mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
326 lines
11 KiB
Django/Jinja
326 lines
11 KiB
Django/Jinja
# This is the right place to customize your installation of SpamAssassin.
|
|
#
|
|
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
|
|
# tweaked.
|
|
#
|
|
# Only a small subset of options are listed below
|
|
#
|
|
###########################################################################
|
|
|
|
dns_server 127.0.0.1
|
|
|
|
# Add *****SPAM***** to the Subject header of spam e-mails
|
|
#
|
|
# rewrite_header Subject *****SPAM*****
|
|
|
|
|
|
# Save spam messages as a message/rfc822 MIME attachment instead of
|
|
# modifying the original message (0: off, 2: use text/plain instead)
|
|
#
|
|
# report_safe 1
|
|
|
|
|
|
# Set which networks or hosts are considered 'trusted' by your mail
|
|
# server (i.e. not spammers)
|
|
#
|
|
# trusted_networks 212.17.35.
|
|
|
|
|
|
# Set file-locking method (flock is not safe over NFS, but is faster)
|
|
#
|
|
# lock_method flock
|
|
|
|
|
|
# Set the threshold at which a message is considered spam (default: 5.0)
|
|
#
|
|
required_score 5.0
|
|
|
|
|
|
# Use Bayesian classifier (default: 1)
|
|
#
|
|
# use_bayes 1
|
|
|
|
|
|
# Bayesian classifier auto-learning (default: 1)
|
|
#
|
|
# bayes_auto_learn 1
|
|
|
|
|
|
# Set headers which may provide inappropriate cues to the Bayesian
|
|
# classifier
|
|
#
|
|
# bayes_ignore_header X-Bogosity
|
|
# bayes_ignore_header X-Spam-Flag
|
|
# bayes_ignore_header X-Spam-Status
|
|
|
|
#whitelist_to postmaster@*
|
|
# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
|
|
# them to UTF-8 before the text is given over to rules processing.
|
|
#
|
|
# normalize_charset 1
|
|
|
|
# Some shortcircuiting, if the plugin is enabled
|
|
#
|
|
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
|
|
#
|
|
# default: strongly-whitelisted mails are *really* whitelisted now, if the
|
|
# shortcircuiting plugin is active, causing early exit to save CPU load.
|
|
# Uncomment to turn this on
|
|
#
|
|
#shortcircuit USER_IN_WHITELIST ham
|
|
#shortcircuit USER_IN_WHITELIST_TO ham
|
|
# shortcircuit USER_IN_DEF_WHITELIST on
|
|
# shortcircuit USER_IN_ALL_SPAM_TO on
|
|
# shortcircuit SUBJECT_IN_WHITELIST on
|
|
|
|
# the opposite; blacklisted mails can also save CPU
|
|
#
|
|
#shortcircuit USER_IN_BLACKLIST on
|
|
#shortcircuit USER_IN_BLACKLIST_TO on
|
|
# shortcircuit SUBJECT_IN_BLACKLIST on
|
|
|
|
# if you have taken the time to correctly specify your "trusted_networks",
|
|
# this is another good way to save CPU
|
|
#
|
|
# shortcircuit ALL_TRUSTED on
|
|
|
|
# and a well-trained bayes DB can save running rules, too
|
|
#
|
|
# shortcircuit BAYES_99 spam
|
|
# shortcircuit BAYES_00 ham
|
|
|
|
