mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5492 Commits
29 Branches
Tree: b9ca3adcab
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b9ca3adcab'
${ noResults }
rspamd/conf/metrics.conf

metrics.conf 27KB
Raw Blame History

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154 
  1. # Metrics settings

  2. 

  3. metric {

  4.     name = "default";

  5.     # If this param is set to non-zero

  6.     # then a metric would accept all symbols

  7.     # unknown_weight = 1.0

  8. 

  9.     actions {

  10. 	reject = 15;

  11. 	add_header = 6;

  12. 	greylist = 4;

  13.     };

  14. 

  15.     group {

  16. 	name = "header";

  17. 	symbol {

  18. 	    weight = 2.0;

  19. 	    description = "Subject is missing inside message";

  20. 	    name = "MISSING_SUBJECT";

  21. 	}

  22. 	symbol {

  23. 	    weight = 2.100000;

  24. 	    description = "Message pretends to be send from Outlook but has 'strange' tags ";

  25. 	    name = "FORGED_OUTLOOK_TAGS";

  26. 	}

  27. 	symbol {

  28. 	    weight = 0.30;

  29. 	    description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";

  30. 	    name = "FORGED_SENDER";

  31. 	}

  32. 	symbol {

  33. 	    weight = 1.500000;

  34. 	    description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";

  35. 	    name = "SUSPICIOUS_RECIPS";

  36. 	}

  37. 	symbol {

  38. 	    weight = 6.0;

  39. 	    description = "Fake reply (has RE in subject, but has not References header)";

  40. 	    name = "FAKE_REPLY_C";

  41. 	}

  42. 	symbol {

  43. 	    weight = 1.0;

  44. 	    description = "Messages that have only HTML part";

  45. 	    name = "MIME_HTML_ONLY";

  46. 	}

  47. 	symbol {

  48. 	    weight = 2.0;

  49. 	    description = "Forged yahoo msgid";

  50. 	    name = "FORGED_MSGID_YAHOO";

  51. 	}

  52. 	symbol {

  53. 	    weight = 2.0;

  54. 	    description = "Forged The Bat! MUA headers";

  55. 	    name = "FORGED_MUA_THEBAT_BOUN";

  56. 	}

  57. 	symbol {

  58. 	    weight = 5.0;

  59. 	    description = "Charset is missing in a message";

  60. 	    name = "R_MISSING_CHARSET";

  61. 	}

  62. 	symbol {

  63. 	    weight = 2.0;

  64. 	    description = "Two received headers with ip addresses";

  65. 	    name = "RCVD_DOUBLE_IP_SPAM";

  66. 	}

  67. 	symbol {

  68. 	    weight = 5.0;

  69. 	    description = "Forged outlook HTML signature";

  70. 	    name = "FORGED_OUTLOOK_HTML";

  71. 	}

  72. 	symbol {

  73. 	    weight = 5.0;

  74. 	    description = "Recipients are absent or undisclosed";

  75. 	    name = "R_UNDISC_RCPT";

  76. 	}

  77. 	symbol {

  78. 	    weight = 2.0;

  79. 	    description = "Fake helo for verizon provider";

  80. 	    name = "FM_FAKE_HELO_VERIZON";

  81. 	}

  82. 	symbol {

  83. 	    weight = 2.0;

  84. 	    description = "Quoted reply-to from yahoo (seems to be forged)";

  85. 	    name = "REPTO_QUOTE_YAHOO";

  86. 	}

  87. 	symbol {

  88. 	    weight = 5.0;

  89. 	    description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";

  90. 	    name = "MISSING_MIMEOLE";

  91. 	}

  92. 	symbol {

  93. 	    weight = 2.0;

  94. 	    description = "To header is missing";

  95. 	    name = "MISSING_TO";

  96. 	}

  97. 	symbol {

  98. 	    weight = 1.500000;

  99. 	    description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  100. 	    name = "FROM_EXCESS_BASE64";

  101. 	}

  102. 	symbol {

  103. 	    weight = 1.200000;

  104. 	    description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  105. 	    name = "FROM_EXCESS_QP";

  106. 	}

  107. 	symbol {

  108. 	    weight = 1.500000;

  109. 	    description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  110. 	    name = "TO_EXCESS_BASE64";

  111. 	}

  112. 	symbol {

  113. 	    weight = 1.200000;

  114. 	    description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  115. 	    name = "TO_EXCESS_QP";

  116. 	}

  117. 	symbol {

  118. 	    weight = 1.500000;

  119. 	    description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  120. 	    name = "REPLYTO_EXCESS_BASE64";

  121. 	}

  122. 	symbol {

  123. 	    weight = 1.200000;

  124. 	    description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  125. 	    name = "REPLYTO_EXCESS_QP";

  126. 	}

  127. 	symbol {

  128. 	    weight = 1.500000;

  129. 	    description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";

  130. 	    name = "CC_EXCESS_BASE64";

  131. 	}

  132. 	symbol {

  133. 	    weight = 1.200000;

  134. 	    description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";

  135. 	    name = "CC_EXCESS_QP";

  136. 	}

  137. 	symbol {

  138. 	    weight = 5.0;

  139. 	    description = "Mixed characters in a message";

  140. 	    name = "R_MIXED_CHARSET";

  141. 	}

  142. 	symbol {

  143. 	    weight = 3.500000;

  144. 	    description = "Recipients list seems to be sorted";

  145. 	    name = "SORTED_RECIPS";

  146. 	}

  147. 	symbol {

  148. 	    weight = 3.0;

  149. 	    description = "Spambots signatures in received headers";

