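<?xml version="1.0" encoding="UTF-8"?>
<!--
  rspamd sample configuration (template: the @ETC_PREFIX@ tokens are presumably
  substituted at build/install time; confirm against the build system).

  Layout: main options, logging, one metric with its symbol weights, composites,
  worker processes, per-module options, statistical classifiers, Lua plugin path.

  NOTE(review): several defaults below are convenient for a first run but should
  be changed before the file is used on a shared or internet-facing host. Each
  one is flagged in place: /tmp paths, the controller password, the wildcard
  bind of the normal worker, and the whitelist map fetched over plain HTTP.
-->
<rspamd>

  <!-- Main section -->
  <!-- NOTE(review): /tmp is world-writable on typical Unix hosts; prefer a
       directory owned by the rspamd user and not writable by others. -->
  <tempdir>/tmp</tempdir>
  <pidfile>/var/run/rspamd.pid</pidfile>

  <!-- Comma-separated list of filters; each name has a matching module or
       symbol group further down (regexp, surbl, chartable, fuzzy_check, spf). -->
  <filters>regexp,surbl,chartable,fuzzy_check,spf</filters>
  <!-- 262144000 = 250 * 1024 * 1024; presumably a size in bytes (confirm) -->
  <statfile_pool_size>262144000</statfile_pool_size>
  <raw_mode>yes</raw_mode>
  <lua src="@ETC_PREFIX@/rspamd/lua/rspamd.lua" />
  <!-- End of main section -->

  <!-- Logging section -->
  <logging>
    <level>info</level>
    <!-- NOTE(review): with log_urls enabled, URLs taken from scanned mail end
         up in the log. Such URLs can carry personal data or one-time tokens,
         so restrict read access to the log destination accordingly. -->
    <log_urls>yes</log_urls>
    <type>console</type>
    <!-- Other types
    <type filename="/var/log/rspamd/rspamd.log">file</type>
    <type facility="local7">syslog</type>
    -->
    <!-- Selective debug
    <debug_ip>127.0.0.1</debug_ip>
    <debug_symbols>SYMBOL1,SYMBOL2</debug_symbols>
    -->
  </logging>
  <!-- End of logging section -->

  <!-- Metrics section -->
  <metric>
    <name>default</name>
    <required_score>10.0</required_score>

    <!-- Sample actions -->
    <action>reject</action>
    <action>greylist:5</action>
    <action>add_header:5</action>

    <!-- Weights for symbols.
         Positive weights push a message towards spam, negative weights towards
         ham. The description attribute is runtime text and is kept verbatim. -->

    <!-- Subject is missing inside message -->
    <symbol weight="2.00" description="Subject is missing inside message">MISSING_SUBJECT</symbol>
    <!-- Message pretends to be send from Outlook but has 'strange' tags -->
    <symbol weight="2.10" description="Message pretends to be send from Outlook but has 'strange' tags ">FORGED_OUTLOOK_TAGS</symbol>
    <!-- Sender is forged (different From: header and smtp MAIL FROM: addresses) -->
    <symbol weight="5.00" description="Sender is forged (different From: header and smtp MAIL FROM: addresses)">FORGED_SENDER</symbol>
    <!-- Recipients seems to be autogenerated (works if recipients count is more than 5) -->
    <symbol weight="3.50" description="Recipients seems to be autogenerated (works if recipients count is more than 5)">SUSPICIOUS_RECIPS</symbol>
    <!-- Fake reply (has RE in subject, but has not References header) -->
    <symbol weight="6.00" description="Fake reply (has RE in subject, but has not References header)">FAKE_REPLY_C</symbol>
    <!-- Messages that have only HTML part -->
    <symbol weight="1.00" description="Messages that have only HTML part">MIME_HTML_ONLY</symbol>
    <!-- Forged yahoo msgid -->
    <symbol weight="2.00" description="Forged yahoo msgid">FORGED_MSGID_YAHOO</symbol>
    <!-- Forged The Bat! MUA headers -->
    <symbol weight="2.00" description="Forged The Bat! MUA headers">FORGED_MUA_THEBAT_BOUN</symbol>
    <!-- Charset is missing in a message -->
    <symbol weight="5.00" description="Charset is missing in a message">R_MISSING_CHARSET</symbol>
    <!-- Two received headers with ip addresses -->
    <symbol weight="2.00" description="Two received headers with ip addresses">RCVD_DOUBLE_IP_SPAM</symbol>
    <!-- Forged outlook HTML signature -->
    <symbol weight="5.00" description="Forged outlook HTML signature">FORGED_OUTLOOK_HTML</symbol>
    <!-- Recipients are absent or undisclosed -->
    <symbol weight="5.00" description="Recipients are absent or undisclosed">R_UNDISC_RCPT</symbol>
    <!-- White color on white background in HTML messages -->
    <symbol weight="9.00" description="White color on white background in HTML messages">R_WHITE_ON_WHITE</symbol>
    <!-- Short html part with a link to an image -->
    <symbol weight="3.00" description="Short html part with a link to an image">HTML_SHORT_LINK_IMG_2</symbol>
    <!-- Forged outlook MUA -->
    <symbol weight="3.00" description="Forged outlook MUA ">FORGED_MUA_OUTLOOK</symbol>
    <!-- Fake helo for verizon provider -->
    <symbol weight="2.00" description="Fake helo for verizon provider">FM_FAKE_HELO_VERIZON</symbol>
    <!-- Quoted reply-to from yahoo (seems to be forged) -->
    <symbol weight="2.00" description="Quoted reply-to from yahoo (seems to be forged)">REPTO_QUOTE_YAHOO</symbol>
    <!-- Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange) -->
    <symbol weight="5.00" description="Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)">MISSING_MIMEOLE</symbol>
    <!-- To header is missing -->
    <symbol weight="2.00" description="To header is missing">MISSING_TO</symbol>
    <!-- From that contains encoded characters while base 64 is not needed as all symbols are 7bit -->
    <symbol weight="2.0" description="From that contains encoded characters while base 64 is not needed as all symbols are 7bit">FROM_EXCESS_BASE64</symbol>
    <!-- Mixed characters in a message -->
    <symbol weight="5.00" description="Mixed characters in a message">R_MIXED_CHARSET</symbol>
    <!-- Recipients list seems to be sorted -->
    <symbol weight="3.50" description="Recipients list seems to be sorted">SORTED_RECIPS</symbol>
    <!-- Spambots signatures in received headers -->
    <symbol weight="3.00" description="Spambots signatures in received headers">R_RCVD_SPAMBOTS</symbol>
    <!-- To header seems to be autogenerated -->
    <symbol weight="2.00" description="To header seems to be autogenerated">R_TO_SEEMS_AUTO</symbol>
    <!-- Subject needs encoding -->
    <symbol weight="1.00" description="Subject needs encoding">SUBJECT_NEEDS_ENCODING</symbol>
    <!-- Spam string at the end of message to make statistics faults 0 -->
    <symbol weight="3.84" description="Spam string at the end of message to make statistics faults 0">TRACKER_ID</symbol>
    <!-- No space in from header -->
    <symbol weight="3.00" description="No space in from header">R_NO_SPACE_IN_FROM</symbol>
    <!-- Subject seems to be spam -->
    <symbol weight="8.00" description="Subject seems to be spam">R_SAJDING</symbol>
    <!-- Detects bad content-transfer-encoding for text parts -->
    <symbol weight="3.00" description="Detects bad content-transfer-encoding for text parts">R_BAD_CTE_7BIT</symbol>
    <!-- Flash redirect on imageshack.us -->
    <!-- NOTE(review): this weight equals required_score (10.0), so this single
         symbol reaches the metric threshold without any other evidence. -->
    <symbol weight="10.00" description="Flash redirect on imageshack.us">R_FLASH_REDIR_IMGSHACK</symbol>
    <!-- Message id is incorrect -->
    <symbol weight="5.00" description="Message id is incorrect">INVALID_MSGID</symbol>
    <!-- Message id is missing -->
    <symbol weight="3.00" description="Message id is missing ">MISSING_MID</symbol>
    <!-- Recipients are not the same as RCPT TO: mail command -->
    <symbol weight="3.00" description="Recipients are not the same as RCPT TO: mail command">FORGED_RECIPIENTS</symbol>
    <!-- Forged Exchange messages -->
    <symbol weight="2.00" description="Forged Exchange messages ">RATWARE_MS_HASH</symbol>
    <!-- Reply-type in content-type -->
    <symbol weight="1.00" description="Reply-type in content-type">STOX_REPLY_TYPE</symbol>
    <!-- IP in received headers is in PBL -->
    <symbol weight="3.00" description="IP in received headers is in PBL">R_IP_PBL</symbol>
    <!-- One received header in a message -->
    <symbol weight="1.00" description="One received header in a message ">ONCE_RECEIVED</symbol>
    <!-- One received header with 'bad' patterns inside -->
    <symbol weight="4.00" description="One received header with 'bad' patterns inside">ONCE_RECEIVED_STRICT</symbol>
    <!-- Received headers contains addresses from RBL -->
    <symbol weight="1.00" description="Received headers contains addresses from RBL">RECEIVED_RBL</symbol>
    <!-- Text and HTML parts differ -->
    <symbol weight="3.00" description="Text and HTML parts differ">R_PARTS_DIFFER</symbol>
    <!-- Only Content-Type header without other MIME headers -->
    <symbol weight="2.00" description="Only Content-Type header without other MIME headers">MIME_HEADER_CTYPE_ONLY</symbol>
    <!-- Message contains empty parts and image -->
    <symbol weight="2.00" description="Message contains empty parts and image ">R_EMPTY_IMAGE</symbol>
    <!-- Drugs patterns inside message -->
    <symbol weight="2.00" description="Drugs patterns inside message">DRUGS_MANYKINDS</symbol>

    <!-- Specific drugs signatures (descriptions are intentionally left empty
         in this sample) -->
    <symbol weight="2.00" description="">DRUGS_ANXIETY</symbol>
    <symbol weight="2.00" description="">DRUGS_MUSCLE</symbol>
    <symbol weight="2.00" description="">DRUGS_ANXIETY_EREC</symbol>
    <symbol weight="2.00" description="">DRUGS_DIET</symbol>
    <symbol weight="2.00" description="">DRUGS_ERECTILE</symbol>

    <!-- 2 or 3 'advance fee' patterns in a message -->
    <symbol weight="3.30" description="2 'advance fee' patterns in a message">ADVANCE_FEE_2</symbol>
    <symbol weight="2.12" description="3 'advance fee' patterns in a message">ADVANCE_FEE_3</symbol>

    <!-- Lotto signatures -->
    <symbol weight="8.00" description="Lotto signatures">R_LOTTO</symbol>

    <!-- Statistics: symbols produced by the bayes classifier defined below -->
    <symbol weight="3.00" description="Message probably spam, probability: ">BAYES_SPAM</symbol>
    <symbol weight="-3.00" description="Message probably ham, probability: ">BAYES_HAM</symbol>

    <!-- Fuzzy lists example: R_FUZZY1..3 are referenced by fuzzy_map in the
         fuzzy_check module -->
    <symbol weight="1.00" description="">R_FUZZY</symbol>
    <symbol weight="1.00" description="">R_FUZZY1</symbol>
    <symbol weight="1.00" description="">R_FUZZY2</symbol>
    <symbol weight="1.00" description="">R_FUZZY3</symbol>

    <!-- SPF rules -->
    <!-- NOTE(review): an SPF pass only shows that the sending host is
         authorised by the envelope domain, and any domain owner can publish
         such a record. Consider whether -3.00 is too generous for a pass. -->
    <symbol weight="3.00" description="SPF verification failed">R_SPF_FAIL</symbol>
    <symbol weight="1.00" description="SPF verification soft-failed">R_SPF_SOFTFAIL</symbol>
    <symbol weight="-3.00" description="SPF verification alowed">R_SPF_ALLOW</symbol>

    <!-- Whitelisted client's IP (list source: ip_whitelist in the whitelist module) -->
    <symbol weight="-2.00" description="Whitelisted client's IP">WHITELIST_IP</symbol>

    <!-- Message seems to be from maillist -->
    <symbol weight="-2.00" description="Message seems to be from maillist">MAILLIST</symbol>

    <!-- multi.surbl.org lists (more details at http://www.surbl.org) -->
    <!-- Phishing and malware sites -->
    <symbol weight="5.50" description="Phishing and malware sites">PH_SURBL_MULTI</symbol>
    <!-- Outblaze URI Blacklist -->
    <symbol weight="5.50" description="Outblaze URI Blacklist">OB_SURBL_MULTI</symbol>
    <!-- AbuseButler web sites -->
    <symbol weight="5.50" description="AbuseButler web sites">AB_SURBL_MULTI</symbol>
    <!-- SpamCop web sites -->
    <symbol weight="5.50" description="SpamCop web sites">SC_SURBL_MULTI</symbol>
    <!-- jwSpamSpy + Prolocation sites -->
    <symbol weight="5.50" description="jwSpamSpy + Prolocation sites">JP_SURBL_MULTI</symbol>
    <!-- sa-blacklist web sites -->
    <symbol weight="5.50" description="sa-blacklist web sites ">WS_SURBL_MULTI</symbol>

    <!-- rambler.ru uribl -->
    <symbol weight="9.50" description="rambler.ru uribl">RAMBLER_URIBL</symbol>
    <!-- rambler.ru emailbl -->
    <symbol weight="9.50" description="rambler.ru emailbl">RAMBLER_EMAILBL</symbol>

    <!-- Phished mail -->
    <symbol weight="5.0" description="Phished mail">PHISHING</symbol>

    <!-- Recipients are not the same as RCPT TO: mail command, but from maillist -->
    <symbol weight="-0.1" description="Recipients are not the same as RCPT TO: mail command, but from maillist">FORGED_RECIPIENTS_MAILLIST</symbol>
  </metric>
  <!-- End of metrics section -->

  <!-- Composites section -->
  <!-- The ampersand must be written as an entity reference: a bare "&" in
       element text makes the whole document not well-formed, and a strict XML
       parser rejects the file instead of loading it. -->
  <composite name="FORGED_RECIPIENTS_MAILLIST">FORGED_RECIPIENTS &amp; MAILLIST</composite>
  <!-- End of composites section -->

  <!-- Workers section -->
  <worker>
    <type>fuzzy</type>
    <bind_socket>localhost:11335</bind_socket>
    <count>1</count>
    <maxfiles>2048</maxfiles>
    <maxcore>0</maxcore>
    <!-- Other params -->
    <!-- NOTE(review): a fixed file name under /tmp can be pre-created or
         replaced by any local user on a typical Unix host. Move the hash
         storage to a directory only the rspamd user can write. -->
    <hashfile>/tmp/fuzzy.db</hashfile>
    <use_judy>yes</use_judy>
  </worker>

  <worker>
    <type>controller</type>
    <!-- Bound to localhost only; keep it that way unless the password below
         has been replaced and network access is filtered. -->
    <bind_socket>localhost:11334</bind_socket>
    <count>1</count>
    <maxfiles>2048</maxfiles>
    <maxcore>0</maxcore>
    <!-- Other params -->
    <!-- NOTE(review): two-character sample password stored in clear text.
         Replace it with a long random secret before deployment and make this
         file readable only by the rspamd user. -->
    <password>q1</password>
  </worker>

  <worker>
    <type>normal</type>
    <!-- NOTE(review): "*" listens on every interface. If the clients of this
         worker run on the same host, bind to localhost as the other workers
         do; otherwise restrict port 11333 with a packet filter. -->
    <bind_socket>*:11333</bind_socket>
    <count>1</count>
    <maxfiles>2048</maxfiles>
    <maxcore>0</maxcore>
    <!-- Other params -->
  </worker>
  <!-- End of workers section -->

  <!-- Modules section -->

  <!-- fuzzy_check: queries the fuzzy worker defined above (localhost:11335) -->
  <module name="fuzzy_check">
    <servers>localhost:11335</servers>
    <symbol>R_FUZZY</symbol>
    <min_bytes>300</min_bytes>
    <max_score>10</max_score>
    <mime_types>application/pdf</mime_types>
    <!-- Entries look like flag:symbol:weight (inferred from the values;
         confirm against the fuzzy_check documentation) -->
    <fuzzy_map>1:R_FUZZY1:10,2:R_FUZZY2:5,3:R_FUZZY3:-2.1</fuzzy_map>
  </module>

  <!-- forged_recipients -->
  <module name="forged_recipients">
    <symbol_sender>FORGED_SENDER</symbol_sender>
    <symbol_rcpt>FORGED_RECIPIENTS</symbol_rcpt>
  </module>

  <!-- maillist -->
  <module name="maillist">
    <symbol>MAILLIST</symbol>
  </module>

  <!-- surbl -->
  <module name="surbl">
    <whitelist>file://@ETC_PREFIX@/rspamd/surbl-whitelist.inc</whitelist>
    <exceptions>file://@ETC_PREFIX@/rspamd/2tld.inc</exceptions>
    <!-- bit_N values name the prefix used for the *_SURBL_MULTI symbols in
         the metric (JP, AB, OB, PH, WS, SC) -->
    <bit_64>JP</bit_64>
    <bit_32>AB</bit_32>
    <bit_16>OB</bit_16>
    <bit_8>PH</bit_8>
    <bit_4>WS</bit_4>
    <bit_2>SC</bit_2>
    <suffix_RAMBLER_URIBL>uribl.rambler.ru</suffix_RAMBLER_URIBL>
    <option name="suffix_%b_SURBL_MULTI">multi.surbl.org</option>
    <redirector_read_timeout>10s</redirector_read_timeout>
    <redirector_connect_timeout>1s</redirector_connect_timeout>
    <redirector>localhost:8080</redirector>
  </module>

  <!-- received_rbl -->
  <module name="received_rbl">
    <symbol>RECEIVED_RBL</symbol>
    <rbl>pbl.spamhaus.org</rbl>
    <rbl>xbl.spamhaus.org</rbl>
    <rbl>insecure-bl.rambler.ru</rbl>
  </module>

  <!-- whitelist -->
  <module name="whitelist">
    <!-- NOTE(review): this map is fetched over plain HTTP from a third-party
         host and feeds WHITELIST_IP, which carries a negative weight (-2.00).
         Whoever controls that host or the network path can therefore lower
         scores for addresses of their choosing. Prefer a locally maintained
         file:// map, as the surbl module does, and review its contents. -->
    <ip_whitelist>http://cebka.pp.ru/stuff/grey_whitelist.conf</ip_whitelist>
    <symbol_ip>WHITELIST_IP</symbol_ip>
  </module>

  <!-- chartable -->
  <module name="chartable">
    <threshold>0.1</threshold>
    <symbol>R_MIXED_CHARSET</symbol>
  </module>

  <!-- once_received -->
  <module name="once_received">
    <good_host>mail</good_host>
    <bad_host>static</bad_host>
    <bad_host>dynamic</bad_host>
    <symbol_strict>ONCE_RECEIVED_STRICT</symbol_strict>
    <symbol>ONCE_RECEIVED</symbol>
  </module>

  <!-- multimap -->
  <module name="multimap">
    <!--
    <rule>type = header, header = To, pattern = @(.+)>?$, map = file://@ETC_PREFIX@/rspamd/rcpt_test, symbol = R_RCPT_WHITELIST</rule>
    <rule>type = ip, map = file://@ETC_PREFIX@/rspamd/ip_test, symbol = R_IP_WHITELIST</rule>
    -->
    <rule>type = dnsbl, map = pbl.spamhaus.org, symbol = R_IP_PBL</rule>
  </module>

  <!-- phishing -->
  <module name="phishing">
    <symbol>PHISHING</symbol>
    <!--
    <domains>file://path/to/domains</domains>
    -->
  </module>

  <!-- Trie module -->
  <!--
  <module name="trie">
    <option name="rule">TRIE1:bad pattern</option>
  </module>
  -->

  <!-- Emails blacklist -->
  <module name="emails">
    <option name="rule">symbol = RAMBLER_EMAILBL, dnsbl = email-bl.rambler.ru, domain_only = false</option>
    <!--
    <option name="rule">symbol = R_BAD_EMAIL1, map = file:///tmp/emails.list, domain_only = true</option>
    -->
  </module>
  <!-- End of modules section -->

  <!-- Classifiers section -->
  <!--
  <classifier type="winnow">
    <tokenizer>osb-text</tokenizer>
    <metric>default</metric>
    <min_tokens>20</min_tokens>
    <statfile>
      <symbol>WINNOW_HAM</symbol>
      <size>100M</size>
      <path>/var/run/rspamd/data.ham</path>
    </statfile>
    <statfile>
      <symbol>WINNOW_SPAM</symbol>
      <size>100M</size>
      <path>/var/run/rspamd/data.spam</path>
    </statfile>
  </classifier>
  -->

  <!-- Example of slave
  <classifier type="bayes">
    <tokenizer>osb-text</tokenizer>
    <metric>default</metric>
    <min_tokens>10</min_tokens>
    <learn_threshold>0.2</learn_threshold>
    <statfile>
      <symbol>BAYES_HAM</symbol>
      <size>10M</size>
      <path>/var/run/rspamd/bayes_slave.ham</path>
      <binlog_master>localhost:11334</binlog_master>
      <binlog>slave</binlog>
    </statfile>
    <statfile>
      <symbol>BAYES_SPAM</symbol>
      <size>10M</size>
      <path>/var/run/rspamd/bayes_slave.spam</path>
      <binlog>slave</binlog>
      <binlog_master>localhost:11334</binlog_master>
    </statfile>
  </classifier>
  -->

  <!-- Active classifier: bayes over the "default" metric, acting as binlog
       master for both statfiles.
       NOTE(review): on many systems /var/run is cleared at boot; if that
       applies here the learned statistics do not survive a restart. The
       statfiles also decide BAYES_SPAM / BAYES_HAM, so the directory should
       be writable by the rspamd user only. -->
  <classifier type="bayes">
    <tokenizer>osb-text</tokenizer>
    <metric>default</metric>
    <min_tokens>10</min_tokens>
    <statfile>
      <symbol>BAYES_HAM</symbol>
      <size>10M</size>
      <path>/var/run/rspamd/bayes.ham</path>
      <binlog>master</binlog>
    </statfile>
    <statfile>
      <symbol>BAYES_SPAM</symbol>
      <size>10M</size>
      <path>/var/run/rspamd/bayes.spam</path>
      <binlog>master</binlog>
    </statfile>
  </classifier>
  <!-- End of classifiers section -->

  <!-- Lua plugins path section.
       NOTE(review): the path below and the rspamd.lua file named in the main
       section supply Lua code to the daemon, so both locations should be
       writable by the administrator only. -->
  <modules>
    <path>@ETC_PREFIX@/rspamd/plugins/lua/</path>
  </modules>
  <!-- End of Lua plugins path section -->

</rspamd>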