPS";

  239.     }

  240.     symbol {

  241.         weight = 3.0;

  242.         description = "Spambots signatures in received headers";

  243.         name = "R_RCVD_SPAMBOTS";

  244.     }

  245.     symbol {

  246.         weight = 2.0;

  247.         description = "To header seems to be autogenerated";

  248.         name = "R_TO_SEEMS_AUTO";

  249.     }

  250.     symbol {

  251.         weight = 1.0;

  252.         description = "Subject needs encoding";

  253.         name = "SUBJECT_NEEDS_ENCODING";

  254.     }

  255.     symbol {

  256.         weight = 3.840000;

  257.         description = "Spam string at the end of message to make statistics faults 0";

  258.         name = "TRACKER_ID";

  259.     }

  260.     symbol {

  261.         weight = 1.0;

  262.         description = "No space in from header";

  263.         name = "R_NO_SPACE_IN_FROM";

  264.     }

  265.     symbol {

  266.         weight = 8.0;

  267.         description = "Subject seems to be spam";

  268.         name = "R_SAJDING";

  269.     }

  270.     symbol {

  271.         weight = 3.0;

  272.         description = "Detects bad content-transfer-encoding for text parts";

  273.         name = "R_BAD_CTE_7BIT";

  274.     }

  275.     symbol {

  276.         weight = 10.0;

  277.         description = "Flash redirect on imageshack.us";

  278.         name = "R_FLASH_REDIR_IMGSHACK";

  279.     }

  280.     symbol {

  281.         weight = 5.0;

  282.         description = "Message id is incorrect";

  283.         name = "INVALID_MSGID";

  284.     }

  285.     symbol {

  286.         weight = 3.0;

  287.         description = "Message id is missing ";

  288.         name = "MISSING_MID";

  289.     }

  290.     symbol {

  291.         weight = 1.0;

  292.         description = "Recipients are not the same as RCPT TO: mail command";

  293.         name = "FORGED_RECIPIENTS";

  294.     }

  295.     symbol {

  296.         weight = 0.0;

  297.         description = "Recipients are not the same as RCPT TO: mail command, but from maillist";

  298.         name = "FORGED_RECIPIENTS_MAILLIST";

  299.     }

  300.     symbol {

  301.         weight = 2.0;

  302.         description = "Forged Exchange messages ";

  303.         name = "RATWARE_MS_HASH";

  304.     }

  305.     symbol {

  306.         weight = 1.0;

  307.         description = "Reply-type in content-type";

  308.         name = "STOX_REPLY_TYPE";

  309.     }

  310.     symbol {

  311.         weight = 3.0;

  312.         description = "IP in received headers is in PBL";

  313.         name = "R_IP_PBL";

  314.     }

  315.     symbol {

  316.         weight = 1.0;

  317.         description = "One received header in a message ";

  318.         name = "ONCE_RECEIVED";

  319.     }

  320.     symbol {

  321.         weight = 4.0;

  322.         description = "One received header with 'bad' patterns inside";

  323.         name = "ONCE_RECEIVED_STRICT";

  324.     }

  325.     symbol { name = "RBL_SPAMHAUS"; weight = 0.0; description = "From address is listed in zen"; }

  326.     symbol { name = "RBL_SPAMHAUS_SBL"; weight = 2.0; description = "From address is listed in zen sbl"; }

  327.     symbol { name = "RBL_SPAMHAUS_CSS"; weight = 2.0; description = "From address is listed in zen css"; }

  328.     symbol { name = "RBL_SPAMHAUS_XBL"; weight = 4.0; description = "From address is listed in zen xbl"; }

  329.     symbol { name = "RBL_SPAMHAUS_PBL"; weight = 2.0; description = "From address is listed in zen pbl"; }

  330.     symbol { name = "RECEIVED_SPAMHAUS_XBL"; weight = 3.0; description = "Received address is listed in zen pbl"; }

  331.     symbol {

  332.         weight = 2.0;

  333.         description = "From address is listed in senderscore.com BL";

  334.         name = "RBL_SENDERSCORE";

  335.     }

  336.     symbol {

  337.         weight = 2.0;