  150. 	    name = "R_RCVD_SPAMBOTS";

  151. 	}

  152. 	symbol {

  153. 	    weight = 2.0;

  154. 	    description = "To header seems to be autogenerated";

  155. 	    name = "R_TO_SEEMS_AUTO";

  156. 	}

  157. 	symbol {

  158. 	    weight = 1.0;

  159. 	    description = "Subject needs encoding";

  160. 	    name = "SUBJECT_NEEDS_ENCODING";

  161. 	}

  162. 	symbol {

  163. 	    weight = 3.840000;

  164. 	    description = "Spam string at the end of message to make statistics faults 0";

  165. 	    name = "TRACKER_ID";

  166. 	}

  167. 	symbol {

  168. 	    weight = 1.0;

  169. 	    description = "No space in from header";

  170. 	    name = "R_NO_SPACE_IN_FROM";

  171. 	}

  172. 	symbol {

  173. 	    weight = 8.0;

  174. 	    description = "Subject seems to be spam";

  175. 	    name = "R_SAJDING";

  176. 	}

  177. 	symbol {

  178. 	    weight = 3.0;

  179. 	    description = "Detects bad content-transfer-encoding for text parts";

  180. 	    name = "R_BAD_CTE_7BIT";

  181. 	}

  182. 	symbol {

  183. 	    weight = 10.0;

  184. 	    description = "Flash redirect on imageshack.us";

  185. 	    name = "R_FLASH_REDIR_IMGSHACK";

  186. 	}

  187. 	symbol {

  188. 	    weight = 5.0;

  189. 	    description = "Message id is incorrect";

  190. 	    name = "INVALID_MSGID";

  191. 	}

  192. 	symbol {

  193. 	    weight = 3.0;

  194. 	    description = "Message id is missing ";

  195. 	    name = "MISSING_MID";

  196. 	}

  197. 	symbol {

  198. 	    weight = 1.0;

  199. 	    description = "Recipients are not the same as RCPT TO: mail command";

  200. 	    name = "FORGED_RECIPIENTS";

  201. 	}

  202. 	symbol {

  203. 	    weight = 0.0;

  204. 	    description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";

  205. 	    name = "FORGED_RECIPIENTS_MAILLIST";

  206. 	}

  207. 	symbol {

  208. 	    weight = 0.0;

  209. 	    description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";

  210. 	    name = "FORGED_SENDER_MAILLIST";

  211. 	}

  212. 	symbol {

  213. 	    weight = 2.0;

  214. 	    description = "Forged Exchange messages ";

  215. 	    name = "RATWARE_MS_HASH";

  216. 	}

  217. 	symbol {

  218. 	    weight = 1.0;

  219. 	    description = "Reply-type in content-type";

  220. 	    name = "STOX_REPLY_TYPE";

  221. 	}

  222. 	symbol {

  223. 	    weight = 1.0;

  224. 	    description = "One received header in a message ";

  225. 	    name = "ONCE_RECEIVED";

  226. 	}

  227. 	symbol {

  228. 	    weight = 4.0;

  229. 	    description = "One received header with 'bad' patterns inside";

  230. 	    name = "ONCE_RECEIVED_STRICT";

  231. 	}

  232. 	symbol {

  233. 	    weight = 2.0;

  234. 	    description = "Only Content-Type header without other MIME headers";

  235. 	    name = "MIME_HEADER_CTYPE_ONLY";

  236. 	}

  237. 	symbol {

  238. 	    weight = -1.0;

  239. 	    description = "Message seems to be from maillist";

  240. 	    name = "MAILLIST";

  241. 	}

  242. 	symbol {

  243. 	    weight = 1.0;

  244. 	    description = "Header From begins with tab";

  245. 	    name = "HEADER_FROM_DELIMITER_TAB";

  246. 	}

  247. 	symbol {

  248. 	    weight = 1.0;

  249. 	    description = "Header To begins with tab";

  250. 	    name = "HEADER_TO_DELIMITER_TAB";

  251. 	}

  252. 	symbol {

  253. 	    weight = 1.0;

  254. 	    description = "Header Cc begins with tab";

  255. 	    name = "HEADER_CC_DELIMITER_TAB";

  256. 	}

  257. 	symbol {

  258. 	    weight = 1.0;

  259. 	    description = "Header Reply-To begins with tab";

  260. 	    name = "HEADER_REPLYTO_DELIMITER_TAB";

  261. 	}

  262. 	symbol {

  263. 	    weight = 1.0;

  264. 	    description = "Header Date begins with tab";

  265. 	    name = "HEADER_DATE_DELIMITER_TAB";

  266. 	}

  267. 	symbol {

  268. 	    weight = 1.0;

  269. 	    description = "Header From has no delimiter between header name and header value";

  270. 	    name = "HEADER_FROM_EMPTY_DELIMITER";

  271. 	}

  272. 	symbol {

  273. 	    weight = 1.0;

  274. 	    description = "Header To has no delimiter between header name and header value";

  275. 	    name = "HEADER_TO_EMPTY_DELIMITER";

  276. 	}

  277. 	symbol {

  278. 	    weight = 1.0;

  279. 	    description = "Header Cc has no delimiter between header name and header value";

  280. 	    name = "HEADER_CC_EMPTY_DELIMITER";

  281. 	}

  282. 	symbol {

  283. 	    weight = 1.0;

  284. 	    description = "Header Reply-To has no delimiter between header name and header value";

  285. 	    name = "HEADER_REPLYTO_EMPTY_DELIMITER";

  286. 	}

  287. 	symbol {

  288. 	    weight = 1.0;

