[![CircleCI](https://circleci.com/gh/vstakhov/rspamd/tree/master.svg?style=svg)](https://circleci.com/gh/vstakhov/rspamd/tree/master) ## Introduction [Rspamd](https://rspamd.com) is an advanced spam filtering system that allows evaluation of messages by a number of rules including regular expressions, statistical analysis and custom services such as URL black lists. Each message is analysed by Rspamd and given a `spam score`. According to this spam score and the user's settings Rspamd recommends an action for the MTA to apply to the message, for example, to pass, reject or add a header. Rspamd is designed to process hundreds of messages per second simultaneously and has a number of features available. You can watch the following [introduction video](https://www.youtube.com/watch?v=_fl9i-az_Q0) from the [FOSDEM-2016](http://fosdem.org) where I describe the main features of Rspamd and explain why Rspamd runs so fast. Rspamd is [packaged](https://rspamd.com/downloads.html) for the major Linux distributions and is also available via [FreeBSD ports](https://freshports.org/mail/rspamd) and NetBSD [pkgsrc](https://pkgsrc.org). ## Spam filtering features Rspamd distribution contains a number of mail processing features, including such techniques as: * **Regular expressions filtering** - allows basic processing of messages, their textual parts, MIME headers and SMTP data received by MTA against a set of expressions that includes both normal regular expressions and message processing functions. Rspamd expressions are the powerful tool that allows to filter messages based on some pre-defined rules. This feature is similar to regular expressions in SpamAssassin spam filter. * **SPF module** that allows to validate a message's sender against the policy defined in the DNS record of sender's domain. You can read about SPF policies [here](http://www.openspf.org/). A number of mail systems includes SPF support, such as `Gmail` or `Yahoo Mail`. * **DKIM module** validates a message cryptographic signature against a public key placed in the DNS record of sender's domain. Like SPF, this technique is widely spread and allows to validate that a message is sent from that specific domain. * **DNS black lists** allows to estimate reputation of sender's IP address or network. Rspamd uses a number of DNS lists including such lists as `SORBS` or `Spamhaus`. However, Rspamd doesn't trust any specific DNS list and use a conjunction of estimations instead that allows to avoid mistakes and false positives. Rspamd also uses positive and grey DNS lists for checking for trusted senders. * **URL black lists** are rather similar to DNS black lists but uses URLs in a message to make an estimation of sender's reputation. This technique is very useful for finding malicious or phished domains and filter such mail. * **Statistics** - Rspamd uses Bayesian classifier based on five-grams of input. This means that the input is estimated not based on individual words, but all input is organized in chains that are further estimated by Bayesian classifier. This approach allows to achieve better results than traditionally used monograms (or words literally speaking), that is described in details in the following [paper](http://osbf-lua.luaforge.net/papers/osbf-eddc.pdf). * **Fuzzy hashes** - for checking of malicious mail patterns Rspamd uses so called `fuzzy hashes`. Unlike normal hashes, these structures are targeted to hide small differences between text patterns allowing to find similar messages quickly. Rspamd has internal storage of such hashes and allows to block mass spam sendings quickly based on user's feedback that specifies messages reputation. Moreover, this allows to feed Rspamd with data from [`honeypots`](http://en.wikipedia.org/wiki/Honeypot_(computing)#Spam_versions) without polluting the statistical module. Rspamd uses the conjunction of different techniques to make the final decision about a message. This allows to improve the overall quality of filtering and reduce the number of false positives (e.g. when a innocent message is badly classified as a spam one). I have tried to simplify Rspamd usage by adding the following elements: * **Web interface** - Rspamd is shipped with the fully functional Ajax-based web interface that allows to observe Rspamd statistic, to configure rules, weights and lists, to scan and learn messages and to view the history of scans. The interface is self-hosted, requires zero configuration and follows the recent web applications standards. You don't need a web server or applications server to run WebUI - you just need to run Rspamd itself and a web browser. * **Integration with MTA** - Rspamd can work with the most popular mail transfer systems, such as Postfix, Exim or Sendmail. For Postfix and Sendmail, there is an [`Rmilter` project](https://github.com/vstakhov/rmilter), whilst for Exim there are several solutions to work with Rspamd. Should you require MTA integration then please consult with the [integration guide](https://rspamd.com/doc/integration.html). * **Extensive Lua API** - Rspamd ships with hundreds of [Lua functions](https://rspamd.com/doc/lua) that are available to write own rules for efficient and targeted spam filtering. * **Dynamic tables** - Rspamd allows to specify bulk lists as `dynamic maps` that are checked in runtime with updating data when they