File: /volume1/@appstore/MailPlus-Server/etc/rspamd/metrics.conf
# Metrics settings
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local.override' to redefine
# parameters defined on the top level
#
# You can modify '$LOCAL_CONFDIR/rspamd.conf.local' to add
# parameters defined on the top level
#
# For specific modules or configuration you can also modify
# '$LOCAL_CONFDIR/local.d/file.conf' - to add your options or rewrite defaults
# '$LOCAL_CONFDIR/override.d/file.conf' - to override the defaults
#
# See https://rspamd.com/doc/tutorials/writing_rules.html for details
# DEPRECATION WARNING!!
# This file is deprecated since 1.7
# Please use actions.conf and groups.conf files instead
metric {
name = "default";
group "excessqp" {
# SYNO_ADJUST_SCORE_XXX {{{
# max_score = 2.4;
max_score = 0.8;
# }}}
}
group "excessb64" {
# SYNO_ADJUST_SCORE_XXX {{{
# max_score = 3.0;
max_score = 1.0;
# }}}
}
group "headers" {
symbol "FORGED_SENDER" {
weight = 0.30;
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)";
}
symbol "R_MIXED_CHARSET" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.0;
weight = 1.667;
# }}}
description = "Mixed characters in a message";
one_shot = true;
}
symbol "R_MIXED_CHARSET_URL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 7.0;
weight = 2.333;
# }}}
description = "Mixed characters in a URL inside message";
one_shot = true;
}
symbol "FORGED_RECIPIENTS" {
weight = 0.4;
description = "Recipients are not the same as RCPT TO: mail command";
}
symbol "FORGED_RECIPIENTS_MAILLIST" {
weight = 0.0;
description = "Recipients are not the same as RCPT TO: mail command, but a message from a maillist";
}
symbol "FORGED_SENDER_MAILLIST" {
weight = 0.0;
description = "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist";
}
symbol "ONCE_RECEIVED" {
weight = 0.1;
description = "One received header in a message";
}
symbol "RDNS_NONE" {
weight = 1.0;
description = "Cannot resolve reverse DNS for sender's IP";
}
symbol "ONCE_RECEIVED_STRICT" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 4.0;
weight = 1.333;
# }}}
description = "One received header with 'bad' patterns inside";
}
symbol "MAILLIST" {
weight = -0.2;
description = "Message seems to be from maillist";
}
}
group "subject" {
# SYNO_ADJUST_SCORE_XXX {{{
# max_score = 6.0;
max_score = 2.0;
# }}}
}
group "mua" {
symbol "FORGED_MUA_MAILLIST" {
weight = 0.0;
description = "Avoid false positives for FORGED_MUA_* in maillist";
}
}
group "rbl" {
symbol "DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries";
}
symbol "RCVD_IN_DNSWL" {
weight = 0.0;
description = "Unrecognised result from dnswl.org";
}
symbol "RCVD_IN_DNSWL_NONE" {
weight = 0.0;
description = "Sender listed at http://www.dnswl.org, low none";
}
symbol "RCVD_IN_DNSWL_LOW" {
weight = 0.0;
description = "Sender listed at http://www.dnswl.org, low trust";
}
symbol "RCVD_IN_DNSWL_MED" {
# SYNO_DNSWL_SCORE {{{
weight = -2.3;
# }}}
description = "Sender listed at http://www.dnswl.org, medium trust";
}
symbol "RCVD_IN_DNSWL_HI" {
# SYNO_DNSWL_SCORE {{{
weight = -5.0;
# }}}
description = "Sender listed at http://www.dnswl.org, high trust";
}
symbol "RBL_SPAMHAUS" {
weight = 0.0;
description = "Unrecognised result from Spamhaus zen";
}
symbol "RBL_SPAMHAUS_SBL" {
weight = 2.0;
description = "From address is listed in zen sbl";
}
symbol "RBL_SPAMHAUS_CSS" {
weight = 2.0;
description = "From address is listed in zen css";
}
symbol "RBL_SPAMHAUS_XBL" {
weight = 4.0;
description = "From address is listed in zen xbl";
}
symbol "RBL_SPAMHAUS_XBL_ANY" {
weight = 4.0;
description = "From or receive address is listed in zen xbl (any list)";
}
symbol "RBL_SPAMHAUS_PBL" {
weight = 2.0;
description = "From address is listed in zen pbl (ISP list)";
}
symbol "RBL_SPAMHAUS_DROP" {
weight = 7.0;
description = "From address is listed in zen drop bl";
}
symbol "RECEIVED_SPAMHAUS_XBL" {
weight = 3.0;
description = "Received address is listed in zen xbl";
one_shot = true;
}
symbol "RBL_SENDERSCORE" {
weight = 2.0;
description = "From address is listed in senderscore.com BL";
}
symbol "RBL_ABUSECH" {
weight = 1.0;
description = "From address is listed in ABUSE.CH BL";
}
symbol "MAILSPIKE" {
weight = 0.0;
description = "Unrecognised result from Mailspike";
}
symbol "RWL_MAILSPIKE_NEUTRAL" {
weight = 0.0;
description = "Neutral result from Mailspike";
}
