# SpamAssassin-rules module. The section is present but empty: no ruleset
# paths are given here, so presumably no SA rule files are loaded (verify
# against any local.d/override.d fragments not shown in this dump).
1spamassassin {
2}
# DKIM signing of outbound mail. Security-relevant points in this section:
#  - auth_only = true: only SMTP-authenticated sessions are signed (plus the
#    sign_local / sign_networks exceptions), so an unauthenticated relay
#    cannot obtain a signature for this domain.
#  - allow_hdrfrom_mismatch = false / allow_username_mismatch = false: the
#    header From domain must agree with the signing domain and with the
#    authenticated user, which stops one authenticated account from getting
#    signatures on mail that claims to be from someone else.
#  - check_pubkey = false: the private key is used without checking that a
#    matching public key is published in DNS. After a key rotation a stale
#    key file would still sign, and every such signature would fail at the
#    receiver. Enabling the check is cheap and catches exactly that.
#  - path: the private key files must be readable by the rspamd worker only.
3dkim_signing {
# Reduce the signing domain to its effective second-level domain.
4 use_esld = true;
5 symbol = "DKIM_SIGNED";
# Sign even when MAIL FROM is empty (bounces / DSNs).
6 allow_envfrom_empty = true;
# Source addresses that are signed regardless of authentication. 127.2.4.7 is
# in the loopback range, which sign_local = true below already appears to
# cover — confirm this single entry is intentional.
7 sign_networks [
8 "127.2.4.7",
9 ]
# NOTE(review): no DNS check of the published public key before signing.
10 check_pubkey = false;
11 allow_username_mismatch = false;
12 sign_local = true;
13 allow_hdrfrom_mismatch = false;
# Default selector; per-domain selectors come from selector_map below.
14 selector = "dkim";
15 auth_only = true;
# Fall back to the default selector/path when no per-domain key is found.
16 try_fallback = true;
# Private key location, expanded per domain and selector. Keep these files
# unreadable to anything but the rspamd worker.
17 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
18 use_redis = false;
19 selector_map = "/etc/rspamd/dkim_selectors.map";
# Redis key prefix for stored keys; with use_redis = false it is presumably
# unused.
20 key_prefix = "DKIM_KEYS";
# Take the signing domain from the header From, not the envelope sender.
21 use_domain = "header";
# Refuse to sign messages carrying more than one From address.
22 allow_hdrfrom_multiple = false;
23}
# MX check of the sender domain. Disabled here, so MX_GOOD / MX_MISSING /
# MX_INVALID never fire; the remaining keys only matter if it is enabled.
24mx_check {
25 enabled = false;
# Redis key prefix used to cache lookup results.
26 key_prefix = "rmx";
27 symbol_good_mx = "MX_GOOD";
28 symbol_no_mx = "MX_MISSING";
29 symbol_bad_mx = "MX_INVALID";
# Per-lookup timeout (seconds, presumably) and cache lifetime (86400 s = 1 day).
30 timeout = 1;
31 expire = 86400;
32}
33regexp {
# Regexp rules are not applied to data larger than this (bytes, presumably).
# It bounds regex CPU per message, but it also means an oversized message
# bypasses every rule in this section.
34 max_size = 1000000;
# User-Agent claims Postbox and the Message-ID has the generic Mozilla
# "8hex.digits@domain" shape but not the Postbox-specific leading ranges.
# The trailing !( ... ) clause is the exemption list shared by the FORGED_MUA_*
# rules (list mail, /CWT/DCE and iPlanet gateways, BAY*/phx.gbl, mailman).
35 FORGED_MUA_POSTBOX_MSGID {
36 re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s\\([^)]+\\)\\sGecko\\/\\d+\\sPostboxApp\\/\\d+(?:\\.\\d+){2,3}$/H) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
37 group = "mua";
38 description = "Forged mail pretending to be from Postbox but has forged Message-ID";
39 score = 4;
40 }
# A long run of random-looking alphanumerics as the last thing in a text part
# (the P flag appears to select text parts) — a Bayes-poisoning trick.
# mime_only: runs only on MIME messages.
41 TRACKER_ID {
42 group = "headers";
43 re = "/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr";
44 mime_only = true;
45 score = 3.840000;
46 description = "Spam string at the end of message to make statistics fault";
47 }
# Received line "from localhost by <host>; <date>" with no protocol or queue
# id — a shape the rule treats as ratware output rather than a real MTA's.
48 FORGED_GENERIC_RECEIVED4 {
49 re = "Received=/^\\s*(.+\\n)*from localhost by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0[\\s\\r\\n]*$/X";
50 group = "headers";
51 description = "Forged generic Received";
52 score = 3.600000;
53 }
# base64 data: URI anywhere in the raw body. No score is set, so this is an
# indicator only — but data: URIs let phishing content be delivered inline
# without any hosted URL that reputation/URL checks could catch.
54 HAS_DATA_URI {
55 re = "/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i";
56 one_shot = true;
57 group = "HTML";
58 description = "Has Data URI encoding";
59 }
# Cc header name separated from its value by a tab. NOTE(review): the
# description below says "Header To" but this rule checks Cc. The !( ... )
# part exempts mail relayed by Yandex from a Yandex sender address.
60 HEADER_CC_DELIMITER_TAB {
61 re = "(check_header_delimiter_tab(Cc)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
62 group = "headers";
63 description = "Header To begins with tab";
64 score = 1;
65 }
# X-Mailer claims The Bat! v1.x but the multipart boundary lacks the ten-dash
# prefix the rule expects from that client; Mailman-relayed mail is exempted.
66 FORGED_MUA_THEBAT_BOUN {
67 re = "(X-Mailer=/^The Bat! \\(v1\\./H) & (Content-Type=/boundary/iH) & !(Content-Type=/boundary=\\\"?-{10}/H) & !(X-Mailman-Version=/\\d/H)";
68 group = "headers";
69 description = "Forged The Bat! MUA headers";
70 score = 2;
71 }
# X-Mailer claims The Bat! but the Message-ID is neither the timestamped
# "digits.YYYYMMDDhhmmss@host" form nor the plain "digits.digits@host" form.
# Shares the FORGED_MUA_* exemption list (lists, gateways, mailman).
72 FORGED_MUA_THEBAT_MSGID_UNKNOWN {
73 re = "(X-Mailer=/^\\s*The Bat!/H) & !(Message-ID=/^<?\\d+\\.(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)([0-5]\\d)\\@\\S+>?/mH) & !(Message-ID=/^<?\\d+\\.\\d+\\@\\S+>?$/mH) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
74 group = "mua";
75 description = "Message pretends to be send from The Bat! but has forged Message-ID";
76 score = 3;
77 }
# X-PHP-Script of the form "host.tld/sendmail.php" — a generic web-mailer
# script path. No score; indicator for the compromised_hosts group.
78 PHP_XPS_PATTERN {
79 re = "X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi";
80 group = "compromised_hosts";
81 description = "Message contains X-PHP-Script pattern";
82 }
# From / Sender / Reply-To or the envelope sender is user@www.<domain>, i.e.
# the mail was generated on a web host rather than a mail system.
83 WWW_DOT_DOMAIN {
84 re = "From=/@www\\./Hi || Sender=/@www\\./Hi || Reply-To=/@www\\./Hi || check_smtp_data('from',/@www\\./i)";
85 group = "compromised_hosts";
86 score = 0.500000;
87 description = "From/Sender/Reply-To or Envelope is @www.domain.com";
88 }
# "< user@domain >" with spaces inside the angle brackets; checked on the raw
# header (X) so the bytes as received are what is matched.
89 TO_WRAPPED_IN_SPACES {
90 group = "headers";
91 re = "To=/<\\s[-.\\w]+\\@[-.\\w]+\\s>/X";
92 score = 2;
93 mime_only = true;
94 description = "To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)";
95 }
# From uses RFC 2047 base64 encoding (=?..?B?..) although the decoded header
# contains only 7-bit ASCII. Needless encoding of a plain-ASCII value is a
# common way to hide the sender string from simple matching.
96 FROM_EXCESS_BASE64 {
97 group = "excessb64";
98 re = "From=/=\\?\\S+\\?B\\?/iX & !From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
99 mime_only = true;
100 score = 1.500000;
101 description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
102 }
# Message-Id claims @yahoo.com but the From address does not.
103 FORGED_MSGID_YAHOO {
104 re = "(Message-Id=/\\@yahoo\\.com\\b/iH) & !(From=/\\@yahoo\\.com\\b/iH)";
105 group = "headers";
106 description = "Forged yahoo msgid";
107 score = 2;
108 }
# Message-Id right-hand side is a "www." host — generated on a web server.
109 MID_RHS_WWW {
110 re = "Message-Id=/@www\\./Hi";
111 group = "compromised_hosts";
112 score = 0.500000;
113 description = "Message-ID from www host";
114 }
# User-Agent claims Postbox but the Message-ID matches neither known shape
# (8hex.digits@domain or a UUID@domain); shares the FORGED_MUA_* exemptions.
115 FORGED_MUA_POSTBOX_MSGID_UNKNOWN {
116 re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s\\([^)]+\\)\\sGecko\\/\\d+\\sPostboxApp\\/\\d+(?:\\.\\d+){2,3}$/H) & !((Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) | (Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
117 group = "mua";
118 description = "Forged mail pretending to be from Postbox but has forged Message-ID";
119 score = 2.500000;
120 }
# Subject starts with "Re:" but neither References nor In-Reply-To exists,
# for a set of MUAs the rule expects to always emit them.
# NOTE(review): the "Microsoft Outlook Express 6" alternative inside the OR
# list is cancelled by the trailing & !(X-Mailer=/^Microsoft Outlook Express 6/H),
# so that branch can never contribute — dead rule text or an unintended
# exclusion; confirm which.
121 FAKE_REPLY_C {
122 re = "(Subject=/^R[eE]:/H) & (!((header_exists(References) | header_exists(In-Reply-To)))) & ((X-Mailer=/^Gnus v/H) | (X-Mailer=/^Microsoft Outlook Express 5/H) | (X-Mailer=/^Microsoft Outlook Express 6/H) | (X-Mailer=/^Mozilla 4/H) | (X-Mailer=/^SKYRiXgreen/H) | (X-Mailer=/^WWW-Mail \\d/H) | (User-Agent=/^Gnus/H) | (User-Agent=/^KNode/H) | (User-Agent=/^Mutt/H) | (User-Agent=/^Pan/H) | (User-Agent=/^Xnews/H)) & !(X-Mailer=/^Microsoft Outlook Express 6/H)";
123 group = "subject";
124 description = "Fake reply (has RE in subject, but has not References header)";
125 score = 6;
126 }
# X-Authentication-Warning present (typically added by sendmail when a local
# process overrides the sender). No score; indicator only.
127 HAS_XAW {
128 re = "header_exists('X-Authentication-Warning')";
129 group = "compromised_hosts";
130 description = "Has X-Authentication-Warning header";
131 }
# Envelope sender is a web/system service account (www-data, apache, nginx,
# nobody, ...), i.e. mail sent directly by a web-server process.
132 ENVFROM_SERVICE_ACCT {
133 re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)";
134 group = "compromised_hosts";
135 score = 1;
136 description = "Envelope from is a service account";
137 }
# Received "from [ip] by <host-or-ip>; <date>" with no protocol or queue id.
138 FORGED_GENERIC_RECEIVED {
139 re = "Received=/^\\s*(.+\\n)*from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by (([\\w\\d-]+\\.)+[a-zA-Z]{2,6}|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}); \\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X";
140 group = "headers";
141 description = "Forged generic Received";
142 score = 3.600000;
143 }
# X-Authentication-Warning says a service account "set sender to" something:
# the web-server user rewrote the envelope sender.
144 XAW_SERVICE_ACCT {
145 re = "X-Authentication-Warning=/\\b(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www) set sender to\\b/Hi";
146 group = "compromised_hosts";
147 score = 1;
148 description = "Message originally from a service account";
149 }
# Subject is RFC 2047 base64-encoded although the decoded value is pure 7-bit
# ASCII — needless encoding, usually to evade plain-text subject matching.
150 SUBJ_EXCESS_BASE64 {
151 re = "Subject=/\\=\\?\\S+\\?B\\?/iX & !Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
152 group = "excessb64";
153 description = "Subject is unnecessarily encoded in base64";
154 score = 1.500000;
155 }
# Recipient addresses look autogenerated. The 0.65 argument is presumably a
# similarity threshold between addresses; per the description it only applies
# when there are more than five recipients.
156 SUSPICIOUS_RECIPS {
157 group = "headers";
158 re = "compare_recipients_distance(0.65)";
159 mime_only = true;
160 score = 1.500000;
161 description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
162 }
# One Received header whose "from" and "by" parts are both bare IP addresses.
# NOTE(review): the description says "two received headers", but each
# alternative matches a single header containing two IPs.
163 RCVD_DOUBLE_IP_SPAM {
164 re = "(Received=/from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with/H) | (Received=/from\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s+by\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3};/H)";
165 group = "headers";
166 description = "Two received headers with ip addresses";
167 score = 2;
168 }
# A dot-prefixed (hidden) path component in X-PHP-Script,
# X-PHP-Originating-Script or X-Source-Args. Web shells are routinely dropped
# into hidden directories, so this is a useful compromise indicator.
169 HIDDEN_SOURCE_OBJ {
170 re = "X-PHP-Script=/\\/\\..+/Hi || X-PHP-Originating-Script=/(?:^\\d+:|\\/)\\..+/Hi || X-Source-Args=/\\/\\..+/Hi";
171 group = "compromised_hosts";
172 score = 2;
173 description = "UNIX hidden file/directory in path";
174 }
# No Message-Id header at all.
175 MISSING_MID {
176 group = "headers";
177 re = "!header_exists(Message-Id)";
178 mime_only = true;
179 score = 2.500000;
180 description = "Message id is missing";
181 }
# X-Mailer claims Outlook but the message is HTML-only, which the rule assumes
# genuine Outlook never produces; Yahoo Groups (NNFMP) relays are exempted.
182 FORGED_OUTLOOK_HTML {
183 group = "headers";
184 re = "!Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H & X-Mailer=/^Microsoft Outlook\\b/H & has_only_html_part()";
185 mime_only = true;
186 score = 5;
187 description = "Forged outlook HTML signature";
188 }
# Any URL whose path contains a /wp-*/ component (WordPress). Indicator only,
# no score.
189 HAS_WP_URI {
190 re = "/\\/wp-[^\\/]+\\//Ui";
191 group = "compromised_hosts";
192 one_shot = true;
193 description = "Contains WordPress URIs";
194 }
# Content-Type is present but MIME-Version, Content-Disposition and
# Content-Transfer-Encoding are all absent, and the type is not text/plain —
# a half-formed MIME message.
195 MIME_HEADER_CTYPE_ONLY {
196 re = "!(header_exists(Content-Disposition)) & !(header_exists(Content-Transfer-Encoding)) & (header_exists(Content-Type)) & !(raw_header_exists(MIME-Version)) & !(content_type_is_type(text) & content_type_is_subtype(plain))";
197 group = "headers";
198 description = "Only Content-Type header without other MIME headers";
199 score = 2;
