From cba8dc9d42473547eb8e708a31f88838ecbc0a27 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Wed, 6 Apr 2016 11:01:58 +0100 Subject: [Feature] Rework metrics configuration to allow includes --- conf/metrics.conf | 763 +++++++++++++++++++----------------------------------- 1 file changed, 260 insertions(+), 503 deletions(-) diff --git a/conf/metrics.conf b/conf/metrics.conf index 3669f1cb0..96304725b 100644 --- a/conf/metrics.conf +++ b/conf/metrics.conf @@ -26,1132 +26,904 @@ metric { greylist = 4; } - group { - name = "header"; - symbol { + group "header" { + symbol "MISSING_SUBJECT" { weight = 2.0; description = "Subject is missing inside message"; - name = "MISSING_SUBJECT"; } - symbol { + symbol "FORGED_OUTLOOK_TAGS" { weight = 2.100000; description = "Message pretends to be send from Outlook but has 'strange' tags "; - name = "FORGED_OUTLOOK_TAGS"; } - symbol { + symbol "FORGED_SENDER" { weight = 0.30; description = "Sender is forged (different 
From: header and smtp MAIL FROM: addresses)"; - name = "FORGED_SENDER"; } - symbol { + symbol "SUSPICIOUS_RECIPS" { weight = 1.500000; description = "Recipients seems to be autogenerated (works if recipients count is more than 5)"; - name = "SUSPICIOUS_RECIPS"; } - symbol { + symbol "FAKE_REPLY_C" { weight = 6.0; description = "Fake reply (has RE in subject, but has not References header)"; - name = "FAKE_REPLY_C"; } - symbol { + symbol "MIME_HTML_ONLY" { weight = 1.0; description = "Messages that have only HTML part"; - name = "MIME_HTML_ONLY"; } - symbol { + symbol "FORGED_MSGID_YAHOO" { weight = 2.0; description = "Forged yahoo msgid"; - name = "FORGED_MSGID_YAHOO"; } - symbol { + symbol "FORGED_MUA_THEBAT_BOUN" { weight = 2.0; description = "Forged The Bat! MUA headers"; - name = "FORGED_MUA_THEBAT_BOUN"; } - symbol { + symbol "R_MISSING_CHARSET" { weight = 5.0; description = "Charset is missing in a message"; - name = "R_MISSING_CHARSET"; } - symbol { + symbol "RCVD_DOUBLE_IP_SPAM" { weight = 2.0; description = "Two received headers with ip addresses"; - name = "RCVD_DOUBLE_IP_SPAM"; } - symbol { + symbol "FORGED_OUTLOOK_HTML" { weight = 5.0; description = "Forged outlook HTML signature"; - name = "FORGED_OUTLOOK_HTML"; } - symbol { + symbol "R_UNDISC_RCPT" { weight = 5.0; description = "Recipients are absent or undisclosed"; - name = "R_UNDISC_RCPT"; } - symbol { + symbol "FM_FAKE_HELO_VERIZON" { weight = 2.0; description = "Fake helo for verizon provider"; - name = "FM_FAKE_HELO_VERIZON"; } - symbol { + symbol "REPTO_QUOTE_YAHOO" { weight = 2.0; description = "Quoted reply-to from yahoo (seems to be forged)"; - name = "REPTO_QUOTE_YAHOO"; } - symbol { + symbol "MISSING_MIMEOLE" { weight = 5.0; description = "Mime-OLE is needed but absent (e.g. 
fake Outlook or fake Exchange)"; - name = "MISSING_MIMEOLE"; } - symbol { + symbol "MISSING_TO" { weight = 2.0; description = "To header is missing"; - name = "MISSING_TO"; } - symbol { - weight = 1.500000; + symbol "FROM_EXCESS_BASE64" { + weight = 1.5; description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "FROM_EXCESS_BASE64"; } - symbol { - weight = 1.200000; + symbol "FROM_EXCESS_QP" { + weight = 1.2; description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "FROM_EXCESS_QP"; } - symbol { - weight = 1.500000; + symbol "TO_EXCESS_BASE64" { + weight = 1.5; description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "TO_EXCESS_BASE64"; } - symbol { - weight = 1.200000; + symbol "TO_EXCESS_QP" { + weight = 1.2; description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "TO_EXCESS_QP"; } - symbol { - weight = 1.500000; + symbol "REPLYTO_EXCESS_BASE64" { + weight = 1.5; description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "REPLYTO_EXCESS_BASE64"; } - symbol { - weight = 1.200000; + symbol "REPLYTO_EXCESS_QP" { + weight = 1.2; description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "REPLYTO_EXCESS_QP"; } - symbol { - weight = 1.500000; + symbol "CC_EXCESS_BASE64" { + weight = 1.5; description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit"; - name = "CC_EXCESS_BASE64"; } - symbol { - weight = 1.200000; + symbol "CC_EXCESS_QP" { + weight = 1.2; description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; - name = "CC_EXCESS_QP"; } - symbol { + symbol "R_MIXED_CHARSET" { weight = 5.0; 
description = "Mixed characters in a message"; - name = "R_MIXED_CHARSET"; } - symbol { + symbol "SORTED_RECIPS" { weight = 3.500000; description = "Recipients list seems to be sorted"; - name = "SORTED_RECIPS"; } - symbol { + symbol "R_RCVD_SPAMBOTS" { weight = 3.0; description = "Spambots signatures in received headers"; - name = "R_RCVD_SPAMBOTS"; } - symbol { + symbol "SUBJECT_NEEDS_ENCODING" { weight = 1.0; description = "Subject needs encoding"; - name = "SUBJECT_NEEDS_ENCODING"; } - symbol { - weight = 3.840000; + symbol "TRACKER_ID" { + weight = 3.84; description = "Spam string at the end of message to make statistics faults 0"; - name = "TRACKER_ID"; } - symbol { + symbol "R_NO_SPACE_IN_FROM" { weight = 1.0; description = "No space in from header"; - name = "R_NO_SPACE_IN_FROM"; } - symbol { + symbol "R_SAJDING" { weight = 8.0; description = "Subject seems to be spam"; - name = "R_SAJDING"; } - symbol { + symbol "R_BAD_CTE_7BIT" { weight = 3.0; description = "Detects bad content-transfer-encoding for text parts"; - name = "R_BAD_CTE_7BIT"; } - symbol { + symbol "R_FLASH_REDIR_IMGSHACK" { weight = 10.0; description = "Flash redirect on imageshack.us"; - name = "R_FLASH_REDIR_IMGSHACK"; } - symbol { + symbol "INVALID_MSGID" { weight = 1.7; description = "Message id is incorrect"; - name = "INVALID_MSGID"; } - symbol { + symbol "MISSING_MID" { weight = 2.5; description = "Message id is missing "; - name = "MISSING_MID"; } - symbol { + symbol "FORGED_RECIPIENTS" { weight = 2.0; description = "Recipients are not the same as RCPT TO: mail command"; - name = "FORGED_RECIPIENTS"; } - symbol { + symbol "FORGED_RECIPIENTS_MAILLIST" { weight = 0.0; description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; - name = "FORGED_RECIPIENTS_MAILLIST"; } - symbol { + symbol "FORGED_SENDER_MAILLIST" { weight = 0.0; description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; - name = 
"FORGED_SENDER_MAILLIST"; } - symbol { + symbol "RATWARE_MS_HASH" { weight = 2.0; - description = "Forged Exchange messages "; - name = "RATWARE_MS_HASH"; + description = "Forged Exchange messages"; } - symbol { + symbol "STOX_REPLY_TYPE" { weight = 1.0; description = "Reply-type in content-type"; - name = "STOX_REPLY_TYPE"; } - symbol { + symbol "ONCE_RECEIVED" { weight = 0.1; description = "One received header in a message"; - name = "ONCE_RECEIVED"; } - symbol { + symbol "RDNS_NONE" { weight = 1.0; description = "Cannot resolve reverse DNS for sender's IP"; - name = "RDNS_NONE"; } - symbol { + symbol "ONCE_RECEIVED_STRICT" { weight = 4.0; description = "One received header with 'bad' patterns inside"; - name = "ONCE_RECEIVED_STRICT"; } - symbol { + symbol "MIME_HEADER_CTYPE_ONLY" { weight = 2.0; description = "Only Content-Type header without other MIME headers"; - name = "MIME_HEADER_CTYPE_ONLY"; } - symbol { + symbol "MAILLIST" { weight = -0.2; description = "Message seems to be from maillist"; - name = "MAILLIST"; } - symbol { + symbol "HEADER_FROM_DELIMITER_TAB" { weight = 1.0; description = "Header From begins with tab"; - name = "HEADER_FROM_DELIMITER_TAB"; } - symbol { + symbol "HEADER_TO_DELIMITER_TAB" { weight = 1.0; description = "Header To begins with tab"; - name = "HEADER_TO_DELIMITER_TAB"; } - symbol { + symbol "HEADER_CC_DELIMITER_TAB" { weight = 1.0; description = "Header Cc begins with tab"; - name = "HEADER_CC_DELIMITER_TAB"; } - symbol { + symbol "HEADER_REPLYTO_DELIMITER_TAB" { weight = 1.0; description = "Header Reply-To begins with tab"; - name = "HEADER_REPLYTO_DELIMITER_TAB"; } - symbol { + symbol "HEADER_DATE_DELIMITER_TAB" { weight = 1.0; description = "Header Date begins with tab"; - name = "HEADER_DATE_DELIMITER_TAB"; } - symbol { + symbol "HEADER_FROM_EMPTY_DELIMITER" { weight = 1.0; description = "Header From has no delimiter between header name and header value"; - name = "HEADER_FROM_EMPTY_DELIMITER"; } - symbol { + symbol 
"HEADER_TO_EMPTY_DELIMITER" { weight = 1.0; description = "Header To has no delimiter between header name and header value"; - name = "HEADER_TO_EMPTY_DELIMITER"; } - symbol { + symbol "HEADER_CC_EMPTY_DELIMITER" { weight = 1.0; description = "Header Cc has no delimiter between header name and header value"; - name = "HEADER_CC_EMPTY_DELIMITER"; } - symbol { + symbol "HEADER_REPLYTO_EMPTY_DELIMITER" { weight = 1.0; description = "Header Reply-To has no delimiter between header name and header value"; - name = "HEADER_REPLYTO_EMPTY_DELIMITER"; } - symbol { + symbol "HEADER_DATE_EMPTY_DELIMITER" { weight = 1.0; description = "Header Date has no delimiter between header name and header value"; - name = "HEADER_DATE_EMPTY_DELIMITER"; } - symbol { + symbol "RCVD_ILLEGAL_CHARS" { weight = 4.0; description = "Header Received has raw illegal character"; - name = "RCVD_ILLEGAL_CHARS"; } - symbol { + symbol "FAKE_RECEIVED_mail_ru" { weight = 4.0; description = "Fake helo mail.ru in header Received from non mail.ru sender address"; - name = "FAKE_RECEIVED_mail_ru"; } - symbol { + symbol "FAKE_RECEIVED_smtp_yandex_ru" { weight = 4.0; description = "Fake smtp.yandex.ru Received"; - name = "FAKE_RECEIVED_smtp_yandex_ru"; } - symbol { - weight = 3.600000; + symbol "FORGED_GENERIC_RECEIVED" { + weight = 3.6; description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED"; } - symbol { - weight = 3.600000; + symbol "FORGED_GENERIC_RECEIVED2" { + weight = 3.6; description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED2"; } - symbol { - weight = 3.600000; + symbol "FORGED_GENERIC_RECEIVED3" { + weight = 3.6; description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED3"; } - symbol { - weight = 3.600000; + symbol "FORGED_GENERIC_RECEIVED4" { + weight = 3.6; description = "Forged generic Received"; - name = "FORGED_GENERIC_RECEIVED4"; } - symbol { - weight = 4.600000; + symbol "FORGED_GENERIC_RECEIVED5" { + weight = 4.6; description = "Forged 
generic Received"; - name = "FORGED_GENERIC_RECEIVED5"; } - symbol { + symbol "INVALID_POSTFIX_RECEIVED" { weight = 3.0; description = "Invalid Postfix Received"; - name = "INVALID_POSTFIX_RECEIVED"; } } - group { - name = "mua"; - symbol { + group "mua" { + symbol "FORGED_MUA_THEBAT_MSGID" { weight = 4.0; description = "Message pretends to be send from The Bat! but has forged Message-ID"; - name = "FORGED_MUA_THEBAT_MSGID"; } - symbol { + symbol "FORGED_MUA_THEBAT_MSGID_UNKNOWN" { weight = 3.0; description = "Message pretends to be send from The Bat! but has forged Message-ID"; - name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN"; } - symbol { + symbol "FORGED_MUA_KMAIL_MSGID" { weight = 3.0; description = "Message pretends to be send from KMail but has forged Message-ID"; - name = "FORGED_MUA_KMAIL_MSGID"; } - symbol { - weight = 2.500000; + symbol "FORGED_MUA_KMAIL_MSGID_UNKNOWN" { + weight = 2.5; description = "Message pretends to be send from KMail but has forged Message-ID"; - name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN"; } - symbol { + symbol "FORGED_MUA_OPERA_MSGID" { weight = 4.0; description = "Message pretends to be send from Opera Mail but has forged Message-ID"; - name = "FORGED_MUA_OPERA_MSGID"; } - symbol { + symbol "SUSPICIOUS_OPERA_10W_MSGID" { weight = 4.0; description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail"; - name = "SUSPICIOUS_OPERA_10W_MSGID"; } - symbol { + symbol "FORGED_MUA_MOZILLA_MAIL_MSGID" { weight = 4.0; description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; - name = "FORGED_MUA_MOZILLA_MAIL_MSGID"; } - symbol { - weight = 2.500000; + symbol "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN" { + weight = 2.5; description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; - name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN"; } - symbol { + symbol "FORGED_MUA_THUNDERBIRD_MSGID" { weight = 4.0; description = "Forged mail 
pretending to be from Mozilla Thunderbird but has forged Message-ID"; - name = "FORGED_MUA_THUNDERBIRD_MSGID"; } - symbol { - weight = 2.500000; + symbol "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN" { + weight = 2.5; description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; - name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN"; } - symbol { + symbol "FORGED_MUA_SEAMONKEY_MSGID" { weight = 4.0; description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; - name = "FORGED_MUA_SEAMONKEY_MSGID"; } - symbol { - weight = 2.500000; + symbol "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN" { + weight = 2.5; description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; - name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN"; } - symbol { + symbol "FORGED_MUA_OUTLOOK" { weight = 3.0; description = "Forged outlook MUA"; - name = "FORGED_MUA_OUTLOOK"; } - symbol { + symbol "FORGED_MUA_MAILLIST" { weight = 0.0; description = "Avoid false positives for FORGED_MUA_* in maillist"; - name = "FORGED_MUA_MAILLIST"; } } - group { - name = "body"; - symbol { + group "body" { + symbol "R_WHITE_ON_WHITE" { weight = 9.0; description = "White color on white background in HTML messages"; - name = "R_WHITE_ON_WHITE"; } - symbol { + symbol "HTML_SHORT_LINK_IMG_1" { weight = 3.0; description = "Short html part with a link to an image"; - name = "HTML_SHORT_LINK_IMG_1"; } - symbol { + symbol "HTML_SHORT_LINK_IMG_2" { weight = 1.0; description = "Short html part with a link to an image"; - name = "HTML_SHORT_LINK_IMG_2"; } - symbol { + symbol "HTML_SHORT_LINK_IMG_3" { weight = 0.5; description = "Short html part with a link to an image"; - name = "HTML_SHORT_LINK_IMG_3"; } - symbol { + symbol "SUSPICIOUS_BOUNDARY" { weight = 5.0; description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY"; } - symbol { + symbol "SUSPICIOUS_BOUNDARY2" { weight = 4.0; description = "Suspicious boundary in header 
Content-Type"; - name = "SUSPICIOUS_BOUNDARY2"; } - symbol { + symbol "SUSPICIOUS_BOUNDARY3" { weight = 3.0; description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY3"; } - symbol { + symbol "SUSPICIOUS_BOUNDARY4" { weight = 4.0; description = "Suspicious boundary in header Content-Type"; - name = "SUSPICIOUS_BOUNDARY4"; } - symbol { + symbol "R_PARTS_DIFFER" { weight = 1.0; description = "Text and HTML parts differ"; - name = "R_PARTS_DIFFER"; } - symbol { + symbol "R_EMPTY_IMAGE" { weight = 2.0; description = "Message contains empty parts and image"; - name = "R_EMPTY_IMAGE"; } - symbol { + symbol "DRUGS_MANYKINDS" { weight = 2.0; description = "Drugs patterns inside message"; - name = "DRUGS_MANYKINDS"; } - symbol { + symbol "DRUGS_ANXIETY" { weight = 2.0; description = ""; - name = "DRUGS_ANXIETY"; } - symbol { + symbol "DRUGS_MUSCLE" { weight = 2.0; description = ""; - name = "DRUGS_MUSCLE"; } - symbol { + symbol "DRUGS_ANXIETY_EREC" { weight = 2.0; description = ""; - name = "DRUGS_ANXIETY_EREC"; } - symbol { + symbol "DRUGS_DIET" { weight = 2.0; description = ""; - name = "DRUGS_DIET"; } - symbol { + symbol "DRUGS_ERECTILE" { weight = 2.0; description = ""; - name = "DRUGS_ERECTILE"; } - symbol { + symbol "ADVANCE_FEE_2" { weight = 3.300000; description = "2 'advance fee' patterns in a message"; - name = "ADVANCE_FEE_2"; } - symbol { + symbol "ADVANCE_FEE_3" { weight = 2.120000; description = "3 'advance fee' patterns in a message"; - name = "ADVANCE_FEE_3"; } - symbol { + symbol "R_LOTTO" { weight = 8.0; description = "Lotto signatures"; - name = "R_LOTTO"; } } - group { - name = "rbl"; - symbol { - name = "DNSWL_BLOCKED"; + group "rbl" { + symbol "DNSWL_BLOCKED" { weight = 0.0; description = "Resolver blocked due to excessive queries"; } - symbol { - name = "RCVD_IN_DNSWL"; + symbol "RCVD_IN_DNSWL" { weight = 0.0; description = "Unrecognised result from dnswl.org"; } - symbol { - name = "RCVD_IN_DNSWL_NONE"; + symbol 
"RCVD_IN_DNSWL_NONE" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, low none"; } - symbol { - name = "RCVD_IN_DNSWL_LOW"; + symbol "RCVD_IN_DNSWL_LOW" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, low trust"; } - symbol { - name = "RCVD_IN_DNSWL_MED"; + symbol "RCVD_IN_DNSWL_MED" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, medium trust"; } - symbol { - name = "RCVD_IN_DNSWL_HI"; + symbol "RCVD_IN_DNSWL_HI" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, high trust"; } - symbol { - name = "RBL_SPAMHAUS"; + symbol "RBL_SPAMHAUS" { weight = 0.0; description = "Unrecognised result from Spamhaus zen"; } - symbol { - name = "RBL_SPAMHAUS_SBL"; + symbol "RBL_SPAMHAUS_SBL" { weight = 2.0; description = "From address is listed in zen sbl"; } - symbol { - name = "RBL_SPAMHAUS_CSS"; + symbol "RBL_SPAMHAUS_CSS" { weight = 2.0; description = "From address is listed in zen css"; } - symbol { - name = "RBL_SPAMHAUS_XBL"; + symbol "RBL_SPAMHAUS_XBL" { weight = 4.0; description = "From address is listed in zen xbl"; } - symbol { - name = "RBL_SPAMHAUS_XBL1"; + symbol "RBL_SPAMHAUS_XBL1" { weight = 4.0; description = "From address is listed in zen xbl (obsoleted/reserved)"; } - symbol { - name = "RBL_SPAMHAUS_XBL2"; + symbol "RBL_SPAMHAUS_XBL2" { weight = 4.0; description = "From address is listed in zen xbl (obsoleted/reserved)"; } - symbol { - name = "RBL_SPAMHAUS_XBL3"; + symbol "RBL_SPAMHAUS_XBL3" { weight = 4.0; description = "From address is listed in zen xbl (reserved)"; } - symbol { - name = "RBL_SPAMHAUS_XBL_ANY"; + symbol "RBL_SPAMHAUS_XBL_ANY" { weight = 4.0; description = "From or receive address is listed in zen xbl (any list)"; } - symbol { - name = "RBL_SPAMHAUS_PBL"; + symbol "RBL_SPAMHAUS_PBL" { weight = 2.0; description = "From address is listed in zen pbl (ISP list)"; } - symbol { - name = "RBL_SPAMHAUS_PBL1"; + symbol "RBL_SPAMHAUS_PBL1" { weight = 2.0; description = 
"From address is listed in zen pbl (Spamhaus list)"; } - symbol { - name = "RECEIVED_SPAMHAUS_XBL"; + symbol "RECEIVED_SPAMHAUS_XBL" { weight = 3.0; description = "Received address is listed in zen xbl"; one_shot = true; } - symbol { - name = "RWL_SPAMHAUS_WL"; + symbol "RWL_SPAMHAUS_WL" { weight = 0.0; description = "Unrecognised result from Spamhaus whitelist"; } - symbol { - name = "RWL_SPAMHAUS_WL_IND"; + symbol "RWL_SPAMHAUS_WL_IND" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { - name = "RWL_SPAMHAUS_WL_TRANS"; + symbol "RWL_SPAMHAUS_WL_TRANS" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { - name = "RWL_SPAMHAUS_WL_IND_EXP"; + symbol "RWL_SPAMHAUS_WL_IND_EXP" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - symbol { - name = "RWL_SPAMHAUS_WL_TRANS_EXP"; + symbol "RWL_SPAMHAUS_WL_TRANS_EXP" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } - - symbol { + symbol "RBL_SENDERSCORE" { weight = 2.0; description = "From address is listed in senderscore.com BL"; - name = "RBL_SENDERSCORE"; } - symbol { + symbol "RBL_ABUSECH" { weight = 1.0; description = "From address is listed in ABUSE.CH BL"; - name = "RBL_ABUSECH"; } - symbol { + symbol "RBL_UCEPROTECT_LEVEL1" { weight = 1.0; description = "From address is listed in UCEPROTECT LEVEL1 BL"; - name = "RBL_UCEPROTECT_LEVEL1"; } - symbol { - name = "RBL_MAILSPIKE"; + symbol "RBL_MAILSPIKE" { weight = 0.0; description = "Unrecognised result from Mailspike blacklist"; } - symbol { - name = "RWL_MAILSPIKE"; + symbol "RWL_MAILSPIKE" { weight = 0.0; description = "Unrecognised result from Mailspike whitelist"; } - symbol { - name = "RBL_MAILSPIKE_ZOMBIE"; + symbol "RBL_MAILSPIKE_ZOMBIE" { weight = 2.0; description = "From address is listed in RBL"; } - symbol { - name = "RBL_MAILSPIKE_WORST"; + symbol "RBL_MAILSPIKE_WORST" { weight = 2.0; description = "From address is listed in RBL"; } - symbol { - name = 
"RBL_MAILSPIKE_VERYBAD"; + symbol "RBL_MAILSPIKE_VERYBAD" { weight = 1.5; description = "From address is listed in RBL"; } - symbol { - name = "RBL_MAILSPIKE_BAD"; + symbol "RBL_MAILSPIKE_BAD" { weight = 1.0; description = "From address is listed in RBL"; } - symbol { - name = "RWL_MAILSPIKE_POSSIBLE"; + symbol "RWL_MAILSPIKE_POSSIBLE" { weight = 0.0; description = "From address is listed in RWL"; } - symbol { - name = "RWL_MAILSPIKE_GOOD"; + symbol "RWL_MAILSPIKE_GOOD" { weight = 0.0; description = "From address is listed in RWL"; } - symbol { - name = "RWL_MAILSPIKE_VERYGOOD"; + symbol "RWL_MAILSPIKE_VERYGOOD" { weight = 0.0; description = "From address is listed in RWL"; } - symbol { - name = "RWL_MAILSPIKE_EXCELLENT"; + symbol "RWL_MAILSPIKE_EXCELLENT" { weight = 0.0; description = "From address is listed in RWL"; } - symbol { + symbol "RBL_SORBS" { weight = 0.0; - name = "RBL_SORBS"; description = "Unrecognised result from SORBS RBL"; } - symbol { + symbol "RBL_SORBS_HTTP" { weight = 2.5; - name = "RBL_SORBS_HTTP"; description = "List of Open HTTP Proxy Servers."; } - symbol { + symbol "RBL_SORBS_SOCKS" { weight = 2.5; - name = "RBL_SORBS_SOCKS"; description = "List of Open SOCKS Proxy Servers."; } - symbol { + symbol "RBL_SORBS_MISC" { weight = 1.0; - name = "RBL_SORBS_MISC"; description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists."; } - symbol { + symbol "RBL_SORBS_SMTP" { weight = 3.0; - name = "RBL_SORBS_SMTP"; description = "List of Open SMTP relay servers."; } - symbol { + symbol "RBL_SORBS_RECENT" { weight = 1.5; - name = "RBL_SORBS_RECENT"; description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; } - symbol { + symbol "RBL_SORBS_WEB" { weight = 0.4; - name = "RBL_SORBS_WEB"; description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. 
FormMail scripts)"; } - symbol { + symbol "RBL_SORBS_DUL" { weight = 2.0; - name = "RBL_SORBS_DUL"; description = "Dynamic IP Address ranges (NOT a Dial Up list!)"; } - symbol { + symbol "RBL_SORBS_BLOCK" { weight = 1.0; - name = "RBL_SORBS_BLOCK"; description = "List of hosts demanding that they never be tested by SORBS."; } - symbol { + symbol "RBL_SORBS_ZOMBIE" { weight = 1.0; - name = "RBL_SORBS_ZOMBIE"; description = "List of networks hijacked from their original owners, some of which have already used for spamming."; } - symbol { + symbol "RBL_SEM" { weight = 1.0; - name = "RBL_SEM"; description = "Address is listed in Spameatingmonkey RBL"; } - symbol { + symbol "RBL_SEM_IPV6" { weight = 1.0; - name = "RBL_SEM_IPV6"; description = "Address is listed in Spameatingmonkey RBL (ipv6)"; } } - group { - name = "bayes"; + group "bayes" { - symbol { + symbol "BAYES_SPAM" { weight = 4.0; description = "Message probably spam, probability: "; - name = "BAYES_SPAM"; } - symbol { + symbol "BAYES_HAM" { weight = -3.0; description = "Message probably ham, probability: "; - name = "BAYES_HAM"; } } - group { - name = "fuzzy"; - symbol { + group "fuzzy" { + symbol "FUZZY_UNKNOWN" { weight = 5.0; description = "Generic fuzzy hash match"; - name = "FUZZY_UNKNOWN"; } - symbol { + symbol "FUZZY_DENIED" { weight = 12.0; description = "Denied fuzzy hash"; - name = "FUZZY_DENIED"; } - symbol { + symbol "FUZZY_PROB" { weight = 5.0; description = "Probable fuzzy hash"; - name = "FUZZY_PROB"; } - symbol { + symbol "FUZZY_WHITE" { weight = -2.1; description = "Whitelisted fuzzy hash"; - name = "FUZZY_WHITE"; - } } + } - group { - name = "spf"; - symbol { + group "spf" { + symbol "R_SPF_FAIL" { weight = 1.0; description = "SPF verification failed"; - name = "R_SPF_FAIL"; } - symbol { + symbol "R_SPF_SOFTFAIL" { weight = 0.0; description = "SPF verification soft-failed"; - name = "R_SPF_SOFTFAIL"; } - symbol { + symbol "R_SPF_NEUTRAL" { weight = 0.0; description = "SPF policy is neutral"; 
- name = "R_SPF_NEUTRAL"; } - symbol { + symbol "R_SPF_ALLOW" { weight = -1.5; description = "SPF verification alowed"; - name = "R_SPF_ALLOW"; - } } + } - group { - name = "dkim"; - symbol { + group "dkim" { + symbol "R_DKIM_REJECT" { weight = 1.0; description = "DKIM verification failed"; - name = "R_DKIM_REJECT"; } - symbol { + symbol "R_DKIM_TEMPFAIL" { weight = 0.0; description = "DKIM verification soft-failed"; - name = "R_DKIM_TEMPFAIL"; } - symbol { + symbol "R_DKIM_ALLOW" { weight = -1.1; description = "DKIM verification succeed"; - name = "R_DKIM_ALLOW"; one_shot = true; } } - group { - name = "surbl"; - symbol { + group "surbl" { + symbol "SURBL_BLOCKED" { weight = 0.0; description = "SURBL: blocked by policy/overusage"; - name = "SURBL_BLOCKED"; } - symbol { + symbol "PH_SURBL_MULTI" { weight = 5.5; description = "SURBL: Phishing sites"; - name = "PH_SURBL_MULTI"; } - symbol { + symbol "MW_SURBL_MULTI" { weight = 5.5; description = "SURBL: Malware sites"; - name = "MW_SURBL_MULTI"; } - symbol { + symbol "ABUSE_SURBL" { weight = 5.5; description = "SURBL: ABUSE"; - name = "ABUSE_SURBL"; } - symbol { + symbol "CRACKED_SURBL" { weight = 4.0; description = "SURBL: cracked site"; - name = "CRACKED_SURBL"; } - symbol { + symbol "WS_SURBL_MULTI" { weight = 5.5; description = "SURBL: sa-blacklist web sites "; - name = "WS_SURBL_MULTI"; } - symbol { + symbol "RAMBLER_URIBL" { weight = 4.5; description = "rambler.ru uribl"; - name = "RAMBLER_URIBL"; } - symbol { + symbol "SEM_URIBL_UNKNOWN" { weight = 0.0; - name = "SEM_URIBL_UNKNOWN"; description = "Spameatingmonkey uribl: unknown result"; } - symbol { + symbol "SEM_URIBL" { weight = 3.5; - name = "SEM_URIBL"; description = "Spameatingmonkey uribl"; } - symbol { + symbol "SEM_URIBL_FRESH15_UNKNOWN" { weight = 0.0; - name = "SEM_URIBL_FRESH15_UNKNOWN"; description = "Spameatingmonkey Fresh15 uribl: unknown result"; } - symbol { + symbol "SEM_URIBL_FRESH15" { weight = 3.0; - name = "SEM_URIBL_FRESH15"; description 
= "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; } - symbol { + symbol "DBL" { weight = 0.0; description = "DBL unknown result"; - name = "DBL"; } - symbol { + symbol "DBL_SPAM" { weight = 6.5; description = "DBL uribl spam"; - name = "DBL_SPAM"; } - symbol { + symbol "DBL_PHISH" { weight = 6.5; description = "DBL uribl phishing"; - name = "DBL_PHISH"; } - symbol { + symbol "DBL_MALWARE" { weight = 6.5; description = "DBL uribl malware"; - name = "DBL_MALWARE"; } - symbol { + symbol "DBL_BOTNET" { weight = 5.5; description = "DBL uribl botnet C&C domain"; - name = "DBL_BOTNET"; } - symbol { + symbol "DBL_ABUSE" { weight = 6.5; description = "DBL uribl abused legit spam"; - name = "DBL_ABUSE"; } - symbol { + symbol "DBL_ABUSE_REDIR" { weight = 1.5; description = "DBL uribl abused spammed redirector domain"; - name = "DBL_ABUSE_REDIR"; } - symbol { + symbol "DBL_ABUSE_PHISH" { weight = 7.5; description = "DBL uribl abused legit phish"; - name = "DBL_ABUSE_PHISH"; } - symbol { + symbol "DBL_ABUSE_MALWARE" { weight = 7.5; description = "DBL uribl abused legit malware"; - name = "DBL_ABUSE_MALWARE"; } - symbol { + symbol "DBL_ABUSE_BOTNET" { weight = 5.5; description = "DBL uribl abused legit botnet C&C"; - name = "DBL_ABUSE_BOTNET"; } - symbol { + symbol "DBL_PROHIBIT" { weight = 0.00000; description = "DBL uribl IP queries prohibited!"; - name = "DBL_PROHIBIT"; } - symbol { + symbol "URIBL_MULTI" { weight = 0.0; description = "uribl.com: unrecognised result"; - name = "URIBL_MULTI"; } - symbol { + symbol "URIBL_BLOCKED" { weight = 0.0; description = "uribl.com: query refused"; - name = "URIBL_BLOCKED"; } - symbol { + symbol "URIBL_BLACK" { weight = 7.5; description = "uribl.com black url"; - name = "URIBL_BLACK"; } - symbol { + symbol "URIBL_RED" { weight = 3.5; description = "uribl.com red url"; - name = "URIBL_RED"; } - symbol { + symbol "URIBL_GREY" { weight = 1.5; description = "uribl.com grey 
url"; - name = "URIBL_GREY"; } - symbol { + symbol "RAMBLER_EMAILBL" { weight = 9.5; description = "rambler.ru emailbl"; - name = "RAMBLER_EMAILBL"; } - symbol { + symbol "SBL_URIBL" { weight = 0.0; description = "SBL URIBL: Filtered result"; - name = "SBL_URIBL"; } - symbol { + symbol "URIBL_SBL" { weight = 6.5; description = "Spamhaus SBL URIBL"; - name = "URIBL_SBL"; } - symbol { + symbol "URIBL_SBL_CSS" { weight = 6.5; description = "Spamhaus SBL CSS URIBL"; - name = "URIBL_SBL_CSS"; } } - group { - name = "phishing"; - - symbol { + group "phishing" { + symbol "PHISHING" { weight = 3.0; description = "Phished mail"; - name = "PHISHING"; } } - group { - name = "date"; + group "date" { - symbol { + symbol "DATE_IN_FUTURE" { weight = 4.0; description = "Message date is in future"; - name = "DATE_IN_FUTURE"; } - symbol { + symbol "DATE_IN_PAST" { weight = 1.0; description = "Message date is in past"; - name = "DATE_IN_PAST"; } - symbol { + symbol "MISSING_DATE" { weight = 1.0; description = "Message date is missing"; - name = "MISSING_DATE"; } } - group { - name = "hfilter"; - - symbol { + group "hfilter" { + symbol "HFILTER_HELO_BAREIP" { weight = 3.00; - name = "HFILTER_HELO_BAREIP"; description = "Helo host is bare ip"; } - symbol { + symbol "HFILTER_HELO_BADIP" { weight = 4.50; - name = "HFILTER_HELO_BADIP"; description = "Helo host is very bad ip"; } - symbol { + symbol "HFILTER_HELO_UNKNOWN" { weight = 2.00; - name = "HFILTER_HELO_UNKNOWN"; description = "Helo host empty or unknown"; } - symbol { + symbol "HFILTER_HELO_1" { weight = 0.5; - name = "HFILTER_HELO_1"; description = "Helo host checks (very low)"; } - symbol { + symbol "HFILTER_HELO_2" { weight = 1.00; - name = "HFILTER_HELO_2"; description = "Helo host checks (low)"; } - symbol { + symbol "HFILTER_HELO_3" { weight = 2.00; - name = "HFILTER_HELO_3"; description = "Helo host checks (medium)"; } - symbol { + symbol "HFILTER_HELO_4" { weight = 2.50; - name = "HFILTER_HELO_4"; description = "Helo host 
checks (hard)"; } - symbol { + symbol "HFILTER_HELO_5" { weight = 3.00; - name = "HFILTER_HELO_5"; description = "Helo host checks (very hard)"; } - symbol { + symbol "HFILTER_HOSTNAME_1" { weight = 0.5; - name = "HFILTER_HOSTNAME_1"; description = "Hostname checks (very low)"; } - symbol { + symbol "HFILTER_HOSTNAME_2" { weight = 1.00; - name = "HFILTER_HOSTNAME_2"; description = "Hostname checks (low)"; } - symbol { + symbol "HFILTER_HOSTNAME_3" { weight = 2.00; - name = "HFILTER_HOSTNAME_3"; description = "Hostname checks (medium)"; } - symbol { + symbol "HFILTER_HOSTNAME_4" { weight = 2.50; - name = "HFILTER_HOSTNAME_4"; description = "Hostname checks (hard)"; } - symbol { + symbol "HFILTER_HOSTNAME_5" { weight = 3.00; - name = "HFILTER_HOSTNAME_5"; description = "Hostname checks (very hard)"; } - symbol { + symbol "HFILTER_HELO_NORESOLVE_MX" { weight = 0.20; - name = "HFILTER_HELO_NORESOLVE_MX"; description = "MX found in Helo and no resolve"; } - symbol { + symbol "HFILTER_HELO_NORES_A_OR_MX" { weight = 0.3; - name = "HFILTER_HELO_NORES_A_OR_MX"; description = "Helo no resolve to A or MX"; } - symbol { + symbol "HFILTER_HELO_IP_A" { weight = 1.00; - name = "HFILTER_HELO_IP_A"; description = "Helo A IP != hostname IP"; } - symbol { + symbol "HFILTER_HELO_NOT_FQDN" { weight = 2.00; - name = "HFILTER_HELO_NOT_FQDN"; description = "Helo not FQDN"; } - symbol { + symbol "HFILTER_FROMHOST_NORESOLVE_MX" { weight = 0.5; - name = "HFILTER_FROMHOST_NORESOLVE_MX"; description = "MX found in FROM host and no resolve"; } - symbol { + symbol "HFILTER_FROMHOST_NORES_A_OR_MX" { weight = 1.50; - name = "HFILTER_FROMHOST_NORES_A_OR_MX"; description = "FROM host no resolve to A or MX"; } - symbol { + symbol "HFILTER_FROMHOST_NOT_FQDN" { weight = 3.00; - name = "HFILTER_FROMHOST_NOT_FQDN"; description = "FROM host not FQDN"; } - symbol { + symbol "HFILTER_FROM_BOUNCE" { weight = 0.00; - name = "HFILTER_FROM_BOUNCE"; description = "Bounce message"; } /* 
@@ -1171,76 +943,61 @@ metric { description = "Message-id host not FQDN"; } */ - symbol { + symbol "HFILTER_HOSTNAME_UNKNOWN" { weight = 2.50; - name = "HFILTER_HOSTNAME_UNKNOWN"; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; } - symbol { + symbol "HFILTER_RCPT_BOUNCEMOREONE" { weight = 1.50; - name = "HFILTER_RCPT_BOUNCEMOREONE"; description = "Message from bounce and over 1 recepient"; } - symbol { + symbol "HFILTER_URL_ONLY" { weight = 1.50; - name = "HFILTER_URL_ONLY"; description = "URL only in body"; } - symbol { + symbol "HFILTER_URL_ONELINE" { weight = 2.20; - name = "HFILTER_URL_ONELINE"; description = "One line URL and text in body"; } } - group { - name = "dmarc"; + group "dmarc" { - symbol { + symbol "DMARC_POLICY_ALLOW" { weight = -1.0; - name = "DMARC_POLICY_ALLOW"; description = "DMARC permit policy"; } - symbol { + symbol "DMARC_POLICY_REJECT" { weight = 2.0; - name = "DMARC_POLICY_REJECT"; description = "DMARC reject policy"; } - symbol { + symbol "DMARC_POLICY_QUARANTINE" { weight = 1.5; - name = "DMARC_POLICY_QUARANTINE"; description = "DMARC quarantine policy"; } - symbol { + symbol "DMARC_POLICY_SOFTFAIL" { weight = 0.1; - name = "DMARC_POLICY_SOFTFAIL"; description = "DMARC failed"; } } - group { - name = "mime_types"; - - symbol { + group "mime_types" { + symbol "MIME_GOOD" { weight = -0.1; - name = "MIME_GOOD"; description = "Known content-type"; one_shot = true; } - symbol { + symbol "MIME_BAD" { weight = 1.0; - name = "MIME_BAD"; description = "Known bad content-type"; one_shot = true; } - symbol { + symbol "MIME_UNKNOWN" { weight = 0.1; - name = "MIME_UNKNOWN"; description = "Missing or unknown content-type"; one_shot = true; } - symbol { + symbol "MIME_BAD_ATTACHMENT" { weight = 4.0; - name = "MIME_BAD_ATTACHMENT"; description = "Invalid attachement mime type"; one_shot = true; } -- cgit v1.2.3
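Review bot: The weight literals are only partly normalised in the first hunk: the lines the commit rewrites go from `1.500000` to `1.5`, but untouched context lines still read `weight = 2.100000;` (`FORGED_OUTLOOK_TAGS`), `weight = 1.500000;` (`SUSPICIOUS_RECIPS`), `weight = 3.500000;` (`SORTED_RECIPS`), `weight = 3.300000;` and `weight = 2.120000;` (`ADVANCE_FEE_2`, `ADVANCE_FEE_3`) and `weight = 0.00000;` (`DBL_PROHIBIT`). These scores feed the metric's actions (`greylist = 4;` is visible at the top of the hunk), so one spelling per value makes later score changes easier to audit in a diff. I would finish the pass with `weight = 2.1;`, `weight = 3.5;` and `weight = 0.0;` style literals throughout. Five `DRUGS_*` symbols (all but `DRUGS_MANYKINDS`) also keep `description = "";`, which leaves an operator triaging a hit with nothing but the symbol name. The enclosing `metric { … }` section starts before the hunk and continues past it.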
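Review bot: The commented-out block that the second hunk starts inside is not touched by the commit, so its symbols presumably still use the old `symbol { name = "…"; }` form. The block opens with `/*` on the last context line of the previous hunk and closes at `} */` here. Anyone re-enabling it would put old-form entries into the new keyed `group "hfilter"`, and how the parser treats that mix is not visible from this diff. I would either delete the block or convert it with the rest: change each header to `symbol "<SYMBOL_NAME>" {` (placeholder for the value of that entry's `name =` line) and drop the `name =` line. The `group "hfilter"` section itself begins in the previous hunk.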