rspamd razor and pyzor modules enabled but not configured


David Mehler

May 3, 2018, 7:10:01 PM5/3/18
to rspamd
Hello,

I'm trying to get razor and pyzor working with my rspamd setup. In my
log I am seeing:

2018-05-03 14:31:04 #43917(main) <ehzkcx>; cfg;
rspamd_config_is_module_enabled: lua module razor is enabled but has
not been configured
2018-05-03 14:31:04 #43917(main) <ehzkcx>; cfg;
rspamd_config_is_module_enabled: razor disabling unconfigured lua
module


same thing for pyzor. This is on rspamd 1.74, on FreeBSD 11.1. I've
got a file /usr/local/bin/razorsocket running out of inetd and a pyzor
running on 127.0.0.1 port 5953. If anyone needs to see my startup
configuration for either of these services let me know.

As I said, I'm getting the above in my rspamd log file for both razor
and pyzor. I've included a complete configdump below, but in brief the
lines in my rspamd.conf.local are:

#cat rspamd.conf.local
pyzor {}
razor {}

Thanks.
Dave.

#rspamadm configdump
spamassassin {
match_limit = 100000;
ruleset = "/usr/local/etc/rspamd/local.d/spamassassin.cf";
}
dkim_signing {
use_esld = true;
allow_hdrfrom_mismatch = false;
selector = "dkim";
symbol = "DKIM_SIGNED";
use_domain_sign_local = "header";
auth_only = true;
allow_envfrom_empty = true;
try_fallback = true;
path = "/usr/local/etc/rspamd/dkim/$domain/dkim.key";
use_domain_sign_networks = "header";
use_redis = false;
allow_username_mismatch = false;
sign_local = true;
key_prefix = "DKIM_KEYS";
use_domain = "header";
allow_hdrfrom_multiple = false;
}
mx_check {
enabled = true;
key_prefix = "rmx";
symbol_good_mx = "MX_GOOD";
symbol_no_mx = "MX_MISSING";
symbol_bad_mx = "MX_INVALID";
timeout = 1;
expire = 86400;
}
regexp {
max_size = 1000000;
HAS_X_SOURCE {
re = "header_exists('X-Source') ||
header_exists('X-Source-Args') || header_exists('X-Source-Dir')";
group = "compromised_hosts";
description = "Has X-Source headers";
}
TRACKER_ID {
re = "/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr";
group = "header";
description = "Spam string at the end of the message, added to make
statistics fail";
score = 3.840000;
}
FORGED_GENERIC_RECEIVED4 {
re = "Received=/^\\s*(.+\\n)*from localhost by
\\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d
[+-]\\d\\d\\d0[\\s\\r\\n]*$/X";
group = "header";
description = "Forged generic Received";
score = 3.600000;
}
FORGED_MUA_KMAIL_MSGID {
re = "(User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H) &
(Message-Id=/^<?\\s*\\d+\\.\\d+\\.\\S+\\@\\S+>?$/mH) & !(kmail_msgid)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be sent from KMail but has
forged Message-ID";
score = 3;
}
FORGED_MUA_THEBAT_BOUN {
re = "(X-Mailer=/^The Bat! \\(v1\\./H) &
(Content-Type=/boundary/iH) & !(Content-Type=/boundary=\\\"?-{10}/H) &
!(X-Mailman-Version=/\\d/H)";
group = "header";
description = "Forged The Bat! MUA headers";
score = 2;
}
FORGED_MUA_THEBAT_MSGID_UNKNOWN {
re = "(X-Mailer=/^\\s*The Bat!/H) &
!(Message-ID=/^<?\\d+\\.(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)([0-5]\\d)\\@\\S+>?/mH)
& !(Message-ID=/^<?\\d+\\.\\d+\\@\\S+>?$/mH) &
!((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be sent from The Bat! but
has forged Message-ID";
score = 3;
}
PHP_XPS_PATTERN {
re = "X-PHP-Script=/^[^\\. ]+\\.[^\\.\\/ ]+\\/sendmail\\.php\\b/Hi";
group = "compromised_hosts";
description = "Message contains X-PHP-Script pattern";
}
MISSING_SUBJECT {
re = "!raw_header_exists(Subject)";
group = "header";
description = "Subject header is missing";
score = 2;
}
FROM_EXCESS_BASE64 {
re = "From=/=\\?\\S+\\?B\\?/iX &
!From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessb64";
description = "From that contains encoded characters while
base 64 is not needed as all symbols are 7bit";
score = 1.500000;
}
FORGED_MSGID_YAHOO {
re = "(Message-Id=/\\@yahoo\\.com\\b/iH) &
!(From=/\\@yahoo\\.com\\b/iH)";
group = "header";
description = "Forged yahoo msgid";
score = 2;
}
STOX_REPLY_TYPE {
re = "Content-Type=/text\\/plain; .* reply-type=original/H";
group = "header";
description = "Reply-type in content-type";
score = 1;
}
FORGED_GENERIC_RECEIVED {
re = "Received=/^\\s*(.+\\n)*from
\\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by
(([\\w\\d-]+\\.)+[a-zA-Z]{2,6}|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3});
\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d
[+-]\\d\\d\\d0/X";
group = "header";
description = "Forged generic Received";
score = 3.600000;
}
SUBJ_EXCESS_BASE64 {
re = "Subject=/\\=\\?\\S+\\?B\\?/iX &
!Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessb64";
description = "Subject is unnecessarily encoded in base64";
score = 1.500000;
}
SUSPICIOUS_RECIPS {
re = "compare_recipients_distance(0.65)";
group = "header";
description = "Recipients seem to be autogenerated (works only if
the recipient count is more than 5)";
score = 1.500000;
}
RCVD_DOUBLE_IP_SPAM {
re = "(Received=/from
\\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by
\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with/H) |
(Received=/from\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s+by\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3};/H)";
group = "header";
description = "Two received headers with ip addresses";
score = 2;
}
HIDDEN_SOURCE_OBJ {
re = "X-PHP-Script=/\\/\\..+/Hi ||
X-PHP-Originating-Script=/(?:^\\d+:|\\/)\\..+/Hi ||
X-Source-Args=/\\/\\..+/Hi";
group = "compromised_hosts";
score = 2;
description = "UNIX hidden file/directory in path";
}
PRECEDENCE_BULK {
re = "Precedence=/bulk/Hi";
group = "upstream_spam_filters";
description = "Message marked as bulk";
score = 0;
}
FORGED_OUTLOOK_HTML {
re = "!Received=/from \\[\\S+\\] by
\\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H &
X-Mailer=/^Microsoft Outlook\\b/H & has_only_html_part()";
group = "header";
description = "Forged outlook HTML signature";
score = 5;
}
WWW_DOT_DOMAIN {
re = "From=/@www\\./Hi || Sender=/@www\\./Hi ||
Reply-To=/@www\\./Hi || check_smtp_data('from',/@www\\./i)";
group = "compromised_hosts";
score = 0.500000;
description = "From/Sender/Reply-To or Envelope is @www.domain.com";
}
MIME_HEADER_CTYPE_ONLY {
re = "!(header_exists(Content-Disposition)) &
!(header_exists(Content-Transfer-Encoding)) &
(header_exists(Content-Type)) & !(raw_header_exists(MIME-Version)) &
!(content_type_is_type(text) & content_type_is_subtype(plain))";
group = "header";
description = "Only Content-Type header without other MIME headers";
score = 2;
}
MID_RHS_WWW {
re = "Message-Id=/@www\\./Hi";
group = "compromised_hosts";
score = 0.500000;
description = "Message-ID from www host";
}
ENVFROM_SERVICE_ACCT {
re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)";
group = "compromised_hosts";
score = 1;
description = "Envelope from is a service account";
}
SUSPICIOUS_BOUNDARY {
re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX";
group = "mua";
description = "Suspicious boundary in header Content-Type";
score = 5;
}
XAW_SERVICE_ACCT {
re = "X-Authentication-Warning=/\\b(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)
set sender to\\b/Hi";
group = "compromised_hosts";
score = 1;
description = "Message originally from a service account";
}
HAS_XAW {
re = "header_exists('X-Authentication-Warning')";
group = "compromised_hosts";
description = "Has X-Authentication-Warning header";
}
HAS_DATA_URI {
re = "/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i";
one_shot = true;
group = "HTML";
description = "Has Data URI encoding";
}
HAS_WP_URI {
re = "/\\/wp-[^\\/]+\\//Ui";
group = "compromised_hosts";
one_shot = true;
description = "Contains WordPress URIs";
}
R_SAJDING {
re = "Subject=/\\bsajding(?:om|a)?\\b/iH";
group = "header";
description = "Subject seems to be spam";
score = 8;
}
FORGED_GENERIC_RECEIVED3 {
re = "Received=/^\\s*(.+\\n)*by
\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with SMTP id
[a-zA-Z]{14}\\.\\d{13};[\\r\\n\\s]*\\w{3}, \\d+ \\w{3} 20\\d\\d
\\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0 \\(GMT\\)/X";
group = "header";
description = "Forged generic Received";
score = 3.600000;
}
R_NO_SPACE_IN_FROM {
re = "From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X";
group = "header";
description = "No space in from header";
score = 1;
}
