lua = "/usr/share/rspamd/rules/rspamd.lua"; metric { name = "default"; } actions { reject = 15; add_header = 6; greylist = 4; } group { headers { description = "Various headers checks"; max_score = 8.0; symbols { FORGED_SENDER { weight = 0.300000; description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; } R_MIXED_CHARSET { weight = 5.0; description = "Mixed characters in a message"; one_shot = true; } R_MIXED_CHARSET_URL { weight = 7.0; description = "Mixed characters in a URL inside message"; one_shot = true; } FORGED_RECIPIENTS { weight = 2.0; description = "Recipients are not the same as RCPT TO: mail command"; } FORGED_RECIPIENTS_MAILLIST { weight = 0.0; description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist"; } FORGED_SENDER_MAILLIST { weight = 0.0; description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist"; } ONCE_RECEIVED { weight = 0.100000; description = "One received header in a message"; } ONCE_RECEIVED_STRICT { weight = 4.0; description = "One received header with 'bad' patterns inside"; } DIRECT_TO_MX { weight = 0.0; description = "Message has been directly delivered from MUA to local MX"; } MAILLIST { weight = -0.200000; description = "Message seems to be from maillist"; } BOUNCE { weight = -0.100000; description = "(Non) Delivery Status Notification"; } } } } group { subject { description = "Subject filters"; max_score = 6.0; symbols {} } } group { mua { description = "MUA forgeries"; symbols { FORGED_MUA_MAILLIST { weight = 0.0; description = "Avoid false positives for FORGED_MUA_* in maillist"; } } } } group { rbl { description = "IP DNS lists"; symbols { RBL_SENDERSCORE { weight = 4.0; description = "From address is listed in senderscore.com BL"; } RBL_SPAMHAUS_SBL { weight = 2.0; description = "From address is listed in zen sbl"; } RBL_SPAMHAUS_CSS { weight = 2.0; description = "From address is listed in zen css"; } RBL_SPAMHAUS_XBL { 
weight = 4.0; description = "From address is listed in zen xbl"; } RBL_SPAMHAUS_XBL_ANY { weight = 4.0; description = "From or receive address is listed in zen xbl (any list)"; } RBL_SPAMHAUS_PBL { weight = 2.0; description = "From address is listed in zen pbl (ISP list)"; } RBL_SPAMHAUS_DROP { weight = 7.0; description = "From address is listed in zen drop bl"; } RECEIVED_SPAMHAUS_XBL { weight = 3.0; description = "Received address is listed in zen xbl"; one_shot = true; } RBL_MAILSPIKE_WORST { weight = 2.0; description = "From address is listed in RBL - worst possible reputation"; } RBL_MAILSPIKE_VERYBAD { weight = 1.500000; description = "From address is listed in RBL - very bad reputation"; } RBL_MAILSPIKE_BAD { weight = 1.0; description = "From address is listed in RBL - bad reputation"; } RBL_SEM { weight = 1.0; description = "Address is listed in Spameatingmonkey RBL"; } } } } group { senderscore { max_score = 4.0; } } group { statistics { description = "Statistical symbols"; symbols { BAYES_SPAM { weight = 5.100000; description = "Message probably spam, probability: "; } BAYES_HAM { weight = -3.0; description = "Message probably ham, probability: "; } } } } group { fuzzy { description = "Fuzzy hashes group"; symbols { FUZZY_UNKNOWN { weight = 5.0; description = "Generic fuzzy hash match, bl.rspamd.com"; } FUZZY_DENIED { weight = 12.0; description = "Denied fuzzy hash, bl.rspamd.com"; } FUZZY_PROB { weight = 5.0; description = "Probable fuzzy hash, bl.rspamd.com"; } FUZZY_WHITE { weight = -2.100000; description = "Whitelisted fuzzy hash, bl.rspamd.com"; } } } } group { policies { description = "SPF, DKIM, DMARC, ARC"; symbols { R_SPF_FAIL { weight = 1.0; description = "SPF verification failed"; groups [ "spf", ] } R_SPF_SOFTFAIL { weight = 0.0; description = "SPF verification soft-failed"; groups [ "spf", ] } R_SPF_NEUTRAL { weight = 0.0; description = "SPF policy is neutral"; groups [ "spf", ] } R_SPF_ALLOW { weight = -0.200000; description = "SPF 
verification allows sending"; groups [ "spf", ] } R_SPF_DNSFAIL { weight = 0.0; description = "SPF DNS failure"; groups [ "spf", ] } R_SPF_NA { weight = 0.0; description = "Missing SPF record"; one_shot = true; groups [ "spf", ] } R_SPF_PERMFAIL { weight = 0.0; description = "SPF record is malformed or persistent DNS error"; groups [ "spf", ] } R_SPF_PLUSALL { weight = 4.0; description = "SPF record allows to send from any IP"; groups [ "spf", ] } R_DKIM_REJECT { weight = 1.0; description = "DKIM verification failed"; one_shot = true; groups [ "dkim", ] } R_DKIM_TEMPFAIL { weight = 0.0; description = "DKIM verification soft-failed"; groups [ "dkim", ] } R_DKIM_PERMFAIL { weight = 0.0; description = "DKIM verification hard-failed (invalid)"; groups [ "dkim", ] } R_DKIM_ALLOW { weight = -0.200000; description = "DKIM verification succeed"; one_shot = true; groups [ "dkim", ] } R_DKIM_NA { weight = 0.0; description = "Missing DKIM signature"; one_shot = true; groups [ "dkim", ] } DMARC_POLICY_ALLOW { weight = -0.500000; description = "DMARC permit policy"; groups [ "dmarc", ] } DMARC_POLICY_ALLOW_WITH_FAILURES { weight = -0.500000; description = "DMARC permit policy with DKIM/SPF failure"; groups [ "dmarc", ] } DMARC_POLICY_REJECT { weight = 2.0; description = "DMARC reject policy"; groups [ "dmarc", ] } DMARC_POLICY_QUARANTINE { weight = 1.500000; description = "DMARC quarantine policy"; groups [ "dmarc", ] } DMARC_POLICY_SOFTFAIL { weight = 0.100000; description = "DMARC failed"; groups [ "dmarc", ] } DMARC_NA { weight = 0.0; description = "No DMARC record"; groups [ "dmarc", ] } ARC_ALLOW { weight = -1.0; description = "ARC checks success"; groups [ "arc", ] } ARC_REJECT { weight = 1.0; description = "ARC checks failed"; groups [ "arc", ] } ARC_INVALID { weight = 0.500000; description = "ARC structure invalid"; groups [ "arc", ] } ARC_DNSFAIL { weight = 0.0; description = "ARC DNS error"; groups [ "arc", ] } ARC_NA { weight = 0.0; description = "ARC signature 
absent"; groups [ "arc", ] } } } } group { whitelist { description = "White lists group"; max_score = 10.0; symbols { WHITELIST_SPF { weight = -1.0; description = "Mail comes from the whitelisted domain and has a valid SPF policy"; groups [ "spf", ] } BLACKLIST_SPF { weight = 1.0; description = "Mail comes from the whitelisted domain and has no valid SPF policy"; groups [ "spf", ] } WHITELIST_DKIM { weight = -1.0; description = "Mail comes from the whitelisted domain and has a valid DKIM signature"; groups [ "dkim", ] } BLACKLIST_DKIM { weight = 2.0; description = "Mail comes from the whitelisted domain and has non-valid DKIM signature"; groups [ "dkim", ] } WHITELIST_SPF_DKIM { weight = -3.0; description = "Mail comes from the whitelisted domain and has valid SPF and DKIM policies"; groups [ "spf", "dkim", ] } BLACKLIST_SPF_DKIM { weight = 3.0; description = "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature"; groups [ "spf", "dkim", ] } WHITELIST_DMARC { weight = -7.0; description = "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies"; groups [ "dmarc", "spf", "dkim", ] } BLACKLIST_DMARC { weight = 6.0; description = "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies"; groups [ "dmarc", "spf", "dkim", ] } } } } group { surbl { description = "URL DNS lists"; max_score = 12.500000; symbols { PH_SURBL_MULTI { weight = 5.500000; description = "SURBL: Phishing sites"; } MW_SURBL_MULTI { weight = 5.500000; description = "SURBL: Malware sites"; } ABUSE_SURBL { weight = 5.500000; description = "SURBL: ABUSE"; } CRACKED_SURBL { weight = 4.0; description = "SURBL: cracked site"; } RAMBLER_URIBL { weight = 4.500000; description = "Rambler uribl"; one_shot = true; } RAMBLER_EMAILBL { weight = 9.500000; description = "Rambler emailbl"; one_shot = true; } MSBL_EBL { weight = 7.500000; description = "MSBL emailbl"; one_shot = true; } SEM_URIBL { weight = 3.500000; description = 
"Spameatingmonkey uribl"; } SEM_URIBL_FRESH15 { weight = 3.0; description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)"; } DBL { weight = 0.0; description = "DBL unknown result"; } DBL_SPAM { weight = 6.500000; description = "DBL uribl spam"; } DBL_PHISH { weight = 6.500000; description = "DBL uribl phishing"; } DBL_MALWARE { weight = 6.500000; description = "DBL uribl malware"; } DBL_BOTNET { weight = 5.500000; description = "DBL uribl botnet C&C domain"; } DBL_ABUSE { weight = 6.500000; description = "DBL uribl abused legit spam"; } DBL_ABUSE_REDIR { weight = 1.500000; description = "DBL uribl abused spammed redirector domain"; } DBL_ABUSE_PHISH { weight = 7.500000; description = "DBL uribl abused legit phish"; } DBL_ABUSE_MALWARE { weight = 7.500000; description = "DBL uribl abused legit malware"; } DBL_ABUSE_BOTNET { weight = 5.500000; description = "DBL uribl abused legit botnet C&C"; } URIBL_BLACK { weight = 7.500000; description = "uribl.com black url"; } URIBL_RED { weight = 3.500000; description = "uribl.com red url"; } URIBL_GREY { weight = 1.500000; description = "uribl.com grey url"; one_shot = true; } URIBL_SBL { weight = 6.500000; description = "Spamhaus SBL URIBL"; } URIBL_SBL_CSS { weight = 6.500000; description = "Spamhaus SBL CSS URIBL"; } RBL_SARBL_BAD { weight = 2.500000; description = "A domain listed in the mail is blacklisted in SARBL"; } } } } group { phishing { description = "Phishing in emails"; max_score = 10.0; symbols { PHISHING { weight = 4.0; description = "Phished URL"; one_shot = true; } PHISHED_EXCLUDED { weight = 0.0; description = "Phished URL found in exclusions list"; } PHISHED_OPENPHISH { weight = 7.0; description = "Phished URL found in openphish.com"; } PHISHED_PHISHTANK { weight = 7.0; description = "Phished URL found in phishtank.com"; } PHISHED_GENERIC_SERVICE { weight = 0.0; description = "Phished URL found in generic service"; } HACKED_WP_PHISHING 
