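# Matches when MX_GOOD and MX_MISSING are both present and gives the pair a
# near-zero negative score. No policy is set, so the default composite
# behaviour applies: the two matched symbols and their weights are replaced
# by this composite.
# NOTE(review): MX_GOOD and MX_MISSING are defined outside this file; confirm
# the condition under which both can fire for one message.
MX_IMPLICIT {
  expression = "MX_GOOD & MX_MISSING";
  score = -0.01;
}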
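# Virus verdict: CLAM_VIRUS on a message that does not carry MAILCOW_WHITE
# scores 2000, far above every other score visible in this file.
# NOTE(review): the !MAILCOW_WHITE term exempts whitelisted mail from this
# composite even when CLAM_VIRUS fired. How MAILCOW_WHITE is matched is not
# visible here; if it keys on a sender address or domain that is not
# authenticated, a forged sender would also skip the virus score. Confirm that
# the exemption is intended for malware hits and keep the whitelist narrow.
VIRUS_FOUND {
  expression = "CLAM_VIRUS & !MAILCOW_WHITE";
  score = 2000.0;
}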
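# Bad policy from free mail providers
# Fires for a freemail sender (FREEMAIL_FROM) when DMARC_POLICY_ALLOW is
# absent, the message is neither list traffic (MAILLIST) nor from a
# whitelisted forward host, and at least one positively scored symbol of the
# "policies" group is present.
# Operator notes: "g+:policies" selects symbols of that group with a positive
# score; the leading "-" keeps the matched symbols and their weights, so the
# 16.0 is added on top of the individual policy failures.
FREEMAIL_POLICY_FAILURE {
  expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST& !WHITELISTED_FWD_HOST & -g+:policies";
  score = 16.0;
}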
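# Applies to freemail with undisclosed recipients
# Fires for a freemail sender when the To header is missing (MISSING_TO), the
# recipients are undisclosed (R_UNDISC_RCPT) or To equals From (TO_EQ_FROM).
# No policy is set, so the matched symbols and their weights are replaced by
# this composite's 5.0.
FREEMAIL_TO_UNDISC_RCPT {
  expression = "FREEMAIL_FROM & ( MISSING_TO | R_UNDISC_RCPT | TO_EQ_FROM )";
  score = 5.0;
}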
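# Bad policy from non-whitelisted senders
# Remove SOGO_CONTACT symbol for fwd hosts and senders with broken policy
# Force-removes SOGO_CONTACT ("^" drops symbol and weight even if another
# composite wants to keep it) when DMARC_POLICY_ALLOW is absent and the message
# either came through a whitelisted forward host or carries a positively
# scored "policies" symbol. The "-" terms are kept untouched. No score is set
# on the composite itself.
# NOTE(review): presumably SOGO_CONTACT is a trust bonus for known address-book
# contacts; this rule then stops a sender that fails authentication from
# inheriting that bonus. Confirm against the SOGO_CONTACT definition.
SOGO_CONTACT_EXCLUDE {
  expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW";
}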
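# Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
# Fires when MAILCOW_DOMAIN_HEADER_FROM is set, a positively scored "policies"
# symbol is present, and none of the exemption symbols (MAILCOW_AUTH,
# MAILCOW_WHITE, RSPAMD_HOST, SIEVE_HOST, WHITELISTED_FWD_HOST) is present.
# The "-" prefix keeps the policy symbols, so 50.0 is added to them.
# NOTE(review): every exemption in this expression switches the spoofing check
# off completely. The definitions of MAILCOW_WHITE and WHITELISTED_FWD_HOST are
# not visible here; verify that neither can be satisfied by an unauthenticated
# header or envelope value alone.
SPOOFED_UNAUTH {
  expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
  score = 50.0;
}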
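# Only apply to inbound unauthed and not whitelisted
# Adds 20.0 when OLETOOLS fired on a message that carries neither MAILCOW_AUTH
# nor MAILCOW_WHITE.
# policy = "remove_weight" strips the weight of the matched OLETOOLS symbol but
# leaves the symbol itself in the result, so the scan finding stays visible in
# history and headers while the score comes from this composite.
# NOTE(review): authenticated and whitelisted senders are not scored by this
# rule at all; confirm that OLETOOLS keeps its own weight for them, otherwise
# macro documents from a compromised local account pass unscored.
OLEFY_MACRO {
  expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & OLETOOLS";
  score = 20.0;
  policy = "remove_weight";
}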
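# Applies to a content filter map
# Fires when FISHY_TLD is present together with BAD_WORDS or BAD_WORDS_DE.
# No policy is set, so the matched symbols and their weights are replaced by
# this composite's 10.0.
# NOTE(review): the maps behind FISHY_TLD, BAD_WORDS and BAD_WORDS_DE are
# defined elsewhere; their content decides how broad this rule is.
BAD_WORD_BAD_TLD {
  expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )";
  score = 10.0;
}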
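# Forged with bad policies and not fwd host, keep bad policy symbols
# Fires when a positively scored "policies" symbol or R_SPF_NA is present
# together with FROM_NEQ_ENVFROM or FORGED_SENDER, the message is not from a
# whitelisted forward host and DMARC_POLICY_ALLOW is absent.
# Operator notes: "-" keeps the policy symbols and their weights; "~" removes
# only the symbol name of FROM_NEQ_ENVFROM / FORGED_SENDER while preserving its
# weight. The composite adds 3.0 on top.
FORGED_W_BAD_POLICY {
  expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM | ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST & !DMARC_POLICY_ALLOW";
  score = 3.0;
}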
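# Keep negative (good) scores for rbl, policies and hfilter, disable neural group
# For mail from a whitelisted forward host this force-removes ("^") every
# positively scored symbol of the rbl, policies and hfilter groups and every
# symbol of the neural group ("g:" matches regardless of sign). The
# WHITELISTED_FWD_HOST symbol itself is kept ("-"). No score is set.
# NOTE(review): for these hosts blocklist hits and sender-policy failures no
# longer contribute to the score, so filtering relies on what the forwarding
# host already did and on the remaining content checks. The forward host list
# should contain only relays that are trusted to filter their own traffic.
WL_FWD_HOST {
  expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)";
}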
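# Exclude X-Spam like flags from scoring from fwd and sieve hosts
# When SIEVE_HOST or WHITELISTED_FWD_HOST is present, force-removes ("^") the
# upstream spam markers UNITEDINTERNET_SPAM, SPAM_FLAG, KLMS_SPAM, AOL_SPAM and
# MICROSOFT_SPAM. The host symbols are kept ("-"). No score is set.
# NOTE(review): this discards a spam verdict that an upstream system already
# attached to the message; confirm that is wanted for every host on the
# forward list, since the same hosts also skip several other checks in this
# file.
UPSTREAM_CHECKS_EXCLUDE_FWD_HOST {
  expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)";
}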
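# Remove fuzzy group from bounces
# When BOUNCE is present, force-removes ("^") every positively scored symbol of
# the fuzzy group; BOUNCE itself is kept ("-"). No score is set.
# NOTE(review): presumably this avoids penalising bounces that quote a
# previously reported message — confirm against the BOUNCE definition.
BOUNCE_FUZZY {
  expression = "-BOUNCE & ^g+:fuzzy";
}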
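# Remove bayes ham if fuzzy denied
# When any of FUZZY_DENIED, MAILCOW_FUZZY_DENIED or LOCAL_FUZZY_DENIED is
# present, force-removes ("^") the statistical ham verdicts BAYES_HAM,
# NEURAL_HAM_LONG and NEURAL_HAM_SHORT so they cannot offset the fuzzy hit.
# The fuzzy symbols are kept ("-"). No score is set.
FUZZY_HAM_MISMATCH {
  expression = "( -FUZZY_DENIED | -MAILCOW_FUZZY_DENIED | -LOCAL_FUZZY_DENIED ) & ( ^BAYES_HAM | ^NEURAL_HAM_LONG | ^NEURAL_HAM_SHORT )";
}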
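# Remove bayes spam if local fuzzy white
# When LOCAL_FUZZY_WHITE is present, force-removes ("^") the statistical spam
# verdicts BAYES_SPAM, NEURAL_SPAM_LONG and NEURAL_SPAM_SHORT. The fuzzy symbol
# is kept ("-"). No score is set.
# NOTE(review): a match in the local fuzzy whitelist therefore silences both
# classifiers; who can add hashes to that storage is not visible here and is
# worth checking.
FUZZY_SPAM_MISMATCH {
  expression = "( -LOCAL_FUZZY_WHITE ) & ( ^BAYES_SPAM | ^NEURAL_SPAM_LONG | ^NEURAL_SPAM_SHORT )";
}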
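# For mail from a whitelisted forward host, force-removes ("^") positively
# scored rbl, policies and hfilter symbols and the whole neural group.
# NOTE(review): a composite with this same name and the same expression is
# already defined earlier in this file; one of the two looks redundant. Keep a
# single definition so a later edit to one copy cannot silently diverge from
# the other.
WL_FWD_HOST {
  expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)";
}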
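# Fires when CHAT_VERSION_HEADER and ENCRYPTED_PGP are both present. No score
# and no policy are set, so with the default policy the two matched symbols and
# their weights are replaced by this zero-weight composite.
# NOTE(review): presumably this keeps PGP-encrypted chat-over-email messages
# from being scored for being encrypted — confirm against the symbol
# definitions, which are outside this file.
ENCRYPTED_CHAT {
  expression = "CHAT_VERSION_HEADER & ENCRYPTED_PGP";
}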
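# Adds 5 when CLAM_SECI_SPAM is present on a message without MAILCOW_WHITE.
# NOTE(review): "Securite" in the description presumably refers to a
# third-party ClamAV signature set that flags spam — confirm where
# CLAM_SECI_SPAM is produced. Whitelisted mail is exempt from this rule.
CLAMD_SPAM_FOUND {
  expression = "CLAM_SECI_SPAM & !MAILCOW_WHITE";
  description = "Probably Spam, Securite Spam Flag set through ClamAV";
  score = 5;
}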
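# Adds 8 when CLAM_SECI_PDF is present on a message without MAILCOW_WHITE.
# NOTE(review): this is a scanner finding on an attachment, yet the
# !MAILCOW_WHITE term exempts whitelisted mail. If the whitelist can match on
# an unauthenticated sender value, a forged sender skips this score; confirm
# the exemption is intended.
CLAMD_BAD_PDF {
  expression = "CLAM_SECI_PDF & !MAILCOW_WHITE";
  description = "Bad PDF Found, Securite bad PDF Flag set through ClamAV";
  score = 8;
}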
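# Adds 8 when CLAM_SECI_JPG is present on a message without MAILCOW_WHITE.
# NOTE(review): this is a scanner finding on an attachment, yet the
# !MAILCOW_WHITE term exempts whitelisted mail. If the whitelist can match on
# an unauthenticated sender value, a forged sender skips this score; confirm
# the exemption is intended.
CLAMD_BAD_JPG {
  expression = "CLAM_SECI_JPG & !MAILCOW_WHITE";
  description = "Bad JPG Found, Securite bad JPG Flag set through ClamAV";
  score = 8;
}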
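# Adds 8 when CLAM_SECI_ASCII is present on a message without MAILCOW_WHITE.
# NOTE(review): the description calls this a malware finding, but the score is
# the same 8 as the other CLAMD_* content rules and far below the 2000 used for
# CLAM_VIRUS in this file, so on its own it only adds to the total. Whitelisted
# mail is exempt; confirm both choices are intended.
CLAMD_ASCII_MALWARE {
  expression = "CLAM_SECI_ASCII & !MAILCOW_WHITE";
  description = "ASCII malware found, Securite ASCII malware Flag set through ClamAV";
  score = 8;
}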
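# Adds 8 when CLAM_SECI_HTML is present on a message without MAILCOW_WHITE.
# NOTE(review): the description calls this a malware finding, but the score is
# the same 8 as the other CLAMD_* content rules and far below the 2000 used for
# CLAM_VIRUS in this file, so on its own it only adds to the total. Whitelisted
# mail is exempt; confirm both choices are intended.
CLAMD_HTML_MALWARE {
  expression = "CLAM_SECI_HTML & !MAILCOW_WHITE";
  description = "HTML malware found, Securite HTML malware Flag set through ClamAV";
  score = 8;
}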
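# Adds 8 when CLAM_SECI_JS is present on a message without MAILCOW_WHITE.
# NOTE(review): the description calls this a malware finding, but the score is
# the same 8 as the other CLAMD_* content rules and far below the 2000 used for
# CLAM_VIRUS in this file, so on its own it only adds to the total. Whitelisted
# mail is exempt; confirm both choices are intended.
CLAMD_JS_MALWARE {
  expression = "CLAM_SECI_JS & !MAILCOW_WHITE";
  description = "JS malware found, Securite JS malware Flag set through ClamAV";
  score = 8;
}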