RedXen
/
aports
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
aports/configs/rspamd/groups.conf

823 lines
20 KiB
Plaintext
Raw Blame History

group "headers" {
symbols = {
"FORGED_SENDER" {
weight = 0.3;
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
}
"R_MIXED_CHARSET" {
weight = 5.0;
description = "Mixed characters in a message";
one_shot = true;
}
"R_MIXED_CHARSET_URL" {
weight = 7.0;
description = "Mixed characters in a URL inside message";
one_shot = true;
}
"FORGED_RECIPIENTS" {
weight = 2.0;
description = "Recipients are not the same as RCPT TO: mail command";
}
"FORGED_RECIPIENTS_MAILLIST" {
weight = 0.0;
description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
}
"FORGED_SENDER_MAILLIST" {
weight = 0.0;
description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
}
"ONCE_RECEIVED" {
weight = 0.1;
description = "One received header in a message";
}
"RDNS_NONE" {
weight = 1.0;
description = "Cannot resolve reverse DNS for sender's IP";
}
"RDNS_DNSFAIL" {
weight = 0.0;
description = "PTR verification DNS error";
}
"ONCE_RECEIVED_STRICT" {
weight = 4.0;
description = "One received header with 'bad' patterns inside";
}
"MAILLIST" {
weight = -0.2;
description = "Message seems to be from maillist";
}
}
}
group "subject" {
symbols = {}
max_score = 6.0;
}
group "mua" {
symbols = {
"FORGED_MUA_MAILLIST" {
weight = 0.0;
description = "Avoid false positives for FORGED_MUA_* in maillist";
}
}
}
group "rbl" {
symbols = {
"DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries";
groups = ["dnswl", "blocked"];
}
"RCVD_IN_DNSWL" {
weight = 0.0;
description = "Unrecognised result from https://www.dnswl.org";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_NONE" {
weight = 0.0;
description = "Sender listed at https://www.dnswl.org, no trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_LOW" {
weight = -0.1;
description = "Sender listed at https://www.dnswl.org, low trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_MED" {
weight = -0.2;
description = "Sender listed at https://www.dnswl.org, medium trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_HI" {
weight = -0.5;
description = "Sender listed at https://www.dnswl.org, high trust";
groups = ["dnswl"];
}
"DWL_DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries (dwl)";
groups = ["dnswl", "blocked"];
}
"DWL_DNSWL" {
weight = 0.0;
description = "Unrecognised result from https://www.dnswl.org (dwl)";
groups = ["dnswl"];
}
"DWL_DNSWL_NONE" {
weight = 0.0;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust";
groups = ["dnswl"];
}
"DWL_DNSWL_LOW" {
weight = -1.0;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust";
groups = ["dnswl"];
}
"DWL_DNSWL_MED" {
weight = -2.0;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust";
groups = ["dnswl"];
}
"DWL_DNSWL_HI" {
weight = -3.5;
description = "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, high trust";
groups = ["dnswl"];
}
"RBL_SPAMHAUS" {
weight = 0.0;
description = "Unrecognised result from Spamhaus ZEN";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_SBL" {
weight = 2.0;
description = "From address is listed in ZEN SBL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_CSS" {
weight = 2.0;
description = "From address is listed in ZEN CSS";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_XBL" {
weight = 4.0;
description = "From address is listed in ZEN XBL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_XBL_ANY" {
weight = 4.0;