{ weight = 4.500000; description = "Phish message sent by hacked Wordpress instance"; } REDIRECTOR_FALSE { weight = 0.0; description = "Phishing exclusion symbol for known redirectors"; } URL_REDIRECTOR_NESTED { weight = 1.0; description = "URL redirector nested limit has been reached"; one_shot = true; } PHISHED_WHITELISTED { weight = 0.0; description = "Phishing exclusion symbol for known exceptions"; } } } } group { hfilter { description = "SMTP envelope filter"; symbols { HFILTER_HELO_BAREIP { weight = 3.0; description = "Helo host is bare ip"; } HFILTER_HELO_BADIP { weight = 4.500000; description = "Helo host is very bad ip"; } HFILTER_HELO_1 { weight = 0.500000; description = "Helo host checks (very low)"; } HFILTER_HELO_2 { weight = 1.0; description = "Helo host checks (low)"; } HFILTER_HELO_3 { weight = 2.0; description = "Helo host checks (medium)"; } HFILTER_HELO_4 { weight = 2.500000; description = "Helo host checks (hard)"; } HFILTER_HELO_5 { weight = 3.0; description = "Helo host checks (very hard)"; } HFILTER_HOSTNAME_1 { weight = 0.500000; description = "Hostname checks (very low)"; } HFILTER_HOSTNAME_2 { weight = 1.0; description = "Hostname checks (low)"; } HFILTER_HOSTNAME_3 { weight = 2.0; description = "Hostname checks (medium)"; } HFILTER_HOSTNAME_4 { weight = 2.500000; description = "Hostname checks (hard)"; } HFILTER_HOSTNAME_5 { weight = 3.0; description = "Hostname checks (very hard)"; } HFILTER_HELO_NORESOLVE_MX { weight = 0.200000; description = "MX found in Helo and no resolve"; } HFILTER_HELO_NORES_A_OR_MX { weight = 0.300000; description = "Helo no resolve to A or MX"; } HFILTER_HELO_IP_A { weight = 1.0; description = "Helo A IP != hostname IP"; } HFILTER_HELO_NOT_FQDN { weight = 2.0; description = "Helo not FQDN"; } HFILTER_FROMHOST_NORESOLVE_MX { weight = 0.500000; description = "MX found in FROM host and no resolve"; } HFILTER_FROMHOST_NORES_A_OR_MX { weight = 1.500000; description = "FROM host no resolve to A or MX"; } 
HFILTER_FROMHOST_NOT_FQDN { weight = 3.0; description = "FROM host not FQDN"; } HFILTER_FROM_BOUNCE { weight = 0.0; description = "Bounce message"; } HFILTER_HOSTNAME_UNKNOWN { weight = 2.500000; description = "Unknown client hostname (PTR or FCrDNS verification failed)"; } HFILTER_RCPT_BOUNCEMOREONE { weight = 1.500000; description = "Message from bounce and over 1 recipient"; } HFILTER_URL_ONLY { weight = 2.200000; description = "URL only in body"; } HFILTER_URL_ONELINE { weight = 2.500000; description = "One line URL and text in body"; } RDNS_NONE { weight = 2.0; description = "Cannot resolve reverse DNS for sender's IP"; } RDNS_DNSFAIL { weight = 0.0; description = "PTR verification DNS error"; } } } } group { mime_types { description = "Mime attachments rules"; max_score = 10.0; symbols { MIME_GOOD { weight = -0.100000; description = "Known content-type"; one_shot = true; } MIME_BAD { weight = 1.0; description = "Known bad content-type"; one_shot = true; } MIME_UNKNOWN { weight = 0.100000; description = "Missing or unknown content-type"; one_shot = true; } MIME_BAD_ATTACHMENT { weight = 4.0; description = "Invalid attachment mime type"; one_shot = true; } MIME_ENCRYPTED_ARCHIVE { weight = 2.0; description = "Encrypted archive in a message"; one_shot = true; } MIME_OBFUSCATED_ARCHIVE { weight = 2.0; description = "Archive has files with clear obfuscation signs"; one_shot = true; } MIME_EXE_IN_GEN_SPLIT_RAR { weight = 5.0; description = "EXE file in RAR archive with generic split extension (e.g. 
.001)"; one_shot = true; } MIME_ARCHIVE_IN_ARCHIVE { weight = 5.0; description = "Archive within another archive"; one_shot = true; } MIME_DOUBLE_BAD_EXTENSION { weight = 3.0; description = "Bad extension cloaking"; one_shot = true; } MIME_BAD_EXTENSION { weight = 2.0; description = "Bad extension"; one_shot = true; } MIME_BAD_UNICODE { weight = 2.0; description = "Filename with known obscured unicode characters"; one_shot = true; } } } } group { excessqp { max_score = 2.400000; } } group { excessb64 { max_score = 3.0; } } group { neural { symbols { NEURAL_SPAM_LONG { weight = 1.0; description = "Neural network spam (long)"; } NEURAL_HAM_LONG { weight = -2.0; description = "Neural network ham (long)"; } NEURAL_SPAM_SHORT { weight = 0.500000; description = "Neural network spam (short)"; } NEURAL_HAM_SHORT { weight = -1.0; description = "Neural network ham (short)"; } } } } group { antivirus {} } group { external_services {} } group { content { description = "Content rules"; symbols { PDF_ENCRYPTED { weight = 0.300000; description = "There is an encrypted PDF in the message"; one_shot = true; } PDF_JAVASCRIPT { weight = 0.100000; description = "There is an PDF with JavaScript in the message"; one_shot = true; } PDF_SUSPICIOUS { weight = 4.500000; description = "There is an PDF with suspicious properties in the message"; one_shot = true; } PDF_LONG_TRAILER { weight = 0.200000; description = "There is an PDF with a long trailer in the message"; one_shot = true; } PDF_MANY_OBJECTS { weight = 0; description = "There is a PDF with too many objects in the message"; one_shot = true; } PDF_TIMEOUT { weight = 0; description = "There is a PDF in the message that caused timeout in processing"; one_shot = true; } } } } composites { SHORT_PART_BAD_HEADERS { expression = "MISSING_ESSENTIAL_HEADERS & SINGLE_SHORT_PART"; group = "blankspam"; policy = "leave"; score = 7.0; } FORGED_RECIPIENTS_MAILLIST { expression = "FORGED_RECIPIENTS & -MAILLIST"; } FORGED_SENDER_MAILLIST { 
expression = "FORGED_SENDER & -MAILLIST"; } FORGED_SENDER_FORWARDING { expression = "FORGED_SENDER & g:forwarding"; description = "Forged sender, but message is forwarded"; policy = "remove_weight"; } SPF_FAIL_FORWARDING { expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)"; policy = "remove_weight"; } DMARC_POLICY_ALLOW_WITH_FAILURES { expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)"; policy = "remove_weight"; } FORGED_RECIPIENTS_FORWARDING { expression = "FORGED_RECIPIENTS & g:forwarding"; policy = "remove_weight"; } FORGED_SENDER_VERP_SRS { expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)"; } FORGED_MUA_MAILLIST { expression = "g:mua & -MAILLIST"; } AUTH_NA { expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA"; score = 1.0; policy = "remove_weight"; description = "Authenticating message via SPF/DKIM/DMARC/ARC not available"; } AUTH_NA_OR_FAIL { expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) & (R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA | R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)"; score = 1.0; policy = "remove_weight"; description = "No authenticating method SPF/DKIM/DMARC/ARC was successful"; } BOUNCE_NO_AUTH { expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)"; score = 1.0; } DKIM_MIXED { expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"; policy = "remove_weight"; } APPLE_MAILER_COMMON { description = "Message was sent by 'Apple Mail' and has common symbols in place"; expression = "APPLE_MAILER & MV_CASE"; } APPLE_IOS_MAILER_COMMON { description = "Message was sent by 'Apple iOS Mail' and has common symbols in place"; expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)"; } HACKED_WP_PHISHING { expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)"; description = "Phish 
message sent by hacked Wordpress instance"; policy = "leave"; group = "compromised_hosts"; } COMPROMISED_ACCT_BULK { expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK"; description = "Likely to be from a compromised account"; score = 3.0; policy = "leave"; group = "compromised_hosts"; } UNDISC_RCPTS_BULK { expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)"; description = "Missing or undisclosed recipients with a bulk signature"; score = 3.0; policy = "leave"; } RCVD_UNAUTH_PBL { expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH"; description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)"; score = 2.0; policy = "leave"; } RCVD_DKIM_ARC_DNSWL_MED { expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED"; description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL"; score = -0.500000; policy = "leave"; } RCVD_DKIM_ARC_DNSWL_HI { expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI"; description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL"; score = -1.0; policy = "leave"; } AUTOGEN_PHP_SPAMMY { expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)"; description = "Message was generated by PHP script and contains some spam indicators"; score = 1.0; policy = "leave"; } PHISH_EMOTION { expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)"; description = "Phish message with subject trying to address users emotion"; score = 1.0; policy = "leave"; } HAS_ANON_DOMAIN { expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI"; description = "Contains one or more domains trying to disguise owner/destination"; score = 0.100000; policy = "leave"; } BAD_REP_POLICIES { description = "Contains valid policies but are also marked by fuzzy/bayes/SURBL/RBL"; 
