Diffstat (limited to 'conf')
-rw-r--r--conf/metrics.conf272
1 files changed, 0 insertions, 272 deletions
diff --git a/conf/metrics.conf b/conf/metrics.conf
index 0bab8ea51..1294ca2f1 100644
--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -28,99 +28,23 @@ metric {
group "excessqp" {
max_score = 2.4;
- symbol "FROM_EXCESS_QP" {
- weight = 1.2;
- description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- }
- symbol "TO_EXCESS_QP" {
- weight = 1.2;
- description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- }
- symbol "REPLYTO_EXCESS_QP" {
- weight = 1.2;
- description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- }
- symbol "CC_EXCESS_QP" {
- weight = 1.2;
- description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
- }
}
group "excessb64" {
max_score = 3.0;
- symbol "FROM_EXCESS_BASE64" {
- weight = 1.5;
- description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- }
- symbol "TO_EXCESS_BASE64" {
- weight = 1.5;
- description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- }
- symbol "REPLYTO_EXCESS_BASE64" {
- weight = 1.5;
- description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- }
- symbol "CC_EXCESS_BASE64" {
- weight = 1.5;
- description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
- }
}
group "header" {
- symbol "MISSING_SUBJECT" {
- weight = 2.0;
- description = "Subject is missing inside message";
- }
- symbol "FORGED_OUTLOOK_TAGS" {
- weight = 2.100000;
- description = "Message pretends to be send from Outlook but has 'strange' tags ";
- }
symbol "FORGED_SENDER" {
weight = 0.30;
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
}
- symbol "SUSPICIOUS_RECIPS" {
- weight = 1.500000;
- description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
- }
symbol "MIME_HTML_ONLY" {
weight = 0.2;
description = "Messages that have only HTML part";
}
- symbol "FORGED_MSGID_YAHOO" {
- weight = 2.0;
- description = "Forged yahoo msgid";
- }
- symbol "FORGED_MUA_THEBAT_BOUN" {
- weight = 2.0;
- description = "Forged The Bat! MUA headers";
- }
- symbol "R_MISSING_CHARSET" {
- weight = 2.5;
- description = "Charset is missing in a message";
- }
- symbol "RCVD_DOUBLE_IP_SPAM" {
- weight = 2.0;
- description = "Two received headers with ip addresses";
- }
- symbol "FORGED_OUTLOOK_HTML" {
- weight = 5.0;
- description = "Forged outlook HTML signature";
- }
- symbol "R_UNDISC_RCPT" {
- weight = 3.0;
- description = "Recipients are absent or undisclosed";
- }
symbol "FM_FAKE_HELO_VERIZON" {
weight = 2.0;
description = "Fake helo for verizon provider";
}
- symbol "REPTO_QUOTE_YAHOO" {
- weight = 2.0;
- description = "Quoted reply-to from yahoo (seems to be forged)";
- }
- symbol "MISSING_MIMEOLE" {
- weight = 2.0;
- description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
- }
symbol "MISSING_TO" {
weight = 2.0;
description = "To header is missing";
@@ -135,42 +59,6 @@ metric {
description = "Mixed characters in a URL inside message";
one_shot = true;
}
- symbol "SORTED_RECIPS" {
- weight = 3.500000;
- description = "Recipients list seems to be sorted";
- }
- symbol "R_RCVD_SPAMBOTS" {
- weight = 3.0;
- description = "Spambots signatures in received headers";
- }
- symbol "SUBJECT_NEEDS_ENCODING" {
- weight = 1.0;
- description = "Subject needs encoding";
- }
- symbol "TRACKER_ID" {
- weight = 3.84;
- description = "Spam string at the end of message to make statistics faults 0";
- }
- symbol "R_NO_SPACE_IN_FROM" {
- weight = 1.0;
- description = "No space in from header";
- }
- symbol "R_SAJDING" {
- weight = 8.0;
- description = "Subject seems to be spam";
- }
- symbol "R_BAD_CTE_7BIT" {
- weight = 3.0;
- description = "Detects bad content-transfer-encoding for text parts";
- }
- symbol "INVALID_MSGID" {
- weight = 1.7;
- description = "Message id is incorrect";
- }
- symbol "MISSING_MID" {
- weight = 2.5;
- description = "Message id is missing ";
- }
symbol "FORGED_RECIPIENTS" {
weight = 2.0;
description = "Recipients are not the same as RCPT TO: mail command";
@@ -183,14 +71,6 @@ metric {
weight = 0.0;
description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
}
- symbol "RATWARE_MS_HASH" {
- weight = 2.0;
- description = "Forged Exchange messages";
- }
- symbol "STOX_REPLY_TYPE" {
- weight = 1.0;
- description = "Reply-type in content-type";
- }
symbol "ONCE_RECEIVED" {
weight = 0.1;
description = "One received header in a message";
@@ -203,99 +83,15 @@ metric {
weight = 4.0;
description = "One received header with 'bad' patterns inside";
}
- symbol "MIME_HEADER_CTYPE_ONLY" {
- weight = 2.0;
- description = "Only Content-Type header without other MIME headers";
- }
symbol "MAILLIST" {
weight = -0.2;
description = "Message seems to be from maillist";
}
- symbol "HEADER_FROM_DELIMITER_TAB" {
- weight = 1.0;
- description = "Header From begins with tab";
- }
- symbol "HEADER_TO_DELIMITER_TAB" {
- weight = 1.0;
