# Composites setup # Please don't modify this file as your changes might be overwritten with # the next update. # # You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine # parameters defined on the top level # # You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add # parameters defined on the top level # # For specific modules or configuration you can also modify # '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults # '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults # # See https://rspamd.com/doc/tutorials/writing_rules.html for details composites { FORGED_RECIPIENTS_MAILLIST { expression = "FORGED_RECIPIENTS & -MAILLIST"; } FORGED_SENDER_MAILLIST { expression = "FORGED_SENDER & -MAILLIST"; } FORGED_SENDER_FORWARDING { expression = "FORGED_SENDER & g:forwarding"; policy = "remove_weight"; } SPF_FAIL_FORWARDING { expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)"; policy = "remove_weight"; } DMARC_POLICY_ALLOW_WITH_FAILURES { expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)"; policy = "remove_weight"; } FORGED_RECIPIENTS_FORWARDING { expression = "FORGED_RECIPIENTS & g:forwarding"; policy = "remove_weight"; } FORGED_SENDER_VERP_SRS { expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)"; } FORGED_MUA_MAILLIST { expression = "g:mua and -MAILLIST"; } RBL_SPAMHAUS_XBL_ANY { expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL"; } AUTH_NA { expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA"; score = 1.0; policy = "remove_weight"; } DKIM_MIXED { expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)" policy = "remove_weight"; } MAIL_RU_MAILER_BASE64 { expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)"; } YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS { expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS"; } MAILER_1C_8_BASE64 { expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)"; } HACKED_WP_PHISHING { expression = "HAS_X_POS & HAS_WP_URI & PHISHING"; policy = "leave"; } COMPROMISED_ACCT_BULK { expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK"; description = "Likely to be from a compromised account"; score = 3.0; policy = "leave"; } UNDISC_RCPTS_BULK { expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)"; description = "Missing or undisclosed recipients with a bulk signature"; score = 3.0; policy = "leave"; } RCVD_UNAUTH_PBL { expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH"; description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)"; score = 2.0; policy = "leave"; } RCVD_DKIM_ARC_DNSWL_MED { expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_MED"; description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL"; score = -0.5; policy = "leave"; } RCVD_DKIM_ARC_DNSWL_HI { expression = "(R_DKIM_ALLOW | ARC_ALLOW ) & RCVD_IN_DNSWL_HI"; description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL"; score = -2.0; policy = "leave"; } .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf" }