  338.         description = "From address is listed in mailspike.com BL";

  339.         name = "RBL_MAILSPIKE";

  340.     }

  341.     symbol {

  342.         weight = 1.0;

  343.         name = "RBL_SORBS";

  344.         description = "From address is listed in SORBS RBL";

  345.     }

  346.     symbol {

  347.         weight = 2.5; 

  348.         name = "RBL_SORBS_HTTP";

  349.         description = "List of Open HTTP Proxy Servers.";

  350.     }

  351.     symbol {

  352.         weight = 2.5;

  353.         name = "RBL_SORBS_SOCKS";

  354.         description = "List of Open SOCKS Proxy Servers.";

  355.     }

  356.     symbol {

  357.         weight = 1.0;

  358.         name = "RBL_SORBS_MISC";

  359.         description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";

  360.     }

  361.     symbol {

  362.         weight = 3.0;

  363.         name = "RBL_SORBS_SMTP";

  364.         description = "List of Open SMTP relay servers.";

  365.     }

  366.     symbol {

  367.         weight = 1.5;

  368.         name = "RBL_SORBS_RECENT";

  369.         description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";

  370.     }

  371.     symbol {

  372.         weight = 0.4;

  373.         name = "RBL_SORBS_WEB";

  374.         description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";

  375.     }

  376.     symbol {

  377.         weight = 2.0;

  378.         name = "RBL_SORBS_DUL";

  379.         description = "Dynamic IP Address ranges (NOT a Dial Up list!)";

  380.     }

  381.     symbol {

  382.         weight = 1.0;

  383.         name = "RBL_SORBS_BLOCK";

  384.         description = "List of hosts demanding that they never be tested by SORBS.";

  385.     }

  386.     symbol {

  387.         weight = 1.0;

  388.         name = "RBL_SORBS_ZOMBIE";

  389.         description = "List of networks hijacked from their original owners, some of which have already used for spamming.";

  390.     }

  391.     

  392.     symbol { name = "RBL_SEM_UNKNOWN"; weight = 0.0; description = "Address is listed in Spameatingmonkey RBL"; }

  393.     symbol { name = "RBL_SEM"; weight = 1.0; description = "Address is listed in Spameatingmonkey RBL"; }

  394.     

  395.     symbol {

  396.         weight = 3.0;

  397.         description = "Text and HTML parts differ";

  398.         name = "R_PARTS_DIFFER";

  399.     }

  400.     symbol {

  401.         weight = 2.0;

  402.         description = "Only Content-Type header without other MIME headers";

  403.         name = "MIME_HEADER_CTYPE_ONLY";

  404.     }

  405.     symbol {

  406.         weight = 2.0;

  407.         description = "Message contains empty parts and image ";

  408.         name = "R_EMPTY_IMAGE";

  409.     }

  410.     symbol {

  411.         weight = 2.0;

  412.         description = "Drugs patterns inside message";

  413.         name = "DRUGS_MANYKINDS";

  414.     }

  415.     symbol {

  416.         weight = 2.0;

  417.         description = "";

  418.         name = "DRUGS_ANXIETY";

  419.     }

  420.     symbol {

  421.         weight = 2.0;

  422.         description = "";

  423.         name = "DRUGS_MUSCLE";

  424.     }

  425.     symbol {

  426.         weight = 2.0;

  427.         description = "";

  428.         name = "DRUGS_ANXIETY_EREC";

  429.     }

  430.     symbol {

  431.         weight = 2.0;

  432.         description = "";

  433.         name = "DRUGS_DIET";

  434.     }

  435.     symbol {

  436.         weight = 2.0;

  437.         description = "";

  438.         name = "DRUGS_ERECTILE";

  439.     }

  440.     symbol {

  441.         weight = 3.300000;

  442.         description = "2 'advance fee' patterns in a message";

  443.         name = "ADVANCE_FEE_2";

  444.     }

  445.     symbol {

  446.         weight = 2.120000;

  447.         description = "3 'advance fee' patterns in a message";

  448.         name = "ADVANCE_FEE_3";