  289. 	    description = "Header Date has no delimiter between header name and header value";

  290. 	    name = "HEADER_DATE_EMPTY_DELIMITER";

  291. 	}

  292. 	symbol {

  293. 	    weight = 4.0;

  294. 	    description = "Header Received has raw illegal character";

  295. 	    name = "RCVD_ILLEGAL_CHARS";

  296. 	}

  297. 	symbol {

  298. 	    weight = 4.0;

  299. 	    description = "Fake helo mail.ru in header Received from non mail.ru sender address";

  300. 	    name = "FAKE_RECEIVED_mail_ru";

  301. 	}

  302. 	symbol {

  303. 	    weight = 4.0;

  304. 	    description = "Fake smtp.yandex.ru Received";

  305. 	    name = "FAKE_RECEIVED_smtp_yandex_ru";

  306. 	}

  307. 	symbol {

  308. 	    weight = 3.600000;

  309. 	    description = "Forged generic Received";

  310. 	    name = "FORGED_GENERIC_RECEIVED";

  311. 	}

  312. 	symbol {

  313. 	    weight = 3.600000;

  314. 	    description = "Forged generic Received";

  315. 	    name = "FORGED_GENERIC_RECEIVED2";

  316. 	}

  317. 	symbol {

  318. 	    weight = 3.600000;

  319. 	    description = "Forged generic Received";

  320. 	    name = "FORGED_GENERIC_RECEIVED3";

  321. 	}

  322. 	symbol {

  323. 	    weight = 3.600000;

  324. 	    description = "Forged generic Received";

  325. 	    name = "FORGED_GENERIC_RECEIVED4";

  326. 	}

  327. 	symbol {

  328. 	    weight = 4.600000;

  329. 	    description = "Forged generic Received";

  330. 	    name = "FORGED_GENERIC_RECEIVED5";

  331. 	}

  332. 	symbol {

  333. 	    weight = 3.0;

  334. 	    description = "Invalid Postfix Received";

  335. 	    name = "INVALID_POSTFIX_RECEIVED";

  336. 	}

  337. 	symbol {

  338. 	    weight = 5.0;

  339. 	    description = "Invalid Exim Received";

  340. 	    name = "INVALID_EXIM_RECEIVED";

  341. 	}

  342. 	symbol {

  343. 	    weight = 3.0;

  344. 	    description = "Invalid Exim Received";

  345. 	    name = "INVALID_EXIM_RECEIVED2";

  346. 	}

  347.     }

  348. 

  349.     group {

  350. 	name = "mua";

  351. 	symbol {

  352. 	    weight = 4.0;

  353. 	    description = "Message pretends to be send from The Bat! but has forged Message-ID";

  354. 	    name = "FORGED_MUA_THEBAT_MSGID";

  355. 	}

  356. 	symbol {

  357. 	    weight = 3.0;

  358. 	    description = "Message pretends to be send from The Bat! but has forged Message-ID";

  359. 	    name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN";

  360. 	}

  361. 	symbol {

  362. 	    weight = 3.0;

  363. 	    description = "Message pretends to be send from KMail but has forged Message-ID";

  364. 	    name = "FORGED_MUA_KMAIL_MSGID";

  365. 	}

  366. 	symbol {

  367. 	    weight = 2.500000;

  368. 	    description = "Message pretends to be send from KMail but has forged Message-ID";

  369. 	    name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN";

  370. 	}

  371. 	symbol {

  372. 	    weight = 4.0;

  373. 	    description = "Message pretends to be send from Opera Mail but has forged Message-ID";

  374. 	    name = "FORGED_MUA_OPERA_MSGID";

  375. 	}

  376. 	symbol {

  377. 	    weight = 4.0;

  378. 	    description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";

  379. 	    name = "SUSPICIOUS_OPERA_10W_MSGID";

  380. 	}

  381. 	symbol {

  382. 	    weight = 4.0;

  383. 	    description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";

  384. 	    name = "FORGED_MUA_MOZILLA_MAIL_MSGID";

  385. 	}

  386. 	symbol {

  387. 	    weight = 2.500000;

  388. 	    description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";

  389. 	    name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN";

  390. 	}

  391. 	symbol {

  392. 	    weight = 4.0;

  393. 	    description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";

  394. 	    name = "FORGED_MUA_THUNDERBIRD_MSGID";

  395. 	}

  396. 	symbol {

  397. 	    weight = 2.500000;

  398. 	    description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";

  399. 	    name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN";

  400. 	}

  401. 	symbol {

  402. 	    weight = 4.0;

  403. 	    description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";

  404. 	    name = "FORGED_MUA_SEAMONKEY_MSGID";

  405. 	}

  406. 	symbol {

  407. 	    weight = 2.500000;

  408. 	    description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";

  409. 	    name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN";

  410. 	}

  411. 	symbol {

  412. 	    weight = 3.0;

  413. 	    description = "Forged outlook MUA";

  414. 	    name = "FORGED_MUA_OUTLOOK";

  415. 	}

  416.     }

  417.     symbol {

  418. 	weight = 0.0;

  419. 	description = "Avoid false positives for FORGED_MUA_* in maillist";

  420. 	name = "FORGED_MUA_MAILLIST";

  421.     }

  422. 

