Diffstat (limited to 'conf/composites.conf')
-rw-r--r-- | conf/composites.conf | 193 |
1 files changed, 193 insertions, 0 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
new file mode 100644
index 0000000..e38d64e
--- /dev/null
+++ b/conf/composites.conf
@@ -0,0 +1,193 @@
+# Composites setup
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+# You can modify 'local.d/composites.conf' to add and merge
+# parameters defined inside this section
+#
+# You can modify 'override.d/composites.conf' to strictly override all
+# parameters defined inside this section
+#
+# See https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
+# for details
+#
+# See https://rspamd.com/doc/tutorials/writing_rules.html and
+# https://rspamd.com/doc/configuration/composites.html for details
+
+composites {
+
+ SHORT_PART_BAD_HEADERS {
+ expression = "MISSING_ESSENTIAL_HEADERS & SINGLE_SHORT_PART";
+ group = "blankspam";
+ policy = "leave";
+ score = 7.0;
+ }
+ FORGED_RECIPIENTS_MAILLIST {
+ expression = "FORGED_RECIPIENTS & -MAILLIST";
+ }
+ FORGED_SENDER_MAILLIST {
+ expression = "FORGED_SENDER & -MAILLIST";
+ }
+ FORGED_SENDER_FORWARDING {
+ expression = "FORGED_SENDER & g:forwarding";
+ description = "Forged sender, but message is forwarded";
+ policy = "remove_weight";
+ }
+ SPF_FAIL_FORWARDING {
+ expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
+ policy = "remove_weight";
+ }
+ DMARC_POLICY_ALLOW_WITH_FAILURES {
+ expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
+ policy = "remove_weight";
+ }
+ FORGED_RECIPIENTS_FORWARDING {
+ expression = "FORGED_RECIPIENTS & g:forwarding";
+ policy = "remove_weight";
+ }
+ FORGED_SENDER_VERP_SRS {
+ expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
+ }
+ FORGED_MUA_MAILLIST {
+ expression = "g:mua & -MAILLIST";
+ }
+ AUTH_NA {
+ expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
+ score = 1.0;
+ policy = "remove_weight";
+ description = "Authenticating message via SPF/DKIM/DMARC/ARC not available";
+ }
+ AUTH_NA_OR_FAIL {
+ expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) & (R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA | R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)";
+ score = 1.0;
+ policy = "remove_weight";
+ description = "No authenticating method SPF/DKIM/DMARC/ARC was successful";
+ }
+ BOUNCE_NO_AUTH {
+ expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)";
+ score = 1.0;
+ }
+ DKIM_MIXED {
+ expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
+ policy = "remove_weight";
+ }
+ APPLE_MAILER_COMMON {
+ description = "Message was sent by 'Apple Mail' and has common symbols in place";
+ expression = "APPLE_MAILER & MV_CASE";
+ }
+ APPLE_IOS_MAILER_COMMON {
+ description = "Message was sent by 'Apple iOS Mail' and has common symbols in place";
+ expression = "APPLE_IOS_MAILER & (MV_CASE | MIME_MA_MISSING_TEXT)";
+ }
+ HACKED_WP_PHISHING {
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
+ description = "Phish message sent by hacked Wordpress instance";
+ policy = "leave";
+ }
+ COMPROMISED_ACCT_BULK {
+ expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
+ description = "Likely to be from a compromised account";
+ score = 3.0;
+ policy = "leave";
+ }
+ UNDISC_RCPTS_BULK {
+ expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
+ description = "Missing or undisclosed recipients with a bulk signature";
+ score = 3.0;
+ policy = "leave";
+ }
+ RCVD_UNAUTH_PBL {
+ expression = "RECEIVED_SPAMHAUS_PBL & !RCVD_VIA_SMTP_AUTH";
+ description = "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)";
+ score = 2.0;
+ policy = "leave";
+ }
+ RCVD_DKIM_ARC_DNSWL_MED {
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
+ description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
+ score = -0.5;
+ policy = "leave";
+ }
+ RCVD_DKIM_ARC_DNSWL_HI {
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
+ description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
+ score = -1.0;
+ policy = "leave";
+ }
+ AUTOGEN_PHP_SPAMMY {
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+ description = "Message was generated by PHP script and contains some spam indicators";
+ score = 1.0;
+ policy = "leave";
+ }
+ PHISH_EMOTION {
+ expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+ description = "Phish message with subject trying to address users emotion";
+ score = 1.0;
+ policy = "leave";
+ }
+ HAS_ANON_DOMAIN {
+ expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
+ description = "Contains one or more domains trying to disguise owner/destination";
+ score = 0.1;
+ policy = "leave";
+ }
+ BAD_REP_POLICIES {
+ description = "Contains valid policies but are also marked by fuzzy/bayes/SURBL/RBL";
+ expression = "(~g-:policies) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";
+ score = 0.1;
+ }
+ VIOLATED_DIRECT_SPF {
+ description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
+ expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
+ policy = "leave";
+ score = 3.5;
+ }
+ IP_SCORE_FREEMAIL {
+ description = "Negate IP_SCORE when message comes from FreeMail";
+ expression = "FREEMAIL_FROM & SENDER_REP_SPAM";
+ score = 0.0;
+ policy = "remove_weight";
+ }
+ BROKEN_HEADERS_MAILLIST {
+ description = "Negate BROKEN_HEADERS when message comes via some mailing list";
+ expression = "BROKEN_HEADERS & -MAILLIST";
+ score = 0.0;
+ policy = "remove_weight";
+ }
+ LEAKED_PASSWORD_SCAM {
+ description = "Contains BTC wallet address and scam patterns";
+ expression = "BITCOIN_ADDR & (LEAKED_PASSWORD_SCAM_RE | R_MIXED_CHARSET | R_EMPTY_IMAGE)";
+ policy = "leave";
+ score = 7.0;
+ group = "scams";
+ }
+ FREEMAIL_AFF {
+ expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
+ score = 4.0;
+ policy = "leave";
+ description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
+ }
+ REDIRECTOR_URL_ONLY {
+ expression = "HFILTER_URL_ONLY & REDIRECTOR_URL";
+ score = 1.0;
+ policy = "leave";
+ description = "Message only contains a redirector URL";
+ }
+ THREAD_HIJACKING_FROM_INJECTOR {
+ expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)";
+ score = 2.0;
+ policy = "leave";
+ description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
+ group = "compromised_hosts";
+ }
+ SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
+ expression = "(REDIRECTOR_URL | HAS_ANON_DOMAIN | HAS_IPFS_GATEWAY_URL) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";
+ score = 1.0;
+ policy = "leave";
+ description = "Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL";
+ }
+
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
+} |
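Review bot: The description of `IP_SCORE_FREEMAIL` still reads "Negate IP_SCORE when message comes from FreeMail" while its expression matches `SENDER_REP_SPAM`, so the text no longer names the symbol whose weight it actually removes; suggest `description = "Negate SENDER_REP_SPAM when message comes from FreeMail";`. In the same vein, `AUTH_NA_OR_FAIL` is described as "No authenticating method SPF/DKIM/DMARC/ARC was successful", but its expression only matches the not-available and lookup-failure outcomes (`R_DKIM_TEMPFAIL`, `R_DKIM_PERMFAIL`, `R_SPF_DNSFAIL`, `ARC_DNSFAIL`) and never a hard `R_SPF_FAIL`, `R_DKIM_REJECT` or a DMARC policy failure, so an operator reading the description could assume hard failures are folded into this 1.0-point composite; `description = "SPF/DKIM/DMARC/ARC not present or could not be verified (lookup failure); none passed";` matches what the expression checks. `VIOLATED_DIRECT_SPF` says "no trusted received relays" but the expression uses `RCVD_NO_TLS_LAST`, which by its name looks like a last-hop-without-TLS test rather than a trusted-relay test — worth confirming against the rule that defines it and aligning the wording. As a style point, the `expression` line of `DKIM_MIXED` is the only key in the file without a terminating `;`, which UCL tolerates but which is inconsistent with every other entry here.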