SUSPICIOUS_BOUNDARY4 {
re = "(Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX)
& (Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/)";
group = "mua";
description = "Suspicious boundary in header Content-Type";
score = 4;
}
HAS_X_ANTIABUSE {
re = "header_exists('X-AntiAbuse')";
group = "compromised_hosts";
description = "Has X-AntiAbuse headers";
}
FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN {
re = "(User-Agent=/^\\s*(Thunderbird|Mozilla
Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) &
!((Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
| (Message-ID=/^\\s*<[\\da-f]{8}-([\\da-f]{4}-){3}[\\da-f]{12}\\@([^>\\.]+\\.)+[^>\\.]+>$/H))
& !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Forged mail pretending to be from Mozilla
Thunderbird but has forged Message-ID";
score = 2.500000;
}
HEADER_REPLYTO_DELIMITER_TAB {
re = "(check_header_delimiter_tab(Reply-To)) &
!((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) &
((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
group = "header";
description = "Header Reply-To begins with tab";
score = 1;
}
HEADER_TO_EMPTY_DELIMITER {
re = "(check_header_delimiter_empty(To))";
group = "header";
description = "Header To has no delimiter between header name
and header value";
score = 1;
}
SUBJECT_ENDS_EXCLAIM {
re = "Subject=/!\\s*$/H";
group = "headers";
score = 0;
description = "Subject ends with an exclamation mark";
}
RATWARE_MS_HASH {
re = "(Message-Id=/[0-9a-f]{4,}\\$[0-9a-f]{4,}\\$[0-9a-f]{4,}\\@\\S+/H)
& !(X-MimeOLE=/^Produced By Microsoft MimeOLE/H) & !(Received=/with
Microsoft Exchange Server/H)";
group = "header";
description = "Forged Exchange messages";
score = 2;
}
HAS_X_PHP_SCRIPT {
re = "header_exists('X-PHP-Script')";
group = "compromised_hosts";
description = "Has X-PHP-Script header";
}
HAS_GUC_PROXY_URI {
re = "/\\.googleusercontent\\.com\\/proxy/{url}i";
group = "experimental";
score = 0.010000;
description = "Has googleusercontent.com proxy URI";
}
HAS_X_POS {
re = "header_exists('X-PHP-Originating-Script')";
group = "compromised_hosts";
description = "Has X-PHP-Originating-Script header";
}
PHP_SCRIPT_ROOT {
re = "X-PHP-Originating-Script=/^0:/Hi";
group = "compromised_hosts";
score = 1;
description = "PHP Script executed by root UID";
}
MISSING_MIMEOLE {
re = "(header_exists(X-MSMail-Priority)) &
!(header_exists(X-MimeOLE)) & !(X-Mailer=/SquirrelMail\\b/H) &
!(X-Mailer=/^Microsoft (?:Office )?Outlook 1[245]\\.0/)";
group = "header";
description = "Mime-OLE is needed but absent (e.g. fake
Outlook or fake Exchange)";
score = 2;
}
FORGED_MUA_KMAIL_MSGID_UNKNOWN {
re = "(User-Agent=/^\\s*KMail\\/1\\.\\d+\\.\\d+/H) &
!(Message-Id=/^<?\\s*\\d+\\.\\d+\\.\\S+\\@\\S+>?$/mH) &
!((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be sent from KMail but has
forged Message-ID";
score = 2.500000;
}
SUBJECT_HAS_EXCLAIM {
re = "Subject=/!/H & !Subject=/!\\s*$/H";
group = "headers";
score = 0;
description = "Subject contains an exclamation mark";
}
SORTED_RECIPS {
re = "is_recipients_sorted()";
group = "header";
description = "Recipients list seems to be sorted";
score = 3.500000;
}
HTML_META_REFRESH_URL {
one_shot = true;
group = "HTML";
re = "/<meta\\s+http-equiv=\"refresh\"\\s+content=\"\\d+\\s*;\\s*url=/{sa_raw_body}i";
description = "Has HTML Meta refresh URL";
score = 5;
}
UNITEDINTERNET_SPAM {
re = "X-UI-Out-Filterresults=/^junk:/H";
group = "upstream_spam_filters";
description = "United Internet says this message is spam";
score = 5;
}
INTRODUCTION {
one_shot = true;
group = "scams";
re = "/\\b(?:my name is\\b|(?:i am|this
is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i";
description = "Sender introduces themselves";
score = 2;
}
HEADER_FROM_DELIMITER_TAB {
re = "(check_header_delimiter_tab(From)) &
!((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) &
((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
group = "header";
description = "Header From begins with tab";
score = 1;
}
SPAM_FLAG {
re = "X-Spam-Flag=/^(?:yes|true)/Hi || X-Spam=/^yes$/Hi";
group = "upstream_spam_filters";
description = "Message was already marked as spam";
score = 5;
}
FORGED_MUA_THEBAT_MSGID {
re = "(X-Mailer=/^\\s*The Bat!/H) &
!(Message-ID=/^<?\\d+\\.(19[789]\\d|20\\d\\d)(0\\d|1[012])([012]\\d|3[01])([0-5]\\d)([0-5]\\d)([0-5]\\d)\\@\\S+>?/mH)
& (Message-ID=/^<?\\d+\\.\\d+\\@\\S+>?$/mH) &
!((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be sent from The Bat! but
has forged Message-ID";
score = 4;
}
AOL_SPAM {
re = "X-AOL-Global-Disposition=/^S/H";
group = "upstream_spam_filters";
description = "AOL says this message is spam";
score = 5;
}
REPTO_QUOTE_YAHOO {
re = "(Reply-To=/\\\".*\\\"\\s*\\</H) &
((From=/\\@yahoo\\.com\\b/iH) | (Message-Id=/\\@yahoo\\.com\\b/iH))";
group = "header";
description = "Quoted reply-to from yahoo (seems to be forged)";
score = 2;
}
MICROSOFT_SPAM {
re = "X-Forefront-Antispam-Report=/SFV:SPM/H";
group = "upstream_spam_filters";
description = "Microsoft says the message is spam";
score = 4;
}
R_UNDISC_RCPT {
re = "(To=/^<?undisclosed[- ]recipient/Hi)";
group = "header";
description = "Recipients are absent or undisclosed";
score = 3;
}
MIME_HTML_ONLY {
re = "has_only_html_part()";
group = "headers";
description = "Messages that have only HTML part";
score = 0.200000;
}
FORGED_GENERIC_RECEIVED2 {
re = "Received=/^\\s*(.+\\n)*from
\\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by
([\\w\\d-]+\\.)+[a-z]{2,6} id [\\w\\d]{12}; \\w{3}, \\d+ \\w{3}
20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0/X";
group = "header";
description = "Forged generic Received";
score = 3.600000;
}
CT_EXTRA_SEMI {
re = "Content-Type=/;$/X";
group = "header";
score = 1;
description = "Content-Type ends with a semi-colon";
}
DATA_URI_OBFU {
one_shot = true;
group = "HTML";
re = "/data:text\\/(?:plain|html);base64,/{sa_raw_body}i";
score = 2;
description = "Uses Data URI encoding to obfuscate plain or
HTML in base64";
}
WP_COMPROMISED {
re = "/\\/wp-(?:content|includes)[^\\/]+\\//Ui";
group = "compromised_hosts";
one_shot = true;
description = "URL that points to a compromised WordPress
installation";
}
SUSPICIOUS_BOUNDARY3 {
re = "Content-Type=/^\\s*multipart.+boundary=\"-----000-00\\d\\d-01C[\\dA-F]{5}-[\\dA-F]{8}\"[\\r\\n]*$/siX";
group = "mua";
description = "Suspicious boundary in header Content-Type";
score = 3;
}
HAS_PHPMAILER_SIG {
re = "X-Mailer=/^PHPMailer/Hi || Content-Type=/boundary=\"b[123]_/Hi";
group = "compromised_hosts";
description = "PHPMailer signature";
}
MISSING_MID {
re = "!header_exists(Message-Id)";
group = "header";
description = "Message id is missing";
score = 2.500000;
}
SUBJECT_NEEDS_ENCODING {
re = "!(Subject=/=\\?\\S+\\?B\\?/iX) &
!(Subject=/=\\?\\S+\\?Q\\?/iX) &
(Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
group = "header";
description = "Subject needs encoding";
score = 1;
}
HAS_LIST_UNSUB {
re = "header_exists(List-Unsubscribe)";
group = "headers";
score = -0.010000;
description = "Has List-Unsubscribe header";
}
GOOGLE_FORWARDING_MID_MISSING {
re = "Message-ID=/SMTPIN_ADDED_MISSING\\@mx\\.google\\.com>$/X";
group = "header";
description = "Message was missing Message-ID pre-forwarding";
score = 2.500000;
}
CTE_CASE {
re = "Content-Transfer-Encoding=/^[78]B/X";
group = "header";
score = 0.500000;
description = "[78]Bit .vs. [78]bit";
}
X_PHPOS_FAKE {
re = "X-PHP-Originating-Script=/^\\d{7}:/Hi";
group = "headers";
score = 3;
description = "Fake X-PHP-Originating-Script header";
}
TO_EXCESS_QP {
re = "To=/=\\?\\S+\\?Q\\?/iX &
!To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessqp";
description = "To that contains encoded characters while
quoted-printable is not needed as all symbols are 7bit";
score = 1.200000;
}
X_PHP_EVAL {
re = "X-PHP-Script=/eval\\(\\)\\'d/Hi ||
X-PHP-Originating-Script=/eval\\(\\)\\'d/Hi";
group = "compromised_hosts";
score = 4;
description = "Message sent using eval'd PHP";
}
SUBJECT_ENDS_SPACES {
re = "Subject=/\\s+$/H";
group = "headers";
score = 0.500000;
description = "Subject ends with space characters";
}
SUBJECT_HAS_CURRENCY {
re = "Subject=/[$€$¢¥₽]/Hu";
group = "headers";
score = 1;
description = "Subject contains currency";
}
MISSING_TO {
re = "!raw_header_exists(To)";
group = "header";