  423.     group {

  424. 	name = "body";

  425. 	symbol {

  426. 	    weight = 9.0;

  427. 	    description = "White color on white background in HTML messages";

  428. 	    name = "R_WHITE_ON_WHITE";

  429. 	}

  430. 	symbol {

  431. 	    weight = 3.0;

  432. 	    description = "Short html part with a link to an image";

  433. 	    name = "HTML_SHORT_LINK_IMG_1";

  434. 	}

  435. 	symbol {

  436. 	    weight = 1.0;

  437. 	    description = "Short html part with a link to an image";

  438. 	    name = "HTML_SHORT_LINK_IMG_2";

  439. 	}

  440. 	symbol {

  441. 	    weight = 0.5;

  442. 	    description = "Short html part with a link to an image";

  443. 	    name = "HTML_SHORT_LINK_IMG_3";

  444. 	}

  445. 	symbol {

  446. 	    weight = 5.0;

  447. 	    description = "Suspicious boundary in header Content-Type";

  448. 	    name = "SUSPICIOUS_BOUNDARY";

  449. 	}

  450. 	symbol {

  451. 	    weight = 4.0;

  452. 	    description = "Suspicious boundary in header Content-Type";

  453. 	    name = "SUSPICIOUS_BOUNDARY2";

  454. 	}

  455. 	symbol {

  456. 	    weight = 3.0;

  457. 	    description = "Suspicious boundary in header Content-Type";

  458. 	    name = "SUSPICIOUS_BOUNDARY3";

  459. 	}

  460. 	symbol {

  461. 	    weight = 4.0;

  462. 	    description = "Suspicious boundary in header Content-Type";

  463. 	    name = "SUSPICIOUS_BOUNDARY4";

  464. 	}

  465. 	symbol {

  466. 	    weight = 3.0;

  467. 	    description = "Text and HTML parts differ";

  468. 	    name = "R_PARTS_DIFFER";

  469. 	}

  470. 

  471. 	symbol {

  472. 	    weight = 2.0;

  473. 	    description = "Message contains empty parts and image";

  474. 	    name = "R_EMPTY_IMAGE";

  475. 	}

  476. 	symbol {

  477. 	    weight = 2.0;

  478. 	    description = "Drugs patterns inside message";

  479. 	    name = "DRUGS_MANYKINDS";

  480. 	}

  481. 	symbol {

  482. 	    weight = 2.0;

  483. 	    description = "";

  484. 	    name = "DRUGS_ANXIETY";

  485. 	}

  486. 	symbol {

  487. 	    weight = 2.0;

  488. 	    description = "";

  489. 	    name = "DRUGS_MUSCLE";

  490. 	}

  491. 	symbol {

  492. 	    weight = 2.0;

  493. 	    description = "";

  494. 	    name = "DRUGS_ANXIETY_EREC";

  495. 	}

  496. 	symbol {

  497. 	    weight = 2.0;

  498. 	    description = "";

  499. 	    name = "DRUGS_DIET";

  500. 	}

  501. 	symbol {

  502. 	    weight = 2.0;

  503. 	    description = "";

  504. 	    name = "DRUGS_ERECTILE";

  505. 	}

  506. 	symbol {

  507. 	    weight = 3.300000;

  508. 	    description = "2 'advance fee' patterns in a message";

  509. 	    name = "ADVANCE_FEE_2";

  510. 	}

  511. 	symbol {

  512. 	    weight = 2.120000;

  513. 	    description = "3 'advance fee' patterns in a message";

  514. 	    name = "ADVANCE_FEE_3";

  515. 	}

  516. 	symbol {

  517. 	    weight = 8.0;

  518. 	    description = "Lotto signatures";

  519. 	    name = "R_LOTTO";

  520. 	}

  521.     }

  522. 

  523.     group {

  524. 	name = "rbl";

  525. 	symbol {

  526. 	    name = "DNSWL_BLOCKED";

  527. 	    weight = 0.0;

  528. 	    description = "Resolver blocked due to excessive queries";

  529. 	}

  530. 	symbol {

  531. 	    name = "RCVD_IN_DNSWL";

  532. 	    weight = 0.0;

  533. 	    description = "Unrecognised result from dnswl.org";

  534. 	}

  535. 	symbol {

  536. 	    name = "RCVD_IN_DNSWL_NONE";

  537. 	    weight = 0.0;

  538. 	    description = "Sender listed at http://www.dnswl.org, low none";

  539. 	}

  540. 	symbol {

  541. 	    name = "RCVD_IN_DNSWL_LOW";

  542. 	    weight = 0.0;

  543. 	    description = "Sender listed at http://www.dnswl.org, low trust";

  544. 	}

  545. 	symbol {

  546. 	    name = "RCVD_IN_DNSWL_MED";

  547. 	    weight = 0.0;

  548. 	    description = "Sender listed at http://www.dnswl.org, medium trust";

  549. 	}

  550. 	symbol {

  551. 	    name = "RCVD_IN_DNSWL_HI";

  552. 	    weight = 0.0;

  553. 	    description = "Sender listed at http://www.dnswl.org, high trust";

  554. 	}

  555. 

  556. 	symbol {

  557. 	    name = "RBL_SPAMHAUS";

  558. 	    weight = 0.0;

  559. 	    description = "Unrecognised result from Spamhaus zen";

  560. 	}

  561. 	symbol {

  562. 	    name = "RBL_SPAMHAUS_SBL";

  563. 	    weight = 2.0;

  564. 	    description = "From address is listed in zen sbl";

  565. 	}

  566. 	symbol {

  567. 	    name = "RBL_SPAMHAUS_CSS";

  568. 	    weight = 2.0;

  569. 	    description = "From address is listed in zen css";

  570. 	}

  571. 	symbol {

  572. 	    name = "RBL_SPAMHAUS_XBL";

  573. 	    weight = 4.0;

  574. 	    description = "From address is listed in zen xbl";

  575. 	}

  576. 	symbol {

  577. 	    name = "RBL_SPAMHAUS_PBL";

  578. 	    weight = 2.0;

  579. 	    description = "From address is listed in zen pbl";

  580. 	}

  581. 	symbol {

  582. 	    name = "RECEIVED_SPAMHAUS_XBL";

  583. 	    weight = 3.0;

  584. 	    description = "Received address is listed in zen pbl";

  585. 	    one_shot = true;

  586. 	}

  587. 