200 }
# Subject contains a currency symbol (the class lists "$" twice; harmless).
201 SUBJECT_HAS_CURRENCY {
202 re = "Subject=/[$€$¢¥₽]/Hu";
203 group = "headers";
204 score = 1;
205 description = "Subject contains currency";
206 }
# URL with a 16- or 56-character label before ".onion" (v2 / v3 hidden-service
# address lengths). NOTE(review): the trailing "onion?" makes the final "n"
# optional, so ".onio" also matches — probably meant to be "\.onion\b".
# Experimental, score 0.
207 HAS_ONION_URI {
208 re = "(/[a-z0-9]{16}\\.onion?/{url}i | /[a-z0-9]{56}\\.onion?/{url}i)";
209 group = "experimental";
210 score = 0;
211 description = "Contains .onion hidden service URI";
212 }
# Received "from strongmail ([ip]) by <host> (-);" — fingerprint of a spam
# sending tool. High score (6).
213 STRONGMAIL {
214 re = "Received=/^from\\s+strongmail\\s+\\(\\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\]\\) by \\S+ \\(-\\); /mH";
215 group = "headers";
216 description = "Sent via rogue \"strongmail\" MTA";
217 score = 6;
218 }
# X-AntiAbuse headers present (typically added by cPanel/Exim to mail from
# web scripts). No score; indicator only.
219 HAS_X_ANTIABUSE {
220 re = "header_exists('X-AntiAbuse')";
221 group = "compromised_hosts";
222 description = "Has X-AntiAbuse headers";
223 }
# X-Source / X-Source-Args / X-Source-Dir present (script-provenance headers,
# typically from cPanel). No score; indicator only.
224 HAS_X_SOURCE {
225 re = "header_exists('X-Source') || header_exists('X-Source-Args') || header_exists('X-Source-Dir')";
226 group = "compromised_hosts";
227 description = "Has X-Source headers";
228 }
# X-PHP-Script present (mail sent through PHP's mail() hook). No score.
229 HAS_X_PHP_SCRIPT {
230 re = "header_exists('X-PHP-Script')";
231 group = "compromised_hosts";
232 description = "Has X-PHP-Script header";
233 }
# X-PHP-Originating-Script present (PHP mail.add_x_header output). No score.
234 HAS_X_POS {
235 re = "header_exists('X-PHP-Originating-Script')";
236 group = "compromised_hosts";
237 description = "Has X-PHP-Originating-Script header";
238 }
# Subject contains the word "sajding" (a specific campaign keyword); score 8.
239 R_SAJDING {
240 group = "headers";
241 re = "Subject=/\\bsajding(?:om|a)?\\b/iH";
242 mime_only = true;
243 score = 8;
244 description = "Subject seems to be spam";
245 }
# X-PHP-Originating-Script starts with UID 0: a PHP script sending mail as
# root, which is a misconfiguration or compromise indicator.
246 PHP_SCRIPT_ROOT {
247 re = "X-PHP-Originating-Script=/^0:/Hi";
248 group = "compromised_hosts";
249 score = 1;
250 description = "PHP Script executed by root UID";
251 }
# Raw From of the form "Name<addr@domain>" with no space before the bracket.
252 R_NO_SPACE_IN_FROM {
253 group = "headers";
254 re = "From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X";
255 score = 1;
256 mime_only = true;
257 description = "No space in from header";
258 }
# NextPart boundary whose embedded segment is 01C4xxxx (a 2004-era value,
# presumably) while the Date header says 2005–2019: the boundary was copied
# from a template rather than generated.
259 SUSPICIOUS_BOUNDARY4 {
260 re = "(Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX) & (Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/)";
261 group = "mua";
262 description = "Suspicious boundary in header Content-Type";
263 score = 4;
264 }
# From is RFC 2047 quoted-printable-encoded although the decoded value is
# pure 7-bit ASCII (same idea as FROM_EXCESS_BASE64, for =?..?Q?..).
265 FROM_EXCESS_QP {
266 re = "From=/=\\?\\S+\\?Q\\?/iX & !From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
267 group = "excessqp";
268 description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
269 score = 1.200000;
270 }
# User-Agent claims Thunderbird/Icedove but the Message-ID matches neither
# known Mozilla shape (8hex.digits or UUID); shares the FORGED_MUA_* exemptions.
271 FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN {
272 re = "(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & !((Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) | (Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
273 group = "mua";
274 description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
275 score = 2.500000;
276 }
# Generic "Mozilla/5.0" User-Agent that is not Thunderbird, SeaMonkey or
# Postbox, with a Mozilla-style Message-ID outside the expected leading
# ranges; shares the FORGED_MUA_* exemptions.
277 FORGED_MUA_MOZILLA_MAIL_MSGID {
278 re = "((User-Agent=/^\\s*Mozilla\\/5\\.0/H) & !(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & !(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H) & !(User-Agent=/^\\s*Mozilla\\/5\\.0\\s\\([^)]+\\)\\sGecko\\/\\d+\\sPostboxApp\\/\\d+(?:\\.\\d+){2,3}$/H)) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
279 group = "mua";
280 description = "Message pretends to be send from Mozilla Mail but has forged Message-ID";
281 score = 4;
282 }
# "To:" followed directly by the value with no whitespace after the colon.
283 HEADER_TO_EMPTY_DELIMITER {
284 re = "(check_header_delimiter_empty(To))";
285 group = "headers";
286 description = "Header To has no delimiter between header name and header value";
287 score = 1;
288 }
# Subject ends with "!" (optionally trailing whitespace). Score 0 — kept as a
# feature for composite rules/statistics. (Description typo: "exclamation".)
289 SUBJECT_ENDS_EXCLAIM {
290 re = "Subject=/!\\s*$/H";
291 group = "headers";
292 score = 0;
293 description = "Subject ends with an exclaimation";
294 }
# Exchange/Outlook-style "hex$hex$hex@host" Message-Id without the X-MimeOLE
# header or the "with Microsoft Exchange Server" Received line that should
# accompany it.
295 RATWARE_MS_HASH {
296 re = "(Message-Id=/[0-9a-f]{4,}\\$[0-9a-f]{4,}\\$[0-9a-f]{4,}\\@\\S+/H) & !(X-MimeOLE=/^Produced By Microsoft MimeOLE/H) & !(Received=/with Microsoft Exchange Server/H)";
297 group = "headers";
298 description = "Forged Exchange messages";
299 score = 2;
300 }
# "Sextortion" scam: a word shaped like a legacy Bitcoin address (leading 1 or
# 3, base58-ish) together with password/wallet/victim/webcam vocabulary, bad
# unicode, a List-Unsubscribe header, or the check_data_images Lua callback.
# Bech32 (bc1...) addresses are not covered by the address pattern.
# NOTE(review): the value recorded for check_data_images below is a Lua error
# ("attempt to index local 'task' (a nil value)"), not a function — the config
# dump evidently invoked the callback with no task. Most likely a dump
# artifact, but confirm lua:check_data_images resolves at scan time; if it
# does not, that branch of the OR silently never fires.
301 LEAKED_PASSWORD_SCAM {
302 group = "scams";
303 re = "/^[13][1-9A-Za-z]{25,34}$/{words} & (/^pass(?:(?:word)|(?:phrase))$/i{words} | /^wallet$/{words} | /(?:victim|prey)/{words} | /webcam/{words} | /(?:mast[ur]{2}bati(?:on|ng)|onanism|solitary)/{words} | has_flag(bad_unicode) | header_exists(List-Unsubscribe) | lua:check_data_images)";
304 functions {
305 check_data_images = "/usr/share/rspamd/rules/regexp/misc.lua:80: attempt to index local 'task' (a nil value)";
306 }
307 description = "Contains password word and BTC wallet address";
308 score = 7;
309 }
# URL routed through the googleusercontent.com image proxy. Experimental,
# near-zero score.
310 HAS_GUC_PROXY_URI {
311 re = "/\\.googleusercontent\\.com\\/proxy/{url}i";
312 group = "experimental";
313 score = 0.010000;
314 description = "Has googleusercontent.com proxy URI";
315 }
# Trusts an upstream United Internet (GMX/web.de) verdict header.
# NOTE(review): this header is unauthenticated — any sender can add it — so a
# score of 5 is only safe if the edge MX strips it from external mail or it is
# only honoured on mail that really came from that provider's relays.
316 UNITEDINTERNET_SPAM {
317 re = "X-UI-Out-Filterresults=/^junk:/H";
318 group = "upstream_spam_filters";
319 description = "United Internet says this message is spam";
320 score = 5;
321 }
# Honours an existing X-Spam-Flag / X-Spam / X-Spam-Status: yes|true header.
# NOTE(review): these headers are unauthenticated and trivially forgeable by
# a sender; a 5-point hit on them is only safe if the edge MX strips them from
# external mail. Re-scanning mail this same filter already tagged would also
# trip it.
322 SPAM_FLAG {
323 re = "X-Spam-Flag=/^(?:yes|true)/Hi || X-Spam=/^(?:yes|true)/Hi || X-Spam-Status=/^(?:yes|true)/Hi";
324 group = "upstream_spam_filters";
325 description = "Message was already marked as spam";
326 score = 5;
327 }
# X-MSMail-Priority present without X-MimeOLE (the rule expects genuine
# Outlook to emit both); SquirrelMail and Outlook 1x.0 (2010+) are exempted.
328 MISSING_MIMEOLE {
329 re = "(header_exists(X-MSMail-Priority)) & !(header_exists(X-MimeOLE)) & !(X-Mailer=/SquirrelMail\\b/H) & !(X-Mailer=/^Microsoft (?:Office )?Outlook [12]\\d\\.0/)";
330 group = "headers";
331 description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
332 score = 2;
333 }
# Reply-To is RFC 2047 base64-encoded although the decoded value is pure
# 7-bit ASCII.
334 REPLYTO_EXCESS_BASE64 {
335 re = "Reply-To=/\\=\\?\\S+\\?B\\?/iX & !Reply-To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
336 group = "excessb64";
337 description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
338 score = 1.500000;
339 }
# Subject contains "!" somewhere other than the end. Score 0 (feature only).
340 SUBJECT_HAS_EXCLAIM {
341 re = "Subject=/!/H & !Subject=/!\\s*$/H";
342 group = "headers";
343 score = 0;
344 description = "Subject contains an exclaimation";
345 }
# Recipient list is in sorted order — typical of addresses pulled from a
# sorted harvested list rather than typed by a person.
346 SORTED_RECIPS {
347 group = "headers";
348 re = "is_recipients_sorted()";
349 mime_only = true;
350 score = 3.500000;
351 description = "Recipients list seems to be sorted";
352 }
# Precedence: bulk. Score 0 — recorded as a feature, not penalised.
353 PRECEDENCE_BULK {
354 re = "Precedence=/bulk/Hi";
355 group = "upstream_spam_filters";
356 description = "Message marked as bulk";
357 score = 0;
358 }
# Trusts an upstream AOL disposition header starting with "S".
# NOTE(review): unauthenticated header, forgeable by any sender; see the same
# caveat as for other upstream_spam_filters rules — only safe if stripped at
# the edge or honoured only on mail from AOL's relays.
359 AOL_SPAM {
360 re = "X-AOL-Global-Disposition=/^S/H";
361 group = "upstream_spam_filters";
362 description = "AOL says this message is spam";
363 score = 5;
364 }
# Body phrase "my name is" / "I am (Mr|Dr|Prof|Rev ...)" — the self-introduction
# opener typical of advance-fee scams.
365 INTRODUCTION {
366 one_shot = true;
367 group = "scams";
368 re = "/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i";
369 description = "Sender introduces themselves";
370 score = 2;
371 }
# From header name separated from its value by a tab; mail relayed by Yandex
# from a Yandex sender address is exempted.
372 HEADER_FROM_DELIMITER_TAB {
373 re = "(check_header_delimiter_tab(From)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
374 group = "headers";
375 description = "Header From begins with tab";
376 score = 1;
377 }
# Trusts the Microsoft Forefront/EOP verdict (SFV:SPM).
# NOTE(review): unauthenticated header, forgeable by any sender; only safe if
# the edge MX strips it from external mail or it is honoured only on mail
# that really came through Microsoft's relays.
378 MICROSOFT_SPAM {
379 re = "X-Forefront-Antispam-Report=/SFV:SPM/H";
380 group = "upstream_spam_filters";
381 description = "Microsoft says the message is spam";
382 score = 4;
383 }
# X-Mailer claims The Bat! and the Message-ID has the plain "digits.digits@host"
# shape but not the timestamped form; shares the FORGED_MUA_* exemptions.
384 FORGED_MUA_THEBAT_MSGID {
385 re = "(X-Mailer=/^\\s*The Bat!/H) & !(Message-ID=/^<?\\d+\\.(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)([0-5]\\d)\\@\\S+>?/mH) & (Message-ID=/^<?\\d+\\.\\d+\\@\\S+>?$/mH) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
386 group = "mua";
387 description = "Message pretends to be send from The Bat! but has forged Message-ID";
388 score = 4;
389 }
# Trusts a Kaspersky Security for Mail Server verdict header.
# NOTE(review): unauthenticated header, forgeable by any sender; only safe if
# the edge MX strips it from external mail.
390 KLMS_SPAM {
391 re = "X-KLMS-AntiSpam-Status=/^spam/H";
392 group = "upstream_spam_filters";
393 description = "Kaspersky Security for Mail Server says this message is spam";
394 score = 5;
395 }
# Reply-To has a quoted display name ("..." <addr>) and the From or
# Message-Id claims yahoo.com — a shape the rule treats as forged.
396 REPTO_QUOTE_YAHOO {
397 re = "(Reply-To=/\\\".*\\\"\\s*\\</H) & ((From=/\\@yahoo\\.com\\b/iH) | (Message-Id=/\\@yahoo\\.com\\b/iH))";
398 group = "headers";
399 description = "Quoted reply-to from yahoo (seems to be forged)";
400 score = 2;
401 }
# data:text/plain or data:text/html with base64 payload in the raw body —
# a page hidden inside the message itself. Such URIs also match HAS_DATA_URI,
# so both symbols fire together.
402 DATA_URI_OBFU {
403 one_shot = true;
404 group = "HTML";
405 re = "/data:text\\/(?:plain|html);base64,/{sa_raw_body}i";
406 score = 2;
407 description = "Uses Data URI encoding to obfuscate plain or HTML in base64";
408 }
# To is "undisclosed recipients" / "undisclosed-recipient".
409 R_UNDISC_RCPT {
410 group = "headers";
411 re = "(To=/^<?undisclosed[- ]recipient/Hi)";
412 mime_only = true;
413 score = 3;
414 description = "Recipients are absent or undisclosed";
415 }
# HTML part with no text alternative. Small score.
416 MIME_HTML_ONLY {
417 re = "has_only_html_part()";
418 group = "headers";
419 description = "Messages that have only HTML part";
420 score = 0.200000;
