MX_IMPLICIT { expression = "MX_GOOD & MX_MISSING"; score = -0.01; } VIRUS_FOUND { expression = "CLAM_VIRUS & !MAILCOW_WHITE"; score = 2000.0; } # Bad policy from free mail providers FREEMAIL_POLICY_FAILURE { expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST& !WHITELISTED_FWD_HOST & -g+:policies"; score = 16.0; } # Applies to freemail with undisclosed recipients FREEMAIL_TO_UNDISC_RCPT { expression = "FREEMAIL_FROM & ( MISSING_TO | R_UNDISC_RCPT | TO_EQ_FROM )"; score = 5.0; } # Bad policy from non-whitelisted senders # Remove SOGO_CONTACT symbol for fwd hosts and senders with broken policy SOGO_CONTACT_EXCLUDE { expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW"; } # Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts) SPOOFED_UNAUTH { expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies"; score = 50.0; } # Only apply to inbound unauthed and not whitelisted OLEFY_MACRO { expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & OLETOOLS"; score = 20.0; policy = "remove_weight"; } # Applies to a content filter map BAD_WORD_BAD_TLD { expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )"; score = 10.0; } # Forged with bad policies and not fwd host, keep bad policy symbols FORGED_W_BAD_POLICY { expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM | ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST & !DMARC_POLICY_ALLOW"; score = 3.0; } # Keep negative (good) scores for rbl, policies and hfilter, disable neural group WL_FWD_HOST { expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"; } # Exclude X-Spam like flags from scoring from fwd and sieve hosts UPSTREAM_CHECKS_EXCLUDE_FWD_HOST { expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)"; } # Remove fuzzy group from bounces BOUNCE_FUZZY { expression = "-BOUNCE & ^g+:fuzzy"; } # Remove bayes ham if fuzzy denied FUZZY_HAM_MISMATCH { expression = "( -FUZZY_DENIED | -MAILCOW_FUZZY_DENIED | -LOCAL_FUZZY_DENIED ) & ( ^BAYES_HAM | ^NEURAL_HAM_LONG | ^NEURAL_HAM_SHORT )"; } # Remove bayes spam if local fuzzy white FUZZY_SPAM_MISMATCH { expression = "( -LOCAL_FUZZY_WHITE ) & ( ^BAYES_SPAM | ^NEURAL_SPAM_LONG | ^NEURAL_SPAM_SHORT )"; } WL_FWD_HOST { expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"; } ENCRYPTED_CHAT { expression = "CHAT_VERSION_HEADER & ENCRYPTED_PGP"; } CLAMD_SPAM_FOUND { expression = "CLAM_SECI_SPAM & !MAILCOW_WHITE"; description = "Probably Spam, Securite Spam Flag set through ClamAV"; score = 5; } CLAMD_BAD_PDF { expression = "CLAM_SECI_PDF & !MAILCOW_WHITE"; description = "Bad PDF Found, Securite bad PDF Flag set through ClamAV"; score = 8; } CLAMD_BAD_JPG { expression = "CLAM_SECI_JPG & !MAILCOW_WHITE"; description = "Bad JPG Found, Securite bad JPG Flag set through ClamAV"; score = 8; } CLAMD_ASCII_MALWARE { expression = "CLAM_SECI_ASCII & !MAILCOW_WHITE"; description = "ASCII malware found, Securite ASCII malware Flag set through ClamAV"; score = 8; } CLAMD_HTML_MALWARE { expression = "CLAM_SECI_HTML & !MAILCOW_WHITE"; description = "HTML malware found, Securite HTML malware Flag set through ClamAV"; score = 8; } CLAMD_JS_MALWARE { expression = "CLAM_SECI_JS & !MAILCOW_WHITE"; description = "JS malware found, Securite JS malware Flag set through ClamAV"; score = 8; }