diff options
author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2017-11-11 13:52:02 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2017-11-11 13:52:02 +0000 |
commit | 5da8cf87d7c40dc6a73d79f0a526f603852c9c6d (patch) | |
tree | 46e3be9eb2f36c5cc03cae1849692f8a658831ed /conf/metrics.conf | |
parent | 723215e676ec5c16d98609ff3f8c9fc6d41638a3 (diff) | |
download | rspamd-5da8cf87d7c40dc6a73d79f0a526f603852c9c6d.tar.gz rspamd-5da8cf87d7c40dc6a73d79f0a526f603852c9c6d.zip |
[Conf] Massive config rework for new structure of symbols and scores
Diffstat (limited to 'conf/metrics.conf')
-rw-r--r-- | conf/metrics.conf | 605 |
1 files changed, 3 insertions, 602 deletions
diff --git a/conf/metrics.conf b/conf/metrics.conf index 6553b86cf..9c4358f30 100644 --- a/conf/metrics.conf +++ b/conf/metrics.conf @@ -14,610 +14,11 @@ # # See https://rspamd.com/doc/tutorials/writing_rules.html for details +# DEPRECATION WARNING!! +# This file is deprecated since 1.7 +# Please use actions.conf and groups.conf files instead metric { name = "default"; - # If this param is set to non-zero - # then a metric would accept all symbols - # unknown_weight = 1.0 - - actions { - reject = 15; - add_header = 6; - greylist = 4; - } - - group "excessqp" { - max_score = 2.4; - } - group "excessb64" { - max_score = 3.0; - } - group "header" { - symbol "FORGED_SENDER" { - weight = 0.30; - description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; - } - symbol "R_MIXED_CHARSET" { - weight = 5.0; - description = "Mixed characters in a message"; - one_shot = true; - } - symbol "R_MIXED_CHARSET_URL" { - weight = 7.0; - description = "Mixed characters in a URL inside message"; - one_shot = true; - } - symbol "FORGED_RECIPIENTS" { - weight = 2.0; - description = "Recipients are not the same as RCPT TO: mail command"; - } - symbol "FORGED_RECIPIENTS_MAILLIST" { - weight = 0.0; - description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; - } - symbol "FORGED_SENDER_MAILLIST" { - weight = 0.0; - description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; - } - symbol "ONCE_RECEIVED" { - weight = 0.1; - description = "One received header in a message"; - } - symbol "RDNS_NONE" { - weight = 1.0; - description = "Cannot resolve reverse DNS for sender's IP"; - } - symbol "ONCE_RECEIVED_STRICT" { - weight = 4.0; - description = "One received header with 'bad' patterns inside"; - } - symbol "MAILLIST" { - weight = -0.2; - description = "Message seems to be from maillist"; - } - } - - group "subject" { - max_score = 6.0; - } - - group "mua" { - symbol "FORGED_MUA_MAILLIST" { - weight = 0.0; - description = "Avoid false positives for FORGED_MUA_* in maillist"; - } - } - - group "rbl" { - symbol "DNSWL_BLOCKED" { - weight = 0.0; - description = "Resolver blocked due to excessive queries"; - } - symbol "RCVD_IN_DNSWL" { - weight = 0.0; - description = "Unrecognised result from dnswl.org"; - } - symbol "RCVD_IN_DNSWL_NONE" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, low none"; - } - symbol "RCVD_IN_DNSWL_LOW" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, low trust"; - } - symbol "RCVD_IN_DNSWL_MED" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, medium trust"; - } - symbol "RCVD_IN_DNSWL_HI" { - weight = 0.0; - description = "Sender listed at http://www.dnswl.org, high trust"; - } - - symbol "RBL_SPAMHAUS" { - weight = 0.0; - description = "Unrecognised result from Spamhaus zen"; - } - symbol "RBL_SPAMHAUS_SBL" { - weight = 2.0; - description = "From address is listed in zen sbl"; - } - symbol "RBL_SPAMHAUS_CSS" { - weight = 2.0; - description = "From address is listed in zen css"; - } - symbol "RBL_SPAMHAUS_XBL" { - weight = 4.0; - description = "From address is listed in zen xbl"; - } - symbol "RBL_SPAMHAUS_XBL_ANY" { - weight = 4.0; - description = "From or received address is listed in zen xbl (any list)"; - } - symbol "RBL_SPAMHAUS_PBL" { - weight = 2.0; - description = "From address is listed in zen pbl (ISP list)"; - } - symbol "RBL_SPAMHAUS_DROP" { - weight = 7.0; - description = "From address is listed in zen drop bl"; - } - symbol "RECEIVED_SPAMHAUS_XBL" { - weight = 3.0; - description = "Received address is listed in zen xbl"; - one_shot = true; - } - - symbol "RBL_SENDERSCORE" { - weight = 2.0; - description = "From address is listed in senderscore.com BL"; - } - symbol "RBL_ABUSECH" { - weight = 1.0; - description = "From address is listed in ABUSE.CH BL"; - } - symbol "MAILSPIKE" { - weight = 0.0; - description = "Unrecognised result from Mailspike"; - } - symbol "RWL_MAILSPIKE_NEUTRAL" { - weight = 0.0; - description = "Neutral result from Mailspike"; - } - symbol "RBL_MAILSPIKE_WORST" { - weight = 2.0; - description = "From address is listed in RBL - worst possible reputation"; - } - symbol "RBL_MAILSPIKE_VERYBAD" { - weight = 1.5; - description = "From address is listed in RBL - very bad reputation"; - } - symbol "RBL_MAILSPIKE_BAD" { - weight = 1.0; - description = "From address is listed in RBL - bad reputation"; - } - symbol "RWL_MAILSPIKE_POSSIBLE" { - weight = 0.0; - description = "From address is listed in RWL - possibly legit"; - } - symbol "RWL_MAILSPIKE_GOOD" { - weight = 0.0; - description = "From address is listed in RWL - good reputation"; - } - symbol "RWL_MAILSPIKE_VERYGOOD" { - weight = 0.0; - description = "From address is listed in RWL - very good reputation"; - } - symbol "RWL_MAILSPIKE_EXCELLENT" { - weight = 0.0; - description = "From address is listed in RWL - excellent reputation"; - } - - symbol "RBL_SEM" { - weight = 1.0; - description = "Address is listed in Spameatingmonkey RBL"; - } - - symbol "RBL_SEM_IPV6" { - weight = 1.0; - description = "Address is listed in Spameatingmonkey RBL (ipv6)"; - } - } - - group "bayes" { - symbol "BAYES_SPAM" { - weight = 4.0; - description = "Message probably spam, probability: "; - } - symbol "BAYES_HAM" { - weight = -3.0; - description = "Message probably ham, probability: "; - } - } - - group "fuzzy" { - symbol "FUZZY_UNKNOWN" { - weight = 5.0; - description = "Generic fuzzy hash match"; - } - symbol "FUZZY_DENIED" { - weight = 12.0; - description = "Denied fuzzy hash"; - } - symbol "FUZZY_PROB" { - weight = 5.0; - description = "Probable fuzzy hash"; - } - symbol "FUZZY_WHITE" { - weight = -2.1; - description = "Whitelisted fuzzy hash"; - } - } - - group "spf" { - symbol "R_SPF_FAIL" { - weight = 1.0; - description = "SPF verification failed"; - } - symbol "R_SPF_SOFTFAIL" { - weight = 0.0; - description = "SPF verification soft-failed"; - } - symbol "R_SPF_NEUTRAL" { - weight = 0.0; - description = "SPF policy is neutral"; - } - symbol "R_SPF_ALLOW" { - weight = -0.2; - description = "SPF verification allows sending"; - } - symbol "R_SPF_DNSFAIL" { - weight = 0.0; - description = "SPF DNS failure"; - } - } - - group "dkim" { - symbol "R_DKIM_REJECT" { - weight = 1.0; - description = "DKIM verification failed"; - one_shot = true; - } - symbol "R_DKIM_TEMPFAIL" { - weight = 0.0; - description = "DKIM verification soft-failed"; - } - symbol "R_DKIM_ALLOW" { - weight = -0.2; - description = "DKIM verification succeed"; - one_shot = true; - } - } - - group "surbl" { - max_score = 12.5; - - symbol "SURBL_BLOCKED" { - weight = 0.0; - description = "SURBL: blocked by policy/overusage"; - } - symbol "PH_SURBL_MULTI" { - weight = 5.5; - description = "SURBL: Phishing sites"; - } - symbol "MW_SURBL_MULTI" { - weight = 5.5; - description = "SURBL: Malware sites"; - } - symbol "ABUSE_SURBL" { - weight = 5.5; - description = "SURBL: ABUSE"; - } - symbol "CRACKED_SURBL" { - weight = 4.0; - description = "SURBL: cracked site"; - } - symbol "RAMBLER_URIBL" { - weight = 4.5; - description = "Rambler uribl"; - one_shot = true; - } - - symbol "RAMBLER_EMAILBL" { - weight = 9.5; - description = "Rambler emailbl"; - one_shot = true; - } - - symbol "MSBL_EBL" { - weight = 7.5; - description = "MSBL emailbl"; - one_shot = true; - } - - symbol "SEM_URIBL_UNKNOWN" { - weight = 0.0; - description = "Spameatingmonkey uribl: unknown result"; - } - symbol "SEM_URIBL" { - weight = 3.5; - description = "Spameatingmonkey uribl"; - } - - symbol "SEM_URIBL_FRESH15_UNKNOWN" { - weight = 0.0; - description = "Spameatingmonkey Fresh15 uribl: unknown result"; - } - symbol "SEM_URIBL_FRESH15" { - weight = 3.0; - description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; - } - - symbol "DBL" { - weight = 0.0; - description = "DBL unknown result"; - } - symbol "DBL_SPAM" { - weight = 6.5; - description = "DBL uribl spam"; - } - symbol "DBL_PHISH" { - weight = 6.5; - description = "DBL uribl phishing"; - } - symbol "DBL_MALWARE" { - weight = 6.5; - description = "DBL uribl malware"; - } - symbol "DBL_BOTNET" { - weight = 5.5; - description = "DBL uribl botnet C&C domain"; - } - symbol "DBL_ABUSE" { - weight = 6.5; - description = "DBL uribl abused legit spam"; - } - symbol "DBL_ABUSE_REDIR" { - weight = 1.5; - description = "DBL uribl abused spammed redirector domain"; - } - symbol "DBL_ABUSE_PHISH" { - weight = 7.5; - description = "DBL uribl abused legit phish"; - } - symbol "DBL_ABUSE_MALWARE" { - weight = 7.5; - description = "DBL uribl abused legit malware"; - } - symbol "DBL_ABUSE_BOTNET" { - weight = 5.5; - description = "DBL uribl abused legit botnet C&C"; - } - symbol "DBL_PROHIBIT" { - weight = 0.00000; - description = "DBL uribl IP queries prohibited!"; - } - symbol "URIBL_MULTI" { - weight = 0.0; - description = "uribl.com: unrecognised result"; - } - symbol "URIBL_BLOCKED" { - weight = 0.0; - description = "uribl.com: query refused"; - } - symbol "URIBL_BLACK" { - weight = 7.5; - description = "uribl.com black url"; - } - symbol "URIBL_RED" { - weight = 3.5; - description = "uribl.com red url"; - } - symbol "URIBL_GREY" { - weight = 1.5; - description = "uribl.com grey url"; - one_shot = true; - } - symbol "SBL_URIBL" { - weight = 0.0; - description = "SBL URIBL: Filtered result"; - } - symbol "URIBL_SBL" { - weight = 6.5; - description = "Spamhaus SBL URIBL"; - } - symbol "URIBL_SBL_CSS" { - weight = 6.5; - description = "Spamhaus SBL CSS URIBL"; - } - symbol "RBL_SARBL_BAD" { - weight = 2.5; - description = "A domain listed in the mail is blacklisted in SARBL"; - } - } - - group "phishing" { - symbol "PHISHING" { - weight = 4.0; - description = "Phished URL"; - one_shot = true; - } - symbol "PHISHED_OPENPHISH" { - weight = 7.0; - description = "Phished URL found in openphish.com"; - } - symbol "PHISHED_PHISHTANK" { - weight = 7.0; - description = "Phished URL found in phishtank.com"; - } - symbol HACKED_WP_PHISHING { - weight = 4.5; - description = "Phishing message from hacked wordpress"; - } - } - - group "hfilter" { - symbol "HFILTER_HELO_BAREIP" { - weight = 3.00; - description = "Helo host is bare ip"; - } - symbol "HFILTER_HELO_BADIP" { - weight = 4.50; - description = "Helo host is very bad ip"; - } - symbol "HFILTER_HELO_1" { - weight = 0.5; - description = "Helo host checks (very low)"; - } - symbol "HFILTER_HELO_2" { - weight = 1.00; - description = "Helo host checks (low)"; - } - symbol "HFILTER_HELO_3" { - weight = 2.00; - description = "Helo host checks (medium)"; - } - symbol "HFILTER_HELO_4" { - weight = 2.50; - description = "Helo host checks (hard)"; - } - symbol "HFILTER_HELO_5" { - weight = 3.00; - description = "Helo