421 }
# Received "from [ip] by host id <12 alnum>; <date>" — a fixed-width id with
# no protocol, a shape the rule treats as fabricated.
422 FORGED_GENERIC_RECEIVED2 {
423 re = "Received=/^\\s*(.+\\n)*from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by ([\\w\\d-]+\\.)+[a-z]{2,6} id [\\w\\d]{12}; \\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X";
424 group = "headers";
425 description = "Forged generic Received";
426 score = 3.600000;
427 }
# Raw Content-Type ends with a dangling ";".
428 CT_EXTRA_SEMI {
429 re = "Content-Type=/;$/X";
430 group = "headers";
431 score = 1;
432 description = "Content-Type ends with a semi-colon";
433 }
# <meta http-equiv="refresh" content="N;url=..."> in the raw body — an
# automatic redirect used to bounce the reader to a phishing page; score 5.
# The pattern expects double-quoted attributes in exactly this order; the
# same tag with single quotes or a different attribute order is not matched.
434 HTML_META_REFRESH_URL {
435 one_shot = true;
436 group = "HTML";
437 re = "/<meta\\s+http-equiv=\"refresh\"\\s+content=\"\\d+\\s*;\\s*url=/{sa_raw_body}i";
438 description = "Has HTML Meta refresh URL";
439 score = 5;
440 }
# URL path containing "wp-content" or "wp-includes" followed by further
# characters before the next slash. NOTE(review): "[^\/]+" must consume at
# least one character after the directory name, so a plain "/wp-content/..."
# or "/wp-includes/..." path does NOT match — only mangled names such as
# "/wp-content.old/". Confirm that is the intent. Indicator only, no score.
441 WP_COMPROMISED {
442 re = "/\\/wp-(?:content|includes)[^\\/]+\\//Ui";
443 group = "compromised_hosts";
444 one_shot = true;
445 description = "URL that is pointing to a compromised WordPress installation";
446 }
# Hard-coded boundary shape "-----000-00dd-01Cxxxxx-xxxxxxxx" seen in spam
# kits.
447 SUSPICIOUS_BOUNDARY3 {
448 re = "Content-Type=/^\\s*multipart.+boundary=\"-----000-00\\d\\d-01C[\\dA-F]{5}-[\\dA-F]{8}\"[\\r\\n]*$/siX";
449 group = "mua";
450 description = "Suspicious boundary in header Content-Type";
451 score = 3;
452 }
# PHPMailer fingerprint: X-Mailer header or its "b1_"/"b2_"/"b3_" boundary
# prefix. No score; indicator only.
453 HAS_PHPMAILER_SIG {
454 re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi";
455 group = "compromised_hosts";
456 description = "PHPMailer signature";
457 }
# List-Unsubscribe present. Tiny negative score — effectively a flag.
458 HAS_LIST_UNSUB {
459 re = "header_exists(List-Unsubscribe)";
460 group = "headers";
461 score = -0.010000;
462 description = "Has List-Unsubscribe header";
463 }
# NextPart boundary with one of four fixed middle segments (00EBFFA4,
# 0102FFA4, 32C6FFA4, 3302FFA4) known from spam templates; score 5.
464 SUSPICIOUS_BOUNDARY {
465 re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX";
466 group = "mua";
467 description = "Suspicious boundary in header Content-Type";
468 score = 5;
469 }
# X-PHP-Originating-Script whose UID prefix is exactly seven digits, taken as
# a fabricated header. Caveat: directory-assigned UIDs (LDAP/AD) can be that
# long, so this can false-positive on such hosts.
470 X_PHPOS_FAKE {
471 re = "X-PHP-Originating-Script=/^\\d{7}:/Hi";
472 group = "headers";
473 score = 3;
474 description = "Fake X-PHP-Originating-Script header";
475 }
# Gmail's SMTPIN_ADDED_MISSING placeholder Message-ID: the message had none
# when Google received and forwarded it.
476 GOOGLE_FORWARDING_MID_MISSING {
477 re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X";
478 group = "headers";
479 description = "Message was missing Message-ID pre-forwarding";
480 score = 2.500000;
481 }
# Received claims HELO "mail.ru" but the message is not from a mail.ru sender
# (exempt only when both envelope sender and From are @mail.ru).
482 FAKE_RECEIVED_mail_ru {
483 re = "(Received=/from mail\\.ru \\(/mH) & !(((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) | (X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX)) & (From=/\\@mail\\.ru>?$/iX))";
484 group = "headers";
485 description = "Fake helo mail.ru in header Received from non mail.ru sender address";
486 score = 4;
487 }
# Subject has trailing whitespace.
488 SUBJECT_ENDS_SPACES {
489 re = "Subject=/\\s+$/H";
490 group = "headers";
491 score = 0.500000;
492 description = "Subject ends with space characters";
493 }
# To is RFC 2047 quoted-printable-encoded although the decoded value is pure
# 7-bit ASCII.
494 TO_EXCESS_QP {
495 re = "To=/=\\?\\S+\\?Q\\?/iX & !To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
496 group = "excessqp";
497 description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
498 score = 1.200000;
499 }
# "eval()'d code" in X-PHP-Script / X-PHP-Originating-Script: PHP's
# pseudo-filename for code run through eval(), i.e. the mail was sent by
# injected code — a strong web-shell indicator; score 4.
500 X_PHP_EVAL {
501 re = "X-PHP-Script=/eval\\(\\)\\'d/Hi || X-PHP-Originating-Script=/eval\\(\\)\\'d/Hi";
502 group = "compromised_hosts";
503 score = 4;
504 description = "Message sent using eval'd PHP";
505 }
# Subject contains "?" somewhere other than the end. Score 0 (feature only).
506 SUBJECT_HAS_QUESTION {
507 re = "Subject=/\\?/H & !Subject=/\\?\\s*$/Hu";
508 group = "headers";
509 score = 0;
510 description = "Subject contains a question";
511 }
# Subject ends with "?" (optionally trailing whitespace).
512 SUBJECT_ENDS_QUESTION {
513 re = "Subject=/\\?\\s*$/Hu";
514 group = "headers";
515 score = 1;
516 description = "Subject ends with a question";
517 }
# No To header at all (raw check, so an empty "To:" still counts as present).
518 MISSING_TO {
519 group = "headers";
520 re = "!raw_header_exists(To)";
521 mime_only = true;
522 score = 2;
523 description = "To header is missing";
524 }
# Received "by <ip> with SMTP id <14 letters>.<13 digits>; <date> (GMT)" —
# a Gmail-like id format on a bare IP, a shape the rule treats as fabricated.
525 FORGED_GENERIC_RECEIVED3 {
526 re = "Received=/^\\s*(.+\\n)*by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with SMTP id [a-zA-Z]{14}\\.\\d{13};[\\r\\n\\s]*\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0 \\(GMT\\)/X";
527 group = "headers";
528 description = "Forged generic Received";
529 score = 3.600000;
530 }
# Content-Transfer-Encoding written as "7Bit"/"8Bit" (capital B) — an unusual
# spelling that fingerprints certain generators.
531 CTE_CASE {
532 re = "Content-Transfer-Encoding=/^[78]B/X";
533 group = "headers";
534 score = 0.500000;
535 description = "[78]Bit .vs. [78]bit";
536 }
# User-Agent claims SeaMonkey but the Message-ID matches neither known Mozilla
# shape (8hex.digits or UUID); shares the FORGED_MUA_* exemptions.
537 FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN {
538 re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H) & !((Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) | (Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
539 group = "mua";
540 description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
541 score = 2.500000;
542 }
# Gmail's SMTPIN_ADDED_BROKEN placeholder: the original Message-ID was
# syntactically invalid when Google received and forwarded the message.
543 GOOGLE_FORWARDING_MID_BROKEN {
544 re = "Message-ID=/SMTPIN_ADDED_BROKEN\\@mx\\.google\\.com>$/X";
545 group = "headers";
546 description = "Message had invalid Message-ID pre-forwarding";
547 score = 1.700000;
548 }
# Cc is RFC 2047 quoted-printable-encoded although the decoded value is pure
# 7-bit ASCII.
549 CC_EXCESS_QP {
550 re = "Cc=/\\=\\?\\S+\\?Q\\?/iX & !Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
551 group = "excessqp";
552 description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
553 score = 1.200000;
554 }
# Non-empty text/plain body with no charset parameter and a transfer encoding
# other than 7bit — the bytes cannot be interpreted reliably.
555 R_MISSING_CHARSET {
556 group = "headers";
557 re = "!is_empty_body() & content_type_is_type(text) & content_type_is_subtype(plain) & !content_type_has_param(charset) & !compare_transfer_encoding(7bit)";
558 mime_only = true;
559 score = 2.500000;
560 description = "Charset is missing in a message";
561 }
# X-Originating-IP present. Score 0 (feature only).
562 HAS_XOIP {
563 re = "header_exists('X-Originating-IP')";
564 group = "headers";
565 score = 0;
566 description = "Has X-Originating-IP header";
567 }
# Subject is RFC 2047 quoted-printable-encoded although the decoded value is
# pure 7-bit ASCII.
568 SUBJ_EXCESS_QP {
569 re = "Subject=/\\=\\?\\S+\\?Q\\?/iX & !Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
570 group = "excessqp";
571 description = "Subject is unnecessarily encoded in quoted-printable";
572 score = 1.200000;
573 }
# Two branches: (1) X-Mailer claims Outlook Express 4–6 and the Message-Id is
# neither the hotmail form nor the "hex$hex$hex@host" form; (2) X-Mailer
# claims Outlook 8 / 9 (CWS) / 10 and the Message-Id matches none of the
# expected Outlook forms. Both carry the FORGED_MUA_* exemption list, and two
# specific build strings plus the 32-hex Message-Id form are exempted overall.
574 FORGED_MUA_OUTLOOK {
575 re = "((X-Mailer=/\\bOutlook Express [456]\\./H & !Message-Id=/^<?[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\\@hotmail\\.com>?$/mH & !Message-Id=/^<?(?:[0-9a-f]{8}|[0-9a-f]{12})\\$[0-9a-f]{8}\\$[0-9a-f]{8}\\@\\S+>?$/H & !(List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H)) | (X-Mailer=/^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\\./H & !Message-Id=/^<?(?:[0-9a-f]{8}|[0-9a-f]{12})\\$[0-9a-f]{8}\\$[0-9a-f]{8}\\@\\S+>?$/H & !Message-Id=/^<?\\!\\~\\!>?/H & !Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H & !Message-Id=/^<?[A-F\\d]{36,40}\\@\\S+>?$/H & !(List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))) & !X-Mailer=/^Microsoft Outlook, Build 10.0.3416$/H & !X-Mailer=/^Microsoft Outlook Express 6.00.3790.3959$/H & !Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H";
576 group = "mua";
577 description = "Forged outlook MUA";
578 score = 3;
579 }
# Received "from [ip] by <host>; Day, d Mon yyyy hh:mm:ss ±zzzz" as the whole
# header value — a spambot signature (no protocol, id or comment).
580 R_RCVD_SPAMBOTS {
581 group = "headers";
582 re = "Received=/^from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by [-.\\w+]{5,255}; [SMTWF][a-z][a-z], [\\s\\d]?\\d [JFMAJSOND][a-z][a-z] \\d{4} \\d{2}:\\d{2}:\\d{2} [-+]\\d{4}$/mH";
583 mime_only = true;
584 score = 3;
585 description = "Spambots signatures in received headers";
586 }
# Raw To contains control or 8-bit bytes but is not RFC 2047 encoded.
587 TO_NEEDS_ENCODING {
588 group = "headers";
589 re = "!(To=/=\\?\\S+\\?B\\?/iX) & !(To=/=\\?\\S+\\?Q\\?/iX) & (To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
590 score = 1;
591 mime_only = true;
592 description = "To header needs encoding";
593 }
# "(Postfix) with ESMTP id ... [for <...>]; <date>" where the numeric
# timezone is the very last thing on the raw header line. The rule treats that
# ending (no trailing "(TZ)" comment, apparently) as not something Postfix
# itself writes.
594 INVALID_POSTFIX_RECEIVED {
595 re = "Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X";
596 group = "headers";
597 description = "Invalid Postfix Received";
598 score = 3;
599 }
# Interspire Email Marketer fingerprint: all four X-Mailer-LID/RecptId/SID/
# Sent-By headers, or its unsubscribe.php?M=&C=&L=&N= link.
600 HAS_INTERSPIRE_SIG {
601 re = "((header_exists(X-Mailer-LID)) & (header_exists(X-Mailer-RecptId)) & (header_exists(X-Mailer-SID)) & (header_exists(X-Mailer-Sent-By))) | (List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi)";
602 group = "headers";
603 score = 1;
604 description = "Has Interspire fingerprint";
605 }
# Intended meaning: sender is a mail.ru / gmail.com / ukr.net address (both
# From and envelope) yet a Received line claims HELO smtp.yandex.ru.
# NOTE(review): only the FIRST Received alternative is conjoined with the
# sender check; the other eight stand alone after "|". Since "&" binds
# tighter than "|" in rspamd's expression grammar (as I read it), any message
# whose Received matches one of those eight forms fires with score 4
# regardless of sender — including "from smtp.yandex.ru (host [ip])", which
# is also what a genuine relay through that host would look like. If the
# sender check is meant to apply to all forms, wrap the Received alternatives
# in one parenthesised group. Confirm against live hits before changing.
606 FAKE_RECEIVED_smtp_yandex_ru {
607 re = "(((From=/\\@mail\\.ru>?$/iX) & ((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) | (X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX))) | ((From=/\\@gmail\\.com>?$/iX) & ((Return-path=/^\\s*<.+\\@gmail\\.com>$/iX) | (X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX))) | ((From=/\\@ukr\\.net>?$/iX) & ((Return-path=/^\\s*<.+\\@ukr\\.net>$/iX) | (X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX)))) & (Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+ )?helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\[UNAVAILABLE\\] \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO smtp\\.yandex\\.ru\\)/iX) | (Received=/from smtp\\.yandex\\.ru \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX) | (Received=/from smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX) | (Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX) | (Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX) | (Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX)";
608 group = "headers";
609 description = "Fake smtp.yandex.ru Received";
610 score = 4;
611 }
# Organization / Organisation header present. Score 0 (feature only).
612 HAS_ORG_HEADER {
613 re = "header_exists(Organization) || header_exists(Organisation)";
614 group = "headers";
615 score = 0;
616 description = "Has Organization header";
617 }
# Raw 8-bit bytes (0x80–0xFF) in a Received header — never produced by a
# conforming MTA; score 4.
618 RCVD_ILLEGAL_CHARS {
619 re = "Received=/[\\x80-\\xff]/X";
620 group = "headers";
621 description = "Header Received has raw illegal character";
622 score = 4;
623 }
# No Subject header at all (raw check; an empty "Subject:" still counts as
# present).
624 MISSING_SUBJECT {
625 group = "headers";
626 re = "!raw_header_exists(Subject)";
627 score = 2;
628 mime_only = true;
629 description = "Subject header is missing";
630 }
# User-Agent claims Opera Mail 10.x (Windows) but the Message-Id has the
# "2009xxxxxxxx.n.xxx@host" shape the description attributes to KMail.
631 SUSPICIOUS_OPERA_10W_MSGID {
632 re = "(User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H) & (Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H)";
633 group = "mua";
634 description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
635 score = 4;