  588. 	symbol {

  589. 	    name = "RWL_SPAMHAUS_WL";

  590. 	    weight = 0.0;

  591. 	    description = "Unrecognised result from Spamhaus whitelist";

  592. 	}

  593. 	symbol {

  594. 	    name = "RWL_SPAMHAUS_WL_IND";

  595. 	    weight = 0.0;

  596. 	    description = "Sender listed at Spamhaus whitelist";

  597. 	}

  598. 	symbol {

  599. 	    name = "RWL_SPAMHAUS_WL_TRANS";

  600. 	    weight = 0.0;

  601. 	    description = "Sender listed at Spamhaus whitelist";

  602. 	}

  603. 	symbol {

  604. 	    name = "RWL_SPAMHAUS_WL_IND_EXP";

  605. 	    weight = 0.0;

  606. 	    description = "Sender listed at Spamhaus whitelist";

  607. 	}

  608. 	symbol {

  609. 	    name = "RWL_SPAMHAUS_WL_TRANS_EXP";

  610. 	    weight = 0.0;

  611. 	    description = "Sender listed at Spamhaus whitelist";

  612. 	}

  613. 

  614. 	symbol {

  615. 	    weight = 2.0;

  616. 	    description = "From address is listed in senderscore.com BL";

  617. 	    name = "RBL_SENDERSCORE";

  618. 	}

  619. 	symbol {

  620. 	    weight = 1.0;

  621. 	    description = "From address is listed in ABUSE.CH BL";

  622. 	    name = "RBL_ABUSECH";

  623. 	}

  624. 	symbol {

  625. 	    weight = 1.0;

  626. 	    description = "From address is listed in UCEPROTECT LEVEL1 BL";

  627. 	    name = "RBL_UCEPROTECT_LEVEL1";

  628. 	}

  629. 	symbol {

  630. 	    name = "RBL_MAILSPIKE";

  631. 	    weight = 0.0;

  632. 	    description = "Unrecognised result from Mailspike blacklist";

  633. 	}

  634. 	symbol {

  635. 	    name = "RWL_MAILSPIKE";

  636. 	    weight = 0.0;

  637. 	    description = "Unrecognised result from Mailspike whitelist";

  638. 	}

  639. 	symbol {

  640. 	    name = "RBL_MAILSPIKE_ZOMBIE";

  641. 	    weight = 2.0;

  642. 	    description = "From address is listed in RBL";

  643. 	}

  644. 	symbol {

  645. 	    name = "RBL_MAILSPIKE_WORST";

  646. 	    weight = 2.0;

  647. 	    description = "From address is listed in RBL";

  648. 	}

  649. 	symbol {

  650. 	    name = "RBL_MAILSPIKE_VERYBAD";

  651. 	    weight = 1.5;

  652. 	    description = "From address is listed in RBL";

  653. 	}

  654. 	symbol {

  655. 	    name = "RBL_MAILSPIKE_BAD";

  656. 	    weight = 1.0;

  657. 	    description = "From address is listed in RBL";

  658. 	}

  659. 	symbol {

  660. 	    name = "RWL_MAILSPIKE_POSSIBLE";

  661. 	    weight = 0.0;

  662. 	    description = "From address is listed in RWL";

  663. 	}

  664. 	symbol {

  665. 	    name = "RWL_MAILSPIKE_GOOD";

  666. 	    weight = 0.0;

  667. 	    description = "From address is listed in RWL";

  668. 	}

  669. 	symbol {

  670. 	    name = "RWL_MAILSPIKE_VERYGOOD";

  671. 	    weight = 0.0;

  672. 	    description = "From address is listed in RWL";

  673. 	}

  674. 	symbol {

  675. 	    name = "RWL_MAILSPIKE_EXCELLENT";

  676. 	    weight = 0.0;

  677. 	    description = "From address is listed in RWL";

  678. 	}

  679. 

  680. 	symbol {

  681. 	    weight = 0.0;

  682. 	    name = "RBL_SORBS";

  683. 	    description = "Unrecognised result from SORBS RBL";

  684. 	}

  685. 	symbol {

  686. 	    weight = 2.5;

  687. 	    name = "RBL_SORBS_HTTP";

  688. 	    description = "List of Open HTTP Proxy Servers.";

  689. 	}

  690. 	symbol {

  691. 	    weight = 2.5;

  692. 	    name = "RBL_SORBS_SOCKS";

  693. 	    description = "List of Open SOCKS Proxy Servers.";

  694. 	}

  695. 	symbol {

  696. 	    weight = 1.0;

  697. 	    name = "RBL_SORBS_MISC";

  698. 	    description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";

  699. 	}

  700. 	symbol {

  701. 	    weight = 3.0;

  702. 	    name = "RBL_SORBS_SMTP";

  703. 	    description = "List of Open SMTP relay servers.";

  704. 	}

  705. 	symbol {

  706. 	    weight = 1.5;

  707. 	    name = "RBL_SORBS_RECENT";

  708. 	    description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).";

  709. 	}

  710. 	symbol {

  711. 	    weight = 0.4;

  712. 	    name = "RBL_SORBS_WEB";

  713. 	    description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";

  714. 	}

  715. 	symbol {

  716. 	    weight = 2.0;

  717. 	    name = "RBL_SORBS_DUL";

  718. 	    description = "Dynamic IP Address ranges (NOT a Dial Up list!)";

  719. 	}

  720. 	symbol {

  721. 	    weight = 1.0;

  722. 	    name = "RBL_SORBS_BLOCK";

  723. 	    description = "List of hosts demanding that they never be tested by SORBS.";

  724. 	}

  725. 	symbol {

  726. 	    weight = 1.0;

  727. 	    name = "RBL_SORBS_ZOMBIE";

  728. 	    description = "List of networks hijacked from their original owners, some of which have already used for spamming.";

  729. 	}

  730. 

