configs/rspamd: add configs

Alex D. 2021-01-10 03:44:49 +00:00
parent ebe58022fd
commit 7539d2575e
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
18 changed files with 1420 additions and 0 deletions

73
configs/rspamd/APKBUILD Normal file

@ -0,0 +1,73 @@
# Contributor: Alex Denes <caskd@redxen.eu>
# Maintainer: Alex Denes <caskd@redxen.eu>
pkgname=redxen-config-rspamd
pkgver=2021.01.10
pkgrel=6
pkgdesc="RSpamD configuration"
url="https://git.redxen.eu/RedXen"
arch="noarch"
license="none"
depends="rspamd"
source="
rspamd.conf
composites.conf
groups.conf
logging.conf
statistic.conf
workers.conf
"
options="!check"
builddir="$srcdir"
_modules="
chartable
dkim
dmarc
fuzzy_check
greylist
maillist
milter_headers
phishing
rbl
redis
spf
"
for i in $_modules; do
subpackages="$pkgname-$i:_module:noarch $subpackages"
depends="$pkgname-$i=$pkgver-r$pkgrel $depends"
source="modules/$i.conf $source"
done
package() {
install -Dm644 rspamd.conf "$pkgdir"/etc/rspamd/redxen/rspamd.conf
install -Dm644 composites.conf "$pkgdir"/etc/rspamd/redxen/composites.conf
install -Dm644 groups.conf "$pkgdir"/etc/rspamd/redxen/groups.conf
install -Dm644 logging.conf "$pkgdir"/etc/rspamd/redxen/logging.conf
install -Dm644 statistic.conf "$pkgdir"/etc/rspamd/redxen/statistic.conf
install -Dm644 workers.conf "$pkgdir"/etc/rspamd/redxen/workers.conf
}
_module() {
local module=${subpkgname##$pkgname-}
depends=""
install -Dm644 "$srcdir"/"$module".conf "$subpkgdir"/etc/rspamd/redxen/modules/"$module".conf
}
sha512sums="99985993e5d7c525280020e7dc30106b3efbaa8ae2830a5069ad4270a8336d33efca74ed26103e1d2f5f341a0cffc4e0f77a2757fdeab27e3b492aa99ae7f977 spf.conf
d42a74d17771497960477878eedda2a00a434cbc1e994b015c21b4f631e24836cb6a7b14a24a2cb42ed15425b7758dc307a6cf602a770cfb0cc20b6f90064af9 redis.conf
a3849ae55a68c90afd913ed18f6b210803f5dbaa2beab5abf23a84b9b4bcb48e617023123724222c1f74a005bf03e1c94e3fa1ded5a6f252d9c2ac317dabc1a2 rbl.conf
6ca83b91e70e43eff6de380065fc5591c6669a27497a47d74e5e096df68afea6269cfad41be982bb144f2dfb92fd5765a600cf9c4067c4612bd1aa1bf5e6ebfd phishing.conf
72840316e3a8905a6e087147b33355c1250209831423871783a4cda5c22dd1ec376ff4da1db05a3a763bd763b6a8ce8b0af9cccf7a3b0c0d0bc507fd3fe40f8f milter_headers.conf
08966d0a3c077a12a1113f774e11d51d3c7d04bb45914e295324e8aa51c3d75b55395c256a905c6d9ae1e98a004a9e6b3b37d36fce810a426dd5d90408331c0a maillist.conf
8660fd01589476bbc01bbe75bed392faa55f55fa9b6fea77be79f339cefb43ddbacdbe193ad136c42da91d4ef7f1e1ec40fc5f8f4f398d04bcebf51d5a59ad1f greylist.conf
227f215b4e65bff86428502425f1295b21e0f6e8c4b990e4f19aa8e1bb3f1cee18d1b8644e1223edb606292c786e814acc68d276562c8fb4f23fdce6b538689a fuzzy_check.conf
e14c3683b48dde5584cbcd0bd5811f6111a201635dd7400d7703003b4c98255d10be9b64ee81784c1fe1df50159e12d6777086c5a18ee9b14be852d233cf6dc5 dmarc.conf
ad3fa5e3c4c3d7b882c9e85bdde3b1949a32f2f2c9dd43e38977d828e7b6740d31002c502f24a0ea2e27105d5a6b1af7b7140c5d8e306f90c3f7d28c1e4607d5 dkim.conf
dcec5c53bd29c345ed5c47727af9a8d11328cc8f69ae61064ba3b053ee306baa79b747067097b2354a1fecd6e6527d56d14c79be22c94531f2a5ddc41ce3ca7e chartable.conf
e95cd76aacc8c24ba499e5ff2853a3bef17a0b2b76fa46bb2fb7b31f73f7a62027f3569ee5ed283ede8611af68bd246e10e38dfe71665dea3073aad39068f109 rspamd.conf
667ec0331c811730e096e27f5e8659062239f46e3ccd148411984bb4d83b8770cc0d7d3c74dd5a2da71781e9b99d4bcb5a700cbd5f56ae8e17f7c4e50519ffb2 composites.conf
4ea651877607573126a731619801458798c1e8e4de3522462af4c71adc38141d09a0c75c2c83a33698e3c51095d0b7d364e1ceb3aa534a4157106370a7800e4a groups.conf
78df39cbc6e09cdc5e01d27e123d82aa677a70a6f5d59ba0be8d0ce6af012c5311e4a2527e4fbc586f9cdd8da033e9f05e2371970fa23db60eaa8c16c8e85f05 logging.conf
2d27d5ac1800ee28948f8fcc276cc5c62c97a19d01dde2263eadf3ec4f8eb3bbb8417f4271324c5cfbf1ebd60759aa9047849ea803da96c8632c21966b794e6c statistic.conf
8fd778a46ce497a2399b455ba423c5a6308082ac41ac21cac4dbf65447e151e115ef21ac9820ab84f445af8530bc915b8c7394d28eb4b8179c3143c1817093b8 workers.conf"
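Review bot: `_module()` installs every module file with `install -Dm644`, and that list includes redis.conf, so a Redis `password` added to that file later would be readable by every local user. Consider a tighter mode for the files that can carry credentials, for example `install -Dm640` with ownership matching whatever account rspamd runs as on this system (not visible here). The fuzzy_check module is packaged the same way, so the same applies if a private storage key is ever configured there.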


@ -0,0 +1,131 @@
composites {
FORGED_RECIPIENTS_MAILLIST {
expression = "FORGED_RECIPIENTS & -MAILLIST";
}
FORGED_SENDER_MAILLIST {
expression = "FORGED_SENDER & -MAILLIST";
}
FORGED_SENDER_FORWARDING {
expression = "FORGED_SENDER & g:forwarding";
description = "Forged sender, but message is forwarded";
policy = "remove_weight";
}
SPF_FAIL_FORWARDING {
expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
policy = "remove_weight";
}
DMARC_POLICY_ALLOW_WITH_FAILURES {
expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
policy = "remove_weight";
}
FORGED_RECIPIENTS_FORWARDING {
expression = "FORGED_RECIPIENTS & g:forwarding";
policy = "remove_weight";
}
FORGED_SENDER_VERP_SRS {
expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
}
FORGED_MUA_MAILLIST {
expression = "g:mua & -MAILLIST";
}
RBL_SPAMHAUS_XBL_ANY {
expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
description = "From and Received address are listed in Spamhaus XBL";
}
AUTH_NA {
expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
score = 1.0;
policy = "remove_weight";
description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
}
DKIM_MIXED {
expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
policy = "remove_weight";
}
MAIL_RU_MAILER_BASE64 {
expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
}
YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
}
MAILER_1C_8_BASE64 {
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
}
HACKED_WP_PHISHING {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
description = "Phish message sent by hacked Wordpress instance";
policy = "leave";
}
COMPROMISED_ACCT_BULK {
expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
description = "Likely to be from a compromised account";
score = 3.0;
policy = "leave";
}
UNDISC_RCPTS_BULK {
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
description = "Missing or undisclosed recipients with a bulk signature";
score = 3.0;
policy = "leave";
}
RCVD_UNAUTH_PBL {
expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
score = 2.0;
policy = "leave";
}
RCVD_DKIM_ARC_DNSWL_MED {
expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
score = -0.5;
policy = "leave";
}
RCVD_DKIM_ARC_DNSWL_HI {
expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
score = -1.0;
policy = "leave";
}
AUTOGEN_PHP_SPAMMY {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
description = "Message was generated by PHP script and contains some spam indicators";
score = 1.0;
policy = "leave";
}
PHISH_EMOTION {
expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
description = "Phish message with subject trying to address users emotion";
score = 1.0;
policy = "leave";
}
HAS_ANON_DOMAIN {
expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
description = "Contains one or more domains trying to disguise owner/destination";
score = 0.1;
policy = "leave";
}
BAD_REP_POLICIES {
description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
score = 0.1;
}
VIOLATED_DIRECT_SPF {
description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
policy = "leave";
score = 3.5;
}
LEAKED_PASSWORD_SPAM_FP {
description = "Looks like a BTC pattern but address syntax is invalid",
expression = "LEAKED_PASSWORD_SCAM_INVALID & LEAKED_PASSWORD_SCAM";
policy = "remove_all";
score = 0.0; # To negate LEAKED_PASSWORD_SCAM
}
IP_SCORE_FREEMAIL {
description = "Negate IP_SCORE when message comes from FreeMail";
expression = "FREEMAIL_FROM & IP_SCORE";
score = 0.0;
policy = "remove_weight";
}
}
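Review bot: `RCVD_UNAUTH_PBL` tests `RECEIVED_PBL`, but the rbl module config and groups.conf added in this same commit only define `RECEIVED_SPAMHAUS_PBL`, so unless `RECEIVED_PBL` is produced somewhere outside this commit the composite can never match and its 2.0 score for unauthenticated PBL relays is dead. The line would read `expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";`. The file also uses two spellings for the authenticated-submission symbol, `RCVD_FROM_SMTP_AUTH` in `COMPROMISED_ACCT_BULK` and `RCVD_VIA_SMTP_AUTH` here; only one of them is likely to exist, so both should be checked against the rule set that is actually loaded.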

822
configs/rspamd/groups.conf Normal file

@ -0,0 +1,822 @@
group "headers" {
symbols = {
"FORGED_SENDER" {
weight = 0.3;
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
}
"R_MIXED_CHARSET" {
weight = 5.0;
description = "Mixed characters in a message";
one_shot = true;
}
"R_MIXED_CHARSET_URL" {
weight = 7.0;
description = "Mixed characters in a URL inside message";
one_shot = true;
}
"FORGED_RECIPIENTS" {
weight = 2.0;
description = "Recipients are not the same as RCPT TO: mail command";
}
"FORGED_RECIPIENTS_MAILLIST" {
weight = 0.0;
description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
}
"FORGED_SENDER_MAILLIST" {
weight = 0.0;
description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
}
"ONCE_RECEIVED" {
weight = 0.1;
description = "One received header in a message";
}
"RDNS_NONE" {
weight = 1.0;
description = "Cannot resolve reverse DNS for sender's IP";
}
"RDNS_DNSFAIL" {
weight = 0.0;
description = "PTR verification DNS error";
}
"ONCE_RECEIVED_STRICT" {
weight = 4.0;
description = "One received header with 'bad' patterns inside";
}
"MAILLIST" {
weight = -0.2;
description = "Message seems to be from maillist";
}
}
}
group "subject" {
symbols = {}
max_score = 6.0;
}
group "mua" {
symbols = {
"FORGED_MUA_MAILLIST" {
weight = 0.0;
description = "Avoid false positives for FORGED_MUA_* in maillist";
}
}
}
group "rbl" {
symbols = {
"DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries";
groups = ["dnswl", "blocked"];
}
"RCVD_IN_DNSWL" {
weight = 0.0;
description = "Unrecognised result from https://www.dnswl.org";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_NONE" {
weight = 0.0;
description = "Sender listed at https://www.dnswl.org, no trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_LOW" {
weight = -0.1;
description = "Sender listed at https://www.dnswl.org, low trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_MED" {
weight = -0.2;
description = "Sender listed at https://www.dnswl.org, medium trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_HI" {
weight = -0.5;
description = "Sender listed at https://www.dnswl.org, high trust";
groups = ["dnswl"];
}
"DWL_DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries (dwl)";
groups = ["dnswl", "blocked"];
}
"DWL_DNSWL" {
weight = 0.0;
description = "Unrecognised result from https://www.dnswl.org (dwl)";
groups = ["dnswl"];
}
"DWL_DNSWL_NONE" {
weight = 0.0;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust";
groups = ["dnswl"];
}
"DWL_DNSWL_LOW" {
weight = -1.0;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust";
groups = ["dnswl"];
}
"DWL_DNSWL_MED" {
weight = -2.0;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust";
groups = ["dnswl"];
}
"DWL_DNSWL_HI" {
weight = -3.5;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, high trust";
groups = ["dnswl"];
}
"RBL_SPAMHAUS" {
weight = 0.0;
description = "Unrecognised result from Spamhaus ZEN";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_SBL" {
weight = 2.0;
description = "From address is listed in ZEN SBL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_CSS" {
weight = 2.0;
description = "From address is listed in ZEN CSS";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_XBL" {
weight = 4.0;
description = "From address is listed in ZEN XBL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_XBL_ANY" {
weight = 4.0;
description = "From or received address is listed in ZEN XBL (any list)";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_PBL" {
weight = 2.0;
description = "From address is listed in ZEN PBL (ISP list)";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_DROP" {
weight = 7.0;
description = "From address is listed in ZEN DROP BL";
groups = ["spamhaus"];
}
"RECEIVED_SPAMHAUS_SBL" {
weight = 1.0;
description = "Received address is listed in ZEN SBL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_CSS" {
weight = 1.0;
description = "Received address is listed in ZEN CSS";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_XBL" {
weight = 3.0;
description = "Received address is listed in ZEN XBL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_PBL" {
weight = 0.0;
description = "Received address is listed in ZEN PBL (ISP list)";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_DROP" {
weight = 6.0;
description = "Received address is listed in ZEN DROP BL";
groups = ["spamhaus"];
one_shot = true;
}
"RBL_SENDERSCORE" {
weight = 2.0;
description = "From address is listed in senderscore.com BL";
}
"MAILSPIKE" {
weight = 0.0;
description = "Unrecognised result from Mailspike";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_NEUTRAL" {
weight = 0.0;
description = "Neutral result from Mailspike";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_WORST" {
weight = 2.0;
description = "From address is listed in RBL - worst possible reputation";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_VERYBAD" {
weight = 1.5;
description = "From address is listed in RBL - very bad reputation";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_BAD" {
weight = 1.0;
description = "From address is listed in RBL - bad reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_POSSIBLE" {
weight = 0.0;
description = "From address is listed in RWL - possibly legit";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_GOOD" {
weight = 0.0;
description = "From address is listed in RWL - good reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_VERYGOOD" {
weight = 0.0;
description = "From address is listed in RWL - very good reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_EXCELLENT" {
weight = 0.0;
description = "From address is listed in RWL - excellent reputation";
groups = ["mailspike"];
}
"RBL_SEM" {
weight = 1.0;
description = "From address is listed in Spameatingmonkey RBL";
groups = ["sem"];
}
"RBL_SEM_IPV6" {
weight = 1.0;
description = "From address is listed in Spameatingmonkey RBL (IPv6)";
groups = ["sem"];
}
"RBL_VIRUSFREE_BOTNET" {
weight = 2.0;
description = "From address is listed in virusfree.cz BL";
}
"RBL_NIXSPAM" {
weight = 4.0;
description = "From address is listed in NiX Spam (http://www.dnsbl.manitu.net/)";
}
"RBL_BLOCKLISTDE" {
weight = 4.0;
description = "From address is listed in Blocklist (https://www.blocklist.de/)";
groups = ["blocklistde"];
}
"RECEIVED_BLOCKLISTDE" {
weight = 3.0;
description = "Received address is listed in Blocklist (https://www.blocklist.de/)";
groups = ["blocklistde"];
one_shot = true;
}
}
}
group "statistics" {
symbols = {
"BAYES_SPAM" {
weight = 5.1;
description = "Message probably spam, probability: ";
}
"BAYES_HAM" {
weight = -3.0;
description = "Message probably ham, probability: ";
}
}
}
group "fuzzy" {
symbols = {
"FUZZY_UNKNOWN" {
weight = 5.0;
description = "Generic fuzzy hash match, bl.rspamd.com";
}
"FUZZY_DENIED" {
weight = 12.0;
description = "Denied fuzzy hash, bl.rspamd.com";
}
"FUZZY_PROB" {
weight = 5.0;
description = "Probable fuzzy hash, bl.rspamd.com";
}
"FUZZY_WHITE" {
weight = -2.1;
description = "Whitelisted fuzzy hash, bl.rspamd.com";
}
}
}
group "policies" {
symbols = {
"R_SPF_FAIL" {
weight = 1.0;
description = "SPF verification failed";
groups = ["spf"];
}
"R_SPF_SOFTFAIL" {
weight = 0.0;
description = "SPF verification soft-failed";
groups = ["spf"];
}
"R_SPF_NEUTRAL" {
weight = 0.0;
description = "SPF policy is neutral";
groups = ["spf"];
}
"R_SPF_ALLOW" {
weight = -0.2;
description = "SPF verification allows sending";
groups = ["spf"];
}
"R_SPF_DNSFAIL" {
weight = 0.0;
description = "SPF DNS failure";
groups = ["spf"];
}
"R_DKIM_REJECT" {
weight = 1.0;
description = "DKIM verification failed";
one_shot = true;
groups = ["dkim"];
}
"R_DKIM_TEMPFAIL" {
weight = 0.0;
description = "DKIM verification soft-failed";
groups = ["dkim"];
}
"R_DKIM_ALLOW" {
weight = -0.2;
description = "DKIM verification succeed";
one_shot = true;
groups = ["dkim"];
}
"DMARC_POLICY_ALLOW" {
weight = -0.5;
description = "DMARC permit policy";
groups = ["dmarc"];
}
"DMARC_POLICY_ALLOW_WITH_FAILURES" {
weight = -0.5;
description = "DMARC permit policy with DKIM/SPF failure";
groups = ["dmarc"];
}
"DMARC_POLICY_REJECT" {
weight = 2.0;
description = "DMARC reject policy";
groups = ["dmarc"];
}
"DMARC_POLICY_QUARANTINE" {
weight = 1.5;
description = "DMARC quarantine policy";
groups = ["dmarc"];
}
"DMARC_POLICY_SOFTFAIL" {
weight = 0.1;
description = "DMARC failed";
groups = ["dmarc"];
}
"ARC_ALLOW" {
weight = -1.0;
description = "ARC checks success";
groups = ["arc"];
}
"ARC_REJECT" {
weight = 2.0;
description = "ARC checks failed";
groups = ["arc"];
}
"ARC_INVALID" {
weight = 1.0;
description = "ARC structure invalid";
groups = ["arc"];
}
"ARC_DNSFAIL" {
weight = 0.0;
description = "ARC DNS error";
groups = ["arc"];
}
"ARC_NA" {
weight = 0.0;
description = "ARC signature absent";
groups = ["arc"];
}
}
}
group "whitelist" {
max_score = 10.0;
symbols = {
"WHITELIST_SPF" {
weight = -1.0;
description = "Mail comes from the whitelisted domain and has a valid SPF policy";
}
"BLACKLIST_SPF" {
weight = 1.0;
description = "Mail comes from the whitelisted domain and has no valid SPF policy";
}
"WHITELIST_DKIM" {
weight = -1.0;
description = "Mail comes from the whitelisted domain and has a valid DKIM signature";
}
"BLACKLIST_DKIM" {
weight = 2.0;
description = "Mail comes from the whitelisted domain and has non-valid DKIM signature";
}
"WHITELIST_SPF_DKIM" {
weight = -3.0;
description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies";
}
"BLACKLIST_SPF_DKIM" {
weight = 3.0;
description = "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature";
}
"WHITELIST_DMARC" {
weight = -7.0;
description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies";
}
"BLACKLIST_DMARC" {
weight = 6.0;
description = "Mail comes from the whitelisted domain and has valid failed DMARC and DKIM policies";
}
}
}
group "surbl" {
max_score = 12.5;
symbols = {
"SURBL_BLOCKED" {
weight = 0.0;
description = "SURBL: blocked by policy/overusage";
groups = ["surblorg", "blocked"];
}
"PH_SURBL_MULTI" {
weight = 5.5;
description = "SURBL: Phishing sites";
groups = ["surblorg", "phishing"];
}
"MW_SURBL_MULTI" {
weight = 5.5;
description = "SURBL: Malware sites";
groups = ["surblorg"];
}
"ABUSE_SURBL" {
weight = 5.5;
description = "SURBL: ABUSE";
groups = ["surblorg"];
}
"CRACKED_SURBL" {
weight = 4.0;
description = "SURBL: cracked site";
groups = ["surblorg"];
}
"RSPAMD_URIBL" {
weight = 4.5;
description = "Rspamd uribl, bl.rspamd.com";
one_shot = true;
groups = ["rspamdbl"];
}
"RSPAMD_EMAILBL" {
weight = 9.5;
description = "Rspamd emailbl, bl.rspamd.com";
one_shot = true;
groups = ["rspamdbl"];
}
"MSBL_EBL" {
weight = 7.5;
description = "MSBL emailbl";
one_shot = true;
groups = ["ebl"];
}
"MSBL_EBL_GREY" {
weight = 0.5; # TODO: test it
description = "MSBL emailbl grey list";
one_shot = true;
groups = ["ebl"];
}
"SEM_URIBL_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey uribl: unknown result";
groups = ["sem"];
}
"SEM_URIBL" {
weight = 3.5;
description = "Spameatingmonkey uribl";
groups = ["sem"];
}
"SEM_URIBL_FRESH15_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey Fresh15 uribl: unknown result";
groups = ["sem"];
}
"SEM_URIBL_FRESH15" {
weight = 3.0;
description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
groups = ["sem"];
}
"DBL" {
weight = 0.0;
description = "DBL unknown result";
groups = ["spamhaus"];
}
"DBL_SPAM" {
weight = 6.5;
description = "DBL uribl spam";
groups = ["spamhaus"];
}
"DBL_PHISH" {
weight = 6.5;
description = "DBL uribl phishing";
groups = ["spamhaus"];
}
"DBL_MALWARE" {
weight = 6.5;
description = "DBL uribl malware";
groups = ["spamhaus"];
}
"DBL_BOTNET" {
weight = 5.5;
description = "DBL uribl botnet C&C domain";
groups = ["spamhaus"];
}
"DBL_ABUSE" {
weight = 6.5;
description = "DBL uribl abused legit spam";
groups = ["spamhaus"];
}
"DBL_ABUSE_REDIR" {
weight = 1.5;
description = "DBL uribl abused spammed redirector domain";
groups = ["spamhaus"];
}
"DBL_ABUSE_PHISH" {
weight = 7.5;
description = "DBL uribl abused legit phish";
groups = ["spamhaus"];
}
"DBL_ABUSE_MALWARE" {
weight = 7.5;
description = "DBL uribl abused legit malware";
groups = ["spamhaus"];
}
"DBL_ABUSE_BOTNET" {
weight = 5.5;
description = "DBL uribl abused legit botnet C&C";
groups = ["spamhaus"];
}
"DBL_PROHIBIT" {
weight = 0.0;
description = "DBL uribl IP queries prohibited!";
groups = ["spamhaus"];
}
"URIBL_MULTI" {
weight = 0.0;
description = "uribl.com: unrecognised result";
groups = ["uribl"];
}
"URIBL_BLOCKED" {
weight = 0.0;
description = "uribl.com: query refused";
groups = ["uribl", "blocked"];
}
"URIBL_BLACK" {
weight = 7.5;
description = "uribl.com black url";
groups = ["uribl"];
}
"URIBL_RED" {
weight = 3.5;
description = "uribl.com red url";
groups = ["uribl"];
}
"URIBL_GREY" {
weight = 1.5;
description = "uribl.com grey url";
one_shot = true;
groups = ["uribl"];
}
"SPAMHAUS_ZEN_URIBL" {
weight = 0.0;
description = "Spamhaus ZEN URIBL: Filtered result";
groups = ["spamhaus"];
}
"URIBL_SBL" {
weight = 6.5;
description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
one_shot = true;
groups = ["v"];
}
"URIBL_SBL_CSS" {
weight = 6.5;
description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_XBL" {
weight = 1.5;
description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_PBL" {
weight = 0.01;
description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
groups = ["spamhaus"];
}
"URIBL_DROP" {
weight = 5.0;
description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
one_shot = true;
groups = ["spamhaus"];
}
"RBL_SARBL_BAD" {
weight = 2.5;
description = "A domain in the message body is blacklisted in SARBL";
one_shot = true;
}
}
}
group "phishing" {
max_score = 10.0;
symbols = {
"PHISHING" {
weight = 4.0;
description = "Phished URL";
one_shot = true;
}
"PHISHED_OPENPHISH" {
weight = 7.0;
description = "Phished URL found in openphish.com";
}
"PHISHED_PHISHTANK" {
weight = 7.0;
description = "Phished URL found in phishtank.com";
}
HACKED_WP_PHISHING {
weight = 4.5;
description = "Phishing message from hacked wordpress";
}
}
}
group "hfilter" {
symbols = {
"HFILTER_HELO_BAREIP" {
weight = 3.0;
description = "Helo host is bare ip";
}
"HFILTER_HELO_BADIP" {
weight = 4.5;
description = "Helo host is very bad ip";
}
"HFILTER_HELO_1" {
weight = 0.5;
description = "Helo host checks (very low)";
}
"HFILTER_HELO_2" {
weight = 1.0;
description = "Helo host checks (low)";
}
"HFILTER_HELO_3" {
weight = 2.0;
description = "Helo host checks (medium)";
}
"HFILTER_HELO_4" {
weight = 2.5;
description = "Helo host checks (hard)";
}
"HFILTER_HELO_5" {
weight = 3.0;
description = "Helo host checks (very hard)";
}
"HFILTER_HOSTNAME_1" {
weight = 0.5;
description = "Hostname checks (very low)";
}
"HFILTER_HOSTNAME_2" {
weight = 1.0;
description = "Hostname checks (low)";
}
"HFILTER_HOSTNAME_3" {
weight = 2.0;
description = "Hostname checks (medium)";
}
"HFILTER_HOSTNAME_4" {
weight = 2.5;
description = "Hostname checks (hard)";
}
"HFILTER_HOSTNAME_5" {
weight = 3.0;
description = "Hostname checks (very hard)";
}
"HFILTER_HELO_NORESOLVE_MX" {
weight = 0.2;
description = "MX found in Helo and no resolve";
}
"HFILTER_HELO_NORES_A_OR_MX" {
weight = 0.3;
description = "Helo no resolve to A or MX";
}
"HFILTER_HELO_IP_A" {
weight = 1.0;
description = "Helo A IP != hostname IP";
}
"HFILTER_HELO_NOT_FQDN" {
weight = 2.0;
description = "Helo not FQDN";
}
"HFILTER_FROMHOST_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in FROM host and no resolve";
}
"HFILTER_FROMHOST_NORES_A_OR_MX" {
weight = 1.5;
description = "FROM host no resolve to A or MX";
}
"HFILTER_FROMHOST_NOT_FQDN" {
weight = 3.0;
description = "FROM host not FQDN";
}
"HFILTER_FROM_BOUNCE" {
weight = 0.0;
description = "Bounce message";
}
"HFILTER_MID_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in Message-id host and no resolve";
}
"HFILTER_MID_NORES_A_OR_MX" {
weight = 0.5;
description = "Message-id host no resolve to A or MX";
}
"HFILTER_MID_NOT_FQDN" {
weight = 0.5;
description = "Message-id host not FQDN";
}
"HFILTER_HOSTNAME_UNKNOWN" {
weight = 2.5;
description = "Unknown client hostname (PTR or FCrDNS verification failed)";
}
"HFILTER_RCPT_BOUNCEMOREONE" {
weight = 1.5;
description = "Message from bounce and over 1 recipient";
}
"HFILTER_URL_ONLY" {
weight = 2.2;
description = "URL only in body";
}
"HFILTER_URL_ONELINE" {
weight = 2.5;
description = "One line URL and text in body";
}
}
}
group "mime_types" {
symbols = {
"MIME_GOOD" {
weight = -0.1;
description = "Known content-type";
one_shot = true;
}
"MIME_BAD" {
weight = 1.0;
description = "Known bad content-type";
one_shot = true;
}
"MIME_UNKNOWN" {
weight = 0.1;
description = "Missing or unknown content-type";
one_shot = true;
}
"MIME_BAD_ATTACHMENT" {
weight = 4.0;
description = "Invalid attachment mime type";
one_shot = true;
}
"MIME_ENCRYPTED_ARCHIVE" {
weight = 2.0;
description = "Encrypted archive in a message";
one_shot = true;
}
"MIME_ARCHIVE_IN_ARCHIVE" {
weight = 5.0;
description = "Archive within another archive";
one_shot = true;
}
"MIME_DOUBLE_BAD_EXTENSION" {
weight = 3.0; # This rule has dynamic weight up to 4.0
description = "Bad extension cloaking";
one_shot = true;
}
"MIME_BAD_EXTENSION" {
weight = 2.0; # This rule has dynamic weight up to 4.0
description = "Bad extension";
one_shot = true;
}
"MIME_BAD_UNICODE" {
weight = 8.0;
description = "Filename with known obscured unicode characters";
one_shot = true;
}
}
}
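Review bot: `URIBL_SBL` is assigned `groups = ["v"];` while the other Spamhaus URIBL symbols next to it (`URIBL_SBL_CSS`, `URIBL_XBL`, `URIBL_PBL`, `URIBL_DROP`) all use `["spamhaus"]`; this looks like a typo. Any group-based expression or per-group limit applied to `spamhaus` would skip this 6.5-weight symbol. The line should be `groups = ["spamhaus"];`.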


@ -0,0 +1,16 @@
logging {
type = "syslog";
level = "info";
# Show statistics for regular expressions
log_re_cache = true;
# Can be used for console logging
color = false;
# Log with microseconds resolution
log_usec = false;
# Enable debug for specific modules (e.g. `debug_modules = ["dkim", "re_cache"];`)
debug_modules = []
}


@ -0,0 +1,4 @@
chartable {
threshold = 0.300000;
symbol = "R_MIXED_CHARSET";
}


@ -0,0 +1,7 @@
dkim {
dkim_cache_size = 2k;
dkim_cache_expire = 1d;
time_jitter = 6h;
trusted_only = false;
skip_multi = false;
}


@ -0,0 +1,8 @@
dmarc {
reporting = true;
send_reports = false;
actions = {
quarantine = "add_header";
reject = "reject";
}
}


@ -0,0 +1,33 @@
fuzzy_check {
min_bytes = 1k; # Since small parts and small attachments causes too many FP
timeout = 2s;
retransmits = 1;
rule "rspamd.com" {
algorithm = "mumhash";
servers = "round-robin:fuzzy1.rspamd.com:11335,fuzzy2.rspamd.com:11335";
encryption_key = "icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy";
symbol = "FUZZY_UNKNOWN";
mime_types = ["*"];
max_score = 20.0;
read_only = yes;
skip_unknown = yes;
short_text_direct_hash = true; # If less than min_length then use direct hash
min_length = 64; # Minimum words count to consider shingles
fuzzy_map = {
FUZZY_DENIED {
max_score = 20.0;
flag = 1;
}
FUZZY_PROB {
max_score = 10.0;
flag = 2;
}
FUZZY_WHITE {
max_score = 2.0;
flag = 3;
}
}
}
# Include dynamic conf for the rule
.include(try=true,priority=5) "${DBDIR}/dynamic/fuzzy_check.conf"
}
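Review bot: The `encryption_key` literal in the `rspamd.com` rule carries no comment, and a bare key string in a packaged config reads like a committed secret to reviewers and secret scanners. As far as I know this field holds the public key of the remote fuzzy storage rather than a private key; a comment such as `# public key of the rspamd.com fuzzy storage, not a secret` above it would settle that. The rule is also `read_only = yes`, so this host only queries the storage and never learns into it, which is worth stating in the same comment.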


@ -0,0 +1,11 @@
greylist {
report_time = true;
expire = 1d;
timeout = 5min;
key_prefix = "rg";
max_data_len = 10k;
message = "Try again later";
action = "soft reject";
ipv4_mask = 19; # Mask bits for ipv4
ipv6_mask = 64; # Mask bits for ipv6
}


@ -0,0 +1,3 @@
maillist {
symbol = "MAILLIST";
}


@ -0,0 +1,29 @@
milter_headers {
extended_spam_headers = true;
authenticated_headers = ["authentication-results"];
spf_symbols {
pass = "R_SPF_ALLOW";
fail = "R_SPF_FAIL";
softfail = "R_SPF_SOFTFAIL";
neutral = "R_SPF_NEUTRAL";
temperror = "R_SPF_DNSFAIL";
none = "R_SPF_NA";
permerror = "R_SPF_PERMFAIL";
}
dkim_symbols {
pass = "R_DKIM_ALLOW";
fail = "R_DKIM_REJECT";
temperror = "R_DKIM_TEMPFAIL";
none = "R_DKIM_NA";
permerror = "R_DKIM_PERMFAIL";
}
dmarc_symbols {
pass = "DMARC_POLICY_ALLOW";
permerror = "DMARC_BAD_POLICY";
temperror = "DMARC_DNSFAIL";
none = "DMARC_NA";
reject = "DMARC_POLICY_REJECT";
softfail = "DMARC_POLICY_SOFTFAIL";
quarantine = "DMARC_POLICY_QUARANTINE";
}
}
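Review bot: `extended_spam_headers = true` adds the full symbol list and the scanner's hostname (`X-Spamd-Result`, `X-Rspamd-Server`) to messages, and nothing in this block says for which traffic. If mail from local networks or authenticated users is relayed outward through this milter, those headers expose scoring internals to third parties. I would set `skip_local` and `skip_authenticated` explicitly here rather than rely on module defaults, and add a comment naming the mail flows that are meant to carry the headers.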


@ -0,0 +1,5 @@
phishing {
symbol = "PHISHING";
openphish_enabled = true;
phishtank_enabled = true;
}


@ -0,0 +1,143 @@
rbl {
default_from = true;
default_received = false;
default_exclude_users = true;
default_unknown = true;
rbls {
spamhaus {
symbol = "RBL_SPAMHAUS";
rbl = "zen.spamhaus.org";
ipv6 = true;
returncodes {
RBL_SPAMHAUS_SBL = "127.0.0.2";
RBL_SPAMHAUS_CSS = "127.0.0.3";
RBL_SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
RBL_SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"];
RBL_SPAMHAUS_DROP = "127.0.0.9";
}
}
spamhaus_received {
symbol = "RECEIVED_SPAMHAUS";
rbl = "zen.spamhaus.org";
ipv6 = true;
received = true;
from = false;
ignore_whitelists = true;
returncodes {
RECEIVED_SPAMHAUS_SBL = "127.0.0.2";
RECEIVED_SPAMHAUS_CSS = "127.0.0.3";
RECEIVED_SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
RECEIVED_SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"];
RECEIVED_SPAMHAUS_DROP = "127.0.0.9";
}
}
mailspike {
symbol = "MAILSPIKE";
rbl = "rep.mailspike.net";
is_whitelist = true;
whitelist_exception = "MAILSPIKE";
whitelist_exception = "RWL_MAILSPIKE_GOOD";
whitelist_exception = "RWL_MAILSPIKE_NEUTRAL";
whitelist_exception = "RWL_MAILSPIKE_POSSIBLE";
whitelist_exception = "RBL_MAILSPIKE_WORST";
whitelist_exception = "RBL_MAILSPIKE_VERYBAD";
whitelist_exception = "RBL_MAILSPIKE_BAD";
returncodes {
RBL_MAILSPIKE_WORST = "127.0.0.10";
RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
RBL_MAILSPIKE_BAD = "127.0.0.12";
RWL_MAILSPIKE_NEUTRAL = ["127.0.0.16", "127.0.0.15", "127.0.0.14", "127.0.0.13"];
RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
RWL_MAILSPIKE_GOOD = "127.0.0.18";
RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
}
}
senderscore {
symbol = "RBL_SENDERSCORE";
rbl = "bl.score.senderscore.com";
}
sem {
symbol = "RBL_SEM";
rbl = "bl.spameatingmonkey.net";
ipv6 = false;
}
semIPv6 {
symbol = "RBL_SEM_IPV6";
rbl = "bl.ipv6.spameatingmonkey.net";
ipv4 = false;
ipv6 = true;
}
dnswl {
symbol = "RCVD_IN_DNSWL";
rbl = "list.dnswl.org";
ipv6 = true;
is_whitelist = true;
whitelist_exception = "RCVD_IN_DNSWL";
whitelist_exception = "RCVD_IN_DNSWL_NONE";
whitelist_exception = "RCVD_IN_DNSWL_LOW";
whitelist_exception = "DNSWL_BLOCKED";
returncodes {
RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
RCVD_IN_DNSWL_MED = "127.0.%d+.2";
RCVD_IN_DNSWL_HI = "127.0.%d+.3";
DNSWL_BLOCKED = "127.0.0.255";
}
}
virusfree {
symbol = "RBL_VIRUSFREE_UNKNOWN";
rbl = "bip.virusfree.cz";
ipv6 = true;
returncodes {
RBL_VIRUSFREE_BOTNET = "127.0.0.2";
}
}
nixspam {
symbol = "RBL_NIXSPAM";
rbl = "ix.dnsbl.manitu.net";
ipv6 = true;
}
blocklistde {
symbol = "RBL_BLOCKLISTDE";
rbl = "bl.blocklist.de";
ipv6 = true;
}
blocklistde_received {
symbol = "RECEIVED_BLOCKLISTDE";
rbl = "bl.blocklist.de";
ipv6 = true;
received = true;
from = false;
ignore_whitelists = true;
}
dnswl_dwl {
symbol = "DWL_DNSWL";
rbl = "dwl.dnswl.org";
dkim = true;
dkim_domainonly = false;
dkim_match_from = true;
ignore_whitelist = true;
unknown = false;
returncodes {
DWL_DNSWL_NONE = "127.0.%d+.0";
DWL_DNSWL_LOW = "127.0.%d+.1";
DWL_DNSWL_MED = "127.0.%d+.2";
DWL_DNSWL_HI = "127.0.%d+.3";
DWL_DNSWL_BLOCKED = "127.0.0.255";
}
}
}
}
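Review bot: The whitelist-bypass option is spelled two ways in this file, `ignore_whitelists = true;` in `spamhaus_received` and `blocklistde_received` but `ignore_whitelist = true;` in `dnswl_dwl`. An unrecognised key is most likely ignored silently, so one of the two sets of rules is probably not getting the intended behaviour. Check the spelling against the rbl module's option list and use the same one in all three places.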


@ -0,0 +1,4 @@
redis {
servers = "redis.routinginfo.redxen.localhost:7551";
db = 1;
}
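Review bot: The Redis connection has no `password`, and this instance backs the Bayes classifier (`backend = "redis"` in the statistic section) and, as far as I know, the greylist module, so anything that can reach port 7551 can read or alter filter state. The `.localhost` suffix suggests a loopback listener, but that depends on how the name resolves on the target host, which is not visible here. Either document that the listener is loopback-only or add `password = "<redis-password-placeholder>";` and tighten the file mode to match.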


@ -0,0 +1,6 @@
spf {
spf_cache_size = 2k;
spf_cache_expire = 1d;
disable_ipv6 = false;
min_cache_ttl = 10m;
}


@ -0,0 +1,63 @@
options {
pidfile = "$RUNDIR/rspamd.pid";
filters = "chartable,dkim,dmarc,greylist,maillist,milter_headers,phishing,rbl,redis,spf";
raw_mode = false;
one_shot = false;
cache_file = "$DBDIR/symbols.cache";
map_watch_interval = 5min;
map_file_watch_multiplier = 0.1;
dynamic_conf = "$DBDIR/rspamd_dynamic";
history_file = "$DBDIR/rspamd.history";
check_all_filters = false;
dns {
timeout = 1s;
sockets = 16;
retransmits = 5;
}
tempdir = "/tmp";
url_tld = "${SHAREDIR}/effective_tld_names.dat";
classify_headers = [
"User-Agent",
"X-Mailer",
"Content-Type",
"X-MimeOLE",
];
control_socket = "$DBDIR/rspamd.sock mode=0600";
history_rows = 200;
explicit_modules = ["settings", "bayes_expiry"];
# Scan messages even if they are not MIME
allow_raw_input = true;
# Start ignore words when reaching the following limit, so the total
# amount of words processed will not be *LIKELY more than the twice of that limit
words_decay = 600;
# Local networks
local_addrs = [10.0.0.0/8];
hs_cache_dir = "${DBDIR}/";
# Timeout for messages processing (must be larger than any internal timeout used)
task_timeout = 8s;
# Emit soft reject when timeout takes place
soft_reject_on_timeout = true;
}
actions {
reject = 8;
add_header = 3;
greylist = 1;
}
.include "${CONFDIR}/redxen/workers.conf"
.include "${CONFDIR}/redxen/logging.conf"
.include "${CONFDIR}/redxen/composites.conf"
.include "${CONFDIR}/redxen/groups.conf"
.include "${CONFDIR}/redxen/statistic.conf"
lua = "$RULESDIR/rspamd.lua"
.include(glob=true) "${CONFDIR}/redxen/modules/*.conf"
modules {
path = "${PLUGINSDIR}";
}
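Review bot: `filters` omits `fuzzy_check`, although this commit packages a fuzzy_check module config and assigns FUZZY_* weights up to 12.0 in groups.conf. If, as I understand it, `filters` is what enables the compiled-in modules, the fuzzy checks are configured but never run; either add the module, `filters = "chartable,dkim,dmarc,fuzzy_check,greylist,maillist,milter_headers,phishing,rbl,redis,spf";`, or drop the unused config. Separately, `local_addrs = [10.0.0.0/8];` marks the whole 10/8 range as local; a comment stating which networks are actually trusted would help, since checks are commonly relaxed for local senders.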


@ -0,0 +1,28 @@
classifier "bayes" {
tokenizer {
name = "osb";
}
cache {}
new_schema = true;
store_tokens = false;
signatures = false;
min_tokens = 11;
backend = "redis";
min_learns = 200;
statfile {
symbol = "BAYES_HAM";
spam = false;
}
statfile {
symbol = "BAYES_SPAM";
spam = true;
}
learn_condition = 'return require("lua_bayes_learn").can_learn';
autolearn {
spam_threshold = 6.0; # When to learn spam (score >= threshold)
ham_threshold = -0.5; # When to learn ham (score <= threshold)
check_balance = true; # Check spam and ham balance
min_balance = 0.9; # Keep diff for spam/ham learns for at least this value
}
}
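Review bot: `ham_threshold = -0.5` in `autolearn` is reachable from authentication symbols alone: groups.conf in this commit scores `ARC_ALLOW` at -1.0 and `DMARC_POLICY_ALLOW` at -0.5, and those only show that the sender controls a domain. Messages that merely authenticate can therefore be learned as ham and skew the classifier over time. Consider a stricter ham threshold, or confirm that `lua_bayes_learn.can_learn` already filters such cases and record that in a comment next to `learn_condition`.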


@ -0,0 +1,34 @@
worker "normal" {
count = 1;
bind_socket = "localhost:11333";
mime = true;
}
worker "controller" {
count = -1;
bind_socket = "localhost:11334";
}
worker "rspamd_proxy" {
count = 1;
bind_socket = "localhost:11332";
milter = yes;
timeout = 120s; # Needed for Milter usually
max_retries = 5;
discard_on_reject = false;
quarantine_on_reject = false;
spam_header = "X-Spam";
reject_message = "RedXen Mail: Spam message rejected";
upstream "local" {
default = yes;
hosts = "localhost";
}
}
worker "fuzzy" {
count = 1;
bind_socket = "localhost:11335";
backend = "redis";
expire = 90d;
allow_update = [];
}
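Review bot: The `controller` worker defines neither `password` nor `enable_password`, so access control rests entirely on the `localhost:11334` bind. That holds only while nothing proxies the port: requests forwarded by a reverse proxy on the same host arrive from loopback and would likely be treated as local ones. Add `password = "<hash-from-rspamadm-pw>";` (and an `enable_password` for write operations), or state in a comment that the controller must never be proxied.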