636 }
# HELO claims verizon.net but the reverse DNS does not.
# NOTE(review): this reads X-Spam-Relays-Untrusted, which is a SpamAssassin
# pseudo-header rather than a real message header; unless something upstream
# materialises it, this rule presumably never matches — verify before
# relying on it.
637 FM_FAKE_HELO_VERIZON {
638 re = "(X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^ ]+verizon\\.net /iH) & !(X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^ ]+verizon\\.net /iH)";
639 group = "headers";
640 description = "Fake helo for verizon provider";
641 score = 2;
642 }
# To header name separated from its value by a tab; mail relayed by Yandex
# from a Yandex sender address is exempted.
643 HEADER_TO_DELIMITER_TAB {
644 re = "(check_header_delimiter_tab(To)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
645 group = "headers";
646 description = "Header To begins with tab";
647 score = 1;
648 }
# User-Agent claims SeaMonkey and the Message-ID has the Mozilla
# "8hex.digits@domain" shape but not the expected leading ranges; shares the
# FORGED_MUA_* exemptions.
649 FORGED_MUA_SEAMONKEY_MSGID {
650 re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
651 group = "mua";
652 description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
653 score = 4;
654 }
655 FORGED_MUA_THUNDERBIRD_MSGID {
656 re = "(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
657 group = "mua";
658 description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
659 score = 4;
660 }
661 HEADER_DATE_DELIMITER_TAB {
662 re = "(check_header_delimiter_tab(Date)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
663 group = "headers";
664 description = "Header Date begins with tab";
665 score = 1;
666 }
667 HEADER_REPLYTO_DELIMITER_TAB {
668 re = "(check_header_delimiter_tab(Reply-To)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
669 group = "headers";
670 description = "Header Reply-To begins with tab";
671 score = 1;
672 }
673 XM_UA_NO_VERSION {
674 re = "(!X-Mailer=/https?:/H && !User-Agent=/https?:/H) && (X-Mailer=/^[^0-9]+$/H || User-Agent=/^[^0-9]+$/H)";
675 group = "experimental";
676 score = 0.010000;
677 description = "X-Mailer/User-Agent has no version";
678 }
679 SUSPICIOUS_BOUNDARY2 {
680 re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(01C6527E)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX";
681 group = "mua";
682 description = "Suspicious boundary in header Content-Type";
683 score = 4;
684 }
685 TO_EXCESS_BASE64 {
686 re = "To=/=\\?\\S+\\?B\\?/iX & !To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
687 group = "excessb64";
688 description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
689 score = 1.500000;
690 }
691 CC_EXCESS_BASE64 {
692 re = "Cc=/\\=\\?\\S+\\?B\\?/iX & !Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
693 group = "excessb64";
694 description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
695 score = 1.500000;
696 }
697 YANDEX_RU_MAILER {
698 re = "(X-Mailer=/^Yamail \\[ http:\\/\\/yandex\\.ru \\] 5\\.0$/H) & (Received=/^by web\\d{1,2}[a-z]\\.yandex\\.ru with HTTP;/mH)";
699 group = "headers";
700 description = "Sent with yandex.ru web-mail";
701 score = 0;
702 }
703 FORGED_MUA_OPERA_MSGID {
704 re = "(User-Agent=/^\\s*Opera Mail\\/1[01]\\.\\d+ /H) & !(Message-ID=/^<?op\\.[a-z\\d]{14}\\@\\S+>?$/H) & !((User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H) & (Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H)) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
705 group = "mua";
706 description = "Message pretends to be sent from Opera Mail but has forged Message-ID";
707 score = 4;
708 }
709 MAILER_1C_8 {
710 re = "X-Mailer=/^1C:Enterprise 8\\.[23]$/H";
711 group = "headers";
712 description = "Sent with 1C:Enterprise 8";
713 score = 0;
714 }
715 SUBJECT_NEEDS_ENCODING {
716 group = "headers";
717 re = "!(Subject=/=\\?\\S+\\?B\\?/iX) & !(Subject=/=\\?\\S+\\?Q\\?/iX) & (Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
718 score = 1;
719 mime_only = true;
720 description = "Subject needs encoding";
721 }
722 HAS_GOOGLE_REDIR {
723 re = "/\\.google\\.com\\/url\\?/{url}i";
724 group = "experimental";
725 score = 0.010000;
726 description = "Has google.com/url redirection";
727 }
728 REPLYTO_EXCESS_QP {
729 re = "Reply-To=/\\=\\?\\S+\\?Q\\?/iX & !Reply-To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
730 group = "excessqp";
731 description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
732 score = 1.200000;
733 }
734 FORGED_MUA_KMAIL_MSGID_UNKNOWN {
735 re = "(User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H) & !(Message-Id=/^<?\\s*\\d+\\.\\d+\\.\\S+\\@\\S+>?$/mH) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
736 group = "mua";
737 description = "Message pretends to be sent from KMail but has forged Message-ID";
738 score = 2.500000;
739 }
740 FROM_NEEDS_ENCODING {
741 group = "headers";
742 re = "!(From=/=\\?\\S+\\?B\\?/iX) & !(From=/=\\?\\S+\\?Q\\?/iX) & (From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
743 score = 1;
744 mime_only = true;
745 description = "From header needs encoding";
746 }
747 HEADER_REPLYTO_EMPTY_DELIMITER {
748 re = "(check_header_delimiter_empty(Reply-To))";
749 group = "headers";
750 description = "Header Reply-To has no delimiter between header name and header value";
751 score = 1;
752 }
753 STOX_REPLY_TYPE {
754 re = "Content-Type=/text\\/plain; .* reply-type=original/H";
755 group = "headers";
756 description = "Reply-type in content-type";
757 score = 1;
758 }
759 FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN {
760 re = "((User-Agent=/^\\s*Mozilla\\/5\\.0/H) & !(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & !(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H) & !(User-Agent=/^\\s*Mozilla\\/5\\.0\\s\\([^)]+\\)\\sGecko\\/\\d+\\sPostboxApp\\/\\d+(?:\\.\\d+){2,3}$/H)) & !(Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
761 group = "mua";
762 description = "Message pretends to be sent from Mozilla Mail but has forged Message-ID";
763 score = 2.500000;
764 }
765 INVALID_MSGID {
766 re = "(header_exists(Message-Id)) & !((Message-Id=/^<?[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\@[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+>?\\s*$/H) | (Message-Id=/\\(.*\\)/H))";
767 group = "headers";
768 description = "Message id is incorrect";
769 score = 1.700000;
770 }
771 X_PHP_FORGED_0X {
772 re = "X-PHP-Originating-Script=/^0\\d/X";
773 group = "headers";
774 description = "X-PHP-Originating-Script header appears forged";
775 score = 4;
776 }
777 MAIL_RU_MAILER {
778 re = "(X-Mailer=/^Mail\\.Ru Mailer 1\\.0$/H) & (Received=/^(?:from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] )?by e\\.mail\\.ru with HTTP;/mH)";
779 group = "headers";
780 description = "Sent with Mail.Ru web-mail";
781 score = 0;
782 }
783 HEADER_FROM_EMPTY_DELIMITER {
784 re = "(check_header_delimiter_empty(From))";
785 group = "headers";
786 description = "Header From has no delimiter between header name and header value";
787 score = 1;
788 }
789 FORGED_OUTLOOK_TAGS {
790 re = "!Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H & X-Mailer=/^Microsoft Outlook\\b/H & content_type_is_type(text) & content_type_is_subtype(/.?html/) & !(has_html_tag(html) & has_html_tag(head) & has_html_tag(meta) & has_html_tag(body))";
791 group = "headers";
792 description = "Message pretends to be sent from Outlook but has 'strange' tags";
793 score = 2.100000;
794 }
795 HEADER_DATE_EMPTY_DELIMITER {
796 re = "(check_header_delimiter_empty(Date))";
797 group = "headers";
798 description = "Header Date has no delimiter between header name and header value";
799 score = 1;
800 }
801 FORGED_MUA_KMAIL_MSGID {
802 re = "(User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H) & (Message-Id=/^<?\\s*\\d+\\.\\d+\\.\\S+\\@\\S+>?$/mH) & !(kmail_msgid) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
803 group = "mua";
804 description = "Message pretends to be sent from KMail but has forged Message-ID";
805 score = 3;
806 }
807 HEADER_CC_EMPTY_DELIMITER {
808 re = "(check_header_delimiter_empty(Cc))";
809 group = "headers";
810 description = "Header Cc has no delimiter between header name and header value";
811 score = 1;
812 }
813}
814arc {
815 use_esld = true;
816 allow_hdrfrom_mismatch = false;
817 selector = "arc";
818 key_prefix = "ARC_KEYS";
819 auth_only = true;
820 allow_envfrom_empty = true;
821 try_fallback = true;
822 symbol_sign = "ARC_SIGNED";
823 use_redis = false;
824 allow_username_mismatch = false;
825 sign_local = true;
826 sign_networks [
827 "127.2.4.7",
828 ]
829 use_domain = "header";
830 allow_hdrfrom_multiple = false;
831}
832maillist {
833 symbol = "MAILLIST";
834}
835lua = "/usr/share/rspamd/rules/rspamd.lua";
836surbl {
837 exceptions [
838 "https://maps.rspamd.com/rspamd/2tld.inc.zst",
839 "/var/lib/rspamd/2tld.inc.local",
840 "fallback+file:///etc/rspamd/2tld.inc",
841 ]
842 whitelist [
843 "https://maps.rspamd.com/rspamd/surbl-whitelist.inc.zst",
844 "/var/lib/rspamd/surbl-whitelist.inc.local",
845 "fallback+file:///etc/rspamd/surbl-whitelist.inc",
846 ]
847 rules {
848 SURBL_MULTI {
849 bits {
850 CRACKED_SURBL = 128;
851 SURBL_BLOCKED = 1;
852 MW_SURBL_MULTI = 16;
853 ABUSE_SURBL = 64;
854 PH_SURBL_MULTI = 8;
855 }
856 suffix = "multi.surbl.org";
857 check_dkim = true;
858 }
859 URIBL_MULTI {
860 bits {
861 URIBL_RED = 8;
862 URIBL_BLOCKED = 1;
863 URIBL_BLACK = 2;
864 URIBL_GREY = 4;
865 }
866 suffix = "multi.uribl.com";
867 check_dkim = true;
868 }
869 RBL_SARBL_BAD {
870 suffix = "public.sarbl.org";
871 noip = true;
872 images = true;
873 }
874 SEM_URIBL_UNKNOWN {
875 bits {
876 SEM_URIBL = 2;
877 }
878 suffix = "uribl.spameatingmonkey.net";
879 no_ip = true;
880 }
881 SPAMHAUS_ZEN_URIBL {
882 suffix = "zen.spamhaus.org";
883 ips {
884 URIBL_SBL_CSS = "127.0.0.3";
885 URIBL_SBL = "127.0.0.2";
886 URIBL_DROP = "127.0.0.9";
887 URIBL_PBL [
888 "127.0.0.10",
889 "127.0.0.11",
890 ]
891 URIBL_XBL [
892 "127.0.0.4",
893 "127.0.0.5",
894 "127.0.0.6",
895 "127.0.0.7",
896 ]
897 }
898 resolve_ip = true;
899 }
900 SEM_URIBL_FRESH15_UNKNOWN {
901 bits {
902 SEM_URIBL_FRESH15 = 2;
903 }
904 suffix = "fresh15.spameatingmonkey.net";
905 no_ip = true;
906 }
907 DBL {
908 ips {
909 DBL_PROHIBIT = "127.0.1.255";
910 DBL_ABUSE_BOTNET = "127.0.1.106";
911 DBL_PHISH = "127.0.1.4";
912 DBL_ABUSE_REDIR = "127.0.1.103";
913 DBL_ABUSE_MALWARE = "127.0.1.105";
914 DBL_MALWARE = "127.0.1.5";
915 DBL_ABUSE_PHISH = "127.0.1.104";
916 DBL_ABUSE = "127.0.1.102";
917 DBL_BOTNET = "127.0.1.6";
918 DBL_SPAM = "127.0.1.2";
919 }
920 suffix = "dbl.spamhaus.org";
921 no_ip = true;
922 check_dkim = true;
923 }
924 RSPAMD_URIBL {
925 suffix = "uribl.rspamd.com";
926 check_dkim = true;
927 process_script = <<EOD
928function(url, suffix)
929 local cr = require "rspamd_cryptobox_hash"
930 local h = cr.create(url):base32():sub(1, 32)
931 return string.format("%s.%s", h, suffix)
932end
933EOD;
934 }
935 }
936}
937modules {
938 path = "/usr/share/rspamd/plugins";
939 try_path = "/etc/rspamd/plugins.d/";
940 fallback_path = "/usr/share/rspamd/lua";
941}
942antivirus {
 # ClamAV scanning over the local clamd unix socket (the path below looks like
 # the stock Debian clamd.ctl socket — confirm for this host). Points worth
 # knowing when reading scan results:
 #  - attachments_only = false: the whole message is passed to the scanner,
 #    not only MIME attachments.
 #  - action = "reject": a CLAM_VIRUS hit forces the reject action on its own,
 #    independent of the score thresholds in the metric section.
 #  - No network scanner endpoint is configured, so the clamd socket's file
 #    permissions are what gate access to the scanner.
943 clamav {
944 attachments_only = false;
945 symbol = "CLAM_VIRUS";
946 type = "clamav";
947 action = "reject";
948 servers = "/var/run/clamav/clamd.ctl";
949 }
950}
951whitelist {
952 rules {
953 WHITELIST_DMARC {
954 inverse_symbol = "BLACKLIST_DMARC";
955 score = -7;
956 domains [
957 "https://maps.rspamd.com/rspamd/dmarc_whitelist_new.inc.zst",
958 "/var/lib/rspamd/dmarc_whitelist.inc.local",
959 "fallback+file:///etc/rspamd/dmarc_whitelist.inc",
960 ]
961 valid_dmarc = true;
962 }
963 WHITELIST_SPF_DKIM {
964 valid_spf = true;
965 inverse_symbol = "BLACKLIST_SPF_DKIM";
966 domains [
967 "https://maps.rspamd.com/rspamd/spf_dkim_whitelist.inc.zst",
968 "/var/lib/rspamd/spf_dkim_whitelist.inc.local",
969 "fallback+file:///etc/rspamd/spf_dkim_whitelist.inc",
970 ]
971 valid_dkim = true;
972 score = -3;
973 }
974 WHITELIST_DKIM {
975 inverse_symbol = "BLACKLIST_DKIM";
976 domains [
977 "/var/lib/rspamd/dkim_whitelist.inc.local",
978 "fallback+file:///etc/rspamd/dkim_whitelist.inc",
979 ]
980 valid_dkim = true;
981 score = -1;
982 }
983 WHITELIST_SPF {
984 inverse_symbol = "BLACKLIST_SPF";
985 domains [
986 "/var/lib/rspamd/spf_whitelist.inc.local",
987 "fallback+file:///etc/rspamd/spf_whitelist.inc",
988 ]
989 valid_spf = true;
990 score = -1;
991 }
992 }
993}
994neural {
995 train {
996 ham_score = -2;
997 max_usages = 20;
998 spam_score = 8;
999 learning_rate = 0.010000;
1000 max_iterations = 25;
1001 max_train = 1000;
1002 }
1003 enabled = "yes";
1004 timeout = 20;
1005 use_settings = false;