  449.     }

  450.     symbol {

  451.         weight = 8.0;

  452.         description = "Lotto signatures";

  453.         name = "R_LOTTO";

  454.     }

  455.     symbol {

  456.         weight = 3.0;

  457.         description = "Message probably spam, probability: ";

  458.         name = "BAYES_SPAM";

  459.     }

  460.     symbol {

  461.         weight = -3.0;

  462.         description = "Message probably ham, probability: ";

  463.         name = "BAYES_HAM";

  464.     }

  465.     symbol {

  466.         weight = 5.0;

  467.         description = "Generic fuzzy hash match";

  468.         name = "FUZZY_UNKNOWN";

  469.     }

  470.     symbol {

  471.         weight = 10.0;

  472.         description = "Denied fuzzy hash";

  473.         name = "FUZZY_DENIED";

  474.     }

  475.     symbol {

  476.         weight = 5.0;

  477.         description = "Probable fuzzy hash";

  478.         name = "FUZZY_PROB";

  479.     }

  480.     symbol {

  481.         weight = -2.1;

  482.         description = "Whitelisted fuzzy hash";

  483.         name = "FUZZY_WHITE";

  484.     }

  485.     symbol {

  486.         weight = 1.0;

  487.         description = "SPF verification failed";

  488.         name = "R_SPF_FAIL";

  489.     }

  490.     symbol {

  491.         weight = 0.0;

  492.         description = "SPF verification soft-failed";

  493.         name = "R_SPF_SOFTFAIL";

  494.     }

  495.     symbol {

  496.         weight = -1.1;

  497.         description = "SPF verification alowed";

  498.         name = "R_SPF_ALLOW";

  499.     }

  500.     symbol {

  501.         weight = 1.0;

  502.         description = "DKIM verification failed";

  503.         name = "R_DKIM_REJECT";

  504.     }

  505.     symbol {

  506.         weight = 0.0;

  507.         description = "SPF verification soft-failed";

  508.         name = "R_DKIM_TEMPFAIL";

  509.     }

  510.     symbol {

  511.         weight = -1.1;

  512.         description = "DKIM verification succeed";

  513.         name = "R_DKIM_ALLOW";

  514.     }

  515.     symbol {

  516.         weight = -1.0;

  517.         description = "Message seems to be from maillist";

  518.         name = "MAILLIST";

  519.     }

  520.     symbol {

  521.         weight = 5.500000;

  522.         description = "Phishing and malware sites";

  523.         name = "PH_SURBL_MULTI";

  524.     }

  525.     symbol {

  526.         weight = 5.500000;

  527.         description = "Outblaze URI Blacklist";

  528.         name = "OB_SURBL_MULTI";

  529.     }

  530.     symbol {

  531.         weight = 5.500000;

  532.         description = "AbuseButler web sites";

  533.         name = "AB_SURBL_MULTI";

  534.     }

  535.     symbol {

  536.         weight = 5.500000;

  537.         description = "SpamCop web sites";

  538.         name = "SC_SURBL_MULTI";

  539.     }

  540.     symbol {

  541.         weight = 5.500000;

  542.         description = "jwSpamSpy + Prolocation sites";

  543.         name = "JP_SURBL_MULTI";

  544.     }

  545.     symbol {

  546.         weight = 5.500000;

  547.         description = "sa-blacklist web sites ";

  548.         name = "WS_SURBL_MULTI";

  549.     }

  550.     symbol {

  551.         weight = 4.500000;

  552.         description = "rambler.ru uribl";

  553.         name = "RAMBLER_URIBL";

  554.     }

  555.     

  556.     symbol { weight = 0.0; name = "SEM_URIBL_UNKNOWN"; description = "Spameatingmonkey uribl unknown"; }

  557.     symbol { weight = 3.5; name = "SEM_URIBL"; description = "Spameatingmonkey uribl"; }

  558. 

  559.     symbol { weight = 0.0; name = "SEM_URIBL_FRESH15_UNKNOWN"; description = "Spameatingmonkey uribl unknown"; }

  560.     symbol { weight = 3.0; name = "SEM_URIBL_FRESH15"; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; }

  561.     