endif # Mail::SpamAssassin::Plugin::Shortcircuit
|
|
|
|
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
|
|
|
|
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ autolearn=_AUTOLEARN_ version=_VERSION_
|
|
|
|
# enable SPF plugin
|
|
loadplugin Mail::SpamAssassin::Plugin::SPF
|
|
|
|
# disable suspicious IADB stuff (they whitelisted some spam mails)
|
|
score __RCVD_IN_IADB 0
|
|
|
|
# reduce the positive weight of returnpath CERTIFIED/SAFE results
|
|
score RCVD_IN_RP_CERTIFIED -0.01 # default -3
|
|
score RCVD_IN_RP_SAFE -0.001 # default -2
|
|
|
|
# increase scores of some rules
|
|
score RCVD_IN_BL_SPAMCOP_NET 3.5
|
|
score RCVD_IN_SBL 3.5
|
|
score RCVD_IN_XBL 3.5
|
|
score URIBL_DBL_SPAM 3.5
|
|
score URIBL_SBL 3.5
|
|
score URIBL_BLACK 3.0
|
|
score URIBL_SBL_A 1.0
|
|
score RCVD_IN_SORBS_SPAM 3.5
|
|
score RCVD_IN_BRBL_LASTEXT 2.0
|
|
score URIBL_ABUSE_SURBL 2.0
|
|
score SPF_HELO_SOFTFAIL 0.25
|
|
score SPF_HELO_FAIL 0.5
|
|
score SPF_SOFTFAIL 0.25
|
|
score SPF_FAIL 0.5
|
|
|
|
score RDNS_NONE 3.5
|
|
score RDNS_DYNAMIC 1.6
|
|
score HELO_MISC_IP 0.25
|
|
score UNPARSEABLE_RELAY 1.0
|
|
score FREEMAIL_FORGED_REPLYTO 2.0
|
|
|
|
score BAYES_00 -1.0
|
|
score BAYES_05 -0.5
|
|
score BAYES_20 0
|
|
score BAYES_40 1.0
|
|
score BAYES_50 1.25
|
|
#score BAYES_60 3.0
|
|
#score BAYES_80 3.5
|
|
#score BAYES_90 4.0
|
|
#score BAYES_95 4.9
|
|
#score BAYES_99 5.0
|
|
|
|
score MISSING_HEADERS 1.3
|
|
score LOTS_OF_MONEY 0.5
|
|
score FREEMAIL_FROM 0.5
|
|
score DKIM_INVALID 1.0
|
|
|
|
score MONEY_FRAUD_3 0.75
|
|
score MONEY_FRAUD_5 1.0
|
|
score MONEY_FRAUD_8 1.25
|
|
|
|
score UPPERCASE_50_75 2.5
|
|
score UPPERCASE_75_100 3.0
|
|
|
|
# NIX
|
|
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
|
|
describe RCVD_IN_NIX_SPAM Listed in NIX-SPAM DNSBL (www.dnsbl.manitu.net)
|
|
tflags RCVD_IN_NIX_SPAM net
|
|
score RCVD_IN_NIX_SPAM 3.5
|
|
|
|
# extremely long subjects
|
|
header LOCAL_LONG_SUBJECT_250 Subject =~ /^.{250,}/
|
|
describe LOCAL_LONG_SUBJECT_250 Subject field is extremely large (>250)
|
|
score LOCAL_LONG_SUBJECT_250 3.5
|
|
|
|
header LOCAL_LONG_SUBJECT_500 Subject =~ /^.{500,}/
|
|
describe LOCAL_LONG_SUBJECT_500 Subject field is extremely large (>500)
|
|
score LOCAL_LONG_SUBJECT_500 2.1
|
|
|
|
header LOCAL_SUBJECT_EXCLAMATION Subject =~ /!!!$/
|
|
score LOCAL_SUBJECT_EXCLAMATION 2
|
|
|
|
header LOCAL_EMPTY_SUBJECT Subject =~ /^\s*$/
|
|
score LOCAL_EMPTY_SUBJECT 1
|
|
|
|
body LOCAL_FAKE_OFFICE /180 Sansome Street/
|
|
score LOCAL_FAKE_OFFICE 1
|
|
|
|
# date tld
|
|
header LOCAL_DATE_TLD From =~ /\@.*?\.date/i
|
|
describe LOCAL_DATE_TLD Sender address is from a .date TLD
|
|
score LOCAL_DATE_TLD 1.0
|
|
|
|
# bitcoin
|
|
header __LOCAL_BITCOIN_SUBJ Subject =~ /\b(bitcoin)\b/i
|
|