description = "To header is missing";
score = 2;
}
SUBJECT_HAS_QUESTION {
re = "Subject=/\\?/H & !Subject=/\\?\\s*$/Hu";
group = "headers";
score = 0;
description = "Subject contains a question";
}
SUBJECT_ENDS_QUESTION {
re = "Subject=/\\?\\s*$/Hu";
group = "headers";
score = 1;
description = "Subject ends with a question";
}
FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN {
re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H)
& !(Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Forged mail pretending to be from Mozilla
Seamonkey but has forged Message-ID";
score = 2.500000;
}
INVALID_MSGID {
re = "(header_exists(Message-Id)) & !((Message-Id=/^<?[^<>\\\\
\\t\\n\\r\\x0b\\x80-\\xff]+\\@[^<>\\\\
\\t\\n\\r\\x0b\\x80-\\xff]+>?\\s*$/H) | (Message-Id=/\\(.*\\)/H))";
group = "header";
description = "Message id is incorrect";
score = 1.700000;
}
CC_EXCESS_QP {
re = "Cc=/\\=\\?\\S+\\?Q\\?/iX &
!Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessqp";
description = "Cc that contains encoded characters while
quoted-printable is not needed as all symbols are 7bit";
score = 1.200000;
}
FROM_EXCESS_QP {
re = "From=/=\\?\\S+\\?Q\\?/iX &
!From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessqp";
description = "From that contains encoded characters while
quoted-printable is not needed as all symbols are 7bit";
score = 1.200000;
}
HAS_XOIP {
re = "header_exists('X-Originating-IP')";
group = "headers";
score = 0;
description = "Has X-Originating-IP header";
}
SUBJ_EXCESS_QP {
re = "Subject=/\\=\\?\\S+\\?Q\\?/iX &
!Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessqp";
description = "Subject is unnecessarily encoded in quoted-printable";
score = 1.200000;
}
FORGED_MUA_OUTLOOK {
re = "((X-Mailer=/\\bOutlook Express [456]\\./H &
!Message-Id=/^<?[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\\@hotmail\\.com>?$/mH &
!Message-Id=/^<?(?:[0-9a-f]{8}|[0-9a-f]{12})\\$[0-9a-f]{8}\\$[0-9a-f]{8}\\@\\S+>?$/H
& !(List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H)) |
(X-Mailer=/^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\\./H &
!Message-Id=/^<?(?:[0-9a-f]{8}|[0-9a-f]{12})\\$[0-9a-f]{8}\\$[0-9a-f]{8}\\@\\S+>?$/H
& !Message-Id=/^<?\\!\\~\\!>?/H &
!Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H &
!Message-Id=/^<?[A-F\\d]{36,40}\\@\\S+>?$/H &
!(List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))) &
!X-Mailer=/^Microsoft Outlook, Build 10.0.3416$/H &
!X-Mailer=/^Microsoft Outlook Express 6.00.3790.3959$/H &
!Message-Id=/^<?[A-F\\d]{32}\\@\\S+>?$/H";
group = "mua";
description = "Forged outlook MUA";
score = 3;
}
R_RCVD_SPAMBOTS {
re = "Received=/^from
\\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by [-.\\w+]{5,255};
[SMTWF][a-z][a-z], [\\s\\d]?\\d [JFMAJSOND][a-z][a-z] \\d{4}
\\d{2}:\\d{2}:\\d{2} [-+]\\d{4}$/mH";
group = "header";
description = "Spambots signatures in received headers";
score = 3;
}
TO_NEEDS_ENCODING {
re = "!(To=/=\\?\\S+\\?B\\?/iX) & !(To=/=\\?\\S+\\?Q\\?/iX) &
(To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
group = "header";
description = "To header needs encoding";
score = 1;
}
GOOGLE_FORWARDING_MID_BROKEN {
re = "Message-ID=/SMTPIN_ADDED_BROKEN\\@mx\\.google\\.com>$/X";
group = "header";
description = "Message had invalid Message-ID pre-forwarding";
score = 1.700000;
}
HAS_INTERSPIRE_SIG {
re = "((header_exists(X-Mailer-LID)) &
(header_exists(X-Mailer-RecptId)) & (header_exists(X-Mailer-SID)) &
(header_exists(X-Mailer-Sent-By))) |
(List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi)";
group = "header";
score = 1;
description = "Has Interspire fingerprint";
}
INVALID_POSTFIX_RECEIVED {
re = "Received=/ \\(Postfix\\) with ESMTP id
[A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2},
\\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d
[\\+\\-]\\d\\d\\d\\d$/X";
group = "header";
description = "Invalid Postfix Received";
score = 3;
}
HAS_ORG_HEADER {
re = "header_exists(Organization) || header_exists(Organisation)";
group = "headers";
score = 0;
description = "Has Organization header";
}
FAKE_RECEIVED_smtp_yandex_ru {
re = "(((From=/\\@mail\\.ru>?$/iX) &
((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) |
(X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX))) |
((From=/\\@gmail\\.com>?$/iX) &
((Return-path=/^\\s*<.+\\@gmail\\.com>$/iX) |
(X-Envelope-From=/^\\s*<.+\\@gmail\\.com>$/iX))) |
((From=/\\@ukr\\.net>?$/iX) &
((Return-path=/^\\s*<.+\\@ukr\\.net>$/iX) |
(X-Envelope-From=/^\\s*<.+\\@ukr\\.net>$/iX)))) & (Received=/from
\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\((port=\\d+
)?helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from \\[UNAVAILABLE\\]
\\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+ helo=smtp\\.yandex\\.ru\\)/iX)
| (Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]:\\d+
helo=smtp\\.yandex\\.ru\\)/iX) | (Received=/from
\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\] \\(account \\S+ HELO
smtp\\.yandex\\.ru\\)/iX) | (Received=/from smtp\\.yandex\\.ru
\\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX) | (Received=/from
smtp\\.yandex\\.ru \\(\\S+ \\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]\\)/iX) |
(Received=/from \\S+ \\(HELO smtp\\.yandex\\.ru\\)
\\(\\S+\\@\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX) | (Received=/from \\S+
\\(HELO smtp\\.yandex\\.ru\\) \\(\\d+\\.\\d+\\.\\d+\\.\\d+\\)/iX) |
(Received=/from \\S+ \\(\\[\\d+\\.\\d+\\.\\d+\\.\\d+\\]
helo=smtp\\.yandex\\.ru\\)/iX)";
group = "header";
description = "Fake smtp.yandex.ru Received";
score = 4;
}
FAKE_RECEIVED_mail_ru {
re = "(Received=/from mail\\.ru \\(/mH) &
!(((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) |
(X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX)) &
(From=/\\@mail\\.ru>?$/iX))";
group = "header";
description = "Fake helo mail.ru in header Received from non
mail.ru sender address";
score = 4;
}
SUSPICIOUS_OPERA_10W_MSGID {
re = "(User-Agent=/^\\s*Opera Mail\\/10\\.\\d+
\\(Windows\\)$/H) &
(Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H)";
group = "mua";
description = "Message pretends to be sent from suspicious
Opera Mail/10.x (Windows) but has forged Message-ID, apparently from
KMail";
score = 4;
}
RCVD_ILLEGAL_CHARS {
re = "Received=/[\\x80-\\xff]/X";
group = "header";
description = "Header Received has raw illegal character";
score = 4;
}
FORGED_OUTLOOK_TAGS {
re = "!Received=/from \\[\\S+\\] by
\\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H &
X-Mailer=/^Microsoft Outlook\\b/H & content_type_is_type(text) &
content_type_is_subtype(/.?html/) & !(has_html_tag(html) &
has_html_tag(head) & has_html_tag(meta) & has_html_tag(body))";
group = "header";
description = "Message pretends to be sent from Outlook but
has 'strange' tags";
score = 2.100000;
}
REPLYTO_EXCESS_QP {
re = "Reply-To=/\\=\\?\\S+\\?Q\\?/iX &
!Reply-To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessqp";
description = "Reply-To that contains encoded characters while
quoted-printable is not needed as all symbols are 7bit";
score = 1.200000;
}
FORGED_MUA_THUNDERBIRD_MSGID {
re = "(User-Agent=/^\\s*(Thunderbird|Mozilla
Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) &
(Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Forged mail pretending to be from Mozilla
Thunderbird but has forged Message-ID";
score = 4;
}
HEADER_DATE_DELIMITER_TAB {
re = "(check_header_delimiter_tab(Date)) &
!((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) &
((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
group = "header";
description = "Header Date begins with tab";
score = 1;
}
HEADER_CC_DELIMITER_TAB {
re = "(check_header_delimiter_tab(Cc)) &
!((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) &
((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
group = "header";
description = "Header Cc begins with tab";
score = 1;
}
XM_UA_NO_VERSION {
re = "(!X-Mailer=/https?:/H && !User-Agent=/https?:/H) &&
(X-Mailer=/^[^0-9]+$/H || User-Agent=/^[^0-9]+$/H)";
group = "experimental";
score = 0.010000;
description = "X-Mailer/User-Agent has no version";
}
SUSPICIOUS_BOUNDARY2 {
re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(01C6527E)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX";
group = "mua";
