From ac675792e2277deee495bf98f34045c4b3f4d954 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Thu, 21 Nov 2013 16:20:45 +0000 Subject: Add basics of the new configuration. --- conf/composites.conf | 10 + conf/logging.conf | 7 + conf/metrics.conf | 593 +++++++++++++++++++++++++++++++++++++++++++++++++++ conf/modules.conf | 146 +++++++++++++ conf/options.conf | 14 ++ conf/rspamd.conf | 17 ++ conf/statistic.conf | 19 ++ conf/workers.conf | 20 ++ 8 files changed, 826 insertions(+) create mode 100644 conf/composites.conf create mode 100644 conf/logging.conf create mode 100644 conf/metrics.conf create mode 100644 conf/modules.conf create mode 100644 conf/options.conf create mode 100644 conf/rspamd.conf create mode 100644 conf/statistic.conf create mode 100644 conf/workers.conf diff --git a/conf/composites.conf b/conf/composites.conf new file mode 100644 index 000000000..a8fe1ae4a --- /dev/null +++ b/conf/composites.conf @@ -0,0 +1,10 @@ +# Composites setup + +composite { + name = "FORGED_RECIPIENTS_MAILLIST"; + expression = "FORGED_RECIPIENTS & -MAILLIST"; +} +composite { + name = "FORGED_MUA_OUTLOOK_MAILLIST"; + expression = "FORGED_MUA_OUTLOOK and MAILLIST"; +} diff --git a/conf/logging.conf b/conf/logging.conf new file mode 100644 index 000000000..816582d56 --- /dev/null +++ b/conf/logging.conf @@ -0,0 +1,7 @@ +# Logging setup + +logging { + level = "info"; + type = "file"; + filename = "$LOGDIR/rspamd.log"; +} diff --git a/conf/metrics.conf b/conf/metrics.conf new file mode 100644 index 000000000..6cbeb8771 --- /dev/null +++ b/conf/metrics.conf @@ -0,0 +1,593 @@ +# Metrics settings + +metric { + name = "default"; + action = "reject:10"; + action = "greylist:4"; + action = "add_header:6"; + symbol { + weight = 2.0; + description = "Subject is missing inside message"; + name = "MISSING_SUBJECT"; + } + symbol { + weight = 2.100000; + description = "Message pretends to be send from Outlook but has 'strange' tags "; + name = "FORGED_OUTLOOK_TAGS"; + } + symbol { + weight = 5.0; + description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; + name = "FORGED_SENDER"; + } + symbol { + weight = 3.500000; + description = "Recipients seems to be autogenerated (works if recipients count is more than 5)"; + name = "SUSPICIOUS_RECIPS"; + } + symbol { + weight = 6.0; + description = "Fake reply (has RE in subject, but has not References header)"; + name = "FAKE_REPLY_C"; + } + symbol { + weight = 1.0; + description = "Messages that have only HTML part"; + name = "MIME_HTML_ONLY"; + } + symbol { + weight = 2.0; + description = "Forged yahoo msgid"; + name = "FORGED_MSGID_YAHOO"; + } + symbol { + weight = 2.0; + description = "Forged The Bat! MUA headers"; + name = "FORGED_MUA_THEBAT_BOUN"; + } + symbol { + weight = 5.0; + description = "Charset is missing in a message"; + name = "R_MISSING_CHARSET"; + } + symbol { + weight = 2.0; + description = "Two received headers with ip addresses"; + name = "RCVD_DOUBLE_IP_SPAM"; + } + symbol { + weight = 5.0; + description = "Forged outlook HTML signature"; + name = "FORGED_OUTLOOK_HTML"; + } + symbol { + weight = 5.0; + description = "Recipients are absent or undisclosed"; + name = "R_UNDISC_RCPT"; + } + symbol { + weight = 9.0; + description = "White color on white background in HTML messages"; + name = "R_WHITE_ON_WHITE"; + } + symbol { + weight = 3.0; + description = "Short html part with a link to an image"; + name = "HTML_SHORT_LINK_IMG_2"; + } + symbol { + weight = 3.0; + description = "Forged outlook MUA"; + name = "FORGED_MUA_OUTLOOK"; + } + symbol { + weight = 0.0; + description = "Forged outlook MUA, but from maillist"; + name = "FORGED_MUA_OUTLOOK_MAILLIST"; + } + symbol { + weight = 5.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY"; + } + symbol { + weight = 4.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY2"; + } + symbol { + weight = 3.