body __LOCAL_BITCOIN_BODY /\b(bitcoin|BTC)\b/i
|
|
meta LOCAL_BITCOIN ((__LOCAL_BITCOIN_SUBJ + __LOCAL_BITCOIN_BODY) > 0)
|
|
describe LOCAL_BITCOIN Contains bitcoin keywords in body and/or subject
|
|
score LOCAL_BITCOIN 1.5
|
|
|
|
header LOCAL_VIDEO_SUBJECT Subject =~ /\.mp4\b/
|
|
score LOCAL_VIDEO_SUBJECT 0.75
|
|
|
|
meta LOCAL_VIDEO_EXTORTION ((LOCAL_VIDEO_SUBJECT && LOCAL_BITCOIN))
|
|
score LOCAL_VIDEO_EXTORTION 1.5
|
|
|
|
header __LOCAL_ARABIC_STUDENT From =~ /student.*1\./
|
|
header __LOCAL_ARABIC_STUDENT_MAILER X-Mailer =~ /^MBM 7\.9-US$/
|
|
meta LOCAL_ARABIC_STUDENT (__LOCAL_ARABIC_STUDENT && __LOCAL_ARABIC_STUDENT_MAILER)
|
|
score LOCAL_ARABIC_STUDENT 2
|
|
|
|
header LOCAL_SPAM1 Subject =~ /Reclame sus facturas impagadas/
|
|
score LOCAL_SPAM1 2.5
|
|
|
|
header LOCAL_ANON_HACKER From =~ /(anoniemehacker.club|hackeranonim.top)/
|
|
score LOCAL_ANON_HACKER 2.5
|
|
|
|
# Attachments
|
|
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
|
|
|
|
mimeheader ZIP_ATTACHED Content-Type =~ /zip/i
|
|
describe ZIP_ATTACHED email contains a zip attachment
|
|
score ZIP_ATTACHED 1.0
|
|
|
|
mimeheader MSWORD_ATTACHED Content-Type =~ /ms-?word/i
|
|
describe MSWORD_ATTACHED email contains a msword attachment
|
|
score MSWORD_ATTACHED 1.0
|
|
|
|
### whitelist / negative rules for some senders ###
|
|
|
|
# whitelist abuse reports
|
|
header LOCAL_ABUSE_FROM From =~ /abuse@.*/
|
|
score LOCAL_ABUSE_FROM -2
|
|
|
|
header LOCAL_ABUSE_REPLY_TO Reply-To =~ /abuse@.*/
|
|
score LOCAL_ABUSE_REPLY_TO -2
|
|
|
|
header LOCAL_ABUSE_TO To =~ /abuse@.*/
|
|
score LOCAL_ABUSE_TO -2
|
|
|
|
##################################################
|
|
# from: https://forum.hetzner.de/thread/24022-spamassassin-filterregel/?postID=243392#post243392
|
|
add_header all BL-Results "_RBL_"
|
|
### Senderbase Reputation checks (rf.senderbase.org)
|
|
header __R_SB_FR eval:check_rbl_txt('rf.senderbase.org-lastexternal','rf.senderbase.org')
|
|
describe __R_SB_FR IP reputation of the sender at SenderBase
|
|
tflags __R_SB_FR net
|
|
reuse __R_SB_FR
|
|
|
|
|
|
header R_SB_R_NEG3 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^-[3-9]\.')
|
|
describe R_SB_R_NEG3 SenderBase Reputation is -3 to -10
|
|
score R_SB_R_NEG3 5
|
|
reuse R_SB_R_NEG3
|
|
|
|
|
|
header R_SB_R_NEU0 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^-[0-2]\.')
|
|
describe R_SB_R_NEU0 SenderBase Reputation is 0 to -2.9
|
|
score R_SB_R_NEU0 2
|
|
reuse R_SB_R_NEU0
|
|
|
|
|
|
header R_SB_R_POS1 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^[0-3]\.')
|
|
describe R_SB_R_POS1 SenderBase Reputation is 0 - 2.9
|
|
score R_SB_R_POS1 0.1
|
|
reuse R_SB_R_POS1
|
|
|
|
|
|
header R_SB_FR_POS3 eval:check_rbl_sub('rf.senderbase.org-lastexternal', '^[3-9]\.')