expression = "(~g-:policies) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)"; score = 0.100000; } VIOLATED_DIRECT_SPF { description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails"; expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)"; policy = "leave"; score = 3.500000; } IP_SCORE_FREEMAIL { description = "Negate IP_SCORE when message comes from FreeMail"; expression = "FREEMAIL_FROM & SENDER_REP_SPAM"; score = 0.0; policy = "remove_weight"; } BROKEN_HEADERS_MAILLIST { description = "Negate BROKEN_HEADERS when message comes via some mailing list"; expression = "BROKEN_HEADERS & -MAILLIST"; score = 0.0; policy = "remove_weight"; } LEAKED_PASSWORD_SCAM { description = "Contains BTC wallet address and scam patterns"; expression = "BITCOIN_ADDR & (LEAKED_PASSWORD_SCAM_RE | R_MIXED_CHARSET | R_EMPTY_IMAGE)"; policy = "leave"; score = 7.0; group = "scams"; } FREEMAIL_AFF { expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT | CD_MM_BODY) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)"; score = 4.0; policy = "leave"; description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses"; group = "scams"; } FREEMAIL_REPLYTO_NEQ_FROM { expression = "FREEMAIL_REPLYTO & !REPLYTO_EQ_FROM & !REPLYTO_ADDR_EQ_FROM & !FREEMAIL_REPLYTO_NEQ_FROM_DOM"; score = 2.0; policy = "leave"; description = "Reply-To is a Freemail address and it not match From header or SMTP From, also From is not another Freemail"; } SUSPICIOUS_MDN { expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)"; score = 2.0; policy = "leave"; description = "Message delivery notification should go to freemail or disposable e-mail, but message was not sent from a freemail address"; group = "scams"; } REDIRECTOR_URL_ONLY { expression = 
"HFILTER_URL_ONLY & REDIRECTOR_URL"; score = 1.0; policy = "leave"; description = "Message only contains a redirector URL"; } SUSPICIOUS_AUTH_ORIGIN { expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)"; score = 0.0; policy = "leave"; description = "Message authenticated, but from a suspicios origin (potentially an injector)"; } ABUSE_FROM_INJECTOR { expression = "SUSPICIOUS_AUTH_ORIGIN & (RCVD_HELO_USER | FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)"; score = 2.0; policy = "leave"; description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account"; group = "compromised_hosts"; } SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE { expression = "(REDIRECTOR_URL | HAS_ANON_DOMAIN | HAS_IPFS_GATEWAY_URL) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)"; score = 1.0; policy = "leave"; description = "Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL"; } MIME_BAD_EXT_IN_OBFUSCATED_ARCHIVE { expression = "MIME_BAD_EXTENSION and MIME_OBFUSCATED_ARCHIVE"; score = 8.0; policy = "leave"; description = "Attachment with bad extension and archive that has filename with clear obfuscation signs"; } MIME_BAD_EXT_WITH_BAD_UNICODE { expression = "MIME_BAD_EXTENSION and MIME_BAD_UNICODE"; score = 8.0; policy = "leave"; description = "Attachment with bad extension and filename that has known obscured unicode characters"; } } classifier { bayes { tokenizer { name = "osb"; } cache {} new_schema = true; store_tokens = false; signatures = false; min_tokens = 11; backend = "redis"; min_learns = 200; statfile { symbol = "BAYES_HAM"; spam = false; } statfile { symbol = "BAYES_SPAM"; spam = true; } learn_condition = "return require('lua_bayes_learn').can_learn"; servers = "127.0.0.1"; autolearn { spam_threshold = 6.0; junk_threshold = 4.0; ham_threshold = -0.500000; check_balance = true; 
min_balance = 0.900000; } per_user = false; per_language = true; } } aliases { max_recursion_depth = 10; expand_multiple = true; track_chain = false; apply_to_mime = true; apply_to_smtp = true; enable_gmail_rules = true; enable_plus_aliases = true; symbol_local_inbound = "LOCAL_INBOUND"; symbol_local_outbound = "LOCAL_OUTBOUND"; symbol_internal_mail = "INTERNAL_MAIL"; symbol_alias_resolved = "ALIAS_RESOLVED"; symbol_tagged_from = "TAGGED_FROM"; symbol_tagged_rcpt = "TAGGED_RCPT"; score_local_inbound = 0.0; score_local_outbound = 0.0; score_internal_mail = 0.0; score_alias_resolved = 0.0; score_tagged_from = 0.0; score_tagged_rcpt = 0.0; } antivirus { clamav { scan_mime_parts = true; scan_text_mime = true; scan_image_mime = true; symbol = "CLAM_VIRUS"; type = "clamav"; servers = "/var/run/clamav/clamd.ctl"; patterns { JUST_EICAR = "^Eicar-Test-Signature$"; } patterns_fail { CLAM_PROTOCOL_ERROR = '^unhandled response'; } whitelist = "/etc/rspamd/antivirus.wl"; } } arc { allow_envfrom_empty = true; allow_hdrfrom_mismatch = true; allow_hdrfrom_multiple = false; allow_username_mismatch = false; selector = "arc"; sign_authenticated = false; sign_inbound = true; sign_local = false; sign_symbol = "ARC_SIGNED"; try_fallback = false; use_domain = "recipient"; use_esld = false; use_redis = false; key_prefix = "ARC_KEYS"; path_map = "/etc/rspamd/local.d/dkim_domains.map"; selector_map = "/etc/rspamd/local.d/dkim_selectors.map"; sign_networks [ "127.2.4.7", ] } asn { provider_type = "rspamd"; provider_info { ip4 = "asn.rspamd.com"; ip6 = "asn6.rspamd.com"; } } aws_s3 { s3_region = 'us-east-1'; s3_host = 's3.amazonaws.com'; enabled = false; } bayes_expiry {} bimi { helper_timeout = 5.0; helper_sync = true; vmc_only = true; redis_prefix = 'rs_bimi'; redis_min_expiry = 86400.0; enabled = false; } chartable { threshold = 0.300000; symbol = "R_MIXED_CHARSET"; } clickhouse { limit = 1000; timeout = 5; ipmask = 19; ipmask6 = 48; full_urls = false; } contextal { enabled = false; } dcc 
{ enabled = false; socket = "/var/dcc/dccifd"; timeout = 2.0; } dkim { dkim_cache_size = 2000; dkim_cache_expire = 86400.0; time_jitter = 21600.0; trusted_only = false; skip_multi = false; } dkim_signing { allow_envfrom_empty = true; allow_hdrfrom_mismatch = false; allow_hdrfrom_multiple = false; allow_username_mismatch = false; selector = "dkim"; sign_authenticated = true; sign_local = true; symbol = "DKIM_SIGNED"; try_fallback = false; use_domain = "header"; use_esld = false; use_redis = false; key_prefix = "DKIM_KEYS"; path_map = "/etc/rspamd/local.d/dkim_domains.map"; selector_map = "/etc/rspamd/local.d/dkim_selectors.map"; sign_networks [ "127.2.4.7", ] } dmarc {} elastic { enabled = false; use_https = false; periodic_interval = 5.0; timeout = 5.0; no_ssl_verify = false; use_gzip = true; use_keepalive = true; version { autodetect_enabled = true; autodetect_max_fail = 30; override { name = "opensearch"; version = "2.17"; } } limits { max_rows = 500; max_interval = 60; max_fail = 10; } index_template { managed = true; name = "rspamd"; priority = 0; pattern = "%Y.%m.%d"; shards_count = 3; replicas_count = 1; refresh_interval = 5; dynamic_keyword_ignore_above = 256; headers_count_ignore_above = 5; headers_text_ignore_above = 2048; symbols_nested = false; empty_value = "unknown"; } index_policy { enabled = true; managed = true; name = "rspamd"; hot { index_priority = 100; } warm { enabled = true; after = "2d"; index_priority = 50; migrate = true; read_only = true; change_replicas = false; replicas_count = 1; shrink = false; shards_count = 1; max_gb_per_shard = 0; force_merge = false; segments_count = 1; } cold { enabled = true; after = "14d"; index_priority = 0; migrate = true; read_only = true; change_replicas = false; replicas_count = 1; } delete { enabled = true; after = "30d"; } } collect_headers [ "From", "To", "Subject", "Date", "User-Agent", ] extra_collect_headers [] geoip { enabled = true; managed = true; pipeline_name = "rspamd-geoip"; } } external_relay 
{ enabled = false; } external_services { oletools { patterns {} mime_parts_filter_regex { DOC2 = "application/msword"; DOC3 = "application/vnd.ms-word.*"; XLS = "application/vnd.ms-excel.*"; PPT = "application/vnd.ms-powerpoint.*"; GEN2 = "application/vnd.openxmlformats-officedocument.*"; } mime_parts_filter_ext { doc = "doc"; dot = "dot"; docx = "docx"; dotx = "dotx"; docm = "docm"; dotm = "dotm"; xls = "xls"; xlt = "xlt"; xla = "xla"; xlsx = "xlsx"; xltx = "xltx"; xlsm = "xlsm"; xltm = "xltm"; xlam = "xlam"; xlsb = "xlsb"; ppt = "ppt"; pot = "pot"; pps = "pps"; ppa = "ppa"; pptx = "pptx"; potx = "potx"; ppsx = "ppsx"; ppam = "ppam"; pptm = "pptm"; potm = "potm"; ppsm = "ppsm"; } whitelist = "/etc/rspamd/antivirus.wl"; } dcc { max_size = 20000000; patterns {} whitelist = "/etc/rspamd/antivirus.wl"; } } force_actions {} forged_recipients { symbol_sender = "FORGED_SENDER"; symbol_rcpt = "FORGED_RECIPIENTS"; }
