commit ae8f199: [Rules] Add VIOLATED_DIRECT_SPF composite
Vsevolod Stakhov
vsevolod at highsecure.ru
Tue Jan 15 18:07:03 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-01-15 18:05:25 +0000
URL: https://github.com/rspamd/rspamd/commit/ae8f1997198be36340efb8a1d291e0339b1486c3 (HEAD -> master)
[Rules] Add VIOLATED_DIRECT_SPF composite
---
conf/composites.conf | 233 ++++++++++++++++++++++++++-------------------------
1 file changed, 120 insertions(+), 113 deletions(-)
diff --git a/conf/composites.conf b/conf/composites.conf
index 09ae5c156..976225db1 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -16,118 +16,125 @@
composites {
- FORGED_RECIPIENTS_MAILLIST {
- expression = "FORGED_RECIPIENTS & -MAILLIST";
- }
- FORGED_SENDER_MAILLIST {
- expression = "FORGED_SENDER & -MAILLIST";
- }
- FORGED_SENDER_FORWARDING {
- expression = "FORGED_SENDER & g:forwarding";
- description = "Forged sender, but message is forwarded";
- policy = "remove_weight";
- }
- SPF_FAIL_FORWARDING {
- expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
- policy = "remove_weight";
- }
- DMARC_POLICY_ALLOW_WITH_FAILURES {
- expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
- policy = "remove_weight";
- }
- FORGED_RECIPIENTS_FORWARDING {
- expression = "FORGED_RECIPIENTS & g:forwarding";
- policy = "remove_weight";
- }
- FORGED_SENDER_VERP_SRS {
- expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
- }
- FORGED_MUA_MAILLIST {
- expression = "g:mua & -MAILLIST";
- }
- RBL_SPAMHAUS_XBL_ANY {
- expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
- description = "From and Received address are listed in Spamhaus XBL";
- }
- AUTH_NA {
- expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
- score = 1.0;
- policy = "remove_weight";
- description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
- }
- DKIM_MIXED {
- expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
- policy = "remove_weight";
- }
- MAIL_RU_MAILER_BASE64 {
- expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
- }
- YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
- expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
- }
- MAILER_1C_8_BASE64 {
- expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
- description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
- }
- HACKED_WP_PHISHING {
- expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
- description = "Phish message sent by hacked Wordpress instance";
- policy = "leave";
- }
- COMPROMISED_ACCT_BULK {
- expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
- description = "Likely to be from a compromised account";
- score = 3.0;
- policy = "leave";
- }
- UNDISC_RCPTS_BULK {
- expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
- description = "Missing or undisclosed recipients with a bulk signature";
- score = 3.0;
- policy = "leave";
- }
- RCVD_UNAUTH_PBL {
- expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH";
- description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
- score = 2.0;
- policy = "leave";
- }
- RCVD_DKIM_ARC_DNSWL_MED {
- expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
- description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
- score = -0.5;
- policy = "leave";
- }
- RCVD_DKIM_ARC_DNSWL_HI {
- expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
- description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
- score = -1.0;
- policy = "leave";
- }
- AUTOGEN_PHP_SPAMMY {
- expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
- description = "Message was generated by PHP script and contains some spam indicators";
- score = 1.0;
- policy = "leave";
- }
- PHISH_EMOTION {
- expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
- description = "Phish message with subject trying to address users emotion";
- score = 1.0;
- policy = "leave";
- }
- HAS_ANON_DOMAIN {
- expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
- description = "Contains one or more domains trying to disguise owner/destination";
- score = 0.1;
- policy = "leave";
- }
- BAD_REP_POLICIES {
- description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
- expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
- score = 0.1;
- }
+ FORGED_RECIPIENTS_MAILLIST {
+ expression = "FORGED_RECIPIENTS & -MAILLIST";
+ }
+ FORGED_SENDER_MAILLIST {
+ expression = "FORGED_SENDER & -MAILLIST";
+ }
+ FORGED_SENDER_FORWARDING {
+ expression = "FORGED_SENDER & g:forwarding";
+ description = "Forged sender, but message is forwarded";
+ policy = "remove_weight";
+ }
+ SPF_FAIL_FORWARDING {
+ expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
+ policy = "remove_weight";
+ }
+ DMARC_POLICY_ALLOW_WITH_FAILURES {
+ expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL | R_DKIM_REJECT)";
+ policy = "remove_weight";
+ }
+ FORGED_RECIPIENTS_FORWARDING {
+ expression = "FORGED_RECIPIENTS & g:forwarding";
+ policy = "remove_weight";
+ }
+ FORGED_SENDER_VERP_SRS {
+ expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
+ }
+ FORGED_MUA_MAILLIST {
+ expression = "g:mua & -MAILLIST";
+ }
+ RBL_SPAMHAUS_XBL_ANY {
+ expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
+ description = "From and Received address are listed in Spamhaus XBL";
+ }
+ AUTH_NA {
+ expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
+ score = 1.0;
+ policy = "remove_weight";
+ description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
+ }
+ DKIM_MIXED {
+ expression = "-R_DKIM_ALLOW & (R_DKIM_DNSFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
+ policy = "remove_weight";
+ }
+ MAIL_RU_MAILER_BASE64 {
+ expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+ }
+ YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
+ expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
+ }
+ MAILER_1C_8_BASE64 {
+ expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
+ description = "Message was sent by '1C:Enterprise 8' and uses base64 encoded data";
+ }
+ HACKED_WP_PHISHING {
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
+ description = "Phish message sent by hacked Wordpress instance";
+ policy = "leave";
+ }
+ COMPROMISED_ACCT_BULK {
+ expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
+ description = "Likely to be from a compromised account";
+ score = 3.0;
+ policy = "leave";
+ }
+ UNDISC_RCPTS_BULK {
+ expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
+ description = "Missing or undisclosed recipients with a bulk signature";
+ score = 3.0;
+ policy = "leave";
+ }
+ RCVD_UNAUTH_PBL {
+ expression = "RECEIVED_PBL & -RCVD_VIA_SMTP_AUTH";
+ description = "Relayed through ZEN PBL IP without sufficient authentication (possible indicating an open relay)";
+ score = 2.0;
+ policy = "leave";
+ }
+ RCVD_DKIM_ARC_DNSWL_MED {
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
+ description = "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL";
+ score = -0.5;
+ policy = "leave";
+ }
+ RCVD_DKIM_ARC_DNSWL_HI {
+ expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
+ description = "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL";
+ score = -1.0;
+ policy = "leave";
+ }
+ AUTOGEN_PHP_SPAMMY {
+ expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
+ description = "Message was generated by PHP script and contains some spam indicators";
+ score = 1.0;
+ policy = "leave";
+ }
+ PHISH_EMOTION {
+ expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+ description = "Phish message with subject trying to address users emotion";
+ score = 1.0;
+ policy = "leave";
+ }
+ HAS_ANON_DOMAIN {
+ expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR | HAS_ONION_URI";
+ description = "Contains one or more domains trying to disguise owner/destination";
+ score = 0.1;
+ policy = "leave";
+ }
+ BAD_REP_POLICIES {
+ description = "Contains valid policies but are also marked by fuzzy/bayes/surbl/rbl";
+ expression = "(~g-:policies) & (-g+:fuzzy | -g+:bayes | -g+:surbl | -g+:rbl)";
+ score = 0.1;
+ }
- .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
- .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
+ VIOLATED_DIRECT_SPF {
+ description = "Has no Received (or no trusted received relays) and SPF policy fails or soft fails";
+ expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST)";
+ policy = "leave";
+ score = 3.5;
+ }
+
+ .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
+ .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
}
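Review bot: VIOLATED_DIRECT_SPF at the end of the hunk does not exclude the cases the neighbouring composites already treat as benign: SPF_FAIL_FORWARDING and DMARC_POLICY_ALLOW_WITH_FAILURES remove the weight of R_SPF_FAIL/R_SPF_SOFTFAIL for forwarded or DMARC-passing mail, yet this composite (policy "leave") still adds 3.5 whenever the last hop lacks TLS, which is common for forwarders. Consider `expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO | RCVD_NO_TLS_LAST) & -DMARC_POLICY_ALLOW & -g:forwarding";` so a DKIM-aligned DMARC pass or a known forwarder does not pick up the full penalty on top of the SPF symbol. The description speaks of "no trusted received relays", but the symbol the expression actually tests is RCVD_NO_TLS_LAST, which by its name is about a cleartext last hop rather than relay trust; if that reading is right the text should say so, e.g. `description = "No Received headers (or cleartext last hop) and SPF policy fails or soft fails";`. A 3.5 score for softfail plus a cleartext last hop also looks heavy next to the 2.0 on RCVD_UNAUTH_PBL in the same file, so it is worth checking corpus hit rates before this ships in the default config.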