description = "From or received address is listed in ZEN XBL (any list)";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_PBL" {
weight = 2.0;
description = "From address is listed in ZEN PBL (ISP list)";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_DROP" {
weight = 7.0;
description = "From address is listed in ZEN DROP BL";
groups = ["spamhaus"];
}
"RECEIVED_SPAMHAUS_SBL" {
weight = 1.0;
description = "Received address is listed in ZEN SBL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_CSS" {
weight = 1.0;
description = "Received address is listed in ZEN CSS";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_XBL" {
weight = 3.0;
description = "Received address is listed in ZEN XBL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_PBL" {
weight = 0.0;
description = "Received address is listed in ZEN PBL (ISP list)";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_DROP" {
weight = 6.0;
description = "Received address is listed in ZEN DROP BL";
groups = ["spamhaus"];
one_shot = true;
}
"RBL_SENDERSCORE" {
weight = 2.0;
description = "From address is listed in senderscore.com BL";
}
"MAILSPIKE" {
weight = 0.0;
description = "Unrecognised result from Mailspike";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_NEUTRAL" {
weight = 0.0;
description = "Neutral result from Mailspike";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_WORST" {
weight = 2.0;
description = "From address is listed in RBL - worst possible reputation";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_VERYBAD" {
weight = 1.5;
description = "From address is listed in RBL - very bad reputation";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_BAD" {
weight = 1.0;
description = "From address is listed in RBL - bad reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_POSSIBLE" {
weight = 0.0;
description = "From address is listed in RWL - possibly legit";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_GOOD" {
weight = 0.0;
description = "From address is listed in RWL - good reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_VERYGOOD" {
weight = 0.0;
description = "From address is listed in RWL - very good reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_EXCELLENT" {
weight = 0.0;
description = "From address is listed in RWL - excellent reputation";
groups = ["mailspike"];
}
"RBL_SEM" {
weight = 1.0;
description = "From address is listed in Spameatingmonkey RBL";
groups = ["sem"];
}
"RBL_SEM_IPV6" {
weight = 1.0;
description = "From address is listed in Spameatingmonkey RBL (IPv6)";
groups = ["sem"];
}
"RBL_VIRUSFREE_BOTNET" {
weight = 2.0;
description = "From address is listed in virusfree.cz BL";
}
"RBL_NIXSPAM" {
weight = 4.0;
description = "From address is listed in NiX Spam (http://www.dnsbl.manitu.net/)";
}
"RBL_BLOCKLISTDE" {
weight = 4.0;
description = "From address is listed in Blocklist (https://www.blocklist.de/)";
groups = ["blocklistde"];
}
"RECEIVED_BLOCKLISTDE" {
weight = 3.0;
description = "Received address is listed in Blocklist (https://www.blocklist.de/)";
groups = ["blocklistde"];
one_shot = true;
}
}
}
group "statistics" {
symbols = {
"BAYES_SPAM" {
weight = 5.1;
description = "Message probably spam, probability: ";
}
"BAYES_HAM" {
weight = -3.0;
description = "Message probably ham, probability: ";
}
}
}
group "fuzzy" {
symbols = {
"FUZZY_UNKNOWN" {
weight = 5.0;
description = "Generic fuzzy hash match, bl.rspamd.com";
}
"FUZZY_DENIED" {
weight = 12.0;
description = "Denied fuzzy hash, bl.rspamd.com";
}
"FUZZY_PROB" {
weight = 5.0;
