# Metrics settings # Please don't modify this file as your changes might be overwritten with # the next update. # # You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine # parameters defined on the top level # # You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add # parameters defined on the top level # # For specific modules or configuration you can also modify # '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults # '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults # # See https://rspamd.com/doc/tutorials/writing_rules.html for details metric { name = "default"; # If this param is set to non-zero # then a metric would accept all symbols # unknown_weight = 1.0 actions { reject = 15; add_header = 6; greylist = 4; } group "header" { symbol "MISSING_SUBJECT" { weight = 2.0; description = "Subject is missing inside message"; } symbol "FORGED_OUTLOOK_TAGS" { weight = 2.100000; description = "Message pretends to be send from Outlook but has 'strange' tags "; } symbol "FORGED_SENDER" { weight = 0.30; description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; } symbol "SUSPICIOUS_RECIPS" { weight = 1.500000; description = "Recipients seems to be autogenerated (works if recipients count is more than 5)"; } symbol "MIME_HTML_ONLY" { weight = 1.0; description = "Messages that have only HTML part"; } symbol "FORGED_MSGID_YAHOO" { weight = 2.0; description = "Forged yahoo msgid"; } symbol "FORGED_MUA_THEBAT_BOUN" { weight = 2.0; description = "Forged The Bat! MUA headers"; } symbol "R_MISSING_CHARSET" { weight = 5.0; description = "Charset is missing in a message"; } symbol "RCVD_DOUBLE_IP_SPAM" { weight = 2.0; description = "Two received headers with ip addresses"; } symbol "FORGED_OUTLOOK_HTML" { weight = 5.0; description = "Forged outlook HTML signature"; } symbol "R_UNDISC_RCPT" { weight = 5.0; description = "Recipients are absent or undisclosed"; } symbol "FM_FAKE_HELO_VERIZON" { weight = 2.0; description = "Fake helo for verizon provider"; } symbol "REPTO_QUOTE_YAHOO" { weight = 2.0; description = "Quoted reply-to from yahoo (seems to be forged)"; } symbol "MISSING_MIMEOLE" { weight = 5.0; description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)"; } symbol "MISSING_TO" { weight = 2.0; description = "To header is missing"; } symbol "FROM_EXCESS_BASE64" { weight = 1.5; description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit"; } symbol "FROM_EXCESS_QP" { weight = 1.2; description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; } symbol "TO_EXCESS_BASE64" { weight = 1.5; description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; } symbol "TO_EXCESS_QP" { weight = 1.2; description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; } symbol "REPLYTO_EXCESS_BASE64" { weight = 1.5; description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit"; } symbol "REPLYTO_EXCESS_QP" { weight = 1.2; description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; } symbol "CC_EXCESS_BASE64" { weight = 1.5; description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit"; } symbol "CC_EXCESS_QP" { weight = 1.2; description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit"; } symbol "R_MIXED_CHARSET" { weight = 5.0; description = "Mixed characters in a message"; } symbol "SORTED_RECIPS" { weight = 3.500000; description = "Recipients list seems to be sorted"; } symbol "R_RCVD_SPAMBOTS" { weight = 3.0; description = "Spambots signatures in received headers"; } symbol "SUBJECT_NEEDS_ENCODING" { weight = 1.0; description = "Subject needs encoding"; } symbol "TRACKER_ID" { weight = 3.84; description = "Spam string at the end of message to make statistics faults 0"; } symbol "R_NO_SPACE_IN_FROM" { weight = 1.0; description = "No space in from header"; } symbol "R_SAJDING" { weight = 8.0; description = "Subject seems to be spam"; } symbol "R_BAD_CTE_7BIT" { weight = 3.0; description = "Detects bad content-transfer-encoding for text parts"; } symbol "R_FLASH_REDIR_IMGSHACK" { weight = 10.0; description = "Flash redirect on imageshack.us"; } symbol "INVALID_MSGID" { weight = 1.7; description = "Message id is incorrect"; } symbol "MISSING_MID" { weight = 2.5; description = "Message id is missing "; } symbol "FORGED_RECIPIENTS" { weight = 2.0; description = "Recipients are not the same as RCPT TO: mail command"; } symbol "FORGED_RECIPIENTS_MAILLIST" { weight = 0.0; description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; } symbol "FORGED_SENDER_MAILLIST" { weight = 0.0; description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; } symbol "RATWARE_MS_HASH" { weight = 2.0; description = "Forged Exchange messages"; } symbol "STOX_REPLY_TYPE" { weight = 1.0; description = "Reply-type in content-type"; } symbol "ONCE_RECEIVED" { weight = 0.1; description = "One received header in a message"; } symbol "RDNS_NONE" { weight = 1.0; description = "Cannot resolve reverse DNS for sender's IP"; } symbol "ONCE_RECEIVED_STRICT" { weight = 4.0; description = "One received header with 'bad' patterns inside"; } symbol "MIME_HEADER_CTYPE_ONLY" { weight = 2.0; description = "Only Content-Type header without other MIME headers"; } symbol "MAILLIST" { weight = -0.2; description = "Message seems to be from maillist"; } symbol "HEADER_FROM_DELIMITER_TAB" { weight = 1.0; description = "Header From begins with tab"; } symbol "HEADER_TO_DELIMITER_TAB" { weight = 1.0; description = "Header To begins with tab"; } symbol "HEADER_CC_DELIMITER_TAB" { weight = 1.0; description = "Header Cc begins with tab"; } symbol "HEADER_REPLYTO_DELIMITER_TAB" { weight = 1.0; description = "Header Reply-To begins with tab"; } symbol "HEADER_DATE_DELIMITER_TAB" { weight = 1.0; description = "Header Date begins with tab"; } symbol "HEADER_FROM_EMPTY_DELIMITER" { weight = 1.0; description = "Header From has no delimiter between header name and header value"; } symbol "HEADER_TO_EMPTY_DELIMITER" { weight = 1.0; description = "Header To has no delimiter between header name and header value"; } symbol "HEADER_CC_EMPTY_DELIMITER" { weight = 1.0; description = "Header Cc has no delimiter between header name and header value"; } symbol "HEADER_REPLYTO_EMPTY_DELIMITER" { weight = 1.0; description = "Header Reply-To has no delimiter between header name and header value"; } symbol "HEADER_DATE_EMPTY_DELIMITER" { weight = 1.0; description = "Header Date has no delimiter between header name and header value"; } symbol "RCVD_ILLEGAL_CHARS" { weight = 4.0; description = "Header Received has raw illegal character"; } symbol "FAKE_RECEIVED_mail_ru" { weight = 4.0; description = "Fake helo mail.ru in header Received from non mail.ru sender address"; } symbol "FAKE_RECEIVED_smtp_yandex_ru" { weight = 4.0; description = "Fake smtp.yandex.ru Received"; } symbol "FORGED_GENERIC_RECEIVED" { weight = 3.6; description = "Forged generic Received"; } symbol "FORGED_GENERIC_RECEIVED2" { weight = 3.6; description = "Forged generic Received"; } symbol "FORGED_GENERIC_RECEIVED3" { weight = 3.6; description = "Forged generic Received"; } symbol "FORGED_GENERIC_RECEIVED4" { weight = 3.6; description = "Forged generic Received"; } symbol "FORGED_GENERIC_RECEIVED5" { weight = 4.6; description = "Forged generic Received"; } symbol "INVALID_POSTFIX_RECEIVED" { weight = 3.0; description = "Invalid Postfix Received"; } } group "subject" { max_score = 6.0; symbol "FAKE_REPLY_C" { weight = 6.0; description = "Fake reply (has RE in subject, but has not References header)"; } symbol "LONG_SUBJ" { weight = 6.0; description = "Subject is too long"; } symbol "SUBJ_ALL_CAPS" { weight = 3.0; description = "No lower case letters in subject"; } } group "mua" { symbol "FORGED_MUA_THEBAT_MSGID" { weight = 4.0; description = "Message pretends to be send from The Bat! but has forged Message-ID"; } symbol "FORGED_MUA_THEBAT_MSGID_UNKNOWN" { weight = 3.0; description = "Message pretends to be send from The Bat! but has forged Message-ID"; } symbol "FORGED_MUA_KMAIL_MSGID" { weight = 3.0; description = "Message pretends to be send from KMail but has forged Message-ID"; } symbol "FORGED_MUA_KMAIL_MSGID_UNKNOWN" { weight = 2.5; description = "Message pretends to be send from KMail but has forged Message-ID"; } symbol "FORGED_MUA_OPERA_MSGID" { weight = 4.0; description = "Message pretends to be send from Opera Mail but has forged Message-ID"; } symbol "SUSPICIOUS_OPERA_10W_MSGID" { weight = 4.0; description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail"; } symbol "FORGED_MUA_MOZILLA_MAIL_MSGID" { weight = 4.0; description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; } symbol "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN" { weight = 2.5; description = "Message pretends to be send from Mozilla Mail but has forged Message-ID"; } symbol "FORGED_MUA_THUNDERBIRD_MSGID" { weight = 4.0; description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; } symbol "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN" { weight = 2.5; description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID"; } symbol "FORGED_MUA_SEAMONKEY_MSGID" { weight = 4.0; description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; } symbol "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN" { weight = 2.5; description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID"; } symbol "FORGED_MUA_OUTLOOK" { weight = 3.0; description = "Forged outlook MUA"; } symbol "FORGED_MUA_MAILLIST" { weight = 0.0; description = "Avoid false positives for FORGED_MUA_* in maillist"; } } group "body" { symbol "R_WHITE_ON_WHITE" { weight = 9.0; description = "White color on white background in HTML messages"; } symbol "HTML_SHORT_LINK_IMG_1" { weight = 3.0; description = "Short html part with a link to an image"; } symbol "HTML_SHORT_LINK_IMG_2" { weight = 1.0; description = "Short html part with a link to an image"; } symbol "HTML_SHORT_LINK_IMG_3" { weight = 0.5; description = "Short html part with a link to an image"; } symbol "SUSPICIOUS_BOUNDARY" { weight = 5.0; description = "Suspicious boundary in header Content-Type"; } symbol "SUSPICIOUS_BOUNDARY2" { weight = 4.0; description = "Suspicious boundary in header Content-Type"; } symbol "SUSPICIOUS_BOUNDARY3" { weight = 3.0; description = "Suspicious boundary in header Content-Type"; } symbol "SUSPICIOUS_BOUNDARY4" { weight = 4.0; description = "Suspicious boundary in header Content-Type"; } symbol "R_PARTS_DIFFER" { weight = 1.0; description = "Text and HTML parts differ"; } symbol "R_EMPTY_IMAGE" { weight = 2.0; description = "Message contains empty parts and image"; } symbol "DRUGS_MANYKINDS" { weight = 2.0; description = "Drugs patterns inside message"; } symbol "DRUGS_ANXIETY" { weight = 2.0; description = ""; } symbol "DRUGS_MUSCLE" { weight = 2.0; description = ""; } symbol "DRUGS_ANXIETY_EREC" { weight = 2.0; description = ""; } symbol "DRUGS_DIET" { weight = 2.0; description = ""; } symbol "DRUGS_ERECTILE" { weight = 2.0; description = ""; } symbol "ADVANCE_FEE_2" { weight = 3.300000; description = "2 'advance fee' patterns in a message"; } symbol "ADVANCE_FEE_3" { weight = 2.120000; description = "3 'advance fee' patterns in a message"; } symbol "R_LOTTO" { weight = 8.0; description = "Lotto signatures"; } } group "rbl" { symbol "DNSWL_BLOCKED" { weight = 0.0; description = "Resolver blocked due to excessive queries"; } symbol "RCVD_IN_DNSWL" { weight = 0.0; description = "Unrecognised result from dnswl.org"; } symbol "RCVD_IN_DNSWL_NONE" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, low none"; } symbol "RCVD_IN_DNSWL_LOW" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, low trust"; } symbol "RCVD_IN_DNSWL_MED" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, medium trust"; } symbol "RCVD_IN_DNSWL_HI" { weight = 0.0; description = "Sender listed at http://www.dnswl.org, high trust"; } symbol "RBL_SPAMHAUS" { weight = 0.0; description = "Unrecognised result from Spamhaus