path: root/conf/composites.conf
# Composites setup
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details

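# Composites derive one symbol from symbols (and `g:<group>` atoms) that have
# already matched. Each entry takes a required `expression`, plus optional
# `score`, `description` and `policy`. `policy` decides what happens to the
# constituent symbols once the composite fires; this file uses "remove_weight"
# (keep the symbols, drop their weight) and "leave" (keep symbols and weight),
# and relies on rspamd's default policy everywhere else. The `-` and `~` atom
# prefixes below tune per-atom removal rather than negating the atom (`!` is
# the negation operator) — confirm exact semantics against the rspamd
# composites documentation for the version in use.
#
# Local tuning belongs in local.d/override.d (see the .include lines at the
# bottom), not in this file.
composites {

    # Forged headers seen together with a mailing-list signature; the
    # `-MAILLIST` atom keeps MAILLIST in the result.
    FORGED_RECIPIENTS_MAILLIST {
        expression = "FORGED_RECIPIENTS & -MAILLIST";
    }
    FORGED_SENDER_MAILLIST {
        expression = "FORGED_SENDER & -MAILLIST";
    }

    # Forwarding: a forwarded message is expected to carry a sender/recipient
    # mismatch and SPF failures, so these composites remove the weight of the
    # underlying symbols instead of adding to the score. They fire only when a
    # symbol from the `forwarding` group has matched, so the quality of
    # forwarding detection bounds how much legitimate penalty is removed.
    FORGED_SENDER_FORWARDING {
        expression = "FORGED_SENDER & g:forwarding";
        policy = "remove_weight";
    }
    SPF_FAIL_FORWARDING {
        expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
        policy = "remove_weight";
    }
    # DMARC already passed (policy allow), so SPF/DKIM failures on other
    # identifiers are not penalised further.
    DMARC_POLICY_ALLOW_WITH_FAILURES {
        expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
        policy = "remove_weight";
    }
    FORGED_RECIPIENTS_FORWARDING {
        expression = "FORGED_RECIPIENTS & g:forwarding";
        policy = "remove_weight";
    }

    # Forged sender on a VERP/PRVS (bounce-address rewriting) envelope.
    FORGED_SENDER_VERP_SRS {
        expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
    }
    # Written with the word form `and`; equivalent to `&` elsewhere in this file.
    FORGED_MUA_MAILLIST {
        expression = "g:mua and -MAILLIST";
    }
    RBL_SPAMHAUS_XBL_ANY {
        expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
        description = "From and Received address are listed in Spamhaus XBL";
    }

    # None of SPF, DKIM or DMARC applies: a small positive score replaces the
    # three individual N/A symbols' weight.
    AUTH_NA {
        expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA";
        score = 1.0;
        policy = "remove_weight";
        description = "Authenticating message via SPF/DKIM/DMARC not possible";
    }
    # Valid and failing DKIM signatures on the same message.
    DKIM_MIXED {
        expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)";
        policy = "remove_weight";
    }

    # Mailer-specific heuristics: base64-heavy headers/body from mailers that
    # normally do not produce them.
    MAIL_RU_MAILER_BASE64 {
        expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
    }
    YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
        expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
    }
    MAILER_1C_8_BASE64 {
        expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
    }

    # Phishing sent through a compromised WordPress/PHP mailer. `policy = leave`
    # keeps the individual phishing/URI symbols visible alongside the composite.
    HACKED_WP_PHISHING {
        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
        description = "Phish message sent by hacked Wordpress instance";
        policy = "leave";
    }

    # Bulk (DCC) signature combined with signs of an authenticated but abused
    # account, or with missing/undisclosed recipients.
    COMPROMISED_ACCT_BULK {
        expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
        description = "Likely to be from a compromised account";
        score = 3.0;
        policy = "leave";
    }
    UNDISC_RCPTS_BULK {
        expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
        description = "Missing or undisclosed recipients with a bulk signature";
        score = 3.0;
        policy = "leave";
    }
    # Relay from a PBL-listed (end-user) address without SMTP AUTH.
    RCVD_UNAUTH_PBL {
        expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH";
        description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
        score = 2.0;
        policy = "leave";
    }

    # Negative-score composites: DNSWL trust only counts when the message is
    # also DKIM- or ARC-signed with a passing result. These lower the total
    # score, so any change to DNSWL trust levels should be revisited here.
    RCVD_DKIM_ARC_DNSWL_MED {
        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
        description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
        score = -0.5;
        policy = "leave";
    }
    RCVD_DKIM_ARC_DNSWL_HI {
        expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
        description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
        score = -1.0;
        policy = "leave";
    }

    # PHP-generated message with subject/layout spam indicators.
    AUTOGEN_PHP_SPAMMY {
        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
        description = "Message was generated by PHP script and contains some spam indicators";
        score = 1.0;
    }
    PHISH_EMOTION {
        expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
        description = "Phish message with subject trying to address users emotion";
        score = 2.0;
    }
    HAS_ANON_DOMAIN {
        expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR";
        description = "Contains one or more domains trying to disguise owner/destination";
        score = 0.5;
    }
    # Negative-scored policy symbols (`g-:policies`) alongside positive fuzzy or
    # bayes hits (`g+:fuzzy` / `g+:bayes`); the `~`/`-` prefixes keep those
    # atoms in the result rather than negating them.
    BAD_REP_POLICIES {
        description = "Contains valid policies but are also marked by fuzzy/bayes";
        expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes)";
        score = 0.1;
    }

    # local.d is merged into the definitions above (duplicate=merge, priority 1);
    # override.d is read at a higher priority (10) and replaces them. Both are
    # optional (try=true).
    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
}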