description = "Probable fuzzy hash, bl.rspamd.com";
}
"FUZZY_WHITE" {
weight = -2.1;
description = "Whitelisted fuzzy hash, bl.rspamd.com";
}
}
}
group "policies" {
symbols = {
"R_SPF_FAIL" {
weight = 1.0;
description = "SPF verification failed";
groups = ["spf"];
}
"R_SPF_SOFTFAIL" {
weight = 0.0;
description = "SPF verification soft-failed";
groups = ["spf"];
}
"R_SPF_NEUTRAL" {
weight = 0.0;
description = "SPF policy is neutral";
groups = ["spf"];
}
"R_SPF_ALLOW" {
weight = -0.2;
description = "SPF verification allows sending";
groups = ["spf"];
}
"R_SPF_DNSFAIL" {
weight = 0.0;
description = "SPF DNS failure";
groups = ["spf"];
}
"R_DKIM_REJECT" {
weight = 1.0;
description = "DKIM verification failed";
one_shot = true;
groups = ["dkim"];
}
"R_DKIM_TEMPFAIL" {
weight = 0.0;
description = "DKIM verification soft-failed";
groups = ["dkim"];
}
"R_DKIM_ALLOW" {
weight = -0.2;
description = "DKIM verification succeed";
one_shot = true;
groups = ["dkim"];
}
"DMARC_POLICY_ALLOW" {
weight = -0.5;
description = "DMARC permit policy";
groups = ["dmarc"];
}
"DMARC_POLICY_ALLOW_WITH_FAILURES" {
weight = -0.5;
description = "DMARC permit policy with DKIM/SPF failure";
groups = ["dmarc"];
}
"DMARC_POLICY_REJECT" {
weight = 2.0;
description = "DMARC reject policy";
groups = ["dmarc"];
}
"DMARC_POLICY_QUARANTINE" {
weight = 1.5;
description = "DMARC quarantine policy";
groups = ["dmarc"];
}
"DMARC_POLICY_SOFTFAIL" {
weight = 0.1;
description = "DMARC failed";
groups = ["dmarc"];
}
"ARC_ALLOW" {
weight = -1.0;
description = "ARC checks success";
groups = ["arc"];
}
"ARC_REJECT" {
weight = 2.0;
description = "ARC checks failed";
groups = ["arc"];
}
"ARC_INVALID" {
weight = 1.0;
description = "ARC structure invalid";
groups = ["arc"];
}
"ARC_DNSFAIL" {
weight = 0.0;
description = "ARC DNS error";
groups = ["arc"];
}
"ARC_NA" {
weight = 0.0;
description = "ARC signature absent";
groups = ["arc"];
}
}
}
group "whitelist" {
max_score = 10.0;
symbols = {
"WHITELIST_SPF" {
weight = -1.0;
description = "Mail comes from the whitelisted domain and has a valid SPF policy";
}
"BLACKLIST_SPF" {
weight = 1.0;
description = "Mail comes from the whitelisted domain and has no valid SPF policy";
}
"WHITELIST_DKIM" {
weight = -1.0;
description = "Mail comes from the whitelisted domain and has a valid DKIM signature";
}
"BLACKLIST_DKIM" {
weight = 2.0;
description = "Mail comes from the whitelisted domain and has non-valid DKIM signature";
}
"WHITELIST_SPF_DKIM" {
weight = -3.0;
description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies";
}
"BLACKLIST_SPF_DKIM" {
weight = 3.0;
description = "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature";
}
"WHITELIST_DMARC" {
weight = -7.0;
description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies";
}
"BLACKLIST_DMARC" {
weight = 6.0;
description = "Mail comes from the whitelisted domain and has valid failed DMARC and DKIM policies";
}
}
}
group "surbl" {
max_score = 12.5;
symbols = {
"SURBL_BLOCKED" {
weight = 0.0;
description = "SURBL: blocked by policy/overusage";
groups = ["surblorg", "blocked"];
}
"PH_SURBL_MULTI" {
weight = 5.5;
description = "SURBL: Phishing sites";
groups = ["surblorg", "phishing"];
}
"MW_SURBL_MULTI" {
weight = 5.5;
description = "SURBL: Malware sites";
groups = ["surblorg"];
}
"ABUSE_SURBL" {
weight = 5.5;
description = "SURBL: ABUSE";
groups = ["surblorg"];
}
"CRACKED_SURBL" {
weight = 4.0;
description = "SURBL: cracked site";
groups = ["surblorg"];
}
"RSPAMD_URIBL" {
weight = 4.5;
description = "Rspamd uribl, bl.rspamd.com";