symbol "RBL_MAILSPIKE_WORST" {
weight = 2.0;
description = "From address is listed in RBL - worst possible reputation";
}
symbol "RBL_MAILSPIKE_VERYBAD" {
weight = 1.5;
description = "From address is listed in RBL - very bad reputation";
}
symbol "RBL_MAILSPIKE_BAD" {
weight = 1.0;
description = "From address is listed in RBL - bad reputation";
}
symbol "RWL_MAILSPIKE_POSSIBLE" {
weight = 0.0;
description = "From address is listed in RWL - possibly legit";
}
symbol "RWL_MAILSPIKE_GOOD" {
weight = 0.0;
description = "From address is listed in RWL - good reputation";
}
symbol "RWL_MAILSPIKE_VERYGOOD" {
weight = 0.0;
description = "From address is listed in RWL - very good reputation";
}
symbol "RWL_MAILSPIKE_EXCELLENT" {
weight = 0.0;
description = "From address is listed in RWL - excellent reputation";
}
symbol "RBL_SEM" {
weight = 1.0;
description = "Address is listed in Spameatingmonkey RBL";
}
symbol "RBL_SEM_IPV6" {
weight = 1.0;
description = "Address is listed in Spameatingmonkey RBL (ipv6)";
}
}
group "statistics" {
symbol "BAYES_SPAM" {
weight = 4.0;
description = "Message probably spam, probability: ";
}
symbol "BAYES_HAM" {
weight = -3.0;
description = "Message probably ham, probability: ";
}
}
group "fuzzy" {
symbol "FUZZY_UNKNOWN" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.0;
weight = 1.667;
# }}}
description = "Generic fuzzy hash match";
}
symbol "FUZZY_DENIED" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 12.0;
weight = 4.0;
# }}}
description = "Denied fuzzy hash";
}
symbol "FUZZY_PROB" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.0;
weight = 1.667;
# }}}
description = "Probable fuzzy hash";
}
symbol "FUZZY_WHITE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = -2.1;
weight = -0.7;
# }}}
description = "Whitelisted fuzzy hash";
}
}
group "spf" {
symbol "R_SPF_FAIL" {
weight = 1.0;
description = "SPF verification failed";
}
symbol "R_SPF_SOFTFAIL" {
weight = 0.0;
description = "SPF verification soft-failed";
}
symbol "R_SPF_NEUTRAL" {
weight = 0.0;
description = "SPF policy is neutral";
}
symbol "R_SPF_ALLOW" {
weight = -0.2;
description = "SPF verification allows sending";
}
symbol "R_SPF_DNSFAIL" {
weight = 0.0;
description = "SPF DNS failure";
}
}
group "dkim" {
symbol "R_DKIM_REJECT" {
weight = 1.0;
description = "DKIM verification failed";
one_shot = true;
}
symbol "R_DKIM_TEMPFAIL" {
weight = 0.0;
description = "DKIM verification soft-failed";
}
symbol "R_DKIM_ALLOW" {
weight = -0.2;
description = "DKIM verification succeed";
one_shot = true;
}
}
group "surbl" {
# SYNO_ADJUST_SCORE_XXX {{{
# max_score = 12.5;
max_score = 4.167;
# }}}
symbol "SURBL_BLOCKED" {
weight = 0.0;
description = "SURBL: blocked by policy/overusage";
}
symbol "PH_SURBL_MULTI" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.5;
weight = 0.610;
# }}}
description = "SURBL: Phishing sites";
}
symbol "MW_SURBL_MULTI" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.5;
weight = 1.263;
# }}}
description = "SURBL: Malware sites";
}
symbol "ABUSE_SURBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.5;
weight = 1.263;
# }}}
description = "SURBL: ABUSE";
}
symbol "CRACKED_SURBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 4.0;
weight = 1.263;
# }}}
description = "SURBL: cracked site";
}
symbol "RAMBLER_URIBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 4.5;
weight = 0;
# }}}
description = "Rambler uribl";
one_shot = true;
}
symbol "RAMBLER_EMAILBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 9.5;
weight = 0;
# }}}
description = "Rambler emailbl";
one_shot = true;
}
symbol "MSBL_EBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 7.5;
weight = 0;
# }}}
description = "MSBL emailbl";
one_shot = true;
}
symbol "SEM_URIBL_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey uribl: unknown result";
}
symbol "SEM_URIBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.5;
weight = 1.5;
# }}}
description = "Spameatingmonkey uribl";
}
symbol "SEM_URIBL_FRESH15_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey Fresh15 uribl: unknown result";
}
symbol "SEM_URIBL_FRESH15" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.0;
weight = 1.0;
# }}}
description = "Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
}
symbol "DBL" {
weight = 0.0;
description = "DBL unknown result";
}
symbol "DBL_SPAM" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 6.5;