  562.     symbol {

  563.         weight = 5.500000;

  564.         description = "DBL uribl";

  565.         name = "DBL";

  566.     }

  567.     symbol {

  568.         weight = 7.5;

  569.         description = "uribl.com black url";

  570.         name = "URIBL_BLACK";

  571.     }

  572.     symbol {

  573.         weight = 3.5;

  574.         description = "uribl.com red url";

  575.         name = "URIBL_RED";

  576.     }

  577.     symbol {

  578.         weight = 1.5;

  579.         description = "uribl.com grey url";

  580.         name = "URIBL_GREY";

  581.     }

  582.     symbol {

  583.         weight = 9.500000;

  584.         description = "rambler.ru emailbl";

  585.         name = "RAMBLER_EMAILBL";

  586.     }

  587.     symbol {

  588.         weight = 5.0;

  589.         description = "Phished mail";

  590.         name = "PHISHING";

  591.     }

  592.     symbol {

  593.         weight = 1.0;

  594.         description = "Header From begins with tab";

  595.         name = "HEADER_FROM_DELIMITER_TAB";

  596.     }

  597.     symbol {

  598.         weight = 1.0;

  599.         description = "Header To begins with tab";

  600.         name = "HEADER_TO_DELIMITER_TAB";

  601.     }

  602.     symbol {

  603.         weight = 1.0;

  604.         description = "Header Cc begins with tab";

  605.         name = "HEADER_CC_DELIMITER_TAB";

  606.     }

  607.     symbol {

  608.         weight = 1.0;

  609.         description = "Header Reply-To begins with tab";

  610.         name = "HEADER_REPLYTO_DELIMITER_TAB";

  611.     }

  612.     symbol {

  613.         weight = 1.0;

  614.         description = "Header Date begins with tab";

  615.         name = "HEADER_DATE_DELIMITER_TAB";

  616.     }

  617.     symbol {

  618.         weight = 1.0;

  619.         description = "Header From has no delimiter between header name and header value";

  620.         name = "HEADER_FROM_EMPTY_DELIMITER";

  621.     }

  622.     symbol {

  623.         weight = 1.0;

  624.         description = "Header To has no delimiter between header name and header value";

  625.         name = "HEADER_TO_EMPTY_DELIMITER";

  626.     }

  627.     symbol {

  628.         weight = 1.0;

  629.         description = "Header Cc has no delimiter between header name and header value";

  630.         name = "HEADER_CC_EMPTY_DELIMITER";

  631.     }

  632.     symbol {

  633.         weight = 1.0;

  634.         description = "Header Reply-To has no delimiter between header name and header value";

  635.         name = "HEADER_REPLYTO_EMPTY_DELIMITER";

  636.     }

  637.     symbol {

  638.         weight = 1.0;

  639.         description = "Header Date has no delimiter between header name and header value";

  640.         name = "HEADER_DATE_EMPTY_DELIMITER";

  641.     }

  642.     symbol {

  643.         weight = 4.0;

  644.         description = "Header Received has raw illegal character";

  645.         name = "RCVD_ILLEGAL_CHARS";

  646.     }

  647.     symbol {

  648.         weight = 4.0;

  649.         description = "Fake helo mail.ru in header Received from non mail.ru sender address";

  650.         name = "FAKE_RECEIVED_mail_ru";

  651.     }

  652.     symbol {

  653.         weight = 4.0;

  654.         description = "Fake smtp.yandex.ru Received";

  655.         name = "FAKE_RECEIVED_smtp_yandex_ru";

  656.     }

  657.     symbol {

  658.         weight = 3.600000;

  659.         description = "Forged generic Received";

  660.         name = "FORGED_GENERIC_RECEIVED";

  661.     }

  662.     symbol {

  663.         weight = 3.600000;

  664.         description = "Forged generic Received";

  665.         name = "FORGED_GENERIC_RECEIVED2";

  666.     }

  667.     symbol {

  668.         weight = 3.600000;

  669.         description = "Forged generic Received";

  670.         name = "FORGED_GENERIC_RECEIVED3";