description = "Suspicious boundary in header Content-Type";
score = 4;
}
TO_EXCESS_BASE64 {
re = "To=/=\\?\\S+\\?B\\?/iX &
!To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessb64";
description = "To that contains encoded characters while base
64 is not needed as all symbols are 7bit";
score = 1.500000;
}
REPLYTO_EXCESS_BASE64 {
re = "Reply-To=/\\=\\?\\S+\\?B\\?/iX &
!Reply-To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessb64";
description = "Reply-To that contains encoded characters while
base 64 is not needed as all symbols are 7bit";
score = 1.500000;
}
YANDEX_RU_MAILER {
re = "(X-Mailer=/^Yamail \\[ http:\\/\\/yandex\\.ru \\]
5\\.0$/H) & (Received=/^by web\\d{1,2}[a-z]\\.yandex\\.ru with
HTTP;/mH)";
group = "header";
description = "Sent with yandex.ru web-mail";
score = 0;
}
FORGED_MUA_OPERA_MSGID {
re = "(User-Agent=/^\\s*Opera Mail\\/1[01]\\.\\d+ /H) &
!(Message-ID=/^<?op\\.[a-z\\d]{14}\\@\\S+>?$/H) &
!((User-Agent=/^\\s*Opera Mail\\/10\\.\\d+ \\(Windows\\)$/H) &
(Message-Id=/^<?2009\\d{8}\\.\\d+\\.\\S+\\@\\S+?>$/H)) &
!((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be sent from Opera Mail but
has forged Message-ID";
score = 4;
}
MAILER_1C_8 {
re = "X-Mailer=/^1C:Enterprise 8\\.[23]$/H";
group = "header";
description = "Sent with 1C:Enterprise 8";
score = 0;
}
R_MISSING_CHARSET {
re = "!is_empty_body() & content_type_is_type(text) &
!content_type_has_param(charset) & !compare_transfer_encoding(7bit)";
group = "header";
description = "Charset is missing in a message";
score = 2.500000;
}
HAS_GOOGLE_REDIR {
re = "/\\.google\\.com\\/url\\?/{url}i";
group = "experimental";
score = 0.010000;
description = "Has google.com/url redirection";
}
CC_EXCESS_BASE64 {
re = "Cc=/\\=\\?\\S+\\?B\\?/iX &
!Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr";
group = "excessb64";
description = "Cc that contains encoded characters while base
64 is not needed as all symbols are 7bit";
score = 1.500000;
}
FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN {
re = "((User-Agent=/^\\s*Mozilla\\/5\\.0/H) &
!(User-Agent=/^\\s*(Thunderbird|Mozilla
Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) &
!(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H))
& !(Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be sent from Mozilla Mail
but has forged Message-ID";
score = 2.500000;
}
FROM_NEEDS_ENCODING {
re = "!(From=/=\\?\\S+\\?B\\?/iX) &
!(From=/=\\?\\S+\\?Q\\?/iX) &
(From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)";
group = "header";
description = "From header needs encoding";
score = 1;
}
HEADER_REPLYTO_EMPTY_DELIMITER {
re = "(check_header_delimiter_empty(Reply-To))";
group = "header";
description = "Header Reply-To has no delimiter between header
name and header value";
score = 1;
}
FM_FAKE_HELO_VERIZON {
re = "(X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^
]+verizon\\.net /iH) & !(X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^
]+verizon\\.net /iH)";
group = "header";
description = "Fake helo for verizon provider";
score = 2;
}
FORGED_MUA_SEAMONKEY_MSGID {
re = "(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H)
& (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Forged mail pretending to be from Mozilla
Seamonkey but has forged Message-ID";
score = 4;
}
FORGED_MUA_MOZILLA_MAIL_MSGID {
re = "((User-Agent=/^\\s*Mozilla\\/5\\.0/H) &
!(User-Agent=/^\\s*(Thunderbird|Mozilla
Thunderbird|Mozilla\\/.*Gecko\\/.*(Thunderbird|Icedove)\\/)/H) &
!(User-Agent=/^\\s*Mozilla\\/5\\.0\\s.+\\sSeaMonkey\\/\\d+\\.\\d+/H))
& (Message-ID=/^\\s*<[\\dA-F]{8}\\.\\d{1,7}\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !(Message-ID=/^\\s*<(3[3-9A-F]|4[\\dA-F]|5[\\dA-F])[\\dA-F]{6}\\.(\\d0){1,4}\\d\\@([^>\\.]+\\.)+[^>\\.]+>$/H)
& !((List-Unsubscribe=/<mailto:(?:leave-\\S+|\\S+-unsubscribe)\\@\\S+>$/H
| Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H |
Message-Id=/^<?BAY\\d+-DAV\\d+[A-Z0-9]{25}\\@phx\\.gbl?>$/H |
Message-Id=/^<?BAYC\\d+-PASMTP\\d+[A-Z0-9]{25}\\@CEZ\\.ICE>?$/H |
Message-ID=/^<mailman\\.\\d+\\.\\d+\\.\\d+\\..+\\@\\S+>$/H))";
group = "mua";
description = "Message pretends to be send from Mozilla Mail
but has forged Message-ID";
score = 4;
}
X_PHP_FORGED_0X {
re = "X-PHP-Originating-Script=/^0\\d/X";
group = "header";
description = "X-PHP-Originating-Script header appears forged";
score = 4;
}
MAIL_RU_MAILER {
re = "(X-Mailer=/^Mail\\.Ru Mailer 1\\.0$/H) &
(Received=/^(?:from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\]
)?by e\\.mail\\.ru with HTTP;/mH)";
group = "header";
description = "Sent with Mail.Ru web-mail";
score = 0;
}
HEADER_FROM_EMPTY_DELIMITER {
re = "(check_header_delimiter_empty(From))";
group = "header";
description = "Header From has no delimiter between header
name and header value";
score = 1;
}
FAKE_REPLY_C {
re = "(Subject=/^R[eE]:/H) & (!((header_exists(References) |
header_exists(In-Reply-To)))) & ((X-Mailer=/^Gnus v/H) |
(X-Mailer=/^Microsoft Outlook Express 5/H) | (X-Mailer=/^Microsoft
Outlook Express 6/H) | (X-Mailer=/^Mozilla 4/H) |
(X-Mailer=/^SKYRiXgreen/H) | (X-Mailer=/^WWW-Mail \\d/H) |
(User-Agent=/^Gnus/H) | (User-Agent=/^KNode/H) | (User-Agent=/^Mutt/H)
| (User-Agent=/^Pan/H) | (User-Agent=/^Xnews/H)) &
!(X-Mailer=/^Microsoft Outlook Express 6/H)";
group = "subject";
description = "Fake reply (has RE in subject, but has not
References header)";
score = 6;
}
HEADER_DATE_EMPTY_DELIMITER {
re = "(check_header_delimiter_empty(Date))";
group = "header";
description = "Header Date has no delimiter between header
name and header value";
score = 1;
}
HEADER_TO_DELIMITER_TAB {
re = "(check_header_delimiter_tab(To)) &
!((Received=/^\\s*from \\S+\\.(yandex\\.ru|yandex\\.net)/mH) &
((From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(X-Envelope-From=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX) |
(Return-Path=/\\@(yandex\\.ru|yandex\\.net|ya\\.ru)/iX)))";
group = "header";
description = "Header To begins with tab";
score = 1;
}
HEADER_CC_EMPTY_DELIMITER {
re = "(check_header_delimiter_empty(Cc))";
group = "header";
description = "Header Cc has no delimiter between header name
and header value";
score = 1;
}
}
arc {
use_esld = true;
key_prefix = "ARC_KEYS";
allow_envfrom_empty = true;
symbol_sign = "ARC_SIGNED";
allow_username_mismatch = false;
sign_local = true;
allow_hdrfrom_mismatch = false;
selector = "dkim";
auth_only = true;
try_fallback = true;
path = "/usr/local/etc/rspamd/dkim/$domain/dkim.key";
use_redis = false;
use_domain_sign_local = "header";
use_domain_sign_networks = "header";
symbol = "ARC_SIGNED";
use_domain = "header";
allow_hdrfrom_multiple = false;
}
maillist {
symbol = "MAILLIST";
}
lua = "/usr/local/share/rspamd/rules/rspamd.lua";
surbl {
exceptions [
"/usr/local/etc/rspamd/2tld.inc",
"/var/db/rspamd/2tld.inc.local",
]
whitelist [
"/usr/local/etc/rspamd/surbl-whitelist.inc",
"/var/db/rspamd/surbl-whitelist.inc.local",
]
redirector_hosts_map = "/usr/local/etc/rspamd/redirectors.inc";
rules {
SURBL_MULTI {
bits {
CRACKED_SURBL = 128;
SURBL_BLOCKED = 1;
MW_SURBL_MULTI = 16;
ABUSE_SURBL = 64;
PH_SURBL_MULTI = 8;
}
suffix = "multi.surbl.org";
}
URIBL_MULTI {
bits {
URIBL_RED = 8;
URIBL_BLOCKED = 1;
URIBL_BLACK = 2;
URIBL_GREY = 4;
}
suffix = "multi.uribl.com";
}
RBL_SARBL_BAD {
suffix = "public.sarbl.org";
noip = true;
images = true;
}
SBL_URIBL {
suffix = "sbl.spamhaus.org";
ips {
URIBL_SBL = "127.0.0.2";
URIBL_SBL_CSS = "127.0.0.3";
}
resolve_ip = true;
}
SEM_URIBL_UNKNOWN {
bits {
SEM_URIBL = 2;
}
suffix = "uribl.spameatingmonkey.net";
no_ip = true;
}
SEM_URIBL_FRESH15_UNKNOWN {
bits {
SEM_URIBL_FRESH15 = 2;
}
suffix = "fresh15.spameatingmonkey.net";
no_ip = true;
}
DBL {
suffix = "dbl.spamhaus.org";
no_ip = true;
ips {
DBL_PROHIBIT = "127.0.1.255";
DBL_ABUSE_BOTNET = "127.0.1.106";
DBL_PHISH = "127.0.1.4";
DBL_ABUSE_REDIR = "127.0.1.103";
DBL_ABUSE_MALWARE = "127.0.1.105";
DBL_MALWARE = "127.0.1.5";
DBL_ABUSE_PHISH = "127.0.1.104";
DBL_ABUSE = "127.0.1.102";
DBL_BOTNET = "127.0.1.6";
DBL_SPAM = "127.0.1.2";
}
}
RSPAMD_URIBL {
process_script = <<EOD
-- Builds the DNS query name for the RSPAMD_URIBL lookup: hash the URL with
-- rspamd_cryptobox_hash, base32-encode the digest, keep its first 32
-- characters and append the list suffix, giving "<hash>.<suffix>".