  731. 	symbol {

  732. 	    weight = 1.0;

  733. 	    name = "RBL_SEM";

  734. 	    description = "Address is listed in Spameatingmonkey RBL";

  735. 	}

  736. 

  737. 	symbol {

  738. 	    weight = 1.0;

  739. 	    name = "RBL_SEM_IPV6";

  740. 	    description = "Address is listed in Spameatingmonkey RBL (ipv6)";

  741. 	}

  742.     }

  743. 

  744.     group {

  745. 	name = "bayes";

  746. 

  747. 	symbol {

  748. 	    weight = 3.0;

  749. 	    description = "Message probably spam, probability: ";

  750. 	    name = "BAYES_SPAM";

  751. 	}

  752. 	symbol {

  753. 	    weight = -3.0;

  754. 	    description = "Message probably ham, probability: ";

  755. 	    name = "BAYES_HAM";

  756. 	}

  757.     }

  758. 

  759.     group {

  760. 	name = "fuzzy";

  761. 	symbol {

  762. 	    weight = 5.0;

  763. 	    description = "Generic fuzzy hash match";

  764. 	    name = "FUZZY_UNKNOWN";

  765. 	}

  766. 	symbol {

  767. 	    weight = 10.0;

  768. 	    description = "Denied fuzzy hash";

  769. 	    name = "FUZZY_DENIED";

  770. 	}

  771. 	symbol {

  772. 	    weight = 5.0;

  773. 	    description = "Probable fuzzy hash";

  774. 	    name = "FUZZY_PROB";

  775. 	}

  776. 	symbol {

  777. 	    weight = -2.1;

  778. 	    description = "Whitelisted fuzzy hash";

  779. 	    name = "FUZZY_WHITE";

  780. 	}

  781.     }

  782. 

  783.     group {

  784. 	name = "spf";

  785. 	symbol {

  786. 	    weight = 1.0;

  787. 	    description = "SPF verification failed";

  788. 	    name = "R_SPF_FAIL";

  789. 	}

  790. 	symbol {

  791. 	    weight = 0.0;

  792. 	    description = "SPF verification soft-failed";

  793. 	    name = "R_SPF_SOFTFAIL";

  794. 	}

  795. 	symbol {

  796. 	    weight = 0.0;

  797. 	    description = "SPF policy is neutral";

  798. 	    name = "R_SPF_NEUTRAL";

  799. 	}

  800. 	symbol {

  801. 	    weight = -1.1;

  802. 	    description = "SPF verification alowed";

  803. 	    name = "R_SPF_ALLOW";

  804. 	}

  805.     }

  806. 

  807.     group {

  808. 	name = "dkim";

  809. 	symbol {

  810. 	    weight = 1.0;

  811. 	    description = "DKIM verification failed";

  812. 	    name = "R_DKIM_REJECT";

  813. 	}

  814. 	symbol {

  815. 	    weight = 0.0;

  816. 	    description = "DKIM verification soft-failed";

  817. 	    name = "R_DKIM_TEMPFAIL";

  818. 	}

  819. 	symbol {

  820. 	    weight = -1.1;

  821. 	    description = "DKIM verification succeed";

  822. 	    name = "R_DKIM_ALLOW";

  823. 	    one_shot = true;

  824. 	}

  825.     }

  826. 

  827.     group {

  828. 	name = "surbl";

  829. 	symbol {

  830. 	    weight = 5.5;

  831. 	    description = "SURBL: Phishing sites";

  832. 	    name = "PH_SURBL_MULTI";

  833. 	}

  834. 	symbol {

  835. 	    weight = 5.5;

  836. 	    description = "SURBL: Malware sites";

  837. 	    name = "MW_SURBL_MULTI";

  838. 	}

  839. 	symbol {

  840. 	    weight = 5.5;

  841. 	    description = "SURBL: AbuseButler web sites";

  842. 	    name = "AB_SURBL_MULTI";

  843. 	}

  844. 	symbol {

  845. 	    weight = 5.5;

  846. 	    description = "SURBL: SpamCop web sites";

  847. 	    name = "SC_SURBL_MULTI";

  848. 	}

  849. 	symbol {

  850. 	    weight = 5.5;

  851. 	    description = "SURBL: jwSpamSpy + Prolocation sites";

  852. 	    name = "JP_SURBL_MULTI";

  853. 	}

  854. 	symbol {

  855. 	    weight = 5.5;

  856. 	    description = "SURBL: sa-blacklist web sites ";

  857. 	    name = "WS_SURBL_MULTI";

  858. 	}

  859. 	symbol {

  860. 	    weight = 4.5;

  861. 	    description = "rambler.ru uribl";

  862. 	    name = "RAMBLER_URIBL";

  863. 	}

  864. 