one_shot = true;
groups = ["rspamdbl"];
}
"RSPAMD_EMAILBL" {
weight = 9.5;
description = "Rspamd emailbl, bl.rspamd.com";
one_shot = true;
groups = ["rspamdbl"];
}
"MSBL_EBL" {
weight = 7.5;
description = "MSBL emailbl";
one_shot = true;
groups = ["ebl"];
}
"MSBL_EBL_GREY" {
weight = 0.5; # TODO: test it
description = "MSBL emailbl grey list";
one_shot = true;
groups = ["ebl"];
}
"SEM_URIBL_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey uribl: unknown result";
groups = ["sem"];
}
"SEM_URIBL" {
weight = 3.5;
description = "Spameatingmonkey uribl";
groups = ["sem"];
}
"SEM_URIBL_FRESH15_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey Fresh15 uribl: unknown result";
groups = ["sem"];
}
"SEM_URIBL_FRESH15" {
weight = 3.0;
description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
groups = ["sem"];
}
"DBL" {
weight = 0.0;
description = "DBL unknown result";
groups = ["spamhaus"];
}
"DBL_SPAM" {
weight = 6.5;
description = "DBL uribl spam";
groups = ["spamhaus"];
}
"DBL_PHISH" {
weight = 6.5;
description = "DBL uribl phishing";
groups = ["spamhaus"];
}
"DBL_MALWARE" {
weight = 6.5;
description = "DBL uribl malware";
groups = ["spamhaus"];
}
"DBL_BOTNET" {
weight = 5.5;
description = "DBL uribl botnet C&C domain";
groups = ["spamhaus"];
}
"DBL_ABUSE" {
weight = 6.5;
description = "DBL uribl abused legit spam";
groups = ["spamhaus"];
}
"DBL_ABUSE_REDIR" {
weight = 1.5;
description = "DBL uribl abused spammed redirector domain";
groups = ["spamhaus"];
}
"DBL_ABUSE_PHISH" {
weight = 7.5;
description = "DBL uribl abused legit phish";
groups = ["spamhaus"];
}
"DBL_ABUSE_MALWARE" {
weight = 7.5;
description = "DBL uribl abused legit malware";
groups = ["spamhaus"];
}
"DBL_ABUSE_BOTNET" {
weight = 5.5;
description = "DBL uribl abused legit botnet C&C";
groups = ["spamhaus"];
}
"DBL_PROHIBIT" {
weight = 0.0;
description = "DBL uribl IP queries prohibited!";
groups = ["spamhaus"];
}
"URIBL_MULTI" {
weight = 0.0;
description = "uribl.com: unrecognised result";
groups = ["uribl"];
}
"URIBL_BLOCKED" {
weight = 0.0;
description = "uribl.com: query refused";
groups = ["uribl", "blocked"];
}
"URIBL_BLACK" {
weight = 7.5;
description = "uribl.com black url";
groups = ["uribl"];
}
"URIBL_RED" {
weight = 3.5;
description = "uribl.com red url";
groups = ["uribl"];
}
"URIBL_GREY" {
weight = 1.5;
description = "uribl.com grey url";
one_shot = true;
groups = ["uribl"];
}
"SPAMHAUS_ZEN_URIBL" {
weight = 0.0;
description = "Spamhaus ZEN URIBL: Filtered result";
groups = ["spamhaus"];
}
"URIBL_SBL" {
weight = 6.5;
description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
one_shot = true;
groups = ["v"];
}
"URIBL_SBL_CSS" {
weight = 6.5;
description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_XBL" {
weight = 1.5;
description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_PBL" {
weight = 0.01;
description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
groups = ["spamhaus"];
}
"URIBL_DROP" {
weight = 5.0;
description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
one_shot = true;
groups = ["spamhaus"];
}
"RBL_SARBL_BAD" {
weight = 2.5;
description = "A domain in the message body is blacklisted in SARBL";
one_shot = true;
}
}
}
group "phishing" {
max_score = 10.0;
symbols = {
"PHISHING" {
weight = 4.0;
description = "Phished URL";
one_shot = true;
}
"PHISHED_OPENPHISH" {
weight = 7.0;
description = "Phished URL found in openphish.com";
}
"PHISHED_PHISHTANK" {
weight = 7.0;
description = "Phished URL found in phishtank.com";
}