weight = 2.5;
# }}}
description = "DBL uribl spam";
}
symbol "DBL_PHISH" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 6.5;
weight = 2.5;
# }}}
description = "DBL uribl phishing";
}
symbol "DBL_MALWARE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 6.5;
weight = 2.5;
# }}}
description = "DBL uribl malware";
}
symbol "DBL_BOTNET" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.5;
weight = 2.5;
# }}}
description = "DBL uribl botnet C&C domain";
}
symbol "DBL_ABUSE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 6.5;
weight = 2.0;
# }}}
description = "DBL uribl abused legit spam";
}
symbol "DBL_ABUSE_REDIR" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 1.5;
weight = 0;
# }}}
description = "DBL uribl abused spammed redirector domain";
}
symbol "DBL_ABUSE_PHISH" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 7.5;
weight = 2.5;
# }}}
description = "DBL uribl abused legit phish";
}
symbol "DBL_ABUSE_MALWARE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 7.5;
weight = 2.5;
# }}}
description = "DBL uribl abused legit malware";
}
symbol "DBL_ABUSE_BOTNET" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.5;
weight = 2.5;
# }}}
description = "DBL uribl abused legit botnet C&C";
}
symbol "DBL_PROHIBIT" {
weight = 0.00000;
description = "DBL uribl IP queries prohibited!";
}
symbol "URIBL_MULTI" {
weight = 0.0;
description = "uribl.com: unrecognised result";
}
symbol "URIBL_BLOCKED" {
weight = 0.0;
description = "uribl.com: query refused";
}
symbol "URIBL_BLACK" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 7.5;
weight = 1.7;
# }}}
description = "uribl.com black url";
}
symbol "URIBL_RED" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.5;
weight = 0;
# }}}
description = "uribl.com red url";
}
symbol "URIBL_GREY" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 1.5;
weight = 0.424;
# }}}
description = "uribl.com grey url";
one_shot = true;
}
symbol "SBL_URIBL" {
weight = 0.0;
description = "SBL URIBL: Filtered result";
}
symbol "URIBL_SBL" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 6.5;
weight = 0.1;
# }}}
description = "Spamhaus SBL URIBL";
}
symbol "URIBL_SBL_CSS" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 6.5;
weight = 0.1;
# }}}
description = "Spamhaus SBL CSS URIBL";
}
# Disabled to improve performance
#symbol "RBL_SARBL_BAD" {
#weight = 2.5;
#description = "A domain listed in the mail is blacklisted in SARBL";
#}
}
# Phishing is Disabled
group "phishing" {
symbol "PHISHING" {
weight = 4.0;
description = "Phished URL";
one_shot = true;
}
symbol "PHISHED_OPENPHISH" {
weight = 7.0;
description = "Phished URL found in openphish.com";
}
symbol "PHISHED_PHISHTANK" {
weight = 7.0;
description = "Phished URL found in phishtank.com";
}
symbol HACKED_WP_PHISHING {
weight = 4.5;
description = "Phishing message from hacked wordpress";
}
}
group "hfilter" {
symbol "HFILTER_HELO_BAREIP" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.00;
weight = 1.0;
# }}}
description = "Helo host is bare ip";
}
symbol "HFILTER_HELO_BADIP" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 4.50;
weight = 1.5;
# }}}
description = "Helo host is very bad ip";
}
symbol "HFILTER_HELO_1" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 0.5;
weight = 0.167;
# }}}
description = "Helo host checks (very low)";
}
symbol "HFILTER_HELO_2" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 1.00;
weight = 0.333;
# }}}
description = "Helo host checks (low)";
}
symbol "HFILTER_HELO_3" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.00;
weight = 0.667;
# }}}
description = "Helo host checks (medium)";
}
symbol "HFILTER_HELO_4" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.50;
weight = 0.833;
# }}}
description = "Helo host checks (hard)";
}
symbol "HFILTER_HELO_5" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.00;
weight = 1.0;
# }}}
description = "Helo host checks (very hard)";
}
symbol "HFILTER_HOSTNAME_1" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 0.5;
weight = 0.167;
# }}}
description = "Hostname checks (very low)";
}
symbol "HFILTER_HOSTNAME_2" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 1.00;
weight = 0.333;
# }}}
description = "Hostname checks (low)";
}
symbol "HFILTER_HOSTNAME_3" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.00;
weight = 0.667;
# }}}
description = "Hostname checks (medium)";