# NOTE(review): the fuzzy_check rule below queries a third-party storage
# (fuzzy1/fuzzy2.rspamd.com). encryption_key is presumably the storage's
# public key, used to encrypt requests to it, not a private secret; confirm
# that before treating a secret-scanner hit on this value as a leak.
# read_only = true should keep this scanner from learning hashes into that
# storage; verify against the fuzzy_check documentation for the deployed version.
fuzzy_check { min_bytes = 1000; timeout = 2.0; retransmits = 1; rule { rspamd.com { algorithm = "mumhash"; servers = "round-robin:fuzzy1.rspamd.com:11335,fuzzy2.rspamd.com:11335"; encryption_key = "icy63itbhhni8bq15ntp5n5symuixf73s1kpjh6skaq4e7nx5fiy"; symbol = "FUZZY_UNKNOWN"; mime_types [ "*", ] max_score = 20.0; read_only = true; skip_unknown = true; short_text_direct_hash = true; min_length = 64; fuzzy_map { FUZZY_DENIED { max_score = 20.0; flag = 1; } FUZZY_PROB { max_score = 10.0; flag = 2; } FUZZY_WHITE { max_score = 2.0; flag = 3; } } } } }
# NOTE(review): gpt is switched off here (enabled = false). If it is ever
# enabled, message content would presumably be sent to the external provider
# named by type = "openai"; settle data-handling and API credential storage
# before changing that flag.
gpt { type = "openai"; model = "gpt-5-mini"; model_parameters { gpt-5-mini { max_completion_tokens = 1000; } gpt-5-nano { max_completion_tokens = 1000; } gpt-4o-mini { max_tokens = 1000; temperature = 0.0; } } timeout = 10.0; enabled = false; search_context { enabled = false; } }
greylist { whitelist_domains_url [ "/etc/rspamd/local.d/greylist-whitelist-domains.inc", "/etc/rspamd/local.d/maps.d/greylist-whitelist-domains.inc", ] expire = 86400.0; timeout = 300.0; key_prefix = "rg"; max_data_len = 10000; message = 
"Try again later"; action = "soft reject"; ipv4_mask = 19; ipv6_mask = 64; } hfilter { helo_enabled = true; hostname_enabled = true; url_enabled = true; from_enabled = true; rcpt_enabled = true; mid_enabled = false; } history_redis { key_prefix = "rs_history{{HOSTNAME}}{{COMPRESS}}"; nrows = 2500; compress = true; subject_privacy = true; } http_headers { enabled = false; } known_senders { enabled = false; domains = "https://maps.rspamd.com/freemail/free.txt.zst"; max_senders = 100000; max_ttl = 2592000.0; use_bloom = false; } maillist { symbol = "MAILLIST"; } metadata_exporter { rules {} } metric_exporter {} mid { source { url [ "https://maps.rspamd.com/rspamd/mid.inc.zst", "/etc/rspamd/local.d/maps.d/mid.inc", "/etc/rspamd/local.d/mid.inc", "fallback+file:///etc/rspamd/maps.d/mid.inc", ] } } milter_headers { use [ "x-spamd-bar", "x-spam-level", "x-spam-status", "authentication-results", "remove-headers", ] authenticated_headers [ "authentication-results", ] routines { remove-headers { headers { X-Spam = 0; X-Spamd-Bar = 0; X-Spam-Level = 0; X-Spam-Status = 0; X-Spam-Flag = 0; } } } } mime_types { file [ "https://maps.rspamd.com/rspamd/mime_types.inc.zst", "/etc/rspamd/local.d/maps.d/mime_types.inc.local", "/var/lib/rspamd/mime_types.inc.local", "fallback+file:///etc/rspamd/maps.d/mime_types.inc", ] extension_map { html = "text/html"; txt [ "message/disposition-notification", "text/plain", "text/rfc822-headers", ] pdf [ "application/octet-stream", "application/pdf", "application/x-pdf", ] } } multimap { redirector { type = "url"; filter = "tld"; map = "https://maps.rspamd.com/rspamd/redirectors.inc.zst"; symbol = "REDIRECTOR_URL"; description = "The presence of a redirector in the mail"; score = 0.0; one_shot = true; } freemail_envfrom { type = "from"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_ENVFROM"; description = "Envelope From is a Freemail address"; score = 0.0; } freemail_envrcpt { type = "rcpt"; 
filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_ENVRCPT"; description = "Envelope Recipient is a Freemail address"; score = 0.0; one_shot = true; } freemail_from { type = "header"; header = "from"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_FROM"; description = "From is a Freemail address"; score = 0.0; } freemail_to { type = "header"; header = "To"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_TO"; description = "To is a Freemail address"; score = 0.0; one_shot = true; } freemail_cc { type = "header"; header = "Cc"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_CC"; description = "To is a Freemail address"; score = 0.0; one_shot = true; } freemail_replyto { type = "header"; header = "Reply-To"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_REPLYTO"; description = "Reply-To is a Freemail address"; score = 0.0; } freemail_mdn { type = "header"; header = "Disposition-Notification-To"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/free.txt.zst"; symbol = "FREEMAIL_MDN"; description = "Disposition-Notification-To is a Freemail address"; score = 0.0; } disposable_envfrom { type = "from"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; symbol = "DISPOSABLE_ENVFROM"; description = "Envelope From is a Disposable e-mail address"; score = 0.0; } disposable_envrcpt { type = "rcpt"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; symbol = "DISPOSABLE_ENVRCPT"; description = "Envelope Recipient is a Disposable e-mail address"; score = 0.0; one_shot = true; } disposable_from { type = "header"; header = "from"; filter = "email:domain"; map = "https://maps.rspamd.com/freemail/disposable.txt.zst"; symbol = "DISPOSABLE_FROM"; 
description = "From a Disposable e-mail address"; score = 0.0; }
  # disposable_* rules: each looks up the domain of one header's address
  # (filter = "email:domain") in the remote disposable-address map and adds a
  # symbol with the listed score.
  disposable_to {
    type = "header";
    header = "To";
    filter = "email:domain";
    map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
    symbol = "DISPOSABLE_TO";
    description = "To a disposable e-mail address";
    score = 0.0;
    one_shot = true;
  }
  disposable_cc {
    type = "header";
    header = "Cc";
    filter = "email:domain";
    map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
    symbol = "DISPOSABLE_CC";
    # NOTE(review): the description says "To" although this rule reads the Cc header.
    description = "To a disposable e-mail address";
    score = 0.0;
    one_shot = true;
  }
  disposable_replyto {
    type = "header";
    header = "Reply-To";
    filter = "email:domain";
    map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
    symbol = "DISPOSABLE_REPLYTO";
    description = "Reply-To a disposable e-mail address";
    score = 0.0;
  }
  disposable_mdn {
    type = "header";
    header = "Disposition-Notification-To";
    filter = "email:domain";
    map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
    symbol = "DISPOSABLE_MDN";
    description = "Disposition-Notification-To is a disposable e-mail address";
    score = 0.500000;