host checks (very hard)"; - } - symbol "HFILTER_HOSTNAME_1" { - weight = 0.5; - description = "Hostname checks (very low)"; - } - symbol "HFILTER_HOSTNAME_2" { - weight = 1.00; - description = "Hostname checks (low)"; - } - symbol "HFILTER_HOSTNAME_3" { - weight = 2.00; - description = "Hostname checks (medium)"; - } - symbol "HFILTER_HOSTNAME_4" { - weight = 2.50; - description = "Hostname checks (hard)"; - } - symbol "HFILTER_HOSTNAME_5" { - weight = 3.00; - description = "Hostname checks (very hard)"; - } - symbol "HFILTER_HELO_NORESOLVE_MX" { - weight = 0.20; - description = "MX found in Helo and no resolve"; - } - symbol "HFILTER_HELO_NORES_A_OR_MX" { - weight = 0.3; - description = "Helo no resolve to A or MX"; - } - symbol "HFILTER_HELO_IP_A" { - weight = 1.00; - description = "Helo A IP != hostname IP"; - } - symbol "HFILTER_HELO_NOT_FQDN" { - weight = 2.00; - description = "Helo not FQDN"; - } - symbol "HFILTER_FROMHOST_NORESOLVE_MX" { - weight = 0.5; - description = "MX found in FROM host and no resolve"; - } - symbol "HFILTER_FROMHOST_NORES_A_OR_MX" { - weight = 1.50; - description = "FROM host no resolve to A or MX"; - } - symbol "HFILTER_FROMHOST_NOT_FQDN" { - weight = 3.00; - description = "FROM host not FQDN"; - } - symbol "HFILTER_FROM_BOUNCE" { - weight = 0.00; - description = "Bounce message"; - } - /* - symbol { - weight = 0.50; - name = "HFILTER_MID_NORESOLVE_MX"; - description = "MX found in Message-id host and no resolve"; - } - symbol { - weight = 0.50; - name = "HFILTER_MID_NORES_A_OR_MX"; - description = "Message-id host no resolve to A or MX"; - } - symbol { - weight = 0.50; - name = "HFILTER_MID_NOT_FQDN"; - description = "Message-id host not FQDN"; - } - */ - symbol "HFILTER_HOSTNAME_UNKNOWN" { - weight = 2.50; - description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; - } - symbol "HFILTER_RCPT_BOUNCEMOREONE" { - weight = 1.50; - description = "Message from bounce and over 1 recipient"; - } - symbol "HFILTER_URL_ONLY" { - weight = 2.20; - description = "URL only in body"; - } - symbol "HFILTER_URL_ONELINE" { - weight = 2.50; - description = "One line URL and text in body"; - } - } - - group "dmarc" { - - symbol "DMARC_POLICY_ALLOW" { - weight = -0.5; - description = "DMARC permit policy"; - } - symbol "DMARC_POLICY_ALLOW_WITH_FAILURES" { - weight = -0.5; - description = "DMARC permit policy with DKIM/SPF failure"; - } - symbol "DMARC_POLICY_REJECT" { - weight = 2.0; - description = "DMARC reject policy"; - } - symbol "DMARC_POLICY_QUARANTINE" { - weight = 1.5; - description = "DMARC quarantine policy"; - } - symbol "DMARC_POLICY_SOFTFAIL" { - weight = 0.1; - description = "DMARC failed"; - } - } - group "mime_types" { - symbol "MIME_GOOD" { - weight = -0.1; - description = "Known content-type"; - one_shot = true; - } - symbol "MIME_BAD" { - weight = 1.0; - description = "Known bad content-type"; - one_shot = true; - } - symbol "MIME_UNKNOWN" { - weight = 0.1; - description = "Missing or unknown content-type"; - one_shot = true; - } - symbol "MIME_BAD_ATTACHMENT" { - weight = 4.0; - description = "Invalid attachment mime type"; - one_shot = true; - } - symbol "MIME_ENCRYPTED_ARCHIVE" { - weight = 2.0; - description = "Encrypted archive in a message"; - one_shot = true; - } - symbol "MIME_ARCHIVE_IN_ARCHIVE" { - weight = 5.0; - description = "Archive within another archive"; - one_shot = true; - } - symbol "MIME_DOUBLE_BAD_EXTENSION" { - weight = 3.0; # This rule has dynamic weight up to 4.0 - description = "Bad extension cloaking"; - one_shot = true; - } - symbol "MIME_BAD_EXTENSION" { - weight = 2.0; # This rule has dynamic weight up to 4.0 - description = "Bad extension"; - one_shot = true; - } - } - .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" } |