1006}
1007metric {
 # Score thresholds at which each action is taken.
 # NOTE(review): reject = 150 is far above rspamd's upstream default for this
 # action, so in practice no message is rejected on score alone; only
 # add_header (>= 2) and greylist (>= 5) can trigger here. If the intent is
 # "tag only, never reject by score", this is consistent — otherwise the reject
 # threshold should be brought back to the upstream default. Also note that
 # add_header sits below greylist, so a greylisted message is always also at
 # or above the add_header threshold.
1008 actions {
1009 add_header = 2;
1010 greylist = 5;
1011 reject = 150;
1012 }
1013}
1014hfilter {
1015 rcpt_enabled = true;
1016 helo_enabled = true;
1017 from_enabled = true;
1018 hostname_enabled = true;
1019 url_enabled = true;
1020 mid_enabled = false;
1021}
1022phishing {
1023 redirector_domains [
1024 "https://maps.rspamd.com/rspamd/redirectors.inc.zst:REDIRECTOR_FALSE",
1025 "/etc/rspamd/local.d/redirectors.inc:LOCAL_REDIRECTOR_FALSE",
1026 "fallback+file:///etc/rspamd/redirectors.inc:REDIRECTOR_FALSE",
1027 ]
1028 openphish_map = "https://www.openphish.com/feed.txt";
1029 symbol = "PHISHING";
1030 openphish_enabled = false;
1031 openphish_premium = false;
1032 phishtank_enabled = true;
1033}
1034mime_types {
1035 file [
1036 "https://maps.rspamd.com/rspamd/mime_types.inc.zst",
1037 "/var/lib/rspamd/mime_types.inc.local",
1038 "fallback+file:///etc/rspamd/mime_types.inc",
1039 ]
1040 extension_map {
1041 pdf [
1042 "application/octet-stream",
1043 "application/pdf",
1044 ]
1045 html = "text/html";
1046 txt [
1047 "message/disposition-notification",
1048 "text/plain",
1049 "text/rfc822-headers",
1050 ]
1051 }
1052}
1053logging {
1054 filename = "/var/log/rspamd/rspamd.log";
 # Per-message result line template ($mid, $action, $scores, $symbols_scores_params,
 # $digest, recipients, forced action ...). Everything up to the EOD marker is the
 # literal format string — do not place comments inside the heredoc.
1055 log_format = <<EOD
1056id: <$mid>,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user: $,}$if_smtp_from{ from: <$>,}
1057(default: $is_spam ($action): [$scores] [$symbols_scores_params]),
1058len: $len, time: $time_real real, $time_virtual virtual, dns req: $dns_req,
1059digest: <$digest>$if_smtp_rcpts{, rcpts: <$>}$if_mime_rcpts{, mime_rcpts: <$>}$if_filename{, file: $}$if_forced_action{, forced: $}
1060EOD;
1061 log_usec = false;
1062 color = false;
1063 type = "file";
 # Empty: no module-level debug output.
1064 debug_modules [
1065 ]
1066 log_re_cache = true;
 # NOTE(review): at level "error" the per-message scan lines described by
 # log_format above are not written (rspamd emits those at info level, as far
 # as I know), so the log holds failures only. Confirm this is intended if the
 # scan log is relied on for detection, reporting or incident review.
1067 level = "error";
1068}
1069rspamd_update {
 # Remote rule updates are disabled, so key and rules are currently unused.
 # The "sign+" prefix on the rules URL means the fetched map must carry a
 # signature that verifies against `key`; `key` is therefore the verification
 # (public) key for that map, not a secret — presumably the upstream default,
 # verify against the rspamd distribution before re-enabling.
1070 enabled = false;
1071 key = "qxuogdh5eghytji1utkkte1dn3n81c3y5twe61uzoddzwqzuxxyb";
1072 rules = "sign+https://updates.rspamd.com/rspamd-1.9.ucl";
1073}
1074fuzzy_check {
 # Number of times a fuzzy request is re-sent before giving up.
1075 retransmits = 1;
1076 rule {
 # Query against the public rspamd.com fuzzy storage.
1077 rspamd.com {
1078 symbol = "FUZZY_UNKNOWN";
 # "*" — hashes are computed for all MIME part types.
1079 mime_types [
1080 "*",
1081 ]
 # Transport-encryption key of the remote fuzzy servers. This appears to be the
 # stock public key shipped in rspamd's fuzzy_check.conf for fuzzy1/fuzzy2.rspamd.com,
 # i.e. not a locally held secret — verify against the upstream default.
1082 encryption_key = "icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy";
 # read_only: this instance never learns/pushes hashes to the public storage.
1083 read_only = true;
 # Flag → symbol mapping with a per-symbol score cap.
1084 fuzzy_map {
1085 FUZZY_PROB {
1086 flag = 2;
1087 max_score = 10;
1088 }
1089 FUZZY_DENIED {
1090 flag = 1;
1091 max_score = 20;
1092 }
1093 FUZZY_WHITE {
1094 flag = 3;
1095 max_score = 2;
1096 }
1097 }
1098 max_score = 20;
1099 short_text_direct_hash = true;
 # Flags not listed in fuzzy_map above are ignored rather than mapped to FUZZY_UNKNOWN.
1100 skip_unknown = true;
1101 algorithm = "mumhash";
 # Two upstreams, alternated; both on the standard fuzzy port.
1102 servers = "round-robin:fuzzy1.rspamd.com:11335,fuzzy2.rspamd.com:11335";
1103 }
1104 }
 # Seconds to wait for a fuzzy reply (per attempt, see retransmits).
1105 timeout = 2;
 # Messages shorter than this many bytes are not checked.
1106 min_bytes = 1000;
1107}
1108composites {
1109 MAILER_1C_8_BASE64 {
1110 description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
1111 expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
1112 }
1113 RBL_SPAMHAUS_XBL_ANY {
1114 description = "From and Received address are listed in Spamhaus XBL";
1115 expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
1116 }
1117 AUTH_NA {
1118 description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
1119 score = 1;
1120 policy = "remove_weight";
1121 expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
1122 }
1123 SPF_FAIL_FORWARDING {
1124 policy = "remove_weight";
1125 expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
1126 }
1127 FORGED_MUA_MAILLIST {
1128 expression = "g:mua & -MAILLIST";
1129 }
1130 DMARC_POLICY_ALLOW_WITH_FAILURES {
1131 policy = "remove_weight";
1132 expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
1133 }
1134 IP_SCORE_FREEMAIL {
1135 expression = "FREEMAIL_FROM & IP_SCORE";
1136 score = 0;
1137 policy = "remove_weight";
1138 description = "Negate IP_SCORE when message comes from FreeMail";
1139 }
1140 HAS_ANON_DOMAIN {
1141 description = "Contains one or more domains trying to disguise owner/destination";
1142 score = 0.100000;
1143 policy = "leave";
1144 expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
1145 }
1146 VIOLATED_DIRECT_SPF {
1147 score = 3.500000;
1148 expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
1149 policy = "leave";
1150 description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
1151 }
1152 FORGED_SENDER_MAILLIST {
1153 expression = "FORGED_SENDER & -MAILLIST";
1154 }
1155 BAD_REP_POLICIES {
1156 score = 0.100000;
1157 expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
1158 description = "Contains valid policies but is also marked by fuzzy/bayes/surbl/rbl";
1159 }
1160 LEAKED_PASSWORD_SPAM_FP {
1161 score = 0;
1162 expression = "LEAKED_PASSWORD_SCAM_INVALID & LEAKED_PASSWORD_SCAM";
1163 policy = "remove_all";
1164 description = "Looks like a BTC pattern but address syntax is invalid";
1165 }
1166 YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
1167 expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
1168 }
1169 RCVD_DKIM_ARC_DNSWL_MED {
1170 description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
1171 score = -0.500000;
1172 policy = "leave";
1173 expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
1174 }
1175 UNDISC_RCPTS_BULK {
1176 description = "Missing or undisclosed recipients with a bulk signature";
1177 score = 3;
1178 policy = "leave";
1179 expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
1180 }
1181 FORGED_SENDER_FORWARDING {
1182 description = "Forged sender, but message is forwarded";
1183 policy = "remove_weight";
1184 expression = "FORGED_SENDER & g:forwarding";
1185 }
1186 DKIM_MIXED {
1187 policy = "remove_weight";
1188 expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)";
1189 }
1190 PHISH_EMOTION {
1191 description = "Phish message with subject trying to address users' emotions";
1192 score = 1;
1193 policy = "leave";
1194 expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
1195 }
1196 RCVD_DKIM_ARC_DNSWL_HI {
1197 description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
1198 score = -1;
1199 policy = "leave";
1200 expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
1201 }
1202 FORGED_RECIPIENTS_MAILLIST {
1203 expression = "FORGED_RECIPIENTS & -MAILLIST";
1204 }
1205 COMPROMISED_ACCT_BULK {
1206 description = "Likely to be from a compromised account";
1207 score = 3;
1208 policy = "leave";
1209 expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
1210 }
1211 RCVD_UNAUTH_PBL {
1212 description = "Relayed through ZEN PBL IP without sufficient authentication (possibly indicating an open relay)";
1213 score = 2;
1214 policy = "leave";
1215 expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
1216 }
1217 AUTOGEN_PHP_SPAMMY {
1218 description = "Message was generated by PHP script and contains some spam indicators";
1219 score = 1;
1220 policy = "leave";
1221 expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
1222 }
1223 HACKED_WP_PHISHING {
1224 description = "Phish message sent by hacked WordPress instance";
1225 policy = "leave";
1226 expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
1227 }
1228 FORGED_RECIPIENTS_FORWARDING {
1229 policy = "remove_weight";
1230 expression = "FORGED_RECIPIENTS & g:forwarding";
1231 }
1232 FORGED_SENDER_VERP_SRS {
1233 expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
1234 }
1235 MAIL_RU_MAILER_BASE64 {
1236 expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
1237 }
1238}
1239mid {
1240 source {
1241 url [
1242 "https://maps.rspamd.com/rspamd/mid.inc.zst",
1243 "/etc/rspamd/local.d/mid.inc",
1244 "fallback+file:///etc/rspamd/mid.inc",
1245 ]
1246 }
1247}
1248url_reputation {
1249 enabled = false;
1250}
1251forged_recipients {
1252 symbol_sender = "FORGED_SENDER";
1253 symbol_rcpt = "FORGED_RECIPIENTS";
1254}
1255spamtrap {
1256 learn_fuzzy = false;
1257 enabled = false;
1258 learn_spam = false;
1259}
1260force_actions {
1261}
1262spf {
1263 spf_cache_expire = 86400;
1264 spf_cache_size = 2000;
1265}
1266clickhouse {
1267 limit = 1000;
1268 ipmask6 = 48;
1269 full_urls = false;
1270 timeout = 5;
1271 ipmask = 19;
1272}
1273group {
1274 policies {
1275 symbols {
1276 R_SPF_SOFTFAIL {
1277 groups [
1278 "spf",
1279 ]
1280 weight = 0;
1281 description = "SPF verification soft-failed";
1282 }
1283 DMARC_POLICY_ALLOW {
1284 groups [
1285 "dmarc",
1286 ]
1287 weight = -0.500000;
1288 description = "DMARC permit policy";
1289 }
1290 R_DKIM_REJECT {
1291 one_shot = true;
1292 weight = 1;
1293 groups [
1294 "dkim",
1295 ]
1296 description = "DKIM verification failed";
1297 }
1298 R_SPF_FAIL {
1299 groups [
1300 "spf",
1301 ]
1302 weight = 1;
1303 description = "SPF verification failed";
1304 }
1305 DMARC_POLICY_REJECT {
1306 groups [
1307 "dmarc",
1308 ]
1309 weight = 2;
1310 description = "DMARC reject policy";
1311 }
1312 R_SPF_ALLOW {
1313 groups [
1314 "spf",
1315 ]
1316 weight = -0.200000;
1317 description = "SPF verification allows sending";
1318 }
1319 ARC_ALLOW {
1320 groups [
1321 "arc",
1322 ]
1323 weight = -1;
1324 description = "ARC checks success";
1325 }
1326 DMARC_POLICY_SOFTFAIL {
1327 groups [
1328 "dmarc",
1329 ]
1330 weight = 0.100000;
1331 description = "DMARC failed";
1332 }
1333 R_SPF_DNSFAIL {
1334 groups [
1335 "spf",
1336 ]
1337 weight = 0;
1338 description = "SPF DNS failure";
1339 }
1340 ARC_NA {
1341 groups [
1342 "arc",
1343 ]
1344 weight = 0;
1345 description = "ARC signature absent";
1346 }
1347 R_SPF_NEUTRAL {
1348 groups [
1349 "spf",
1350 ]
1351 weight = 0;
1352 description = "SPF policy is neutral";
1353 }
1354 R_DKIM_TEMPFAIL {
1355 groups [
1356 "dkim",
1357 ]
1358 weight = 0;
1359 description = "DKIM verification soft-failed";
1360 }
1361 ARC_DNSFAIL {
1362 groups [
1363 "arc",
1364 ]
1365 weight = 0;
1366 description = "ARC DNS error";
1367 }
1368 DMARC_POLICY_QUARANTINE {
1369 groups [
1370 "dmarc",
1371 ]
1372 weight = 1.500000;
1373 description = "DMARC quarantine policy";
1374 }
1375 ARC_INVALID {
1376 groups [