  }
  # Local allow-lists. Unlike the rules above, these two carry no symbol or
  # score; a match sets action = "accept" directly.
  # type = "from" is the envelope sender (the same type the *_envfrom rules in
  # this section use), which the connecting client supplies, so a match alone
  # does not show the mail really came from that domain or address.
  # NOTE(review): nothing visible here ties the match to an SPF/DKIM/DMARC pass
  # or to an authenticated/trusted source. Confirm that gating exists elsewhere
  # (multimap's require_symbols is one way to express it), otherwise mail with a
  # forged MAIL FROM in a listed domain is accepted regardless of its score.
  # Also keep the two map files writable only by the administrator.
  WHITELIST_SENDER_DOMAIN {
    type = "from";
    filter = "email:domain";
    map = "/etc/rspamd/local.d/whitelist.sender.domain.map";
    action = "accept";
  }
  WHITELIST_SENDER_EMAIL {
    type = "from";
    map = "/etc/rspamd/local.d/whitelist.sender.email.map";
    action = "accept";
  }
}
# MX lookup check for the sender domain; results are cached under key_prefix
# "rmx" (expire / expire_novalid are presumably seconds; confirm).
mx_check {
  timeout = 1.0;
  symbol_bad_mx = "MX_INVALID";
  symbol_no_mx = "MX_MISSING";
  symbol_good_mx = "MX_GOOD";
  expire = 86400;
  key_prefix = "rmx";
  enabled = true;
  expire_novalid = 7200;
  greylist_invalid = false;
}
# Neural-network classifier: the top-level train block holds defaults, and each
# entry under rules (LONG, SHORT) overrides them and names its own spam/ham symbols.
neural {
  train {
    max_trains = 1000;
    max_usages = 20;
    learning_rate = 0.010000;
    max_iterations = 25;
  }
  timeout = 20;
  enabled = true;
  rules {
    LONG {
      train {
        max_trains = 5000;
        max_usages = 200;
        max_iterations = 25;
        learning_rate = 0.010000;
        spam_score = 10;
        ham_score = -2;
      }
      symbol_spam = "NEURAL_SPAM_LONG";
      symbol_ham = "NEURAL_HAM_LONG";
      ann_expire = 8640000.0;
    }
    SHORT {
      train {
        max_trains = 100;
        max_usages = 2;
        max_iterations = 25;
learning_rate = 0.010000; spam_score = 10; ham_score = -2; }
      symbol_spam = "NEURAL_SPAM_SHORT";
      symbol_ham = "NEURAL_HAM_SHORT";
      ann_expire = 86400.0;
    }
  }
}
# Symbols for messages that carry a single Received header; bad_host lists
# hostname substrings ("static", "dynamic") tied to the strict symbol.
once_received {
  good_host = "mail";
  bad_host [
    "static",
    "dynamic",
  ]
  symbol_strict = "ONCE_RECEIVED_STRICT";
  symbol = "ONCE_RECEIVED";
  symbol_mx = "DIRECT_TO_MX";
}
# Passive OS fingerprinting through a local p0f socket; disabled in this dump.
p0f {
  enabled = false;
  socket = '/var/run/p0f.sock';
  timeout = 5.0;
  symbol = 'P0F';
  patterns {
    WINDOWS = '^Windows.*';
  }
  expire = 7200;
  prefix = 'p0f';
}
# Phishing URL checks. The OpenPhish feed URL is configured but
# openphish_enabled = false; phishtank_enabled = true.
phishing {
  symbol = "PHISHING";
  openphish_enabled = false;
  openphish_premium = false;
  openphish_map = "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt";
  phishtank_enabled = true;
  phishing_feed_exclusion_symbol = "PHISHED_EXCLUDED";
  phishing_feed_exclusion_enabled = false;
  phishing_feed_exclusion_map = "/etc/rspamd/local.d/maps.d/phishing_feed_exclusion.inc";
  # Exception lists combine a remote map with local files. Presumably a match
  # replaces the PHISHING result with the named symbol; confirm against the
  # module docs. Treat the local files as security-relevant and keep their
  # write access restricted.
  exceptions {
    REDIRECTOR_FALSE [
      "https://maps.rspamd.com/rspamd/redirectors.inc.zst",
      "/etc/rspamd/local.d/maps.d/redirectors.inc",
      "/etc/rspamd/local.d/redirectors.inc",
      "fallback+file:///etc/rspamd/maps.d/redirectors.inc",
    ]
    PHISHED_WHITELISTED [
      "glob;https://maps.rspamd.com/rspamd/phishing_whitelist.inc.zst",
      "glob;/etc/rspamd/local.d/maps.d/phishing_whitelist.inc",
      "glob;/etc/rspamd/local.d/phishing_whitelist.inc",
    ]
  }
}
# Recipients exempt from rate limiting.
ratelimit {
  whitelisted_rcpts = "postmaster,mailer-daemon";
}
# DNS block/allow-list lookups. The individual lists are defined under rbls.
rbl {
  default_exclude_users = true;
  default_unknown = true;
  # NOTE(review): one of these whitelist files lives under /var/lib/rspamd,
  # which is presumably the service's own writable data directory. Check who
  # (including the controller web interface) can change it.
  url_whitelist [
    "https://maps.rspamd.com/rspamd/surbl-whitelist.inc.zst",
    "/etc/rspamd/local.d/maps.d/surbl-whitelist.inc.local",
    "/var/lib/rspamd/surbl-whitelist.inc.local",
    "fallback+file:///etc/rspamd/maps.d/surbl-whitelist.inc",
  ]
  disabled_rbl_suffixes_map = "https://maps.rspamd.com/rspamd/disabled_rbls.inc.zst";
  # This map is fetched over plain http://, unlike the other remote maps
  # visible in this part of the dump, which use https://. Its lines are loaded
  # as regular expressions ("regexp;" prefix) under the selector alias
  # surbl_hashbl_map.
  # NOTE(review): no integrity check on this download is visible here, so
  # anyone able to alter the response in transit can change which URLs are
  # selected for lookup. Check whether the publisher offers an https:// URL or
  # a signed map, and alert on unexpected changes to the fetched content.
  attached_maps [
    {
      selector_alias = "surbl_hashbl_map";
      description = "SURBL hashbl map";
      url = "regexp;http://sa-update.surbl.org/rspamd/surbl-hashbl-map.inc";
    }
  ]
  rbls {
    spamhaus {
      symbol = "SPAMHAUS";
      rbl = "zen.spamhaus.org";
      checks [ "from", "received",
] symbols_prefixes { received = "RECEIVED"; from = "RBL"; } returncodes { SPAMHAUS_SBL = "127.0.0.2"; SPAMHAUS_CSS = "127.0.0.3"; SPAMHAUS_XBL [ "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", ] SPAMHAUS_PBL [ "127.0.0.10", "127.0.0.11", ] SPAMHAUS_DROP = "127.0.0.9"; SPAMHAUS_BLOCKED_OPENRESOLVER = "127.255.255.254"; SPAMHAUS_BLOCKED = "127.255.255.255"; } } mailspike { symbol = "MAILSPIKE"; rbl = "rep.mailspike.net"; checks [ "from", ] is_whitelist = true; whitelist_exception [ "MAILSPIKE", "RWL_MAILSPIKE_GOOD", "RWL_MAILSPIKE_NEUTRAL", "RWL_MAILSPIKE_POSSIBLE", "RBL_MAILSPIKE_WORST", "RBL_MAILSPIKE_VERYBAD", "RBL_MAILSPIKE_BAD", ] returncodes { RBL_MAILSPIKE_WORST = "127.0.0.10"; RBL_MAILSPIKE_VERYBAD = "127.0.0.11"; RBL_MAILSPIKE_BAD = "127.0.0.12"; RWL_MAILSPIKE_NEUTRAL [ "127.0.0.16", "127.0.0.15", "127.0.0.14", "127.0.0.13", ] RWL_MAILSPIKE_POSSIBLE = "127.0.0.17"; RWL_MAILSPIKE_GOOD = "127.0.0.18"; RWL_MAILSPIKE_VERYGOOD = "127.0.0.19"; RWL_MAILSPIKE_EXCELLENT = "127.0.0.20"; } } senderscore { enabled = false; symbol = "RBL_SENDERSCORE_UNKNOWN"; checks [ "from", ] rbl = "bl.score.senderscore.com"; returncodes { RBL_SENDERSCORE_BOT = "127.0.0.1"; RBL_SENDERSCORE_NA = "127.0.0.2"; RBL_SENDERSCORE_NA_BOT = "127.0.0.3"; RBL_SENDERSCORE_PRST = "127.0.0.4"; RBL_SENDERSCORE_PRST_BOT = "127.0.0.5"; RBL_SENDERSCORE_PRST_NA = "127.0.0.6"; RBL_SENDERSCORE_PRST_NA_BOT = "127.0.0.7"; RBL_SENDERSCORE_SUS_ATT = "127.0.0.8"; RBL_SENDERSCORE_SUS_ATT_NA = "127.0.0.10"; RBL_SENDERSCORE_SUS_ATT_NA_BOT = "127.0.0.11"; RBL_SENDERSCORE_SUS_ATT_PRST_NA = "127.0.0.14"; RBL_SENDERSCORE_SUS_ATT_PRST_NA_BOT = "127.0.0.15"; RBL_SENDERSCORE_SCORE = "127.0.0.16"; RBL_SENDERSCORE_SCORE_NA = "127.0.0.18"; RBL_SENDERSCORE_SCORE_PRST = "127.0.0.20"; RBL_SENDERSCORE_SCORE_PRST_NA = "127.0.0.22"; RBL_SENDERSCORE_SCORE_SUS_ATT_NA = "127.0.0.26"; RBL_SENDERSCORE_BLOCKED = "127.255.255.255"; } } senderscore_reputation { symbol = "RBL_SENDERSCORE_REPUT_UNKNOWN"; checks [ "from", ] rbl = 