  865. 	symbol {

  866. 	    weight = 3.5;

  867. 	    name = "SEM_URIBL";

  868. 	    description = "Spameatingmonkey uribl";

  869. 	}

  870. 

  871. 	symbol {

  872. 	    weight = 3.0;

  873. 	    name = "SEM_URIBL_FRESH15";

  874. 	    description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";

  875. 	}

  876. 

  877. 	symbol {

  878. 	    weight = 6.5;

  879. 	    description = "DBL uribl spam";

  880. 	    name = "DBL_SPAM";

  881. 	}

  882. 	symbol {

  883. 	    weight = 6.5;

  884. 	    description = "DBL uribl phishing";

  885. 	    name = "DBL_PHISH";

  886. 	}

  887. 	symbol {

  888. 	    weight = 6.5;

  889. 	    description = "DBL uribl malware";

  890. 	    name = "DBL_MALWARE";

  891. 	}

  892. 	symbol {

  893. 	    weight = 5.5;

  894. 	    description = "DBL uribl botnet C&C domain";

  895. 	    name = "DBL_BOTNET";

  896. 	}

  897. 	symbol {

  898. 	    weight = 6.5;

  899. 	    description = "DBL uribl abused legit spam";

  900. 	    name = "DBL_ABUSE";

  901. 	}

  902. 	symbol {

  903. 	    weight = 1.5;

  904. 	    description = "DBL uribl abused spammed redirector domain";

  905. 	    name = "DBL_ABUSE_REDIR";

  906. 	}

  907. 	symbol {

  908. 	    weight = 7.5;

  909. 	    description = "DBL uribl abused legit phish";

  910. 	    name = "DBL_ABUSE_PHISH";

  911. 	}

  912. 	symbol {

  913. 	    weight = 7.5;

  914. 	    description = "DBL uribl abused legit malware";

  915. 	    name = "DBL_ABUSE_MALWARE";

  916. 	}

  917. 	symbol {

  918. 	    weight = 5.5;

  919. 	    description = "DBL uribl abused legit botnet C&C";

  920. 	    name = "DBL_ABUSE_BOTNET";

  921. 	}

  922. 	symbol {

  923. 	    weight = 0.00000;

  924. 	    description = "DBL uribl IP queries prohibited!";

  925. 	    name = "DBL_PROHIBIT";

  926. 	}

  927. 	symbol {

  928. 	    weight = 7.5;

  929. 	    description = "uribl.com black url";

  930. 	    name = "URIBL_BLACK";

  931. 	}

  932. 	symbol {

  933. 	    weight = 3.5;

  934. 	    description = "uribl.com red url";

  935. 	    name = "URIBL_RED";

  936. 	}

  937. 	symbol {

  938. 	    weight = 1.5;

  939. 	    description = "uribl.com grey url";

  940. 	    name = "URIBL_GREY";

  941. 	}

  942. 	symbol {

  943. 	    weight = 9.5;

  944. 	    description = "rambler.ru emailbl";

  945. 	    name = "RAMBLER_EMAILBL";

  946. 	}

  947. 

  948. 	symbol {

  949. 	    weight = 6.5;

  950. 	    description = "Spamhaus SBL dnsbl";

  951. 	    name = "URIBL_SBL";

  952. 	}

  953. 	}

  954. 

  955.     group {

  956. 	name = "phishing";

  957. 

  958. 	symbol {

  959. 	    weight = 5.0;

  960. 	    description = "Phished mail";

  961. 	    name = "PHISHING";

  962. 	}

  963.     }

  964. 

  965.     group {

  966. 	name = "date";

  967. 

  968. 	symbol {

  969. 	    weight = 4.0;

  970. 	    description = "Message date is in future";

  971. 	    name = "DATE_IN_FUTURE";

  972. 	}

  973. 	symbol {

  974. 	    weight = 1.0;

  975. 	    description = "Message date is in past";

  976. 	    name = "DATE_IN_PAST";

  977. 	}

  978. 	symbol {

  979. 	    weight = 1.0;

  980. 	    description = "Message date is missing";

  981. 	    name = "MISSING_DATE";

  982. 	}

  983.     }

  984. 

  985.     group {

  986. 	name = "hfilter";

  987. 

  988. 	symbol {

  989. 	    weight = 3.00;

  990. 	    name = "HFILTER_HELO_BAREIP";

  991. 	    description = "Helo host is bare ip";

  992. 	}

  993. 	symbol {

  994. 	    weight = 4.50;

  995. 	    name = "HFILTER_HELO_BADIP";

  996. 	    description = "Helo host is very bad ip";

  997. 	}

  998. 	symbol {

  999. 	    weight = 2.00;

  1000. 	    name = "HFILTER_HELO_UNKNOWN";

  1001. 	    description = "Helo host empty or unknown";

  1002. 	}

  1003. 	symbol {

  1004. 	    weight = 0.5;

  1005. 	    name = "HFILTER_HELO_1";

  1006. 	    description = "Helo host checks (very low)";

  1007. 	}

  1008. 	symbol {

  1009. 	    weight = 1.00;

  1010. 	    name = "HFILTER_HELO_2";

  1011. 	    description = "Helo host checks (low)";

  1012. 	}

  1013. 	symbol {

  1014. 	    weight = 2.00;

  1015. 	    name = "HFILTER_HELO_3";

  1016. 	    description = "Helo host checks (medium)";

  1017. 	}

  1018. 	symbol {

  1019. 	    weight = 2.50;

  1020. 	    name = "HFILTER_HELO_4";

  1021. 	    description = "Helo host checks (hard)";