}
symbol "HFILTER_HOSTNAME_4" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.50;
weight = 0.833;
# }}}
description = "Hostname checks (hard)";
}
symbol "HFILTER_HOSTNAME_5" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.00;
weight = 1.0;
# }}}
description = "Hostname checks (very hard)";
}
symbol "HFILTER_HELO_NORESOLVE_MX" {
weight = 0.20;
description = "MX found in Helo and no resolve";
}
symbol "HFILTER_HELO_NORES_A_OR_MX" {
# SYNO_ADJUST_SCORE {{{
weight = 0.20;
# }}}
description = "Helo no resolve to A or MX";
}
symbol "HFILTER_HELO_IP_A" {
# SYNO_ADJUST_SCORE {{{
weight = 0.20;
# }}}
description = "Helo A IP != hostname IP";
}
symbol "HFILTER_HELO_NOT_FQDN" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.00;
weight = 0.667;
# }}}
description = "Helo not FQDN";
}
symbol "HFILTER_FROMHOST_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in FROM host and no resolve";
}
symbol "HFILTER_FROMHOST_NORES_A_OR_MX" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 1.50;
weight = 0.5;
# }}}
description = "FROM host no resolve to A or MX";
}
symbol "HFILTER_FROMHOST_NOT_FQDN" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.00;
weight = 1.0;
# }}}
description = "FROM host not FQDN";
}
symbol "HFILTER_FROM_BOUNCE" {
weight = 0.00;
description = "Bounce message";
}
/*
symbol {
weight = 0.50;
name = "HFILTER_MID_NORESOLVE_MX";
description = "MX found in Message-id host and no resolve";
}
symbol {
weight = 0.50;
name = "HFILTER_MID_NORES_A_OR_MX";
description = "Message-id host no resolve to A or MX";
}
symbol {
weight = 0.50;
name = "HFILTER_MID_NOT_FQDN";
description = "Message-id host not FQDN";
}
*/
symbol "HFILTER_HOSTNAME_UNKNOWN" {
# This rule can be easily triggered by E-News, so lower the score
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.50;
weight = 0.833;
# }}}
description = "Unknown hostname (no PTR or no resolve PTR to hostname)";
}
symbol "HFILTER_RCPT_BOUNCEMOREONE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 1.50;
weight = 0.5;
# }}}
description = "Message from bounce and over 1 recipient";
}
symbol "HFILTER_URL_ONLY" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.20;
weight = 0.733;
# }}}
description = "URL only in body";
}
symbol "HFILTER_URL_ONELINE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.50;
weight = 0.833;
# }}}
description = "One line URL and text in body";
}
}
group "dmarc" {
symbol "DMARC_POLICY_ALLOW" {
weight = -0.5;
description = "DMARC permit policy";
}
symbol "DMARC_POLICY_ALLOW_WITH_FAILURES" {
weight = -0.5;
description = "DMARC permit policy with DKIM/SPF failure";
}
symbol "DMARC_POLICY_REJECT" {
weight = 3.0;
description = "DMARC reject policy";
}
symbol "DMARC_POLICY_QUARANTINE" {
weight = 2.5;
description = "DMARC quarantine policy";
}
symbol "DMARC_POLICY_SOFTFAIL" {
weight = 0.1;
description = "DMARC failed";
}
}
group "mime_types" {
symbol "MIME_GOOD" {
weight = -0.1;
description = "Known content-type";
one_shot = true;
}
symbol "MIME_BAD" {
weight = 1.0;
description = "Known bad content-type";
one_shot = true;
}
symbol "MIME_UNKNOWN" {
weight = 0.1;
description = "Missing or unknown content-type";
one_shot = true;
}
symbol "MIME_BAD_ATTACHMENT" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 4.0;
weight = 1.333;
# }}}
description = "Invalid attachment mime type";
one_shot = true;
}
symbol "MIME_ENCRYPTED_ARCHIVE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.0;
weight = 0.667;
# }}}
description = "Encrypted archive in a message";
one_shot = true;
}
symbol "MIME_ARCHIVE_IN_ARCHIVE" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 5.0;
weight = 1.667;
# }}}
description = "Archive within another archive";
one_shot = true;
}
symbol "MIME_DOUBLE_BAD_EXTENSION" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 3.0; # This rule has dynamic weight up to 4.0
weight = 1.0; # This rule has dynamic weight up to 4.0
# }}}
description = "Bad extension cloaking";
one_shot = true;
}
symbol "MIME_BAD_EXTENSION" {
# SYNO_ADJUST_SCORE_XXX {{{
# weight = 2.0; # This rule has dynamic weight up to 4.0
weight = 0.667; # This rule has dynamic weight up to 4.0
# }}}
description = "Bad extension";
one_shot = true;
}
}
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf" # for MailPlus-Server config
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" # for user to override
}