- description = "Header To begins with tab";
- }
- symbol "HEADER_CC_DELIMITER_TAB" {
- weight = 1.0;
- description = "Header Cc begins with tab";
- }
- symbol "HEADER_REPLYTO_DELIMITER_TAB" {
- weight = 1.0;
- description = "Header Reply-To begins with tab";
- }
- symbol "HEADER_DATE_DELIMITER_TAB" {
- weight = 1.0;
- description = "Header Date begins with tab";
- }
- symbol "HEADER_FROM_EMPTY_DELIMITER" {
- weight = 1.0;
- description = "Header From has no delimiter between header name and header value";
- }
- symbol "HEADER_TO_EMPTY_DELIMITER" {
- weight = 1.0;
- description = "Header To has no delimiter between header name and header value";
- }
- symbol "HEADER_CC_EMPTY_DELIMITER" {
- weight = 1.0;
- description = "Header Cc has no delimiter between header name and header value";
- }
- symbol "HEADER_REPLYTO_EMPTY_DELIMITER" {
- weight = 1.0;
- description = "Header Reply-To has no delimiter between header name and header value";
- }
- symbol "HEADER_DATE_EMPTY_DELIMITER" {
- weight = 1.0;
- description = "Header Date has no delimiter between header name and header value";
- }
- symbol "RCVD_ILLEGAL_CHARS" {
- weight = 4.0;
- description = "Header Received has raw illegal character";
- }
- symbol "FAKE_RECEIVED_mail_ru" {
- weight = 4.0;
- description = "Fake helo mail.ru in header Received from non mail.ru sender address";
- }
- symbol "FAKE_RECEIVED_smtp_yandex_ru" {
- weight = 4.0;
- description = "Fake smtp.yandex.ru Received";
- }
- symbol "FORGED_GENERIC_RECEIVED" {
- weight = 3.6;
- description = "Forged generic Received";
- }
- symbol "FORGED_GENERIC_RECEIVED2" {
- weight = 3.6;
- description = "Forged generic Received";
- }
- symbol "FORGED_GENERIC_RECEIVED3" {
- weight = 3.6;
- description = "Forged generic Received";
- }
- symbol "FORGED_GENERIC_RECEIVED4" {
- weight = 3.6;
- description = "Forged generic Received";
- }
- symbol "FORGED_GENERIC_RECEIVED5" {
- weight = 4.6;
- description = "Forged generic Received";
- }
- symbol "INVALID_POSTFIX_RECEIVED" {
- weight = 3.0;
- description = "Invalid Postfix Received";
- }
}
group "subject" {
max_score = 6.0;
- symbol "FAKE_REPLY_C" {
- weight = 6.0;
- description = "Fake reply (has RE in subject, but has not References header)";
- }
symbol "LONG_SUBJ" {
weight = 6.0;
description = "Subject is too long";
@@ -307,58 +103,6 @@ metric {
}
group "mua" {
- symbol "FORGED_MUA_THEBAT_MSGID" {
- weight = 4.0;
- description = "Message pretends to be send from The Bat! but has forged Message-ID";
- }
- symbol "FORGED_MUA_THEBAT_MSGID_UNKNOWN" {
- weight = 3.0;
- description = "Message pretends to be send from The Bat! but has forged Message-ID";
- }
- symbol "FORGED_MUA_KMAIL_MSGID" {
- weight = 3.0;
- description = "Message pretends to be send from KMail but has forged Message-ID";
- }
- symbol "FORGED_MUA_KMAIL_MSGID_UNKNOWN" {
- weight = 2.5;
- description = "Message pretends to be send from KMail but has forged Message-ID";
- }
- symbol "FORGED_MUA_OPERA_MSGID" {
- weight = 4.0;
- description = "Message pretends to be send from Opera Mail but has forged Message-ID";
- }
- symbol "SUSPICIOUS_OPERA_10W_MSGID" {
- weight = 4.0;
- description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
- }
- symbol "FORGED_MUA_MOZILLA_MAIL_MSGID" {
- weight = 4.0;
- description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
- }
- symbol "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN" {
- weight = 2.5;
- description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
- }
- symbol "FORGED_MUA_THUNDERBIRD_MSGID" {
- weight = 4.0;
- description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
- }
- symbol "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN" {
- weight = 2.5;
- description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
- }
- symbol "FORGED_MUA_SEAMONKEY_MSGID" {
- weight = 4.0;
- description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
- }
- symbol "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN" {
- weight = 2.5;
- description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
- }
- symbol "FORGED_MUA_OUTLOOK" {
- weight = 3.0;
- description = "Forged outlook MUA";
- }
symbol "FORGED_MUA_MAILLIST" {
weight = 0.0;
description = "Avoid false positives for FORGED_MUA_* in maillist";
@@ -382,22 +126,6 @@ metric {
weight = 0.5;
description = "Short html part with a link to an image";
}
- symbol "SUSPICIOUS_BOUNDARY" {
- weight = 5.0;
- description = "Suspicious boundary in header Content-Type";
- }
- symbol "SUSPICIOUS_BOUNDARY2" {
- weight = 4.0;
- description = "Suspicious boundary in header Content-Type";
- }
- symbol "SUSPICIOUS_BOUNDARY3" {
- weight = 3.0;
- description = "Suspicious boundary in header Content-Type";
- }
- symbol "SUSPICIOUS_BOUNDARY4" {
- weight = 4.0;
- description = "Suspicious boundary in header Content-Type";
- }
symbol "R_PARTS_DIFFER" {
weight = 1.0;
description = "Text and HTML parts differ";