"score.senderscore.com"; returncodes_matcher = "luapattern"; returncodes { RBL_SENDERSCORE_REPUT_0 = "127%.0%.4%.%d"; RBL_SENDERSCORE_REPUT_1 = "127%.0%.4%.1%d"; RBL_SENDERSCORE_REPUT_2 = "127%.0%.4%.2%d"; RBL_SENDERSCORE_REPUT_3 = "127%.0%.4%.3%d"; RBL_SENDERSCORE_REPUT_4 = "127%.0%.4%.4%d"; RBL_SENDERSCORE_REPUT_5 = "127%.0%.4%.5%d"; RBL_SENDERSCORE_REPUT_6 = "127%.0%.4%.6%d"; RBL_SENDERSCORE_REPUT_7 = "127%.0%.4%.7%d"; RBL_SENDERSCORE_REPUT_8 = "127%.0%.4%.8%d"; RBL_SENDERSCORE_REPUT_9 [ "127%.0%.4%.9%d", "127%.0%.4%.100", ] RBL_SENDERSCORE_REPUT_BLOCKED = "127%.255%.255%.255"; } } sem { symbol = "RBL_SEM"; rbl = "bl.spameatingmonkey.net"; checks [ "from", ] ipv6 = false; } semIPv6 { symbol = "RBL_SEM_IPV6"; rbl = "bl.ipv6.spameatingmonkey.net"; checks [ "from", ] ipv4 = false; ipv6 = true; } dnswl { symbol = "RCVD_IN_DNSWL"; rbl = "list.dnswl.org"; checks [ "from", "received", ] ipv6 = true; is_whitelist = true; returncodes_matcher = "luapattern"; whitelist_exception = "RCVD_IN_DNSWL"; whitelist_exception = "RCVD_IN_DNSWL_NONE"; whitelist_exception = "RCVD_IN_DNSWL_LOW"; whitelist_exception = "DNSWL_BLOCKED"; returncodes { RCVD_IN_DNSWL_NONE [ "127%.0%.%d%.0", "127%.0%.[02-9]%d%.0", "127%.0%.1[1-9]%.0", "127%.0%.[12]%d%d%.0", ] RCVD_IN_DNSWL_LOW [ "127%.0%.%d%.1", "127%.0%.[02-9]%d%.1", "127%.0%.1[1-9]%.1", "127%.0%.[12]%d%d%.1", ] RCVD_IN_DNSWL_MED [ "127%.0%.%d%.2", "127%.0%.[02-9]%d%.2", "127%.0%.1[1-9]%.2", "127%.0%.[12]%d%d%.2", ] RCVD_IN_DNSWL_HI [ "127%.0%.%d%.3", "127%.0%.[02-9]%d%.3", "127%.0%.1[1-9]%.3", "127%.0%.[12]%d%d%.3", ] DNSWL_BLOCKED [ "127%.0%.0%.255", "127%.0%.10%.%d+", ] } } virusfree { symbol = "RBL_VIRUSFREE_UNKNOWN"; rbl = "bip.virusfree.cz"; checks [ "from", ] ipv6 = true; returncodes { RBL_VIRUSFREE_BOTNET = "127.0.0.2"; } } blocklistde { symbol = "BLOCKLISTDE"; rbl = "bl.blocklist.de"; checks [ "from", "received", ] symbols_prefixes { received = "RECEIVED"; from = "RBL"; } } dnswl_dwl { symbol = "DWL_DNSWL"; rbl = "dwl.dnswl.org"; 
checks [ "dkim", ] ignore_whitelist = true; unknown = false; returncodes_matcher = "luapattern"; returncodes { DWL_DNSWL_NONE [ "127%.0%.%d%.0", "127%.0%.[02-9]%d%.0", "127%.0%.1[1-9]%.0", "127%.0%.[12]%d%d%.0", ] DWL_DNSWL_LOW [ "127%.0%.%d%.1", "127%.0%.[02-9]%d%.1", "127%.0%.1[1-9]%.1", "127%.0%.[12]%d%d%.1", ] DWL_DNSWL_MED [ "127%.0%.%d%.2", "127%.0%.[02-9]%d%.2", "127%.0%.1[1-9]%.2", "127%.0%.[12]%d%d%.2", ] DWL_DNSWL_HI [ "127%.0%.%d%.3", "127%.0%.[02-9]%d%.3", "127%.0%.1[1-9]%.3", "127%.0%.[12]%d%d%.3", ] DWL_DNSWL_BLOCKED [ "127%.0%.0%.255", "127%.0%.10%.%d+", ] } } RSPAMD_EMAILBL { rbl = "email.rspamd.com"; checks [ "emails", "replyto", ] hash = "blake2"; hash_len = 32; hash_format = "base32"; ignore_whitelist = true; ignore_url_whitelist = true; ignore_defaults = true; exclude_users = false; emails_delimiter = "."; emails_domainonly = false; selector { from_smtp = "from('smtp'):addr.lower_utf8"; from_mime = "from('mime'):addr.lower_utf8"; } returncodes { RSPAMD_EMAILBL = "127.0.0.2"; } } MSBL_EBL { rbl = "ebl.msbl.org"; checks [ "emails", "replyto", ] hash = "sha1"; ignore_whitelist = true; ignore_url_whitelist = true; ignore_defaults = true; exclude_users = false; emails_domainonly = false; selector { from_smtp = "from('smtp'):addr.lower_utf8"; from_mime = "from('mime'):addr.lower_utf8"; } returncodes { MSBL_EBL [ "127.0.0.2", "127.0.0.3", ] MSBL_EBL_GREY [ "127.0.1.2", "127.0.1.3", ] } } SURBL_MULTI { rbl = "multi.surbl.org"; checks [ "emails", "dkim", "helo", "rdns", "replyto", "urls", "content_urls", ] ignore_defaults = true; exclude_users = false; url_full_hostname = true; emails_domainonly = true; selector { from_smtp = "from('smtp'):domain"; from_mime = "from('mime'):domain"; mid = "header(Message-Id).regexp('@([^.]+.[^>]+)').last"; } returnbits { CRACKED_SURBL = 128; ABUSE_SURBL = 64; CT_SURBL = 32; MW_SURBL_MULTI = 16; PH_SURBL_MULTI = 8; DM_SURBL = 4; SURBL_BLOCKED = 1; } } SURBL_HASHBL { rbl = "hashbl.surbl.org"; selector = 
"specific_urls_filter_map('surbl_hashbl_map', {limit = 10}).apply_methods('get_host', 'get_path').join_tables('/')"; hash = "md5"; hash_len = 32; random_monitored = true; ignore_defaults = true; returncodes_matcher = "luapattern"; returncodes { SURBL_HASHBL_PHISH = "127.0.0.8"; SURBL_HASHBL_MALWARE = "127.0.0.16"; SURBL_HASHBL_ABUSE = "127.0.0.64"; SURBL_HASHBL_CRACKED = "127.0.0.128"; SURBL_HASHBL_EMAIL = "127.0.1.%d+"; } } URIBL_MULTI { rbl = "multi.uribl.com"; checks [ "emails", "dkim", "helo", "rdns", "replyto", "urls", "content_urls", ] ignore_defaults = true; exclude_users = false; emails_domainonly = true; selector { from_smtp = "from('smtp'):domain"; from_mime = "from('mime'):domain"; mid = "header(Message-Id).regexp('@([^.]+.[^>]+)').last"; } returnbits { URIBL_BLOCKED = 1; URIBL_BLACK = 2; URIBL_GREY = 4; URIBL_RED = 8; } } RSPAMD_URIBL { rbl = "uribl.rspamd.com"; checks [ "emails", "dkim", "urls", "content_urls", ] hash = "blake2"; hash_len = 32; hash_format = "base32"; ignore_defaults = true; exclude_users = false; emails_domainonly = true; selector { from_smtp = "from('smtp'):domain.lower_utf8"; from_mime = "from('mime'):domain.lower_utf8"; mid = "header(Message-Id).regexp('@([^.]+.[^>]+)').last.lower_utf8"; } returncodes { RSPAMD_URIBL [ "127.0.0.2", ] } } DBL { rbl = "dbl.spamhaus.org"; checks [ "emails", "dkim", "helo", "rdns", "replyto", "urls", "content_urls", ] no_ip = true; ignore_defaults = true; exclude_users = false; emails_domainonly = true; selector { from_smtp = "from('smtp'):domain"; from_mime = "from('mime'):domain"; mid = "header(Message-Id).regexp('@([^.]+.[^>]+)').last"; } returncodes { DBL_SPAM = "127.0.1.2"; DBL_PHISH = "127.0.1.4"; DBL_MALWARE = "127.0.1.5"; DBL_BOTNET = "127.0.1.6"; DBL_ABUSE = "127.0.1.102"; DBL_ABUSE_REDIR = "127.0.1.103"; DBL_ABUSE_PHISH = "127.0.1.104"; DBL_ABUSE_MALWARE = "127.0.1.105"; DBL_ABUSE_BOTNET = "127.0.1.106"; DBL_PROHIBIT = "127.0.1.255"; DBL_BLOCKED_OPENRESOLVER = "127.255.255.254"; DBL_BLOCKED = 
"127.255.255.255"; } } SPAMHAUS_ZEN_URIBL { enabled = false; rbl = "zen.spamhaus.org"; checks [ "emails", ] resolve_ip = true; returncodes { URIBL_SBL = "127.0.0.2"; URIBL_SBL_CSS = "127.0.0.3"; URIBL_XBL [ "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", ] URIBL_PBL [ "127.0.0.10", "127.0.0.11", ] URIBL_DROP = "127.0.0.9"; } } SEM_URIBL_UNKNOWN { rbl = "uribl.spameatingmonkey.net"; checks [ "emails", "dkim", "urls", "content_urls", ] no_ip = true; ignore_defaults = true; emails_domainonly = true; selector { from_smtp = "from('smtp'):domain"; from_mime = "from('mime'):domain"; mid = "header(Message-Id).regexp('@([^.]+.[^>]+)').last"; } returnbits { SEM_URIBL = 2; } } SEM_URIBL_FRESH15_UNKNOWN { rbl = "fresh15.spameatingmonkey.net"; checks [ "emails", "dkim", "urls", "content_urls", ] no_ip = true; ignore_defaults = true; exclude_users = true; emails_domainonly = true; selector { from_smtp = "from('smtp'):domain"; from_mime = "from('mime'):domain"; mid = "header(Message-Id).regexp('@([^.]+.[^>]+)').last"; } returnbits { SEM_URIBL_FRESH15 = 2; } } } } redis { servers = "127.0.0.1"; } regexp { max_size = 1000000; HAS_XAW { re = "header_exists('X-Authentication-Warning')"; group = "compromised_hosts"; description = "Has X-Authentication-Warning header"; } CTE_CASE { re = "Content-Transfer-Encoding=/^[78]B/X"; group = "headers"; score = 0.500000; description = "[78]Bit .vs. 