  671.     }

  672.     symbol {

  673.         weight = 3.600000;

  674.         description = "Forged generic Received";

  675.         name = "FORGED_GENERIC_RECEIVED4";

  676.     }

  677.     symbol {

  678.         weight = 4.600000;

  679.         description = "Forged generic Received";

  680.         name = "FORGED_GENERIC_RECEIVED5";

  681.     }

  682.     symbol {

  683.         weight = 3.0;

  684.         description = "Invalid Postfix Received";

  685.         name = "INVALID_POSTFIX_RECEIVED";

  686.     }

  687.     symbol {

  688.         weight = 5.0;

  689.         description = "Invalid Exim Received";

  690.         name = "INVALID_EXIM_RECEIVED";

  691.     }

  692.     symbol {

  693.         weight = 3.0;

  694.         description = "Invalid Exim Received";

  695.         name = "INVALID_EXIM_RECEIVED2";

  696.     }

  697.     symbol {

  698.         weight = 4.0;

  699.         description = "Message date is in future";

  700.         name = "DATE_IN_FUTURE";

  701.     }

  702.     symbol {

  703.         weight = 1.0;

  704.         description = "Message date is in past";

  705.         name = "DATE_IN_PAST";

  706.     }

  707. # hfilter symbols

  708.     symbol { weight = 1.00; name = "HFILTER_HELO_1"; description = "Helo host checks (very low)"; }

  709.     symbol { weight = 2.00; name = "HFILTER_HELO_2"; description = "Helo host checks (low)"; }

  710.     symbol { weight = 3.00; name = "HFILTER_HELO_3"; description = "Helo host checks (medium)"; }

  711.     symbol { weight = 3.50; name = "HFILTER_HELO_4"; description = "Helo host checks (hard)"; }

  712.     symbol { weight = 4.00; name = "HFILTER_HELO_5"; description = "Helo host checks (very hard)"; }

  713.     symbol { weight = 1.00; name = "HFILTER_HOSTNAME_1"; description = "Hostname checks (very low)"; }

  714.     symbol { weight = 2.00; name = "HFILTER_HOSTNAME_2"; description = "Hostname checks (low)"; }

  715.     symbol { weight = 3.00; name = "HFILTER_HOSTNAME_3"; description = "Hostname checks (medium)"; }

  716.     symbol { weight = 3.50; name = "HFILTER_HOSTNAME_4"; description = "Hostname checks (hard)"; }

  717.     symbol { weight = 4.00; name = "HFILTER_HOSTNAME_5"; description = "Hostname checks (very hard)"; }

  718.     symbol { weight = 1.50; name = "HFILTER_HELO_NORESOLVE_MX"; description = "MX found in Helo and no resolve"; }

  719.     symbol { weight = 2.00; name = "HFILTER_HELO_NORES_A_OR_MX"; description = "Helo no resolve to A or MX"; }

  720.     symbol { weight = 1.00; name = "HFILTER_HELO_IP_A"; description = "Helo A IP != hostname IP"; }

  721.     symbol { weight = 3.00; name = "HFILTER_HELO_NOT_FQDN"; description = "Helo not FQDN"; }

  722.     symbol { weight = 1.50; name = "HFILTER_FROMHOST_NORESOLVE_MX"; description = "MX found in FROM host and no resolve"; }

  723.     symbol { weight = 3.50; name = "HFILTER_FROMHOST_NORES_A_OR_MX"; description = "FROM host no resolve to A or MX"; }

  724.     symbol { weight = 4.00; name = "HFILTER_FROMHOST_NOT_FQDN"; description = "FROM host not FQDN"; }

  725.     symbol { weight = 0.50; name = "HFILTER_MID_NOT_FQDN"; description = "Message-id host not FQDN"; }

  726.     symbol { weight = 4.00; name = "HFILTER_HOSTNAME_UNKNOWN"; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; }

  727.     symbol { weight = 3.50; name = "HFILTER_URL_ONLY"; description = "URL only in body"; }

  728.     symbol { weight = 2.20; name = "HFILTER_URL_ONELINE"; description = "One line URL and text in body"; }

  729. }