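spamassassin {
    # SpamAssassin-compatible rule import. Rules named here are presumably
    # forced onto the PCRE engine instead of the default matcher — confirm
    # against the module documentation.
    pcre_only [
        "RULE1",
        "__RULE2",
    ]
    # Ruleset file the module loads.
    ruleset = "/etc/rspamd/spamassassin/local.cf";
    # Backtracking bound handed to PCRE; keeps a pathological imported rule
    # from burning unbounded CPU on a crafted message.
    match_limit = 100000;
    # Score threshold for imported rules — presumably rules below it are
    # skipped; confirm the exact semantics before tuning.
    alpha = 0.100000;
}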
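dkim_signing {
    # Outbound DKIM signing. No `path` key appears in this dump, so the
    # private-key location is whatever the module defaults to — confirm, and
    # check that the key file is readable by the rspamd worker only.
    use_esld = true;
    # Header From domain must agree with the envelope domain or no signature.
    allow_hdrfrom_mismatch = false;
    selector = "dkim";
    symbol = "DKIM_SIGNED";
    # Only authenticated submissions are signed ...
    auth_only = true;
    allow_envfrom_empty = true;
    try_fallback = true;
    # Keys are not looked up in Redis; key_prefix is presumably only relevant
    # when use_redis is turned on.
    use_redis = false;
    # ... and the authenticated username has to match the signing domain.
    allow_username_mismatch = false;
    # Unauthenticated local-origin mail is signed too — confirm this is
    # intended, since anything relayed from the local host gets a valid
    # signature.
    sign_local = true;
    key_prefix = "DKIM_KEYS";
    # Signing domain is taken from the header From.
    use_domain = "header";
    # Messages with more than one From address are not signed.
    allow_hdrfrom_multiple = false;
}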
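mx_check {
    # Checks whether the sender domain has a usable MX (symbols MX_GOOD /
    # MX_MISSING / MX_INVALID). Results are cached under the "rmx" key
    # prefix, which presumably needs a Redis backend configured elsewhere —
    # not visible in this dump; confirm.
    enabled = true;
    key_prefix = "rmx";
    symbol_good_mx = "MX_GOOD";
    symbol_no_mx = "MX_MISSING";
    symbol_bad_mx = "MX_INVALID";
    # Per-check timeout (seconds, presumably). One second is tight: slow but
    # legitimate MX hosts may end up as MX_INVALID — watch for false positives.
    timeout = 1;
    # Cache lifetime in seconds (one day).
    expire = 86400;
}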
34regexp {
35 max_size = 1000000;
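HAS_X_SOURCE {
    # Any of the three X-Source* headers is present. No score is set in this
    # dump, so the module's default weight applies — confirm; it reads like a
    # building block for composites rather than a scoring rule.
    re = "header_exists('X-Source') || header_exists('X-Source-Args') || header_exists('X-Source-Dir')";
    group = "compromised_hosts";
    description = "Has X-Source headers";
}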
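TRACKER_ID {
    # Long alphanumeric token sitting right before the end of the text (\z).
    # Flags /isPr select text parts in raw form — confirm, since the rule has
    # no header prefix and is filed under group "header".
    re = "/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr";
    group = "header";
    description = "Spam string at the end of message to make statistics fault";
    score = 3.840000;
}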
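FORGED_GENERIC_RECEIVED4 {
    # Raw Received of the shape "from localhost by <host>; <date>" with a
    # 4-digit zone ending in 0. One of four FORGED_GENERIC_RECEIVED* variants
    # that all score 3.6 — confirm they are meant to add up when several match.
    re = "Received=/^\\s*(.+\\n)*from localhost by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0[\\s\\r\\n]*$/X";
    group = "header";
    description = "Forged generic Received";
    score = 3.600000;
}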
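FORGED_MUA_KMAIL_MSGID {
    # KMail 1.x User-Agent with a Message-Id in KMail's general shape that the
    # `kmail_msgid` symbol (defined outside this dump) did not accept; the
    # trailing !(...) block is the list/relay exemption shared by all
    # FORGED_MUA_* rules.
    re = "(User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H) & (Message-Id=/^<?\\s*\\d+\\.\\d+\\.\\S+\\@\\S+>?$/mH) & !(kmail_msgid) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Message pretends to be send from KMail but has forged Message-ID";
    score = 3;
}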
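FORGED_MUA_THEBAT_BOUN {
    # The Bat! v1 X-Mailer whose MIME boundary is not the ten-dash style the
    # rule expects, and no Mailman version header.
    re = "(X-Mailer=/^The Bat! \\(v1\\./H) & (Content-Type=/boundary/iH) & !(Content-Type=/boundary=\\\"?-{10}/H) & !(X-Mailman-Version=/\\d/H)";
    group = "header";
    description = "Forged The Bat! MUA headers";
    score = 2;
}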
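FORGED_MUA_THEBAT_MSGID_UNKNOWN {
    # The Bat! X-Mailer with a Message-ID matching neither of the two known
    # formats. Sibling FORGED_MUA_THEBAT_MSGID (score 4) covers the case where
    # the short format matches but the timestamped one does not.
    re = "(X-Mailer=/^\\s*The Bat!/H) & !(Message-ID=/^<?\\d+\\.(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)([0-5]\\d)\\@\\S+>?/mH) & !(Message-ID=/^<?\\d+\\.\\d+\\@\\S+>?$/mH) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Message pretends to be send from The Bat! but has forged Message-ID";
    score = 3;
}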
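PHP_XPS_PATTERN {
    # X-PHP-Script of the form <host>/<dir>/sendmail.php. No score in this
    # dump — confirm the default weight it receives.
    re = "X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi";
    group = "compromised_hosts";
    description = "Message contains X-PHP-Script pattern";
}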
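MISSING_SUBJECT {
    # No Subject header at all (raw header check).
    re = "!raw_header_exists(Subject)";
    group = "header";
    description = "Subject header is missing";
    score = 2;
}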
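FROM_EXCESS_BASE64 {
    # From is RFC 2047 B-encoded although the decoded value has only
    # printable 7-bit characters (the negated H-flag match on control/8-bit
    # bytes is what exempts legitimately encoded names).
    re = "From=/=\\?\\S+\\?B\\?/iX & !From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessb64";
    description = "From that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    score = 1.500000;
}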
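FORGED_MSGID_YAHOO {
    # Message-Id claims yahoo.com but From does not.
    re = "(Message-Id=/\\@yahoo\\.com\\b/iH) & !(From=/\\@yahoo\\.com\\b/iH)";
    group = "header";
    description = "Forged yahoo msgid";
    score = 2;
}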
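STOX_REPLY_TYPE {
    # "reply-type=original" parameter inside a text/plain Content-Type.
    re = "Content-Type=/text\\/plain; .* reply-type=original/H";
    group = "header";
    description = "Reply-type in content-type";
    score = 1;
}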
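FORGED_GENERIC_RECEIVED {
    # Raw Received "from [IPv4] by <fqdn|IPv4>; <date>" with a zone ending
    # in 0. See FORGED_GENERIC_RECEIVED2/3/4 for the other shapes (all 3.6).
    re = "Received=/^\\s*(.+\\n)*from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by (([\\w\\d-]+\\.)+[a-zA-Z]{2,6}|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}); \\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X";
    group = "header";
    description = "Forged generic Received";
    score = 3.600000;
}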
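SUBJ_EXCESS_BASE64 {
    # Subject is B-encoded although its decoded value is all 7-bit.
    re = "Subject=/\\=\\?\\S+\\?B\\?/iX & !Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessb64";
    description = "Subject is unnecessarily encoded in base64";
    score = 1.500000;
}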
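SUSPICIOUS_RECIPS {
    # Recipient addresses look machine-generated (distance threshold 0.65);
    # per the description it only kicks in with more than five recipients.
    re = "compare_recipients_distance(0.65)";
    group = "header";
    description = "Recipients seems to be autogenerated (works if recipients count is more than 5)";
    score = 1.500000;
}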
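RCVD_DOUBLE_IP_SPAM {
    # A Received hop where both "from" and "by" are bare IPv4 addresses, in
    # either of two spellings.
    re = "(Received=/from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with/H) | (Received=/from\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s+by\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3};/H)";
    group = "header";
    description = "Two received headers with ip addresses";
    score = 2;
}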
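HIDDEN_SOURCE_OBJ {
    # Script path in X-PHP-Script / X-PHP-Originating-Script / X-Source-Args
    # contains a dot-prefixed (hidden) path component.
    re = "X-PHP-Script=/\\/\\..+/Hi || X-PHP-Originating-Script=/(?:^\\d+:|\\/)\\..+/Hi || X-Source-Args=/\\/\\..+/Hi";
    group = "compromised_hosts";
    score = 2;
    description = "UNIX hidden file/directory in path";
}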
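PRECEDENCE_BULK {
    # Precedence: bulk. Score 0 — informational only.
    re = "Precedence=/bulk/Hi";
    group = "upstream_spam_filters";
    description = "Message marked as bulk";
    score = 0;
}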
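FORGED_OUTLOOK_HTML {
    # Outlook X-Mailer on a message whose only part is HTML, unless it came
    # through a Yahoo Groups (NNFMP) relay.
    re = "!Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H & X-Mailer=/^Microsoft Outlook\\b/H & has_only_html_part()";
    group = "header";
    description = "Forged outlook HTML signature";
    score = 5;
}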
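WWW_DOT_DOMAIN {
    # From / Sender / Reply-To or the envelope sender uses a host that starts
    # with "www.".
    re = "From=/@www\\./Hi || Sender=/@www\\./Hi || Reply-To=/@www\\./Hi || check_smtp_data('from',/@www\\./i)";
    group = "compromised_hosts";
    score = 0.500000;
    description = "From/Sender/Reply-To or Envelope is @www.domain.com";
}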
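MIME_HEADER_CTYPE_ONLY {
    # Content-Type present without Content-Disposition,
    # Content-Transfer-Encoding or a raw MIME-Version, and the type is not
    # text/plain.
    re = "!(header_exists(Content-Disposition)) & !(header_exists(Content-Transfer-Encoding)) & (header_exists(Content-Type)) & !(raw_header_exists(MIME-Version)) & !(content_type_is_type(text) & content_type_is_subtype(plain))";
    group = "header";
    description = "Only Content-Type header without other MIME headers";
    score = 2;
}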
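MID_RHS_WWW {
    # Right-hand side of Message-Id starts with "www.".
    re = "Message-Id=/@www\\./Hi";
    group = "compromised_hosts";
    score = 0.500000;
    description = "Message-ID from www host";
}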
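ENVFROM_SERVICE_ACCT {
    # Envelope sender local part is a daemon / service account name
    # (www-data, apache, nginx, nobody, ...).
    re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)";
    group = "compromised_hosts";
    score = 1;
    description = "Envelope from is a service account";
}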
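SUSPICIOUS_BOUNDARY {
    # Raw Content-Type boundary "----=_NextPart_000_XXXX_<one of four fixed
    # hex blocks>.XXXXXXXX"; /siX = dot matches newline, case-insensitive,
    # raw header.
    re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX";
    group = "mua";
    description = "Suspicious boundary in header Content-Type";
    score = 5;
}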
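XAW_SERVICE_ACCT {
    # X-Authentication-Warning reports that a service account "set sender to"
    # some address.
    re = "X-Authentication-Warning=/\\b(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www) set sender to\\b/Hi";
    group = "compromised_hosts";
    score = 1;
    description = "Message originally from a service account";
}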
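HAS_XAW {
    # X-Authentication-Warning header present. No score in this dump —
    # confirm the default weight.
    re = "header_exists('X-Authentication-Warning')";
    group = "compromised_hosts";
    description = "Has X-Authentication-Warning header";
}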
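HAS_DATA_URI {
    # data: URI with a base64 payload anywhere in the raw body; one_shot caps
    # it at a single hit. No score set — confirm the default weight.
    re = "/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i";
    one_shot = true;
    group = "HTML";
    description = "Has Data URI encoding";
}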
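HAS_WP_URI {
    # Any URL (U flag) containing a "/wp-<something>/" path segment; one_shot.
    # No score set — confirm the default weight.
    re = "/\\/wp-[^\\/]+\\//Ui";
    group = "compromised_hosts";
    one_shot = true;
    description = "Contains WordPress URIs";
}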
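R_SAJDING {
    # Subject contains the word "sajding" (optionally with -om / -a suffix).
    # Score 8 is the highest single-rule weight in this section — confirm it
    # is still wanted for a one-word match.
    re = "Subject=/\\bsajding(?:om|a)?\\b/iH";
    group = "header";
    description = "Subject seems to be spam";
    score = 8;
}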
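FORGED_GENERIC_RECEIVED3 {
    # Raw Received "by IPv4 with SMTP id <14 letters>.<13 digits>; <date>
    # (GMT)" shape.
    re = "Received=/^\\s*(.+\\n)*by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with SMTP id [a-zA-Z]{14}\\.\\d{13};[\\r\\n\\s]*\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0 \\(GMT\\)/X";
    group = "header";
    description = "Forged generic Received";
    score = 3.600000;
}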
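R_NO_SPACE_IN_FROM {
    # Raw From has a non-space character glued to the "<addr>" part.
    re = "From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X";
    group = "header";
    description = "No space in from header";
    score = 1;
}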
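SUSPICIOUS_BOUNDARY4 {
    # NextPart boundary with an 01C4.... block on a message dated 2005 or
    # later (the boundary looks older than the message). The Date regex has no
    # H/X flag — confirm it is applied to the intended header form.
    re = "(Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX) & (Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/)";
    group = "mua";
    description = "Suspicious boundary in header Content-Type";
    score = 4;
}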
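HAS_X_ANTIABUSE {
    # X-AntiAbuse header present. No score set — confirm the default weight.
    re = "header_exists('X-AntiAbuse')";
    group = "compromised_hosts";
    description = "Has X-AntiAbuse headers";
}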
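FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN {
    # Thunderbird / Icedove User-Agent with a Message-ID matching none of the
    # three known Thunderbird formats; shared exemption block at the end.
    re = "(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & !((Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) | (Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
    score = 2.500000;
}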
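HEADER_REPLYTO_DELIMITER_TAB {
    # "Reply-To:" followed by a tab instead of a space, except for mail
    # received from Yandex hosts with a Yandex sender. The same exemption is
    # repeated in the From / Date / Cc variants of this rule.
    re = "(check_header_delimiter_tab(Reply-To)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
    group = "header";
    description = "Header Reply-To begins with tab";
    score = 1;
}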
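HEADER_TO_EMPTY_DELIMITER {
    # "To:" with no whitespace between the colon and the value.
    re = "(check_header_delimiter_empty(To))";
    group = "header";
    description = "Header To has no delimiter between header name and header value";
    score = 1;
}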
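SUBJECT_ENDS_EXCLAIM {
    # Subject ends with "!". Score 0 — informational. Group is "headers"
    # while most rules in this file use "header"; confirm both groups are
    # defined in the metric. Description typo fixed ("exclaimation").
    re = "Subject=/!\\s*$/H";
    group = "headers";
    score = 0;
    description = "Subject ends with an exclamation";
}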
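RATWARE_MS_HASH {
    # Message-Id in the hex$hex$hex@ shape the description attributes to
    # Exchange, but with no MimeOLE header and no Exchange Received hop.
    re = "(Message-Id=/[0-9a-f]{4,}\\$[0-9a-f]{4,}\\$[0-9a-f]{4,}\\@\\S+/H) & !(X-MimeOLE=/^Produced By Microsoft MimeOLE/H) & !(Received=/with Microsoft Exchange Server/H)";
    group = "header";
    description = "Forged Exchange messages";
    score = 2;
}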
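HAS_X_PHP_SCRIPT {
    # X-PHP-Script header present. No score set — confirm the default weight.
    re = "header_exists('X-PHP-Script')";
    group = "compromised_hosts";
    description = "Has X-PHP-Script header";
}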
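HAS_GUC_PROXY_URI {
    # URL going through googleusercontent.com/proxy. Experimental, score 0.01
    # — effectively tracking only.
    re = "/\\.googleusercontent\\.com\\/proxy/{url}i";
    group = "experimental";
    score = 0.010000;
    description = "Has googleusercontent.com proxy URI";
}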
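HAS_X_POS {
    # X-PHP-Originating-Script header present. No score set — confirm the
    # default weight.
    re = "header_exists('X-PHP-Originating-Script')";
    group = "compromised_hosts";
    description = "Has X-PHP-Originating-Script header";
}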
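PHP_SCRIPT_ROOT {
    # X-PHP-Originating-Script uid field is 0, i.e. the PHP script ran as
    # root.
    re = "X-PHP-Originating-Script=/^0:/Hi";
    group = "compromised_hosts";
    score = 1;
    description = "PHP Script executed by root UID";
}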
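MISSING_MIMEOLE {
    # X-MSMail-Priority without X-MimeOLE, excluding SquirrelMail and Outlook
    # 12/14/15. The last X-Mailer regex carries no H/X flag unlike the others
    # — confirm it still matches the same header representation.
    re = "(header_exists(X-MSMail-Priority)) & !(header_exists(X-MimeOLE)) & !(X-Mailer=/SquirrelMail\\b/H) & !(X-Mailer=/^Microsoft (?:Office )?Outlook 1[245]\\.0/)";
    group = "header";
    description = "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)";
    score = 2;
}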
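FORGED_MUA_KMAIL_MSGID_UNKNOWN {
    # KMail 1.x User-Agent whose Message-Id is not in KMail's shape at all;
    # sibling FORGED_MUA_KMAIL_MSGID (score 3) handles the matching-shape case.
    re = "(User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H) & !(Message-Id=/^<?\\s*\\d+\\.\\d+\\.\\S+\\@\\S+>?$/mH) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Message pretends to be send from KMail but has forged Message-ID";
    score = 2.500000;
}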
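SUBJECT_HAS_EXCLAIM {
    # "!" somewhere in Subject but not at its end (that case is
    # SUBJECT_ENDS_EXCLAIM). Score 0. Description typo fixed ("exclaimation").
    re = "Subject=/!/H & !Subject=/!\\s*$/H";
    group = "headers";
    score = 0;
    description = "Subject contains an exclamation";
}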
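SORTED_RECIPS {
    # Recipient list is sorted (is_recipients_sorted).
    re = "is_recipients_sorted()";
    group = "header";
    description = "Recipients list seems to be sorted";
    score = 3.500000;
}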
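HTML_META_REFRESH_URL {
    # <meta http-equiv="refresh" content="N; url=..."> in the raw body;
    # one_shot. Score 5.
    one_shot = true;
    group = "HTML";
    re = "/<meta\\s+http-equiv=\"refresh\"\\s+content=\"\\d+\\s*;\\s*url=/{sa_raw_body}i";
    description = "Has HTML Meta refresh URL";
    score = 5;
}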
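UNITEDINTERNET_SPAM {
    # Upstream verdict: X-UI-Out-Filterresults starts with "junk:". Score 5
    # rests on a header any sender can write — confirm this is only trusted
    # for mail that verifiably came through United Internet's relays.
    re = "X-UI-Out-Filterresults=/^junk:/H";
    group = "upstream_spam_filters";
    description = "United Internet says this message is spam";
    score = 5;
}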
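INTRODUCTION {
    # Body text where the sender introduces themselves, optionally with a
    # title; one_shot, "scams" group.
    one_shot = true;
    group = "scams";
    re = "/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i";
    description = "Sender introduces themselves";
    score = 2;
}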
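HEADER_FROM_DELIMITER_TAB {
    # "From:" followed by a tab instead of a space; same Yandex exemption as
    # the Reply-To / Date / Cc variants.
    re = "(check_header_delimiter_tab(From)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
    group = "header";
    description = "Header From begins with tab";
    score = 1;
}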
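SPAM_FLAG {
    # X-Spam-Flag: yes/true or X-Spam: yes left by a previous filter. Score 5
    # on a trivially writable header — confirm the upstream hop is trusted
    # before relying on it.
    re = "X-Spam-Flag=/^(?:yes|true)/Hi || X-Spam=/^yes$/Hi";
    group = "upstream_spam_filters";
    description = "Message was already marked as spam";
    score = 5;
}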
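FORGED_MUA_THEBAT_MSGID {
    # The Bat! X-Mailer whose Message-ID has the short digits.digits@ shape
    # but not the full timestamped one; shared exemption block at the end.
    re = "(X-Mailer=/^\\s*The Bat!/H) & !(Message-ID=/^<?\\d+\\.(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)([0-5]\\d)\\@\\S+>?/mH) & (Message-ID=/^<?\\d+\\.\\d+\\@\\S+>?$/mH) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Message pretends to be send from The Bat! but has forged Message-ID";
    score = 4;
}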
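AOL_SPAM {
    # Upstream verdict header X-AOL-Global-Disposition starting with "S".
    # Score 5 — same forgeability caveat as the other upstream_spam_filters
    # rules.
    re = "X-AOL-Global-Disposition=/^S/H";
    group = "upstream_spam_filters";
    description = "AOL says this message is spam";
    score = 5;
}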
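REPTO_QUOTE_YAHOO {
    # Quoted display name in Reply-To on a message with a yahoo.com From or
    # Message-Id.
    re = "(Reply-To=/\\\".*\\\"\\s*\\</H) & ((From=/\\@yahoo\\.com\\b/iH) | (Message-Id=/\\@yahoo\\.com\\b/iH))";
    group = "header";
    description = "Quoted reply-to from yahoo (seems to be forged)";
    score = 2;
}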
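MICROSOFT_SPAM {
    # X-Forefront-Antispam-Report contains SFV:SPM. Score 4 — same caveat as
    # the other upstream verdict headers: only meaningful when the hop that
    # added it is trusted.
    re = "X-Forefront-Antispam-Report=/SFV:SPM/H";
    group = "upstream_spam_filters";
    description = "Microsoft says the message is spam";
    score = 4;
}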
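R_UNDISC_RCPT {
    # To header reads "undisclosed recipient(s)".
    re = "(To=/^<?undisclosed[- ]recipient/Hi)";
    group = "header";
    description = "Recipients are absent or undisclosed";
    score = 3;
}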
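MIME_HTML_ONLY {
    # The message has an HTML part and nothing else. Group "headers" (see
    # note on the header/headers split elsewhere in this file).
    re = "has_only_html_part()";
    group = "headers";
    description = "Messages that have only HTML part";
    score = 0.200000;
}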
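FORGED_GENERIC_RECEIVED2 {
    # Raw Received "from [IPv4] by <fqdn> id <12 chars>; <date>" shape.
    re = "Received=/^\\s*(.+\\n)*from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by ([\\w\\d-]+\\.)+[a-z]{2,6} id [\\w\\d]{12}; \\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X";
    group = "header";
    description = "Forged generic Received";
    score = 3.600000;
}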
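CT_EXTRA_SEMI {
    # Raw Content-Type ends with ";".
    re = "Content-Type=/;$/X";
    group = "header";
    score = 1;
    description = "Content-Type ends with a semi-colon";
}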
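DATA_URI_OBFU {
    # data:text/plain or data:text/html with base64 payload in the raw body;
    # one_shot. Every hit here is also a HAS_DATA_URI hit, so the two add up.
    one_shot = true;
    group = "HTML";
    re = "/data:text\\/(?:plain|html);base64,/{sa_raw_body}i";
    score = 2;
    description = "Uses Data URI encoding to obfuscate plain or HTML in base64";
}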
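WP_COMPROMISED {
    # URL with a "/wp-content<…>/" or "/wp-includes<…>/" segment. Note that
    # [^\/]+ demands at least one more character after "content"/"includes",
    # so the plain "/wp-content/" path does not match — confirm that is the
    # intent (the rule may be aimed at mangled variants). No score set.
    re = "/\\/wp-(?:content|includes)[^\\/]+\\//Ui";
    group = "compromised_hosts";
    one_shot = true;
    description = "URL that is pointing to a compromised WordPress installation";
}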
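SUSPICIOUS_BOUNDARY3 {
    # Raw Content-Type boundary "-----000-00dd-01Cxxxxx-xxxxxxxx".
    re = "Content-Type=/^\\s*multipart.+boundary=\"-----000-00\\d\\d-01C[\\dA-F]{5}-[\\dA-F]{8}\"[\\r\\n]*$/siX";
    group = "mua";
    description = "Suspicious boundary in header Content-Type";
    score = 3;
}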
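HAS_PHPMAILER_SIG {
    # PHPMailer X-Mailer, or its b1_/b2_/b3_ boundary prefix. No score set —
    # confirm the default weight.
    re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi";
    group = "compromised_hosts";
    description = "PHPMailer signature";
}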
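MISSING_MID {
    # No Message-Id header.
    re = "!header_exists(Message-Id)";
    group = "header";
    description = "Message id is missing";
    score = 2.500000;
}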
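SUBJECT_NEEDS_ENCODING {
    # Raw Subject contains control or 8-bit bytes but is neither B- nor
    # Q-encoded.
    re = "!(Subject=/=\\?\\S+\\?B\\?/iX) & !(Subject=/=\\?\\S+\\?Q\\?/iX) & (Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
    group = "header";
    description = "Subject needs encoding";
    score = 1;
}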
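HAS_LIST_UNSUB {
    # List-Unsubscribe present. Score -0.01 — informational, not a real
    # ham signal.
    re = "header_exists(List-Unsubscribe)";
    group = "headers";
    score = -0.010000;
    description = "Has List-Unsubscribe header";
}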
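GOOGLE_FORWARDING_MID_MISSING {
    # Google's SMTPIN_ADDED_MISSING marker: the message had no Message-ID
    # before Google forwarded it.
    re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X";
    group = "header";
    description = "Message was missing Message-ID pre-forwarding";
    score = 2.500000;
}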
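CTE_CASE {
    # Raw Content-Transfer-Encoding spelled "7Bit"/"8Bit" (uppercase B).
    re = "Content-Transfer-Encoding=/^[78]B/X";
    group = "header";
    score = 0.500000;
    description = "[78]Bit .vs. [78]bit";
}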
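X_PHPOS_FAKE {
    # X-PHP-Originating-Script whose uid field is exactly seven digits —
    # treated as an implausible uid. Group "headers".
    re = "X-PHP-Originating-Script=/^\\d{7}:/Hi";
    group = "headers";
    score = 3;
    description = "Fake X-PHP-Originating-Script header";
}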
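TO_EXCESS_QP {
    # To is Q-encoded although its decoded value is all 7-bit.
    re = "To=/=\\?\\S+\\?Q\\?/iX & !To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessqp";
    description = "To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    score = 1.200000;
}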
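X_PHP_EVAL {
    # X-PHP-Script / X-PHP-Originating-Script shows the sending code was
    # eval()'d PHP — a strong compromised-host indicator, hence score 4.
    re = "X-PHP-Script=/eval\\(\\)\\'d/Hi || X-PHP-Originating-Script=/eval\\(\\)\\'d/Hi";
    group = "compromised_hosts";
    score = 4;
    description = "Message sent using eval'd PHP";
}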
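SUBJECT_ENDS_SPACES {
    # Subject ends with whitespace.
    re = "Subject=/\\s+$/H";
    group = "headers";
    score = 0.500000;
    description = "Subject ends with space characters";
}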
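SUBJECT_HAS_CURRENCY {
    # Subject contains a currency sign; the u flag enables Unicode matching.
    # "$" is listed twice in the class — harmless duplicate.
    re = "Subject=/[$€$¢¥₽]/Hu";
    group = "headers";
    score = 1;
    description = "Subject contains currency";
}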
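MISSING_TO {
    # No To header at all (raw header check).
    re = "!raw_header_exists(To)";
    group = "header";
    description = "To header is missing";
    score = 2;
}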
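SUBJECT_HAS_QUESTION {
    # "?" somewhere in Subject but not at its end (that case is
    # SUBJECT_ENDS_QUESTION). Score 0 — informational.
    re = "Subject=/\\?/H & !Subject=/\\?\\s*$/Hu";
    group = "headers";
    score = 0;
    description = "Subject contains a question";
}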
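SUBJECT_ENDS_QUESTION {
    # Subject ends with "?".
    re = "Subject=/\\?\\s*$/Hu";
    group = "headers";
    score = 1;
    description = "Subject ends with a question";
}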
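FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN {
    # SeaMonkey User-Agent with a Message-ID matching neither known Mozilla
    # format; shared exemption block at the end.
    re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H) & !(Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
    score = 2.500000;
}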
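INVALID_MSGID {
    # Message-Id present but not of the form <local@domain> built from legal
    # characters, unless it carries a parenthesised comment.
    re = "(header_exists(Message-Id)) & !((Message-Id=/^<?[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\@[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+>?\\s*$/H) | (Message-Id=/\\(.*\\)/H))";
    group = "header";
    description = "Message id is incorrect";
    score = 1.700000;
}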
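CC_EXCESS_QP {
    # Cc is Q-encoded although its decoded value is all 7-bit.
    re = "Cc=/\\=\\?\\S+\\?Q\\?/iX & !Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessqp";
    description = "Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    score = 1.200000;
}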
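FROM_EXCESS_QP {
    # From is Q-encoded although its decoded value is all 7-bit.
    re = "From=/=\\?\\S+\\?Q\\?/iX & !From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessqp";
    description = "From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    score = 1.200000;
}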
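HAS_XOIP {
    # X-Originating-IP header present. Score 0 — informational.
    re = "header_exists('X-Originating-IP')";
    group = "headers";
    score = 0;
    description = "Has X-Originating-IP header";
}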
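SUBJ_EXCESS_QP {
    # Subject is Q-encoded although its decoded value is all 7-bit.
    # Description typo fixed ("Subect").
    re = "Subject=/\\=\\?\\S+\\?Q\\?/iX & !Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessqp";
    description = "Subject is unnecessarily encoded in quoted-printable";
    score = 1.200000;
}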
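FORGED_MUA_OUTLOOK {
    # Outlook Express 4-6, or Outlook 8 / Build 9 / Build 10, X-Mailer with a
    # Message-Id that is not one of the known Outlook formats, minus the
    # shared exemption block and two specific builds excluded at the end.
    # The expression is very long; if it is ever edited, splitting the two
    # X-Mailer branches into named sub-rules would make it reviewable.
    re = "((X-Mailer=/\\bOutlook Express [456]\\./H & !Message-Id=/^<?[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\\@hotmail\\.com>?$/mH & !Message-Id=/^<?(?:[0-9a-f]{8}|[0-9a-f]{12})\\$[0-9a-f]{8}\\$[0-9a-f]{8}\\@\\S+>?$/H & !(List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H)) | (X-Mailer=/^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\\./H & !Message-Id=/^<?(?:[0-9a-f]{8}|[0-9a-f]{12})\\$[0-9a-f]{8}\\$[0-9a-f]{8}\\@\\S+>?$/H & !Message-Id=/^<?\\!\\~\\!>?/H & !Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H & !Message-Id=/^<?[A-F\\d]{36,40}\\@\\S+>?$/H & !(List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))) & !X-Mailer=/^Microsoft Outlook, Build 10.0.3416$/H & !X-Mailer=/^Microsoft Outlook Express 6.00.3790.3959$/H & !Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H";
    group = "mua";
    description = "Forged outlook MUA";
    score = 3;
}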
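R_RCVD_SPAMBOTS {
    # Received starting "from [IPv4] by <host>; <Day, d Mon yyyy hh:mm:ss
    # +zzzz>" with nothing else on the line (multiline anchors).
    re = "Received=/^from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by [-.\\w+]{5,255}; [SMTWF][a-z][a-z], [\\s\\d]?\\d [JFMAJSOND][a-z][a-z] \\d{4} \\d{2}:\\d{2}:\\d{2} [-+]\\d{4}$/mH";
    group = "header";
    description = "Spambots signatures in received headers";
    score = 3;
}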
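TO_NEEDS_ENCODING {
    # Raw To contains control or 8-bit bytes but is neither B- nor Q-encoded.
    re = "!(To=/=\\?\\S+\\?B\\?/iX) & !(To=/=\\?\\S+\\?Q\\?/iX) & (To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
    group = "header";
    description = "To header needs encoding";
    score = 1;
}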
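GOOGLE_FORWARDING_MID_BROKEN {
    # Google's SMTPIN_ADDED_BROKEN marker: the original Message-ID was
    # invalid before forwarding.
    re = "Message-ID=/SMTPIN_ADDED_BROKEN\\@mx\\.google\\.com>$/X";
    group = "header";
    description = "Message had invalid Message-ID pre-forwarding";
    score = 1.700000;
}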
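HAS_INTERSPIRE_SIG {
    # All four X-Mailer-LID/RecptId/SID/Sent-By headers together, or an
    # Interspire-style unsubscribe.php?M=..&C=..&L=..&N=.. List-Unsubscribe
    # URL.
    re = "((header_exists(X-Mailer-LID)) & (header_exists(X-Mailer-RecptId)) & (header_exists(X-Mailer-SID)) & (header_exists(X-Mailer-Sent-By))) | (List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi)";
    group = "header";
    score = 1;
    description = "Has Interspire fingerprint";
}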
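INVALID_POSTFIX_RECEIVED {
    # Raw Received claiming "(Postfix) with ESMTP id ...; <date>" in a
    # layout the rule treats as not genuinely Postfix-generated.
    re = "Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X";
    group = "header";
    description = "Invalid Postfix Received";
    score = 3;
}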
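HAS_ORG_HEADER {
    # Organization or Organisation header present. Score 0 — informational.
    re = "header_exists(Organization) || header_exists(Organisation)";
    group = "headers";
    score = 0;
    description = "Has Organization header";
}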
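FAKE_RECEIVED_smtp_yandex_ru {
    # Intended reading: a mail.ru / gmail.com / ukr.net sender (header From
    # agreeing with Return-path or X-Envelope-From) whose Received claims
    # HELO smtp.yandex.ru in one of nine layouts. As written the expression is
    # "SENDER & RCVD1 | RCVD2 | ... | RCVD9": if & binds tighter than | in the
    # expression parser, RCVD2..RCVD9 fire on their own — including for
    # genuine smtp.yandex.ru hops — without any sender check. Confirm the
    # parser's precedence, or wrap all nine Received alternatives in one
    # pair of parentheses.
    re = "(((From=/\\@mail\\.ru>?$/iX) & ((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) | (X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX))) | ((From=/\\@gmail\\.com>?$/iX) & ((Return-path=/^\\s*<.+\\@gmail\\.com>$/iX) | (X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX))) | ((From=/\\@ukr\\.net>?$/iX) & ((Return-path=/^\\s*<.+\\@ukr\\.net>$/iX) | (X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX)))) & (Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+ )?helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\[UNAVAILABLE\\] \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO smtp\\.yandex\\.ru\\)/iX) | (Received=/from smtp\\.yandex\\.ru \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX) | (Received=/from smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX) | (Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX) | (Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX) | (Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] helo=smtp\\.yandex\\.ru\\)/iX)";
    group = "header";
    description = "Fake smtp.yandex.ru Received";
    score = 4;
}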
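FAKE_RECEIVED_mail_ru {
    # Received claims HELO "mail.ru" but the sender is not a mail.ru address
    # with a matching Return-path / X-Envelope-From.
    re = "(Received=/from mail\\.ru \\(/mH) & !(((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) | (X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX)) & (From=/\\@mail\\.ru>?$/iX))";
    group = "header";
    description = "Fake helo mail.ru in header Received from non mail.ru sender address";
    score = 4;
}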
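SUSPICIOUS_OPERA_10W_MSGID {
    # Opera Mail/10.x (Windows) User-Agent paired with a 2009-prefixed
    # Message-Id of the shape the description attributes to KMail. The same
    # pair is carved out of FORGED_MUA_OPERA_MSGID so it is scored once.
    re = "(User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H) & (Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H)";
    group = "mua";
    description = "Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail";
    score = 4;
}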
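RCVD_ILLEGAL_CHARS {
    # Raw Received contains 8-bit bytes.
    re = "Received=/[\\x80-\\xff]/X";
    group = "header";
    description = "Header Received has raw illegal character";
    score = 4;
}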
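FORGED_OUTLOOK_TAGS {
    # Outlook X-Mailer on a text/html message lacking the full
    # html/head/meta/body tag set, unless it came via a Yahoo Groups NNFMP
    # relay.
    re = "!Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H & X-Mailer=/^Microsoft Outlook\\b/H & content_type_is_type(text) & content_type_is_subtype(/.?html/) & !(has_html_tag(html) & has_html_tag(head) & has_html_tag(meta) & has_html_tag(body))";
    group = "header";
    description = "Message pretends to be send from Outlook but has 'strange' tags";
    score = 2.100000;
}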
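REPLYTO_EXCESS_QP {
    # Reply-To is Q-encoded although its decoded value is all 7-bit.
    re = "Reply-To=/\\=\\?\\S+\\?Q\\?/iX & !Reply-To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessqp";
    description = "Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit";
    score = 1.200000;
}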
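FORGED_MUA_THUNDERBIRD_MSGID {
    # Thunderbird / Icedove User-Agent whose Message-ID has the generic
    # 8-hex.digits@ shape but not the stricter Thunderbird one; shared
    # exemption block at the end.
    re = "(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID";
    score = 4;
}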
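HEADER_DATE_DELIMITER_TAB {
    # "Date:" followed by a tab instead of a space; same Yandex exemption as
    # the Reply-To / From / Cc variants.
    re = "(check_header_delimiter_tab(Date)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
    group = "header";
    description = "Header Date begins with tab";
    score = 1;
}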
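HEADER_CC_DELIMITER_TAB {
    # "Cc:" followed by a tab instead of a space; same Yandex exemption as
    # the Reply-To / From / Date variants. The description used to say "To"
    # although the rule checks Cc — corrected here.
    re = "(check_header_delimiter_tab(Cc)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
    group = "header";
    description = "Header Cc begins with tab";
    score = 1;
}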
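XM_UA_NO_VERSION {
    # X-Mailer or User-Agent contains no digit at all and neither is a URL.
    # Uses && / || where the rest of this file uses & / | — presumably the
    # parser treats them alike; confirm, or normalise for consistency.
    # Experimental, score 0.01.
    re = "(!X-Mailer=/https?:/H && !User-Agent=/https?:/H) && (X-Mailer=/^[^0-9]+$/H || User-Agent=/^[^0-9]+$/H)";
    group = "experimental";
    score = 0.010000;
    description = "X-Mailer/User-Agent has no version";
}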
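SUSPICIOUS_BOUNDARY2 {
    # NextPart boundary with the single fixed block 01C6527E.
    re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(01C6527E)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX";
    group = "mua";
    description = "Suspicious boundary in header Content-Type";
    score = 4;
}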
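TO_EXCESS_BASE64 {
    # To is B-encoded although its decoded value is all 7-bit.
    re = "To=/=\\?\\S+\\?B\\?/iX & !To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessb64";
    description = "To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    score = 1.500000;
}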
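REPLYTO_EXCESS_BASE64 {
    # Reply-To is B-encoded although its decoded value is all 7-bit.
    re = "Reply-To=/\\=\\?\\S+\\?B\\?/iX & !Reply-To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessb64";
    description = "Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    score = 1.500000;
}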
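YANDEX_RU_MAILER {
    # Yamail 5.0 X-Mailer together with a "by webNNx.yandex.ru with HTTP;"
    # Received hop. Score 0 — informational.
    re = "(X-Mailer=/^Yamail \\[ http:\\/\\/yandex\\.ru \\] 5\\.0$/H) & (Received=/^by web\\d{1,2}[a-z]\\.yandex\\.ru with HTTP;/mH)";
    group = "header";
    description = "Sent with yandex.ru web-mail";
    score = 0;
}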
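FORGED_MUA_OPERA_MSGID {
    # Opera Mail 10/11 User-Agent whose Message-ID is not the op.<14 chars>@
    # form; the Opera 10 (Windows) + 2009-prefixed Message-Id pair is carved
    # out because SUSPICIOUS_OPERA_10W_MSGID scores it; shared exemption
    # block at the end.
    re = "(User-Agent=/^\\s*Opera Mail\\/1[01]\\.\\d+ /H) & !(Message-ID=/^<?op\\.[a-z\\d]{14}\\@\\S+>?$/H) & !((User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H) & (Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H)) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
    group = "mua";
    description = "Message pretends to be send from Opera Mail but has forged Message-ID";
    score = 4;
}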
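MAILER_1C_8 {
    # X-Mailer is exactly "1C:Enterprise 8.2" or "8.3". Score 0 —
    # informational.
    re = "X-Mailer=/^1C:Enterprise 8\\.[23]$/H";
    group = "header";
    description = "Sent with 1C:Enterprise 8";
    score = 0;
}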
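R_MISSING_CHARSET {
    # Non-empty text/* body with no charset parameter and a transfer
    # encoding other than 7bit.
    re = "!is_empty_body() & content_type_is_type(text) & !content_type_has_param(charset) & !compare_transfer_encoding(7bit)";
    group = "header";
    description = "Charset is missing in a message";
    score = 2.500000;
}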
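HAS_GOOGLE_REDIR {
    # URL using the google.com/url? redirector. Experimental, score 0.01.
    re = "/\\.google\\.com\\/url\\?/{url}i";
    group = "experimental";
    score = 0.010000;
    description = "Has google.com/url redirection";
}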
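CC_EXCESS_BASE64 {
    # Cc is B-encoded although its decoded value is all 7-bit.
    re = "Cc=/\\=\\?\\S+\\?B\\?/iX & !Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
    group = "excessb64";
    description = "Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit";
    score = 1.500000;
}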
674 FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN {
675 re = "((User-Agent=/^\\s*Mozilla\\/5\\.0/H) & !(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & !(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H)) & !(Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
676 group = "mua";
677 description = "Message pretends to be sent from Mozilla Mail but has forged Message-ID";
678 score = 2.500000;
679 }
680 FROM_NEEDS_ENCODING {
681 re = "!(From=/=\\?\\S+\\?B\\?/iX) & !(From=/=\\?\\S+\\?Q\\?/iX) & (From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
682 group = "header";
683 description = "From header needs encoding";
684 score = 1;
685 }
686 HEADER_REPLYTO_EMPTY_DELIMITER {
687 re = "(check_header_delimiter_empty(Reply-To))";
688 group = "header";
689 description = "Header Reply-To has no delimiter between header name and header value";
690 score = 1;
691 }
692 FM_FAKE_HELO_VERIZON {
693 re = "(X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^ ]+verizon\\.net /iH) & !(X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^ ]+verizon\\.net /iH)";
694 group = "header";
695 description = "Fake helo for verizon provider";
696 score = 2;
697 }
698 FORGED_MUA_SEAMONKEY_MSGID {
699 re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
700 group = "mua";
701 description = "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID";
702 score = 4;
703 }
704 FORGED_MUA_MOZILLA_MAIL_MSGID {
705 re = "((User-Agent=/^\\s*Mozilla\\/5\\.0/H) & !(User-Agent=/^\\s*(Thunderbird|Mozilla Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) & !(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H)) & (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H) & !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H | Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H | Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
706 group = "mua";
707 description = "Message pretends to be sent from Mozilla Mail but has forged Message-ID";
708 score = 4;
709 }
710 X_PHP_FORGED_0X {
711 re = "X-PHP-Originating-Script=/^0\\d/X";
712 group = "header";
713 description = "X-PHP-Originating-Script header appears forged";
714 score = 4;
715 }
716 MAIL_RU_MAILER {
717 re = "(X-Mailer=/^Mail\\.Ru Mailer 1\\.0$/H) & (Received=/^(?:from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] )?by e\\.mail\\.ru with HTTP;/mH)";
718 group = "header";
719 description = "Sent with Mail.Ru web-mail";
720 score = 0;
721 }
722 HEADER_FROM_EMPTY_DELIMITER {
723 re = "(check_header_delimiter_empty(From))";
724 group = "header";
725 description = "Header From has no delimiter between header name and header value";
726 score = 1;
727 }
728 FAKE_REPLY_C {
729 re = "(Subject=/^R[eE]:/H) & (!((header_exists(References) | header_exists(In-Reply-To)))) & ((X-Mailer=/^Gnus v/H) | (X-Mailer=/^Microsoft Outlook Express 5/H) | (X-Mailer=/^Microsoft Outlook Express 6/H) | (X-Mailer=/^Mozilla 4/H) | (X-Mailer=/^SKYRiXgreen/H) | (X-Mailer=/^WWW-Mail \\d/H) | (User-Agent=/^Gnus/H) | (User-Agent=/^KNode/H) | (User-Agent=/^Mutt/H) | (User-Agent=/^Pan/H) | (User-Agent=/^Xnews/H)) & !(X-Mailer=/^Microsoft Outlook Express 6/H)";
730 group = "subject";
731 description = "Fake reply (has RE in subject, but has not References header)";
732 score = 6;
733 }
734 HEADER_DATE_EMPTY_DELIMITER {
735 re = "(check_header_delimiter_empty(Date))";
736 group = "header";
737 description = "Header Date has no delimiter between header name and header value";
738 score = 1;
739 }
740 HEADER_TO_DELIMITER_TAB {
741 re = "(check_header_delimiter_tab(To)) & !((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) & ((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) | (Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
742 group = "header";
743 description = "Header To begins with tab";
744 score = 1;
745 }
746 HEADER_CC_EMPTY_DELIMITER {
747 re = "(check_header_delimiter_empty(Cc))";
748 group = "header";
749 description = "Header Cc has no delimiter between header name and header value";
750 score = 1;
751 }
752}
753arc {
# ARC sealing for mail submitted by authenticated or local senders
# (auth_only + sign_local); the sealing domain is taken from the From header
# (use_domain = "header"), reduced to its eSLD.
754 use_esld = true;
755 allow_hdrfrom_mismatch = false;
756 selector = "2017";
# key_prefix only matters when keys are fetched from redis; use_redis is false
# below, so this value is currently unused.
757 key_prefix = "ARC_KEYS";
758 auth_only = true;
759 allow_envfrom_empty = true;
760 try_fallback = true;
# NOTE(review): there is no $domain in this path, so every domain this host
# seals for shares the one key file. Confirm a single shared sealing key is
# intended (and that the file is readable only by the rspamd user).
761 path = "/var/lib/rspamd/dkim/$selector.key";
762 symbol_sign = "ARC_SIGNED";
763 use_redis = false;
# NOTE(review): with this set to true the authenticated username's domain is
# not required to match the sealing domain, which appears to let any
# authenticated user obtain a seal for any domain this instance has a key
# for. Confirm this is intended; set to false to tie seals to the submitting
# account's domain.
764 allow_username_mismatch = true;
765 sign_local = true;
766 use_domain = "header";
767 allow_hdrfrom_multiple = false;
768}
769maillist {
770 symbol = "MAILLIST";
771}
772lua = "/usr/share/rspamd/rules/rspamd.lua";
773surbl {
774 exceptions = "file:///etc/rspamd/2tld.inc";
775 whitelist = "file:///etc/rspamd/surbl-whitelist.inc";
776 rules {
777 RAMBLER_URIBL {
778 images = true;
779 suffix = "uribl.rambler.ru";
780 }
781 RBL_SARBL_BAD {
782 suffix = "public.sarbl.org";
783 noip = true;
784 images = true;
785 }
786 SEM_URIBL_FRESH15_UNKNOWN {
787 bits {
788 SEM_URIBL_FRESH15 = 2;
789 }
790 suffix = "fresh15.spameatingmonkey.net";
791 no_ip = true;
792 noip = true;
793 }
794 SEM_URIBL_UNKNOWN {
795 bits {
796 SEM_URIBL = 2;
797 }
798 suffix = "uribl.spameatingmonkey.net";
799 no_ip = true;
800 noip = true;
801 }
802 SURBL_MULTI {
803 bits {
804 AB_SURBL_MULTI = 32;
805 SC_SURBL_MULTI = 2;
806 MW_SURBL_MULTI = 16;
807 ABUSE_SURBL = 64;
808 WS_SURBL_MULTI = 4;
809 CRACKED_SURBL = 128;
810 SURBL_BLOCKED = 1;
811 JP_SURBL_MULTI = 64;
812 PH_SURBL_MULTI = 8;
813 }
814 suffix = "multi.surbl.org";
815 }
816 URIBL_MULTI {
817 bits {
818 URIBL_RED = 8;
819 URIBL_BLOCKED = 1;
820 URIBL_BLACK = 2;
821 URIBL_GREY = 4;
822 }
823 suffix = "multi.uribl.com";
824 }
825 HOSTKAMA_URIBL {
826 suffix = "hostkarma.junkemailfilter.com";
827 monitored_domain = "INVALID";
828 enabled = false;
829 noip = true;
830 ips {
831 URIBL_HOSTKAMA_WHITE = "127.0.0.1";
832 URIBL_HOSTKAMA_24_48H = "127.0.2.1";
833 URIBL_HOSTKAMA_OLDER_10D = "127.0.2.3";
834 URIBL_HOSTKAMA_BLACK = "127.0.0.2";
835 URIBL_HOSTKAMA_LAST_10D = "127.0.2.2";
836 URIBL_HOSTKAMA_NOBLACK = "127.0.0.5";
837 URIBL_HOSTKAMA_BROWN = "127.0.0.4";
838 URIBL_HOSTKAMA_YELLOW = "127.0.0.3";
839 }
840 }
841 SBL_URIBL {
842 suffix = "sbl.spamhaus.org";
843 ips {
844 URIBL_SBL = "127.0.0.2";
845 URIBL_SBL_CSS = "127.0.0.3";
846 }
847 resolve_ip = true;
848 }
849 DBL {
850 noip = true;
851 suffix = "dbl.spamhaus.org";
852 no_ip = true;
853 ips {
854 DBL_PROHIBIT = "127.0.1.255";
855 DBL_ABUSE_BOTNET = "127.0.1.106";
856 DBL_PHISH = "127.0.1.4";
857 DBL_ABUSE_REDIR = "127.0.1.103";
858 DBL_ABUSE_MALWARE = "127.0.1.105";
859 DBL_MALWARE = "127.0.1.5";
860 DBL_ABUSE_PHISH = "127.0.1.104";
861 DBL_ABUSE = "127.0.1.102";
862 DBL_BOTNET = "127.0.1.6";
863 DBL_SPAM = "127.0.1.2";
864 }
865 }
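866 RSPAMD_URIBL {
# The name looked up under `suffix` is built from a digest of the URL rather
# than the URL itself: the first 32 base32 characters of the hash become the
# label, so the raw URL is never sent to the resolver.
867 process_script = <<EOD
868function(url, suffix)
869 local cr = require "rspamd_cryptobox_hash"
 -- `local`: the original assigned `h` as a global on every evaluation,
 -- leaking state into the shared Lua environment of the worker.
870 local h = cr.create(url):base32():sub(1, 32)
871 return string.format("%s.%s", h, suffix)
872end
873EOD;
874 suffix = "uribl.rspamd.com";
875 }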
876 }
877}
878modules {
879 path = "/usr/share/rspamd/lua/";
880}
881antivirus {
# ClamAV via clamd over plain TCP. The connection is unauthenticated and
# unencrypted, so keep clamd bound to loopback (as configured here) or switch
# to a UNIX socket.
882 clamav {
# Scan the whole message, not only attachments.
883 attachments_only = false;
884 symbol = "CLAM_VIRUS";
885 log_clean = true;
# Only this ClamAV signature name is treated as a hit; everything else clamd
# reports is ignored. Confirm that is intended — as written, this instance
# effectively only reacts to the EICAR test file.
886 patterns {
887 JUST_EICAR = "^Eicar-Test-Signature$";
888 }
# NOTE(review): messages larger than this (bytes, presumably) are not sent to
# clamd at all, so a large malicious attachment bypasses the AV check
# entirely. Raise this or accept the gap knowingly.
889 max_size = 356000;
890 type = "clamav";
# Domains/senders listed here skip the scan — treat this file as a
# security-sensitive allowlist.
891 whitelist = "/etc/rspamd/antivirus.wl";
892 servers = "127.0.0.1:3310";
# Forced action on a match, independent of the score thresholds in `metric`.
893 action = "reject";
894 }
895}
896whitelist {
897 rules {
898 WHITELIST_DMARC {
899 description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies";
900 score = -7;
901 domains [
902 "/etc/rspamd/dmarc_whitelist.inc",
903 "/var/lib/rspamd/dmarc_whitelist.inc.local",
904 ]
905 valid_dmarc = true;
906 }
907 WHITELIST_SPF_DKIM {
908 valid_spf = true;
909 description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies";
910 domains [
911 "/etc/rspamd/spf_dkim_whitelist.inc",
912 "/var/lib/rspamd/spf_dkim_whitelist.inc.local",
913 ]
914 valid_dkim = true;
915 score = -3;
916 }
917 WHITELIST_DKIM {
918 score = -1;
919 domains [
920 "/etc/rspamd/dkim_whitelist.inc",
921 "/var/lib/rspamd/dkim_whitelist.inc.local",
922 ]
923 valid_dkim = true;
924 description = "Mail comes from the whitelisted domain and has a valid DKIM signature";
925 }
926 WHITELIST_SPF {
927 description = "Mail comes from the whitelisted domain and has a valid SPF policy";
928 domains [
929 "/etc/rspamd/spf_whitelist.inc",
930 "/var/lib/rspamd/spf_whitelist.inc.local",
931 ]
932 valid_spf = true;
933 score = -1;
934 }
935 }
936}
937neural {
938 train {
939 ham_score = -2;
940 max_usages = 20;
941 spam_score = 8;
942 learning_rate = 0.010000;
943 max_iterations = 25;
944 max_train = 1000;
945 }
946 enabled = "yes";
947 timeout = 20;
948 use_settings = false;
949}
950metric {
951 actions {
952 add_header = 6;
953 greylist = 4;
# 150 is far above any score the symbols in this file can realistically sum
# to, so score-based rejection is effectively disabled: only forced actions
# (for example the antivirus module's action = "reject") will reject mail.
# Lower this if rejection by score is actually wanted.
954 reject = 150;
955 }
956 symbol {
# The three MX_* symbols below are declared a second time under
# group.ungrouped later in this file with the same values; keep the two
# copies in sync, or drop one of them.
957 MX_MISSING {
958 one_shot = "true";
959 description = "No MX record";
960 score = 2;
961 }
962 MX_INVALID {
963 one_shot = "true";
964 description = "No connectable MX";
965 score = 1;
966 }
967 MX_GOOD {
968 one_shot = "true";
969 description = "MX was ok";
970 score = -0.500000;
971 }
972 }
973}
974hfilter {
975 rcpt_enabled = true;
976 helo_enabled = true;
977 from_enabled = true;
978 hostname_enabled = true;
979 url_enabled = true;
980 mid_enabled = false;
981}
982phishing {
983 redirector_domains [
984 "/etc/rspamd/redirectors.inc:REDIRECTOR_FALSE",
985 "/etc/rspamd/local.d/redirectors.inc:LOCAL_REDIRECTOR_FALSE",
986 ]
987 openphish_map = "https://www.openphish.com/feed.txt";
988 symbol = "PHISHING";
989 openphish_enabled = false;
990 phishtank_map = "https://rspamd.com/phishtank/online-valid.json.zst";
991 openphish_premium = false;
992 phishtank_enabled = false;
993}
994mime_types {
995 file [
996 "/etc/rspamd/mime_types.inc",
997 "/var/lib/rspamd/mime_types.inc.local",
998 ]
999 extension_map {
1000 pdf [
1001 "application/octet-stream",
1002 "application/pdf",
1003 ]
1004 html = "text/html";
1005 txt [
1006 "message/disposition-notification",
1007 "text/plain",
1008 "text/rfc822-headers",
1009 ]
1010 }
1011}
1012logging {
1013 filename = "/var/log/rspamd/rspamd.log";
# Per-message audit line: rspamd id, queue id, client ip, authenticated user,
# envelope sender, action/score/symbols, message digest, recipients. This is
# the primary forensic record of what this host did with each message; make
# sure rotation retains it long enough for incident response.
1014 log_format = <<EOD
1015id: <$mid>,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user: $,}$if_smtp_from{ from: <$>,}
1016(default: $is_spam ($action): [$scores] [$symbols_scores_params]),
1017len: $len, time: $time_real real, $time_virtual virtual, dns req: $dns_req,
1018digest: <$digest>$if_smtp_rcpts{, rcpts: <$>}$if_mime_rcpts{, mime_rcpts: <$>}$if_filename{, file: $}
1019EOD;
1020 debug_modules [
1021 ]
1022 color = false;
1023 type = "file";
1024 log_re_cache = true;
# NOTE(review): "silent" is the quietest non-debug level. Per rspamd's
# documentation the per-message result line above is still emitted at this
# level, but errors/warnings from modules may not be — confirm on this
# version, and consider "info" if module failures (DNS, map downloads,
# clamd) need to be visible for triage.
1025 level = "silent";
1026}
1027rspamd_update {
# The `sign+` prefix on `rules` makes rspamd verify a detached signature on
# the downloaded ruleset before applying it; `key` is the verification
# (public) key for that signature, so it is not a secret — but it must be
# the publisher's genuine key, otherwise updates are rejected (or, if
# replaced by an attacker's key, untrusted rules would be accepted).
1028 key = "qxuogdh5eghytji1utkkte1dn3n81c3y5twe61uzoddzwqzuxxyb";
1029 rules = "sign+https://updates.rspamd.com/rspamd-1.7.ucl";
1030}
1031fuzzy_check {
1032 retransmits = 1;
1033 rule {
# Public fuzzy storage operated by the rspamd project.
1034 rspamd.com {
1035 symbol = "FUZZY_UNKNOWN";
1036 mime_types [
1037 "*",
1038 ]
# Remote server's public key: presumably enables encrypted transport to the
# fuzzy server (rspamd's fuzzy encryption model) — not a secret. Confirm it
# matches the key published by the project.
1039 encryption_key = "icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy";
# Never learn into the shared public storage from this host.
1040 read_only = true;
# Flag -> symbol mapping; max_score caps each symbol's contribution.
1041 fuzzy_map {
1042 FUZZY_PROB {
1043 flag = 2;
1044 max_score = 10;
1045 }
1046 FUZZY_DENIED {
1047 flag = 1;
1048 max_score = 20;
1049 }
1050 FUZZY_WHITE {
1051 flag = 3;
1052 max_score = 2;
1053 }
1054 }
1055 max_score = 20;
1056 short_text_direct_hash = true;
# Ignore replies whose flag is not listed in fuzzy_map.
1057 skip_unknown = true;
1058 algorithm = "mumhash";
1059 servers = "fuzzy.rspamd.com:11335";
1060 }
1061 }
1062 timeout = 2;
# Messages shorter than this (bytes, presumably) are not hashed or queried.
1063 min_bytes = 1000;
1064}
1065composites {
1066 MAILER_1C_8_BASE64 {
1067 expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
1068 }
1069 RBL_SPAMHAUS_XBL_ANY {
1070 expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
1071 }
1072 AUTH_NA {
1073 score = 1;
1074 policy = "remove_weight";
1075 expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA";
1076 }
1077 SPF_FAIL_FORWARDING {
1078 policy = "remove_weight";
1079 expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
1080 }
1081 FORGED_MUA_MAILLIST {
1082 expression = "g:mua and -MAILLIST";
1083 }
1084 DMARC_POLICY_ALLOW_WITH_FAILURES {
1085 policy = "remove_weight";
1086 expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
1087 }
1088 FORGED_SENDER_MAILLIST {
1089 expression = "FORGED_SENDER & -MAILLIST";
1090 }
1091 YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
1092 expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
1093 }
1094 FORGED_SENDER_FORWARDING {
1095 expression = "FORGED_SENDER & g:forwarding";
1096 }
1097 DKIM_MIXED {
1098 policy = "remove_weight";
1099 expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)";
1100 }
1101 FORGED_RECIPIENTS_MAILLIST {
1102 expression = "FORGED_RECIPIENTS & -MAILLIST";
1103 }
1104 COMPROMISED_ACCT_BULK {
1105 description = "Likely to be from a compromised account";
1106 score = 3;
1107 policy = "leave";
1108 expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
1109 }
1110 UNDISC_RCPTS_BULK {
1111 description = "Missing or undisclosed recipients with a bulk signature";
1112 score = 3;
1113 policy = "leave";
1114 expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
1115 }
1116 HACKED_WP_PHISHING {
1117 policy = "leave";
1118 expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
1119 }
1120 FORGED_RECIPIENTS_FORWARDING {
1121 expression = "FORGED_RECIPIENTS & g:forwarding";
1122 }
1123 FORGED_SENDER_VERP_SRS {
1124 expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
1125 }
1126 MAIL_RU_MAILER_BASE64 {
1127 expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
1128 }
1129}
1130mid {
1131 source {
1132 url [
1133 "/etc/rspamd/mid.inc",
1134 "/etc/rspamd/local.d/mid.inc",
1135 ]
1136 }
1137}
1138url_reputation {
1139 enabled = false;
1140}
1141forged_recipients {
1142 symbol_sender = "FORGED_SENDER";
1143 symbol_rcpt = "FORGED_RECIPIENTS";
1144}
1145spamtrap {
1146 learn_fuzzy = false;
1147 enabled = false;
1148 learn_spam = false;
1149}
1150force_actions {
1151}
1152spf {
1153 spf_cache_expire = 86400;
1154 spf_cache_size = 2000;
1155}
1156clickhouse {
1157 limit = 1000;
1158 ipmask6 = 48;
1159 full_urls = false;
1160 timeout = 5;
1161 ipmask = 19;
1162}
1163group {
1164 statistics {
1165 symbols {
1166 BAYES_HAM {
1167 description = "Message probably ham, probability: ";
1168 weight = -3;
1169 }
1170 BAYES_SPAM {
1171 description = "Message probably spam, probability: ";
1172 weight = 4;
1173 }
1174 }
1175 }
1176 policies {
1177 symbols {
1178 R_SPF_SOFTFAIL {
1179 description = "SPF verification soft-failed";
1180 weight = 0;
1181 }
1182 DMARC_POLICY_ALLOW {
1183 description = "DMARC permit policy";
1184 weight = -0.500000;
1185 }
1186 R_DKIM_REJECT {
1187 one_shot = true;
1188 weight = 1;
1189 description = "DKIM verification failed";
1190 }
1191 R_SPF_FAIL {
1192 description = "SPF verification failed";
1193 weight = 1;
1194 }
1195 DMARC_POLICY_REJECT {
1196 description = "DMARC reject policy";
1197 weight = 2;
1198 }
1199 R_SPF_ALLOW {
1200 description = "SPF verification allows sending";
1201 weight = -0.200000;
1202 }
1203 ARC_ALLOW {
1204 description = "ARC checks success";
1205 weight = -1;
1206 }
1207 DMARC_POLICY_SOFTFAIL {
1208 description = "DMARC failed";
1209 weight = 0.100000;
1210 }
1211 R_SPF_DNSFAIL {
1212 description = "SPF DNS failure";
1213 weight = 0;
1214 }
1215 ARC_NA {
1216 description = "ARC signature absent";
1217 weight = 0;
1218 }
1219 R_SPF_NEUTRAL {
1220 description = "SPF policy is neutral";
1221 weight = 0;
1222 }
1223 R_DKIM_TEMPFAIL {
1224 description = "DKIM verification soft-failed";
1225 weight = 0;
1226 }
1227 ARC_DNSFAIL {
1228 description = "ARC DNS error";
1229 weight = 0;
1230 }
1231 DMARC_POLICY_QUARANTINE {
1232 description = "DMARC quarantine policy";
1233 weight = 1.500000;
1234 }
1235 ARC_INVALID {
1236 description = "ARC structure invalid";
1237 weight = 1;
1238 }
1239 ARC_REJECT {
1240 description = "ARC checks failed";
1241 weight = 2;
1242 }
1243 DMARC_POLICY_ALLOW_WITH_FAILURES {
1244 description = "DMARC permit policy with DKIM/SPF failure";
1245 weight = -0.500000;
1246 }
1247 R_DKIM_ALLOW {
1248 one_shot = true;
1249 weight = -0.200000;
1250 description = "DKIM verification succeed";
1251 }
1252 }
1253 }
1254 hfilter {
1255 symbols {
1256 HFILTER_HOSTNAME_UNKNOWN {
1257 description = "Unknown client hostname (PTR or FCrDNS verification failed)";
1258 weight = 2.500000;
1259 }
1260 HFILTER_FROMHOST_NORESOLVE_MX {
1261 description = "MX found in FROM host and no resolve";
1262 weight = 0.500000;
1263 }
1264 HFILTER_HELO_2 {
1265 description = "Helo host checks (low)";
1266 weight = 1;
1267 }
1268 HFILTER_HELO_NORESOLVE_MX {
1269 description = "MX found in Helo and no resolve";
1270 weight = 0.200000;
1271 }
1272 HFILTER_HOSTNAME_4 {
1273 description = "Hostname checks (hard)";
1274 weight = 2.500000;
1275 }
1276 HFILTER_URL_ONLY {
1277 description = "URL only in body";
1278 weight = 2.200000;
1279 }
1280 HFILTER_FROM_BOUNCE {
1281 description = "Bounce message";
1282 weight = 0;
1283 }
1284 HFILTER_HOSTNAME_2 {
1285 description = "Hostname checks (low)";
1286 weight = 1;
1287 }
1288 HFILTER_HELO_BAREIP {
1289 description = "Helo host is bare ip";
1290 weight = 3;
1291 }
1292 HFILTER_HELO_3 {
1293 description = "Helo host checks (medium)";
1294 weight = 2;
1295 }
1296 HFILTER_URL_ONELINE {
1297 description = "One line URL and text in body";
1298 weight = 2.500000;
1299 }
1300 HFILTER_HOSTNAME_3 {
1301 description = "Hostname checks (medium)";
1302 weight = 2;
1303 }
1304 HFILTER_RCPT_BOUNCEMOREONE {
1305 description = "Message from bounce and over 1 recipient";
1306 weight = 1.500000;
1307 }
1308 HFILTER_FROMHOST_NOT_FQDN {
1309 description = "FROM host not FQDN";
1310 weight = 3;
1311 }
1312 HFILTER_HELO_5 {
1313 description = "Helo host checks (very hard)";
1314 weight = 3;
1315 }
1316 HFILTER_FROMHOST_NORES_A_OR_MX {
1317 description = "FROM host no resolve to A or MX";
1318 weight = 1.500000;
1319 }
1320 HFILTER_HELO_NOT_FQDN {
1321 description = "Helo not FQDN";
1322 weight = 2;
1323 }
1324 HFILTER_HELO_IP_A {
1325 description = "Helo A IP != hostname IP";
1326 weight = 1;
1327 }
1328 HFILTER_HELO_NORES_A_OR_MX {
1329 description = "Helo no resolve to A or MX";
1330 weight = 0.300000;
1331 }
1332 HFILTER_HELO_1 {
1333 description = "Helo host checks (very low)";
1334 weight = 0.500000;
1335 }
1336 HFILTER_HELO_4 {
1337 description = "Helo host checks (hard)";
1338 weight = 2.500000;
1339 }
1340 HFILTER_HELO_BADIP {
1341 description = "Helo host is very bad ip";
1342 weight = 4.500000;
1343 }
1344 HFILTER_HOSTNAME_1 {
1345 description = "Hostname checks (very low)";
1346 weight = 0.500000;
1347 }
1348 HFILTER_HOSTNAME_5 {
1349 description = "Hostname checks (very hard)";
1350 weight = 3;
1351 }
1352 }
1353 }
1354 phishing {
1355 symbols {
1356 HACKED_WP_PHISHING {
1357 description = "Phishing message from hacked wordpress";
1358 weight = 4.500000;
1359 }
1360 PHISHED_OPENPHISH {
1361 description = "Phished URL found in openphish.com";
1362 weight = 7;
1363 }
1364 PHISHING {
1365 one_shot = true;
1366 weight = 4;
1367 description = "Phished URL";
1368 }
1369 PHISHED_PHISHTANK {
1370 description = "Phished URL found in phishtank.com";
1371 weight = 7;
1372 }
1373 }
1374 }
1375 surbl {
1376 symbols {
1377 MSBL_EBL {
1378 one_shot = true;
1379 weight = 7.500000;
1380 description = "MSBL emailbl";
1381 }
1382 URIBL_SBL_CSS {
1383 description = "Spamhaus SBL CSS URIBL";
1384 weight = 6.500000;
1385 }
1386 RBL_SARBL_BAD {
1387 description = "A domain listed in the mail is blacklisted in SARBL";
1388 weight = 2.500000;
1389 }
1390 URIBL_GREY {
1391 one_shot = true;
1392 weight = 1.500000;
1393 description = "uribl.com grey url";
1394 }
1395 SEM_URIBL {
1396 description = "Spameatingmonkey uribl";
1397 weight = 3.500000;
1398 }
1399 PH_SURBL_MULTI {
1400 description = "SURBL: Phishing sites";
1401 weight = 5.500000;
1402 }
1403 SEM_URIBL_UNKNOWN {
1404 description = "Spameatingmonkey uribl: unknown result";
1405 weight = 0;
1406 }
1407 SBL_URIBL {
1408 description = "SBL URIBL: Filtered result";
1409 weight = 0;
1410 }
1411 DBL_ABUSE_PHISH {
1412 description = "DBL uribl abused legit phish";
1413 weight = 7.500000;
1414 }
1415 URIBL_MULTI {
1416 description = "uribl.com: unrecognised result";
1417 weight = 0;
1418 }
1419 URIBL_SBL {
1420 description = "Spamhaus SBL URIBL";
1421 weight = 6.500000;
1422 }
1423 URIBL_RED {
1424 description = "uribl.com red url";
1425 weight = 3.500000;
1426 }
1427 URIBL_BLACK {
1428 description = "uribl.com black url";
1429 weight = 7.500000;
1430 }
1431 SEM_URIBL_FRESH15 {
1432 description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
1433 weight = 3;
1434 }
1435 URIBL_BLOCKED {
1436 description = "uribl.com: query refused";
1437 weight = 0;
1438 }
1439 DBL_SPAM {
1440 description = "DBL uribl spam";
1441 weight = 6.500000;
1442 }
1443 DBL_PROHIBIT {
1444 description = "DBL uribl IP queries prohibited!";
1445 weight = 0;
1446 }
1447 DBL_ABUSE_BOTNET {
1448 description = "DBL uribl abused legit botnet C&C";
1449 weight = 5.500000;
1450 }
1451 DBL_PHISH {
1452 description = "DBL uribl phishing";
1453 weight = 6.500000;
1454 }
1455 DBL_ABUSE_REDIR {
1456 description = "DBL uribl abused spammed redirector domain";
1457 weight = 1.500000;
1458 }
1459 DBL_ABUSE_MALWARE {
1460 description = "DBL uribl abused legit malware";
1461 weight = 7.500000;
1462 }
1463 MW_SURBL_MULTI {
1464 description = "SURBL: Malware sites";
1465 weight = 5.500000;
1466 }
1467 ABUSE_SURBL {
1468 description = "SURBL: ABUSE";
1469 weight = 5.500000;
1470 }
1471 DBL_ABUSE {
1472 description = "DBL uribl abused legit spam";
1473 weight = 6.500000;
1474 }
1475 CRACKED_SURBL {
1476 description = "SURBL: cracked site";
1477 weight = 4;
1478 }
1479 RSPAMD_URIBL {
1480 one_shot = true;
1481 weight = 4.500000;
1482 description = "Rspamd uribl, bl.rspamd.com";
1483 }
1484 DBL_BOTNET {
1485 description = "DBL uribl botnet C&C domain";
1486 weight = 5.500000;
1487 }
1488 DBL_MALWARE {
1489 description = "DBL uribl malware";
1490 weight = 6.500000;
1491 }
1492 SEM_URIBL_FRESH15_UNKNOWN {
1493 description = "Spameatingmonkey Fresh15 uribl: unknown result";
1494 weight = 0;
1495 }
1496 SURBL_BLOCKED {
1497 description = "SURBL: blocked by policy/overusage";
1498 weight = 0;
1499 }
1500 DBL {
1501 description = "DBL unknown result";
1502 weight = 0;
1503 }
1504 RSPAMD_EMAILBL {
1505 one_shot = true;
1506 weight = 9.500000;
1507 description = "Rspamd emailbl, bl.rspamd.com";
1508 }
1509 }
1510 max_score = 12.500000;
1511 }
1512 ungrouped {
1513 symbols {
1514 MX_MISSING {
1515 one_shot = "true";
1516 description = "No MX record";
1517 score = 2;
1518 }
1519 MX_INVALID {
1520 one_shot = "true";
1521 description = "No connectable MX";
1522 score = 1;
1523 }
1524 MX_GOOD {
1525 one_shot = "true";
1526 description = "MX was ok";
1527 score = -0.500000;
1528 }
1529 }
1530 }
1531 headers {
1532 symbols {
1533 R_MIXED_CHARSET {
1534 one_shot = true;
1535 weight = 5;
1536 description = "Mixed characters in a message";
1537 }
1538 FORGED_SENDER {
1539 description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
1540 weight = 0.300000;
1541 }
1542 RDNS_DNSFAIL {
1543 description = "PTR verification DNS error";
1544 weight = 0;
1545 }
1546 FORGED_RECIPIENTS_MAILLIST {
1547 description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
1548 weight = 0;
1549 }
1550 MAILLIST {
1551 description = "Message seems to be from maillist";
1552 weight = -0.200000;
1553 }
1554 ONCE_RECEIVED_STRICT {
1555 description = "One received header with 'bad' patterns inside";
1556 weight = 4;
1557 }
1558 FORGED_RECIPIENTS {
1559 description = "Recipients are not the same as RCPT TO: mail command";
1560 weight = 2;
1561 }
1562 RDNS_NONE {
1563 description = "Cannot resolve reverse DNS for sender's IP";
1564 weight = 1;
1565 }
1566 ONCE_RECEIVED {
1567 description = "One received header in a message";
1568 weight = 0.100000;
1569 }
1570 FORGED_SENDER_MAILLIST {
1571 description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
1572 weight = 0;
1573 }
1574 R_MIXED_CHARSET_URL {
1575 one_shot = true;
1576 weight = 7;
1577 description = "Mixed characters in a URL inside message";
1578 }
1579 }
1580 }
1581 mime_types {
1582 symbols {
1583 MIME_BAD_EXTENSION {
1584 one_shot = true;
1585 weight = 2;
1586 description = "Bad extension";
1587 }
1588 MIME_DOUBLE_BAD_EXTENSION {
1589 one_shot = true;
1590 weight = 3;
1591 description = "Bad extension cloaking";
1592 }
1593 MIME_GOOD {
1594 one_shot = true;
1595 weight = -0.100000;
1596 description = "Known content-type";
1597 }
1598 MIME_ARCHIVE_IN_ARCHIVE {
1599 one_shot = true;
1600 weight = 5;
1601 description = "Archive within another archive";
1602 }
1603 MIME_ENCRYPTED_ARCHIVE {
1604 one_shot = true;
1605 weight = 2;
1606 description = "Encrypted archive in a message";
1607 }
1608 MIME_BAD_ATTACHMENT {
1609 one_shot = true;
1610 weight = 4;
1611 description = "Invalid attachment mime type";
1612 }
1613 MIME_BAD {
1614 one_shot = true;
1615 weight = 1;
1616 description = "Known bad content-type";
1617 }
1618 MIME_UNKNOWN {
1619 one_shot = true;
1620 weight = 0.100000;
1621 description = "Missing or unknown content-type";
1622 }
1623 }
1624 }
1625 subject {
1626 symbols {
1627 }
1628 max_score = 6;
1629 }
1630 excessb64 {
1631 max_score = 3;
1632 }
1633 mua {
1634 symbols {
1635 FORGED_MUA_MAILLIST {
1636 description = "Avoid false positives for FORGED_MUA_* in maillist";
1637 weight = 0;
1638 }
1639 }
1640 }
1641 excessqp {
1642 max_score = 2.400000;
1643 }
1644 rbl {
1645 symbols {
1646 RBL_SPAMHAUS_SBL {
1647 description = "From address is listed in zen sbl";
1648 weight = 2;
1649 }
1650 RBL_SPAMHAUS_XBL_ANY {
1651 description = "From or received address is listed in zen xbl (any list)";
1652 weight = 4;
1653 }
1654 DNSWL_BLOCKED {
1655 description = "Resolver blocked due to excessive queries";
1656 weight = 0;
1657 }
1658 RBL_MAILSPIKE_WORST {
1659 description = "From address is listed in RBL - worst possible reputation";
1660 weight = 2;
1661 }
1662 RBL_MAILSPIKE_VERYBAD {
1663 description = "From address is listed in RBL - very bad reputation";
1664 weight = 1.500000;
1665 }
1666 RWL_MAILSPIKE_NEUTRAL {
1667 description = "Neutral result from Mailspike";
1668 weight = 0;
1669 }
1670 RCVD_IN_DNSWL_NONE {
1671 description = "Sender listed at http://www.dnswl.org, low none";
1672 weight = 0;
1673 }
1674 RBL_SPAMHAUS_PBL {
1675 description = "From address is listed in zen pbl (ISP list)";
1676 weight = 2;
1677 }
1678 RCVD_IN_DNSWL {
1679 description = "Unrecognised result from dnswl.org";
1680 weight = 0;
1681 }
1682 RWL_MAILSPIKE_GOOD {
1683 description = "From address is listed in RWL - good reputation";
1684 weight = 0;
1685 }
1686 RBL_MAILSPIKE_BAD {
1687 description = "From address is listed in RBL - bad reputation";
1688 weight = 1;
1689 }
1690 RBL_SEM_IPV6 {
1691 description = "Address is listed in Spameatingmonkey RBL (ipv6)";
1692 weight = 1;
1693 }
1694 RBL_SEM {
1695 description = "Address is listed in Spameatingmonkey RBL";
1696 weight = 1;
1697 }
1698 RCVD_IN_DNSWL_HI {
1699 description = "Sender listed at http://www.dnswl.org, high trust";
1700 weight = 0;
1701 }
1702 RBL_SENDERSCORE {
1703 description = "From address is listed in senderscore.com BL";
1704 weight = 2;
1705 }
1706 RBL_SPAMHAUS {
1707 description = "Unrecognised result from Spamhaus zen";
1708 weight = 0;
1709 }
1710 RBL_SPAMHAUS_DROP {
1711 description = "From address is listed in zen drop bl";
1712 weight = 7;
1713 }
1714 RWL_MAILSPIKE_VERYGOOD {
1715 description = "From address is listed in RWL - very good reputation";
1716 weight = 0;
1717 }
1718 MAILSPIKE {
1719 description = "Unrecognised result from Mailspike";
1720 weight = 0;
1721 }
1722 RCVD_IN_DNSWL_MED {
1723 description = "Sender listed at http://www.dnswl.org, medium trust";
1724 weight = 0;
1725 }
1726 RWL_MAILSPIKE_POSSIBLE {
1727 description = "From address is listed in RWL - possibly legit";
1728 weight = 0;
1729 }
1730 RBL_SPAMHAUS_XBL {
1731 description = "From address is listed in zen xbl";
1732 weight = 4;
1733 }
1734 RECEIVED_SPAMHAUS_XBL {
1735 one_shot = true;
1736 weight = 3;
1737 description = "Received address is listed in zen xbl";
1738 }
1739 RCVD_IN_DNSWL_LOW {
1740 description = "Sender listed at http://www.dnswl.org, low trust";
1741 weight = 0;
1742 }
1743 RBL_SPAMHAUS_CSS {
1744 description = "From address is listed in zen css";
1745 weight = 2;
1746 }
1747 RBL_ABUSECH {
1748 description = "From address is listed in ABUSE.CH BL";
1749 weight = 1;
1750 }
1751 RWL_MAILSPIKE_EXCELLENT {
1752 description = "From address is listed in RWL - excellent reputation";
1753 weight = 0;
1754 }
1755 }
1756 }
1757 neural {
1758 }
1759 fuzzy {
1760 symbols {
1761 FUZZY_UNKNOWN {
1762 description = "Generic fuzzy hash match, bl.rspamd.com";
1763 weight = 5;
1764 }
1765 FUZZY_PROB {
1766 description = "Probable fuzzy hash, bl.rspamd.com";
1767 weight = 5;
1768 }
1769 FUZZY_DENIED {
1770 description = "Denied fuzzy hash, bl.rspamd.com";
1771 weight = 12;
1772 }
1773 FUZZY_WHITE {
1774 description = "Whitelisted fuzzy hash, bl.rspamd.com";
1775 weight = -2.100000;
1776 }
1777 }
1778 }
1779}
1780metadata_exporter {
1781 rules {
1782 }
1783}
1784multimap {
1785 freemail_envfrom {
1786 filter = "email:domain";
1787 symbol = "FREEMAIL_ENVFROM";
1788 type = "from";
1789 score = 0;
1790 description = "Envelope From is a Freemail address";
1791 map = "https://maps.rspamd.com/freemail/free.txt.zst";
1792 }
1793 freemail_from {
1794 filter = "email:domain";
1795 score = 0;
1796 symbol = "FREEMAIL_FROM";
1797 type = "header";
1798 description = "From is a Freemail address";
1799 header = "from";
1800 map = "https://maps.rspamd.com/freemail/free.txt.zst";
1801 }
1802 disposable_replyto {
1803 filter = "email:domain";
1804 score = 0;
1805 symbol = "DISPOSABLE_REPLYTO";
1806 type = "header";
1807 description = "Reply-To a disposable e-mail address";
1808 header = "Reply-To";
1809 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
1810 }
1811 disposable_cc {
1812 filter = "email:domain";
1813 score = 0;
1814 symbol = "DISPOSABLE_CC";
1815 type = "header";
1816 description = "Cc a disposable e-mail address";
1817 header = "Cc";
1818 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
1819 }
1820 disposable_to {
1821 filter = "email:domain";
1822 score = 0;
1823 symbol = "DISPOSABLE_TO";
1824 type = "header";
1825 description = "To a disposable e-mail address";
1826 header = "To";
1827 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
1828 }
1829 disposable_from {
1830 filter = "email:domain";
1831 score = 0;
1832 symbol = "DISPOSABLE_FROM";
1833 type = "header";
1834 description = "From a Disposable e-mail address";
1835 header = "from";
1836 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
1837 }
1838 freemail_to {
1839 filter = "email:domain";
1840 score = 0;
1841 symbol = "FREEMAIL_TO";
1842 type = "header";
1843 description = "To is a Freemail address";
1844 header = "To";
1845 map = "https://maps.rspamd.com/freemail/free.txt.zst";
1846 }
1847 freemail_envrcpt {
1848 filter = "email:domain";
1849 symbol = "FREEMAIL_ENVRCPT";
1850 type = "rcpt";
1851 score = 0;
1852 description = "Envelope Recipient is a Freemail address";
1853 map = "https://maps.rspamd.com/freemail/free.txt.zst";
1854 }
1855 freemail_replyto {
1856 filter = "email:domain";
1857 score = 0;
1858 symbol = "FREEMAIL_REPLYTO";
1859 type = "header";
1860 description = "Reply-To is a Freemail address";
1861 header = "Reply-To";
1862 map = "https://maps.rspamd.com/freemail/free.txt.zst";
1863 }
1864 disposable_envfrom {
1865 filter = "email:domain";
1866 symbol = "DISPOSABLE_ENVFROM";
1867 type = "from";
1868 score = 0;
1869 description = "Envelope From is a Disposable e-mail address";
1870 map = "https://rspamd.com/freemail/disposable.txt.zst";
1871 }
1872 freemail_cc {
1873 filter = "email:domain";
1874 score = 0;
1875 symbol = "FREEMAIL_CC";
1876 type = "header";
1877 description = "To is a Freemail address";
1878 header = "Cc";
1879 map = "https://maps.rspamd.com/freemail/free.txt.zst";
1880 }
1881 disposable_envrcpt {
1882 filter = "email:domain";
1883 symbol = "DISPOSABLE_ENVRCPT";
1884 type = "rcpt";
1885 score = 0;
1886 description = "Envelope Recipient is a Disposable e-mail address";
1887 map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
1888 }
1889}
# fann_redis: neural-network module trained from scan results.  The `train`
# thresholds presumably mean a message with score <= -2 is a "ham" sample
# and one with score >= 8 a "spam" sample, capped at max_train samples,
# each reused at most max_usages times -- confirm against the docs of the
# installed version.  use_settings = false: training is not split by
# settings-id.
fann_redis {
    train {
        ham_score = -2;
        max_usages = 10;
        spam_score = 8;
        max_train = 10000;
    }
    use_settings = false;
}
# normal worker: the scanning process, listening on loopback only.  The
# rspamd_proxy worker below sets self_scan = true, so it presumably scans
# in-process rather than through this socket -- confirm before firewalling
# or removing it.  task_timeout caps a single scan at 8 s.
worker {
    normal {
        task_timeout = 8;
        count = 1;
        bind_socket = "localhost:11333";
        mime = true;
    }
}
# controller worker: HTTP API and the web UI (static_dir), loopback only.
#
# Security notes (review):
#   - `password` is in rspamd's encrypted-password format ($2$...), not
#     plaintext, but this dump has been published, so treat the credential
#     as exposed and regenerate it (`rspamadm pw`).  No `enable_password`
#     appears here, so this single value presumably grants full
#     (learn/fuzzy/config) access -- confirm, and consider a separate
#     read-only `password` plus `enable_password`.
#   - `secure_ip` lists 127.0.0.1 and ::1.  rspamd treats clients from
#     secure_ip addresses as authenticated without a password (verify for
#     the installed version), and the socket is bound to localhost, so every
#     local user or process on this host -- including a compromised
#     co-located web app -- gets unauthenticated controller access.  Drop
#     secure_ip unless the host is genuinely single-tenant.
worker {
    controller {
        password = "$2$fx88njz5c99dzyenwdonaxcrch9h1ozo$59dcjx5acwfmeoyh6eqztnzrtprf6xj7fq8zeg37umfckkbo77qy";
        secure_ip = "127.0.0.1";
        secure_ip = "::1";
        static_dir = "/usr/share/rspamd/www";
        count = 1;
        bind_socket = "localhost:11334";
    }
}
# rspamd_proxy worker in milter mode (milter = true) on loopback:11332 --
# this is the socket the MTA connects to.  The single `local` upstream has
# self_scan = true and is the default, so messages are presumably scanned
# inside the proxy rather than forwarded to another scanner.
# discard_on_reject and quarantine_on_reject are both false, so a "reject"
# verdict is handed back to the MTA (with reject_message) instead of being
# silently accepted-and-dropped or quarantined.
worker {
    rspamd_proxy {
        max_retries = 5;
        timeout = 15;
        discard_on_reject = false;
        spam_header = "X-Spam";
        quarantine_on_reject = false;
        reject_message = "Spam message rejected";
        count = 1;
        type = "proxy";
        upstream {
            local {
                hosts = "localhost";
                self_scan = true;
                default = true;
            }
        }
        bind_socket = "localhost:11332";
        milter = true;
    }
}
# fuzzy worker: local fuzzy-hash storage backed by Redis.
# NOTE(review): `count = -1` is the idiom the stock worker-fuzzy.inc uses
# to keep this worker disabled -- confirm it is really not running.  If it
# is, `allow_update ["localhost"]` lets any local client add or delete
# hashes (same loopback-trust concern as the controller's secure_ip), and
# stored hashes expire after 7776000 s (90 days).
worker {
    fuzzy {
        backend = "redis";
        allow_update [
            "localhost",
        ]
        count = -1;
        bind_socket = "localhost:11335";
        expire = 7776000;
    }
}
# dmarc: Redis server used by the DMARC module (presumably for report /
# result storage -- the global `redis` section below points at the same
# host, so this override is redundant unless ports or databases differ).
dmarc {
    servers = "127.0.0.1";
}
# milter_headers: headers the proxy/milter adds to (or strips from) each
# message.  Only the routines named in `use` are active.
#
# Security notes (review):
#   - extended_spam_headers = true adds the detailed X-Spamd-Result style
#     headers (score, fired symbols), and skip_local / skip_authenticated are
#     both false, so mail submitted by local and authenticated users carries
#     them too -- i.e. they leave the site and tell external recipients
#     (and spammers probing the filter) exactly which rules fired.  Set
#     skip_authenticated = true, or drop extended_spam_headers, for
#     outbound mail.
#   - `remove = 1` on the routines below asks the milter to strip an
#     incoming header of the same name before adding its own (exact index
#     semantics per the rspamd docs -- confirm), which is what prevents a
#     sender from pre-setting X-Spam-Level / X-Virus on inbound mail.
#   - authentication-results: add_smtp_user = false keeps the SMTP AUTH
#     username out of the header.  Good -- leave it that way.
#   - x-spam-status is configured but not listed in `use`, so it is inert.
#   - x-virus lists CLAM_VIRUS / FPROT_VIRUS; no antivirus module appears
#     in this dump, so the header is presumably never populated here.
milter_headers {
    extended_spam_headers = true;
    use [
        "x-spamd-bar",
        "x-spam-level",
        "x-virus",
        "authentication-results",
    ]
    skip_local = false;
    skip_authenticated = false;
    routines {
        x-spam-level {
            header = "X-Spam-Level";
            remove = 1;
            char = "*";
        }
        x-virus {
            header = "X-Virus";
            remove = 1;
            symbols [
                "CLAM_VIRUS",
                "FPROT_VIRUS",
            ]
        }
        x-spam-status {
            header = "X-Spam-Status";
            remove = 1;
        }
        authentication-results {
            add_smtp_user = false;
        }
    }
}
# actions: score thresholds.  reject = 150 is far above any single weight
# visible in this dump (the largest is FUZZY_DENIED at 12), so in practice
# nothing is rejected and the effective outcomes are greylist (>= 4) and
# add_header (>= 6).  If that is deliberate, say so here; if not, the
# default rspamd reject threshold is an order of magnitude lower.
actions {
    greylist = 4;
    add_header = 6;
    reject = 150;
}
# elastic: Elasticsearch export of scan results.  No `server` is set in
# this dump, so the module presumably stays inactive; if one is added,
# note that exported documents include sender/recipient metadata and the
# index is created per day (index_pattern).
elastic {
    limit = 10;
    import_kibana = false;
    debug = false;
    timeout = 5;
    index_pattern = "rspamd-%Y.%m.%d";
}
# url_tags: explicitly disabled.
url_tags {
    enabled = false;
}
# options: global daemon settings.
#
# Notes (review):
#   - control_socket is created with mode=0600 -- correct, the control
#     socket allows reloads/recompiles and must not be group/world usable.
#   - tempdir = "/tmp" is a shared, world-writable directory; whatever
#     rspamd writes there is exposed to symlink / pre-creation games by other
#     local users.  Prefer a dedicated directory under /var/lib/rspamd.
#   - local_addrs marks loopback as "local", which feeds the *_local /
#     skip_local logic elsewhere (e.g. milter_headers, rbl exclusions).
#   - allow_raw_input = true lets the scanner accept non-MIME input; fine for
#     a milter deployment, but worth knowing if the normal worker socket is
#     ever exposed.
#   - dynamic_conf is a writable file the controller updates at runtime
#     (action thresholds / symbol scores); it should be owned by the rspamd
#     user only.
options {
    cache_file = "/var/lib/rspamd/symbols.cache";
    map_watch_interval = 300;
    tempdir = "/tmp";
    history_rows = 200;
    url_tld = "/usr/share/rspamd/effective_tld_names.dat";
    hs_cache_dir = "/var/lib/rspamd/";
    pidfile = "/run/rspamd/rspamd.pid";
    local_addrs = "127.0.0.0/8, ::1";
    rrd = "/var/lib/rspamd/rspamd.rrd";
    check_all_filters = false;
    explicit_modules [
        "settings",
        "bayes_expiry",
    ]
    control_socket = "/var/lib/rspamd/rspamd.sock mode=0600";
    allow_raw_input = true;
    dynamic_conf = "/var/lib/rspamd/rspamd_dynamic";
    # 1 s timeout with 5 retransmits: a slow resolver costs up to ~5 s per
    # lookup before a DNSBL/DNSWL query is given up on.
    dns {
        sockets = 16;
        timeout = 1;
        retransmits = 5;
    }
    raw_mode = false;
    filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
    classify_headers [
        "User-Agent",
        "X-Mailer",
        "Content-Type",
        "X-MimeOLE",
    ]
    words_decay = 200;
    history_file = "/var/lib/rspamd/rspamd.history";
    one_shot = false;
    map_file_watch_multiplier = 0.100000;
}
# emails: look up e-mail addresses found in the message in DNS blocklists.
# Addresses are hashed before the DNS query (sha1 for MSBL, blake2/base32
# for the rspamd list), so the raw address is not sent to the list
# operator -- but the hash still leaks *that* a given address was seen, and
# every query goes to an external zone via the configured resolver.
# check_replyto = true extends the lookup to the Reply-To header.
emails {
    rules {
        MSBL_EBL {
            # Only a 127.0.0.2 answer counts as listed.
            expect_ip = "127.0.0.2";
            hash = "sha1";
            check_replyto = true;
            domain_only = false;
            dnsbl = "ebl.msbl.org";
        }
        RSPAMD_EMAILBL {
            encoding = "base32";
            hashlen = 32;
            hash = "blake2";
            check_replyto = true;
            delimiter = ".";
            dnsbl = "email.rspamd.com";
        }
    }
}
# asn: resolve the sending IP's AS number via rspamd's DNS zones (external
# lookup of every sender IP -- same resolver/privacy considerations as the
# DNSBL checks).
asn {
    provider_info {
        ip6 = "asn6.rspamd.com";
        ip4 = "asn.rspamd.com";
    }
    provider_type = "rspamd";
}
# chartable: flag mixed-script text (homograph-style spam) above the ratio
# threshold.
chartable {
    symbol = "R_MIXED_CHARSET";
    threshold = 0.300000;
}
# dcc: 2 s timeout for the DCC client; no servers are configured in this
# dump, so the module presumably stays inactive.
dcc {
    timeout = 2;
}
# history_redis: keeps the last nrows scan results in Redis for the
# controller's History tab.
# NOTE(review): subject_privacy = false stores message subjects verbatim in
# Redis, where they are readable by anyone with Redis access and by every
# controller user (including the password-less secure_ip clients).  Set
# subject_privacy = true (subjects are then stored hashed) unless plaintext
# subjects in the history are an explicit requirement.
history_redis {
    nrows = 200;
    subject_privacy = false;
    compress = true;
    key_prefix = "rs_history";
}
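# classifier: Redis-backed Bayes with per-recipient-domain statistics.
#
# - autolearn = true: results that satisfy learn_condition are learned
#   automatically; min_learns = 200 must be reached before the classifier
#   starts scoring.
# - learn_condition: skips learning when the message is already classified
#   with high confidence (>= 0.95 for spam, <= 0.05 for ham) in the class
#   it is about to be learned as, to keep the statistics from saturating
#   on their own verdicts.
# - per_user: returns the domain of the first envelope recipient, so every
#   mailbox in a domain shares one statistics set (and one min_learns
#   counter -- presumably, confirm).  The original leaked `one_rcpt` into
#   the Lua global namespace and would raise on an empty recipient list;
#   both fixed below.
classifier {
    bayes {
        backend = "redis";
        min_tokens = 11;
        min_learns = 200;
        learn_condition = <<EOD
return function(task, is_spam, is_unlearn)
  -- bayes_prob is left in the task mempool by the classifier during the
  -- scan; absent (e.g. manual learn without a prior scan) means "learn".
  local prob = task:get_mempool():get_variable('bayes_prob', 'double')

  if prob then
    local in_class = false
    local cl
    if is_spam then
      cl = 'spam'
      in_class = prob >= 0.95
    else
      cl = 'ham'
      in_class = prob <= 0.05
    end

    if in_class then
      -- (prob - 0.5) * 200 maps 0..1 onto -100..100; abs gives the
      -- confidence percentage for the message.
      return false,string.format('already in class %s; probability %.2f%%',
        cl, math.abs((prob - 0.5) * 200.0))
    end
  end

  return true
end
EOD;
        statfile {
            spam = false;
            symbol = "BAYES_HAM";
        }
        statfile {
            spam = true;
            symbol = "BAYES_SPAM";
        }
        autolearn = true;
        tokenizer {
            name = "osb";
        }
        servers = "127.0.0.1:6379";
        per_user = <<EOD
return function(task)
  -- Argument 1 selects SMTP (envelope) recipients -- confirm against the
  -- Lua API of the installed version.  Returning nil presumably falls back
  -- to the shared statistics.
  local rcpt = task:get_recipients(1)

  if rcpt then
    -- `local` added (was a global); nil check covers an empty list.
    local one_rcpt = rcpt[1]
    if one_rcpt and one_rcpt['domain'] then
      return one_rcpt['domain']
    end
  end

  return nil
end
EOD;
    }
}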
# url_redirector: follows redirects for URLs found in messages so the final
# target can be checked, caching results in Redis (key_prefix / expire).
#
# Security notes (review):
#   - This module makes outbound HTTP(S) requests to attacker-chosen URLs
#     from the scanner host; max_size (10000 bytes), nested_limit (1 hop)
#     and timeout (10 s) bound the cost, but make sure egress from this host
#     cannot reach internal services (it is an SSRF surface by design).
#   - check_ssl = false disables TLS certificate verification for those
#     requests.  The fetched body is only used for redirect resolution, so
#     the impact is limited, but set check_ssl = true unless there is a
#     known reason not to.
url_redirector {
    max_size = 10000;
    nested_limit = 1;
    check_ssl = false;
    key_prefix = "rdr:";
    expire = 86400;
    timeout = 10;
}
# metric_exporter / trie: present with no settings (no backend, no
# patterns), so neither does anything in this dump.
metric_exporter {
}
trie {
}
# replies: remembers Message-IDs this server sent (Redis, key_prefix "rr",
# 24 h) and tags incoming replies to them with REPLY.
replies {
    symbol = "REPLY";
    message = "Message is reply to one we originated";
    expire = 86400;
    key_prefix = "rr";
}
# greylist: temporary "soft reject" for unknown senders, keyed by a masked
# sender address (/19 for IPv4, /64 for IPv6 -- coarse enough that a large
# sender network is treated as one entry) plus message data up to
# max_data_len bytes; a retry after `timeout` seconds is accepted and the
# entry lives `expire` seconds.
# NOTE(review): the `redis` section below lists "greylist" in
# disabled_modules and no `servers` are set here, so this module has no
# storage and is presumably inactive even though actions.greylist = 4 is
# configured -- confirm whether greylisting is meant to be on.
greylist {
    ipv6_mask = 64;
    whitelist_domains_url [
        "/etc/rspamd/local.d/greylist-whitelist-domains.inc",
    ]
    expire = 86400;
    ipv4_mask = 19;
    message = "Try again later";
    max_data_len = 10000;
    action = "soft reject";
    key_prefix = "rg";
    timeout = 300;
}
# redis: default Redis server for every Redis-backed module except those in
# disabled_modules.  No password is configured, so the instance must be
# loopback-only and not shared with untrusted local users (it holds Bayes
# statistics, fuzzy hashes, history with subjects, and the dynamic maps).
# ratelimit and greylist are excluded here and define no servers of their
# own in this dump, so both are presumably inactive.
redis {
    servers = "127.0.0.1";
    disabled_modules [
        "ratelimit",
        "greylist",
    ]
}
# rbl: DNS blocklist / whitelist checks on the connecting IP.
#
# Defaults: exclude_users = true skips authenticated senders; received =
# false means only lists that set received = true (spamhaus_xbl) walk the
# Received chain; from = true checks the connecting address; unknown = true
# presumably fires the list's base symbol for return codes not listed in
# returncodes -- confirm.
#
# NOTE(review): the `spamhaus` entry is disabled, so none of
# RBL_SPAMHAUS_SBL/XBL/CSS/DROP/PBL can fire; the only zen.spamhaus.org
# query left is the Received-hop XBL check.  If it was disabled because
# the resolver is a public/over-quota one that Spamhaus refuses, that
# remaining query has the same problem.  Also verify that spam.abuse.ch
# still answers -- abuse.ch has retired several of its DNSBL zones.
rbl {
    default_exclude_users = true;
    default_received = false;
    default_unknown = true;
    default_from = true;
    rbls {
        # Reputation list: codes 10-12 are blocklist (RBL_*), 13-20 are
        # whitelist (RWL_*).  whitelist_exception names the codes that must
        # NOT be treated as whitelisting even though is_whitelist = true.
        mailspike {
            symbol = "MAILSPIKE";
            is_whitelist = true;
            returncodes {
                RWL_MAILSPIKE_NEUTRAL [
                    "127.0.0.16",
                    "127.0.0.15",
                    "127.0.0.14",
                    "127.0.0.13",
                ]
                RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
                RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
                RBL_MAILSPIKE_BAD = "127.0.0.12";
                RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
                RBL_MAILSPIKE_WORST = "127.0.0.10";
                RWL_MAILSPIKE_GOOD = "127.0.0.18";
                RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
            }
            rbl = "rep.mailspike.net";
            whitelist_exception = "MAILSPIKE";
            whitelist_exception = "RWL_MAILSPIKE_GOOD";
            whitelist_exception = "RWL_MAILSPIKE_NEUTRAL";
            whitelist_exception = "RWL_MAILSPIKE_POSSIBLE";
            whitelist_exception = "RBL_MAILSPIKE_WORST";
            whitelist_exception = "RBL_MAILSPIKE_VERYBAD";
            whitelist_exception = "RBL_MAILSPIKE_BAD";
        }
        sem {
            rbl = "bl.spameatingmonkey.net";
            ipv6 = false;
            symbol = "RBL_SEM";
        }
        senderscore {
            rbl = "bl.score.senderscore.com";
            symbol = "RBL_SENDERSCORE";
        }
        # XBL lookup of every Received hop (received = true, from = false);
        # ignore_whitelists = true keeps a whitelisted connecting IP from
        # masking a compromised hop further back.
        spamhaus_xbl {
            ignore_whitelists = true;
            returncodes {
                RECEIVED_SPAMHAUS_XBL [
                    "127.0.0.4",
                    "127.0.0.5",
                    "127.0.0.6",
                    "127.0.0.7",
                ]
            }
            symbol = "RECEIVED_SPAMHAUS";
            from = false;
            rbl = "zen.spamhaus.org";
            received = true;
            ipv6 = true;
        }
        semIPv6 {
            ipv4 = false;
            rbl = "bl.ipv6.spameatingmonkey.net";
            ipv6 = true;
            symbol = "RBL_SEM_IPV6";
        }
        abusech {
            rbl = "spam.abuse.ch";
            symbol = "RBL_ABUSECH";
        }
        # dnswl.org: "%d+" is a Lua pattern, the third octet encodes the
        # category and the last the trust level.  127.0.0.255 is presumably
        # dnswl's "your resolver is blocked/over quota" answer -- confirm;
        # it is excepted below so it never whitelists.
        dnswl {
            symbol = "RCVD_IN_DNSWL";
            is_whitelist = true;
            returncodes {
                RCVD_IN_DNSWL_MED = "127.0.%d+.2";
                RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
                RCVD_IN_DNSWL_HI = "127.0.%d+.3";
                RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
                DNSWL_BLOCKED = "127.0.0.255";
            }
            ipv6 = true;
            rbl = "list.dnswl.org";
            whitelist_exception = "RCVD_IN_DNSWL";
            whitelist_exception = "RCVD_IN_DNSWL_NONE";
            whitelist_exception = "RCVD_IN_DNSWL_LOW";
            whitelist_exception = "DNSWL_BLOCKED";
        }
        psbl {
            symbol = "RCVD_IN_PSBL";
            rbl = "psbl.surriel.com";
        }
        # Disabled: see the note at the top of this section.
        spamhaus {
            returncodes {
                RBL_SPAMHAUS_SBL = "127.0.0.2";
                RBL_SPAMHAUS_XBL [
                    "127.0.0.4",
                    "127.0.0.5",
                    "127.0.0.6",
                    "127.0.0.7",
                ]
                RBL_SPAMHAUS_CSS = "127.0.0.3";
                RBL_SPAMHAUS_DROP = "127.0.0.9";
                RBL_SPAMHAUS_PBL [
                    "127.0.0.10",
                    "127.0.0.11",
                ]
            }
            symbol = "RBL_SPAMHAUS";
            disabled = true;
            rbl = "zen.spamhaus.org";
            ipv6 = true;
        }
    }
}
# dkim: signature verification.  trusted_only = false verifies every
# signature, not just those from a trusted-domain list; skip_multi = false
# still verifies messages carrying several signatures.  Public keys are
# cached (dkim_cache_size entries, dkim_cache_expire seconds, with up to
# time_jitter seconds of randomisation so the cache does not expire in a
# burst).
dkim {
    trusted_only = false;
    dkim_cache_size = 2000;
    dkim_cache_expire = 86400;
    time_jitter = 21600;
    skip_multi = false;
}
# ratelimit: no `rates` are defined in this dump and the module is in
# redis.disabled_modules with no servers of its own, so no rate limiting is
# applied here despite this section -- confirm that is intended.
# whitelisted_rcpts exempts the RFC-required postmaster / mailer-daemon
# addresses; max_rcpt caps how many recipients are considered per message.
ratelimit {
    max_rcpt = 5;
    whitelisted_rcpts = "postmaster,mailer-daemon";
}
# once_received: flags messages with a single Received header (sent
# directly from an end host).  bad_host substrings ("static", "dynamic")
# in the sending hostname produce the strict symbol; good_host ("mail")
# suppresses it; DIRECT_TO_MX marks direct-to-MX delivery.
once_received {
    bad_host = "static";
    bad_host = "dynamic";
    good_host = "mail";
    symbol_strict = "ONCE_RECEIVED_STRICT";
    symbol_mx = "DIRECT_TO_MX";
    symbol = "ONCE_RECEIVED";
}
# ip_score: present with default settings only (no Redis override); it
# relies on the global `redis` section above.
ip_score {
}