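# Metrics settings
#
# Scoring table for the "default" metric. Every symbol carries a weight; the
# weights of the symbols a message triggers add up to its score (modules may
# scale an individual contribution), and the score is compared against the
# action thresholds below. Positive weights push towards spam, negative
# weights towards ham, and 0.0 records the symbol without moving the score.
metric {
    name = "default";

    # Score thresholds. No single symbol in this table reaches "reject";
    # the heaviest ones (10.0) cross "add_header" on their own.
    actions {
        reject = 15;
        add_header = 6;
        greylist = 4;
    };

    # Header and MIME structure checks
    symbol { name = "MISSING_SUBJECT"; weight = 2.0; description = "Subject is missing inside message"; }
    symbol { name = "FORGED_OUTLOOK_TAGS"; weight = 2.100000; description = "Message pretends to be send from Outlook but has 'strange' tags "; }
    symbol { name = "FORGED_SENDER"; weight = 0.30; description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; }
    symbol { name = "SUSPICIOUS_RECIPS"; weight = 3.500000; description = "Recipients seems to be autogenerated (works if recipients count is more than 5)"; }
    symbol { name = "FAKE_REPLY_C"; weight = 6.0; description = "Fake reply (has RE in subject, but has not References header)"; }
    symbol { name = "MIME_HTML_ONLY"; weight = 1.0; description = "Messages that have only HTML part"; }
    symbol { name = "FORGED_MSGID_YAHOO"; weight = 2.0; description = "Forged yahoo msgid"; }
    symbol { name = "FORGED_MUA_THEBAT_BOUN"; weight = 2.0; description = "Forged The Bat! MUA headers"; }
    symbol { name = "R_MISSING_CHARSET"; weight = 5.0; description = "Charset is missing in a message"; }
    symbol { name = "RCVD_DOUBLE_IP_SPAM"; weight = 2.0; description = "Two received headers with ip addresses"; }
    symbol { name = "FORGED_OUTLOOK_HTML"; weight = 5.0; description = "Forged outlook HTML signature"; }
    symbol { name = "R_UNDISC_RCPT"; weight = 5.0; description = "Recipients are absent or undisclosed"; }
    symbol { name = "R_WHITE_ON_WHITE"; weight = 9.0; description = "White color on white background in HTML messages"; }
    symbol { name = "HTML_SHORT_LINK_IMG_2"; weight = 3.0; description = "Short html part with a link to an image"; }
    symbol { name = "FORGED_MUA_OUTLOOK"; weight = 3.0; description = "Forged outlook MUA"; }
    # NOTE(review): the *_MAILLIST variants and MAILLIST itself discount a
    # finding for list traffic. Presumably list detection is header-based, and
    # headers are sender-controlled; verify against the maillist module.
    symbol { name = "FORGED_MUA_OUTLOOK_MAILLIST"; weight = 0.0; description = "Forged outlook MUA, but from maillist"; }
    symbol { name = "SUSPICIOUS_BOUNDARY"; weight = 5.0; description = "Suspicious boundary in header Content-Type"; }
    symbol { name = "SUSPICIOUS_BOUNDARY2"; weight = 4.0; description = "Suspicious boundary in header Content-Type"; }
    symbol { name = "SUSPICIOUS_BOUNDARY3"; weight = 3.0; description = "Suspicious boundary in header Content-Type"; }
    symbol { name = "SUSPICIOUS_BOUNDARY4"; weight = 4.0; description = "Suspicious boundary in header Content-Type"; }

    # Mail client (MUA) claims that do not match the Message-ID format
    symbol { name = "FORGED_MUA_THEBAT_MSGID"; weight = 4.0; description = "Message pretends to be send from The Bat! but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_THEBAT_MSGID_UNKNOWN"; weight = 3.0; description = "Message pretends to be send from The Bat! but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_KMAIL_MSGID"; weight = 3.0; description = "Message pretends to be send from KMail but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_KMAIL_MSGID_UNKNOWN"; weight = 2.500000; description = "Message pretends to be send from KMail but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_OPERA_MSGID"; weight = 4.0; description = "Message pretends to be send from Opera Mail but has forged Message-ID"; }
    symbol { name = "SUSPICIOUS_OPERA_10W_MSGID"; weight = 4.0; description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail"; }
    symbol { name = "FORGED_MUA_MOZILLA_MAIL_MSGID"; weight = 4.0; description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN"; weight = 2.500000; description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_THUNDERBIRD_MSGID"; weight = 4.0; description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN"; weight = 2.500000; description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_SEAMONKEY_MSGID"; weight = 4.0; description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; }
    symbol { name = "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN"; weight = 2.500000; description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; }
    symbol { name = "FM_FAKE_HELO_VERIZON"; weight = 2.0; description = "Fake helo for verizon provider"; }
    symbol { name = "REPTO_QUOTE_YAHOO"; weight = 2.0; description = "Quoted reply-to from yahoo (seems to be forged)"; }
    symbol { name = "MISSING_MIMEOLE"; weight = 5.0; description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)"; }
    symbol { name = "MISSING_TO"; weight = 2.0; description = "To header is missing"; }

    # Needlessly encoded address headers
    symbol { name = "FROM_EXCESS_BASE64"; weight = 1.500000; description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit"; }
    symbol { name = "FROM_EXCESS_QP"; weight = 1.200000; description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; }
    symbol { name = "TO_EXCESS_BASE64"; weight = 1.500000; description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; }
    symbol { name = "TO_EXCESS_QP"; weight = 1.200000; description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; }
    symbol { name = "REPLYTO_EXCESS_BASE64"; weight = 1.500000; description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; }
    symbol { name = "REPLYTO_EXCESS_QP"; weight = 1.200000; description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; }
    symbol { name = "CC_EXCESS_BASE64"; weight = 1.500000; description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit"; }
    symbol { name = "CC_EXCESS_QP"; weight = 1.200000; description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; }

    symbol { name = "R_MIXED_CHARSET"; weight = 5.0; description = "Mixed characters in a message"; }
    symbol { name = "SORTED_RECIPS"; weight = 3.500000; description = "Recipients list seems to be sorted"; }
    symbol { name = "R_RCVD_SPAMBOTS"; weight = 3.0; description = "Spambots signatures in received headers"; }
    symbol { name = "R_TO_SEEMS_AUTO"; weight = 2.0; description = "To header seems to be autogenerated"; }
    symbol { name = "SUBJECT_NEEDS_ENCODING"; weight = 1.0; description = "Subject needs encoding"; }
    symbol { name = "TRACKER_ID"; weight = 3.840000; description = "Spam string at the end of message to make statistics faults 0"; }
    symbol { name = "R_NO_SPACE_IN_FROM"; weight = 1.0; description = "No space in from header"; }
    symbol { name = "R_SAJDING"; weight = 8.0; description = "Subject seems to be spam"; }
    symbol { name = "R_BAD_CTE_7BIT"; weight = 3.0; description = "Detects bad content-transfer-encoding for text parts"; }
    symbol { name = "R_FLASH_REDIR_IMGSHACK"; weight = 10.0; description = "Flash redirect on imageshack.us"; }
    symbol { name = "INVALID_MSGID"; weight = 5.0; description = "Message id is incorrect"; }
    symbol { name = "MISSING_MID"; weight = 3.0; description = "Message id is missing "; }
    symbol { name = "FORGED_RECIPIENTS"; weight = 1.0; description = "Recipients are not the same as RCPT TO: mail command"; }
    symbol { name = "FORGED_RECIPIENTS_MAILLIST"; weight = 0.0; description = "Recipients are not the same as RCPT TO: mail command, but from maillist"; }
    symbol { name = "RATWARE_MS_HASH"; weight = 2.0; description = "Forged Exchange messages "; }
    symbol { name = "STOX_REPLY_TYPE"; weight = 1.0; description = "Reply-type in content-type"; }
    symbol { name = "R_IP_PBL"; weight = 3.0; description = "IP in received headers is in PBL"; }
    symbol { name = "ONCE_RECEIVED"; weight = 1.0; description = "One received header in a message "; }
    symbol { name = "ONCE_RECEIVED_STRICT"; weight = 4.0; description = "One received header with 'bad' patterns inside"; }

    # DNS whitelist (dnswl.org). These lower the score: a "high trust" listing
    # (-5.0) offsets a strong content hit, so the discount is only as reliable
    # as the DNS lookup that produced it.
    symbol { name = "RCVD_IN_DNSWL"; weight = 0.0; description = "Sender listed at http://www.dnswl.org"; }
    symbol { name = "RCVD_IN_DNSWL_LOW"; weight = -0.1; description = "Sender listed at http://www.dnswl.org, low trust"; }
    symbol { name = "RCVD_IN_DNSWL_MED"; weight = -1.0; description = "Sender listed at http://www.dnswl.org, medium trust"; }
    symbol { name = "RCVD_IN_DNSWL_HI"; weight = -5.0; description = "Sender listed at http://www.dnswl.org, high trust"; }

    # Spamhaus zen
    symbol { name = "RBL_SPAMHAUS"; weight = 0.0; description = "From address is listed in zen"; }
    symbol { name = "RBL_SPAMHAUS_SBL"; weight = 2.0; description = "From address is listed in zen sbl"; }
    symbol { name = "RBL_SPAMHAUS_CSS"; weight = 2.0; description = "From address is listed in zen css"; }
    symbol { name = "RBL_SPAMHAUS_XBL"; weight = 4.0; description = "From address is listed in zen xbl"; }
    symbol { name = "RBL_SPAMHAUS_PBL"; weight = 2.0; description = "From address is listed in zen pbl"; }
    # Description names the sub-list the symbol is named after (xbl), so that
    # a hit is not misread as a PBL listing during triage.
    symbol { name = "RECEIVED_SPAMHAUS_XBL"; weight = 3.0; description = "Received address is listed in zen xbl"; }

    # Other sender blacklists
    symbol { name = "RBL_SENDERSCORE"; weight = 2.0; description = "From address is listed in senderscore.com BL"; }
    symbol { name = "RBL_MAILSPIKE"; weight = 2.0; description = "From address is listed in mailspike.com BL"; }

    # SORBS
    symbol { name = "RBL_SORBS"; weight = 1.0; description = "From address is listed in SORBS RBL"; }
    symbol { name = "RBL_SORBS_HTTP"; weight = 2.5; description = "List of Open HTTP Proxy Servers."; }
    symbol { name = "RBL_SORBS_SOCKS"; weight = 2.5; description = "List of Open SOCKS Proxy Servers."; }
    symbol { name = "RBL_SORBS_MISC"; weight = 1.0; description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists."; }
    symbol { name = "RBL_SORBS_SMTP"; weight = 3.0; description = "List of Open SMTP relay servers."; }
    symbol { name = "RBL_SORBS_RECENT"; weight = 1.5; description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; }
    symbol { name = "RBL_SORBS_WEB"; weight = 0.4; description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)"; }
    symbol { name = "RBL_SORBS_DUL"; weight = 2.0; description = "Dynamic IP Address ranges (NOT a Dial Up list!)"; }
    symbol { name = "RBL_SORBS_BLOCK"; weight = 1.0; description = "List of hosts demanding that they never be tested by SORBS."; }
    symbol { name = "RBL_SORBS_ZOMBIE"; weight = 1.0; description = "List of networks hijacked from their original owners, some of which have already used for spamming."; }

    # Spameatingmonkey
    symbol { name = "RBL_SEM_UNKNOWN"; weight = 0.0; description = "Address is listed in Spameatingmonkey RBL"; }
    symbol { name = "RBL_SEM"; weight = 1.0; description = "Address is listed in Spameatingmonkey RBL"; }

    # Content checks
    symbol { name = "R_PARTS_DIFFER"; weight = 3.0; description = "Text and HTML parts differ"; }
    symbol { name = "MIME_HEADER_CTYPE_ONLY"; weight = 2.0; description = "Only Content-Type header without other MIME headers"; }
    symbol { name = "R_EMPTY_IMAGE"; weight = 2.0; description = "Message contains empty parts and image "; }
    symbol { name = "DRUGS_MANYKINDS"; weight = 2.0; description = "Drugs patterns inside message"; }
    # The remaining DRUGS_* symbols have no description in this file.
    symbol { name = "DRUGS_ANXIETY"; weight = 2.0; description = ""; }
    symbol { name = "DRUGS_MUSCLE"; weight = 2.0; description = ""; }
    symbol { name = "DRUGS_ANXIETY_EREC"; weight = 2.0; description = ""; }
    symbol { name = "DRUGS_DIET"; weight = 2.0; description = ""; }
    symbol { name = "DRUGS_ERECTILE"; weight = 2.0; description = ""; }
    symbol { name = "ADVANCE_FEE_2"; weight = 3.300000; description = "2 'advance fee' patterns in a message"; }
    symbol { name = "ADVANCE_FEE_3"; weight = 2.120000; description = "3 'advance fee' patterns in a message"; }
    symbol { name = "R_LOTTO"; weight = 8.0; description = "Lotto signatures"; }

    # Statistical classifier
    symbol { name = "BAYES_SPAM"; weight = 3.0; description = "Message probably spam, probability: "; }
    symbol { name = "BAYES_HAM"; weight = -3.0; description = "Message probably ham, probability: "; }

    # Fuzzy hashes
    symbol { name = "FUZZY_UNKNOWN"; weight = 5.0; description = "Generic fuzzy hash match"; }
    symbol { name = "FUZZY_DENIED"; weight = 10.0; description = "Denied fuzzy hash"; }
    symbol { name = "FUZZY_PROB"; weight = 5.0; description = "Probable fuzzy hash"; }
    symbol { name = "FUZZY_WHITE"; weight = -2.1; description = "Whitelisted fuzzy hash"; }

    # SPF and DKIM
    # NOTE(review): a failure adds only 1.0 (R_SPF_FAIL, R_DKIM_REJECT) while a
    # pass subtracts 1.1 (R_SPF_ALLOW, R_DKIM_ALLOW). A pass shows that the
    # sending domain authorised the message, not that the domain is
    # trustworthy, so any sender who authenticates their own domain collects
    # -2.2. Confirm this balance is intended for the deployment.
    symbol { name = "R_SPF_FAIL"; weight = 1.0; description = "SPF verification failed"; }
    symbol { name = "R_SPF_SOFTFAIL"; weight = 0.0; description = "SPF verification soft-failed"; }
    symbol { name = "R_SPF_ALLOW"; weight = -1.1; description = "SPF verification alowed"; }
    symbol { name = "R_DKIM_REJECT"; weight = 1.0; description = "DKIM verification failed"; }
    symbol { name = "R_DKIM_TEMPFAIL"; weight = 0.0; description = "DKIM verification soft-failed"; }
    symbol { name = "R_DKIM_ALLOW"; weight = -1.1; description = "DKIM verification succeed"; }

    symbol { name = "MAILLIST"; weight = -1.0; description = "Message seems to be from maillist"; }

    # URL and e-mail address blacklists
    symbol { name = "PH_SURBL_MULTI"; weight = 5.500000; description = "Phishing and malware sites"; }
    symbol { name = "OB_SURBL_MULTI"; weight = 5.500000; description = "Outblaze URI Blacklist"; }
    symbol { name = "AB_SURBL_MULTI"; weight = 5.500000; description = "AbuseButler web sites"; }
    symbol { name = "SC_SURBL_MULTI"; weight = 5.500000; description = "SpamCop web sites"; }
    symbol { name = "JP_SURBL_MULTI"; weight = 5.500000; description = "jwSpamSpy + Prolocation sites"; }
    symbol { name = "WS_SURBL_MULTI"; weight = 5.500000; description = "sa-blacklist web sites "; }
    symbol { name = "RAMBLER_URIBL"; weight = 4.500000; description = "rambler.ru uribl"; }
    symbol { name = "SEM_URIBL_UNKNOWN"; weight = 0.0; description = "Spameatingmonkey uribl unknown"; }
    symbol { name = "SEM_URIBL"; weight = 3.5; description = "Spameatingmonkey uribl"; }
    symbol { name = "SEM_URIBL_FRESH15_UNKNOWN"; weight = 0.0; description = "Spameatingmonkey uribl unknown"; }
    symbol { name = "SEM_URIBL_FRESH15"; weight = 3.0; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; }
    symbol { name = "DBL"; weight = 5.500000; description = "DBL uribl"; }
    symbol { name = "URIBL_BLACK"; weight = 7.5; description = "uribl.com black url"; }
    symbol { name = "URIBL_RED"; weight = 3.5; description = "uribl.com red url"; }
    symbol { name = "URIBL_GREY"; weight = 1.5; description = "uribl.com grey url"; }
    symbol { name = "RAMBLER_EMAILBL"; weight = 9.500000; description = "rambler.ru emailbl"; }
    symbol { name = "PHISHING"; weight = 5.0; description = "Phished mail"; }

    # Header name/value delimiter anomalies
    symbol { name = "HEADER_FROM_DELIMITER_TAB"; weight = 1.0; description = "Header From begins with tab"; }
    symbol { name = "HEADER_TO_DELIMITER_TAB"; weight = 1.0; description = "Header To begins with tab"; }
    symbol { name = "HEADER_CC_DELIMITER_TAB"; weight = 1.0; description = "Header Cc begins with tab"; }
    symbol { name = "HEADER_REPLYTO_DELIMITER_TAB"; weight = 1.0; description = "Header Reply-To begins with tab"; }
    symbol { name = "HEADER_DATE_DELIMITER_TAB"; weight = 1.0; description = "Header Date begins with tab"; }
    symbol { name = "HEADER_FROM_EMPTY_DELIMITER"; weight = 1.0; description = "Header From has no delimiter between header name and header value"; }
    symbol { name = "HEADER_TO_EMPTY_DELIMITER"; weight = 1.0; description = "Header To has no delimiter between header name and header value"; }
    symbol { name = "HEADER_CC_EMPTY_DELIMITER"; weight = 1.0; description = "Header Cc has no delimiter between header name and header value"; }
    symbol { name = "HEADER_REPLYTO_EMPTY_DELIMITER"; weight = 1.0; description = "Header Reply-To has no delimiter between header name and header value"; }
    symbol { name = "HEADER_DATE_EMPTY_DELIMITER"; weight = 1.0; description = "Header Date has no delimiter between header name and header value"; }

    # Received header forgery and date checks
    symbol { name = "RCVD_ILLEGAL_CHARS"; weight = 4.0; description = "Header Received has raw illegal character"; }
    symbol { name = "FAKE_RECEIVED_mail_ru"; weight = 4.0; description = "Fake helo mail.ru in header Received from non mail.ru sender address"; }
    symbol { name = "FAKE_RECEIVED_smtp_yandex_ru"; weight = 4.0; description = "Fake smtp.yandex.ru Received"; }
    symbol { name = "FORGED_GENERIC_RECEIVED"; weight = 3.600000; description = "Forged generic Received"; }
    symbol { name = "FORGED_GENERIC_RECEIVED2"; weight = 3.600000; description = "Forged generic Received"; }
    symbol { name = "FORGED_GENERIC_RECEIVED3"; weight = 3.600000; description = "Forged generic Received"; }
    symbol { name = "FORGED_GENERIC_RECEIVED4"; weight = 3.600000; description = "Forged generic Received"; }
    symbol { name = "FORGED_GENERIC_RECEIVED5"; weight = 4.600000; description = "Forged generic Received"; }
    symbol { name = "INVALID_POSTFIX_RECEIVED"; weight = 3.0; description = "Invalid Postfix Received"; }
    symbol { name = "INVALID_EXIM_RECEIVED"; weight = 5.0; description = "Invalid Exim Received"; }
    symbol { name = "INVALID_EXIM_RECEIVED2"; weight = 3.0; description = "Invalid Exim Received"; }
    symbol { name = "DATE_IN_FUTURE"; weight = 4.0; description = "Message date is in future"; }
    symbol { name = "DATE_IN_PAST"; weight = 1.0; description = "Message date is in past"; }

    # hfilter symbols
    symbol { name = "HFILTER_HELO_1"; weight = 1.00; description = "Helo host checks (very low)"; }
    symbol { name = "HFILTER_HELO_2"; weight = 2.00; description = "Helo host checks (low)"; }
    symbol { name = "HFILTER_HELO_3"; weight = 3.00; description = "Helo host checks (medium)"; }
    symbol { name = "HFILTER_HELO_4"; weight = 3.50; description = "Helo host checks (hard)"; }
    symbol { name = "HFILTER_HELO_5"; weight = 4.00; description = "Helo host checks (very hard)"; }
    symbol { name = "HFILTER_HOSTNAME_1"; weight = 1.00; description = "Hostname checks (very low)"; }
    symbol { name = "HFILTER_HOSTNAME_2"; weight = 2.00; description = "Hostname checks (low)"; }
    symbol { name = "HFILTER_HOSTNAME_3"; weight = 3.00; description = "Hostname checks (medium)"; }
    symbol { name = "HFILTER_HOSTNAME_4"; weight = 3.50; description = "Hostname checks (hard)"; }
    symbol { name = "HFILTER_HOSTNAME_5"; weight = 4.00; description = "Hostname checks (very hard)"; }
    symbol { name = "HFILTER_HELO_NORESOLVE_MX"; weight = 1.50; description = "MX found in Helo and no resolve"; }
    symbol { name = "HFILTER_HELO_NORES_A_OR_MX"; weight = 2.00; description = "Helo no resolve to A or MX"; }
    symbol { name = "HFILTER_HELO_IP_A"; weight = 1.00; description = "Helo A IP != hostname IP"; }
    symbol { name = "HFILTER_HELO_NOT_FQDN"; weight = 3.00; description = "Helo not FQDN"; }
    symbol { name = "HFILTER_FROMHOST_NORESOLVE_MX"; weight = 1.50; description = "MX found in FROM host and no resolve"; }
    symbol { name = "HFILTER_FROMHOST_NORES_A_OR_MX"; weight = 3.50; description = "FROM host no resolve to A or MX"; }
    symbol { name = "HFILTER_FROMHOST_NOT_FQDN"; weight = 4.00; description = "FROM host not FQDN"; }
    symbol { name = "HFILTER_MID_NORESOLVE_MX"; weight = 0.50; description = "MX found in Message-id host and no resolve"; }
    symbol { name = "HFILTER_MID_NORES_A_OR_MX"; weight = 0.50; description = "Message-id host no resolve to A or MX"; }
    symbol { name = "HFILTER_MID_NOT_FQDN"; weight = 0.50; description = "Message-id host not FQDN"; }
    symbol { name = "HFILTER_HOSTNAME_UNKNOWN"; weight = 4.00; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; }
    symbol { name = "HFILTER_URL_ONLY"; weight = 3.50; description = "URL only in body"; }
    symbol { name = "HFILTER_URL_ONELINE"; weight = 2.20; description = "One line URL and text in body"; }
}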