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY3"; + } + symbol { + weight = 4.0; + description = "Suspicious boundary in header Content-Type"; + name = "SUSPICIOUS_BOUNDARY4"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from The Bat! but has forged Message-ID"; + name = "FORGED_MUA_THEBAT_MSGID"; + } + symbol { + weight = 3.0; + description = "Message pretends to be send from The Bat! but has forged Message-ID"; + name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN"; + } + symbol { + weight = 3.0; + description = "Message pretends to be send from KMail but has forged Message-ID"; + name = "FORGED_MUA_KMAIL_MSGID"; + } + symbol { + weight = 2.500000; + description = "Message pretends to be send from KMail but has forged Message-ID"; + name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from Opera Mail but has forged Message-ID"; + name = "FORGED_MUA_OPERA_MSGID"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail"; + name = "SUSPICIOUS_OPERA_10W_MSGID"; + } + symbol { + weight = 4.0; + description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; + name = "FORGED_MUA_MOZILLA_MAIL_MSGID"; + } + symbol { + weight = 2.500000; + description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; + name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN"; + } + symbol { + weight = 4.0; + description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; + name = "FORGED_MUA_THUNDERBIRD_MSGID"; + } + symbol { + weight = 2.500000; + description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; + name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN"; + } + symbol { + weight = 4.0; + description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; + name = "FORGED_MUA_SEAMONKEY_MSGID"; + } + symbol { + weight = 2.500000; + description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; + name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN"; + } + symbol { + weight = 2.0; + description = "Fake helo for verizon provider"; + name = "FM_FAKE_HELO_VERIZON"; + } + symbol { + weight = 2.0; + description = "Quoted reply-to from yahoo (seems to be forged)"; + name = "REPTO_QUOTE_YAHOO"; + } + symbol { + weight = 5.0; + description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)"; + name = "MISSING_MIMEOLE"; + } + symbol { + weight = 2.0; + description = "To header is missing"; + name = "MISSING_TO"; + } + symbol { + weight = 1.500000; + description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "FROM_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "FROM_EXCESS_QP"; + } + symbol { + weight = 1.500000; + description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "TO_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "TO_EXCESS_QP"; + } + symbol { + weight = 1.500000; + description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "REPLYTO_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "REPLYTO_EXCESS_QP"; + } + symbol { + weight = 1.500000; + description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit"; + name = "CC_EXCESS_BASE64"; + } + symbol { + weight = 1.200000; + description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; + name = "CC_EXCESS_QP"; + } + symbol { + weight = 5.0; + description = "Mixed characters in a message"; + name = "R_MIXED_CHARSET"; + } + symbol { + weight = 3.500000; + description = "Recipients list seems to be sorted"; + name = "SORTED_RECIPS"; + } + symbol { + weight = 3.0; + description = "Spambots signatures in received headers"; + name = "R_RCVD_SPAMBOTS"; + } + symbol { + weight = 2.0; + description = "To header seems to be autogenerated"; + name = "R_TO_SEEMS_AUTO"; + } + symbol { + weight = 1.0; + description = "Subject needs encoding"; + name = "SUBJECT_NEEDS_ENCODING"; + } + symbol { + weight = 3.840000; + description = "Spam string at the end of message to make statistics faults 0"; + name = "TRACKER_ID"; + } + symbol { + weight = 1.0; + description = "No space in from header"; + name = "R_NO_SPACE_IN_FROM"; + } + symbol { + weight = 8.0; + description = "Subject seems to be spam"; + name = "R_SAJDING"; + } + symbol { + weight = 3.0; + description = "Detects bad content-transfer-encoding for text parts"; + name = "R_BAD_CTE_7BIT"; + } + symbol { + weight = 10.0; + description = "Flash redirect on imageshack.us"; + name = "R_FLASH_REDIR_IMGSHACK"; + } + symbol { + weight = 5.0; + description = "Message id is incorrect"; + name = "INVALID_MSGID"; + } + symbol { + weight = 3.0; + description = "Message id is missing "; + name = "MISSING_MID"; + } + symbol { + weight = 3.0; + description = "Recipients are not the same as RCPT TO: mail command"; + name = "FORGED_RECIPIENTS"; + } + symbol { + weight = 0.0; + description = "Recipients are not the same as RCPT TO: mail command, but from maillist"; + name = "FORGED_RECIPIENTS_MAILLIST"; + } + symbol { + weight = 2.0; + description = "Forged Exchange messages "; + name = "RATWARE_MS_HASH"; + } + symbol { + weight = 1.0; + description = "Reply-type in content-type"; + name = "STOX_REPLY_TYPE"; + } + symbol { + weight = 3.0; + description = "IP in received headers is in PBL"; + name = "R_IP_PBL"; + } + symbol { + weight = 1.0; + description = "One received header in a message "; + name = "ONCE_RECEIVED"; + } + symbol { + weight = 4.0; + description = "One received header with 'bad' patterns inside"; + name = "ONCE_RECEIVED_STRICT"; + } + symbol { + weight = 1.0; + description = "Received headers contains addresses from RBL"; + name = "RECEIVED_RBL"; + } + symbol { + weight = 3.0; + description = "Text and HTML parts differ"; + name = "R_PARTS_DIFFER"; + } + symbol { + weight = 2.0; + description = "Only Content-Type header without other MIME headers"; + name = "MIME_HEADER_CTYPE_ONLY"; + } + symbol { + weight = 2.0; + description = "Message contains empty parts and image "; + name = "R_EMPTY_IMAGE"; + } + symbol { + weight = 2.0; + description = "Drugs patterns inside message"; + name = "DRUGS_MANYKINDS"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_ANXIETY"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_MUSCLE"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_ANXIETY_EREC"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_DIET"; + } + symbol { + weight = 2.0; + description = ""; + name = "DRUGS_ERECTILE"; + } + symbol { + weight = 3.300000; + description = "2 'advance fee' patterns in a message"; + name = "ADVANCE_FEE_2"; + } + symbol { + weight = 2.120000; + description = "3 'advance fee' patterns in a message"; + name = "ADVANCE_FEE_3"; + } + symbol { + weight = 8.0; + description = "Lotto signatures"; + name = "R_LOTTO"; + } + symbol { + weight = 3.0; + description = "Message probably spam, probability: "; + name = "BAYES_SPAM"; + } + symbol { + weight = -3.0; + description = "Message probably ham, probability: "; + name = "BAYES_HAM"; + } + symbol { + weight = 1.0; + description = ""; + name = "R_FUZZY"; + } + symbol { + weight = 1.0; + description = ""; + name = "R_FUZZY1"; + } + symbol { + weight = 1.0; + description = ""; + name = "R_FUZZY2"; + } + symbol { + weight = 1.0; + description = ""; + name = "R_FUZZY3"; + } + symbol { + weight = 3.0; + description = "SPF verification failed"; + name = "R_SPF_FAIL"; + } + symbol { + weight = 1.0; + description = "SPF verification soft-failed"; + name = "R_SPF_SOFTFAIL"; + } + symbol { + weight = -3.0; + description = "SPF verification alowed"; + name = "R_SPF_ALLOW"; + } + symbol { + weight = -2.0; + description = "Whitelisted client's IP"; + name = "WHITELIST_IP"; + } + symbol { + weight = -2.0; + description = "Message seems to be from maillist"; + name = "MAILLIST"; + } + symbol { + weight = 5.500000; + description = "Phishing and malware sites"; + name = "PH_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "Outblaze URI Blacklist"; + name = "OB_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "AbuseButler web sites"; + name = "AB_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "SpamCop web sites"; + name = "SC_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "jwSpamSpy + Prolocation sites"; + name = "JP_SURBL_MULTI"; + } + symbol { + weight = 5.500000; + description = "sa-blacklist web sites "; + name = "WS_SURBL_MULTI"; + } + symbol { + weight = 9.500000; + description = "rambler.ru uribl"; + name = "RAMBLER_URIBL"; + } + symbol { + weight = 9.500000; + description = "rambler.ru emailbl"; + name = "RAMBLER_EMAILBL"; + } + symbol { + weight = 5.0; + description = "Phished mail"; + name = "PHISHING"; + } + symbol { + weight = 1.0; + description = "Header From begins with tab"; + name = "HEADER_FROM_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header To begins with tab"; + name = "HEADER_TO_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header Cc begins with tab"; + name = "HEADER_CC_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header Reply-To begins with tab"; + name = "HEADER_REPLYTO_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header Date begins with tab"; + name = "HEADER_DATE_DELIMITER_TAB"; + } + symbol { + weight = 1.0; + description = "Header From has no delimiter between header name and header value"; + name = "HEADER_FROM_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header To has no delimiter between header name and header value"; + name = "HEADER_TO_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header Cc has no delimiter between header name and header value"; + name = "HEADER_CC_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header Reply-To has no delimiter between header name and header value"; + name = "HEADER_REPLYTO_EMPTY_DELIMITER"; + } + symbol { + weight = 1.0; + description = "Header Date has no delimiter between header name and header value"; + name = "HEADER_DATE_EMPTY_DELIMITER"; + } + symbol { + weight = 4.0; + description = "Header Received has raw illegal character"; + name = "RCVD_ILLEGAL_CHARS"; + } + symbol { + weight = 4.0; + description = "Fake helo mail.ru in header Received from non mail.ru sender address"; + name = "FAKE_RECEIVED_mail_ru"; + } + symbol { + weight = 4.0; + description = "Fake smtp.yandex.ru Received"; + name = "FAKE_RECEIVED_smtp_yandex_ru"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED2"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED3"; + } + symbol { + weight = 3.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED4"; + } + symbol { + weight = 4.600000; + description = "Forged generic Received"; + name = "FORGED_GENERIC_RECEIVED5"; + } + symbol { + weight = 3.0; + description = "Invalid Postfix Received"; + name = "INVALID_POSTFIX_RECEIVED"; + } + symbol { + weight = 5.0; + description = "Invalid Exim Received"; + name = "INVALID_EXIM_RECEIVED"; + } + symbol { + weight = 3.0; + description = "Invalid Exim Received"; + name = "INVALID_EXIM_RECEIVED2"; + } +} diff --git a/conf/modules.conf b/conf/modules.conf new file mode 100644 index 000000000..c549a6213 --- /dev/null +++ b/conf/modules.conf @@ -0,0 +1,146 @@ +# Rspamd modules configuration +fuzzy_check { + servers = "highsecure.ru:11335"; + symbol = "R_FUZZY"; + min_bytes = 300; + max_score = 10; + mime_types = "application/pdf"; + fuzzy_map = { + FUZZY_DENIED { + weight = 10.0; + flag = 1 + } + FUZZY_PROB { + weight = 5.0; + flag = 2 + } + FUZZY_WHITE { + weight = -2.1; + flag = 3 + } + } +} +forged_recipients { + symbol_sender = "FORGED_SENDER"; + symbol_rcpt = "FORGED_RECIPIENTS"; +} +maillist { + symbol = "MAILLIST"; +} +surbl { + whitelist = "file://$CONFDIR/rspamd/surbl-whitelist.inc"; + exceptions = "file://$CONFDIR/rspamd/2tld.inc"; + + rule { + suffix = "multi.surbl.org"; + symbol = "SURBL_MULTI"; + bits { + JP_SURBL_MULTI = 64; + AB_SURBL_MULTI = 32; + OB_SURBL_MULTI = 16; + PH_SURBL_MULTI = 8; + WS_SURBL_MULTI = 4; + SC_SURBL_MULTI = 2; + } + } + rule { + suffix = "uribl.rambler.ru"; + symbol = "RAMBLER_URIBL"; + } + rule { + suffix = "dbl.spamhaus.org"; + options = "noip"; + } +} +rbl { + default_received = false; + default_from = true; + + rbls { + spamhaus_zen { + symbol = "RBL_ZEN"; + rbl = "zen.spamhaus.org"; + ipv4 = true; + ipv6 = true; + } + spamhaus_pbl { + symbol = "RECEIVED_PBL"; + rbl = "pbl.spamhaus.org"; + ipv4 = true; + ipv6 = true; + received = true; + from = false; + } + spamhaus_pbl { + symbol = "RECEIVED_XBL"; + rbl = "xbl.spamhaus.org"; + ipv4 = true; + ipv6 = true; + received = true; + from = false; + } + mailspike { + symbol = "RBL_MAILSPIKE"; + rbl = "bl.mailspike.net"; + } + senderscore { + symbol = "RBL_SENDERSCORE"; + rbl = "bl.score.senderscore.com"; + } + } +} + +chartable { + threshold = 0.300000; + symbol = "R_MIXED_CHARSET"; +} +once_received { + good_host = "mail"; + bad_host = "static"; + bad_host = "dynamic"; + symbol_strict = "ONCE_RECEIVED_STRICT"; + symbol = "ONCE_RECEIVED"; +} +multimap { + spamhaus { + type = "dnsbl"; + map = "pbl.spamhaus.org"; + symbol = "R_IP_PBL"; + description = "PBL dns block list"; + } +} +phishing { + symbol = "PHISHING"; +} +emails { + rule { + symbol = RAMBLER_EMAILBL; + dnsbl = email-bl.rambler.ru; + domain_only = false; + } +} +spf { + spf_cache_size = 2k; + spf_cache_expire = 1d; +} +dkim { + dkim_cache_size = 2k; + dkim_cache_expire = 1d; + time_jitter = 6h; + trusted_only = false; + skip_multi = false; +} + +ratelimit { + limit = "to:100:0.033333333"; + limit = "to_ip:30:0.025"; + limit = "to_ip_from:20:0.01666666667"; + limit = "bounce_to:10:0.000555556"; + limit = "bounce_to_ip:5:0.000277778"; + whitelisted_rcpts = "postmaster,mailer-daemon"; + max_rcpt = 5; +} + +regexp { + max_size = 1M; +} diff --git a/conf/options.conf b/conf/options.conf new file mode 100644 index 000000000..b074c5556 --- /dev/null +++ b/conf/options.conf @@ -0,0 +1,14 @@ +# Basic options + +options { + pidfile = "$RUNDIR/rspamd.pid"; + filters = "chartable,dkim,spf,surbl,regexp"; + raw_mode = false; + one_shot = false; + dns_timeout = 1s; + dns_retransmits = 5; + cache_file = "$DBDIR/symbols.cache"; + map_watch_interval = 1min; + dynamic_conf = "$DBDIR/rspamd_dynamic"; + history_file = "$DBDIR/rspamd.history"; +} diff --git a/conf/rspamd.conf b/conf/rspamd.conf new file mode 100644 index 000000000..bbfb12007 --- /dev/null +++ b/conf/rspamd.conf @@ -0,0 +1,17 @@ +# A common rspamd configuration file + +lua = "$CONFDIR/lua/rspamd.lua" + +.include "options.conf" +.include "logging.conf" +.include "metrics.conf" +.include "workers.conf" +.include "composites.conf" + +.icnlude "statistic.conf" + +.include "modules.conf" + +modules { + path = "$PLUGINSDIR/lua/" +} diff --git a/conf/statistic.conf b/conf/statistic.conf new file mode 100644 index 000000000..bd738dd84 --- /dev/null +++ b/conf/statistic.conf @@ -0,0 +1,19 @@ +# Rspamd statistic setup + +classifier { + type = "bayes"; + tokenizer = "osb-text"; + metric = "default"; + min_tokens = 10; + max_tokens = 1000; + statfile { + symbol = "BAYES_HAM"; + size = 50M; + path = "$DBDIR/bayes.ham"; + } + statfile { + symbol = "BAYES_SPAM"; + size = 50M; + path = "$DBDIR/bayes.spam"; + } +} diff --git a/conf/workers.conf b/conf/workers.conf new file mode 100644 index 000000000..1d8e0df90 --- /dev/null +++ b/conf/workers.conf @@ -0,0 +1,20 @@ +# Common workers configuration + +worker { + type = "normal"; + bind_socket = "*:11333"; + http = false; + allow_learn = true; + mime = true; +} +worker { + type = "controller"; + bind_socket = "127.0.0.1:11334"; + count = 1; +} +worker { + type = "webui"; + count = 1; + bind_socket = "localhost:11336"; + password = "q1"; +} -- cgit v1.2.3