configs/rspamd: add configs
parent
ebe58022fd
commit
7539d2575e
|
@ -0,0 +1,73 @@
|
|||
# Contributor: Alex Denes <caskd@redxen.eu>
|
||||
# Maintainer: Alex Denes <caskd@redxen.eu>
|
||||
pkgname=redxen-config-rspamd
|
||||
pkgver=2021.01.10
|
||||
pkgrel=6
|
||||
pkgdesc="RSpamD configuration"
|
||||
url="https://git.redxen.eu/RedXen"
|
||||
arch="noarch"
|
||||
license="none"
|
||||
depends="rspamd"
|
||||
source="
|
||||
rspamd.conf
|
||||
composites.conf
|
||||
groups.conf
|
||||
logging.conf
|
||||
statistic.conf
|
||||
workers.conf
|
||||
"
|
||||
options="!check"
|
||||
builddir="$srcdir"
|
||||
_modules="
|
||||
chartable
|
||||
dkim
|
||||
dmarc
|
||||
fuzzy_check
|
||||
greylist
|
||||
maillist
|
||||
milter_headers
|
||||
phishing
|
||||
rbl
|
||||
redis
|
||||
spf
|
||||
"
|
||||
|
||||
for i in $_modules; do
|
||||
subpackages="$pkgname-$i:_module:noarch $subpackages"
|
||||
depends="$pkgname-$i=$pkgver-r$pkgrel $depends"
|
||||
source="modules/$i.conf $source"
|
||||
done
|
||||
|
||||
|
||||
package() {
|
||||
install -Dm644 rspamd.conf "$pkgdir"/etc/rspamd/redxen/rspamd.conf
|
||||
install -Dm644 composites.conf "$pkgdir"/etc/rspamd/redxen/composites.conf
|
||||
install -Dm644 groups.conf "$pkgdir"/etc/rspamd/redxen/groups.conf
|
||||
install -Dm644 logging.conf "$pkgdir"/etc/rspamd/redxen/logging.conf
|
||||
install -Dm644 statistic.conf "$pkgdir"/etc/rspamd/redxen/statistic.conf
|
||||
install -Dm644 workers.conf "$pkgdir"/etc/rspamd/redxen/workers.conf
|
||||
}
|
||||
|
||||
_module() {
|
||||
local module=${subpkgname##$pkgname-}
|
||||
depends=""
|
||||
install -Dm644 "$srcdir"/"$module".conf "$subpkgdir"/etc/rspamd/redxen/modules/"$module".conf
|
||||
}
|
||||
|
||||
sha512sums="99985993e5d7c525280020e7dc30106b3efbaa8ae2830a5069ad4270a8336d33efca74ed26103e1d2f5f341a0cffc4e0f77a2757fdeab27e3b492aa99ae7f977 spf.conf
|
||||
d42a74d17771497960477878eedda2a00a434cbc1e994b015c21b4f631e24836cb6a7b14a24a2cb42ed15425b7758dc307a6cf602a770cfb0cc20b6f90064af9 redis.conf
|
||||
a3849ae55a68c90afd913ed18f6b210803f5dbaa2beab5abf23a84b9b4bcb48e617023123724222c1f74a005bf03e1c94e3fa1ded5a6f252d9c2ac317dabc1a2 rbl.conf
|
||||
6ca83b91e70e43eff6de380065fc5591c6669a27497a47d74e5e096df68afea6269cfad41be982bb144f2dfb92fd5765a600cf9c4067c4612bd1aa1bf5e6ebfd phishing.conf
|
||||
72840316e3a8905a6e087147b33355c1250209831423871783a4cda5c22dd1ec376ff4da1db05a3a763bd763b6a8ce8b0af9cccf7a3b0c0d0bc507fd3fe40f8f milter_headers.conf
|
||||
08966d0a3c077a12a1113f774e11d51d3c7d04bb45914e295324e8aa51c3d75b55395c256a905c6d9ae1e98a004a9e6b3b37d36fce810a426dd5d90408331c0a maillist.conf
|
||||
8660fd01589476bbc01bbe75bed392faa55f55fa9b6fea77be79f339cefb43ddbacdbe193ad136c42da91d4ef7f1e1ec40fc5f8f4f398d04bcebf51d5a59ad1f greylist.conf
|
||||
227f215b4e65bff86428502425f1295b21e0f6e8c4b990e4f19aa8e1bb3f1cee18d1b8644e1223edb606292c786e814acc68d276562c8fb4f23fdce6b538689a fuzzy_check.conf
|
||||
e14c3683b48dde5584cbcd0bd5811f6111a201635dd7400d7703003b4c98255d10be9b64ee81784c1fe1df50159e12d6777086c5a18ee9b14be852d233cf6dc5 dmarc.conf
|
||||
ad3fa5e3c4c3d7b882c9e85bdde3b1949a32f2f2c9dd43e38977d828e7b6740d31002c502f24a0ea2e27105d5a6b1af7b7140c5d8e306f90c3f7d28c1e4607d5 dkim.conf
|
||||
dcec5c53bd29c345ed5c47727af9a8d11328cc8f69ae61064ba3b053ee306baa79b747067097b2354a1fecd6e6527d56d14c79be22c94531f2a5ddc41ce3ca7e chartable.conf
|
||||
e95cd76aacc8c24ba499e5ff2853a3bef17a0b2b76fa46bb2fb7b31f73f7a62027f3569ee5ed283ede8611af68bd246e10e38dfe71665dea3073aad39068f109 rspamd.conf
|
||||
667ec0331c811730e096e27f5e8659062239f46e3ccd148411984bb4d83b8770cc0d7d3c74dd5a2da71781e9b99d4bcb5a700cbd5f56ae8e17f7c4e50519ffb2 composites.conf
|
||||
4ea651877607573126a731619801458798c1e8e4de3522462af4c71adc38141d09a0c75c2c83a33698e3c51095d0b7d364e1ceb3aa534a4157106370a7800e4a groups.conf
|
||||
78df39cbc6e09cdc5e01d27e123d82aa677a70a6f5d59ba0be8d0ce6af012c5311e4a2527e4fbc586f9cdd8da033e9f05e2371970fa23db60eaa8c16c8e85f05 logging.conf
|
||||
2d27d5ac1800ee28948f8fcc276cc5c62c97a19d01dde2263eadf3ec4f8eb3bbb8417f4271324c5cfbf1ebd60759aa9047849ea803da96c8632c21966b794e6c statistic.conf
|
||||
8fd778a46ce497a2399b455ba423c5a6308082ac41ac21cac4dbf65447e151e115ef21ac9820ab84f445af8530bc915b8c7394d28eb4b8179c3143c1817093b8 workers.conf"
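Review bot: `_module()` installs every module file with `install -Dm644`, and that includes `redis.conf`. Its contents are not shown on this page, so this is an assumption to verify: if it carries a Redis `password`, the credential ends up world-readable on the target and also sits in the package repository. I would keep secrets out of the packaged file, for example in a local override that the package does not ship, or at least install that one file with a mode that is not world-readable and a group the rspamd workers run as. A short comment above `_module()` saying that packaged configs must not contain credentials would make the rule visible to the next editor.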
|
|
@ -0,0 +1,131 @@
|
|||
composites {
|
||||
FORGED_RECIPIENTS_MAILLIST {
|
||||
expression = "FORGED_RECIPIENTS & -MAILLIST";
|
||||
}
|
||||
FORGED_SENDER_MAILLIST {
|
||||
expression = "FORGED_SENDER & -MAILLIST";
|
||||
}
|
||||
FORGED_SENDER_FORWARDING {
|
||||
expression = "FORGED_SENDER & g:forwarding";
|
||||
description = "Forged sender, but message is forwarded";
|
||||
policy = "remove_weight";
|
||||
}
|
||||
SPF_FAIL_FORWARDING {
|
||||
expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
|
||||
policy = "remove_weight";
|
||||
}
|
||||
DMARC_POLICY_ALLOW_WITH_FAILURES {
|
||||
expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
|
||||
policy = "remove_weight";
|
||||
}
|
||||
FORGED_RECIPIENTS_FORWARDING {
|
||||
expression = "FORGED_RECIPIENTS & g:forwarding";
|
||||
policy = "remove_weight";
|
||||
}
|
||||
FORGED_SENDER_VERP_SRS {
|
||||
expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
|
||||
}
|
||||
FORGED_MUA_MAILLIST {
|
||||
expression = "g:mua & -MAILLIST";
|
||||
}
|
||||
RBL_SPAMHAUS_XBL_ANY {
|
||||
expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
|
||||
description = "From and Received address are listed in Spamhaus XBL";
|
||||
}
|
||||
AUTH_NA {
|
||||
expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
|
||||
score = 1.0;
|
||||
policy = "remove_weight";
|
||||
description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
|
||||
}
|
||||
DKIM_MIXED {
|
||||
expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
|
||||
policy = "remove_weight";
|
||||
}
|
||||
MAIL_RU_MAILER_BASE64 {
|
||||
expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
|
||||
}
|
||||
YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
|
||||
expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
|
||||
}
|
||||
MAILER_1C_8_BASE64 {
|
||||
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
|
||||
description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
|
||||
}
|
||||
HACKED_WP_PHISHING {
|
||||
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
|
||||
description = "Phish message sent by hacked Wordpress instance";
|
||||
policy = "leave";
|
||||
}
|
||||
COMPROMISED_ACCT_BULK {
|
||||
expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
|
||||
description = "Likely to be from a compromised account";
|
||||
score = 3.0;
|
||||
policy = "leave";
|
||||
}
|
||||
UNDISC_RCPTS_BULK {
|
||||
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
|
||||
description = "Missing or undisclosed recipients with a bulk signature";
|
||||
score = 3.0;
|
||||
policy = "leave";
|
||||
}
|
||||
RCVD_UNAUTH_PBL {
|
||||
expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
|
||||
description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
|
||||
score = 2.0;
|
||||
policy = "leave";
|
||||
}
|
||||
RCVD_DKIM_ARC_DNSWL_MED {
|
||||
expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
|
||||
description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
|
||||
score = -0.5;
|
||||
policy = "leave";
|
||||
}
|
||||
RCVD_DKIM_ARC_DNSWL_HI {
|
||||
expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
|
||||
description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
|
||||
score = -1.0;
|
||||
policy = "leave";
|
||||
}
|
||||
AUTOGEN_PHP_SPAMMY {
|
||||
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
|
||||
description = "Message was generated by PHP script and contains some spam indicators";
|
||||
score = 1.0;
|
||||
policy = "leave";
|
||||
}
|
||||
PHISH_EMOTION {
|
||||
expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
|
||||
description = "Phish message with subject trying to address users emotion";
|
||||
score = 1.0;
|
||||
policy = "leave";
|
||||
}
|
||||
HAS_ANON_DOMAIN {
|
||||
expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
|
||||
description = "Contains one or more domains trying to disguise owner/destination";
|
||||
score = 0.1;
|
||||
policy = "leave";
|
||||
}
|
||||
BAD_REP_POLICIES {
|
||||
description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
|
||||
expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
|
||||
score = 0.1;
|
||||
}
|
||||
VIOLATED_DIRECT_SPF {
|
||||
description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
|
||||
expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
|
||||
policy = "leave";
|
||||
score = 3.5;
|
||||
}
|
||||
LEAKED_PASSWORD_SPAM_FP {
|
||||
description = "Looks like a BTC pattern but address syntax is invalid",
|
||||
expression = "LEAKED_PASSWORD_SCAM_INVALID & LEAKED_PASSWORD_SCAM";
|
||||
policy = "remove_all";
|
||||
score = 0.0; # To negate LEAKED_PASSWORD_SCAM
|
||||
}
|
||||
IP_SCORE_FREEMAIL {
|
||||
description = "Negate IP_SCORE when message comes from FreeMail";
|
||||
expression = "FREEMAIL_FROM & IP_SCORE";
|
||||
score = 0.0;
|
||||
policy = "remove_weight";
|
||||
}
|
||||
}
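Review bot: `RCVD_UNAUTH_PBL` tests `RECEIVED_PBL`, but the groups.conf added in this same commit only defines `RECEIVED_SPAMHAUS_PBL`. Unless rbl.conf (not shown here) registers a symbol named `RECEIVED_PBL`, the atom is never set, the composite can never match, and the 2.0 points for unauthenticated relaying through a PBL address are silently lost. If the Spamhaus naming is what the rbl module emits, the line would read `expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";`. Separately, the `DKIM_MIXED` expression has no trailing `;` and the `LEAKED_PASSWORD_SPAM_FP` description ends in `,`; UCL accepts both, but matching the rest of the file avoids surprises when these blocks are edited.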
|
|
@ -0,0 +1,822 @@
|
|||
group "headers" {
|
||||
symbols = {
|
||||
"FORGED_SENDER" {
|
||||
weight = 0.3;
|
||||
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
|
||||
}
|
||||
"R_MIXED_CHARSET" {
|
||||
weight = 5.0;
|
||||
description = "Mixed characters in a message";
|
||||
one_shot = true;
|
||||
}
|
||||
"R_MIXED_CHARSET_URL" {
|
||||
weight = 7.0;
|
||||
description = "Mixed characters in a URL inside message";
|
||||
one_shot = true;
|
||||
}
|
||||
"FORGED_RECIPIENTS" {
|
||||
weight = 2.0;
|
||||
description = "Recipients are not the same as RCPT TO: mail command";
|
||||
}
|
||||
"FORGED_RECIPIENTS_MAILLIST" {
|
||||
weight = 0.0;
|
||||
description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
|
||||
}
|
||||
"FORGED_SENDER_MAILLIST" {
|
||||
weight = 0.0;
|
||||
description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
|
||||
}
|
||||
"ONCE_RECEIVED" {
|
||||
weight = 0.1;
|
||||
description = "One received header in a message";
|
||||
}
|
||||
"RDNS_NONE" {
|
||||
weight = 1.0;
|
||||
description = "Cannot resolve reverse DNS for sender's IP";
|
||||
}
|
||||
"RDNS_DNSFAIL" {
|
||||
weight = 0.0;
|
||||
description = "PTR verification DNS error";
|
||||
}
|
||||
"ONCE_RECEIVED_STRICT" {
|
||||
weight = 4.0;
|
||||
description = "One received header with 'bad' patterns inside";
|
||||
}
|
||||
"MAILLIST" {
|
||||
weight = -0.2;
|
||||
description = "Message seems to be from maillist";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "subject" {
|
||||
symbols = {}
|
||||
max_score = 6.0;
|
||||
}
|
||||
|
||||
group "mua" {
|
||||
symbols = {
|
||||
"FORGED_MUA_MAILLIST" {
|
||||
weight = 0.0;
|
||||
description = "Avoid false positives for FORGED_MUA_* in maillist";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "rbl" {
|
||||
symbols = {
|
||||
"DNSWL_BLOCKED" {
|
||||
weight = 0.0;
|
||||
description = "Resolver blocked due to excessive queries";
|
||||
groups = ["dnswl", "blocked"];
|
||||
}
|
||||
"RCVD_IN_DNSWL" {
|
||||
weight = 0.0;
|
||||
description = "Unrecognised result from https://www.dnswl.org";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"RCVD_IN_DNSWL_NONE" {
|
||||
weight = 0.0;
|
||||
description = "Sender listed at https://www.dnswl.org, no trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"RCVD_IN_DNSWL_LOW" {
|
||||
weight = -0.1;
|
||||
description = "Sender listed at https://www.dnswl.org, low trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"RCVD_IN_DNSWL_MED" {
|
||||
weight = -0.2;
|
||||
description = "Sender listed at https://www.dnswl.org, medium trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"RCVD_IN_DNSWL_HI" {
|
||||
weight = -0.5;
|
||||
description = "Sender listed at https://www.dnswl.org, high trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"DWL_DNSWL_BLOCKED" {
|
||||
weight = 0.0;
|
||||
description = "Resolver blocked due to excessive queries (dwl)";
|
||||
groups = ["dnswl", "blocked"];
|
||||
}
|
||||
"DWL_DNSWL" {
|
||||
weight = 0.0;
|
||||
description = "Unrecognised result from https://www.dnswl.org (dwl)";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"DWL_DNSWL_NONE" {
|
||||
weight = 0.0;
|
||||
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"DWL_DNSWL_LOW" {
|
||||
weight = -1.0;
|
||||
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"DWL_DNSWL_MED" {
|
||||
weight = -2.0;
|
||||
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"DWL_DNSWL_HI" {
|
||||
weight = -3.5;
|
||||
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, high trust";
|
||||
groups = ["dnswl"];
|
||||
}
|
||||
"RBL_SPAMHAUS" {
|
||||
weight = 0.0;
|
||||
description = "Unrecognised result from Spamhaus ZEN";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SPAMHAUS_SBL" {
|
||||
weight = 2.0;
|
||||
description = "From address is listed in ZEN SBL";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SPAMHAUS_CSS" {
|
||||
weight = 2.0;
|
||||
description = "From address is listed in ZEN CSS";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SPAMHAUS_XBL" {
|
||||
weight = 4.0;
|
||||
description = "From address is listed in ZEN XBL";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SPAMHAUS_XBL_ANY" {
|
||||
weight = 4.0;
|
||||
description = "From or received address is listed in ZEN XBL (any list)";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SPAMHAUS_PBL" {
|
||||
weight = 2.0;
|
||||
description = "From address is listed in ZEN PBL (ISP list)";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SPAMHAUS_DROP" {
|
||||
weight = 7.0;
|
||||
description = "From address is listed in ZEN DROP BL";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RECEIVED_SPAMHAUS_SBL" {
|
||||
weight = 1.0;
|
||||
description = "Received address is listed in ZEN SBL";
|
||||
groups = ["spamhaus"];
|
||||
one_shot = true;
|
||||
}
|
||||
"RECEIVED_SPAMHAUS_CSS" {
|
||||
weight = 1.0;
|
||||
description = "Received address is listed in ZEN CSS";
|
||||
groups = ["spamhaus"];
|
||||
one_shot = true;
|
||||
}
|
||||
"RECEIVED_SPAMHAUS_XBL" {
|
||||
weight = 3.0;
|
||||
description = "Received address is listed in ZEN XBL";
|
||||
groups = ["spamhaus"];
|
||||
one_shot = true;
|
||||
}
|
||||
"RECEIVED_SPAMHAUS_PBL" {
|
||||
weight = 0.0;
|
||||
description = "Received address is listed in ZEN PBL (ISP list)";
|
||||
groups = ["spamhaus"];
|
||||
one_shot = true;
|
||||
}
|
||||
"RECEIVED_SPAMHAUS_DROP" {
|
||||
weight = 6.0;
|
||||
description = "Received address is listed in ZEN DROP BL";
|
||||
groups = ["spamhaus"];
|
||||
one_shot = true;
|
||||
}
|
||||
"RBL_SENDERSCORE" {
|
||||
weight = 2.0;
|
||||
description = "From address is listed in senderscore.com BL";
|
||||
}
|
||||
"MAILSPIKE" {
|
||||
weight = 0.0;
|
||||
description = "Unrecognised result from Mailspike";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RWL_MAILSPIKE_NEUTRAL" {
|
||||
weight = 0.0;
|
||||
description = "Neutral result from Mailspike";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RBL_MAILSPIKE_WORST" {
|
||||
weight = 2.0;
|
||||
description = "From address is listed in RBL - worst possible reputation";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RBL_MAILSPIKE_VERYBAD" {
|
||||
weight = 1.5;
|
||||
description = "From address is listed in RBL - very bad reputation";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RBL_MAILSPIKE_BAD" {
|
||||
weight = 1.0;
|
||||
description = "From address is listed in RBL - bad reputation";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RWL_MAILSPIKE_POSSIBLE" {
|
||||
weight = 0.0;
|
||||
description = "From address is listed in RWL - possibly legit";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RWL_MAILSPIKE_GOOD" {
|
||||
weight = 0.0;
|
||||
description = "From address is listed in RWL - good reputation";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RWL_MAILSPIKE_VERYGOOD" {
|
||||
weight = 0.0;
|
||||
description = "From address is listed in RWL - very good reputation";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RWL_MAILSPIKE_EXCELLENT" {
|
||||
weight = 0.0;
|
||||
description = "From address is listed in RWL - excellent reputation";
|
||||
groups = ["mailspike"];
|
||||
}
|
||||
"RBL_SEM" {
|
||||
weight = 1.0;
|
||||
description = "From address is listed in Spameatingmonkey RBL";
|
||||
groups = ["sem"];
|
||||
}
|
||||
"RBL_SEM_IPV6" {
|
||||
weight = 1.0;
|
||||
description = "From address is listed in Spameatingmonkey RBL (IPv6)";
|
||||
groups = ["sem"];
|
||||
}
|
||||
"RBL_VIRUSFREE_BOTNET" {
|
||||
weight = 2.0;
|
||||
description = "From address is listed in virusfree.cz BL";
|
||||
}
|
||||
"RBL_NIXSPAM" {
|
||||
weight = 4.0;
|
||||
description = "From address is listed in NiX Spam (http://www.dnsbl.manitu.net/)";
|
||||
}
|
||||
"RBL_BLOCKLISTDE" {
|
||||
weight = 4.0;
|
||||
description = "From address is listed in Blocklist (https://www.blocklist.de/)";
|
||||
groups = ["blocklistde"];
|
||||
}
|
||||
"RECEIVED_BLOCKLISTDE" {
|
||||
weight = 3.0;
|
||||
description = "Received address is listed in Blocklist (https://www.blocklist.de/)";
|
||||
groups = ["blocklistde"];
|
||||
one_shot = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "statistics" {
|
||||
symbols = {
|
||||
"BAYES_SPAM" {
|
||||
weight = 5.1;
|
||||
description = "Message probably spam, probability: ";
|
||||
}
|
||||
"BAYES_HAM" {
|
||||
weight = -3.0;
|
||||
description = "Message probably ham, probability: ";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "fuzzy" {
|
||||
symbols = {
|
||||
"FUZZY_UNKNOWN" {
|
||||
weight = 5.0;
|
||||
description = "Generic fuzzy hash match, bl.rspamd.com";
|
||||
}
|
||||
"FUZZY_DENIED" {
|
||||
weight = 12.0;
|
||||
description = "Denied fuzzy hash, bl.rspamd.com";
|
||||
}
|
||||
"FUZZY_PROB" {
|
||||
weight = 5.0;
|
||||
description = "Probable fuzzy hash, bl.rspamd.com";
|
||||
}
|
||||
"FUZZY_WHITE" {
|
||||
weight = -2.1;
|
||||
description = "Whitelisted fuzzy hash, bl.rspamd.com";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "policies" {
|
||||
symbols = {
|
||||
"R_SPF_FAIL" {
|
||||
weight = 1.0;
|
||||
description = "SPF verification failed";
|
||||
groups = ["spf"];
|
||||
}
|
||||
"R_SPF_SOFTFAIL" {
|
||||
weight = 0.0;
|
||||
description = "SPF verification soft-failed";
|
||||
groups = ["spf"];
|
||||
}
|
||||
"R_SPF_NEUTRAL" {
|
||||
weight = 0.0;
|
||||
description = "SPF policy is neutral";
|
||||
groups = ["spf"];
|
||||
}
|
||||
"R_SPF_ALLOW" {
|
||||
weight = -0.2;
|
||||
description = "SPF verification allows sending";
|
||||
groups = ["spf"];
|
||||
}
|
||||
"R_SPF_DNSFAIL" {
|
||||
weight = 0.0;
|
||||
description = "SPF DNS failure";
|
||||
groups = ["spf"];
|
||||
}
|
||||
"R_DKIM_REJECT" {
|
||||
weight = 1.0;
|
||||
description = "DKIM verification failed";
|
||||
one_shot = true;
|
||||
groups = ["dkim"];
|
||||
}
|
||||
"R_DKIM_TEMPFAIL" {
|
||||
weight = 0.0;
|
||||
description = "DKIM verification soft-failed";
|
||||
groups = ["dkim"];
|
||||
}
|
||||
"R_DKIM_ALLOW" {
|
||||
weight = -0.2;
|
||||
description = "DKIM verification succeed";
|
||||
one_shot = true;
|
||||
groups = ["dkim"];
|
||||
}
|
||||
"DMARC_POLICY_ALLOW" {
|
||||
weight = -0.5;
|
||||
description = "DMARC permit policy";
|
||||
groups = ["dmarc"];
|
||||
}
|
||||
"DMARC_POLICY_ALLOW_WITH_FAILURES" {
|
||||
weight = -0.5;
|
||||
description = "DMARC permit policy with DKIM/SPF failure";
|
||||
groups = ["dmarc"];
|
||||
}
|
||||
"DMARC_POLICY_REJECT" {
|
||||
weight = 2.0;
|
||||
description = "DMARC reject policy";
|
||||
groups = ["dmarc"];
|
||||
}
|
||||
"DMARC_POLICY_QUARANTINE" {
|
||||
weight = 1.5;
|
||||
description = "DMARC quarantine policy";
|
||||
groups = ["dmarc"];
|
||||
}
|
||||
"DMARC_POLICY_SOFTFAIL" {
|
||||
weight = 0.1;
|
||||
description = "DMARC failed";
|
||||
groups = ["dmarc"];
|
||||
}
|
||||
"ARC_ALLOW" {
|
||||
weight = -1.0;
|
||||
description = "ARC checks success";
|
||||
groups = ["arc"];
|
||||
}
|
||||
"ARC_REJECT" {
|
||||
weight = 2.0;
|
||||
description = "ARC checks failed";
|
||||
groups = ["arc"];
|
||||
}
|
||||
"ARC_INVALID" {
|
||||
weight = 1.0;
|
||||
description = "ARC structure invalid";
|
||||
groups = ["arc"];
|
||||
}
|
||||
"ARC_DNSFAIL" {
|
||||
weight = 0.0;
|
||||
description = "ARC DNS error";
|
||||
groups = ["arc"];
|
||||
}
|
||||
"ARC_NA" {
|
||||
weight = 0.0;
|
||||
description = "ARC signature absent";
|
||||
groups = ["arc"];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "whitelist" {
|
||||
max_score = 10.0;
|
||||
symbols = {
|
||||
"WHITELIST_SPF" {
|
||||
weight = -1.0;
|
||||
description = "Mail comes from the whitelisted domain and has a valid SPF policy";
|
||||
}
|
||||
"BLACKLIST_SPF" {
|
||||
weight = 1.0;
|
||||
description = "Mail comes from the whitelisted domain and has no valid SPF policy";
|
||||
}
|
||||
"WHITELIST_DKIM" {
|
||||
weight = -1.0;
|
||||
description = "Mail comes from the whitelisted domain and has a valid DKIM signature";
|
||||
}
|
||||
"BLACKLIST_DKIM" {
|
||||
weight = 2.0;
|
||||
description = "Mail comes from the whitelisted domain and has non-valid DKIM signature";
|
||||
}
|
||||
"WHITELIST_SPF_DKIM" {
|
||||
weight = -3.0;
|
||||
description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies";
|
||||
}
|
||||
"BLACKLIST_SPF_DKIM" {
|
||||
weight = 3.0;
|
||||
description = "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature";
|
||||
}
|
||||
"WHITELIST_DMARC" {
|
||||
weight = -7.0;
|
||||
description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies";
|
||||
}
|
||||
"BLACKLIST_DMARC" {
|
||||
weight = 6.0;
|
||||
description = "Mail comes from the whitelisted domain and has valid failed DMARC and DKIM policies";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "surbl" {
|
||||
max_score = 12.5;
|
||||
symbols = {
|
||||
"SURBL_BLOCKED" {
|
||||
weight = 0.0;
|
||||
description = "SURBL: blocked by policy/overusage";
|
||||
groups = ["surblorg", "blocked"];
|
||||
}
|
||||
"PH_SURBL_MULTI" {
|
||||
weight = 5.5;
|
||||
description = "SURBL: Phishing sites";
|
||||
groups = ["surblorg", "phishing"];
|
||||
}
|
||||
"MW_SURBL_MULTI" {
|
||||
weight = 5.5;
|
||||
description = "SURBL: Malware sites";
|
||||
groups = ["surblorg"];
|
||||
}
|
||||
"ABUSE_SURBL" {
|
||||
weight = 5.5;
|
||||
description = "SURBL: ABUSE";
|
||||
groups = ["surblorg"];
|
||||
}
|
||||
"CRACKED_SURBL" {
|
||||
weight = 4.0;
|
||||
description = "SURBL: cracked site";
|
||||
groups = ["surblorg"];
|
||||
}
|
||||
"RSPAMD_URIBL" {
|
||||
weight = 4.5;
|
||||
description = "Rspamd uribl, bl.rspamd.com";
|
||||
one_shot = true;
|
||||
groups = ["rspamdbl"];
|
||||
}
|
||||
"RSPAMD_EMAILBL" {
|
||||
weight = 9.5;
|
||||
description = "Rspamd emailbl, bl.rspamd.com";
|
||||
one_shot = true;
|
||||
groups = ["rspamdbl"];
|
||||
}
|
||||
"MSBL_EBL" {
|
||||
weight = 7.5;
|
||||
description = "MSBL emailbl";
|
||||
one_shot = true;
|
||||
groups = ["ebl"];
|
||||
}
|
||||
"MSBL_EBL_GREY" {
|
||||
weight = 0.5; # TODO: test it
|
||||
description = "MSBL emailbl grey list";
|
||||
one_shot = true;
|
||||
groups = ["ebl"];
|
||||
}
|
||||
"SEM_URIBL_UNKNOWN" {
|
||||
weight = 0.0;
|
||||
description = "Spameatingmonkey uribl: unknown result";
|
||||
groups = ["sem"];
|
||||
}
|
||||
"SEM_URIBL" {
|
||||
weight = 3.5;
|
||||
description = "Spameatingmonkey uribl";
|
||||
groups = ["sem"];
|
||||
}
|
||||
"SEM_URIBL_FRESH15_UNKNOWN" {
|
||||
weight = 0.0;
|
||||
description = "Spameatingmonkey Fresh15 uribl: unknown result";
|
||||
groups = ["sem"];
|
||||
}
|
||||
"SEM_URIBL_FRESH15" {
|
||||
weight = 3.0;
|
||||
description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
|
||||
groups = ["sem"];
|
||||
}
|
||||
"DBL" {
|
||||
weight = 0.0;
|
||||
description = "DBL unknown result";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_SPAM" {
|
||||
weight = 6.5;
|
||||
description = "DBL uribl spam";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_PHISH" {
|
||||
weight = 6.5;
|
||||
description = "DBL uribl phishing";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_MALWARE" {
|
||||
weight = 6.5;
|
||||
description = "DBL uribl malware";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_BOTNET" {
|
||||
weight = 5.5;
|
||||
description = "DBL uribl botnet C&C domain";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_ABUSE" {
|
||||
weight = 6.5;
|
||||
description = "DBL uribl abused legit spam";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_ABUSE_REDIR" {
|
||||
weight = 1.5;
|
||||
description = "DBL uribl abused spammed redirector domain";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_ABUSE_PHISH" {
|
||||
weight = 7.5;
|
||||
description = "DBL uribl abused legit phish";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_ABUSE_MALWARE" {
|
||||
weight = 7.5;
|
||||
description = "DBL uribl abused legit malware";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_ABUSE_BOTNET" {
|
||||
weight = 5.5;
|
||||
description = "DBL uribl abused legit botnet C&C";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"DBL_PROHIBIT" {
|
||||
weight = 0.0;
|
||||
description = "DBL uribl IP queries prohibited!";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"URIBL_MULTI" {
|
||||
weight = 0.0;
|
||||
description = "uribl.com: unrecognised result";
|
||||
groups = ["uribl"];
|
||||
}
|
||||
"URIBL_BLOCKED" {
|
||||
weight = 0.0;
|
||||
description = "uribl.com: query refused";
|
||||
groups = ["uribl", "blocked"];
|
||||
}
|
||||
"URIBL_BLACK" {
|
||||
weight = 7.5;
|
||||
description = "uribl.com black url";
|
||||
groups = ["uribl"];
|
||||
}
|
||||
"URIBL_RED" {
|
||||
weight = 3.5;
|
||||
description = "uribl.com red url";
|
||||
groups = ["uribl"];
|
||||
}
|
||||
"URIBL_GREY" {
|
||||
weight = 1.5;
|
||||
description = "uribl.com grey url";
|
||||
one_shot = true;
|
||||
groups = ["uribl"];
|
||||
}
|
||||
"SPAMHAUS_ZEN_URIBL" {
|
||||
weight = 0.0;
|
||||
description = "Spamhaus ZEN URIBL: Filtered result";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"URIBL_SBL" {
|
||||
weight = 6.5;
|
||||
description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
|
||||
one_shot = true;
|
||||
groups = ["v"];
|
||||
}
|
||||
"URIBL_SBL_CSS" {
|
||||
weight = 6.5;
|
||||
description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
|
||||
one_shot = true;
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"URIBL_XBL" {
|
||||
weight = 1.5;
|
||||
description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
|
||||
one_shot = true;
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"URIBL_PBL" {
|
||||
weight = 0.01;
|
||||
description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"URIBL_DROP" {
|
||||
weight = 5.0;
|
||||
description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
|
||||
one_shot = true;
|
||||
groups = ["spamhaus"];
|
||||
}
|
||||
"RBL_SARBL_BAD" {
|
||||
weight = 2.5;
|
||||
description = "A domain in the message body is blacklisted in SARBL";
|
||||
one_shot = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "phishing" {
|
||||
max_score = 10.0;
|
||||
symbols = {
|
||||
"PHISHING" {
|
||||
weight = 4.0;
|
||||
description = "Phished URL";
|
||||
one_shot = true;
|
||||
}
|
||||
"PHISHED_OPENPHISH" {
|
||||
weight = 7.0;
|
||||
description = "Phished URL found in openphish.com";
|
||||
}
|
||||
"PHISHED_PHISHTANK" {
|
||||
weight = 7.0;
|
||||
description = "Phished URL found in phishtank.com";
|
||||
}
|
||||
HACKED_WP_PHISHING {
|
||||
weight = 4.5;
|
||||
description = "Phishing message from hacked wordpress";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "hfilter" {
|
||||
symbols = {
|
||||
"HFILTER_HELO_BAREIP" {
|
||||
weight = 3.0;
|
||||
description = "Helo host is bare ip";
|
||||
}
|
||||
"HFILTER_HELO_BADIP" {
|
||||
weight = 4.5;
|
||||
description = "Helo host is very bad ip";
|
||||
}
|
||||
"HFILTER_HELO_1" {
|
||||
weight = 0.5;
|
||||
description = "Helo host checks (very low)";
|
||||
}
|
||||
"HFILTER_HELO_2" {
|
||||
weight = 1.0;
|
||||
description = "Helo host checks (low)";
|
||||
}
|
||||
"HFILTER_HELO_3" {
|
||||
weight = 2.0;
|
||||
description = "Helo host checks (medium)";
|
||||
}
|
||||
"HFILTER_HELO_4" {
|
||||
weight = 2.5;
|
||||
description = "Helo host checks (hard)";
|
||||
}
|
||||
"HFILTER_HELO_5" {
|
||||
weight = 3.0;
|
||||
description = "Helo host checks (very hard)";
|
||||
}
|
||||
"HFILTER_HOSTNAME_1" {
|
||||
weight = 0.5;
|
||||
description = "Hostname checks (very low)";
|
||||
}
|
||||
"HFILTER_HOSTNAME_2" {
|
||||
weight = 1.0;
|
||||
description = "Hostname checks (low)";
|
||||
}
|
||||
"HFILTER_HOSTNAME_3" {
|
||||
weight = 2.0;
|
||||
description = "Hostname checks (medium)";
|
||||
}
|
||||
"HFILTER_HOSTNAME_4" {
|
||||
weight = 2.5;
|
||||
description = "Hostname checks (hard)";
|
||||
}
|
||||
"HFILTER_HOSTNAME_5" {
|
||||
weight = 3.0;
|
||||
description = "Hostname checks (very hard)";
|
||||
}
|
||||
"HFILTER_HELO_NORESOLVE_MX" {
|
||||
weight = 0.2;
|
||||
description = "MX found in Helo and no resolve";
|
||||
}
|
||||
"HFILTER_HELO_NORES_A_OR_MX" {
|
||||
weight = 0.3;
|
||||
description = "Helo no resolve to A or MX";
|
||||
}
|
||||
"HFILTER_HELO_IP_A" {
|
||||
weight = 1.0;
|
||||
description = "Helo A IP != hostname IP";
|
||||
}
|
||||
"HFILTER_HELO_NOT_FQDN" {
|
||||
weight = 2.0;
|
||||
description = "Helo not FQDN";
|
||||
}
|
||||
"HFILTER_FROMHOST_NORESOLVE_MX" {
|
||||
weight = 0.5;
|
||||
description = "MX found in FROM host and no resolve";
|
||||
}
|
||||
"HFILTER_FROMHOST_NORES_A_OR_MX" {
|
||||
weight = 1.5;
|
||||
description = "FROM host no resolve to A or MX";
|
||||
}
|
||||
"HFILTER_FROMHOST_NOT_FQDN" {
|
||||
weight = 3.0;
|
||||
description = "FROM host not FQDN";
|
||||
}
|
||||
"HFILTER_FROM_BOUNCE" {
|
||||
weight = 0.0;
|
||||
description = "Bounce message";
|
||||
}
|
||||
"HFILTER_MID_NORESOLVE_MX" {
|
||||
weight = 0.5;
|
||||
description = "MX found in Message-id host and no resolve";
|
||||
}
|
||||
"HFILTER_MID_NORES_A_OR_MX" {
|
||||
weight = 0.5;
|
||||
description = "Message-id host no resolve to A or MX";
|
||||
}
|
||||
"HFILTER_MID_NOT_FQDN" {
|
||||
weight = 0.5;
|
||||
description = "Message-id host not FQDN";
|
||||
}
|
||||
"HFILTER_HOSTNAME_UNKNOWN" {
|
||||
weight = 2.5;
|
||||
description = "Unknown client hostname (PTR or FCrDNS verification failed)";
|
||||
}
|
||||
"HFILTER_RCPT_BOUNCEMOREONE" {
|
||||
weight = 1.5;
|
||||
description = "Message from bounce and over 1 recipient";
|
||||
}
|
||||
"HFILTER_URL_ONLY" {
|
||||
weight = 2.2;
|
||||
description = "URL only in body";
|
||||
}
|
||||
"HFILTER_URL_ONELINE" {
|
||||
weight = 2.5;
|
||||
description = "One line URL and text in body";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "mime_types" {
|
||||
symbols = {
|
||||
"MIME_GOOD" {
|
||||
weight = -0.1;
|
||||
description = "Known content-type";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_BAD" {
|
||||
weight = 1.0;
|
||||
description = "Known bad content-type";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_UNKNOWN" {
|
||||
weight = 0.1;
|
||||
description = "Missing or unknown content-type";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_BAD_ATTACHMENT" {
|
||||
weight = 4.0;
|
||||
description = "Invalid attachment mime type";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_ENCRYPTED_ARCHIVE" {
|
||||
weight = 2.0;
|
||||
description = "Encrypted archive in a message";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_ARCHIVE_IN_ARCHIVE" {
|
||||
weight = 5.0;
|
||||
description = "Archive within another archive";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_DOUBLE_BAD_EXTENSION" {
|
||||
weight = 3.0; # This rule has dynamic weight up to 4.0
|
||||
description = "Bad extension cloaking";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_BAD_EXTENSION" {
|
||||
weight = 2.0; # This rule has dynamic weight up to 4.0
|
||||
description = "Bad extension";
|
||||
one_shot = true;
|
||||
}
|
||||
"MIME_BAD_UNICODE" {
|
||||
weight = 8.0;
|
||||
description = "Filename with known obscured unicode characters";
|
||||
one_shot = true;
|
||||
}
|
||||
}
|
||||
}
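Review bot: `URIBL_SBL` in the `surbl` group is assigned `groups = ["v"];`, while its sibling Spamhaus URIBL symbols (`URIBL_SBL_CSS`, `URIBL_XBL`, `URIBL_PBL`, `URIBL_DROP`) all use `["spamhaus"]`; this looks like a typo. As written the symbol lands in a stray group `v`, so any expression or limit that selects by the `spamhaus` group would skip a 6.5-weight hit. The suggested line is `groups = ["spamhaus"];`. A smaller style point: `HACKED_WP_PHISHING` in the `phishing` group is the only unquoted symbol key in the file, and quoting it keeps the file uniform.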
|
|
@ -0,0 +1,16 @@
|
|||
logging {
|
||||
type = "syslog";
|
||||
level = "info";
|
||||
|
||||
# Show statistics for regular expressions
|
||||
log_re_cache = true;
|
||||
|
||||
# Can be used for console logging
|
||||
color = false;
|
||||
|
||||
# Log with microseconds resolution
|
||||
log_usec = false;
|
||||
|
||||
# Enable debug for specific modules (e.g. `debug_modules = ["dkim", "re_cache"];`)
|
||||
debug_modules = []
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
chartable {
|
||||
threshold = 0.300000;
|
||||
symbol = "R_MIXED_CHARSET";
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
dkim {
|
||||
dkim_cache_size = 2k;
|
||||
dkim_cache_expire = 1d;
|
||||
time_jitter = 6h;
|
||||
trusted_only = false;
|
||||
skip_multi = false;
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
dmarc {
|
||||
reporting = true;
|
||||
send_reports = false;
|
||||
actions = {
|
||||
quarantine = "add_header";
|
||||
reject = "reject";
|
||||
}
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
fuzzy_check {
|
||||
min_bytes = 1k; # Since small parts and small attachments causes too many FP
|
||||
timeout = 2s;
|
||||
retransmits = 1;
|
||||
rule "rspamd.com" {
|
||||
algorithm = "mumhash";
|
||||
servers = "round-robin:fuzzy1.rspamd.com:11335,fuzzy2.rspamd.com:11335";
|
||||
encryption_key = "icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy";
|
||||
symbol = "FUZZY_UNKNOWN";
|
||||
mime_types = ["*"];
|
||||
max_score = 20.0;
|
||||
read_only = yes;
|
||||
skip_unknown = yes;
|
||||
short_text_direct_hash = true; # If less than min_length then use direct hash
|
||||
min_length = 64; # Minimum words count to consider shingles
|
||||
fuzzy_map = {
|
||||
FUZZY_DENIED {
|
||||
max_score = 20.0;
|
||||
flag = 1;
|
||||
}
|
||||
FUZZY_PROB {
|
||||
max_score = 10.0;
|
||||
flag = 2;
|
||||
}
|
||||
FUZZY_WHITE {
|
||||
max_score = 2.0;
|
||||
flag = 3;
|
||||
}
|
||||
}
|
||||
}
|
||||
# Include dynamic conf for the rule
|
||||
.include(try=true,priority=5) "${DBDIR}/dynamic/fuzzy_check.conf"
|
||||
}
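Review bot: The `encryption_key` in the `rule "rspamd.com"` block reads like a committed secret, and nothing next to it says what it is. It appears to be the public key of the upstream rspamd.com fuzzy storage, which would make it safe to publish, but that should be confirmed and then stated, e.g. `# Public key of the rspamd.com fuzzy storage (not a secret)`. The same comment is a good place to record that this rule sends hashes of message parts to a third-party service, since `mime_types = ["*"]` applies it to every part type above `min_bytes`.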
|
|
@ -0,0 +1,11 @@
|
|||
greylist {
|
||||
report_time = true;
|
||||
expire = 1d;
|
||||
timeout = 5min;
|
||||
key_prefix = "rg";
|
||||
max_data_len = 10k;
|
||||
message = "Try again later";
|
||||
action = "soft reject";
|
||||
ipv4_mask = 19; # Mask bits for ipv4
|
||||
ipv6_mask = 64; # Mask bits for ipv6
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
maillist {
|
||||
symbol = "MAILLIST";
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
milter_headers {
|
||||
extended_spam_headers = true;
|
||||
authenticated_headers = ["authentication-results"];
|
||||
spf_symbols {
|
||||
pass = "R_SPF_ALLOW";
|
||||
fail = "R_SPF_FAIL";
|
||||
softfail = "R_SPF_SOFTFAIL";
|
||||
neutral = "R_SPF_NEUTRAL";
|
||||
temperror = "R_SPF_DNSFAIL";
|
||||
none = "R_SPF_NA";
|
||||
permerror = "R_SPF_PERMFAIL";
|
||||
}
|
||||
dkim_symbols {
|
||||
pass = "R_DKIM_ALLOW";
|
||||
fail = "R_DKIM_REJECT";
|
||||
temperror = "R_DKIM_TEMPFAIL";
|
||||
none = "R_DKIM_NA";
|
||||
permerror = "R_DKIM_PERMFAIL";
|
||||
}
|
||||
dmarc_symbols {
|
||||
pass = "DMARC_POLICY_ALLOW";
|
||||
permerror = "DMARC_BAD_POLICY";
|
||||
temperror = "DMARC_DNSFAIL";
|
||||
none = "DMARC_NA";
|
||||
reject = "DMARC_POLICY_REJECT";
|
||||
softfail = "DMARC_POLICY_SOFTFAIL";
|
||||
quarantine = "DMARC_POLICY_QUARANTINE";
|
||||
}
|
||||
}
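Review bot: The `spf_symbols`, `dkim_symbols` and `dmarc_symbols` maps sit directly under `milter_headers`, but as far as I know the module reads them from the `authentication-results` entry under `routines`, so at this level they are probably ignored and the built-in defaults apply. If the mapping is meant to take effect, nest the three maps as `routines { authentication-results { … } }`. It is also worth confirming that inbound `Authentication-Results` headers claiming this host's authserv-id are stripped before the new one is added, otherwise downstream filters may trust a result this server never produced. `extended_spam_headers = true` additionally exposes the scanner's hostname and symbol list, so check that those headers are not attached to outbound mail.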
|
|
@ -0,0 +1,5 @@
|
|||
phishing {
|
||||
symbol = "PHISHING";
|
||||
openphish_enabled = true;
|
||||
phishtank_enabled = true;
|
||||
}
|
|
@ -0,0 +1,143 @@
|
|||
rbl {
|
||||
default_from = true;
|
||||
default_received = false;
|
||||
default_exclude_users = true;
|
||||
default_unknown = true;
|
||||
rbls {
|
||||
spamhaus {
|
||||
symbol = "RBL_SPAMHAUS";
|
||||
rbl = "zen.spamhaus.org";
|
||||
ipv6 = true;
|
||||
returncodes {
|
||||
RBL_SPAMHAUS_SBL = "127.0.0.2";
|
||||
RBL_SPAMHAUS_CSS = "127.0.0.3";
|
||||
RBL_SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
|
||||
RBL_SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"];
|
||||
RBL_SPAMHAUS_DROP = "127.0.0.9";
|
||||
}
|
||||
}
|
||||
|
||||
spamhaus_received {
|
||||
symbol = "RECEIVED_SPAMHAUS";
|
||||
rbl = "zen.spamhaus.org";
|
||||
ipv6 = true;
|
||||
received = true;
|
||||
from = false;
|
||||
ignore_whitelists = true;
|
||||
returncodes {
|
||||
RECEIVED_SPAMHAUS_SBL = "127.0.0.2";
|
||||
RECEIVED_SPAMHAUS_CSS = "127.0.0.3";
|
||||
RECEIVED_SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
|
||||
RECEIVED_SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"];
|
||||
RECEIVED_SPAMHAUS_DROP = "127.0.0.9";
|
||||
}
|
||||
}
|
||||
|
||||
mailspike {
|
||||
symbol = "MAILSPIKE";
|
||||
rbl = "rep.mailspike.net";
|
||||
is_whitelist = true;
|
||||
whitelist_exception = "MAILSPIKE";
|
||||
whitelist_exception = "RWL_MAILSPIKE_GOOD";
|
||||
whitelist_exception = "RWL_MAILSPIKE_NEUTRAL";
|
||||
whitelist_exception = "RWL_MAILSPIKE_POSSIBLE";
|
||||
whitelist_exception = "RBL_MAILSPIKE_WORST";
|
||||
whitelist_exception = "RBL_MAILSPIKE_VERYBAD";
|
||||
whitelist_exception = "RBL_MAILSPIKE_BAD";
|
||||
returncodes {
|
||||
RBL_MAILSPIKE_WORST = "127.0.0.10";
|
||||
RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
|
||||
RBL_MAILSPIKE_BAD = "127.0.0.12";
|
||||
RWL_MAILSPIKE_NEUTRAL = ["127.0.0.16", "127.0.0.15", "127.0.0.14", "127.0.0.13"];
|
||||
RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
|
||||
RWL_MAILSPIKE_GOOD = "127.0.0.18";
|
||||
RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
|
||||
RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
|
||||
}
|
||||
}
|
||||
|
||||
senderscore {
|
||||
symbol = "RBL_SENDERSCORE";
|
||||
rbl = "bl.score.senderscore.com";
|
||||
}
|
||||
|
||||
sem {
|
||||
symbol = "RBL_SEM";
|
||||
rbl = "bl.spameatingmonkey.net";
|
||||
ipv6 = false;
|
||||
}
|
||||
|
||||
semIPv6 {
|
||||
symbol = "RBL_SEM_IPV6";
|
||||
rbl = "bl.ipv6.spameatingmonkey.net";
|
||||
ipv4 = false;
|
||||
ipv6 = true;
|
||||
}
|
||||
|
||||
dnswl {
|
||||
symbol = "RCVD_IN_DNSWL";
|
||||
rbl = "list.dnswl.org";
|
||||
ipv6 = true;
|
||||
is_whitelist = true;
|
||||
whitelist_exception = "RCVD_IN_DNSWL";
|
||||
whitelist_exception = "RCVD_IN_DNSWL_NONE";
|
||||
whitelist_exception = "RCVD_IN_DNSWL_LOW";
|
||||
whitelist_exception = "DNSWL_BLOCKED";
|
||||
returncodes {
|
||||
RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
|
||||
RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
|
||||
RCVD_IN_DNSWL_MED = "127.0.%d+.2";
|
||||
RCVD_IN_DNSWL_HI = "127.0.%d+.3";
|
||||
DNSWL_BLOCKED = "127.0.0.255";
|
||||
}
|
||||
}
|
||||
|
||||
virusfree {
|
||||
symbol = "RBL_VIRUSFREE_UNKNOWN";
|
||||
rbl = "bip.virusfree.cz";
|
||||
ipv6 = true;
|
||||
returncodes {
|
||||
RBL_VIRUSFREE_BOTNET = "127.0.0.2";
|
||||
}
|
||||
}
|
||||
|
||||
nixspam {
|
||||
symbol = "RBL_NIXSPAM";
|
||||
rbl = "ix.dnsbl.manitu.net";
|
||||
ipv6 = true;
|
||||
}
|
||||
|
||||
blocklistde {
|
||||
symbol = "RBL_BLOCKLISTDE";
|
||||
rbl = "bl.blocklist.de";
|
||||
ipv6 = true;
|
||||
}
|
||||
|
||||
blocklistde_received {
|
||||
symbol = "RECEIVED_BLOCKLISTDE";
|
||||
rbl = "bl.blocklist.de";
|
||||
ipv6 = true;
|
||||
received = true;
|
||||
from = false;
|
||||
ignore_whitelists = true;
|
||||
}
|
||||
|
||||
dnswl_dwl {
|
||||
symbol = "DWL_DNSWL";
|
||||
rbl = "dwl.dnswl.org";
|
||||
dkim = true;
|
||||
dkim_domainonly = false;
|
||||
dkim_match_from = true;
|
||||
ignore_whitelist = true;
|
||||
unknown = false;
|
||||
|
||||
returncodes {
|
||||
DWL_DNSWL_NONE = "127.0.%d+.0";
|
||||
DWL_DNSWL_LOW = "127.0.%d+.1";
|
||||
DWL_DNSWL_MED = "127.0.%d+.2";
|
||||
DWL_DNSWL_HI = "127.0.%d+.3";
|
||||
DWL_DNSWL_BLOCKED = "127.0.0.255";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
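Review bot: The `spamhaus` and `spamhaus_received` entries map only the listing codes, and with `default_unknown = true` any other answer from `zen.spamhaus.org` should still fire the parent symbol. Spamhaus answers in 127.255.255.0/24 when queries arrive through a public or over-quota resolver, so on such a resolver every message would pick up `RBL_SPAMHAUS` regardless of the sender. The `dnswl` entry already handles its equivalent with `DNSWL_BLOCKED = "127.0.0.255"`; I would add a matching return code here, e.g. `RBL_SPAMHAUS_BLOCKED = "127.255.255.254";` (symbol name constructed for this note), and give it zero weight in the groups file. Separately, `dnswl_dwl` spells the option `ignore_whitelist` while both `*_received` entries use `ignore_whitelists`; one of the two spellings is presumably not recognised.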
|
|
@ -0,0 +1,4 @@
|
|||
redis {
|
||||
servers = "redis.routinginfo.redxen.localhost:7551";
|
||||
db = 1;
|
||||
}
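Review bot: The `redis` block sets `servers` and `db` but no authentication, so access to the store behind the Bayes classifier (`backend = "redis"` in the statistics file), and presumably greylisting too, rests entirely on who can reach port 7551. Because the package installs these files with mode 644, a `password` should not be written into this file; I would load it from a root-only override instead, e.g. `.include(try=true) "${CONFDIR}/redxen/local/redis.conf"` (path constructed for this note). At minimum add a comment such as `# No auth: this Redis instance must only be reachable from the mail host`.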
|
|
@ -0,0 +1,6 @@
|
|||
spf {
|
||||
spf_cache_size = 2k;
|
||||
spf_cache_expire = 1d;
|
||||
disable_ipv6 = false;
|
||||
min_cache_ttl = 10m;
|
||||
}
|
|
@ -0,0 +1,63 @@
|
|||
options {
|
||||
pidfile = "$RUNDIR/rspamd.pid";
|
||||
filters = "chartable,dkim,dmarc,greylist,maillist,milter_headers,phishing,rbl,redis,spf";
|
||||
raw_mode = false;
|
||||
one_shot = false;
|
||||
cache_file = "$DBDIR/symbols.cache";
|
||||
map_watch_interval = 5min;
|
||||
map_file_watch_multiplier = 0.1;
|
||||
dynamic_conf = "$DBDIR/rspamd_dynamic";
|
||||
history_file = "$DBDIR/rspamd.history";
|
||||
check_all_filters = false;
|
||||
dns {
|
||||
timeout = 1s;
|
||||
sockets = 16;
|
||||
retransmits = 5;
|
||||
}
|
||||
tempdir = "/tmp";
|
||||
url_tld = "${SHAREDIR}/effective_tld_names.dat";
|
||||
classify_headers = [
|
||||
"User-Agent",
|
||||
"X-Mailer",
|
||||
"Content-Type",
|
||||
"X-MimeOLE",
|
||||
];
|
||||
control_socket = "$DBDIR/rspamd.sock mode=0600";
|
||||
history_rows = 200;
|
||||
explicit_modules = ["settings", "bayes_expiry"];
|
||||
|
||||
# Scan messages even if they are not MIME
|
||||
allow_raw_input = true;
|
||||
|
||||
# Start ignore words when reaching the following limit, so the total
|
||||
# amount of words processed will not be *LIKELY more than the twice of that limit
|
||||
words_decay = 600;
|
||||
|
||||
# Local networks
|
||||
local_addrs = [10.0.0.0/8];
|
||||
hs_cache_dir = "${DBDIR}/";
|
||||
|
||||
# Timeout for messages processing (must be larger than any internal timeout used)
|
||||
task_timeout = 8s;
|
||||
|
||||
# Emit soft reject when timeout takes place
|
||||
soft_reject_on_timeout = true;
|
||||
}
|
||||
|
||||
actions {
|
||||
reject = 8;
|
||||
add_header = 3;
|
||||
greylist = 1;
|
||||
}
|
||||
|
||||
.include "${CONFDIR}/redxen/workers.conf"
|
||||
.include "${CONFDIR}/redxen/logging.conf"
|
||||
.include "${CONFDIR}/redxen/composites.conf"
|
||||
.include "${CONFDIR}/redxen/groups.conf"
|
||||
.include "${CONFDIR}/redxen/statistic.conf"
|
||||
|
||||
lua = "$RULESDIR/rspamd.lua"
|
||||
.include(glob=true) "${CONFDIR}/redxen/modules/*.conf"
|
||||
modules {
|
||||
path = "${PLUGINSDIR}";
|
||||
}
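Review bot: The `filters` list in `options` names Lua plugins (`dmarc`, `greylist`, `rbl`, …) but omits `regexp` and `fuzzy_check`; as far as I know this option selects the compiled-in modules, so leaving those two out disables them. That would make the shipped `fuzzy_check` module config a no-op and silence the regexp-based symbols weighted in the groups file, which weakens detection with no visible error. If that is not intended, use `filters = "chartable,dkim,regexp,fuzzy_check";` and leave the Lua plugins to the `modules { path = … }` block. A smaller point in the same section is `tempdir = "/tmp"`, where a directory owned by the rspamd user would be safer than the shared one.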
|
|
@ -0,0 +1,28 @@
|
|||
classifier "bayes" {
|
||||
tokenizer {
|
||||
name = "osb";
|
||||
}
|
||||
cache {}
|
||||
new_schema = true;
|
||||
store_tokens = false;
|
||||
signatures = false;
|
||||
min_tokens = 11;
|
||||
backend = "redis";
|
||||
min_learns = 200;
|
||||
statfile {
|
||||
symbol = "BAYES_HAM";
|
||||
spam = false;
|
||||
}
|
||||
statfile {
|
||||
symbol = "BAYES_SPAM";
|
||||
spam = true;
|
||||
}
|
||||
learn_condition = 'return require("lua_bayes_learn").can_learn';
|
||||
|
||||
autolearn {
|
||||
spam_threshold = 6.0; # When to learn spam (score >= threshold)
|
||||
ham_threshold = -0.5; # When to learn ham (score <= threshold)
|
||||
check_balance = true; # Check spam and ham balance
|
||||
min_balance = 0.9; # Keep diff for spam/ham learns for at least this value
|
||||
}
|
||||
}
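Review bot: The `autolearn` block trains the classifier from the scanner's own score, and `ham_threshold = -0.5` can be reached with a handful of small negative symbols (the groups file gives `MIME_GOOD` -0.1, and the RBL config adds DNS whitelist symbols whose weights are not visible here). Any sender able to collect that credit would have its mail learned as ham, so a mis-weighted whitelist rule turns into persistent classifier drift. I would document the dependency next to the thresholds, e.g. `# Autolearn trusts the rule score: re-check these thresholds whenever whitelist weights change`, and confirm that `-0.5` is deliberate for this rule set.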
|
|
@ -0,0 +1,34 @@
|
|||
worker "normal" {
|
||||
count = 1;
|
||||
bind_socket = "localhost:11333";
|
||||
mime = true;
|
||||
}
|
||||
|
||||
worker "controller" {
|
||||
count = -1;
|
||||
bind_socket = "localhost:11334";
|
||||
}
|
||||
|
||||
worker "rspamd_proxy" {
|
||||
count = 1;
|
||||
bind_socket = "localhost:11332";
|
||||
milter = yes;
|
||||
timeout = 120s; # Needed for Milter usually
|
||||
max_retries = 5;
|
||||
discard_on_reject = false;
|
||||
quarantine_on_reject = false;
|
||||
spam_header = "X-Spam";
|
||||
reject_message = "RedXen Mail: Spam message rejected";
|
||||
upstream "local" {
|
||||
default = yes;
|
||||
hosts = "localhost";
|
||||
}
|
||||
}
|
||||
|
||||
worker "fuzzy" {
|
||||
count = 1;
|
||||
bind_socket = "localhost:11335";
|
||||
backend = "redis";
|
||||
expire = 90d;
|
||||
allow_update = [];
|
||||
}
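Review bot: The `worker "controller"` block sets neither `password` nor `enable_password`, so the only barrier to the controller API on `localhost:11334` is the loopback bind; any local account, or a reverse proxy placed in front of that port, can reach it. I would set both options (hashed values loaded from a root-only include, not this 644 file) or bind the controller to a unix socket with a restrictive mode, as `control_socket` in the main config already does with `mode=0600`. `count = -1` on the same worker also looks unintended, since the controller normally runs as a single process: `count = 1;`.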
|