function(url, suffix)
local cr = require "rspamd_cryptobox_hash"
-- NOTE(review): `h` is assigned without `local`, so it escapes into the global
-- environment of the script; `local h = ...` would keep it function-scoped.
h = cr.create(url):base32():sub(1, 32)
return string.format("%s.%s", h, suffix)
end
EOD;
suffix = "uribl.rspamd.com";
}
}
}
modules {
path = "/usr/local/share/rspamd/lua/";
}
antivirus {
clamav {
attachments_only = false;
patterns {
JUST_EICAR = "^Eicar-Test-Signature$";
}
symbol = "CLAM_VIRUS";
type = "clamav";
whitelist = "/usr/local/etc/rspamd/local.d/antivirus.wl";
servers = "/var/run/clamav/clamd.sock";
action = "reject";
}
}
whitelist {
rules {
WHITELIST_DMARC {
description = "Mail comes from the whitelisted domain and
has valid DMARC and DKIM policies";
score = -7;
domains [
"/usr/local/etc/rspamd/dmarc_whitelist.inc",
"/var/db/rspamd/dmarc_whitelist.inc.local",
]
valid_dmarc = true;
}
WHITELIST_SPF_DKIM {
valid_spf = true;
description = "Mail comes from the whitelisted domain and
has valid SPF and DKIM policies";
domains [
"/usr/local/etc/rspamd/spf_dkim_whitelist.inc",
"/var/db/rspamd/spf_dkim_whitelist.inc.local",
]
valid_dkim = true;
score = -3;
}
WHITELIST_DKIM {
score = -1;
domains [
"/usr/local/etc/rspamd/dkim_whitelist.inc",
"/var/db/rspamd/dkim_whitelist.inc.local",
]
valid_dkim = true;
description = "Mail comes from the whitelisted domain and
has a valid DKIM signature";
}
WHITELIST_SPF {
description = "Mail comes from the whitelisted domain and
has a valid SPF policy";
domains [
"/usr/local/etc/rspamd/spf_whitelist.inc",
"/var/db/rspamd/spf_whitelist.inc.local",
]
valid_spf = true;
score = -1;
}
}
}
neural {
train {
ham_score = -2;
max_usages = 20;
spam_score = 8;
learning_rate = 0.010000;
max_iterations = 25;
max_train = 1000;
}
enabled = true;
timeout = 20;
use_settings = false;
}
metric {
symbol {
RAZOR {
description = "Detected as spam by Vipul's Razor";
weight = 2;
}
MX_INVALID {
one_shot = "true";
description = "No connectable MX";
score = 1;
}
MX_MISSING {
one_shot = "true";
description = "No MX record";
score = 2;
}
PYZOR {
description = "Detected as spam by Pyzor";
weight = 2;
}
MX_GOOD {
one_shot = "true";
description = "MX was ok";
score = -0.500000;
}
IP_SCORE {
description = "IP reputation";
weight = 2;
}
}
}
hfilter {
rcpt_enabled = true;
helo_enabled = true;
from_enabled = true;
hostname_enabled = true;
url_enabled = true;
mid_enabled = false;
}
phishing {
redirector_domains [
"/usr/local/etc/rspamd/redirectors.inc:REDIRECTOR_FALSE",
"/usr/local/etc/rspamd/local.d/redirectors.inc:LOCAL_REDIRECTOR_FALSE",
]
openphish_map = "https://www.openphish.com/feed.txt";
symbol = "PHISHING";
openphish_enabled = true;
phishtank_map = "https://rspamd.com/phishtank/online-valid.json.zst";
openphish_premium = false;
phishtank_enabled = true;
}
mime_types {
file [
"/usr/local/etc/rspamd/mime_types.inc",
"/var/db/rspamd/mime_types.inc.local",
]
extension_map {
pdf [
"application/octet-stream",
"application/pdf",
]
html = "text/html";
txt [
"message/disposition-notification",
"text/plain",
"text/rfc822-headers",
]
}
}
logging {
filename = "/var/log/rspamd/rspamd.log";
log_format = <<EOD
id: <$mid>,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user:
$,}$if_smtp_from{ from: <$>,}
(default: $is_spam ($action): [$scores] [$symbols_scores_params]),
len: $len, time: $time_real real, $time_virtual virtual, dns req: $dns_req,
digest: <$digest>$if_smtp_rcpts{, rcpts: <$>}$if_mime_rcpts{,
mime_rcpts: <$>}$if_filename{, file: $}
EOD;
debug_modules [
"pyzor",
"razor",
]
color = false;
type = "file";
log_re_cache = true;
level = "silent";
}
rspamd_update {
key = "qxuogdh5eghytji1utkkte1dn3n81c3y5twe61uzoddzwqzuxxyb";
rules = "sign+https://updates.rspamd.com/rspamd-1.7.ucl";
}
fuzzy_check {
retransmits = 1;
rule {
local {
fuzzy_map {
LOCAL_FUZZY_DENIED {
flag = 11;
max_score = 20;
}
LOCAL_FUZZY_WHITE {
flag = 13;
max_score = 2;
}
LOCAL_FUZZY_PROB {
flag = 12;
max_score = 10;
}
}
read_only = false;
algorithm = "mumhash";
symbol = "LOCAL_FUZZY_UNKNOWN";
skip_unknown = true;
mime_types [
"application/*",
]
servers = "127.0.0.1:11335";
max_score = 20;
}
rspamd.com {
symbol = "FUZZY_UNKNOWN";
mime_types [
"*",
]
encryption_key =
"icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy";
read_only = true;
fuzzy_map {
FUZZY_PROB {
flag = 2;
max_score = 10;
}
FUZZY_DENIED {
flag = 1;
max_score = 20;
}
FUZZY_WHITE {
flag = 3;
max_score = 2;
}
}
max_score = 20;
short_text_direct_hash = true;
skip_unknown = true;
algorithm = "mumhash";
servers = "fuzzy.rspamd.com:11335";
}
}
timeout = 2;
min_bytes = 1000;
}
composites {
MAILER_1C_8_BASE64 {
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 |
MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
}
RBL_SPAMHAUS_XBL_ANY {
expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
}
AUTH_NA {
score = 1;
policy = "remove_weight";
expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA";
}
SPF_FAIL_FORWARDING {
policy = "remove_weight";
expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
}
FORGED_MUA_MAILLIST {
expression = "g:mua and -MAILLIST";
}
DMARC_POLICY_ALLOW_WITH_FAILURES {
policy = "remove_weight";
expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL |
R_SPF_FAIL | R_DKIM_REJECT)";
}
FORGED_SENDER_MAILLIST {
expression = "FORGED_SENDER & -MAILLIST";
}
YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
}
FORGED_SENDER_FORWARDING {
expression = "FORGED_SENDER & g:forwarding";
}
DKIM_MIXED {
policy = "remove_weight";
expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL |
R_DKIM_PERMFAIL | R_DKIM_REJECT)";
}
FORGED_RECIPIENTS_MAILLIST {
expression = "FORGED_RECIPIENTS & -MAILLIST";
}
COMPROMISED_ACCT_BULK {
description = "Likely to be from a compromised account";
score = 3;
policy = "leave";
expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
}
UNDISC_RCPTS_BULK {
description = "Missing or undisclosed recipients with a bulk signature";
score = 3;
policy = "leave";
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
}
HACKED_WP_PHISHING {
policy = "leave";
expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
}
FORGED_RECIPIENTS_FORWARDING {
expression = "FORGED_RECIPIENTS & g:forwarding";
}
FORGED_SENDER_VERP_SRS {
expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
}
MAIL_RU_MAILER_BASE64 {
expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 |
MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 |
TO_EXCESS_BASE64)";
}
}
mid {
source {
url [
"/usr/local/etc/rspamd/mid.inc",
"/usr/local/etc/rspamd/local.d/mid.inc",
]
}
}
url_reputation {
enabled = true;
}
forged_recipients {
symbol_sender = "FORGED_SENDER";
symbol_rcpt = "FORGED_RECIPIENTS";
}
spamtrap {
learn_fuzzy = false;
enabled = false;
learn_spam = false;
}
force_actions {
}
spf {
spf_cache_expire = 86400;
spf_cache_size = 2000;
}
clickhouse {
limit = 1000;
ipmask6 = 48;
full_urls = false;
timeout = 5;
ipmask = 19;
}
razor {
}
group {
statistics {
symbols {
BAYES_HAM {
description = "Message probably ham, probability: ";
weight = -3;
}
BAYES_SPAM {
description = "Message probably spam, probability: ";
weight = 4;
}
}
}
policies {
symbols {
R_SPF_SOFTFAIL {
description = "SPF verification soft-failed";
weight = 0;
}
DMARC_POLICY_ALLOW {
description = "DMARC permit policy";
weight = -0.500000;
}
R_DKIM_REJECT {
one_shot = true;
weight = 1;
description = "DKIM verification failed";
}
R_SPF_FAIL {
description = "SPF verification failed";
weight = 1;
}
DMARC_POLICY_REJECT {
description = "DMARC reject policy";
weight = 2;
}
R_SPF_ALLOW {