are changed. Rspamd supports file, HTTP and HTTPS maps. ## Performance Rspamd is designed to be fast. The core of Rspamd is written in `C` and uses an event-driven model that allows to process multiple messages simultaneously and without blocking. Moreover, a set of techniques is used in Rspamd to process messages faster: * **Finite state machines processing** - Rspamd uses specialized finite state machines for the performance critical tasks to process input faster than a set of regular expressions. Of course, it is possible to implement these machines by ordinary `Perl regular expressions` but then they won't be compact or human-readable. On the contrary, Rspamd optimizes such actions as headers processing, received elements extraction, protocol operations by building the concrete automata for an assigned task. * **Expressions optimizer** - allows to optimize expressions by execution of `likely false` or `likely true` expressions in order in the branches. That allows to reduce number of expensive expressions calls when scanning a message. * **Symbols optimizer** - Rspamd tries to check first the rules that are frequent or inexpensive in terms of time or CPU resources which allows to block spam before processing of expensive rules (rules with negative weights are always checked before other ones). * **Event driven model** - Rspamd is designed not to block anywhere in the code and knowing that a spam check requires a lot of network operations, Rspamd can process many messages simultaneously increasing the efficiency of shared DNS caches and other system resources. Moreover, event-driven system normally scales automatically and you won't need to do any tuning in the most of cases. * **Hyperscan regular expressions engine** - Rspamd utilizes [Hyperscan](https://01.org/hyperscan) engine to match multiple regular expressions at the same time. You can watch the following [presentation](https://highsecure.ru/rspamd-hyperscan.pdf) where the main benefits of Hyperscan are described. * **Clever choice of data structures** - Rspamd tries to use the optimal data structure for each task. For example, it uses very efficient suffix tries for fast matching of a text against a set of multiple patterns. Or it uses radix bit trie for storing IP addresses information that provides O(1) access time complexity. ## Extensions Besides its `C` core, Rspamd provides an extensive [Lua](http://lua.org) API to access almost all the features available directly from `C`. Lua is an extremely easy to learn programming language though it is powerful enough to implement complex mail filters. In fact Rspamd has a significant amount of code written completely in Lua such as DNS blacklists checks, user's settings or different maps implementation. You can also write your own filters and rules in Lua adopting Rspamd functionality to your needs. Furthermore, Lua programs are very fast and their performance is rather [close](http://attractivechaos.github.io/plb/) to pure `C`. However, you should mention that for the most of performance critical tasks you usually use the Rspamd core functionality than Lua code. Anyway, you can also use `LuaJIT` with Rspamd if your goal is maximum performance. From the Lua API you can do the following tasks: * **Reading the configuration parameters** - Lua code has the full access to the parsed configuration knobs and you can easily modify your plugins behaviour by means of the main Rspamd configuration. * **Registering custom filters** - it is more than simple to add your own filters to Rspamd: just add new index to the global variable `rspamd_config`: ~~~lua rspamd_config.MYFILTER = function(task) -- Do something end ~~~ * **Full access to the content of messages** - you can access text parts, headers, SMTP data and so on and so forth by using of `task` object. The full list of methods could be found [here](https://rspamd.com/doc/lua/task.html). * **Pre- and post- filters** - you can register callbacks that are called before or after messages processing to make results more precise or to make some early decision, for example, to implement a rate limit. * **Registering functions for Rspamd** - you can write your own functions in Lua to extend Rspamd internal expression functions. * **Managing statistics** - Lua scripts can define a set of statistical files to be scanned or learned for a specific message allowing to create more complex statistical systems, e.g. based on an input language. Moreover, you can even learn Rspamd statistic from Lua scripts. * **Standalone Lua applications** - you can even write your own worker based on Rspamd core and performing some asynchronous logic in Lua. Of course, you can use the all features from Rspamd core, including such features as non-blocking IO, HTTP client and server, non-blocking Redis client, asynchronous DNS, UCL configuration and so on and so forth. * **API documentation** - Rspamd Lua API has an [extensive documentation](https://rspamd.com/doc/lua) where you can find examples, references and the guide about how to extend Rspamd with Lua. ## References * Home site: * Development: rt/42930/stable26 Nextcloud server, a safe home for all your data: https://github.com/nextcloud/serverwww-data
aboutsummaryrefslogtreecommitdiffstats
blob: a139bd74cd8cad2cea1671567ef8bd952a6448bf (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409