1377 "arc",
1378 ]
1379 weight = 1;
1380 description = "ARC structure invalid";
1381 }
1382 ARC_REJECT {
1383 groups [
1384 "arc",
1385 ]
1386 weight = 2;
1387 description = "ARC checks failed";
1388 }
1389 DMARC_POLICY_ALLOW_WITH_FAILURES {
1390 groups [
1391 "dmarc",
1392 ]
1393 weight = -0.500000;
1394 description = "DMARC permit policy with DKIM/SPF failure";
1395 }
1396 R_DKIM_ALLOW {
1397 one_shot = true;
1398 weight = -0.200000;
1399 groups [
1400 "dkim",
1401 ]
1402 description = "DKIM verification succeeded";
1403 }
1404 }
1405 }
1406 hfilter {
1407 symbols {
1408 HFILTER_HOSTNAME_UNKNOWN {
1409 description = "Unknown client hostname (PTR or FCrDNS verification failed)";
1410 weight = 2.500000;
1411 }
1412 HFILTER_FROMHOST_NORESOLVE_MX {
1413 description = "MX found in FROM host and no resolve";
1414 weight = 0.500000;
1415 }
1416 HFILTER_HELO_2 {
1417 description = "Helo host checks (low)";
1418 weight = 1;
1419 }
1420 HFILTER_HELO_NORESOLVE_MX {
1421 description = "MX found in Helo and no resolve";
1422 weight = 0.200000;
1423 }
1424 HFILTER_HOSTNAME_4 {
1425 description = "Hostname checks (hard)";
1426 weight = 2.500000;
1427 }
1428 HFILTER_URL_ONLY {
1429 description = "URL only in body";
1430 weight = 2.200000;
1431 }
1432 HFILTER_FROM_BOUNCE {
1433 description = "Bounce message";
1434 weight = 0;
1435 }
1436 HFILTER_HOSTNAME_2 {
1437 description = "Hostname checks (low)";
1438 weight = 1;
1439 }
1440 HFILTER_HELO_BAREIP {
1441 description = "Helo host is bare ip";
1442 weight = 3;
1443 }
1444 HFILTER_HELO_3 {
1445 description = "Helo host checks (medium)";
1446 weight = 2;
1447 }
1448 HFILTER_URL_ONELINE {
1449 description = "One line URL and text in body";
1450 weight = 2.500000;
1451 }
1452 HFILTER_HOSTNAME_3 {
1453 description = "Hostname checks (medium)";
1454 weight = 2;
1455 }
1456 HFILTER_RCPT_BOUNCEMOREONE {
1457 description = "Message from bounce and over 1 recipient";
1458 weight = 1.500000;
1459 }
1460 HFILTER_FROMHOST_NOT_FQDN {
1461 description = "FROM host not FQDN";
1462 weight = 3;
1463 }
1464 HFILTER_HELO_5 {
1465 description = "Helo host checks (very hard)";
1466 weight = 3;
1467 }
1468 HFILTER_FROMHOST_NORES_A_OR_MX {
1469 description = "FROM host no resolve to A or MX";
1470 weight = 1.500000;
1471 }
1472 HFILTER_HELO_NOT_FQDN {
1473 description = "Helo not FQDN";
1474 weight = 2;
1475 }
1476 HFILTER_HELO_IP_A {
1477 description = "Helo A IP != hostname IP";
1478 weight = 1;
1479 }
1480 HFILTER_HELO_NORES_A_OR_MX {
1481 description = "Helo no resolve to A or MX";
1482 weight = 0.300000;
1483 }
1484 HFILTER_HELO_1 {
1485 description = "Helo host checks (very low)";
1486 weight = 0.500000;
1487 }
1488 HFILTER_HELO_4 {
1489 description = "Helo host checks (hard)";
1490 weight = 2.500000;
1491 }
1492 HFILTER_HELO_BADIP {
1493 description = "Helo host is very bad ip";
1494 weight = 4.500000;
1495 }
1496 HFILTER_HOSTNAME_1 {
1497 description = "Hostname checks (very low)";
1498 weight = 0.500000;
1499 }
1500 HFILTER_HOSTNAME_5 {
1501 description = "Hostname checks (very hard)";
1502 weight = 3;
1503 }
1504 }
1505 }
1506 phishing {
1507 symbols {
1508 HACKED_WP_PHISHING {
1509 description = "Phishing message from hacked WordPress";
1510 weight = 4.500000;
1511 }
1512 PHISHED_OPENPHISH {
1513 description = "Phished URL found in openphish.com";
1514 weight = 7;
1515 }
1516 PHISHING {
1517 one_shot = true;
1518 weight = 4;
1519 description = "Phished URL";
1520 }
1521 PHISHED_PHISHTANK {
1522 description = "Phished URL found in phishtank.com";
1523 weight = 7;
1524 }
1525 }
1526 max_score = 10;
1527 }
1528 mime_types {
1529 symbols {
1530 MIME_BAD {
1531 one_shot = true;
1532 weight = 1;
1533 description = "Known bad content-type";
1534 }
1535 MIME_BAD_UNICODE {
1536 one_shot = true;
1537 weight = 8;
1538 description = "Filename with known obscured unicode characters";
1539 }
1540 MIME_BAD_EXTENSION {
1541 one_shot = true;
1542 weight = 2;
1543 description = "Bad extension";
1544 }
1545 MIME_GOOD {
1546 one_shot = true;
1547 weight = -0.100000;
1548 description = "Known content-type";
1549 }
1550 MIME_ARCHIVE_IN_ARCHIVE {
1551 one_shot = true;
1552 weight = 5;
1553 description = "Archive within another archive";
1554 }
1555 MIME_DOUBLE_BAD_EXTENSION {
1556 one_shot = true;
1557 weight = 3;
1558 description = "Bad extension cloaking";
1559 }
1560 MIME_BAD_ATTACHMENT {
1561 one_shot = true;
1562 weight = 4;
1563 description = "Invalid attachment mime type";
1564 }
1565 MIME_ENCRYPTED_ARCHIVE {
1566 one_shot = true;
1567 weight = 2;
1568 description = "Encrypted archive in a message";
1569 }
1570 MIME_UNKNOWN {
1571 one_shot = true;
1572 weight = 0.100000;
1573 description = "Missing or unknown content-type";
1574 }
1575 }
1576 }
1577 mua {
1578 symbols {
1579 FORGED_MUA_MAILLIST {
1580 description = "Avoid false positives for FORGED_MUA_* in maillist";
1581 weight = 0;
1582 }
1583 }
1584 }
1585 rbl {
1586 symbols {
1587 DNSWL_BLOCKED {
1588 groups [
1589 "dnswl",
1590 "blocked",
1591 ]
1592 weight = 0;
1593 description = "Resolver blocked due to excessive queries";
1594 }
1595 RBL_MAILSPIKE_WORST {
1596 groups [
1597 "mailspike",
1598 ]
1599 weight = 2;
1600 description = "From address is listed in RBL - worst possible reputation";
1601 }
1602 RBL_MAILSPIKE_VERYBAD {
1603 groups [
1604 "mailspike",
1605 ]
1606 weight = 1.500000;
1607 description = "From address is listed in RBL - very bad reputation";
1608 }
1609 RWL_MAILSPIKE_NEUTRAL {
1610 groups [
1611 "mailspike",
1612 ]
1613 weight = 0;
1614 description = "Neutral result from Mailspike";
1615 }
1616 RBL_SEM {
1617 groups [
1618 "sem",
1619 ]
1620 weight = 1;
1621 description = "From address is listed in Spameatingmonkey RBL";
1622 }
1623 RCVD_IN_DNSWL {
1624 groups [
1625 "dnswl",
1626 ]
1627 weight = 0;
1628 description = "Unrecognised result from https://www.dnswl.org";
1629 }
1630 RWL_MAILSPIKE_GOOD {
1631 groups [
1632 "mailspike",
1633 ]
1634 weight = 0;
1635 description = "From address is listed in RWL - good reputation";
1636 }
1637 DWL_DNSWL_NONE {
1638 groups [
1639 "dnswl",
1640 ]
1641 weight = 0;
1642 description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust";
1643 }
1644 RCVD_IN_DNSWL_HI {
1645 groups [
1646 "dnswl",
1647 ]
1648 weight = -0.500000;
1649 description = "Sender listed at https://www.dnswl.org, high trust";
1650 }
1651 RBL_SPAMHAUS_DROP {
1652 groups [
1653 "spamhaus",
1654 ]
1655 weight = 7;
1656 description = "From address is listed in ZEN DROP BL";
1657 }
1658 MAILSPIKE {
1659 groups [
1660 "mailspike",
1661 ]
1662 weight = 0;
1663 description = "Unrecognised result from Mailspike";
1664 }
1665 RBL_SPAMHAUS_XBL {
1666 groups [
1667 "spamhaus",
1668 ]
1669 weight = 4;
1670 description = "From address is listed in ZEN XBL";
1671 }
1672 RCVD_IN_DNSWL_LOW {
1673 groups [
1674 "dnswl",
1675 ]
1676 weight = -0.100000;
1677 description = "Sender listed at https://www.dnswl.org, low trust";
1678 }
1679 RWL_MAILSPIKE_EXCELLENT {
1680 groups [
1681 "mailspike",
1682 ]
1683 weight = 0;
1684 description = "From address is listed in RWL - excellent reputation";
1685 }
1686 RBL_SPAMHAUS_SBL {
1687 groups [
1688 "spamhaus",
1689 ]
1690 weight = 2;
1691 description = "From address is listed in ZEN SBL";
1692 }
1693 RBL_SPAMHAUS_XBL_ANY {
1694 groups [
1695 "spamhaus",
1696 ]
1697 weight = 4;
1698 description = "From or received address is listed in ZEN XBL (any list)";
1699 }
1700 DWL_DNSWL_LOW {
1701 groups [
1702 "dnswl",
1703 ]
1704 weight = -1;
1705 description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust";
1706 }
1707 DWL_DNSWL_BLOCKED {
1708 groups [
1709 "dnswl",
1710 "blocked",
1711 ]
1712 weight = 0;
1713 description = "Resolver blocked due to excessive queries (dwl)";
1714 }
1715 RCVD_IN_DNSWL_NONE {
1716 groups [
1717 "dnswl",
1718 ]
1719 weight = 0;
1720 description = "Sender listed at https://www.dnswl.org, no trust";
1721 }
1722 RBL_SPAMHAUS_PBL {
1723 groups [
1724 "spamhaus",
1725 ]
1726 weight = 2;
1727 description = "From address is listed in ZEN PBL (ISP list)";
1728 }
1729 RBL_SPAMHAUS_CSS {
1730 groups [
1731 "spamhaus",
1732 ]
1733 weight = 2;
1734 description = "From address is listed in ZEN CSS";
1735 }
1736 RWL_MAILSPIKE_VERYGOOD {
1737 groups [
1738 "mailspike",
1739 ]
1740 weight = 0;
1741 description = "From address is listed in RWL - very good reputation";
1742 }
1743 RECEIVED_SPAMHAUS_SBL {
1744 groups [
1745 "spamhaus",
1746 ]
1747 weight = 1;
1748 one_shot = true;
1749 description = "Received address is listed in ZEN SBL";
1750 }
1751 RBL_MAILSPIKE_BAD {
1752 groups [
1753 "mailspike",
1754 ]
1755 weight = 1;
1756 description = "From address is listed in RBL - bad reputation";
1757 }
1758 RBL_SEM_IPV6 {
1759 groups [
1760 "sem",
1761 ]
1762 weight = 1;
1763 description = "From address is listed in Spameatingmonkey RBL (IPv6)";
1764 }
1765 RBL_BLOCKLISTDE {
1766 groups [
1767 "blocklistde",
1768 ]
1769 weight = 4;
1770 description = "From address is listed in Blocklist (https://www.blocklist.de/)";
1771 }
1772 DWL_DNSWL_MED {
1773 groups [
1774 "dnswl",
1775 ]
1776 weight = -2;
1777 description = "Message has a valid DKIM signature originating from a domain listed at https://www.dnswl.org, medium trust";
1778 }
1779 RBL_SENDERSCORE {
1780 description = "From address is listed in senderscore.com BL";
1781 weight = 2;
1782 }
1783 RBL_NIXSPAM {
1784 description = "From address is listed in NiX Spam (http://www.dnsbl.manitu.net/)";
1785 weight = 4;
1786 }
1787 RECEIVED_SPAMHAUS_PBL {
1788 groups [
1789 "spamhaus",
1790 ]
1791 weight = 0;
1792 one_shot = true;
1793 description = "Received address is listed in ZEN PBL (ISP list)";
1794 }
1795 RECEIVED_BLOCKLISTDE {
1796 groups [
1797 "blocklistde",
1798 ]
1799 weight = 3;
1800 one_shot = true;
1801 description = "Received address is listed in Blocklist (https://www.blocklist.de/)";
1802 }
1803 RECEIVED_SPAMHAUS_CSS {
1804 groups [
1805 "spamhaus",
1806 ]
1807 weight = 1;
1808 one_shot = true;
1809 description = "Received address is listed in ZEN CSS";
1810 }
1811 RCVD_IN_DNSWL_MED {
1812 groups [
1813 "dnswl",
1814 ]
1815 weight = -0.200000;
1816 description = "Sender listed at https://www.dnswl.org, medium trust";
1817 }
1818 RECEIVED_SPAMHAUS_DROP {
1819 groups [
1820 "spamhaus",
1821 ]
1822 weight = 6;
1823 one_shot = true;
1824 description = "Received address is listed in ZEN DROP BL";
1825 }
1826 RBL_VIRUSFREE_BOTNET {
1827 description = "From address is listed in virusfree.cz BL";
1828 weight = 2;
1829 }
1830 RECEIVED_SPAMHAUS_XBL {
1831 groups [
1832 "spamhaus",
1833 ]
1834 weight = 3;
1835 one_shot = true;
1836 description = "Received address is listed in ZEN XBL";
1837 }
1838 RWL_MAILSPIKE_POSSIBLE {
1839 groups [
1840 "mailspike",
1841 ]
1842 weight = 0;
1843 description = "From address is listed in RWL - possibly legit";
1844 }
1845 DWL_DNSWL_HI {
1846 groups [
1847 "dnswl",
1848 ]
1849 weight = -3.500000;
1850 description = "Message has a valid DKIM signature originating from a domain listed at https://www.dnswl.org, high trust";
1851 }
1852 RBL_SPAMHAUS {
1853 groups [
1854 "spamhaus",
1855 ]
1856 weight = 0;
1857 description = "Unrecognised result from Spamhaus ZEN";
1858 }
1859 DWL_DNSWL {
1860 groups [
1861 "dnswl",
1862 ]
1863 weight = 0;
1864 description = "Unrecognised result from https://www.dnswl.org (dwl)";
1865 }
1866 }
1867 }
1868 fuzzy {
1869 symbols {
1870 FUZZY_UNKNOWN {
1871 description = "Generic fuzzy hash match, bl.rspamd.com";
1872 weight = 5;
1873 }
1874 FUZZY_PROB {
1875 description = "Probable fuzzy hash, bl.rspamd.com";
1876 weight = 5;
1877 }
1878 FUZZY_DENIED {
1879 description = "Denied fuzzy hash, bl.rspamd.com";
1880 weight = 12;
1881 }
1882 FUZZY_WHITE {
1883 description = "Whitelisted fuzzy hash, bl.rspamd.com";
1884 weight = -2.100000;
1885 }
1886 }
1887 }
1888 statistics {
1889 symbols {
1890 BAYES_HAM {
1891 description = "Message probably ham, probability: ";
1892 weight = -3;
1893 }
1894 BAYES_SPAM {
1895 description = "Message probably spam, probability: ";
1896 weight = 5.100000;
1897 }
1898 }
1899 }
1900 surbl {
1901 symbols {
1902 MSBL_EBL {