description = "SPF verification allows sending";
weight = -0.200000;
}
ARC_ALLOW {
description = "ARC checks success";
weight = -1;
}
DMARC_POLICY_SOFTFAIL {
description = "DMARC failed";
weight = 0.100000;
}
R_SPF_DNSFAIL {
description = "SPF DNS failure";
weight = 0;
}
ARC_NA {
description = "ARC signature absent";
weight = 0;
}
R_SPF_NEUTRAL {
description = "SPF policy is neutral";
weight = 0;
}
R_DKIM_TEMPFAIL {
description = "DKIM verification soft-failed";
weight = 0;
}
ARC_DNSFAIL {
description = "ARC DNS error";
weight = 0;
}
DMARC_POLICY_QUARANTINE {
description = "DMARC quarantine policy";
weight = 1.500000;
}
ARC_INVALID {
description = "ARC structure invalid";
weight = 1;
}
ARC_REJECT {
description = "ARC checks success";
weight = 2;
}
DMARC_POLICY_ALLOW_WITH_FAILURES {
description = "DMARC permit policy with DKIM/SPF failure";
weight = -0.500000;
}
R_DKIM_ALLOW {
one_shot = true;
weight = -0.200000;
description = "DKIM verification succeed";
}
}
}
hfilter {
symbols {
HFILTER_HOSTNAME_UNKNOWN {
description = "Unknown client hostname (PTR or FCrDNS
verification failed)";
weight = 2.500000;
}
HFILTER_FROMHOST_NORESOLVE_MX {
description = "MX found in FROM host and no resolve";
weight = 0.500000;
}
HFILTER_HELO_2 {
description = "Helo host checks (low)";
weight = 1;
}
HFILTER_HELO_NORESOLVE_MX {
description = "MX found in Helo and no resolve";
weight = 0.200000;
}
HFILTER_HOSTNAME_4 {
description = "Hostname checks (hard)";
weight = 2.500000;
}
HFILTER_URL_ONLY {
description = "URL only in body";
weight = 2.200000;
}
HFILTER_FROM_BOUNCE {
description = "Bounce message";
weight = 0;
}
HFILTER_HOSTNAME_2 {
description = "Hostname checks (low)";
weight = 1;
}
HFILTER_HELO_BAREIP {
description = "Helo host is bare ip";
weight = 3;
}
HFILTER_HELO_3 {
description = "Helo host checks (medium)";
weight = 2;
}
HFILTER_URL_ONELINE {
description = "One line URL and text in body";
weight = 2.500000;
}
HFILTER_HOSTNAME_3 {
description = "Hostname checks (medium)";
weight = 2;
}
HFILTER_RCPT_BOUNCEMOREONE {
description = "Message from bounce and over 1 recipient";
weight = 1.500000;
}
HFILTER_FROMHOST_NOT_FQDN {
description = "FROM host not FQDN";
weight = 3;
}
HFILTER_HELO_5 {
description = "Helo host checks (very hard)";
weight = 3;
}
HFILTER_FROMHOST_NORES_A_OR_MX {
description = "FROM host no resolve to A or MX";
weight = 1.500000;
}
HFILTER_HELO_NOT_FQDN {
description = "Helo not FQDN";
weight = 2;
}
HFILTER_HELO_IP_A {
description = "Helo A IP != hostname IP";
weight = 1;
}
HFILTER_HELO_NORES_A_OR_MX {
description = "Helo no resolve to A or MX";
weight = 0.300000;
}
HFILTER_HELO_1 {
description = "Helo host checks (very low)";
weight = 0.500000;
}
HFILTER_HELO_4 {
description = "Helo host checks (hard)";
weight = 2.500000;
}
HFILTER_HELO_BADIP {
description = "Helo host is very bad ip";
weight = 4.500000;
}
HFILTER_HOSTNAME_1 {
description = "Hostname checks (very low)";
weight = 0.500000;
}
HFILTER_HOSTNAME_5 {
description = "Hostname checks (very hard)";
weight = 3;
}
}
}
phishing {
symbols {
HACKED_WP_PHISHING {
description = "Phishing message from hacked wordpress";
weight = 4.500000;
}
PHISHED_OPENPHISH {
description = "Phished URL found in openphish.com";
weight = 7;
}
PHISHING {
one_shot = true;
weight = 4;
description = "Phished URL";
}
PHISHED_PHISHTANK {
description = "Phished URL found in phishtank.com";
weight = 7;
}
}
}
surbl {
symbols {
MSBL_EBL {
one_shot = true;
weight = 7.500000;
description = "MSBL emailbl";
}
URIBL_SBL_CSS {
description = "Spamhaus SBL CSS URIBL";
weight = 6.500000;
}
RBL_SARBL_BAD {
description = "A domain listed in the mail is
blacklisted in SARBL";
weight = 2.500000;
}
URIBL_GREY {
one_shot = true;
weight = 1.500000;
description = "uribl.com grey url";
}
SEM_URIBL {
description = "Spameatingmonkey uribl";
weight = 3.500000;
}
PH_SURBL_MULTI {
description = "SURBL: Phishing sites";
weight = 5.500000;
}
SEM_URIBL_UNKNOWN {
description = "Spameatingmonkey uribl: unknown result";
weight = 0;
}
SBL_URIBL {
description = "SBL URIBL: Filtered result";
weight = 0;
}
DBL_ABUSE_PHISH {
description = "DBL uribl abused legit phish";
weight = 7.500000;
}
URIBL_MULTI {
description = "uribl.com: unrecognised result";
weight = 0;
}
URIBL_SBL {
description = "Spamhaus SBL URIBL";
weight = 6.500000;
}
URIBL_RED {
description = "uribl.com red url";
weight = 3.500000;
}
URIBL_BLACK {
description = "uribl.com black url";
weight = 7.500000;
}
SEM_URIBL_FRESH15 {
description = "Spameatingmonkey uribl. Domains
registered in the last 15 days
(.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
weight = 3;
}
URIBL_BLOCKED {
description = "uribl.com: query refused";
weight = 0;
}
DBL_SPAM {
description = "DBL uribl spam";
weight = 6.500000;
}
DBL_PROHIBIT {
description = "DBL uribl IP queries prohibited!";
weight = 0;
}
DBL_ABUSE_BOTNET {
description = "DBL uribl abused legit botnet C&C";
weight = 5.500000;
}
DBL_PHISH {
description = "DBL uribl phishing";
weight = 6.500000;
}
DBL_ABUSE_REDIR {
description = "DBL uribl abused spammed redirector domain";
weight = 1.500000;
}
DBL_ABUSE_MALWARE {
description = "DBL uribl abused legit malware";
weight = 7.500000;
}
MW_SURBL_MULTI {
description = "SURBL: Malware sites";
weight = 5.500000;
}
ABUSE_SURBL {
description = "SURBL: ABUSE";
weight = 5.500000;
}
DBL_ABUSE {
description = "DBL uribl abused legit spam";
weight = 6.500000;
}
CRACKED_SURBL {
description = "SURBL: cracked site";
weight = 4;
}
RSPAMD_URIBL {
one_shot = true;
weight = 4.500000;
description = "Rspamd uribl, bl.rspamd.com";
}
DBL_BOTNET {
description = "DBL uribl botnet C&C domain";
weight = 5.500000;
}
DBL_MALWARE {
description = "DBL uribl malware";
weight = 6.500000;
}
SEM_URIBL_FRESH15_UNKNOWN {
description = "Spameatingmonkey Fresh15 uribl: unknown result";
weight = 0;
}
SURBL_BLOCKED {
description = "SURBL: blocked by policy/overusage";
weight = 0;
}
DBL {
description = "DBL unknown result";
weight = 0;
}
RSPAMD_EMAILBL {
one_shot = true;
weight = 9.500000;
description = "Rspamd emailbl, bl.rspamd.com";
}
}
max_score = 12.500000;
}
ungrouped {
symbols {
RAZOR {
description = "Detected as spam by Vipul's Razor";
weight = 2;
}
MX_INVALID {
one_shot = "true";
description = "No connectable MX";
score = 1;
}
MX_MISSING {
one_shot = "true";
description = "No MX record";
score = 2;
}
PYZOR {
description = "Detected as spam by Pyzor";
weight = 2;
}
MX_GOOD {
one_shot = "true";
description = "MX was ok";
score = -0.500000;
}
IP_SCORE {
description = "IP reputation";
weight = 2;
}
}
}
headers {
symbols {
R_MIXED_CHARSET {
one_shot = true;
weight = 5;
description = "Mixed characters in a message";
}
FORGED_SENDER {
description = "Sender is forged (different From:
header and smtp MAIL FROM: addresses)";
weight = 0.300000;
}
RDNS_DNSFAIL {
description = "PTR verification DNS error";
weight = 0;
}
FORGED_RECIPIENTS_MAILLIST {
description = "Recipients are not the same as RCPT TO:
mail command, but a message from a maillist";
weight = 0;
}
MAILLIST {
description = "Message seems to be from maillist";
weight = -0.200000;
}
ONCE_RECEIVED_STRICT {
description = "One received header with 'bad' patterns inside";
weight = 4;
}
FORGED_RECIPIENTS {
description = "Recipients are not the same as RCPT TO:
mail command";
weight = 2;
}
RDNS_NONE {
description = "Cannot resolve reverse DNS for sender's IP";
weight = 1;
}
ONCE_RECEIVED {
description = "One received header in a message";
weight = 0.100000;
}
FORGED_SENDER_MAILLIST {
description = "Sender is not the same as MAIL FROM:
envelope, but a message is from a maillist";
