authorVsevolod Stakhov <vsevolod@rambler-co.ru>2011-02-09 19:42:23 +0300
committerVsevolod Stakhov <vsevolod@rambler-co.ru>2011-02-09 19:42:23 +0300
commit8f97c6a684a47ff25166c04a1b0e96e20d4b2302 (patch)
treeff152b4de9c0993294316b6c61afe7da6ace1852
parent849a4e522197e7bbfcb0c29ca62026e10a2a6361 (diff)
Polish sample config.
-rw-r--r--conf/lua/regexp/headers.lua5
-rw-r--r--conf/lua/rspamd.lua22
-rw-r--r--rspamd.xml.sample129
3 files changed, 113 insertions, 43 deletions
diff --git a/conf/lua/regexp/headers.lua b/conf/lua/regexp/headers.lua
index 9a40995f1..85208b982 100644
--- a/conf/lua/regexp/headers.lua
+++ b/conf/lua/regexp/headers.lua
@@ -164,11 +164,6 @@ local from_yahoo_com = 'From=/\\@yahoo\\.com\\b/iH'
reconf['FORGED_MSGID_YAHOO'] = string.format('(%s) & !(%s)', at_yahoo_msgid, from_yahoo_com)
local r_from_yahoo_groups = 'From=/rambler.ru\\@returns\\.groups\\.yahoo\\.com\\b/iH'
local r_from_yahoo_groups_ro = 'From=/ro.ru\\@returns\\.groups\\.yahoo\\.com\\b/iH'
-reconf['FROM_CBR'] = 'From=/\\@cbr\\.ru\\b/iH'
-reconf['FROM_CSHOP'] = 'From=/\\@cshop\\.ru\\b/iH'
-reconf['FROM_MIRHOSTING'] = 'From=/\\@mirhosting\\.com\\b/iH'
-reconf['FROM_PASSIFLORA'] = 'From=/\\@passiflora\\.ru\\b/iH'
-reconf['FROM_WORLDBANK'] = 'From=/\\@worldbank\\.org\\b/iH'
-- Forged The Bat! MUA headers
local thebat_mua_v1 = 'X-Mailer=/^The Bat! \\(v1\\./H'
diff --git a/conf/lua/rspamd.lua b/conf/lua/rspamd.lua
index bd04beab4..2f337aa9f 100644
--- a/conf/lua/rspamd.lua
+++ b/conf/lua/rspamd.lua
@@ -20,9 +20,23 @@ local r_bgcolor = '/BGCOLOR=/iP'
local r_font_color = '/font color=[\\"\']?\\#FFFFFF[\\"\']?/iP'
reconf['R_WHITE_ON_WHITE'] = string.format('(!(%s) & (%s))', r_bgcolor, r_font_color)
reconf['R_FLASH_REDIR_IMGSHACK'] = '/^(?:http:\\/\\/)?img\\d{1,5}\\.imageshack\\.us\\/\\S+\\.swf/U'
-local r_rcvd_from_valuehost = 'Received=/\\sb0\\.valuehost\\.ru/H'
-local r_cyr_phone = '/8 \\(\\xD799\\)/P'
-reconf['R_SPAM_FROM_VALUEHOST'] = string.format('(%s) & (%s)', r_rcvd_from_valuehost, r_cyr_phone)
-- Different text parts
-reconf['R_PARTS_DIFFER'] = 'compare_parts_distance(70)';
+reconf['R_PARTS_DIFFER'] = 'compare_parts_distance(85)';
+
+reconf['R_EMPTY_IMAGE'] = function (task)
+ parts = task:get_text_parts()
+ if parts then
+ for _,part in ipairs(parts) do
+ if part:is_empty() then
+ images = task:get_images()
+ if images then
+ return true
+ end
+ return false
+ end
+ end
+ end
+ return false
+end
+
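Review bot: `parts` and `images` in the new `R_EMPTY_IMAGE` callback are assigned without `local`, so both become globals in the Lua state and, if that state is shared between tasks, values from one scanned message can leak into the handling of the next. Declare them as `local parts = task:get_text_parts()` and `local images = task:get_images()`. The `if images then` test only checks for non-nil, so if `get_images()` can return an empty table the rule would fire on a message with no image at all; that return contract is not visible in this hunk and should be confirmed, with a `#images > 0` check added if needed. The loop also returns at the first empty part it meets, so a one-line comment saying this is the intended meaning of the symbol would help the next reader.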
diff --git a/rspamd.xml.sample b/rspamd.xml.sample
index b56820b51..2226eb948 100644
--- a/rspamd.xml.sample
+++ b/rspamd.xml.sample
@@ -30,90 +30,151 @@
<metric>
<name>default</name>
<required_score>10.0</required_score>
+ <!-- Sample actions -->
<action>reject</action>
<action>greylist:5</action>
<action>add_header:5</action>
+
+ <!-- Weights for symbols -->
+
+ <!-- Subject is missing inside message -->
<symbol weight="2.00">MISSING_SUBJECT</symbol>
+ <!-- Message pretends to be send from Outlook but has 'strange' tags -->
<symbol weight="2.10">FORGED_OUTLOOK_TAGS</symbol>
+ <!-- Sender is forged (different From: header and smtp MAIL FROM: addresses) -->
<symbol weight="5.00">FORGED_SENDER</symbol>
- <symbol weight="2.00">DRUGS_MANYKINDS</symbol>
- <symbol weight="3.30">ADVANCE_FEE_2</symbol>
- <symbol weight="2.12">ADVANCE_FEE_3</symbol>
+ <!-- Recipients seems to be autogenerated (works if recipients count is more than 5) -->
<symbol weight="3.50">SUSPICIOUS_RECIPS</symbol>
+ <!-- Fake reply (has RE in subject, but has not References header) -->
<symbol weight="6.00">FAKE_REPLY_C</symbol>
+ <!-- Messages that have only HTML part -->
<symbol weight="1.00">MIME_HTML_ONLY</symbol>
- <symbol weight="5.50">AB_SURBL_MULTI</symbol>
+ <!-- Forged yahoo msgid -->
<symbol weight="2.00">FORGED_MSGID_YAHOO</symbol>
- <symbol weight="5.50">SC_SURBL_MULTI</symbol>
+ <!-- Forged The Bat! MUA headers -->
<symbol weight="2.00">FORGED_MUA_THEBAT_BOUN</symbol>
+ <!-- Charset is missing in a message -->
<symbol weight="5.00">R_MISSING_CHARSET</symbol>
+ <!-- Two received headers with ip addresses -->
<symbol weight="2.00">RCVD_DOUBLE_IP_SPAM</symbol>
- <symbol weight="5.50">OB_SURBL_MULTI</symbol>
+ <!-- Forged outlook HTML signature -->
<symbol weight="5.00">FORGED_OUTLOOK_HTML</symbol>
- <symbol weight="-2.00">WHITELIST_IP</symbol>
+ <!-- Recipients are absent or undisclosed -->
<symbol weight="5.00">R_UNDISC_RCPT</symbol>
- <symbol weight="2.00">DRUGS_ANXIETY</symbol>
- <symbol weight="2.00">DRUGS_MUSCLE</symbol>
- <symbol weight="2.00">DRUGS_ANXIETY_EREC</symbol>
- <symbol weight="5.50">PH_SURBL_MULTI</symbol>
+ <!-- White color on white background in HTML messages -->
<symbol weight="9.00">R_WHITE_ON_WHITE</symbol>
+ <!-- Short html part with a link to an image -->
<symbol weight="3.00">HTML_SHORT_LINK_IMG_2</symbol>
+ <!-- Forged outlook MUA -->
<symbol weight="3.00">FORGED_MUA_OUTLOOK</symbol>
- <symbol weight="2.00">DRUGS_ERECTILE</symbol>
+ <!-- Fake helo for verizon provider -->
<symbol weight="2.00">FM_FAKE_HELO_VERIZON</symbol>
+ <!--Quoted reply-to from yahoo (seems to be forged) -->
<symbol weight="2.00">REPTO_QUOTE_YAHOO</symbol>
+ <!-- Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange) -->
<symbol weight="5.00">MISSING_MIMEOLE</symbol>
- <symbol weight="9.50">RAMBLER_URIBL</symbol>
+ <!-- To header is missing -->
<symbol weight="2.00">MISSING_TO</symbol>
- <symbol weight="0.33">FROM_EXCESS_BASE64</symbol>
- <symbol weight="-5.00">FROM_WORLDBANK</symbol>
- <symbol weight="-5.00">FROM_CBR</symbol>
- <symbol weight="-5.00">FROM_CSHOP</symbol>
- <symbol weight="-5.00">FROM_MIRHOSTING</symbol>
- <symbol weight="-5.00">FROM_PASSIFLORA</symbol>
- <symbol weight="10.00">R_SPAM_FROM_VALUEHOST</symbol>
+ <!-- From that contains encoded characters while base 64 is not needed as all symbols are 7bit -->
+ <symbol weight="0.33">FROM_EXCESS_BASE64</symbol>
+ <!-- Mixed characters in a message -->
<symbol weight="5.00">R_MIXED_CHARSET</symbol>
+ <!-- Recipients list seems to be sorted -->
<symbol weight="3.50">SORTED_RECIPS</symbol>
+ <!-- Spambots signatures in received headers -->
<symbol weight="3.00">R_RCVD_SPAMBOTS</symbol>
- <symbol weight="5.50">JP_SURBL_MULTI</symbol>
+ <!-- To header seems to be autogenerated -->
<symbol weight="3.00">R_TO_SEEMS_AUTO</symbol>
+ <!-- Subject needs encoding -->
<symbol weight="1.00">SUBJECT_NEEDS_ENCODING</symbol>
+ <!-- Spam string at the end of message to make statistics faults 0-->
<symbol weight="3.84">TRACKER_ID</symbol>
- <symbol weight="8.00">R_LOTTO</symbol>
+ <!-- No space in from header -->
<symbol weight="3.00">R_NO_SPACE_IN_FROM</symbol>
+ <!-- Subject seems to be spam -->
<symbol weight="8.00">R_SAJDING</symbol>
+ <!-- Detects bad content-transfer-encoding for text parts -->
<symbol weight="6.00">R_BAD_CTE_7BIT</symbol>
- <symbol weight="5.50">WS_SURBL_MULTI</symbol>
+ <!-- Flash redirect on imageshack.us -->
<symbol weight="10.00">R_FLASH_REDIR_IMGSHACK</symbol>
+ <!-- Message id is incorrect -->
<symbol weight="5.00">INVALID_MSGID</symbol>
+ <!-- Message id is missing -->
<symbol weight="3.00">MISSING_MID</symbol>
- <symbol weight="2.00">DRUGS_DIET</symbol>
+ <!-- Recipients are not the same as RCPT TO: mail command -->
<symbol weight="3.00">FORGED_RECIPIENTS</symbol>
+ <!-- Forged Exchange messages -->
<symbol weight="2.00">RATWARE_MS_HASH</symbol>
+ <!-- Reply-type in content-type -->
<symbol weight="1.00">STOX_REPLY_TYPE</symbol>
+ <!-- IP in received headers is in PBL -->
+ <symbol weight="3.00">R_IP_PBL</symbol>
+ <!-- One received header in a message -->
+ <symbol weight="1.00">ONCE_RECEIVED</symbol>
+ <!-- One received header with 'bad' patterns inside -->
+ <symbol weight="4.00">ONCE_RECEIVED_STRICT</symbol>
+ <!-- Received headers contains addresses from RBL -->
+ <symbol weight="1.00">RECEIVED_RBL</symbol>
+ <!-- Text and HTML parts differ -->
+ <symbol weight="3.00">R_PARTS_DIFFER</symbol>
+ <!-- Only Content-Type header without other MIME headers -->
+ <symbol weight="2.00">MIME_HEADER_CTYPE_ONLY</symbol>
+ <!-- Message contains empty parts and image -->
+ <symbol weight="2.00">R_EMPTY_IMAGE</symbol>
+
+ <!-- Drugs patterns inside message -->
+ <symbol weight="2.00">DRUGS_MANYKINDS</symbol>
+ <!-- Specific drugs signatures -->
+ <symbol weight="2.00">DRUGS_ANXIETY</symbol>
+ <symbol weight="2.00">DRUGS_MUSCLE</symbol>
+ <symbol weight="2.00">DRUGS_ANXIETY_EREC</symbol>
+ <symbol weight="2.00">DRUGS_DIET</symbol>
+ <symbol weight="2.00">DRUGS_ERECTILE</symbol>
+
+ <!-- 2 or 3 'advance fee' patterns in a message -->
+ <symbol weight="3.30">ADVANCE_FEE_2</symbol>
+ <symbol weight="2.12">ADVANCE_FEE_3</symbol>
+
+ <!-- Lotto signatures -->
+ <symbol weight="8.00">R_LOTTO</symbol>
+
+ <!-- Statistics -->
<symbol weight="3.00">BAYES_SPAM</symbol>
<symbol weight="-3.00">BAYES_HAM</symbol>
+
+ <!-- Fuzzy lists example -->
<symbol weight="1.00">R_FUZZY</symbol>
<symbol weight="1.00">R_FUZZY1</symbol>
<symbol weight="1.00">R_FUZZY2</symbol>
<symbol weight="1.00">R_FUZZY3</symbol>
-
+
+ <!-- SPF rules -->
<symbol weight="3.00">R_SPF_FAIL</symbol>
<symbol weight="1.00">R_SPF_SOFTFAIL</symbol>
<symbol weight="-3.00">R_SPF_ALLOW</symbol>
-
- <symbol weight="-2.00">MAILLIST</symbol>
- <symbol weight="3.00">R_IP_PBL</symbol>
+ <!-- Whitelisted client's IP -->
+ <symbol weight="-2.00">WHITELIST_IP</symbol>
+ <!-- Message seems to be from maillist -->
+ <symbol weight="-2.00">MAILLIST</symbol>
+ <!-- multi.surbl.org lists (more details at http://www.surbl.org) -->
+ <!-- Phishing and malware sites -->
+ <symbol weight="5.50">PH_SURBL_MULTI</symbol>
+ <!-- Outblaze URI Blacklist -->
+ <symbol weight="5.50">OB_SURBL_MULTI</symbol>
+ <!-- AbuseButler web sites -->
+ <symbol weight="5.50">AB_SURBL_MULTI</symbol>
+ <!-- SpamCop web sites -->
+ <symbol weight="5.50">SC_SURBL_MULTI</symbol>
+ <!-- jwSpamSpy + Prolocation sites -->
+ <symbol weight="5.50">JP_SURBL_MULTI</symbol>
+ <!-- sa-blacklist web sites -->
+ <symbol weight="5.50">WS_SURBL_MULTI</symbol>
- <symbol weight="1.00">ONCE_RECEIVED</symbol>
- <symbol weight="4.00">ONCE_RECEIVED_STRICT</symbol>
+ <!-- rambler.ru uribl -->
+ <symbol weight="9.50">RAMBLER_URIBL</symbol>
- <symbol weight="1.00">RECEIVED_RBL</symbol>
-
- <symbol weight="3.00">R_PARTS_DIFFER</symbol>
- <symbol weight="2.00">MIME_HEADER_CTYPE_ONLY</symbol>
</metric>
<!-- End of factors section -->
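Review bot: `RAMBLER_URIBL` stays in the sample metric at weight 9.50 against a `required_score` of 10.0, so one hit on a single site-specific URI list plus any minor symbol reaches the reject threshold for anyone who deploys this sample unchanged. Since the commit otherwise removes what look like site-specific rules (the `FROM_*` whitelists and `R_SPAM_FROM_VALUEHOST`), consider dropping the symbol from the sample or lowering it to the 5.50 used for the SURBL lists, and say in its comment that it is an example list. Separately, the comment added above `TRACKER_ID` ends in a stray `0` (`faults 0-->`), and the one above `REPTO_QUOTE_YAHOO` lacks the space after `<!--`.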