HACKED_WP_PHISHING {
weight = 4.5;
description = "Phishing message from hacked wordpress";
}
}
}
group "hfilter" {
symbols = {
"HFILTER_HELO_BAREIP" {
weight = 3.0;
description = "Helo host is bare ip";
}
"HFILTER_HELO_BADIP" {
weight = 4.5;
description = "Helo host is very bad ip";
}
"HFILTER_HELO_1" {
weight = 0.5;
description = "Helo host checks (very low)";
}
"HFILTER_HELO_2" {
weight = 1.0;
description = "Helo host checks (low)";
}
"HFILTER_HELO_3" {
weight = 2.0;
description = "Helo host checks (medium)";
}
"HFILTER_HELO_4" {
weight = 2.5;
description = "Helo host checks (hard)";
}
"HFILTER_HELO_5" {
weight = 3.0;
description = "Helo host checks (very hard)";
}
"HFILTER_HOSTNAME_1" {
weight = 0.5;
description = "Hostname checks (very low)";
}
"HFILTER_HOSTNAME_2" {
weight = 1.0;
description = "Hostname checks (low)";
}
"HFILTER_HOSTNAME_3" {
weight = 2.0;
description = "Hostname checks (medium)";
}
"HFILTER_HOSTNAME_4" {
weight = 2.5;
description = "Hostname checks (hard)";
}
"HFILTER_HOSTNAME_5" {
weight = 3.0;
description = "Hostname checks (very hard)";
}
"HFILTER_HELO_NORESOLVE_MX" {
weight = 0.2;
description = "MX found in Helo and no resolve";
}
"HFILTER_HELO_NORES_A_OR_MX" {
weight = 0.3;
description = "Helo no resolve to A or MX";
}
"HFILTER_HELO_IP_A" {
weight = 1.0;
description = "Helo A IP != hostname IP";
}
"HFILTER_HELO_NOT_FQDN" {
weight = 2.0;
description = "Helo not FQDN";
}
"HFILTER_FROMHOST_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in FROM host and no resolve";
}
"HFILTER_FROMHOST_NORES_A_OR_MX" {
weight = 1.5;
description = "FROM host no resolve to A or MX";
}
"HFILTER_FROMHOST_NOT_FQDN" {
weight = 3.0;
description = "FROM host not FQDN";
}
"HFILTER_FROM_BOUNCE" {
weight = 0.0;
description = "Bounce message";
}
"HFILTER_MID_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in Message-id host and no resolve";
}
"HFILTER_MID_NORES_A_OR_MX" {
weight = 0.5;
description = "Message-id host no resolve to A or MX";
}
"HFILTER_MID_NOT_FQDN" {
weight = 0.5;
description = "Message-id host not FQDN";
}
"HFILTER_HOSTNAME_UNKNOWN" {
weight = 2.5;
description = "Unknown client hostname (PTR or FCrDNS verification failed)";
}
"HFILTER_RCPT_BOUNCEMOREONE" {
weight = 1.5;
description = "Message from bounce and over 1 recipient";
}
"HFILTER_URL_ONLY" {
weight = 2.2;
description = "URL only in body";
}
"HFILTER_URL_ONELINE" {
weight = 2.5;
description = "One line URL and text in body";
}
}
}
group "mime_types" {
symbols = {
"MIME_GOOD" {
weight = -0.1;
description = "Known content-type";
one_shot = true;
}
"MIME_BAD" {
weight = 1.0;
description = "Known bad content-type";
one_shot = true;
}
"MIME_UNKNOWN" {
weight = 0.1;
description = "Missing or unknown content-type";
one_shot = true;
}
"MIME_BAD_ATTACHMENT" {
weight = 4.0;
description = "Invalid attachment mime type";
one_shot = true;
}
"MIME_ENCRYPTED_ARCHIVE" {
weight = 2.0;
description = "Encrypted archive in a message";
one_shot = true;
}
"MIME_ARCHIVE_IN_ARCHIVE" {
weight = 5.0;
description = "Archive within another archive";
one_shot = true;
}
"MIME_DOUBLE_BAD_EXTENSION" {
weight = 3.0; # This rule has dynamic weight up to 4.0
description = "Bad extension cloaking";
one_shot = true;
}
"MIME_BAD_EXTENSION" {
weight = 2.0; # This rule has dynamic weight up to 4.0
description = "Bad extension";
one_shot = true;
}
"MIME_BAD_UNICODE" {
weight = 8.0;
description = "Filename with known obscured unicode characters";
one_shot = true;
}
}
}
Reference in New Issue View Git Blame Copy Permalink