[78]bit"; } HAS_XOIP { re = "header_exists('X-Originating-IP')"; group = "headers"; score = 0; description = "Has X-Originating-IP header"; } HAS_X_POS { re = "header_exists('X-PHP-Originating-Script')"; group = "compromised_hosts"; description = "Has X-PHP-Originating-Script header"; } KLMS_SPAM { re = "X-KLMS-AntiSpam-Status=/^spam/H"; group = "upstream_spam_filters"; description = "Kaspersky Security for Mail Server says this message is spam"; score = 5; } SPAM_FLAG { re = "X-Spam-Flag=/^(?:yes|true)/Hi || X-Spam=/^(?:yes|true)/Hi || X-Spam-Status=/^(?:yes|true)/Hi"; group = "upstream_spam_filters"; description = "Message was already marked as spam"; score = 5; } CD_MM_BODY { re = "Content-Description=/^Mail message body$/Hi"; group = "headers"; score = 2; description = "Content-Description header reads \"Mail message body\", commonly seen in spam"; } FAKE_REPLY { re = "Subject=/^(antw|atb|aw|bls|odp|res?|rif|sv|ynt)[. ]*:/i{header} & !(header_exists(In-Reply-To) | header_exists(References))"; group = "headers"; score = 1; description = "Fake reply"; } FORGED_IMS { re = "X-Mailer=/^Internet Mail Service \\(5\\./{header} & !Received=/^by \\S+ with Internet Mail Service \\(5\\./{header}"; group = "headers"; score = 3; description = "Forged X-Mailer: Internet Mail Service"; } HAS_WP_URI { re = "/\\/wp-[^\\/]+\\//Ui"; group = "compromised_hosts"; one_shot = true; description = "Contains WordPress URIs"; } MISSING_TO { mime_only = true; description = "To header is missing"; re = "!raw_header_exists(To)"; group = "headers"; score = 2; } STRONGMAIL { re = "Received=/^from\\s+strongmail\\s+\\(\\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\]\\) by \\S+ \\(-\\); /mH"; group = "headers"; description = "Sent via rogue \"strongmail\" MTA"; score = 6; } TRACKER_ID { mime_only = true; description = "Spam string at the end of message to make statistics fault"; re = "/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\\s*\\z/isPr"; group = "headers"; score = 3.840000; } X_PHP_EVAL { 
re = "X-PHP-Script=/eval\\(\\)'d code/H || X-PHP-Originating-Script=/eval\\(\\)'d code/H"; group = "compromised_hosts"; score = 4; description = "Message sent using eval'd PHP"; } MAILER_1C_8 { re = "X-Mailer=/^1C:Enterprise 8\\.[23]$/H"; group = "headers"; description = "Sent with 1C:Enterprise 8"; score = 0; } MID_RHS_WWW { re = "Message-Id=/@www\\./Hi"; group = "compromised_hosts"; score = 0.500000; description = "Message-ID from www host"; } MISSING_MID { mime_only = true; description = "Message-ID header is missing"; re = "!header_exists(Message-Id)"; group = "headers"; score = 2.500000; } APPLE_MAILER { re = "X-Mailer=/^Apple Mail \\((?:(?:Version )?[1-9]\\d{0,2}\\.\\d{1,3}|[1-9]\\d{0,2}\\.\\d{1,4}\\.\\d{1,4}\\.\\d{1,4})\\)/{header}"; group = "headers"; score = 0; description = "Sent with Apple Mail"; } BITCOIN_ADDR { group = "scams"; expression_flags [ "noopt", ] description = "Message has a valid bitcoin wallet address"; re = "(/\\b[13LM][1-9A-Za-z]{25,34}\\b/AL{sa_body}) + (/\\b(?:(?:[a-zA-Z]\\w+:)|(?:bc1))?[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{14,}\\b/AL{sa_body}) > 0"; one_shot = true; re_conditions { "/\\b(?:(?:[a-zA-Z]\\w+:)|(?:bc1))?[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{14,}\\b/AL{sa_body}" = "/usr/share/rspamd/rules/bitcoin.lua:213: attempt to perform arithmetic on local 'e' (a nil value)"; "/\\b[13LM][1-9A-Za-z]{25,34}\\b/AL{sa_body}" = "/usr/share/rspamd/rules/bitcoin.lua:191: attempt to perform arithmetic on local 'e' (a nil value)"; } score = 0; } CC_EXCESS_QP { re = "Cc=/\\=\\?\\S+\\?Q\\?/iX & !Cc=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr"; group = "excessqp"; description = "Cc header is unnecessarily encoded in quoted-printable"; score = 1.200000; } HAS_DATA_URI { re = "/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i"; one_shot = true; group = "HTML"; description = "Has Data URI encoding"; } HAS_FILE_URL { re = "/^file:\\/\\//{url}i"; group = "url"; score = 2; description = "Contains file:// URL"; } HAS_X_SOURCE { re = 
"header_exists('X-Source') || header_exists('X-Source-Args') || header_exists('X-Source-Dir')"; group = "compromised_hosts"; description = "Has X-Source headers"; } INTRODUCTION { one_shot = true; re = "/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i"; group = "scams"; description = "Sender introduces themselves"; score = 2; } OLD_X_MAILER { re = "X-Mailer=/^(?:Microsoft Outlook Express|QUALCOMM Windows Eudora (Pro )?Version [1-6]\\.|The Bat! \\(v[12]\\.|Microsoft Outlook IMO, Build 9\\.0\\.|Microsoft Outlook, Build 10\\.|i(Phone|Pad) Mail \\((?:[1-8][A-L]|12H|13E))/{header}"; group = "headers"; score = 2; description = "X-Mailer header has a very old MUA version"; } TO_EXCESS_QP { re = "To=/=\\?\\S+\\?Q\\?/iX & !To=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr"; group = "excessqp"; description = "To header is unnecessarily encoded in quoted-printable"; score = 1.200000; } X_PHPOS_FAKE { re = "X-PHP-Originating-Script=/^\\d{7}:/Hi"; group = "headers"; score = 3; description = "Fake X-PHP-Originating-Script header"; } CT_EXTRA_SEMI { re = "Content-Type=/;$/X"; group = "headers"; score = 1; description = "Content-Type header ends with a semi-colon"; } DATA_URI_OBFU { one_shot = true; re = "/data:text\\/(?:plain|html);base64,/{sa_raw_body}i"; group = "HTML"; description = "Uses Data URI encoding to obfuscate plain or HTML in base64"; score = 2; } HAS_CD_HEADER { re = "header_exists(Content-Description)"; group = "headers"; score = 0; description = "Has Content-Description header"; } HAS_ONION_URI { re = "(/[a-z0-9]{16}\\.onion?/{url}i | /[a-z0-9]{56}\\.onion?/{url}i)"; group = "url"; score = 0; description = "Contains .onion hidden service URI"; } INVALID_MSGID { re = "(header_exists(Message-Id)) & !((Message-Id=/^\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+\\@[^<>\\\\ \\t\\n\\r\\x0b\\x80-\\xff]+>?\\s*$/H) | (Message-Id=/\\(.*\\)/H))"; group = "headers"; description = "Message-ID header is 
incorrect"; score = 1.700000; } MISSING_XM_UA { re = "!header_exists(X-Mailer) && !header_exists(User-Agent)"; group = "headers"; description = "Message has neither X-Mailer nor User-Agent header"; score = 0; } R_UNDISC_RCPT { mime_only = true; description = "Recipients are absent or undisclosed"; re = "To=/^?$/mH & !Message-Id=/^?$/H & !(List-Unsubscribe=/$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^$/H | Message-Id=/^?$/H | Message-ID=/^$/H)) | (X-Mailer=/^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\\./H & !Message-Id=/^?$/H & !Message-Id=/^?/H & !Message-Id=/^?$/H & !Message-Id=/^?$/H & !(List-Unsubscribe=/$/H | Received=/\\/CWT\\/DCE\\)/H | Received=/iPlanet Messaging Server/H | Message-Id=/^$/H | Message-Id=/^?$/H | Message-ID=/^$/H))) & !X-Mailer=/^Microsoft Outlook, Build 10.0.3416$/H & !X-Mailer=/^Microsoft Outlook Express 6.00.3790.3959$/H & !Message-Id=/^?$/H"; group = "mua"; description = "Forged Outlook MUA"; score = 3; } FROM_EXCESS_BASE64 { mime_only = true; description = "From header is unnecessarily encoded in base64"; re = "From=/=\\?\\S+\\?B\\?/iX & !From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr"; group = "excessb64"; score = 1.500000; } HAS_INTERSPIRE_SIG { re = "((header_exists(X-Mailer-LID)) & (header_exists(X-Mailer-RecptId)) & (header_exists(X-Mailer-SID)) & (header_exists(X-Mailer-Sent-By))) | (List-Unsubscribe=/\\/unsubscribe\\.php\\?M=[^&]+&C=[^&]+&L=[^&]+&N=[^>]+>$/Xi)"; group = "headers"; score = 1; description = "Has Interspire fingerprint"; } R_HTTP_URL_IN_FROM { mime_only = true; description = "HTTP URL preceded by the start of a line, quote, or whitespace, with normal or URL-encoded colons in From header"; re = "From=/(^|\"|'|\\s)[hH][tT][tT][pP][sS]?(:|=3A)\\/\\/\\S/H"; group = "headers"; score = 5; } R_NO_SPACE_IN_FROM { mime_only = true; description = "No space in From header"; re = "From=/\\S<[-\\w\\.]+\\@[-\\w\\.]+>/X"; group = "headers"; score = 1; } SUBJ_EXCESS_BASE64 { 