1903 one_shot = true;
1904 weight = 7.500000;
1905 groups [
1906 "ebl",
1907 ]
1908 description = "MSBL emailbl";
1909 }
1910 SEM_URIBL {
1911 groups [
1912 "sem",
1913 ]
1914 weight = 3.500000;
1915 description = "Spameatingmonkey uribl";
1916 }
1917 PH_SURBL_MULTI {
1918 groups [
1919 "surblorg",
1920 "phishing",
1921 ]
1922 weight = 5.500000;
1923 description = "SURBL: Phishing sites";
1924 }
1925 URIBL_XBL {
1926 one_shot = true;
1927 weight = 1.500000;
1928 groups [
1929 "spamhaus",
1930 ]
1931 description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
1932 }
1933 DBL_ABUSE_PHISH {
1934 groups [
1935 "spamhaus",
1936 ]
1937 weight = 7.500000;
1938 description = "DBL uribl abused legit phish";
1939 }
1940 URIBL_MULTI {
1941 groups [
1942 "uribl",
1943 ]
1944 weight = 0;
1945 description = "uribl.com: unrecognised result";
1946 }
1947 SPAMHAUS_ZEN_URIBL {
1948 groups [
1949 "spamhaus",
1950 ]
1951 weight = 0;
1952 description = "Spamhaus ZEN URIBL: Filtered result";
1953 }
1954 SEM_URIBL_FRESH15 {
1955 groups [
1956 "sem",
1957 ]
1958 weight = 3;
1959 description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
1960 }
1961 DBL_ABUSE_BOTNET {
1962 groups [
1963 "spamhaus",
1964 ]
1965 weight = 5.500000;
1966 description = "DBL uribl abused legit botnet C&C";
1967 }
1968 DBL_ABUSE_REDIR {
1969 groups [
1970 "spamhaus",
1971 ]
1972 weight = 1.500000;
1973 description = "DBL uribl abused spammed redirector domain";
1974 }
1975 MW_SURBL_MULTI {
1976 groups [
1977 "surblorg",
1978 ]
1979 weight = 5.500000;
1980 description = "SURBL: Malware sites";
1981 }
1982 DBL_MALWARE {
1983 groups [
1984 "spamhaus",
1985 ]
1986 weight = 6.500000;
1987 description = "DBL uribl malware";
1988 }
1989 CRACKED_SURBL {
1990 groups [
1991 "surblorg",
1992 ]
1993 weight = 4;
1994 description = "SURBL: cracked site";
1995 }
1996 RSPAMD_URIBL {
1997 one_shot = true;
1998 weight = 4.500000;
1999 groups [
2000 "rspamdbl",
2001 ]
2002 description = "Rspamd uribl, bl.rspamd.com";
2003 }
2004 SURBL_BLOCKED {
2005 groups [
2006 "surblorg",
2007 "blocked",
2008 ]
2009 weight = 0;
2010 description = "SURBL: blocked by policy/overusage";
2011 }
2012 RBL_SARBL_BAD {
2013 one_shot = true;
2014 weight = 2.500000;
2015 description = "A domain in the message body is blacklisted in SARBL";
2016 }
2017 SEM_URIBL_FRESH15_UNKNOWN {
2018 groups [
2019 "sem",
2020 ]
2021 weight = 0;
2022 description = "Spameatingmonkey Fresh15 uribl: unknown result";
2023 }
2024 SEM_URIBL_UNKNOWN {
2025 groups [
2026 "sem",
2027 ]
2028 weight = 0;
2029 description = "Spameatingmonkey uribl: unknown result";
2030 }
2031 URIBL_SBL {
2032 one_shot = true;
2033 weight = 6.500000;
2034 groups [
2035 "v",
2036 ]
2037 description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
2038 }
2039 URIBL_GREY {
2040 one_shot = true;
2041 weight = 1.500000;
2042 groups [
2043 "uribl",
2044 ]
2045 description = "uribl.com grey url";
2046 }
2047 DBL_SPAM {
2048 groups [
2049 "spamhaus",
2050 ]
2051 weight = 6.500000;
2052 description = "DBL uribl spam";
2053 }
2054 MSBL_EBL_GREY {
2055 one_shot = true;
2056 weight = 0.500000;
2057 groups [
2058 "ebl",
2059 ]
2060 description = "MSBL emailbl grey list";
2061 }
2062 URIBL_BLOCKED {
2063 groups [
2064 "uribl",
2065 "blocked",
2066 ]
2067 weight = 0;
2068 description = "uribl.com: query refused";
2069 }
2070 DBL_PHISH {
2071 groups [
2072 "spamhaus",
2073 ]
2074 weight = 6.500000;
2075 description = "DBL uribl phishing";
2076 }
2077 URIBL_DROP {
2078 one_shot = true;
2079 weight = 5;
2080 groups [
2081 "spamhaus",
2082 ]
2083 description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
2084 }
2085 URIBL_PBL {
2086 groups [
2087 "spamhaus",
2088 ]
2089 weight = 0.010000;
2090 description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
2091 }
2092 ABUSE_SURBL {
2093 groups [
2094 "surblorg",
2095 ]
2096 weight = 5.500000;
2097 description = "SURBL: ABUSE";
2098 }
2099 URIBL_SBL_CSS {
2100 one_shot = true;
2101 weight = 6.500000;
2102 groups [
2103 "spamhaus",
2104 ]
2105 description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
2106 }
2107 URIBL_RED {
2108 groups [
2109 "uribl",
2110 ]
2111 weight = 3.500000;
2112 description = "uribl.com red url";
2113 }
2114 DBL_ABUSE {
2115 groups [
2116 "spamhaus",
2117 ]
2118 weight = 6.500000;
2119 description = "DBL uribl abused legit spam";
2120 }
2121 DBL_BOTNET {
2122 groups [
2123 "spamhaus",
2124 ]
2125 weight = 5.500000;
2126 description = "DBL uribl botnet C&C domain";
2127 }
2128 URIBL_BLACK {
2129 groups [
2130 "uribl",
2131 ]
2132 weight = 7.500000;
2133 description = "uribl.com black url";
2134 }
2135 DBL_PROHIBIT {
2136 groups [
2137 "spamhaus",
2138 ]
2139 weight = 0;
2140 description = "DBL uribl IP queries prohibited!";
2141 }
2142 DBL_ABUSE_MALWARE {
2143 groups [
2144 "spamhaus",
2145 ]
2146 weight = 7.500000;
2147 description = "DBL uribl abused legit malware";
2148 }
2149 DBL {
2150 groups [
2151 "spamhaus",
2152 ]
2153 weight = 0;
2154 description = "DBL unknown result";
2155 }
2156 RSPAMD_EMAILBL {
2157 one_shot = true;
2158 weight = 9.500000;
2159 groups [
2160 "rspamdbl",
2161 ]
2162 description = "Rspamd emailbl, bl.rspamd.com";
2163 }
2164 }
2165 max_score = 12.500000;
2166 }
2167 headers {
2168 symbols {
2169 R_MIXED_CHARSET {
2170 one_shot = true;
2171 weight = 5;
2172 description = "Mixed characters in a message";
2173 }
2174 FORGED_SENDER {
2175 description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
2176 weight = 0.300000;
2177 }
2178 RDNS_DNSFAIL {
2179 description = "PTR verification DNS error";
2180 weight = 0;
2181 }
2182 FORGED_RECIPIENTS_MAILLIST {
2183 description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
2184 weight = 0;
2185 }
2186 MAILLIST {
2187 description = "Message seems to be from maillist";
2188 weight = -0.200000;
2189 }
2190 ONCE_RECEIVED_STRICT {
2191 description = "One received header with 'bad' patterns inside";
2192 weight = 4;
2193 }
2194 FORGED_RECIPIENTS {
2195 description = "Recipients are not the same as RCPT TO: mail command";
2196 weight = 2;
2197 }
2198 RDNS_NONE {
2199 description = "Cannot resolve reverse DNS for sender's IP";
2200 weight = 1;
2201 }
2202 ONCE_RECEIVED {
2203 description = "One received header in a message";
2204 weight = 0.100000;
2205 }
2206 FORGED_SENDER_MAILLIST {
2207 description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
2208 weight = 0;
2209 }
2210 R_MIXED_CHARSET_URL {
2211 one_shot = true;
2212 weight = 7;
2213 description = "Mixed characters in a URL inside message";
2214 }
2215 }
2216 }
2217 subject {
2218 symbols {
2219 }
2220 max_score = 6;
2221 }
2222 external_services {
2223 }
2224 excessqp {
2225 max_score = 2.400000;
2226 }
2227 antivirus {
2228 }
2229 whitelist {
2230 symbols {
2231 BLACKLIST_DKIM {
2232 description = "Mail comes from the whitelisted domain and has an invalid DKIM signature";
2233 weight = 2;
2234 }
2235 WHITELIST_SPF_DKIM {
2236 description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies";
2237 weight = -3;
2238 }
2239 WHITELIST_DKIM {
2240 description = "Mail comes from the whitelisted domain and has a valid DKIM signature";
2241 weight = -1;
2242 }
2243 BLACKLIST_SPF {
2244 description = "Mail comes from the whitelisted domain and has no valid SPF policy";
2245 weight = 1;
2246 }
2247 BLACKLIST_SPF_DKIM {
2248 description = "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature";
2249 weight = 3;
2250 }
2251 WHITELIST_DMARC {
2252 description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies";
2253 weight = -7;
2254 }
2255 BLACKLIST_DMARC {
2256 description = "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies";
2257 weight = 6;
2258 }
2259 WHITELIST_SPF {
2260 description = "Mail comes from the whitelisted domain and has a valid SPF policy";
2261 weight = -1;
2262 }
2263 }
2264 max_score = 10;
2265 }
2266 neural {
2267 }
2268 excessb64 {
2269 max_score = 3;
2270 }
2271}
2272metadata_exporter {
2273 rules {
2274 }
2275}
2276multimap {
2277 freemail_envfrom {
2278 filter = "email:domain";
2279 symbol = "FREEMAIL_ENVFROM";
2280 type = "from";
2281 score = 0;
2282 description = "Envelope From is a Freemail address";
2283 map = "https://maps.rspamd.com/freemail/free.txt.zst";
2284 }
2285 IP_WHITELIST {
2286 prefilter = true;
2287 score = -5;
2288 symbol = "LOCAL_WL_IP";
2289 type = "ip";
2290 action = "accept";
2291 description = "Local IP whitelist";
2292 map = "/etc/rspamd/local.d/ip_whitelist.map";
2293 }
2294 freemail_from {
2295 filter = "email:domain";
2296 score = 0;
2297 symbol = "FREEMAIL_FROM";
2298 type = "header";
2299 description = "From is a Freemail address";
2300 header = "from";
2301 map = "https://maps.rspamd.com/freemail/free.txt.zst";
2302 }
2303 disposable_replyto {
2304 filter = "email:domain";
2305 score = 0;
2306 symbol = "DISPOSABLE_REPLYTO";
2307 type = "header";
2308 description = "Reply-To is a disposable e-mail address";
2309 header = "Reply-To";
2310 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
2311 }
2312 disposable_cc {
2313 filter = "email:domain";
2314 score = 0;
2315 symbol = "DISPOSABLE_CC";
2316 type = "header";
2317 description = "Cc is a disposable e-mail address";
2318 header = "Cc";
2319 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
2320 }
2321 disposable_to {
2322 filter = "email:domain";
2323 score = 0;
2324 symbol = "DISPOSABLE_TO";
2325 type = "header";
2326 description = "To is a disposable e-mail address";
2327 header = "To";
2328 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
2329 }
2330 disposable_from {
2331 filter = "email:domain";
2332 score = 0;
2333 symbol = "DISPOSABLE_FROM";
2334 type = "header";
2335 description = "From is a disposable e-mail address";
2336 header = "from";
2337 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
2338 }
2339 freemail_to {
2340 filter = "email:domain";
2341 score = 0;
2342 symbol = "FREEMAIL_TO";
2343 type = "header";
2344 description = "To is a Freemail address";
2345 header = "To";
2346 map = "https://maps.rspamd.com/freemail/free.txt.zst";
2347 }
2348 freemail_envrcpt {
2349 filter = "email:domain";
2350 symbol = "FREEMAIL_ENVRCPT";
2351 type = "rcpt";
2352 score = 0;
2353 description = "Envelope Recipient is a Freemail address";
2354 map = "https://maps.rspamd.com/freemail/free.txt.zst";
2355 }
2356 freemail_replyto {
2357 filter = "email:domain";
2358 score = 0;
2359 symbol = "FREEMAIL_REPLYTO";
2360 type = "header";
2361 description = "Reply-To is a Freemail address";
2362 header = "Reply-To";
2363 map = "https://maps.rspamd.com/freemail/free.txt.zst";
2364 }
2365 disposable_envfrom {
2366 filter = "email:domain";
2367 symbol = "DISPOSABLE_ENVFROM";
2368 type = "from";
2369 score = 0;
2370 description = "Envelope From is a disposable e-mail address";
2371 map = "https://rspamd.com/freemail/disposable.txt.zst";
2372 }
2373 freemail_cc {
2374 filter = "email:domain";
2375 score = 0;
2376 symbol = "FREEMAIL_CC";
2377 type = "header";
2378 description = "Cc is a Freemail address";
2379 header = "Cc";
2380 map = "https://maps.rspamd.com/freemail/free.txt.zst";
2381 }
2382 disposable_envrcpt {
2383 filter = "email:domain";
2384 symbol = "DISPOSABLE_ENVRCPT";
2385 type = "rcpt";
2386 score = 0;
2387 description = "Envelope Recipient is a disposable e-mail address";
2388 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
2389 }
2390}
2391worker {
2392 normal {
2393 bind_socket = "localhost:11333";
2394 mime = true;
2395 }
2396}
2397worker {
2398 controller {
2399 password = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
2400 secure_ip = "127.0.0.1";
2401 secure_ip = "::1";
2402 static_dir = "/usr/share/rspamd/www";
2403 count = 1;
2404 bind_socket = "localhost:11334";
2405 }
2406}
2407worker {
2408 rspamd_proxy {
2409 max_retries = 5;
2410 timeout = 120;
2411 spam_header = "X-Spam";
2412 quarantine_on_reject = false;
2413 reject_message = "Spam message rejected";
2414 discard_on_reject = false;
2415 milter = true;
2416 upstream {
2417 local {
2418 hosts = "localhost";
2419 default = true;
2420 }
2421 }
2422 bind_socket = "localhost:11332";
2423 count = 1;
2424 }
2425}