weight = 0;
}
R_MIXED_CHARSET_URL {
one_shot = true;
weight = 7;
description = "Mixed characters in a URL inside message";
}
}
}
mime_types {
symbols {
MIME_BAD_EXTENSION {
one_shot = true;
weight = 2;
description = "Bad extension";
}
MIME_DOUBLE_BAD_EXTENSION {
one_shot = true;
weight = 3;
description = "Bad extension cloaking";
}
MIME_GOOD {
one_shot = true;
weight = -0.100000;
description = "Known content-type";
}
MIME_ARCHIVE_IN_ARCHIVE {
one_shot = true;
weight = 5;
description = "Archive within another archive";
}
MIME_ENCRYPTED_ARCHIVE {
one_shot = true;
weight = 2;
description = "Encrypted archive in a message";
}
MIME_BAD_ATTACHMENT {
one_shot = true;
weight = 4;
description = "Invalid attachment mime type";
}
MIME_BAD {
one_shot = true;
weight = 1;
description = "Known bad content-type";
}
MIME_UNKNOWN {
one_shot = true;
weight = 0.100000;
description = "Missing or unknown content-type";
}
}
}
subject {
symbols {
}
max_score = 6;
}
excessb64 {
max_score = 3;
}
mua {
symbols {
FORGED_MUA_MAILLIST {
description = "Avoid false positives for FORGED_MUA_*
in maillist";
weight = 0;
}
}
}
excessqp {
max_score = 2.400000;
}
rbl {
symbols {
RBL_SPAMHAUS_SBL {
description = "From address is listed in zen sbl";
weight = 2;
}
RBL_SPAMHAUS_XBL_ANY {
description = "From or received address is listed in
zen xbl (any list)";
weight = 4;
}
DNSWL_BLOCKED {
description = "Resolver blocked due to excessive queries";
weight = 0;
}
RBL_MAILSPIKE_WORST {
description = "From address is listed in RBL - worst
possible reputation";
weight = 2;
}
RBL_MAILSPIKE_VERYBAD {
description = "From address is listed in RBL - very
bad reputation";
weight = 1.500000;
}
RWL_MAILSPIKE_NEUTRAL {
description = "Neutral result from Mailspike";
weight = 0;
}
RCVD_IN_DNSWL_NONE {
description = "Sender listed at http://www.dnswl.org, low none";
weight = 0;
}
RBL_SPAMHAUS_PBL {
description = "From address is listed in zen pbl (ISP list)";
weight = 2;
}
RCVD_IN_DNSWL {
description = "Unrecognised result from dnswl.org";
weight = 0;
}
RWL_MAILSPIKE_GOOD {
description = "From address is listed in RWL - good reputation";
weight = 0;
}
RBL_MAILSPIKE_BAD {
description = "From address is listed in RBL - bad reputation";
weight = 1;
}
RBL_SEM_IPV6 {
description = "Address is listed in Spameatingmonkey
RBL (ipv6)";
weight = 1;
}
RBL_SEM {
description = "Address is listed in Spameatingmonkey RBL";
weight = 1;
}
RCVD_IN_DNSWL_HI {
description = "Sender listed at http://www.dnswl.org,
high trust";
weight = 0;
}
RBL_SENDERSCORE {
description = "From address is listed in senderscore.com BL";
weight = 2;
}
RBL_SPAMHAUS {
description = "Unrecognised result from Spamhaus zen";
weight = 0;
}
RBL_SPAMHAUS_DROP {
description = "From address is listed in zen drop bl";
weight = 7;
}
RWL_MAILSPIKE_VERYGOOD {
description = "From address is listed in RWL - very
good reputation";
weight = 0;
}
MAILSPIKE {
description = "Unrecognised result from Mailspike";
weight = 0;
}
RCVD_IN_DNSWL_MED {
description = "Sender listed at http://www.dnswl.org,
medium trust";
weight = 0;
}
RWL_MAILSPIKE_POSSIBLE {
description = "From address is listed in RWL - possibly legit";
weight = 0;
}
RBL_SPAMHAUS_XBL {
description = "From address is listed in zen xbl";
weight = 4;
}
RECEIVED_SPAMHAUS_XBL {
one_shot = true;
weight = 3;
description = "Received address is listed in zen xbl";
}
RCVD_IN_DNSWL_LOW {
description = "Sender listed at http://www.dnswl.org,
low trust";
weight = 0;
}
RBL_SPAMHAUS_CSS {
description = "From address is listed in zen css";
weight = 2;
}
RBL_ABUSECH {
description = "From address is listed in ABUSE.CH BL";
weight = 1;
}
RWL_MAILSPIKE_EXCELLENT {
description = "From address is listed in RWL -
excellent reputation";
weight = 0;
}
}
}
neural {
symbols {
NEURAL_SPAM {
description = "Neural network spam";
weight = 3;
}
NEURAL_HAM {
description = "Neural network ham";
weight = -3;
}
}
}
fuzzy {
symbols {
FUZZY_UNKNOWN {
description = "Generic fuzzy hash match, bl.rspamd.com";
weight = 5;
}
FUZZY_PROB {
description = "Probable fuzzy hash, bl.rspamd.com";
weight = 5;
}
FUZZY_DENIED {
description = "Denied fuzzy hash, bl.rspamd.com";
weight = 12;
}
FUZZY_WHITE {
description = "Whitelisted fuzzy hash, bl.rspamd.com";
weight = -2.100000;
}
}
}
}
metadata_exporter {
rules {
}
}
multimap {
freemail_envfrom {
filter = "email:domain";
symbol = "FREEMAIL_ENVFROM";
type = "from";
score = 0;
description = "Envelope From is a Freemail address";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
}
freemail_from {
filter = "email:domain";
score = 0;
symbol = "FREEMAIL_FROM";
type = "header";
description = "From is a Freemail address";
header = "from";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
}
disposable_replyto {
filter = "email:domain";
score = 0;
symbol = "DISPOSABLE_REPLYTO";
type = "header";
description = "Reply-To a disposable e-mail address";
header = "Reply-To";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
}
disposable_cc {
filter = "email:domain";
score = 0;
symbol = "DISPOSABLE_CC";
type = "header";
description = "To a disposable e-mail address";
header = "Cc";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
}
disposable_to {
filter = "email:domain";
score = 0;
symbol = "DISPOSABLE_TO";
type = "header";
description = "To a disposable e-mail address";
header = "To";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
}
disposable_from {
filter = "email:domain";
score = 0;
symbol = "DISPOSABLE_FROM";
type = "header";
description = "From a Disposable e-mail address";
header = "from";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
}
freemail_to {
filter = "email:domain";
score = 0;
symbol = "FREEMAIL_TO";
type = "header";
description = "To is a Freemail address";
header = "To";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
}
freemail_envrcpt {
filter = "email:domain";
symbol = "FREEMAIL_ENVRCPT";
type = "rcpt";
score = 0;
description = "Envelope Recipient is a Freemail address";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
}
freemail_replyto {
filter = "email:domain";
score = 0;
symbol = "FREEMAIL_REPLYTO";
type = "header";
description = "Reply-To is a Freemail address";
header = "Reply-To";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
}
disposable_envfrom {
filter = "email:domain";
symbol = "DISPOSABLE_ENVFROM";
type = "from";
score = 0;
description = "Envelope From is a Disposable e-mail address";
map = "https://rspamd.com/freemail/disposable.txt.zst";
}
freemail_cc {
filter = "email:domain";
score = 0;
symbol = "FREEMAIL_CC";
type = "header";
description = "To is a Freemail address";
header = "Cc";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
}
disposable_envrcpt {
filter = "email:domain";
symbol = "DISPOSABLE_ENVRCPT";
type = "rcpt";
score = 0;
description = "Envelope Recipient is a Disposable e-mail address";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
}
}
worker {
normal {
task_timeout = 8;
enabled = false;
bind_socket = "localhost:11333";
mime = true;
}
}
worker {
controller {
password = "$2$or9n9ffj4qsogh7i8d9qi5u1hxt53q6o$ntp4kj...";
secure_ip = "127.0.0.1";
secure_ip = "::1";
static_dir = "/usr/local/share/rspamd/www";
count = 1;
bind_socket = "/var/run/rspamd/rspamd.sock mode=0666 owner=nobody";
bind_socket = "127.0.0.1:11334";
}
}
worker {
rspamd_proxy {
max_retries = 5;
timeout = 120;
discard_on_reject = false;
spam_header = "X-Spam";
quarantine_on_reject = false;
reject_message = "Spam message rejected";
count = 1;
type = "proxy";
upstream {
local {
hosts = "localhost";
self_scan = true;
