# Metrics settings # Please don't modify this file as your changes might be overwritten with # the next update. # # You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine # parameters defined on the top level # # You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add # parameters defined on the top level # # For specific modules or configuration you can also modify # '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults # '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults # # See https://rspamd.com/doc/tutorials/writing_rules.html for details metric { name = "default"; # If this param is set to non-zero # then a metric would accept all symbols # unknown_weight = 1.0 actions { reject = 15; add_header = 6; greylist = 4; } group "excessqp" { max_score = 2.4; } group "excessb64" { max_score = 3.0; } group "header" { symbol "FORGED_SENDER" { weight = 0.30; description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; } symbol "R_MIXED_CHARSET" { weight = 5.0; description = "Mixed characters in a message"; one_shot = true; } symbol "R_MIXED_CHARSET_URL" { weight = 7.0; description = "Mixed characters in a URL inside message"; one_shot = true; } symbol "FORGED_RECIPIENTS" { weight = 2.0; description = "Recipients are not the same as RCPT TO: mail command"; } symbol "FORGED_RECIPIENTS_MAILLIST" { weight = 0.0; description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; } symbol "FORGED_SENDER_MAILLIST" { weight = 0.0; description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; } symbol "ONCE_RECEIVED" { weight = 0.1; description = "One received header in a message"; } symbol "RDNS_NONE" { weight = 1.0; description = "Cannot resolve reverse DNS for sender's IP"; } symbol "ONCE_RECEIVED_STRICT" { weight = 4.0; description = "One received header with 'bad' patterns inside"; } symbol "MAILLIST" { weight = -0.2; description = "Message seems to be from maillist"; } } group "subject" { max_score = 6.0; } group "mua" { symbol "FORGED_MUA_MAILLIST" { weight = 0.0; description = "Avoid false positives for FORGED_MUA_* in maillist"; } } group "rbl" { symbol "DNSWL_BLOCKED" { weight = 0.0; description = "Resolver blocked due to excessive queries"; } symbol "RCVD_IN_DNSWL" { weight = 0.0; description = "Unrecognised result from dnswl.org"; } symbol "RCVD_IN_DNSWL_NONE" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, low none"; } symbol "RCVD_IN_DNSWL_LOW" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, low trust"; } symbol "RCVD_IN_DNSWL_MED" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, medium trust"; } symbol "RCVD_IN_DNSWL_HI" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, high trust"; } symbol "RBL_SPAMHAUS" { weight = 0.0; description = "Unrecognised result from Spamhaus zen"; } symbol "RBL_SPAMHAUS_SBL" { weight = 2.0; description = "From address is listed in zen sbl"; } symbol "RBL_SPAMHAUS_CSS" { weight = 2.0; description = "From address is listed in zen css"; } symbol "RBL_SPAMHAUS_XBL" { weight = 4.0; description = "From address is listed in zen xbl"; } symbol "RBL_SPAMHAUS_XBL_ANY" { weight = 4.0; description = "From or receive address is listed in zen xbl (any list)"; } symbol "RBL_SPAMHAUS_PBL" { weight = 2.0; description = "From address is listed in zen pbl (ISP list)"; } symbol "RBL_SPAMHAUS_DROP" { weight = 7.0; description = "From address is listed in zen drop bl"; } symbol "RECEIVED_SPAMHAUS_XBL" { weight = 3.0; description = "Received address is listed in zen xbl"; one_shot = true; } symbol "RWL_SPAMHAUS_WL" { weight = 0.0; description = "Unrecognised result from Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_IND" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_TRANS" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_IND_EXP" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_TRANS_EXP" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RBL_SENDERSCORE" { weight = 2.0; description = "From address is listed in senderscore.com BL"; } symbol "RBL_ABUSECH" { weight = 1.0; description = "From address is listed in ABUSE.CH BL"; } symbol "RBL_UCEPROTECT_LEVEL1" { weight = 1.0; description = "From address is listed in UCEPROTECT LEVEL1 BL"; } symbol "MAILSPIKE" { weight = 0.0; description = "Unrecognised result from Mailspike"; } symbol "RWL_MAILSPIKE_NEUTRAL" { weight = 0.0; description = "Neutral result from Mailspike"; } symbol "RBL_MAILSPIKE_WORST" { weight = 2.0; description = "From address is listed in RBL - worst possible reputation"; } symbol "RBL_MAILSPIKE_VERYBAD" { weight = 1.5; description = "From address is listed in RBL - very bad reputation"; } symbol "RBL_MAILSPIKE_BAD" { weight = 1.0; description = "From address is listed in RBL - bad reputation"; } symbol "RWL_MAILSPIKE_POSSIBLE" { weight = 0.0; description = "From address is listed in RWL - possibly legit"; } symbol "RWL_MAILSPIKE_GOOD" { weight = 0.0; description = "From address is listed in RWL - good reputation"; } symbol "RWL_MAILSPIKE_VERYGOOD" { weight = 0.0; description = "From address is listed in RWL - very good reputation"; } symbol "RWL_MAILSPIKE_EXCELLENT" { weight = 0.0; description = "From address is listed in RWL - excellent reputation"; } symbol "RBL_SORBS" { weight = 0.0; description = "Unrecognised result from SORBS RBL"; } symbol "RBL_SORBS_HTTP" { weight = 2.5; description = "List of Open HTTP Proxy Servers."; } symbol "RBL_SORBS_SOCKS" { weight = 2.5; description = "List of Open SOCKS Proxy Servers."; } symbol "RBL_SORBS_MISC" { weight = 1.0; description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists."; } symbol "RBL_SORBS_SMTP" { weight = 3.0; description = "List of Open SMTP relay servers."; } symbol "RBL_SORBS_RECENT" { weight = 1.5; description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; } symbol "RBL_SORBS_WEB" { weight = 0.4; description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)"; } symbol "RBL_SORBS_DUL" { weight = 2.0; description = "Dynamic IP Address ranges (NOT a Dial Up list!)"; } symbol "RBL_SORBS_BLOCK" { weight = 1.0; description = "List of hosts demanding that they never be tested by SORBS."; } symbol "RBL_SORBS_ZOMBIE" { weight = 1.0; description = "List of networks hijacked from their original owners, some of which have already used for spamming."; } symbol "RBL_SEM" { weight = 1.0; description = "Address is listed in Spameatingmonkey RBL"; } symbol "RBL_SEM_IPV6" { weight = 1.0; description = "Address is listed in Spameatingmonkey RBL (ipv6)"; } } group "bayes" { symbol "BAYES_SPAM" { weight = 4.0; description = "Message probably spam, probability: "; } symbol "BAYES_HAM" { weight = -3.0; description = "Message probably ham, probability: "; } } group "fuzzy" { symbol "FUZZY_UNKNOWN" { weight = 5.0; description = "Generic fuzzy hash match"; } symbol "FUZZY_DENIED" { weight = 12.0; description = "Denied fuzzy hash"; } symbol "FUZZY_PROB" { weight = 5.0; description = "Probable fuzzy hash"; } symbol "FUZZY_WHITE" { weight = -2.1; description = "Whitelisted fuzzy hash"; } } group "spf" { symbol "R_SPF_FAIL" { weight = 1.0; description = "SPF verification failed"; } symbol "R_SPF_SOFTFAIL" { weight = 0.0; description = "SPF verification soft-failed"; } symbol "R_SPF_NEUTRAL" { weight = 0.0; description = "SPF policy is neutral"; } symbol "R_SPF_ALLOW" { weight = -0.2; description = "SPF verification allows sending"; } symbol "R_SPF_DNSFAIL" { weight = 0.0; description = "SPF DNS failure"; } } group "dkim" { symbol "R_DKIM_REJECT" { weight = 1.0; description = "DKIM verification failed"; one_shot = true; } symbol "R_DKIM_TEMPFAIL" { weight = 0.0; description = "DKIM verification soft-failed"; } symbol "R_DKIM_ALLOW" { weight = -0.2; description = "DKIM verification succeed"; one_shot = true; } } group "surbl" { symbol "SURBL_BLOCKED" { weight = 0.0; description = "SURBL: blocked by policy/overusage"; } symbol "PH_SURBL_MULTI" { weight = 5.5; description = "SURBL: Phishing sites"; } symbol "MW_SURBL_MULTI" { weight = 5.5; description = "SURBL: Malware sites"; } symbol "ABUSE_SURBL" { weight = 5.5; description = "SURBL: ABUSE"; } symbol "CRACKED_SURBL" { weight = 4.0; description = "SURBL: cracked site"; } symbol "RAMBLER_URIBL" { weight = 4.5; description = "rambler.ru uribl"; } symbol "SEM_URIBL_UNKNOWN" { weight = 0.0; description = "Spameatingmonkey uribl: unknown result"; } symbol "SEM_URIBL" { weight = 3.5; description = "Spameatingmonkey uribl"; } symbol "SEM_URIBL_FRESH15_UNKNOWN" { weight = 0.0; description = "Spameatingmonkey Fresh15 uribl: unknown result"; } symbol "SEM_URIBL_FRESH15" { weight = 3.0; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; } symbol "DBL" { weight = 0.0; description = "DBL unknown result"; } symbol "DBL_SPAM" { weight = 6.5; description = "DBL uribl spam"; } symbol "DBL_PHISH" { weight = 6.5; description = "DBL uribl phishing"; } symbol "DBL_MALWARE" { weight = 6.5; description = "DBL uribl malware"; } symbol "DBL_BOTNET" { weight = 5.5; description = "DBL uribl botnet C&C domain"; } symbol "DBL_ABUSE" { weight = 6.5; description = "DBL uribl abused legit spam"; } symbol "DBL_ABUSE_REDIR" { weight = 1.5; description = "DBL uribl abused spammed redirector domain"; } symbol "DBL_ABUSE_PHISH" { weight = 7.5; description = "DBL uribl abused legit phish"; } symbol "DBL_ABUSE_MALWARE" { weight = 7.5; description = "DBL uribl abused legit malware"; } symbol "DBL_ABUSE_BOTNET" { weight = 5.5; description = "DBL uribl abused legit botnet C&C"; } symbol "DBL_PROHIBIT" { weight = 0.00000; description = "DBL uribl IP queries prohibited!"; } symbol "URIBL_MULTI" { weight = 0.0; description = "uribl.com: unrecognised result"; } symbol "URIBL_BLOCKED" { weight = 0.0; description = "uribl.com: query refused"; } symbol "URIBL_BLACK" { weight = 7.5; description = "uribl.com black url"; } symbol "URIBL_RED" { weight = 3.5; description = "uribl.com red url"; } symbol "URIBL_GREY" { weight = 1.5; description = "uribl.com grey url"; one_shot = true; } symbol "RAMBLER_EMAILBL" { weight = 9.5; description = "rambler.ru emailbl"; one_shot = true; } symbol "SBL_URIBL" { weight = 0.0; description = "SBL URIBL: Filtered result"; } symbol "URIBL_SBL" { weight = 6.5; description = "Spamhaus SBL URIBL"; } symbol "URIBL_SBL_CSS" { weight = 6.5; description = "Spamhaus SBL CSS URIBL"; } symbol "RBL_SARBL_BAD" { weight = 2.5; description = "A domain listed in the mail is blacklisted in SARBL"; } } group "phishing" { symbol "PHISHING" { weight = 4.0; description = "Phished URL"; one_shot = true; } symbol "PHISHED_OPENPHISH" { weight = 7.0; description = "Phished URL found in openphish.com"; } symbol "PHISHED_PHISHTANK" { weight = 7.0; description = "Phished URL found in phishtank.com"; } } group "hfilter" { symbol "HFILTER_HELO_BAREIP" { weight = 3.00; description = "Helo host is bare ip"; } symbol "HFILTER_HELO_BADIP" { weight = 4.50; description = "Helo host is very bad ip"; } symbol "HFILTER_HELO_1" { weight = 0.5; description = "Helo host checks (very low)"; } symbol "HFILTER_HELO_2" { weight = 1.00; description = "Helo host checks (low)"; } symbol "HFILTER_HELO_3" { weight = 2.00; description = "Helo host checks (medium)"; } symbol "HFILTER_HELO_4" { weight = 2.50; description = "Helo host checks (hard)"; } symbol "HFILTER_HELO_5" { weight = 3.00; description = "Helo host checks (very hard)"; } symbol "HFILTER_HOSTNAME_1" { weight = 0.5; description = "Hostname checks (very low)"; } symbol "HFILTER_HOSTNAME_2" { weight = 1.00; description = "Hostname checks (low)"; } symbol "HFILTER_HOSTNAME_3" { weight = 2.00; description = "Hostname checks (medium)"; } symbol "HFILTER_HOSTNAME_4" { weight = 2.50; description = "Hostname checks (hard)"; } symbol "HFILTER_HOSTNAME_5" { weight = 3.00; description = "Hostname checks (very hard)"; } symbol "HFILTER_HELO_NORESOLVE_MX" { weight = 0.20; description = "MX found in Helo and no resolve"; } symbol "HFILTER_HELO_NORES_A_OR_MX" { weight = 0.3; description = "Helo no resolve to A or MX"; } symbol "HFILTER_HELO_IP_A" { weight = 1.00; description = "Helo A IP != hostname IP"; } symbol "HFILTER_HELO_NOT_FQDN" { weight = 2.00; description = "Helo not FQDN"; } symbol "HFILTER_FROMHOST_NORESOLVE_MX" { weight = 0.5; description = "MX found in FROM host and no resolve"; } symbol "HFILTER_FROMHOST_NORES_A_OR_MX" { weight = 1.50; description = "FROM host no resolve to A or MX"; } symbol "HFILTER_FROMHOST_NOT_FQDN" { weight = 3.00; description = "FROM host not FQDN"; } symbol "HFILTER_FROM_BOUNCE" { weight = 0.00; description = "Bounce message"; } /* symbol { weight = 0.50; name = "HFILTER_MID_NORESOLVE_MX"; description = "MX found in Message-id host and no resolve"; } symbol { weight = 0.50; name = "HFILTER_MID_NORES_A_OR_MX"; description = "Message-id host no resolve to A or MX"; } symbol { weight = 0.50; name = "HFILTER_MID_NOT_FQDN"; description = "Message-id host not FQDN"; } */ symbol "HFILTER_HOSTNAME_UNKNOWN" { weight = 2.50; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; } symbol "HFILTER_RCPT_BOUNCEMOREONE" { weight = 1.50; description = "Message from bounce and over 1 recepient"; } symbol "HFILTER_URL_ONLY" { weight = 2.20; description = "URL only in body"; } symbol "HFILTER_URL_ONELINE" { weight = 2.50; description = "One line URL and text in body"; } } group "dmarc" { symbol "DMARC_POLICY_ALLOW" { weight = -0.5; description = "DMARC permit policy"; } symbol "DMARC_POLICY_ALLOW_WITH_FAILURES" { weight = -0.5; description = "DMARC permit policy with DKIM/SPF failure"; } symbol "DMARC_POLICY_REJECT" { weight = 2.0; description = "DMARC reject policy"; } symbol "DMARC_POLICY_QUARANTINE" { weight = 1.5; description = "DMARC quarantine policy"; } symbol "DMARC_POLICY_SOFTFAIL" { weight = 0.1; description = "DMARC failed"; } } group "mime_types" { symbol "MIME_GOOD" { weight = -0.1; description = "Known content-type"; one_shot = true; } symbol "MIME_BAD" { weight = 1.0; description = "Known bad content-type"; one_shot = true; } symbol "MIME_UNKNOWN" { weight = 0.1; description = "Missing or unknown content-type"; one_shot = true; } symbol "MIME_BAD_ATTACHMENT" { weight = 4.0; description = "Invalid attachement mime type"; one_shot = true; } symbol "MIME_ENCRYPTED_ARCHIVE" { weight = 2.0; description = "Encrypted archive in a message"; one_shot = true; } symbol "MIME_ARCHIVE_IN_ARCHIVE" { weight = 5.0; description = "Archive within another archive"; one_shot = true; } symbol "MIME_DOUBLE_BAD_EXTENSION" { weight = 3.0; # This rule has dynamic weight up to 4.0 description = "Bad extension cloaking"; one_shot = true; } symbol "MIME_BAD_EXTENSION" { weight = 2.0; # This rule has dynamic weight up to 4.0 description = "Bad extension"; one_shot = true; } } .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" }