re = "Subject=/\\=\\?\\S+\\?B\\?/iX & !Subject=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/Hr"; group = "excessb64"; description = "Subject header is unnecessarily encoded in base64"; score = 1.500000; } FORGED_OUTLOOK_HTML { mime_only = true; description = "Forged Outlook HTML signature"; re = "!Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H & X-Mailer=/^Microsoft Outlook\\b/H & has_only_html_part()"; group = "headers"; score = 5; } FORGED_OUTLOOK_TAGS { re = "!Received=/from \\[\\S+\\] by \\S+\\.(?:groups|scd|dcn)\\.yahoo\\.com with NNFMP/H & X-Mailer=/^Microsoft Outlook\\b/H & content_type_is_type(text) & content_type_is_subtype(/.?html/) & !(has_html_tag(html) & has_html_tag(head) & has_html_tag(meta) & has_html_tag(body))"; group = "headers"; description = "Message pretends to be send from Outlook but has 'strange' tags"; score = 2.100000; } FROM_NEEDS_ENCODING { mime_only = true; description = "From header needs encoding"; re = "!(From=/=\\?\\S+\\?B\\?/iX) & !(From=/=\\?\\S+\\?Q\\?/iX) & (From=/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f-\\xff]/X)"; group = "headers"; score = 1; } RCVD_DOUBLE_IP_SPAM { re = "(Received=/from \\[\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\] by \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with/H) | (Received=/from\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s+by\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3};/H)"; group = "headers"; description = "Has two Received headers containing bare IP addresses"; score = 2; } SUBJECT_ENDS_SPACES { re = "Subject=/\\s+$/H"; group = "headers"; score = 0.500000; description = "Subject ends with space characters"; } SUBJECT_HAS_EXCLAIM { re = "Subject=/!/H & !Subject=/!\\s*$/H"; group = "headers"; score = 0; description = "Subject contains an exclamation mark"; } SUSPICIOUS_BOUNDARY { re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX"; group = "mua"; description = 
"Suspicious boundary in Content-Type header"; score = 5; } UNITEDINTERNET_SPAM { re = "X-UI-Filterresults=/^junk:/H || X-UI-Out-Filterresults=/^junk:/H"; group = "upstream_spam_filters"; description = "United Internet says this message is spam"; score = 5; } ENVFROM_SERVICE_ACCT { re = "check_smtp_data('from',/^(?:www-data|anonymous|ftp|apache|nobody|guest|nginx|web|www)@/i)"; group = "compromised_hosts"; score = 1; description = "Envelope from is a service account"; } HAS_IPFS_GATEWAY_URL { one_shot = true; re = "(/(qm[a-z0-9]{44}|[079fvtbchkzmup][a-z0-9]{44,128})/{url}i & /ipfs(\\.|-|_|\\/|\\?)/{url}i)"; group = "url"; description = "Message contains InterPlanetary File System (IPFS) gateway URL, likely malicious"; score = 6; } SUBJECT_ENDS_EXCLAIM { re = "Subject=/!\\s*$/H"; group = "headers"; score = 0; description = "Subject ends with an exclamation mark"; } SUBJECT_HAS_CURRENCY { re = "Subject=/\\p{Sc}/Hu"; group = "headers"; score = 1; description = "Subject contains currency"; } SUBJECT_HAS_QUESTION { re = "Subject=/\\?/H & !Subject=/\\?\\s*$/Hu"; group = "headers"; score = 0; description = "Subject contains a question mark"; } SUSPICIOUS_BOUNDARY2 { re = "Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_(01C6527E)\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX"; group = "mua"; description = "Suspicious boundary in Content-Type header"; score = 4; } SUSPICIOUS_BOUNDARY3 { re = "Content-Type=/^\\s*multipart.+boundary=\"-----000-00\\d\\d-01C[\\dA-F]{5}-[\\dA-F]{8}\"[\\r\\n]*$/siX"; group = "mua"; description = "Suspicious boundary in Content-Type header"; score = 3; } SUSPICIOUS_BOUNDARY4 { re = "(Content-Type=/^\\s*multipart.+boundary=\"----=_NextPart_000_[A-Z\\d]{4}_01C4[\\dA-F]{4}\\.[A-Z\\d]{8}\"[\\r\\n]*$/siX) & (Date=/^\\s*\\w\\w\\w,\\s+\\d+\\s+\\w\\w\\w 20(0[56789]|1\\d)/)"; group = "mua"; description = "Suspicious boundary in Content-Type header"; score = 4; } TO_WRAPPED_IN_SPACES { mime_only = true; description = "To address is wrapped in spaces 
inside angle brackets (e.g. display-name < local-part@domain >)";
    re = "To=/<\\s[-.\\w]+\\@[-.\\w]+\\s>/X";
    group = "headers";
    score = 2;
  }
  # Received header claims mail.ru while the envelope/From addresses are not @mail.ru.
  FAKE_RECEIVED_mail_ru {
    re = "(Received=/from mail\\.ru \\(/mH) & !(((Return-path=/^\\s*<.+\\@mail\\.ru>$/iX) | (X-Envelope-From=/^\\s*<.+\\@mail\\.ru>$/iX)) & (From=/\\@mail\\.ru>?$/iX))";
    group = "headers";
    description = "Fake HELO mail.ru in Received header from non-mail.ru sender address";
    score = 4;
  }
  # NOTE(review): the dump is damaged from here. The re value below opens as a
  # regexp but runs straight into log-format variables ($if_qid, $is_spam, ...)
  # and a bare "EOD;" terminator, so the text between the start of this rule and
  # the tail of a logging format string appears to have been lost in extraction.
  # Do not read the following statement as real rule content.
  HTML_META_REFRESH_URL {
    one_shot = true;
    re = "/,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user: $,}$if_smtp_from{ from: <$>,} (default: $is_spam ($action): [$scores] [$symbols_scores_params]), len: $len, time: $time_real, dns req: $dns_req, digest: <$digest>$if_smtp_rcpts{, rcpts: <$>}$if_mime_rcpts{, mime_rcpts: <$>}$if_filename{, file: $}$if_forced_action{, forced: $}$if_settings_id{, settings_id: $} EOD;
  log_re_cache = true;
  color = false;
  log_usec = false;
  debug_modules []
}
# Scanner worker, bound to localhost only.
worker {
  normal {
    bind_socket = "localhost:11333";
    mime = true;
  }
}
# Controller worker (web interface / management API), bound to localhost only.
worker {
  controller {
    bind_socket = "localhost:11334";
    count = 1;
    # This is the stored, hashed form of the controller password, printed
    # verbatim by the dump. A hash still allows offline guessing, so redact it
    # before sharing a dump like this, and rotate the password if this value
    # was ever live.
    password = "$2$uunnnir4tebagaki5d1o8ukgx8mtzh6m$c43tybzxdp1s57njx74hj5ixxj193zg3dx8ismk446bunbnk8s1b";
    # secure_ip addresses are treated as trusted by the controller, so no
    # password is asked of them. If a reverse proxy on this host forwards to
    # localhost:11334, every proxied request arrives from 127.0.0.1 / ::1 and
    # inherits that trust. In that setup, authenticate at the proxy or drop
    # the loopback entries.
    secure_ip = "127.0.0.1";
    secure_ip = "::1";
    static_dir = "/usr/share/rspamd/www";
  }
}
# Proxy worker in milter mode, forwarding to the local scanner.
worker {
  rspamd_proxy {
    bind_socket = "localhost:11332";
    milter = true;
    timeout = 60.0;
    upstream {
      local {
        default = true;
        hosts = "localhost";
      }
    }
    count = 1;
    max_retries = 5;
    discard_on_reject = false;
    quarantine_on_reject = false;
    spam_header = "X-Spam";
    reject_message = "Spam message rejected";
  }
}
# Fuzzy hash storage worker with a Redis backend; only "localhost" may submit
# updates. NOTE(review): count = -1 presumably leaves this worker disabled; confirm.
worker {
  fuzzy {
    bind_socket = "localhost:11335";
    count = -1;
    backend = "redis";
    expire = 7776000.0;
    allow_update [
      "localhost",
    ]
  }
}