  1022. 	}

  1023. 	symbol {

  1024. 	    weight = 3.00;

  1025. 	    name = "HFILTER_HELO_5";

  1026. 	    description = "Helo host checks (very hard)";

  1027. 	}

  1028. 	symbol {

  1029. 	    weight = 0.5;

  1030. 	    name = "HFILTER_HOSTNAME_1";

  1031. 	    description = "Hostname checks (very low)";

  1032. 	}

  1033. 	symbol {

  1034. 	    weight = 1.00;

  1035. 	    name = "HFILTER_HOSTNAME_2";

  1036. 	    description = "Hostname checks (low)";

  1037. 	}

  1038. 	symbol {

  1039. 	    weight = 2.00;

  1040. 	    name = "HFILTER_HOSTNAME_3";

  1041. 	    description = "Hostname checks (medium)";

  1042. 	}

  1043. 	symbol {

  1044. 	    weight = 2.50;

  1045. 	    name = "HFILTER_HOSTNAME_4";

  1046. 	    description = "Hostname checks (hard)";

  1047. 	}

  1048. 	symbol {

  1049. 	    weight = 3.00;

  1050. 	    name = "HFILTER_HOSTNAME_5";

  1051. 	    description = "Hostname checks (very hard)";

  1052. 	}

  1053. 	symbol {

  1054. 	    weight = 0.20;

  1055. 	    name = "HFILTER_HELO_NORESOLVE_MX";

  1056. 	    description = "MX found in Helo and no resolve";

  1057. 	}

  1058. 	symbol {

  1059. 	    weight = 0.3;

  1060. 	    name = "HFILTER_HELO_NORES_A_OR_MX";

  1061. 	    description = "Helo no resolve to A or MX";

  1062. 	}

  1063. 	symbol {

  1064. 	    weight = 1.00;

  1065. 	    name = "HFILTER_HELO_IP_A";

  1066. 	    description = "Helo A IP != hostname IP";

  1067. 	}

  1068. 	symbol {

  1069. 	    weight = 2.00;

  1070. 	    name = "HFILTER_HELO_NOT_FQDN";

  1071. 	    description = "Helo not FQDN";

  1072. 	}

  1073. 	symbol {

  1074. 	    weight = 0.5;

  1075. 	    name = "HFILTER_FROMHOST_NORESOLVE_MX";

  1076. 	    description = "MX found in FROM host and no resolve";

  1077. 	}

  1078. 	symbol {

  1079. 	    weight = 1.50;

  1080. 	    name = "HFILTER_FROMHOST_NORES_A_OR_MX";

  1081. 	    description = "FROM host no resolve to A or MX";

  1082. 	}

  1083. 	symbol {

  1084. 	    weight = 3.00;

  1085. 	    name = "HFILTER_FROMHOST_NOT_FQDN";

  1086. 	    description = "FROM host not FQDN";

  1087. 	}

  1088. 	symbol {

  1089. 	    weight = 0.00;

  1090. 	    name = "HFILTER_FROM_BOUNCE";

  1091. 	    description = "Bounce message";

  1092. 	}

  1093. 	symbol {

  1094. 	    weight = 0.50;

  1095. 	    name = "HFILTER_MID_NORESOLVE_MX";

  1096. 	    description = "MX found in Message-id host and no resolve";

  1097. 	}

  1098. 	symbol {

  1099. 	    weight = 0.50;

  1100. 	    name = "HFILTER_MID_NORES_A_OR_MX";

  1101. 	    description = "Message-id host no resolve to A or MX";

  1102. 	}

  1103. 	symbol {

  1104. 	    weight = 0.50;

  1105. 	    name = "HFILTER_MID_NOT_FQDN";

  1106. 	    description = "Message-id host not FQDN";

  1107. 	}

  1108. 	symbol {

  1109. 	    weight = 4.00;

  1110. 	    name = "HFILTER_HOSTNAME_UNKNOWN";

  1111. 	    description = "Unknown hostname (no PTR or no resolve PTR to hostname)";

  1112. 	}

  1113. 	symbol {

  1114. 	    weight = 1.50;

  1115. 	    name = "HFILTER_RCPT_BOUNCEMOREONE";

  1116. 	    description = "Message from bounce and over 1 recepient";

  1117. 	}

  1118. 	symbol {

  1119. 	    weight = 3.50;

  1120. 	    name = "HFILTER_URL_ONLY";

  1121. 	    description = "URL only in body";

  1122. 	}

  1123. 	symbol {

  1124. 	    weight = 2.20;

  1125. 	    name = "HFILTER_URL_ONELINE";

  1126. 	    description = "One line URL and text in body";

  1127. 	}

  1128.     }

  1129. 

  1130.     group {

  1131.     	name = "dmarc";

  1132. 

  1133.     	symbol {

  1134.     		weight = -1.0;

  1135.     		name = "DMARC_POLICY_ALLOW";

  1136.     		description = "DMARC permit policy";

  1137.     	}

  1138.     	symbol {

  1139.     		weight = 2.0;

  1140.     		name = "DMARC_POLICY_REJECT";

  1141.     		description = "DMARC reject policy";

  1142.     	}

  1143.     	symbol {

  1144.     		weight = 1.5;

  1145.     		name = "DMARC_POLICY_QUARANTINE";

  1146.     		description = "DMARC quarantine policy";

  1147.     	}

  1148.     	symbol {

  1149.     		weight = 0.1;

  1150.     		name = "DMARC_POLICY_SOFTFAIL";

  1151.     		description = "DMARC failed";

  1152.     	}

  1153.     }

  1154. }