|
|
describe R_SB_FR_POS3 SenderBase Reputation is 3.0 - 9.9
|
|
score R_SB_FR_POS3 -0.5
|
|
reuse R_SB_FR_POS3
|
|
###################################################
|
|
|
|
ifplugin Mail::SpamAssassin::Plugin::AskDNS
|
|
|
|
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*none \s*(?:;|\z)/x
|
|
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*quarantine \s*(?:;|\z)/x
|
|
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*reject \s*(?:;|\z)/x
|
|
askdns __DMARC_ADKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* adkim\s*=\s*s \s*(?:;|\z)/x
|
|
|
|
# some common email domains that sign with the author domain
|
|
header __DMARC_SIMPLE_DKIM From:addr =~ /\@(?:gmail\.com|yahoo\.(?:com|\w\w|co\.\w\w))$/i
|
|
meta __DMARC_TESTS_FAIL !( DKIM_VALID_AU || DKIM_VALID && !__DMARC_ADKIM_S && !__DMARC_SIMPLE_DKIM || __HAS_LIST_ID && DKIM_SIGNED || SPF_PASS)
|
|
meta __DMARC_TESTS_PASS DKIM_VALID_AU && SPF_PASS
|
|
|
|
# TODO: increase scores if testing period is over and was successful
|
|
|
|
|
|
meta DMARC_FAIL_REJECT __DMARC_TESTS_FAIL && __DMARC_POLICY_REJECT
|
|
describe DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
|
|
score DMARC_FAIL_REJECT 1.5
|
|
|
|
meta DMARC_FAIL_QUAR __DMARC_TESTS_FAIL && __DMARC_POLICY_QUAR
|
|
describe DMARC_FAIL_QUAR DMARC validation failed and policy is quarantine
|
|
#score DMARC_FAIL_QUAR 1.0
|
|
score DMARC_FAIL_QUAR 0.5
|
|
|
|
meta DMARC_FAIL_NONE __DMARC_TESTS_FAIL && __DMARC_POLICY_NONE
|
|
describe DMARC_FAIL_NONE DMARC validation failed and policy is none
|
|
score DMARC_FAIL_NONE 0.25
|
|
|
|
|
|
meta DMARC_PASS_REJECT __DMARC_TESTS_PASS && __DMARC_POLICY_REJECT
|
|
describe DMARC_PASS_REJECT DMARC validation passed and policy is to reject
|
|
tflags DMARC_PASS_REJECT nice
|
|
score DMARC_PASS_REJECT -1.0
|
|
|
|
meta DMARC_PASS_QUAR __DMARC_TESTS_PASS && __DMARC_POLICY_QUAR
|
|
describe DMARC_PASS_QUAR DMARC validation passed and policy is quarantine
|
|
tflags DMARC_PASS_QUAR nice
|
|
score DMARC_PASS_QUAR -0.5
|
|
|
|
meta DMARC_PASS_NONE __DMARC_TESTS_PASS && __DMARC_POLICY_NONE
|
|
describe DMARC_PASS_NONE DMARC validation passed and policy is none
|
|
tflags DMARC_PASS_NONE nice
|
|
score DMARC_PASS_NONE -0.1
|
|
|
|
|
|
meta DMARC_REJ_NO_DKIM __DMARC_POLICY_REJECT && !DKIM_SIGNED
|
|
describe DMARC_REJ_NO_DKIM DMARC policy is reject without any DKIM signatures
|
|
score DMARC_REJ_NO_DKIM 1.0
|
|
|
|
meta DMARC_QUAR_NO_DKIM __DMARC_POLICY_QUAR && !DKIM_SIGNED
|
|
describe DMARC_QUAR_NO_DKIM DMARC policy is quarantine without any DKIM signatures
|
|
score DMARC_QUAR_NO_DKIM 1.0
|
|
|
|
# some temporary informational rules
|
|
meta T_DMARC_TESTS_FAIL __DMARC_TESTS_FAIL
|
|
meta T_DMARC_TESTS_PASS __DMARC_TESTS_PASS
|
|
meta T_DMARC_POLICY_NONE __DMARC_POLICY_NONE
|
|
meta T_DMARC_POLICY_QUAR __DMARC_POLICY_QUAR
|
|
meta T_DMARC_POLICY_REJECT __DMARC_POLICY_REJECT
|
|
meta T_DMARC_ADKIM_STRICT __DMARC_ADKIM_STRICT
|
|
meta T_DMARC_SIMPLE_DKIM __DMARC_SIMPLE_DKIM
|
|
|
|
endif
|