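# Symbol groups: default weight and description for every filter symbol.
#
# Keys used in this file:
#   weight      - score added to a message when the symbol fires; a negative
#                 weight lowers the message score.
#   description - human-readable text shown next to the symbol.
#   one_shot    - the weight is applied once per message, however many times
#                 the symbol matches.
#   groups      - extra groups the symbol belongs to, besides the enclosing one.
#   max_score   - upper bound on the score the whole group may contribute.
#
# A `#` comment runs to the end of its line, so every setting is kept on a
# line of its own; a trailing comment must never share a line with the next
# setting or it silently disables it.

group "headers" {
  symbols = {
    # Header From: differing from the envelope sender scores low on its own.
    # NOTE(review): presumably because forwarders and bulk senders differ
    # legitimately - confirm before raising it.
    "FORGED_SENDER" {
      weight = 0.3;
      description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
    }
    "R_MIXED_CHARSET" {
      weight = 5.0;
      description = "Mixed characters in a message";
      one_shot = true;
    }
    "R_MIXED_CHARSET_URL" {
      weight = 7.0;
      description = "Mixed characters in a URL inside message";
      one_shot = true;
    }
    "FORGED_RECIPIENTS" {
      weight = 2.0;
      description = "Recipients are not the same as RCPT TO: mail command";
    }
    "FORGED_RECIPIENTS_MAILLIST" {
      weight = 0.0;
      description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
    }
    "FORGED_SENDER_MAILLIST" {
      weight = 0.0;
      description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
    }
    "ONCE_RECEIVED" {
      weight = 0.1;
      description = "One received header in a message";
    }
    "RDNS_NONE" {
      weight = 1.0;
      description = "Cannot resolve reverse DNS for sender's IP";
    }
    "RDNS_DNSFAIL" {
      weight = 0.0;
      description = "PTR verification DNS error";
    }
    "ONCE_RECEIVED_STRICT" {
      weight = 4.0;
      description = "One received header with 'bad' patterns inside";
    }
    "MAILLIST" {
      weight = -0.2;
      description = "Message seems to be from maillist";
    }
  }
}

# No symbols are declared here; only the group cap is set.
group "subject" {
  symbols = {}
  max_score = 6.0;
}

group "mua" {
  symbols = {
    "FORGED_MUA_MAILLIST" {
      weight = 0.0;
      description = "Avoid false positives for FORGED_MUA_* in maillist";
    }
  }
}

# DNS allow/block lists keyed on the sending or relaying IP address.
#
# The *_BLOCKED symbols carry no score: they report that the list operator
# is refusing this resolver's queries. While one of them fires, that list
# returns no verdicts at all, so it is worth alerting on.
group "rbl" {
  symbols = {
    "DNSWL_BLOCKED" {
      weight = 0.0;
      description = "Resolver blocked due to excessive queries";
      groups = ["dnswl", "blocked"];
    }
    "RCVD_IN_DNSWL" {
      weight = 0.0;
      description = "Unrecognised result from https://www.dnswl.org";
      groups = ["dnswl"];
    }
    "RCVD_IN_DNSWL_NONE" {
      weight = 0.0;
      description = "Sender listed at https://www.dnswl.org, no trust";
      groups = ["dnswl"];
    }
    "RCVD_IN_DNSWL_LOW" {
      weight = -0.1;
      description = "Sender listed at https://www.dnswl.org, low trust";
      groups = ["dnswl"];
    }
    "RCVD_IN_DNSWL_MED" {
      weight = -0.2;
      description = "Sender listed at https://www.dnswl.org, medium trust";
      groups = ["dnswl"];
    }
    "RCVD_IN_DNSWL_HI" {
      weight = -0.5;
      description = "Sender listed at https://www.dnswl.org, high trust";
      groups = ["dnswl"];
    }

    # The DWL_* allow-list results depend on a valid DKIM signature (see the
    # descriptions) and carry larger negative weights than the IP-based
    # RCVD_IN_DNSWL_* results above.
    "DWL_DNSWL_BLOCKED" {
      weight = 0.0;
      description = "Resolver blocked due to excessive queries (dwl)";
      groups = ["dnswl", "blocked"];
    }
    "DWL_DNSWL" {
      weight = 0.0;
      description = "Unrecognised result from https://www.dnswl.org (dwl)";
      groups = ["dnswl"];
    }
    "DWL_DNSWL_NONE" {
      weight = 0.0;
      description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust";
      groups = ["dnswl"];
    }
    "DWL_DNSWL_LOW" {
      weight = -1.0;
      description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust";
      groups = ["dnswl"];
    }
    "DWL_DNSWL_MED" {
      weight = -2.0;
      description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust";
      groups = ["dnswl"];
    }
    "DWL_DNSWL_HI" {
      weight = -3.5;
      description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, high trust";
      groups = ["dnswl"];
    }

    # Spamhaus ZEN: RBL_* symbols apply to the sending address, RECEIVED_*
    # symbols to addresses seen in Received headers (one_shot, lower weight).
    "RBL_SPAMHAUS" {
      weight = 0.0;
      description = "Unrecognised result from Spamhaus ZEN";
      groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_SBL" {
      weight = 2.0;
      description = "From address is listed in ZEN SBL";
      groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_CSS" {
      weight = 2.0;
      description = "From address is listed in ZEN CSS";
      groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_XBL" {
      weight = 4.0;
      description = "From address is listed in ZEN XBL";
      groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_XBL_ANY" {
      weight = 4.0;
      description = "From or received address is listed in ZEN XBL (any list)";
      groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_PBL" {
      weight = 2.0;
      description = "From address is listed in ZEN PBL (ISP list)";
      groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_DROP" {
      weight = 7.0;
      description = "From address is listed in ZEN DROP BL";
      groups = ["spamhaus"];
    }
    "RECEIVED_SPAMHAUS_SBL" {
      weight = 1.0;
      description = "Received address is listed in ZEN SBL";
      groups = ["spamhaus"];
      one_shot = true;
    }
    "RECEIVED_SPAMHAUS_CSS" {
      weight = 1.0;
      description = "Received address is listed in ZEN CSS";
      groups = ["spamhaus"];
      one_shot = true;
    }
    "RECEIVED_SPAMHAUS_XBL" {
      weight = 3.0;
      description = "Received address is listed in ZEN XBL";
      groups = ["spamhaus"];
      one_shot = true;
    }
    "RECEIVED_SPAMHAUS_PBL" {
      weight = 0.0;
      description = "Received address is listed in ZEN PBL (ISP list)";
      groups = ["spamhaus"];
      one_shot = true;
    }
    "RECEIVED_SPAMHAUS_DROP" {
      weight = 6.0;
      description = "Received address is listed in ZEN DROP BL";
      groups = ["spamhaus"];
      one_shot = true;
    }

    "RBL_SENDERSCORE" {
      weight = 2.0;
      description = "From address is listed in senderscore.com BL";
    }

    "MAILSPIKE" {
      weight = 0.0;
      description = "Unrecognised result from Mailspike";
      groups = ["mailspike"];
    }
    "RWL_MAILSPIKE_NEUTRAL" {
      weight = 0.0;
      description = "Neutral result from Mailspike";
      groups = ["mailspike"];
    }
    "RBL_MAILSPIKE_WORST" {
      weight = 2.0;
      description = "From address is listed in RBL - worst possible reputation";
      groups = ["mailspike"];
    }
    "RBL_MAILSPIKE_VERYBAD" {
      weight = 1.5;
      description = "From address is listed in RBL - very bad reputation";
      groups = ["mailspike"];
    }
    "RBL_MAILSPIKE_BAD" {
      weight = 1.0;
      description = "From address is listed in RBL - bad reputation";
      groups = ["mailspike"];
    }
    "RWL_MAILSPIKE_POSSIBLE" {
      weight = 0.0;
      description = "From address is listed in RWL - possibly legit";
      groups = ["mailspike"];
    }
    "RWL_MAILSPIKE_GOOD" {
      weight = 0.0;
      description = "From address is listed in RWL - good reputation";
      groups = ["mailspike"];
    }
    "RWL_MAILSPIKE_VERYGOOD" {
      weight = 0.0;
      description = "From address is listed in RWL - very good reputation";
      groups = ["mailspike"];
    }
    "RWL_MAILSPIKE_EXCELLENT" {
      weight = 0.0;
      description = "From address is listed in RWL - excellent reputation";
      groups = ["mailspike"];
    }

    "RBL_SEM" {
      weight = 1.0;
      description = "From address is listed in Spameatingmonkey RBL";
      groups = ["sem"];
    }
    "RBL_SEM_IPV6" {
      weight = 1.0;
      description = "From address is listed in Spameatingmonkey RBL (IPv6)";
      groups = ["sem"];
    }
    "RBL_VIRUSFREE_BOTNET" {
      weight = 2.0;
      description = "From address is listed in virusfree.cz BL";
    }
    "RBL_NIXSPAM" {
      weight = 4.0;
      description = "From address is listed in NiX Spam (http://www.dnsbl.manitu.net/)";
    }
    "RBL_BLOCKLISTDE" {
      weight = 4.0;
      description = "From address is listed in Blocklist (https://www.blocklist.de/)";
      groups = ["blocklistde"];
    }
    "RECEIVED_BLOCKLISTDE" {
      weight = 3.0;
      description = "Received address is listed in Blocklist (https://www.blocklist.de/)";
      groups = ["blocklistde"];
      one_shot = true;
    }
  }
}

group "statistics" {
  symbols = {
    # Both descriptions end in "probability: ".
    # NOTE(review): presumably the classifier appends the value - confirm.
    "BAYES_SPAM" {
      weight = 5.1;
      description = "Message probably spam, probability: ";
    }
    "BAYES_HAM" {
      weight = -3.0;
      description = "Message probably ham, probability: ";
    }
  }
}

group "fuzzy" {
  symbols = {
    "FUZZY_UNKNOWN" {
      weight = 5.0;
      description = "Generic fuzzy hash match, bl.rspamd.com";
    }
    "FUZZY_DENIED" {
      weight = 12.0;
      description = "Denied fuzzy hash, bl.rspamd.com";
    }
    "FUZZY_PROB" {
      weight = 5.0;
      description = "Probable fuzzy hash, bl.rspamd.com";
    }
    "FUZZY_WHITE" {
      weight = -2.1;
      description = "Whitelisted fuzzy hash, bl.rspamd.com";
    }
  }
}

# Sender authentication results (SPF, DKIM, DMARC, ARC).
#
# DNS and temporary failures are weighted 0.0: a lookup error neither
# penalises nor rewards the message.
group "policies" {
  symbols = {
    "R_SPF_FAIL" {
      weight = 1.0;
      description = "SPF verification failed";
      groups = ["spf"];
    }
    "R_SPF_SOFTFAIL" {
      weight = 0.0;
      description = "SPF verification soft-failed";
      groups = ["spf"];
    }
    "R_SPF_NEUTRAL" {
      weight = 0.0;
      description = "SPF policy is neutral";
      groups = ["spf"];
    }
    "R_SPF_ALLOW" {
      weight = -0.2;
      description = "SPF verification allows sending";
      groups = ["spf"];
    }
    "R_SPF_DNSFAIL" {
      weight = 0.0;
      description = "SPF DNS failure";
      groups = ["spf"];
    }
    "R_DKIM_REJECT" {
      weight = 1.0;
      description = "DKIM verification failed";
      one_shot = true;
      groups = ["dkim"];
    }
    "R_DKIM_TEMPFAIL" {
      weight = 0.0;
      description = "DKIM verification soft-failed";
      groups = ["dkim"];
    }
    "R_DKIM_ALLOW" {
      weight = -0.2;
      description = "DKIM verification succeed";
      one_shot = true;
      groups = ["dkim"];
    }
    "DMARC_POLICY_ALLOW" {
      weight = -0.5;
      description = "DMARC permit policy";
      groups = ["dmarc"];
    }
    "DMARC_POLICY_ALLOW_WITH_FAILURES" {
      weight = -0.5;
      description = "DMARC permit policy with DKIM/SPF failure";
      groups = ["dmarc"];
    }
    "DMARC_POLICY_REJECT" {
      weight = 2.0;
      description = "DMARC reject policy";
      groups = ["dmarc"];
    }
    "DMARC_POLICY_QUARANTINE" {
      weight = 1.5;
      description = "DMARC quarantine policy";
      groups = ["dmarc"];
    }
    "DMARC_POLICY_SOFTFAIL" {
      weight = 0.1;
      description = "DMARC failed";
      groups = ["dmarc"];
    }
    "ARC_ALLOW" {
      weight = -1.0;
      description = "ARC checks success";
      groups = ["arc"];
    }
    "ARC_REJECT" {
      weight = 2.0;
      description = "ARC checks failed";
      groups = ["arc"];
    }
    "ARC_INVALID" {
      weight = 1.0;
      description = "ARC structure invalid";
      groups = ["arc"];
    }
    "ARC_DNSFAIL" {
      weight = 0.0;
      description = "ARC DNS error";
      groups = ["arc"];
    }
    "ARC_NA" {
      weight = 0.0;
      description = "ARC signature absent";
      groups = ["arc"];
    }
  }
}

# Whitelisted domains earn a discount only together with a passing
# authentication result. Each WHITELIST_* symbol has a BLACKLIST_*
# counterpart that penalises mail claiming a whitelisted domain without
# passing that check, so a spoofed whitelisted domain scores worse.
group "whitelist" {
  max_score = 10.0;
  symbols = {
    "WHITELIST_SPF" {
      weight = -1.0;
      description = "Mail comes from the whitelisted domain and has a valid SPF policy";
    }
    "BLACKLIST_SPF" {
      weight = 1.0;
      description = "Mail comes from the whitelisted domain and has no valid SPF policy";
    }
    "WHITELIST_DKIM" {
      weight = -1.0;
      description = "Mail comes from the whitelisted domain and has a valid DKIM signature";
    }
    "BLACKLIST_DKIM" {
      weight = 2.0;
      description = "Mail comes from the whitelisted domain and has non-valid DKIM signature";
    }
    "WHITELIST_SPF_DKIM" {
      weight = -3.0;
      description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies";
    }
    "BLACKLIST_SPF_DKIM" {
      weight = 3.0;
      description = "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature";
    }
    "WHITELIST_DMARC" {
      weight = -7.0;
      description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies";
    }
    "BLACKLIST_DMARC" {
      weight = 6.0;
      description = "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies";
    }
  }
}

# URL and e-mail address block lists. The group cap keeps several list hits
# on one message from adding up beyond 12.5.
group "surbl" {
  max_score = 12.5;
  symbols = {
    "SURBL_BLOCKED" {
      weight = 0.0;
      description = "SURBL: blocked by policy/overusage";
      groups = ["surblorg", "blocked"];
    }
    "PH_SURBL_MULTI" {
      weight = 5.5;
      description = "SURBL: Phishing sites";
      groups = ["surblorg", "phishing"];
    }
    "MW_SURBL_MULTI" {
      weight = 5.5;
      description = "SURBL: Malware sites";
      groups = ["surblorg"];
    }
    "ABUSE_SURBL" {
      weight = 5.5;
      description = "SURBL: ABUSE";
      groups = ["surblorg"];
    }
    "CRACKED_SURBL" {
      weight = 4.0;
      description = "SURBL: cracked site";
      groups = ["surblorg"];
    }
    "RSPAMD_URIBL" {
      weight = 4.5;
      description = "Rspamd uribl, bl.rspamd.com";
      one_shot = true;
      groups = ["rspamdbl"];
    }
    "RSPAMD_EMAILBL" {
      weight = 9.5;
      description = "Rspamd emailbl, bl.rspamd.com";
      one_shot = true;
      groups = ["rspamdbl"];
    }
    "MSBL_EBL" {
      weight = 7.5;
      description = "MSBL emailbl";
      one_shot = true;
      groups = ["ebl"];
    }
    "MSBL_EBL_GREY" {
      weight = 0.5; # TODO: test it
      description = "MSBL emailbl grey list";
      one_shot = true;
      groups = ["ebl"];
    }
    "SEM_URIBL_UNKNOWN" {
      weight = 0.0;
      description = "Spameatingmonkey uribl: unknown result";
      groups = ["sem"];
    }
    "SEM_URIBL" {
      weight = 3.5;
      description = "Spameatingmonkey uribl";
      groups = ["sem"];
    }
    "SEM_URIBL_FRESH15_UNKNOWN" {
      weight = 0.0;
      description = "Spameatingmonkey Fresh15 uribl: unknown result";
      groups = ["sem"];
    }
    "SEM_URIBL_FRESH15" {
      weight = 3.0;
      description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
      groups = ["sem"];
    }
    "DBL" {
      weight = 0.0;
      description = "DBL unknown result";
      groups = ["spamhaus"];
    }
    "DBL_SPAM" {
      weight = 6.5;
      description = "DBL uribl spam";
      groups = ["spamhaus"];
    }
    "DBL_PHISH" {
      weight = 6.5;
      description = "DBL uribl phishing";
      groups = ["spamhaus"];
    }
    "DBL_MALWARE" {
      weight = 6.5;
      description = "DBL uribl malware";
      groups = ["spamhaus"];
    }
    "DBL_BOTNET" {
      weight = 5.5;
      description = "DBL uribl botnet C&C domain";
      groups = ["spamhaus"];
    }
    "DBL_ABUSE" {
      weight = 6.5;
      description = "DBL uribl abused legit spam";
      groups = ["spamhaus"];
    }
    "DBL_ABUSE_REDIR" {
      weight = 1.5;
      description = "DBL uribl abused spammed redirector domain";
      groups = ["spamhaus"];
    }
    "DBL_ABUSE_PHISH" {
      weight = 7.5;
      description = "DBL uribl abused legit phish";
      groups = ["spamhaus"];
    }
    "DBL_ABUSE_MALWARE" {
      weight = 7.5;
      description = "DBL uribl abused legit malware";
      groups = ["spamhaus"];
    }
    "DBL_ABUSE_BOTNET" {
      weight = 5.5;
      description = "DBL uribl abused legit botnet C&C";
      groups = ["spamhaus"];
    }
    "DBL_PROHIBIT" {
      weight = 0.0;
      description = "DBL uribl IP queries prohibited!";
      groups = ["spamhaus"];
    }
    "URIBL_MULTI" {
      weight = 0.0;
      description = "uribl.com: unrecognised result";
      groups = ["uribl"];
    }
    "URIBL_BLOCKED" {
      weight = 0.0;
      description = "uribl.com: query refused";
      groups = ["uribl", "blocked"];
    }
    "URIBL_BLACK" {
      weight = 7.5;
      description = "uribl.com black url";
      groups = ["uribl"];
    }
    "URIBL_RED" {
      weight = 3.5;
      description = "uribl.com red url";
      groups = ["uribl"];
    }
    "URIBL_GREY" {
      weight = 1.5;
      description = "uribl.com grey url";
      one_shot = true;
      groups = ["uribl"];
    }
    "SPAMHAUS_ZEN_URIBL" {
      weight = 0.0;
      description = "Spamhaus ZEN URIBL: Filtered result";
      groups = ["spamhaus"];
    }
    "URIBL_SBL" {
      weight = 6.5;
      description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
      one_shot = true;
      # Grouped with the other Spamhaus URIBL results so that a cap or a
      # disable applied to the "spamhaus" group covers this symbol too.
      groups = ["spamhaus"];
    }
    "URIBL_SBL_CSS" {
      weight = 6.5;
      description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
      one_shot = true;
      groups = ["spamhaus"];
    }
    "URIBL_XBL" {
      weight = 1.5;
      description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
      one_shot = true;
      groups = ["spamhaus"];
    }
    "URIBL_PBL" {
      weight = 0.01;
      description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
      groups = ["spamhaus"];
    }
    "URIBL_DROP" {
      weight = 5.0;
      description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
      one_shot = true;
      groups = ["spamhaus"];
    }
    "RBL_SARBL_BAD" {
      weight = 2.5;
      description = "A domain in the message body is blacklisted in SARBL";
      one_shot = true;
    }
  }
}

group "phishing" {
  max_score = 10.0;
  symbols = {
    "PHISHING" {
      weight = 4.0;
      description = "Phished URL";
      one_shot = true;
    }
    "PHISHED_OPENPHISH" {
      weight = 7.0;
      description = "Phished URL found in openphish.com";
    }
    "PHISHED_PHISHTANK" {
      weight = 7.0;
      description = "Phished URL found in phishtank.com";
    }
    "HACKED_WP_PHISHING" {
      weight = 4.5;
      description = "Phishing message from hacked wordpress";
    }
  }
}

# Checks on the HELO name, client hostname, From host and Message-id host.
group "hfilter" {
  symbols = {
    "HFILTER_HELO_BAREIP" {
      weight = 3.0;
      description = "Helo host is bare ip";
    }
    "HFILTER_HELO_BADIP" {
      weight = 4.5;
      description = "Helo host is very bad ip";
    }
    "HFILTER_HELO_1" {
      weight = 0.5;
      description = "Helo host checks (very low)";
    }
    "HFILTER_HELO_2" {
      weight = 1.0;
      description = "Helo host checks (low)";
    }
    "HFILTER_HELO_3" {
      weight = 2.0;
      description = "Helo host checks (medium)";
    }
    "HFILTER_HELO_4" {
      weight = 2.5;
      description = "Helo host checks (hard)";
    }
    "HFILTER_HELO_5" {
      weight = 3.0;
      description = "Helo host checks (very hard)";
    }
    "HFILTER_HOSTNAME_1" {
      weight = 0.5;
      description = "Hostname checks (very low)";
    }
    "HFILTER_HOSTNAME_2" {
      weight = 1.0;
      description = "Hostname checks (low)";
    }
    "HFILTER_HOSTNAME_3" {
      weight = 2.0;
      description = "Hostname checks (medium)";
    }
    "HFILTER_HOSTNAME_4" {
      weight = 2.5;
      description = "Hostname checks (hard)";
    }
    "HFILTER_HOSTNAME_5" {
      weight = 3.0;
      description = "Hostname checks (very hard)";
    }
    "HFILTER_HELO_NORESOLVE_MX" {
      weight = 0.2;
      description = "MX found in Helo and no resolve";
    }
    "HFILTER_HELO_NORES_A_OR_MX" {
      weight = 0.3;
      description = "Helo no resolve to A or MX";
    }
    "HFILTER_HELO_IP_A" {
      weight = 1.0;
      description = "Helo A IP != hostname IP";
    }
    "HFILTER_HELO_NOT_FQDN" {
      weight = 2.0;
      description = "Helo not FQDN";
    }
    "HFILTER_FROMHOST_NORESOLVE_MX" {
      weight = 0.5;
      description = "MX found in FROM host and no resolve";
    }
    "HFILTER_FROMHOST_NORES_A_OR_MX" {
      weight = 1.5;
      description = "FROM host no resolve to A or MX";
    }
    "HFILTER_FROMHOST_NOT_FQDN" {
      weight = 3.0;
      description = "FROM host not FQDN";
    }
    "HFILTER_FROM_BOUNCE" {
      weight = 0.0;
      description = "Bounce message";
    }
    "HFILTER_MID_NORESOLVE_MX" {
      weight = 0.5;
      description = "MX found in Message-id host and no resolve";
    }
    "HFILTER_MID_NORES_A_OR_MX" {
      weight = 0.5;
      description = "Message-id host no resolve to A or MX";
    }
    "HFILTER_MID_NOT_FQDN" {
      weight = 0.5;
      description = "Message-id host not FQDN";
    }
    "HFILTER_HOSTNAME_UNKNOWN" {
      weight = 2.5;
      description = "Unknown client hostname (PTR or FCrDNS verification failed)";
    }
    "HFILTER_RCPT_BOUNCEMOREONE" {
      weight = 1.5;
      description = "Message from bounce and over 1 recipient";
    }
    "HFILTER_URL_ONLY" {
      weight = 2.2;
      description = "URL only in body";
    }
    "HFILTER_URL_ONELINE" {
      weight = 2.5;
      description = "One line URL and text in body";
    }
  }
}

# Attachment and content-type checks. Every symbol is one_shot, so a
# message with many attachments is scored once per symbol.
group "mime_types" {
  symbols = {
    "MIME_GOOD" {
      weight = -0.1;
      description = "Known content-type";
      one_shot = true;
    }
    "MIME_BAD" {
      weight = 1.0;
      description = "Known bad content-type";
      one_shot = true;
    }
    "MIME_UNKNOWN" {
      weight = 0.1;
      description = "Missing or unknown content-type";
      one_shot = true;
    }
    "MIME_BAD_ATTACHMENT" {
      weight = 4.0;
      description = "Invalid attachment mime type";
      one_shot = true;
    }
    "MIME_ENCRYPTED_ARCHIVE" {
      weight = 2.0;
      description = "Encrypted archive in a message";
      one_shot = true;
    }
    "MIME_ARCHIVE_IN_ARCHIVE" {
      weight = 5.0;
      description = "Archive within another archive";
      one_shot = true;
    }
    "MIME_DOUBLE_BAD_EXTENSION" {
      weight = 3.0; # This rule has dynamic weight up to 4.0
      description = "Bad extension cloaking";
      one_shot = true;
    }
    "MIME_BAD_EXTENSION" {
      weight = 2.0; # This rule has dynamic weight up to 4.0
      description = "Bad extension";
      one_shot = true;
    }
    "MIME_BAD_UNICODE" {
      weight = 8.0;
      description = "Filename with known obscured unicode characters";
      one_shot = true;
    }
  }
}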