[Rspamd] Composite fixes and adjustments for better filtering
parent
f95bd3e7b6
commit
be0ec8efc0
|
@ -6,20 +6,19 @@ VIRUS_FOUND {
|
||||||
expression = "CLAM_VIRUS & !MAILCOW_WHITE";
|
expression = "CLAM_VIRUS & !MAILCOW_WHITE";
|
||||||
score = 2000;
|
score = 2000;
|
||||||
}
|
}
|
||||||
SPF_FAIL_NO_DKIM {
|
# Bad policy from non-whitelisted senders
|
||||||
expression = "R_SPF_FAIL & R_DKIM_NA & !MAILCOW_WHITE & !ARC_ALLOW";
|
POLICY_FAILURE {
|
||||||
|
expression = "-g+:policies & !MAILCOW_WHITE";
|
||||||
score = 10;
|
score = 10;
|
||||||
}
|
}
|
||||||
SOGO_CONTACT_EXCLUDE_FWD_HOST {
|
# Remove SOGO_CONTACT symbol for fwd hosts and senders with broken policy
|
||||||
expression = "-WHITELISTED_FWD_HOST & ~SOGO_CONTACT";
|
SOGO_CONTACT_EXCLUDE {
|
||||||
|
expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT";
|
||||||
}
|
}
|
||||||
SOGO_CONTACT_SPOOFED {
|
# Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
|
||||||
expression = "(R_SPF_PERMFAIL | R_SPF_SOFTFAIL | R_SPF_FAIL) & ~SOGO_CONTACT";
|
|
||||||
}
|
|
||||||
# SPF checks against envelope, so we do not exclude SPF valid mail
|
|
||||||
SPOOFED_UNAUTH {
|
SPOOFED_UNAUTH {
|
||||||
expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST";
|
expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
|
||||||
score = 5.0;
|
score = 50.0;
|
||||||
}
|
}
|
||||||
# Only apply to inbound unauthed and not whitelisted
|
# Only apply to inbound unauthed and not whitelisted
|
||||||
OLEFY_MACRO {
|
OLEFY_MACRO {
|
||||||
|
@ -27,21 +26,21 @@ OLEFY_MACRO {
|
||||||
score = 20.0;
|
score = 20.0;
|
||||||
policy = "remove_weight";
|
policy = "remove_weight";
|
||||||
}
|
}
|
||||||
|
# Applies to a content filter map
|
||||||
BAD_WORD_BAD_TLD {
|
BAD_WORD_BAD_TLD {
|
||||||
expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )"
|
expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )"
|
||||||
score = 10.0;
|
score = 10.0;
|
||||||
}
|
}
|
||||||
|
# Forged with bad policies and not fwd host, keep bad policy symbols
|
||||||
FORGED_W_BAD_POLICY {
|
FORGED_W_BAD_POLICY {
|
||||||
expression = "( ~g+:policies | ~R_SPF_NA) & ( ~FROM_NEQ_ENVFROM & ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST"
|
expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM & ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST"
|
||||||
score = 3.0;
|
score = 3.0;
|
||||||
}
|
}
|
||||||
|
# Keep negative (good) scores for rbl, policies and hfilter, disable neural group
|
||||||
WL_FWD_HOST {
|
WL_FWD_HOST {
|
||||||
expression = "-WHITELISTED_FWD_HOST & (^g:rbl | ^g+:policies | ^g:hfilter | ^g:neural)"
|
expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"
|
||||||
}
|
}
|
||||||
|
# Exclude X-Spam like flags from scoring from fwd and sieve hosts
|
||||||
UPSTREAM_CHECKS_EXCLUDE_FWD_HOST {
|
UPSTREAM_CHECKS_EXCLUDE_FWD_HOST {
|
||||||
expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)"
|
expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)"
|
||||||
}
|
}
|
||||||
SPOOFED_UNAUTH_POLICY_FAILURE {
|
|
||||||
expression = "-SPOOFED_UNAUTH & -R_SPF_FAIL";
|
|
||||||
score = 50.0;
|
|
||||||
}
|
|
||||||
|
|
Loading…
Reference in New Issue