default = true;
}
}
bind_socket = "/var/run/rspamd/milter.sock mode=0666 owner=nobody";
milter = true;
}
}
worker {
fuzzy {
backend = "redis";
allow_update [
"localhost",
]
count = -1;
bind_socket = "localhost:11335";
expire = 7776000;
}
}
dmarc {
}
milter_headers {
extended_spam_headers = true;
use [
"x-spam-level",
"authentication-results",
]
spam_header_value = "YES";
authenticated_headers [
"authentication-results",
]
local_headers [
"x-spamd-level",
]
spam_header = "X-Spam-Flag";
skip_authenticated = false;
skip_local = false;
}
actions {
rewrite_subject = 5;
add_header = 4;
greylist = 999;
reject = 999;
}
elastic {
limit = 10;
import_kibana = false;
debug = false;
timeout = 5;
index_pattern = "rspamd-%Y.%m.%d";
}
url_tags {
enabled = true;
}
options {
cache_file = "/var/db/rspamd/symbols.cache";
map_watch_interval = 300;
tempdir = "/tmp";
history_rows = 200;
url_tld = "/usr/local/share/rspamd/effective_tld_names.dat";
hs_cache_dir = "/var/db/rspamd/";
pidfile = "/var/run/rspamd/rspamd.pid";
local_addrs = "127.0.0.0/8";
rrd = "/var/db/rspamd/rspamd.rrd";
check_all_filters = false;
explicit_modules [
"settings",
"bayes_expiry",
]
control_socket = "/var/db/rspamd/rspamd.sock mode=0600";
allow_raw_input = true;
dynamic_conf = "/var/db/rspamd/rspamd_dynamic";
dns {
sockets = 16;
retransmits = 5;
timeout = 1;
nameserver [
"127.0.0.1:53:10",
]
}
raw_mode = false;
filters = "chartable,dkim,spf,surbl,regexp,fuzzy_check";
classify_headers [
"User-Agent",
"X-Mailer",
"Content-Type",
"X-MimeOLE",
]
words_decay = 200;
history_file = "/var/db/rspamd/rspamd.history";
one_shot = false;
map_file_watch_multiplier = 0.100000;
}
emails {
rules {
MSBL_EBL {
expect_ip = "127.0.0.2";
hash = "sha1";
check_replyto = true;
domain_only = false;
dnsbl = "ebl.msbl.org";
}
RSPAMD_EMAILBL {
encoding = "base32";
hashlen = 32;
hash = "blake2";
check_replyto = true;
delimiter = ".";
dnsbl = "email.rspamd.com";
}
}
}
asn {
symbol = "ASN";
provider_info {
ip6 = "asn6.rspamd.com";
ip4 = "asn.rspamd.com";
}
provider_type = "rspamd";
}
chartable {
symbol = "R_MIXED_CHARSET";
threshold = 0.300000;
}
dcc {
timeout = 5;
host = "/usr/local/dcc/dccifd";
}
history_redis {
nrows = 200;
subject_privacy = false;
compress = true;
key_prefix = "rs_history";
}
classifier {
bayes {
backend = "redis";
min_tokens = 11;
languages_enabled = true;
expire = 8640000;
cache {
path = "/var/db/rspamd/learn_cache.sqlite";
}
autolearn = true;
new_schema = true;
statfile {
path = "/var/db/rspamd/bayes.ham.sqlite";
spam = false;
symbol = "BAYES_HAM";
}
statfile {
path = "/var/db/rspamd/bayes.spam.sqlite";
spam = true;
symbol = "BAYES_SPAM";
}
learn_condition = <<EOD
-- Learn guard for the Bayes classifier: returns true when the message should be
-- learned, or false plus a reason string when it is already confidently in the
-- requested class.
-- Parameters: task (rspamd task object), is_spam (boolean, class being learned),
-- is_unlearn (not referenced in this body).
return function(task, is_spam, is_unlearn)
-- NOTE(review): 'bayes_prob' is presumably stored in the task mempool by the
-- classifier during scanning; it is nil when no scan result is present - confirm.
local prob = task:get_mempool():get_variable('bayes_prob', 'double')

if prob then
local in_class = false
local cl
-- >= 0.95 counts as "already spam", <= 0.05 as "already ham".
if is_spam then
cl = 'spam'
in_class = prob >= 0.95
else
cl = 'ham'
in_class = prob <= 0.05
end

-- Refuse the learn (false + message) when the message already sits in the target
-- class; the reported percentage is the distance from 0.5 scaled to 0..100.
if in_class then
return false,string.format('already in class %s; probability %.2f%%',
cl, math.abs((prob - 0.5) * 200.0))
end
end

-- No stored probability, or not yet in class: allow learning.
return true
end
EOD;
tokenizer {
name = "osb";
}
servers = "127.0.0.1";
min_learns = 200;
}
}
pyzor {
}
url_redirector {
max_size = 10000;
nested_limit = 1;
check_ssl = false;
key_prefix = "rdr:";
expire = 86400;
timeout = 10;
}
metric_exporter {
}
trie {
}
replies {
key_prefix = "rr";
symbol = "REPLY";
action = "no action";
expire = 86400;
message = "Message is reply to one we originated";
}
greylist {
ipv6_mask = 64;
whitelist_domains_url [
"/usr/local/etc/rspamd/local.d/greylist-whitelist-domains.inc",
]
expire = 86400;
enabled = false;
key_prefix = "rg";
ipv4_mask = 19;
message = "Try again later";
max_data_len = 10000;
action = "soft reject";
servers = "127.0.0.1:6379";
timeout = 300;
}
redis {
servers = "127.0.0.1";
}
rbl {
default_exclude_users = true;
default_received = true;
default_unknown = true;
default_from = true;
rbls {
senderscore {
rbl = "bl.score.senderscore.com";
symbol = "RBL_SENDERSCORE";
}
spamhaus_xbl {
ignore_whitelists = true;
returncodes {
RECEIVED_SPAMHAUS_XBL [
"127.0.0.4",
"127.0.0.5",
"127.0.0.6",
"127.0.0.7",
]
}
symbol = "RECEIVED_SPAMHAUS";
from = false;
rbl = "zen.spamhaus.org";
received = true;
ipv6 = true;
}
semIPv6 {
ipv4 = false;
rbl = "bl.ipv6.spameatingmonkey.net";
ipv6 = true;
symbol = "RBL_SEM_IPV6";
}
mailspike {
symbol = "MAILSPIKE";
is_whitelist = true;
returncodes {
RWL_MAILSPIKE_NEUTRAL [
"127.0.0.16",
"127.0.0.15",
"127.0.0.14",
"127.0.0.13",
]
RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
RBL_MAILSPIKE_BAD = "127.0.0.12";
RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
RBL_MAILSPIKE_WORST = "127.0.0.10";
RWL_MAILSPIKE_GOOD = "127.0.0.18";
RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
}
rbl = "rep.mailspike.net";
whitelist_exception = "MAILSPIKE";
whitelist_exception = "RWL_MAILSPIKE_GOOD";
whitelist_exception = "RWL_MAILSPIKE_NEUTRAL";
whitelist_exception = "RWL_MAILSPIKE_POSSIBLE";
whitelist_exception = "RBL_MAILSPIKE_WORST";
whitelist_exception = "RBL_MAILSPIKE_VERYBAD";
whitelist_exception = "RBL_MAILSPIKE_BAD";
}
dnswl {
symbol = "RCVD_IN_DNSWL";
is_whitelist = true;
returncodes {
RCVD_IN_DNSWL_MED = "127.0.%d+.2";
RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
RCVD_IN_DNSWL_HI = "127.0.%d+.3";
RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
DNSWL_BLOCKED = "127.0.0.255";
}
ipv6 = true;
rbl = "list.dnswl.org";
whitelist_exception = "RCVD_IN_DNSWL";
whitelist_exception = "RCVD_IN_DNSWL_NONE";
whitelist_exception = "RCVD_IN_DNSWL_LOW";
whitelist_exception = "DNSWL_BLOCKED";
}
sem {
rbl = "bl.spameatingmonkey.net";
ipv6 = false;
symbol = "RBL_SEM";
}
abusech {
rbl = "spam.abuse.ch";
symbol = "RBL_ABUSECH";
}
spamhaus {
returncodes {
RBL_SPAMHAUS_SBL = "127.0.0.2";
RBL_SPAMHAUS_XBL [
"127.0.0.4",
"127.0.0.5",
"127.0.0.6",
"127.0.0.7",
]
RBL_SPAMHAUS_CSS = "127.0.0.3";
RBL_SPAMHAUS_DROP = "127.0.0.9";
RBL_SPAMHAUS_PBL [
"127.0.0.10",
"127.0.0.11",
]
}
rbl = "zen.spamhaus.org";
ipv6 = true;
symbol = "RBL_SPAMHAUS";
}
}
}
dkim {
trusted_only = false;
dkim_cache_size = 2000;
dkim_cache_expire = 86400;
time_jitter = 21600;
skip_multi = false;
}
ratelimit {
whitelisted_rcpts = "postmaster,mailer-daemon";
use_ip_score = true;
max_rcpt = 5;
ip_score_ham_multiplier = 1.100000;
ip_score_spam_divisor = 1.100000;
}
once_received {
bad_host = "static";
bad_host = "dynamic";
good_host = "mail";
symbol_strict = "ONCE_RECEIVED_STRICT";
symbol_mx = "DIRECT_TO_MX";
symbol = "ONCE_RECEIVED";
}
ip_score {
metric = "default";
symbol = "IP_SCORE";
hash = "ip_score";
score_divisor = 10;
scores {
ip = 1;
country = 0.100000;
asn = 0.500000;
ipnet = 0.800000;
}
lower_bound = 10;
country_prefix = "c:";
ipnet_prefix = "n:";
actions {
"add header" = 0.250000;
"no action" = 1;
"rewrite subject" = 0.250000;
reject = 1;
}
asn_prefix = "a:";
}