2426worker {
2427 fuzzy {
2428 backend = "redis";
2429 allow_update [
2430 "localhost",
2431 ]
2432 count = -1;
2433 bind_socket = "localhost:11335";
2434 expire = 7776000;
2435 }
2436}
2437dmarc {
2438}
2439milter_headers {
2440 extended_spam_headers = true;
2441 use [
2442 ]
2443}
2444external_services {
2445 oletools {
2446 whitelist = "/etc/rspamd/antivirus.wl";
2447 mime_parts_filter_ext {
2448 ppsx = "ppsx";
2449 doc = "doc";
2450 pot = "pot";
2451 ppsm = "ppsm";
2452 dotx = "dotx";
2453 potm = "potm";
2454 xlsm = "xlsm";
2455 pps = "pps";
2456 ppa = "ppa";
2457 xltm = "xltm";
2458 pptm = "pptm";
2459 xls = "xls";
2460 ppam = "ppam";
2461 dot = "dot";
2462 docm = "docm";
2463 dotm = "dotm";
2464 ppt = "ppt";
2465 pptx = "pptx";
2466 xltx = "xltx";
2467 potx = "potx";
2468 xlsb = "xlsb";
2469 xlam = "xlam";
2470 xlsx = "xlsx";
2471 xla = "xla";
2472 docx = "docx";
2473 xlt = "xlt";
2474 }
2475 patterns {
2476 }
2477 mime_parts_filter_regex {
2478 DOC2 = "application/msword";
2479 XLS = "application/vnd.ms-excel.*";
2480 GEN2 = "application/vnd.openxmlformats-officedocument.*";
2481 DOC3 = "application/vnd.ms-word.*";
2482 PPT = "application/vnd.ms-powerpoint.*";
2483 }
2484 }
2485 dcc {
2486 whitelist = "/etc/rspamd/antivirus.wl";
2487 max_size = 20000000;
2488 patterns {
2489 }
2490 }
2491}
2492actions {
2493 greylist = 5;
2494 add_header = 2;
2495 reject = 150;
2496}
2497elastic {
2498 limit = 10;
2499 import_kibana = false;
2500 debug = false;
2501 timeout = 5;
2502 index_pattern = "rspamd-%Y.%m.%d";
2503}
2504url_tags {
2505 enabled = false;
2506}
2507options {
2508 cache_file = "/var/lib/rspamd/symbols.cache";
2509 map_watch_interval = 300;
2510 limits {
2511 limit_whitelist_ip = "/etc/rspamd/local.d/ip_whitelist.map";
2512 }
2513 tempdir = "/tmp";
2514 history_rows = 200;
2515 url_tld = "/usr/share/rspamd/effective_tld_names.dat";
2516 soft_reject_on_timeout = false;
2517 task_timeout = 8;
2518 hs_cache_dir = "/var/lib/rspamd/";
2519 pidfile = "/run/rspamd/rspamd.pid";
2520 local_addrs [
2521 "192.168.0.0/16",
2522 "10.0.0.0/8",
2523 "172.16.0.0/12",
2524 "fd00::/8",
2525 "169.254.0.0/16",
2526 "fe80::/10",
2527 "192.168.0.0/16",
2528 "10.0.0.0/8",
2529 "172.16.0.0/12",
2530 "169.254.0.0/16",
2531 "127.2.4.7",
2532 ]
2533 rrd = "/var/lib/rspamd/rspamd.rrd";
2534 check_all_filters = false;
2535 explicit_modules [
2536 "settings",
2537 "bayes_expiry",
2538 ]
2539 control_socket = "/var/lib/rspamd/rspamd.sock mode=0600";
2540 allow_raw_input = true;
2541 dynamic_conf = "/var/lib/rspamd/rspamd_dynamic";
2542 dns {
2543 sockets = 100;
2544 retransmits = 5;
2545 timeout = 1;
2546 nameserver = "master-slave:127.0.0.1,10.0.0.32";
2547 }
2548 raw_mode = false;
2549 filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
2550 classify_headers [
2551 "User-Agent",
2552 "X-Mailer",
2553 "Content-Type",
2554 "X-MimeOLE",
2555 ]
2556 words_decay = 600;
2557 history_file = "/var/lib/rspamd/rspamd.history";
2558 one_shot = false;
2559 map_file_watch_multiplier = 0.100000;
2560}
2561reputation {
2562}
2563emails {
2564 rules {
2565 MSBL_EBL {
2566 returncodes {
2567 MSBL_EBL [
2568 "127.0.0.2",
2569 "127.0.0.3",
2570 ]
2571 MSBL_EBL_GREY [
2572 "127.0.1.2",
2573 "127.0.1.3",
2574 ]
2575 }
2576 hash = "sha1";
2577 check_replyto = true;
2578 domain_only = false;
2579 dnsbl = "ebl.msbl.org";
2580 }
2581 RSPAMD_EMAILBL {
2582 returncodes {
2583 RSPAMD_EMAILBL = "127.0.0.2";
2584 }
2585 encoding = "base32";
2586 hashlen = 32;
2587 hash = "blake2";
2588 check_replyto = true;
2589 delimiter = ".";
2590 dnsbl = "email.rspamd.com";
2591 }
2592 }
2593}
2594asn {
2595 provider_info {
2596 ip6 = "asn6.rspamd.com";
2597 ip4 = "asn.rspamd.com";
2598 }
2599 provider_type = "rspamd";
2600}
2601settings {
2602}
2603settings {
2604 sign_authenticated {
2605 authenticated = true;
2606 apply {
2607 symbols_enabled [
2608 "DKIM_SIGNED",
2609 ]
2610 flags [
2611 "skip_process",
2612 ]
2613 }
2614 }
2615 sign_id {
2616 apply {
2617 symbols_enabled [
2618 "DKIM_SIGNED",
2619 ]
2620 flags [
2621 "skip_process",
2622 ]
2623 }
2624 id = "dkim";
2625 }
2626 sign_networks {
2627 ip [
2628 "172.16.0.0/16",
2629 "10.0.0.0/8",
2630 ]
2631 apply {
2632 symbols_enabled [
2633 "DKIM_SIGNED",
2634 ]
2635 flags [
2636 "skip_process",
2637 ]
2638 }
2639 }
2640}
2641chartable {
2642 symbol = "R_MIXED_CHARSET";
2643 threshold = 0.300000;
2644}
2645dcc {
2646 enabled = false;
2647 timeout = 2;
2648 socket = "/var/dcc/dccifd";
2649}
2650history_redis {
2651 nrows = 200;
2652 subject_privacy = false;
2653 compress = true;
2654 key_prefix = "rs_history";
2655}
2656classifier {
2657 bayes {
2658 backend = "sqlite3";
2659 min_tokens = 11;
2660 languages_enabled = true;
2661 cache {
2662 path = "/var/lib/rspamd/learn_cache.sqlite";
2663 }
2664 statfile {
2665 path = "/var/lib/rspamd/bayes.ham.sqlite";
2666 spam = false;
2667 symbol = "BAYES_HAM";
2668 }
2669 statfile {
2670 path = "/var/lib/rspamd/bayes.spam.sqlite";
2671 spam = true;
2672 symbol = "BAYES_SPAM";
2673 }
2674 autolearn = true;
2675 tokenizer {
2676 name = "osb";
2677 }
2678 learn_condition = <<EOD
-- Bayes learn condition: decides whether a learn request should proceed.
--
-- Arguments:
--   task       the rspamd task object; only get_request_header() and
--              get_mempool():get_variable() are used here
--   is_spam    true when learning as spam, false when learning as ham
--   is_unlearn accepted for interface compatibility but not consulted
--
-- Returns true to allow the learn. Returns false plus a human-readable
-- reason when the message already sits firmly in the requested class
-- (bayes_prob >= 0.95 for spam, <= 0.05 for ham). A request carrying the
-- HTTP header "Learn-Type: bulk" is always allowed, and so is a task with
-- no stored bayes_prob.
return function(task, is_spam, is_unlearn)
  -- Bulk learning bypasses the "already classified" check entirely.
  local hdr = task:get_request_header('Learn-Type')
  if hdr and tostring(hdr) == 'bulk' then
    return true
  end

  -- Probability left in the task's memory pool by the Bayes classifier;
  -- nothing to compare against when it is absent.
  local p = task:get_mempool():get_variable('bayes_prob', 'double')
  if not p then
    return true
  end

  local class_name, settled
  if is_spam then
    class_name, settled = 'spam', p >= 0.95
  else
    class_name, settled = 'ham', p <= 0.05
  end

  if settled then
    -- Distance from 0.5 rescaled to a 0..100 percentage for the message.
    local confidence = math.abs((p - 0.5) * 200.0)
    return false, string.format('already in class %s; probability %.2f%%',
      class_name, confidence)
  end

  return true
end
2705EOD;
2706 min_learns = 200;
2707 }
2708}
2709url_redirector {
2710 max_size = 10000;
2711 nested_limit = 1;
2712 check_ssl = false;
2713 key_prefix = "rdr:";
2714 expire = 86400;
2715 timeout = 10;
2716}
2717metric_exporter {
2718}
2719trie {
2720}
2721replies {
2722 symbol = "REPLY";
2723 message = "Message is a reply to one we originated";
2724 expire = 86400;
2725 key_prefix = "rr";
2726}
2727greylist {
2728 ipv6_mask = 64;
2729 whitelist_domains_url [
2730 "/etc/rspamd/local.d/greylist-whitelist-domains.inc",
2731 ]
2732 expire = 86400;
2733 ipv4_mask = 19;
2734 message = "Try again later";
2735 max_data_len = 10000;
2736 action = "soft reject";
2737 key_prefix = "rg";
2738 timeout = 300;
2739}
2740redis {
2741 servers = "127.0.0.1";
2742}
2743rbl {
2744 default_exclude_users = true;
2745 default_received = false;
2746 default_unknown = true;
2747 default_from = true;
2748 rbls {
2749 virusfree {
2750 returncodes {
2751 RBL_VIRUSFREE_BOTNET = "127.0.0.2";
2752 }
2753 rbl = "bip.virusfree.cz";
2754 ipv6 = true;
2755 symbol = "RBL_VIRUSFREE_UNKNOWN";
2756 }
2757 blocklistde_received {
2758 ignore_whitelists = true;
2759 symbol = "RECEIVED_BLOCKLISTDE";
2760 from = false;
2761 rbl = "bl.blocklist.de";
2762 received = true;
2763 ipv6 = true;
2764 }
2765 mailspike {
2766 symbol = "MAILSPIKE";
2767 is_whitelist = true;
2768 returncodes {
2769 RWL_MAILSPIKE_NEUTRAL [
2770 "127.0.0.16",
2771 "127.0.0.15",
2772 "127.0.0.14",
2773 "127.0.0.13",
2774 ]
2775 RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
2776 RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
2777 RBL_MAILSPIKE_BAD = "127.0.0.12";
2778 RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
2779 RBL_MAILSPIKE_WORST = "127.0.0.10";
2780 RWL_MAILSPIKE_GOOD = "127.0.0.18";
2781 RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
2782 }
2783 rbl = "rep.mailspike.net";
2784 whitelist_exception = "MAILSPIKE";
2785 whitelist_exception = "RWL_MAILSPIKE_GOOD";
2786 whitelist_exception = "RWL_MAILSPIKE_NEUTRAL";
2787 whitelist_exception = "RWL_MAILSPIKE_POSSIBLE";
2788 whitelist_exception = "RBL_MAILSPIKE_WORST";
2789 whitelist_exception = "RBL_MAILSPIKE_VERYBAD";
2790 whitelist_exception = "RBL_MAILSPIKE_BAD";
2791 }
2792 sem {
2793 rbl = "bl.spameatingmonkey.net";
2794 ipv6 = false;
2795 symbol = "RBL_SEM";
2796 }
2797 nixspam {
2798 rbl = "ix.dnsbl.manitu.net";
2799 ipv6 = true;
2800 symbol = "RBL_NIXSPAM";
2801 }
2802 senderscore {
2803 rbl = "bl.score.senderscore.com";
2804 symbol = "RBL_SENDERSCORE";
2805 }
2806 dnswl_dwl {
2807 unknown = false;
2808 returncodes {
2809 DWL_DNSWL_NONE = "127.0.%d+.0";
2810 DWL_DNSWL_MED = "127.0.%d+.2";
2811 DWL_DNSWL_LOW = "127.0.%d+.1";
2812 DWL_DNSWL_HI = "127.0.%d+.3";
2813 DWL_DNSWL_BLOCKED = "127.0.0.255";
2814 }
2815 dkim_match_from = true;
2816 symbol = "DWL_DNSWL";
2817 dkim = true;
2818 rbl = "dwl.dnswl.org";
2819 dkim_domainonly = false;
2820 ignore_whitelist = true;
2821 }
2822 semIPv6 {
2823 ipv4 = false;
2824 rbl = "bl.ipv6.spameatingmonkey.net";
2825 ipv6 = true;
2826 symbol = "RBL_SEM_IPV6";
2827 }
2828 blocklistde {
2829 rbl = "bl.blocklist.de";
2830 ipv6 = true;
2831 symbol = "RBL_BLOCKLISTDE";
2832 }
2833 exclude_local = true;
2834 dnswl {
2835 symbol = "RCVD_IN_DNSWL";
2836 is_whitelist = true;
2837 returncodes {
2838 RCVD_IN_DNSWL_MED = "127.0.%d+.2";
2839 RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
2840 RCVD_IN_DNSWL_HI = "127.0.%d+.3";
2841 RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
2842 DNSWL_BLOCKED = "127.0.0.255";
2843 }
2844 ipv6 = true;
2845 rbl = "list.dnswl.org";
2846 whitelist_exception = "RCVD_IN_DNSWL";
2847 whitelist_exception = "RCVD_IN_DNSWL_NONE";
2848 whitelist_exception = "RCVD_IN_DNSWL_LOW";
2849 whitelist_exception = "DNSWL_BLOCKED";
2850 }
2851 spamhaus_received {
2852 ignore_whitelists = true;
2853 returncodes {
2854 RECEIVED_SPAMHAUS_CSS = "127.0.0.3";
2855 RECEIVED_SPAMHAUS_XBL [
2856 "127.0.0.4",
2857 "127.0.0.5",
2858 "127.0.0.6",
2859 "127.0.0.7",
2860 ]
2861 RECEIVED_SPAMHAUS_DROP = "127.0.0.9";
2862 RECEIVED_SPAMHAUS_SBL = "127.0.0.2";
2863 RECEIVED_SPAMHAUS_PBL [
2864 "127.0.0.10",
2865 "127.0.0.11",
2866 ]
2867 }
2868 symbol = "RECEIVED_SPAMHAUS";
2869 from = false;
2870 rbl = "zen.spamhaus.org";
2871 received = true;
2872 ipv6 = true;
2873 }
2874 spamhaus {
2875 returncodes {
2876 RBL_SPAMHAUS_SBL = "127.0.0.2";
2877 RBL_SPAMHAUS_XBL [
2878 "127.0.0.4",
2879 "127.0.0.5",
2880 "127.0.0.6",
2881 "127.0.0.7",
2882 ]
2883 RBL_SPAMHAUS_CSS = "127.0.0.3";
2884 RBL_SPAMHAUS_DROP = "127.0.0.9";
2885 RBL_SPAMHAUS_PBL [
2886 "127.0.0.10",
2887 "127.0.0.11",
2888 ]
2889 }
2890 rbl = "zen.spamhaus.org";
2891 ipv6 = true;
2892 symbol = "RBL_SPAMHAUS";
2893 }
2894 }
2895}
2896dkim {
2897 trusted_only = false;
2898 dkim_cache_size = 2000;
2899 dkim_cache_expire = 86400;
2900 time_jitter = 21600;
2901 skip_multi = false;
2902}
2903ratelimit {
2904 whitelisted_ip = "/etc/rspamd/local.d/ip_whitelist.map";
2905 whitelisted_rcpts = "postmaster,mailer-daemon";
2906 rates {
2907 ip_limit {
2908 selector = "ip";
2909 bucket {
2910 burst = 10000;
2911 rate = 100;
2912 }
2913 }
2914 }
2915 max_rcpt = 5;
2916}
2917once_received {
2918 bad_host = "static";
2919 bad_host = "dynamic";
2920 good_host = "mail";
2921 symbol_strict = "ONCE_RECEIVED_STRICT";
2922 symbol_mx = "DIRECT_TO_MX";
2923 symbol = "ONCE_RECEIVED";
2924}
2925ip_score {
2926 whitelist = "/etc/rspamd/local.d/ip_whitelist.map";
2927}