zen"; } symbol "RBL_SPAMHAUS_SBL" { weight = 2.0; description = "From address is listed in zen sbl"; } symbol "RBL_SPAMHAUS_CSS" { weight = 2.0; description = "From address is listed in zen css"; } symbol "RBL_SPAMHAUS_XBL" { weight = 4.0; description = "From address is listed in zen xbl"; } symbol "RBL_SPAMHAUS_XBL1" { weight = 4.0; description = "From address is listed in zen xbl (obsoleted/reserved)"; } symbol "RBL_SPAMHAUS_XBL2" { weight = 4.0; description = "From address is listed in zen xbl (obsoleted/reserved)"; } symbol "RBL_SPAMHAUS_XBL3" { weight = 4.0; description = "From address is listed in zen xbl (reserved)"; } symbol "RBL_SPAMHAUS_XBL_ANY" { weight = 4.0; description = "From or receive address is listed in zen xbl (any list)"; } symbol "RBL_SPAMHAUS_PBL" { weight = 2.0; description = "From address is listed in zen pbl (ISP list)"; } symbol "RBL_SPAMHAUS_PBL1" { weight = 2.0; description = "From address is listed in zen pbl (Spamhaus list)"; } symbol "RECEIVED_SPAMHAUS_XBL" { weight = 3.0; description = "Received address is listed in zen xbl"; one_shot = true; } symbol "RWL_SPAMHAUS_WL" { weight = 0.0; description = "Unrecognised result from Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_IND" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_TRANS" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_IND_EXP" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RWL_SPAMHAUS_WL_TRANS_EXP" { weight = 0.0; description = "Sender listed at Spamhaus whitelist"; } symbol "RBL_SENDERSCORE" { weight = 2.0; description = "From address is listed in senderscore.com BL"; } symbol "RBL_ABUSECH" { weight = 1.0; description = "From address is listed in ABUSE.CH BL"; } symbol "RBL_UCEPROTECT_LEVEL1" { weight = 1.0; description = "From address is listed in UCEPROTECT LEVEL1 BL"; } symbol "RBL_MAILSPIKE" { weight = 0.0; description = "Unrecognised result from Mailspike blacklist"; } symbol "RWL_MAILSPIKE" { weight = 0.0; description = "Unrecognised result from Mailspike whitelist"; } symbol "RBL_MAILSPIKE_ZOMBIE" { weight = 2.0; description = "From address is listed in RBL"; } symbol "RBL_MAILSPIKE_WORST" { weight = 2.0; description = "From address is listed in RBL"; } symbol "RBL_MAILSPIKE_VERYBAD" { weight = 1.5; description = "From address is listed in RBL"; } symbol "RBL_MAILSPIKE_BAD" { weight = 1.0; description = "From address is listed in RBL"; } symbol "RWL_MAILSPIKE_POSSIBLE" { weight = 0.0; description = "From address is listed in RWL"; } symbol "RWL_MAILSPIKE_GOOD" { weight = 0.0; description = "From address is listed in RWL"; } symbol "RWL_MAILSPIKE_VERYGOOD" { weight = 0.0; description = "From address is listed in RWL"; } symbol "RWL_MAILSPIKE_EXCELLENT" { weight = 0.0; description = "From address is listed in RWL"; } symbol "RBL_SORBS" { weight = 0.0; description = "Unrecognised result from SORBS RBL"; } symbol "RBL_SORBS_HTTP" { weight = 2.5; description = "List of Open HTTP Proxy Servers."; } symbol "RBL_SORBS_SOCKS" { weight = 2.5; description = "List of Open SOCKS Proxy Servers."; } symbol "RBL_SORBS_MISC" { weight = 1.0; description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists."; } symbol "RBL_SORBS_SMTP" { weight = 3.0; description = "List of Open SMTP relay servers."; } symbol "RBL_SORBS_RECENT" { weight = 1.5; description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; } symbol "RBL_SORBS_WEB" { weight = 0.4; description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)"; } symbol "RBL_SORBS_DUL" { weight = 2.0; description = "Dynamic IP Address ranges (NOT a Dial Up list!)"; } symbol "RBL_SORBS_BLOCK" { weight = 1.0; description = "List of hosts demanding that they never be tested by SORBS."; } symbol "RBL_SORBS_ZOMBIE" { weight = 1.0; description = "List of networks hijacked from their original owners, some of which have already used for spamming."; } symbol "RBL_SEM" { weight = 1.0; description = "Address is listed in Spameatingmonkey RBL"; } symbol "RBL_SEM_IPV6" { weight = 1.0; description = "Address is listed in Spameatingmonkey RBL (ipv6)"; } } group "bayes" { symbol "BAYES_SPAM" { weight = 4.0; description = "Message probably spam, probability: "; } symbol "BAYES_HAM" { weight = -3.0; description = "Message probably ham, probability: "; } } group "fuzzy" { symbol "FUZZY_UNKNOWN" { weight = 5.0; description = "Generic fuzzy hash match"; } symbol "FUZZY_DENIED" { weight = 12.0; description = "Denied fuzzy hash"; } symbol "FUZZY_PROB" { weight = 5.0; description = "Probable fuzzy hash"; } symbol "FUZZY_WHITE" { weight = -2.1; description = "Whitelisted fuzzy hash"; } } group "spf" { symbol "R_SPF_FAIL" { weight = 1.0; description = "SPF verification failed"; } symbol "R_SPF_SOFTFAIL" { weight = 0.0; description = "SPF verification soft-failed"; } symbol "R_SPF_NEUTRAL" { weight = 0.0; description = "SPF policy is neutral"; } symbol "R_SPF_ALLOW" { weight = -1.5; description = "SPF verification alowed"; } } group "dkim" { symbol "R_DKIM_REJECT" { weight = 1.0; description = "DKIM verification failed"; } symbol "R_DKIM_TEMPFAIL" { weight = 0.0; description = "DKIM verification soft-failed"; } symbol "R_DKIM_ALLOW" { weight = -1.1; description = "DKIM verification succeed"; one_shot = true; } } group "surbl" { symbol "SURBL_BLOCKED" { weight = 0.0; description = "SURBL: blocked by policy/overusage"; } symbol "PH_SURBL_MULTI" { weight = 5.5; description = "SURBL: Phishing sites"; } symbol "MW_SURBL_MULTI" { weight = 5.5; description = "SURBL: Malware sites"; } symbol "ABUSE_SURBL" { weight = 5.5; description = "SURBL: ABUSE"; } symbol "CRACKED_SURBL" { weight = 4.0; description = "SURBL: cracked site"; } symbol "WS_SURBL_MULTI" { weight = 5.5; description = "SURBL: sa-blacklist web sites "; } symbol "RAMBLER_URIBL" { weight = 4.5; description = "rambler.ru uribl"; } symbol "SEM_URIBL_UNKNOWN" { weight = 0.0; description = "Spameatingmonkey uribl: unknown result"; } symbol "SEM_URIBL" { weight = 3.5; description = "Spameatingmonkey uribl"; } symbol "SEM_URIBL_FRESH15_UNKNOWN" { weight = 0.0; description = "Spameatingmonkey Fresh15 uribl: unknown result"; } symbol "SEM_URIBL_FRESH15" { weight = 3.0; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; } symbol "DBL" { weight = 0.0; description = "DBL unknown result"; } symbol "DBL_SPAM" { weight = 6.5; description = "DBL uribl spam"; } symbol "DBL_PHISH" { weight = 6.5; description = "DBL uribl phishing"; } symbol "DBL_MALWARE" { weight = 6.5; description = "DBL uribl malware"; } symbol "DBL_BOTNET" { weight = 5.5; description = "DBL uribl botnet C&C domain"; } symbol "DBL_ABUSE" { weight = 6.5; description = "DBL uribl abused legit spam"; } symbol "DBL_ABUSE_REDIR" { weight = 1.5; description = "DBL uribl abused spammed redirector domain"; } symbol "DBL_ABUSE_PHISH" { weight = 7.5; description = "DBL uribl abused legit phish"; } symbol "DBL_ABUSE_MALWARE" { weight = 7.5; description = "DBL uribl abused legit malware"; } symbol "DBL_ABUSE_BOTNET" { weight = 5.5; description = "DBL uribl abused legit botnet C&C"; } symbol "DBL_PROHIBIT" { weight = 0.00000; description = "DBL uribl IP queries prohibited!"; } symbol "URIBL_MULTI" { weight = 0.0; description = "uribl.com: unrecognised result"; } symbol "URIBL_BLOCKED" { weight = 0.0; description = "uribl.com: query refused"; } symbol "URIBL_BLACK" { weight = 7.5; description = "uribl.com black url"; } symbol "URIBL_RED" { weight = 3.5; description = "uribl.com red url"; } symbol "URIBL_GREY" { weight = 1.5; description = "uribl.com grey url"; } symbol "RAMBLER_EMAILBL" { weight = 9.5; description = "rambler.ru emailbl"; } symbol "SBL_URIBL" { weight = 0.0; description = "SBL URIBL: Filtered result"; } symbol "URIBL_SBL" { weight = 6.5; description = "Spamhaus SBL URIBL"; } symbol "URIBL_SBL_CSS" { weight = 6.5; description = "Spamhaus SBL CSS URIBL"; } } group "phishing" { symbol "PHISHING" { weight = 4.0; description = "Phished mail"; one_shot = true; } } group "date" { symbol "DATE_IN_FUTURE" { weight = 4.0; description = "Message date is in future"; } symbol "DATE_IN_PAST" { weight = 1.0; description = "Message date is in past"; } symbol "MISSING_DATE" { weight = 1.0; description = "Message date is missing"; } } group "hfilter" { symbol "HFILTER_HELO_BAREIP" { weight = 3.00; description = "Helo host is bare ip"; } symbol "HFILTER_HELO_BADIP" { weight = 4.50; description = "Helo host is very bad ip"; } symbol "HFILTER_HELO_UNKNOWN" { weight = 2.00; description = "Helo host empty or unknown"; } symbol "HFILTER_HELO_1" { weight = 0.5; description = "Helo host checks (very low)"; } symbol "HFILTER_HELO_2" { weight = 1.00; description = "Helo host checks (low)"; } symbol "HFILTER_HELO_3" { weight = 2.00; description = "Helo host checks (medium)"; } symbol "HFILTER_HELO_4" { weight = 2.50; description = "Helo host checks (hard)"; } symbol "HFILTER_HELO_5" { weight = 3.00; description = "Helo host checks (very hard)"; } symbol "HFILTER_HOSTNAME_1" { weight = 0.5; description = "Hostname checks (very low)"; } symbol "HFILTER_HOSTNAME_2" { weight = 1.00; description = "Hostname checks (low)"; } symbol "HFILTER_HOSTNAME_3" { weight = 2.00; description = "Hostname checks (medium)"; } symbol "HFILTER_HOSTNAME_4" { weight = 2.50; description = "Hostname checks (hard)"; } symbol "HFILTER_HOSTNAME_5" { weight = 3.00; description = "Hostname checks (very hard)"; } symbol "HFILTER_HELO_NORESOLVE_MX" { weight = 0.20; description = "MX found in Helo and no resolve"; } symbol "HFILTER_HELO_NORES_A_OR_MX" { weight = 0.3; description = "Helo no resolve to A or MX"; } symbol "HFILTER_HELO_IP_A" { weight = 1.00; description = "Helo A IP != hostname IP"; } symbol "HFILTER_HELO_NOT_FQDN" { weight = 2.00; description = "Helo not FQDN"; } symbol "HFILTER_FROMHOST_NORESOLVE_MX" { weight = 0.5; description = "MX found in FROM host and no resolve"; } symbol "HFILTER_FROMHOST_NORES_A_OR_MX" { weight = 1.50; description = "FROM host no resolve to A or MX"; } symbol "HFILTER_FROMHOST_NOT_FQDN" { weight = 3.00; description = "FROM host not FQDN"; } symbol "HFILTER_FROM_BOUNCE" { weight = 0.00; description = "Bounce message"; } /* symbol { weight = 0.50; name = "HFILTER_MID_NORESOLVE_MX"; description = "MX found in Message-id host and no resolve"; } symbol { weight = 0.50; name = "HFILTER_MID_NORES_A_OR_MX"; description = "Message-id host no resolve to A or MX"; } symbol { weight = 0.50; name = "HFILTER_MID_NOT_FQDN"; description = "Message-id host not FQDN"; } */ symbol "HFILTER_HOSTNAME_UNKNOWN" { weight = 2.50; description = "Unknown hostname (no PTR or no resolve PTR to hostname)"; } symbol "HFILTER_RCPT_BOUNCEMOREONE" { weight = 1.50; description = "Message from bounce and over 1 recepient"; } symbol "HFILTER_URL_ONLY" { weight = 1.50; description = "URL only in body"; } symbol "HFILTER_URL_ONELINE" { weight = 2.20; description = "One line URL and text in body"; } } group "dmarc" { symbol "DMARC_POLICY_ALLOW" { weight = -1.0; description = "DMARC permit policy"; } symbol "DMARC_POLICY_REJECT" { weight = 2.0; description = "DMARC reject policy"; } symbol "DMARC_POLICY_QUARANTINE" { weight = 1.5; description = "DMARC quarantine policy"; } symbol "DMARC_POLICY_SOFTFAIL" { weight = 0.1; description = "DMARC failed"; } } group "mime_types" { symbol "MIME_GOOD" { weight = -0.1; description = "Known content-type"; one_shot = true; } symbol "MIME_BAD" { weight = 1.0; description = "Known bad content-type"; one_shot = true; } symbol "MIME_UNKNOWN" { weight = 0.1; description = "Missing or unknown content-type"; one_shot = true; } symbol "MIME_BAD_ATTACHMENT" { weight = 4.0; description = "Invalid attachement mime type"; one_shot = true; } } group "url" { symbol "R_SUSPICIOUS_URL" { weight = 6.0; description = "Obfusicated or suspicious URL has been found in a message"; one_shot = true; } } .include(try=true; priority=1) "$LOCAL_CONFDIR/local.d/metrics.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" }