Package: rspamd
Version: 3.12.1-1
Severity: important
Dear Maintainer,
Since upgrading to Debian 13, rspamd segfaults immediately whenever Postfix
hands it an email for scanning:
2026-02-02 14:06:48 #1168822(rspamd_proxy) rspamd_crash_sig_handler:
caught fatal signal 11(Segmentation fault), pid: 1168822, trace:
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #0:
[0x7fb9ce435b56]: /usr/lib/rspamd/librspamd-server.so in
rspamd::log_backtrace()
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #1:
[0x7fb9ce4064ba]: /usr/lib/rspamd/librspamd-server.so in
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #2:
[0x7fb9cdb14def]: /lib/x86_64-linux-gnu/libc.so.6 in
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #3:
[0x7fb9ce472858]: /usr/lib/rspamd/librspamd-server.so in
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #4:
[0x7fb9ce818af5]: /lib/x86_64-linux-gnu/libluajit-5.1.so.2 in
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #5:
[0x7fb9ce879132]: /lib/x86_64-linux-gnu/libluajit-5.1.so.2 in lua_pcall
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #6:
[0x7fb9ce3612f6]: /usr/lib/rspamd/librspamd-server.so in
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #7:
[0x7fb9ce53d00b]: /usr/lib/rspamd/librspamd-server.so in
redisProcessCallbacks
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #8:
[0x7fb9ce0e1c8d]: /usr/lib/rspamd/librspamd-ev.so in ev_invoke_pending
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #9:
[0x7fb9ce0e56e3]: /usr/lib/rspamd/librspamd-ev.so in ev_run
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #10:
[0x56099f5cac25]: rspamd: rspamd_proxy process in localhost:11332
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #11:
[0x7fb9ce405aeb]: /usr/lib/rspamd/librspamd-server.so in rspamd_fork_worker
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #12:
[0x56099f5c33e0]: rspamd: rspamd_proxy process in localhost:11332
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #13:
[0x56099f5c3d6d]: rspamd: rspamd_proxy process in localhost:11332
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #14:
[0x56099f5b48a3]: rspamd: rspamd_proxy process in localhost:11332
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #15:
[0x7fb9cdafeca7]: /lib/x86_64-linux-gnu/libc.so.6 in
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #16:
[0x7fb9cdafed64]: /lib/x86_64-linux-gnu/libc.so.6 in __libc_start_main
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #17:
[0x56099f5b5030]: rspamd: rspamd_proxy process in localhost:11332
2026-02-02 14:06:48 #1168822(rspamd_proxy) log_backtrace: #18:
[0xffffffffffffffff]: [0xffffffffffffffff] in
2026-02-02 14:06:48 #1168822(rspamd_proxy) rspamd_crash_sig_handler:
please see Rspamd FAQ to learn how to dump core files and how to fill a
bug report
2026-02-02 14:06:48 #1168819(main) <86f5c4>; main; rspamd_srv_handler:
cannot read from worker's srv pipe connection closed; command =
notice_hyperscan_cache
Best regards
Richard
-- System Information:
Debian Release: 13.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.63+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rspamd depends on:
ii adduser 3.152
ii ca-certificates 20250419
ii fonts-glyphicons-halflings 1.009~3.4.1+dfsg-6
ii init-system-helpers 1.69~deb13u1
ii libarchive13t64 3.7.4-4
ii libc6 2.41-12+deb13u1
ii libgcc-s1 14.2.0-19
ii libglib2.0-0t64 2.84.4-3~deb13u2
ii libhyperscan5 5.4.2-3
ii libicu76 76.1-4
ii libjs-bootstrap5 5.3.5+dfsg-4
ii libjs-jquery 3.6.1+dfsg+~3.5.14-1
ii libjs-requirejs 2.3.7+ds+~2.1.37-1
ii libluajit-5.1-2 2.1.0+openresty20250117-2
ii libpcre2-8-0 10.46-1~deb13u1
ii libsodium23 1.0.18-1+deb13u1
ii libsqlite3-0 3.46.1-7
ii libssl3t64 3.5.4-1~deb13u1
ii libstdc++6 14.2.0-19
ii libzstd1 1.5.7+dfsg-1
ii perl 5.40.1-6
ii publicsuffix 20250328.1952-0.1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages rspamd recommends:
ii redis-server 5:8.0.2-3+deb13u1
rspamd suggests no packages.
-- Configuration Files:
/etc/logrotate.d/rspamd changed:
/var/log/rspamd/rspamd.log {
daily
rotate 14
delaycompress
compress
notifempty
missingok
postrotate
systemctl kill --signal=SIGUSR1 rspamd >/dev/null 2>&1 \
|| service rspamd reopenlog >/dev/null 2>&1 || true
endscript
}
/etc/rspamd/actions.conf changed:
actions {
reject = 15; # Reject when reaching this score
add_header = 6; # Add header when reaching this score
greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
#unknown_weight = 1.0; # Enable if you need to set a score for all symbols implicitly
# Each new symbol is added multiplied by gf^N, where N is the number of spammy symbols
#grow_factor = 1.1;
# Set rewrite subject to this value (%s is replaced by the original subject)
#subject = "***SPAM*** %s"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/actions.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/actions.conf"
}
/etc/rspamd/common.conf changed:
lua = "$RULESDIR/rspamd.lua"
.include "$CONFDIR/metrics.conf"
.include "$CONFDIR/actions.conf"
.include "$CONFDIR/groups.conf"
.include "$CONFDIR/composites.conf"
.include "$CONFDIR/statistic.conf"
.include "$CONFDIR/modules.conf"
.include "$CONFDIR/settings.conf"
.include(try=true) "$LOCAL_CONFDIR/rspamd.conf.local"
.include(try=true,priority=10) "$LOCAL_CONFDIR/rspamd.conf.local.override"
.include(try=true,priority=10) "$LOCAL_CONFDIR/rspamd.conf.override"
modules {
path = "${PLUGINSDIR}";
fallback_path = "${SHAREDIR}/lua"; # Legacy path
try_path = "${LOCAL_CONFDIR}/plugins.d/"; # User plugins
}
/etc/rspamd/composites.conf changed:
composites {
FORGED_RECIPIENTS_MAILLIST {
expression = "FORGED_RECIPIENTS & -MAILLIST";
}
FORGED_SENDER_MAILLIST {
expression = "FORGED_SENDER & -MAILLIST";
}
FORGED_SENDER_FORWARDING {
expression = "FORGED_SENDER & g:forwarding";
description = "Forged sender, but message is forwarded";
policy = "remove_weight";
}
SPF_FAIL_FORWARDING {
expression = "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)";
policy = "remove_weight";
}
DMARC_POLICY_ALLOW_WITH_FAILURES {
expression = "DMARC_POLICY_ALLOW & (R_SPF_SOFTFAIL | R_SPF_FAIL |
R_DKIM_REJECT)";
policy = "remove_weight";
}
FORGED_RECIPIENTS_FORWARDING {
expression = "FORGED_RECIPIENTS & g:forwarding";
policy = "remove_weight";
}
FORGED_SENDER_VERP_SRS {
expression = "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)";
}
FORGED_MUA_MAILLIST {
expression = "g:mua & -MAILLIST";
}
RBL_SPAMHAUS_XBL_ANY {
expression = "RBL_SPAMHAUS_XBL & RECEIVED_SPAMHAUS_XBL";
description = "From and Received address are listed in Spamhaus XBL";
}
AUTH_NA {
expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
score = 1.0;
policy = "remove_weight";
description = "Authenticating message via SPF/DKIM/DMARC/ARC not
available";
}
AUTH_NA_OR_FAIL {
expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) &
(R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA |
R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)";
score = 1.0;
policy = "remove_weight";
description = "No authenticating method SPF/DKIM/DMARC/ARC was
successful";
}
BOUNCE_NO_AUTH {
expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE |
SUBJ_BOUNCE_WORDS)";
score = 1.0;
}
DKIM_MIXED {
expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL |
R_DKIM_REJECT)"
policy = "remove_weight";
}
MAIL_RU_MAILER_BASE64 {
expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 |
MIME_BASE64_TEXT | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 |
TO_EXCESS_BASE64)";
}
YANDEX_RU_MAILER_CTYPE_MIXED_BOGUS {
expression = "YANDEX_RU_MAILER & -HAS_ATTACHMENT & CTYPE_MIXED_BOGUS";
}
MAILER_1C_8_BASE64 {
expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT
| SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
description = "Message was sent by '1C:Enterprise 8' and uses
base64 encoded data";
}
HACKED_WP_PHISHING {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI &
(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
description = "Phish message sent by hacked Wordpress instance";
policy = "leave";
}
COMPROMISED_ACCT_BULK {
expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK";
description = "Likely to be from a compromised account";
score = 3.0;
policy = "leave";
}
UNDISC_RCPTS_BULK {
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
description = "Missing or undisclosed recipients with a bulk
signature";
score = 3.0;
policy = "leave";
}
RCVD_UNAUTH_PBL {
expression = "RECEIVED_PBL & !RCVD_VIA_SMTP_AUTH";
description = "Relayed through ZEN PBL IP without sufficient
authentication (possible indicating an open relay)";
score = 2.0;
policy = "leave";
}
RCVD_DKIM_ARC_DNSWL_MED {
expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_MED";
description = "Sufficiently DKIM/ARC signed and received from IP
with medium trust at DNSWL";
score = -0.5;
policy = "leave";
}
RCVD_DKIM_ARC_DNSWL_HI {
expression = "(R_DKIM_ALLOW | ARC_ALLOW) & RCVD_IN_DNSWL_HI";
description = "Sufficiently DKIM/ARC signed and received from IP
with high trust at DNSWL";
score = -1.0;
policy = "leave";
}
AUTOGEN_PHP_SPAMMY {
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG | HAS_X_PHP_SCRIPT) &
(SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM | MANY_INVISIBLE_PARTS)";
description = "Message was generated by PHP script and contains
some spam indicators";
score = 1.0;
policy = "leave";
}
PHISH_EMOTION {
expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH |
PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
description = "Phish message with subject trying to address users
emotion";
score = 1.0;
policy = "leave";
}
HAS_ANON_DOMAIN {
expression = "HAS_GUC_PROXY_URI | URIBL_RED | DBL_ABUSE_REDIR |
HAS_ONION_URI";
description = "Contains one or more domains trying to disguise
owner/destination";
score = 0.1;
policy = "leave";
}
BAD_REP_POLICIES {
description = "Contains valid policies but are also marked by
fuzzy/bayes/surbl/rbl";
expression = "(~g-:policies) & (-g+:fuzzy | -g+:statistics |
-g+:surbl | -g+:rbl)";
score = 0.1;
}
VIOLATED_DIRECT_SPF {
description = "Has no Received (or no trusted received relays) and
SPF policy fails or soft fails";
expression = "(R_SPF_FAIL | R_SPF_SOFTFAIL) & (RCVD_COUNT_ZERO |
RCVD_NO_TLS_LAST)";
policy = "leave";
score = 3.5;
}
IP_SCORE_FREEMAIL {
description = "Negate IP_SCORE when message comes from FreeMail";
expression = "FREEMAIL_FROM & SENDER_REP_SPAM";
score = 0.0;
policy = "remove_weight";
}
BROKEN_HEADERS_MAILLIST {
description = "Negate BROKEN_HEADERS when message comes via some
mailing list";
expression = "BROKEN_HEADERS & -MAILLIST";
score = 0.0;
policy = "remove_weight";
}
LEAKED_PASSWORD_SCAM {
description = "Contains BTC wallet address and scam patterns";
expression = "BITCOIN_ADDR & (LEAKED_PASSWORD_SCAM_RE |
R_MIXED_CHARSET | R_EMPTY_IMAGE)";
policy = "leave";
score = 7.0;
group = "scams";
}
FREEMAIL_AFF {
expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM |
FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE
| FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
score = 4.0;
policy = "leave";
description = "Message exhibits strong characteristics of advance
fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
}
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/composites.conf"
}
/etc/rspamd/groups.conf changed:
group "headers" {
.include "$CONFDIR/scores.d/headers_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/headers_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/headers_group.conf"
}
group "subject" {
.include "$CONFDIR/scores.d/subject_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/subject_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/subject_group.conf"
}
group "mua" {
.include "$CONFDIR/scores.d/mua_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/mua_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/mua_group.conf"
}
group "rbl" {
.include "$CONFDIR/scores.d/rbl_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/rbl_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/rbl_group.conf"
}
group "statistics" {
.include "$CONFDIR/scores.d/statistics_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/statistics_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/statistics_group.conf"
}
group "fuzzy" {
.include "$CONFDIR/scores.d/fuzzy_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/fuzzy_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/fuzzy_group.conf"
}
group "policies" {
.include "$CONFDIR/scores.d/policies_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/policies_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/policies_group.conf"
}
group "whitelist" {
.include "$CONFDIR/scores.d/whitelist_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/whitelist_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/whitelist_group.conf"
}
group "surbl" {
.include "$CONFDIR/scores.d/surbl_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/surbl_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/surbl_group.conf"
}
group "phishing" {
.include "$CONFDIR/scores.d/phishing_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/phishing_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/phishing_group.conf"
}
group "hfilter" {
.include "$CONFDIR/scores.d/hfilter_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/hfilter_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/hfilter_group.conf"
}
group "mime_types" {
.include "$CONFDIR/scores.d/mime_types_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/mime_types_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/mime_types_group.conf"
}
group "excessqp" {
max_score = 2.4;
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/excessqp_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/excessqp_group.conf"
}
group "excessb64" {
max_score = 3.0;
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/excessb64_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/excessb64_group.conf"
}
group "neural" {
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/neural_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/neural_group.conf"
}
group "antivirus" {
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/antivirus_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/antivirus_group.conf"
}
group "external_services" {
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/external_services_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/external_services_group.conf"
}
group "content" {
.include "$CONFDIR/scores.d/content_group.conf"
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/content_group.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/content_group.conf"
}
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/groups.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf"
/etc/rspamd/metrics.conf changed:
metric {
name = "default";
.include(try=true; priority=1; duplicate=merge)
"$LOCAL_CONFDIR/local.d/metrics.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/metrics.conf"
}
/etc/rspamd/modules.conf changed:
.include(glob=true) "${CONFDIR}/modules.d/*.conf"
/etc/rspamd/modules.d/arc.conf changed:
arc {
# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = true;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = false;
# Default path to key, can include '$domain' and '$selector' variables
#path = "${DBDIR}/arc/$domain.$selector.key";
# Default selector to use
selector = "arc";
# If false, messages from authenticated users are not selected for signing
sign_authenticated = false;
# If false, inbound messages are not selected for signing
sign_inbound = true;
# If false, messages from local networks are not selected for signing
sign_local = false;
# Symbol to add when message is signed
symbol_sign = "ARC_SIGNED";
# Whether to fallback to global config
try_fallback = true;
# Domain to use for ARC signing: can be "header", "envelope" or "recipient"
use_domain = "recipient";
# Whether to normalise domains to eSLD
use_esld = true;
# Whether to get keys from Redis
use_redis = false;
# Hash for ARC keys in Redis
key_prefix = "ARC_KEYS";
# Domain specific settings
#domain {
# example.com {
# # Private key path
# path = "${DBDIR}/arc/example.key";
# # Selector
# selector = "ds";
# }
#}
.include(try=true,priority=5) "${DBDIR}/dynamic/arc.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/arc.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/arc.conf"
}
/etc/rspamd/modules.d/aws_s3.conf changed:
aws_s3 {
# Required attributes
#s3_bucket = 'xxx';
s3_region = 'us-east-1';
s3_host = 's3.amazonaws.com';
#s3_secret_key = 'xxx';
#s3_key_id = 'xxx';
# Enable in local.d/aws_s3.conf
enabled = false;
.include(try=true,priority=5) "${DBDIR}/dynamic/aws_s3.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/aws_s3.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/aws_s3.conf"
}
/etc/rspamd/modules.d/bimi.conf changed:
bimi {
# Required attributes
#helper_url = "http://127.0.0.1:3030",
helper_timeout = 5s;
helper_sync = true;
vmc_only = true;
redis_prefix = 'rs_bimi';
redis_min_expiry = 24h;
# Enable in local.d/bimi.conf
enabled = false;
.include(try=true,priority=5) "${DBDIR}/dynamic/bimi.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/bimi.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/bimi.conf"
}
/etc/rspamd/modules.d/clickhouse.conf changed:
clickhouse {
# Push update when 1000 records are collected (1000 if unset)
limit = 1000;
# IP:port of Clickhouse server
# server = "localhost:8123";
# Timeout to wait for response (5 seconds if unset)
timeout = 5;
# How many bits of sending IP to mask in logs for IPv4 (19 if unset)
ipmask = 19;
# How many bits of sending IP to mask in logs for IPv6 (48 if unset)
ipmask6 = 48;
# Record URL paths? (default false)
full_urls = false;
# This parameter points to a map of domain names
# If a message has a domain in this map in From: header and DKIM signature,
# record general metadata in a table named after the domain
#from_tables = "/etc/rspamd/clickhouse_from.map";
# These are symbols of other checks in Rspamd
# Set these if you use non-default symbol names (unlikely)
#bayes_spam_symbols = ["BAYES_SPAM"];
#bayes_ham_symbols = ["BAYES_HAM"];
#fann_symbols = ["FANN_SCORE"];
#fuzzy_symbols = ["FUZZY_DENIED"];
#whitelist_symbols = ["WHITELIST_DKIM", "WHITELIST_SPF_DKIM",
"WHITELIST_DMARC"];
#dkim_allow_symbols = ["R_DKIM_ALLOW"];
#dkim_reject_symbols = ["R_DKIM_REJECT"];
#dmarc_allow_symbols = ["DMARC_POLICY_ALLOW"];
#dmarc_reject_symbols = ["DMARC_POLICY_REJECT",
"DMARC_POLICY_QUARANTINE"];
#retention {
# # disabled by default
# enable = true;
# # drop | detach, please refer to ClickHouse docs for details
# # http://clickhouse-docs.readthedocs.io/en/latest/query_language/queries.html#manipulations-with-partitions-and-parts
# method = "drop";
# # how many months the data should be kept in ClickHouse
# period_months = 3;
# # how often to run the cleanup process
# run_every = "7d";
#}
.include(try=true,priority=5) "${DBDIR}/dynamic/clickhouse.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/clickhouse.conf"
.include(try=true,priority=10)
"$LOCAL_CONFDIR/override.d/clickhouse.conf"
}
/etc/rspamd/modules.d/elastic.conf changed:
elastic {
# Push update when 10 records are collected (10 if unset)
limit = 10;
# IP:port of Elasticsearch server
#server = "localhost:9200";
# Timeout to wait for response (5 seconds if unset)
timeout = 5;
# Elasticsearch template file (json format)
#template_file = "${SHAREDIR}/elastic/rspamd_template.json";
# Kibana prebuilt visualizations and dashboard template (json format)
#kibana_file = "${SHAREDIR}/elastic/kibana.json";
# Elasticsearch index name pattern
index_pattern = "rspamd-%Y.%m.%d";
# Dump debug information
debug = false;
# Import kibana template
import_kibana = false;
.include(try=true,priority=5) "${DBDIR}/dynamic/elastic.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/elastic.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/elastic.conf"
}
/etc/rspamd/modules.d/history_redis.conf changed:
history_redis {
#servers = 127.0.0.1:6379; # Redis server to store history
key_prefix = "rs_history"; # Default key name
nrows = 200; # Default rows limit
compress = true; # Use zstd compression when storing data in redis
subject_privacy = false; # subject privacy is off: message subjects are stored in the Redis history without obfuscation
.include(try=true,priority=5) "${DBDIR}/dynamic/history_redis.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/history_redis.conf"
.include(try=true,priority=10)
"$LOCAL_CONFDIR/override.d/history_redis.conf"
}
/etc/rspamd/modules.d/multimap.conf changed:
multimap {
# Freemail Addresses
freemail_envfrom {
type = "from";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
symbol = "FREEMAIL_ENVFROM";
description = "Envelope From is a Freemail address";
score = 0.0;
}
freemail_envrcpt {
type = "rcpt";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
symbol = "FREEMAIL_ENVRCPT";
description = "Envelope Recipient is a Freemail address";
score = 0.0;
}
freemail_from {
type = "header";
header = "from";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
symbol = "FREEMAIL_FROM";
description = "From is a Freemail address";
score = 0.0;
}
freemail_to {
type = "header";
header = "To";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
symbol = "FREEMAIL_TO";
description = "To is a Freemail address";
score = 0.0;
}
freemail_cc {
type = "header";
header = "Cc";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
symbol = "FREEMAIL_CC";
description = "To is a Freemail address";
score = 0.0;
}
freemail_replyto {
type = "header";
header = "Reply-To";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/free.txt.zst";
symbol = "FREEMAIL_REPLYTO";
description = "Reply-To is a Freemail address";
score = 0.0;
}
# Disposable Addresses
disposable_envfrom {
type = "from";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
symbol = "DISPOSABLE_ENVFROM";
description = "Envelope From is a Disposable e-mail address";
score = 0.0;
}
disposable_envrcpt {
type = "rcpt";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
symbol = "DISPOSABLE_ENVRCPT";
description = "Envelope Recipient is a Disposable e-mail address";
score = 0.0;
}
disposable_from {
type = "header";
header = "from";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
symbol = "DISPOSABLE_FROM";
description = "From a Disposable e-mail address";
score = 0.0;
}
disposable_to {
type = "header";
header = "To";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
symbol = "DISPOSABLE_TO";
description = "To a disposable e-mail address";
score = 0.0;
}
disposable_cc {
type = "header";
header = "Cc";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
symbol = "DISPOSABLE_CC";
description = "To a disposable e-mail address";
score = 0.0;
}
disposable_replyto {
type = "header";
header = "Reply-To";
filter = "email:domain";
map = "https://maps.rspamd.com/freemail/disposable.txt.zst";
symbol = "DISPOSABLE_REPLYTO";
description = "Reply-To a disposable e-mail address";
score = 0.0;
}
.include(try=true,priority=5) "${DBDIR}/dynamic/multimap.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/multimap.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/multimap.conf"
}
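/* Example setup
# NOTE: the file:///tmp/... map paths below are placeholders. /tmp is world-writable,
# so real maps (especially one that drives action = "accept") belong in a directory
# that only root or the rspamd user can write, e.g. under $LOCAL_CONFDIR/local.d/maps.d/.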
sender_from_whitelist_user {
type = "from";
filter = "email:user";
map = "file:///tmp/from.map";
symbol = "SENDER_FROM_WHITELIST_USER";
action = "accept"; # Prefilter mode
}
sender_from_regexp {
type = "header";
header = "from";
filter = 'regexp:/.*@/';
map = "file:///tmp/from_re.map";
symbol = "SENDER_FROM_REGEXP";
}
url_map {
type = "url";
filter = "tld";
map = "file:///tmp/url.map";
symbol = "URL_MAP";
}
url_tld_re {
type = "url";
filter = 'tld:regexp:/\.[^.]+$/'; # Extracts the last component of URL
map = "file:///tmp/url.map";
symbol = "URL_MAP_RE";
}
*/
/etc/rspamd/modules.d/once_received.conf changed:
once_received {
good_host = "mail";
bad_host = "static";
bad_host = "dynamic";
symbol_strict = "ONCE_RECEIVED_STRICT";
symbol = "ONCE_RECEIVED";
symbol_mx = "DIRECT_TO_MX";
.include(try=true,priority=5) "${DBDIR}/dynamic/once_received.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/once_received.conf"
.include(try=true,priority=10)
"$LOCAL_CONFDIR/override.d/once_received.conf"
}
/etc/rspamd/modules.d/phishing.conf changed:
phishing {
symbol = "PHISHING";
# Disabled by default
openphish_enabled = false;
openphish_premium = false;
openphish_map = "https://www.openphish.com/feed.txt";
# Phishtank is disabled by default in the module, so let's enable it here explicitly
phishtank_enabled = true;
# Make exclusions for known redirectors and domains
exceptions = {
REDIRECTOR_FALSE = [
"https://maps.rspamd.com/rspamd/redirectors.inc.zst",
"$LOCAL_CONFDIR/local.d/maps.d/redirectors.inc",
"$LOCAL_CONFDIR/local.d/redirectors.inc",
"fallback+file://${CONFDIR}/maps.d/redirectors.inc"
];
PHISHED_WHITELISTED = [
"glob;https://maps.rspamd.com/rspamd/phishing_whitelist.inc.zst",
"glob;$LOCAL_CONFDIR/local.d/maps.d/phishing_whitelist.inc",
"glob;$LOCAL_CONFDIR/local.d/phishing_whitelist.inc",
];
};
.include(try=true,priority=5) "${DBDIR}/dynamic/phishing.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/phishing.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/phishing.conf"
}
/etc/rspamd/modules.d/ratelimit.conf changed:
ratelimit {
#rates {
# Predefined ratelimit
#to = {
# bucket = {
# burst = 100;
# rate = 0.01666666666666666666; # leak 1 message per minute
# }
#}
# or define it with selector
#other_limit_alt = {
# selector = 'rcpts:addr.take_n(5)';
# bucket = {
# burst = 100;
# rate = "1 / 1m"; # leak 1 message per minute
# }
#}
#}
# If symbol is specified, then it is inserted *instead* of setting result to soft reject
#symbol = "R_RATELIMIT";
# If info_symbol is specified, then it is inserted next to set the result
#info_symbol = "R_RATELIMIT_INFO";
whitelisted_rcpts = "postmaster,mailer-daemon";
.include(try=true,priority=5) "${DBDIR}/dynamic/ratelimit.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/ratelimit.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/ratelimit.conf"
}
/etc/rspamd/modules.d/rbl.conf changed:
rbl {
default_exclude_users = true;
default_unknown = true;
url_whitelist = [
"https://maps.rspamd.com/rspamd/surbl-whitelist.inc.zst",
"$LOCAL_CONFDIR/local.d/maps.d/surbl-whitelist.inc.local",
"${DBDIR}/surbl-whitelist.inc.local",
"fallback+file://${CONFDIR}/maps.d/surbl-whitelist.inc"
];
rbls {
spamhaus {
symbol = "SPAMHAUS"; # Augmented by prefixes
rbl = "zen.spamhaus.org";
# Check types
checks = ['received', 'from'];
symbols_prefixes = {
received = 'RECEIVED',
from = 'RBL',
}
returncodes {
SPAMHAUS_SBL = "127.0.0.2";
SPAMHAUS_CSS = "127.0.0.3";
SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5",
"127.0.0.6", "127.0.0.7"];
SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"];
SPAMHAUS_DROP = "127.0.0.9";
SPAMHAUS_BLOCKED_OPENRESOLVER = "127.255.255.254";
SPAMHAUS_BLOCKED= "127.255.255.255";
}
}
mailspike {
symbol = "MAILSPIKE";
rbl = "rep.mailspike.net";
is_whitelist = true;
checks = ['from'];
whitelist_exception = "MAILSPIKE";
whitelist_exception = "RWL_MAILSPIKE_GOOD";
whitelist_exception = "RWL_MAILSPIKE_NEUTRAL";
whitelist_exception = "RWL_MAILSPIKE_POSSIBLE";
whitelist_exception = "RBL_MAILSPIKE_WORST";
whitelist_exception = "RBL_MAILSPIKE_VERYBAD";
whitelist_exception = "RBL_MAILSPIKE_BAD";
returncodes {
RBL_MAILSPIKE_WORST = "127.0.0.10";
RBL_MAILSPIKE_VERYBAD = "127.0.0.11";
RBL_MAILSPIKE_BAD = "127.0.0.12";
RWL_MAILSPIKE_NEUTRAL = ["127.0.0.16", "127.0.0.15",
"127.0.0.14", "127.0.0.13"];
RWL_MAILSPIKE_POSSIBLE = "127.0.0.17";
RWL_MAILSPIKE_GOOD = "127.0.0.18";
RWL_MAILSPIKE_VERYGOOD = "127.0.0.19";
RWL_MAILSPIKE_EXCELLENT = "127.0.0.20";
}
}
senderscore {
symbol = "RBL_SENDERSCORE";
checks = ['from'];
rbl = "bl.score.senderscore.com";
}
sem {
symbol = "RBL_SEM";
rbl = "bl.spameatingmonkey.net";
ipv6 = false;
checks = ['from'];
}
semIPv6 {
symbol = "RBL_SEM_IPV6";
rbl = "bl.ipv6.spameatingmonkey.net";
ipv4 = false;
ipv6 = true;
checks = ['from'];
}
dnswl {
symbol = "RCVD_IN_DNSWL";
rbl = "list.dnswl.org";
ipv6 = true;
checks = ['from', 'received'];
is_whitelist = true;
whitelist_exception = "RCVD_IN_DNSWL";
whitelist_exception = "RCVD_IN_DNSWL_NONE";
whitelist_exception = "RCVD_IN_DNSWL_LOW";
whitelist_exception = "DNSWL_BLOCKED";
returncodes {
RCVD_IN_DNSWL_NONE = "127.0.%d+.0";
RCVD_IN_DNSWL_LOW = "127.0.%d+.1";
RCVD_IN_DNSWL_MED = "127.0.%d+.2";
RCVD_IN_DNSWL_HI = "127.0.%d+.3";
DNSWL_BLOCKED = "127.0.0.255";
}
}
# Provided by https://virusfree.cz
virusfree {
symbol = "RBL_VIRUSFREE_UNKNOWN";
rbl = "bip.virusfree.cz";
ipv6 = true;
checks = ['from'];
returncodes {
RBL_VIRUSFREE_BOTNET = "127.0.0.2";
}
}
nixspam {
symbol = "RBL_NIXSPAM";
rbl = "ix.dnsbl.manitu.net";
ipv6 = true;
checks = ['from'];
}
blocklistde {
symbols_prefixes = {
received = 'RECEIVED',
from = 'RBL',
}
symbol = "BLOCKLISTDE";
rbl = "bl.blocklist.de";
checks = ['from', 'received'];
}
# Dkim whitelist
dnswl_dwl {
symbol = "DWL_DNSWL";
rbl = "dwl.dnswl.org";
checks = ['dkim'];
ignore_whitelist = true;
unknown = false;
returncodes {
DWL_DNSWL_NONE = "127.0.%d+.0";
DWL_DNSWL_LOW = "127.0.%d+.1";
DWL_DNSWL_MED = "127.0.%d+.2";
DWL_DNSWL_HI = "127.0.%d+.3";
DWL_DNSWL_BLOCKED = "127.0.0.255";
}
}
# Email-address blocklist at email.rspamd.com, applied to addresses found in
# the message ('emails') and in Reply-To ('replyto').
RSPAMD_EMAILBL {
# A whitelist hit elsewhere does not suppress this list.
ignore_whitelist = true;
ignore_defaults = true;
exclude_users = false;
emails_delimiter = ".";
# The lookup key is a blake2 hash, base32-encoded, with hash_len = 32.
# NOTE(review): presumably this means the cleartext address is not sent in
# the DNS query - confirm against the rbl module documentation.
hash_format = "base32";
hash_len = 32;
rbl = "email.rspamd.com";
checks = ['emails', 'replyto'];
hash = "blake2";
returncodes = {
RSPAMD_EMAILBL = "127.0.0.2";
}
}
# MSBL email blocklist (ebl.msbl.org), applied to addresses found in the
# message ('emails') and in Reply-To ('replyto').
MSBL_EBL {
# A whitelist hit elsewhere does not suppress this list.
ignore_whitelist = true;
ignore_defaults = true;
exclude_users = false;
rbl = "ebl.msbl.org";
checks = ['emails', 'replyto'];
# emails_domainonly is off, so the lookup is not reduced to the domain part.
emails_domainonly = false;
# Lookup key is derived with SHA-1. NOTE(review): presumably chosen to match
# the key format the list publishes; it is not a secrecy measure - confirm.
hash = "sha1";
returncodes = {
# Two return codes map to each symbol; the surbl group scores shown later in
# this report weight MSBL_EBL at 7.5 and MSBL_EBL_GREY at 0.5.
MSBL_EBL = [
"127.0.0.2",
"127.0.0.3"
];
MSBL_EBL_GREY = [
"127.0.1.2",
"127.0.1.3"
];
}
}
# Old SURBL module
"SURBL_MULTI" {
ignore_defaults = true;
rbl = "multi.surbl.org";
checks = ['emails', 'dkim', 'helo', 'rdns', 'replyto', 'urls'];
emails_domainonly = true;
exclude_users = false;
returnbits = {
CRACKED_SURBL = 128; # From February 2016
ABUSE_SURBL = 64;
MW_SURBL_MULTI = 16;
PH_SURBL_MULTI = 8;
SURBL_BLOCKED = 1;
}
}
"URIBL_MULTI" {
ignore_defaults = true;
rbl = "multi.uribl.com";
checks = ['emails', 'dkim', 'helo', 'rdns', 'replyto', 'urls'];
emails_domainonly = true;
exclude_users = false;
returnbits {
URIBL_BLOCKED = 1;
URIBL_BLACK = 2;
URIBL_GREY = 4;
URIBL_RED = 8;
}
}
"RSPAMD_URIBL" {
ignore_defaults = true;
rbl = "uribl.rspamd.com";
checks = ['emails', 'dkim', 'urls'];
emails_domainonly = true;
hash = 'blake2';
hash_len = 32;
hash_format = 'base32';
exclude_users = false;
returncodes = {
RSPAMD_URIBL = [
"127.0.0.2",
];
}
}
# Spamhaus DBL domain blocklist, applied to domains taken from email
# addresses, DKIM, HELO, reverse DNS, Reply-To and URLs.
"DBL" {
ignore_defaults = true;
rbl = "dbl.spamhaus.org";
# NOTE(review): presumably keeps IP-literal hosts out of the query, which
# matches the DBL_PROHIBIT return code below ("IP queries prohibited") -
# confirm against the rbl module documentation.
no_ip = true;
checks = ['emails', 'dkim', 'helo', 'rdns', 'replyto', 'urls'];
emails_domainonly = true;
exclude_users = false;
returncodes = {
# spam domain
DBL_SPAM = "127.0.1.2";
# phish domain
DBL_PHISH = "127.0.1.4";
# malware domain
DBL_MALWARE = "127.0.1.5";
# botnet C&C domain
DBL_BOTNET = "127.0.1.6";
# abused legit spam
DBL_ABUSE = "127.0.1.102";
# abused spammed redirector domain
DBL_ABUSE_REDIR = "127.0.1.103";
# abused legit phish
DBL_ABUSE_PHISH = "127.0.1.104";
# abused legit malware
DBL_ABUSE_MALWARE = "127.0.1.105";
# abused legit botnet C&C
DBL_ABUSE_BOTNET = "127.0.1.106";
# error - IP queries prohibited!
DBL_PROHIBIT = "127.0.1.255";
# issue #3074
# The two codes below are service refusals, not listings: the surbl group
# scores describe them as "querying from an open resolver" and "exceeding the
# query limit" and give both weight 0.0. Seeing them in scan results means the
# DBL lookups are contributing nothing until the resolver setup is fixed.
DBL_BLOCKED_OPENRESOLVER = "127.255.255.254";
DBL_BLOCKED = "127.255.255.255";
}
}
# Not enabled by default due to privacy concerns! (see also groups.d/surbl_group.conf)
# Checks email addresses found in the message against zen.spamhaus.org with
# resolve_ip set.
# NOTE(review): presumably resolve_ip makes the scanner resolve each extracted
# domain itself before the list query; those lookups reach name servers chosen
# by whoever controls the domain, which is likely the privacy concern behind
# shipping this rule disabled - confirm against the rbl module documentation
# before enabling.
"SPAMHAUS_ZEN_URIBL" {
# Off in this file; only an included local.d/override.d rbl.conf could turn
# it on, and those files are not part of this dump.
enabled = false;
rbl = "zen.spamhaus.org";
checks = ['emails'];
resolve_ip = true;
returncodes = {
URIBL_SBL = "127.0.0.2";
URIBL_SBL_CSS = "127.0.0.3";
URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
URIBL_DROP = "127.0.0.9";
}
}
"SEM_URIBL_UNKNOWN" {
ignore_defaults = true;
rbl = "uribl.spameatingmonkey.net";
no_ip = true;
checks = ['emails', 'dkim', 'urls'];
emails_domainonly = true;
returnbits {
SEM_URIBL = 2;
}
}
"SEM_URIBL_FRESH15_UNKNOWN" {
ignore_defaults = true;
rbl = "fresh15.spameatingmonkey.net";
no_ip = true;
checks = ['emails', 'dkim', 'urls'];
emails_domainonly = true;
returnbits {
SEM_URIBL_FRESH15 = 2;
}
}
# Proved to be broken
#"RBL_SARBL_BAD" {
# suffix = "public.sarbl.org";
# noip = true;
# images = true;
#}
}
.include(try=true,priority=5) "${DBDIR}/dynamic/rbl.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/rbl.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/rbl.conf"
}
/etc/rspamd/modules.d/redis.conf changed:
# Redis connection settings that modules take from this section (modules can
# be opted out through disabled_modules).
# Every option in this file is commented out, so it sets no server, database
# or password; effective values can only come from the included dynamic,
# local.d and override.d files, which are not part of this dump.
redis {
#servers = "127.0.0.1"; # Read servers (unless write_servers are
unspecified)
#servers = "master-slave:127.0.0.1,10.0.1.1";
#write_servers = "127.0.0.1"; # Servers to write data
#disabled_modules = ["ratelimit"]; # List of modules that should not
use redis from this section
#timeout = 1s;
#db = "0";
# Placeholder value only. NOTE(review): a real Redis password is better kept
# in local.d/redis.conf with permissions that hide it from other local users,
# and redacted before a configuration dump is posted to a public tracker.
#password = "some_password";
# Include order: dynamic settings at priority 5, local.d merged at priority 1,
# override.d at priority 10.
.include(try=true,priority=5) "${DBDIR}/dynamic/redis.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/redis.conf"
.include(try=true,priority=10) "$LOCAL_CONFDIR/override.d/redis.conf"
}
/etc/rspamd/modules.d/spamassassin.conf changed:
spamassassin {
# This config defines no SA files, leaving this module effectively disabled by default
#ruleset = "/path/to/file";
# Limit search size to 100 kilobytes for all regular expressions
#match_limit = 100k;
# Those regexp atoms will not be passed through hyperscan:
#pcre_only = ["RULE1", "__RULE2"];
.include(try=true,priority=5) "${DBDIR}/dynamic/spamassassin.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/spamassassin.conf"
.include(try=true,priority=10)
"$LOCAL_CONFDIR/override.d/spamassassin.conf"
}
/etc/rspamd/modules.d/url_redirector.conf changed:
# Settings for following redirects behind URLs found in messages.
# NOTE(review): this implies outbound HTTP requests to hosts named in incoming
# mail, i.e. to destinations the sender chooses; timeout, nested_limit and
# max_size below bound each such fetch.
url_redirector {
expire = 1d; # 1 day by default
timeout = 10; # 10 seconds by default
nested_limit = 1; # How many redirects to follow
# NOTE(review): sending these requests through an egress proxy would keep the
# scanner from connecting directly to sender-chosen hosts; left unset here.
#proxy = "http://example.com:3128"; # Send request through proxy
key_prefix = "rdr:"; # default hash name
# Certificate checking is off, so an HTTPS redirect target is accepted without
# authenticating the server. NOTE(review): presumably the resolved target is
# then stored for the expire period above - confirm, and decide whether
# unauthenticated results are acceptable for that long.
check_ssl = false; # check ssl certificates
max_size = 10k; # maximum body to process
.include(try=true,priority=5) "${DBDIR}/dynamic/url_redirector.conf"
.include(try=true,priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/url_redirector.conf"
.include(try=true,priority=10)
"$LOCAL_CONFDIR/override.d/url_redirector.conf"
}
/etc/rspamd/options.inc changed:
# Global options, pulled into the options {} section of rspamd.conf through
# .include "$CONFDIR/options.inc".
filters = "chartable,dkim,regexp,fuzzy_check";
one_shot = false;
cache_file = "$DBDIR/symbols.cache";
map_watch_interval = 5min;
map_file_watch_multiplier = 0.1;
dynamic_conf = "$DBDIR/rspamd_dynamic";
history_file = "$DBDIR/rspamd.history";
check_all_filters = false;
# Ceilings on DNS requests, URLs and recipients. NOTE(review): presumably
# applied per scanned message, which would bound the work a single crafted
# message can trigger - confirm the exact semantics of each limit.
dns_max_requests = 64;
max_lua_urls = 1024;
max_urls = 10240;
max_recipients = 1024;
# Resolver behaviour: per-request timeout, socket count and retransmits.
dns {
timeout = 1s;
sockets = 16;
retransmits = 5;
}
# NOTE(review): /tmp is normally shared by all local users; a directory owned
# by the rspamd user would be a tighter choice - confirm what is written here.
tempdir = "/tmp";
url_tld = "${SHAREDIR}/effective_tld_names.dat";
classify_headers = [
"User-Agent",
"X-Mailer",
"Content-Type",
"X-MimeOLE",
];
# Control socket is a filesystem socket under $DBDIR created with mode 0600,
# i.e. without group or other access.
control_socket = "$DBDIR/rspamd.sock mode=0600";
history_rows = 200;
explicit_modules = ["settings", "bayes_expiry"];
# NOTE(review): presumably permits scanning input that is not valid MIME -
# confirm against the options documentation.
allow_raw_input = true;
words_decay = 600;
rrd = "${DBDIR}/rspamd.rrd";
stats_file = "${DBDIR}/stats.ucl";
# RFC 1918, IPv4/IPv6 link-local and fd00::/8 ranges.
# NOTE(review): presumably mail from these addresses is treated as local and
# handled more leniently, so the list should only name networks whose hosts
# are trusted - confirm which checks consult it.
local_addrs = [192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, fd00::/8,
169.254.0.0/16, fe80::/10];
hs_cache_dir = "${DBDIR}/";
# NOTE(review): with soft_reject_on_timeout off, a scan that exceeds
# task_timeout is presumably not answered with a temporary rejection - TODO
# confirm what verdict the MTA receives in that case.
task_timeout = 8s;
soft_reject_on_timeout = false;
/etc/rspamd/rspamd.conf changed:
.include "$CONFDIR/common.conf"
options {
pidfile = "$RUNDIR/rspamd.pid";
.include "$CONFDIR/options.inc"
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/options.inc"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/options.inc"
}
.include(try=true; duplicate=merge) "$CONFDIR/cgp.inc"
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/cgp.inc"
logging {
type = "file";
filename = "$LOGDIR/rspamd.log";
.include "$CONFDIR/logging.inc"
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/logging.inc"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/logging.inc"
}
# Scanner worker. Bound to localhost:11333, so it listens on whatever
# "localhost" resolves to (normally the loopback addresses only).
worker "normal" {
bind_socket = "localhost:11333";
.include "$CONFDIR/worker-normal.inc"
# local.d is merged at priority 1; override.d is applied at priority 10.
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/worker-normal.inc"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/worker-normal.inc"
}
# Controller worker, bound to localhost:11334.
# NOTE(review): its access settings (passwords, allowed addresses) would come
# from worker-controller.inc and the local.d/override.d files, none of which
# appear in this dump; a bind address set there would replace the localhost
# binding shown here - confirm before assuming the port is local-only.
worker "controller" {
bind_socket = "localhost:11334";
.include "$CONFDIR/worker-controller.inc"
# local.d is merged at priority 1; override.d is applied at priority 10.
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/worker-controller.inc"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/worker-controller.inc"
}
# Proxy worker, bound to localhost:11332. This is the worker named in the
# crash backtrace at the top of the report ("rspamd_proxy process in
# localhost:11332"); its remaining settings come from worker-proxy.inc.
worker "rspamd_proxy" {
bind_socket = "localhost:11332";
.include "$CONFDIR/worker-proxy.inc"
# local.d is merged at priority 1; override.d is applied at priority 10.
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/worker-proxy.inc"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/worker-proxy.inc"
}
# Fuzzy storage worker, bound to localhost:11335 and, per the inline comment
# on count, disabled in this file.
worker "fuzzy" {
bind_socket = "localhost:11335";
count = -1; # Disable by default
.include "$CONFDIR/worker-fuzzy.inc"
# local.d is merged at priority 1; override.d is applied at priority 10.
.include(try=true; priority=1,duplicate=merge)
"$LOCAL_CONFDIR/local.d/worker-fuzzy.inc"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/worker-fuzzy.inc"
}
/etc/rspamd/scores.d/content_group.conf changed:
description = "Content rules";
symbols = {
"PDF_ENCRYPTED" {
weight = 0.3;
description = "There is an encrypted PDF in the message";
one_shot = true;
}
"PDF_JAVASCRIPT" {
weight = 0.1;
description = "There is an PDF with JavaScript in the message";
one_shot = true;
}
"PDF_SUSPICIOUS" {
weight = 4.5;
description = "There is an PDF with suspicious properties in the
message";
one_shot = true;
}
"PDF_LONG_TRAILER" {
weight = 0.2;
description = "There is an PDF with a long trailer";
one_shot = true;
}
"PDF_MANY_OBJECTS" {
weight = 0;
description = "There is a PDF file with too many objects";
one_shot = true;
}
"PDF_TIMEOUT" {
weight = 0;
description = "There is a PDF file that caused timeout in processing";
one_shot = true;
}
}
/etc/rspamd/scores.d/fuzzy_group.conf changed:
description = "Fuzzy hashes group";
symbols = {
"FUZZY_UNKNOWN" {
weight = 5.0;
description = "Generic fuzzy hash match, bl.rspamd.com";
}
"FUZZY_DENIED" {
weight = 12.0;
description = "Denied fuzzy hash, bl.rspamd.com";
}
"FUZZY_PROB" {
weight = 5.0;
description = "Probable fuzzy hash, bl.rspamd.com";
}
"FUZZY_WHITE" {
weight = -2.1;
description = "Whitelisted fuzzy hash, bl.rspamd.com";
}
}
/etc/rspamd/scores.d/headers_group.conf changed:
description = "Various headers checks";
max_score = 8.0;
symbols = {
"FORGED_SENDER" {
weight = 0.3;
description = "Sender is forged (different From: header and
smtp MAIL FROM: addresses)";
}
"R_MIXED_CHARSET" {
weight = 5.0;
description = "Mixed characters in a message";
one_shot = true;
}
"R_MIXED_CHARSET_URL" {
weight = 7.0;
description = "Mixed characters in a URL inside message";
one_shot = true;
}
"FORGED_RECIPIENTS" {
weight = 2.0;
description = "Recipients are not the same as RCPT TO: mail
command";
}
"FORGED_RECIPIENTS_MAILLIST" {
weight = 0.0;
description = "Recipients are not the same as RCPT TO: mail
command, but a message from a maillist";
}
"FORGED_SENDER_MAILLIST" {
weight = 0.0;
description = "Sender is not the same as MAIL FROM: envelope,
but a message is from a maillist";
}
"ONCE_RECEIVED" {
weight = 0.1;
description = "One received header in a message";
}
"RDNS_NONE" {
weight = 1.0;
description = "Cannot resolve reverse DNS for sender's IP";
}
"RDNS_DNSFAIL" {
weight = 0.0;
description = "PTR verification DNS error";
}
"ONCE_RECEIVED_STRICT" {
weight = 4.0;
description = "One received header with 'bad' patterns inside";
}
"DIRECT_TO_MX" {
weight = 0.0;
description = "Message has been directly delivered from MUA to
local MX";
}
"MAILLIST" {
weight = -0.2;
description = "Message seems to be from maillist";
}
"BOUNCE" {
weight = -0.1;
description = "(Non) Delivery Status Notification";
}
}
/etc/rspamd/scores.d/hfilter_group.conf changed:
description = "SMTP envelope filter";
symbols = {
"HFILTER_HELO_BAREIP" {
weight = 3.0;
description = "Helo host is bare ip";
}
"HFILTER_HELO_BADIP" {
weight = 4.5;
description = "Helo host is very bad ip";
}
"HFILTER_HELO_1" {
weight = 0.5;
description = "Helo host checks (very low)";
}
"HFILTER_HELO_2" {
weight = 1.0;
description = "Helo host checks (low)";
}
"HFILTER_HELO_3" {
weight = 2.0;
description = "Helo host checks (medium)";
}
"HFILTER_HELO_4" {
weight = 2.5;
description = "Helo host checks (hard)";
}
"HFILTER_HELO_5" {
weight = 3.0;
description = "Helo host checks (very hard)";
}
"HFILTER_HOSTNAME_1" {
weight = 0.5;
description = "Hostname checks (very low)";
}
"HFILTER_HOSTNAME_2" {
weight = 1.0;
description = "Hostname checks (low)";
}
"HFILTER_HOSTNAME_3" {
weight = 2.0;
description = "Hostname checks (medium)";
}
"HFILTER_HOSTNAME_4" {
weight = 2.5;
description = "Hostname checks (hard)";
}
"HFILTER_HOSTNAME_5" {
weight = 3.0;
description = "Hostname checks (very hard)";
}
"HFILTER_HELO_NORESOLVE_MX" {
weight = 0.2;
description = "MX found in Helo and no resolve";
}
"HFILTER_HELO_NORES_A_OR_MX" {
weight = 0.3;
description = "Helo no resolve to A or MX";
}
"HFILTER_HELO_IP_A" {
weight = 1.0;
description = "Helo A IP != hostname IP";
}
"HFILTER_HELO_NOT_FQDN" {
weight = 2.0;
description = "Helo not FQDN";
}
"HFILTER_FROMHOST_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in FROM host and no resolve";
}
"HFILTER_FROMHOST_NORES_A_OR_MX" {
weight = 1.5;
description = "FROM host no resolve to A or MX";
}
"HFILTER_FROMHOST_NOT_FQDN" {
weight = 3.0;
description = "FROM host not FQDN";
}
"HFILTER_FROM_BOUNCE" {
weight = 0.0;
description = "Bounce message";
}
/*
# Disabled by default
"HFILTER_MID_NORESOLVE_MX" {
weight = 0.5;
description = "MX found in Message-id host and no resolve";
}
"HFILTER_MID_NORES_A_OR_MX" {
weight = 0.5;
name = ;
description = "Message-id host no resolve to A or MX";
}
"HFILTER_MID_NOT_FQDN" {
weight = 0.5;
description = "Message-id host not FQDN";
}
*/
"HFILTER_HOSTNAME_UNKNOWN" {
weight = 2.5;
description = "Unknown client hostname (PTR or FCrDNS
verification failed)";
}
"HFILTER_RCPT_BOUNCEMOREONE" {
weight = 1.5;
description = "Message from bounce and over 1 recipient";
}
"HFILTER_URL_ONLY" {
weight = 2.2;
description = "URL only in body";
}
"HFILTER_URL_ONELINE" {
weight = 2.5;
description = "One line URL and text in body";
}
}
/etc/rspamd/scores.d/mime_types_group.conf changed:
description = "Mime attachments rules";
max_score = 10.0;
symbols = {
"MIME_GOOD" {
weight = -0.1;
description = "Known content-type";
one_shot = true;
}
"MIME_BAD" {
weight = 1.0;
description = "Known bad content-type";
one_shot = true;
}
"MIME_UNKNOWN" {
weight = 0.1;
description = "Missing or unknown content-type";
one_shot = true;
}
"MIME_BAD_ATTACHMENT" {
weight = 4.0;
description = "Invalid attachment mime type";
one_shot = true;
}
"MIME_ENCRYPTED_ARCHIVE" {
weight = 2.0;
description = "Encrypted archive in a message";
one_shot = true;
}
"MIME_OBFUSCATED_ARCHIVE" {
weight = 8.0;
description = "Archive has files with clear obfuscation signs";
one_shot = true;
}
"MIME_EXE_IN_GEN_SPLIT_RAR" {
weight = 5.0;
description = "EXE file in RAR archive with generic split
extension (e.g. .001)";
one_shot = true;
}
"MIME_ARCHIVE_IN_ARCHIVE" {
weight = 5.0;
description = "Archive within another archive";
one_shot = true;
}
"MIME_DOUBLE_BAD_EXTENSION" {
weight = 3.0; # This rule has dynamic weight up to 4.0
description = "Bad extension cloaking";
one_shot = true;
}
"MIME_BAD_EXTENSION" {
weight = 2.0; # This rule has dynamic weight up to 4.0
description = "Bad extension";
one_shot = true;
}
"MIME_BAD_UNICODE" {
weight = 8.0;
description = "Filename with known obscured unicode characters";
one_shot = true;
}
}
/etc/rspamd/scores.d/mua_group.conf changed:
description = "MUA forgeries";
symbols = {
"FORGED_MUA_MAILLIST" {
weight = 0.0;
description = "Avoid false positives for FORGED_MUA_* in maillist";
}
}
/etc/rspamd/scores.d/phishing_group.conf changed:
description = "Phishing in emails";
max_score = 10.0;
symbols = {
"PHISHING" {
weight = 4.0;
description = "Phished URL";
one_shot = true;
}
"PHISHED_OPENPHISH" {
weight = 7.0;
description = "Phished URL found in openphish.com";
}
"PHISHED_PHISHTANK" {
weight = 7.0;
description = "Phished URL found in phishtank.com";
}
HACKED_WP_PHISHING {
weight = 4.5;
description = "Phishing message from hacked wordpress";
}
REDIRECTOR_FALSE {
weight = 0.0;
description = "Phishing exclusion symbol for known redirectors";
}
PHISHED_WHITELISTED {
weight = 0.0;
description = "Phishing exclusion symbol for known exceptions";
}
}
/etc/rspamd/scores.d/policies_group.conf changed:
description = "SPF, DKIM, DMARC, ARC";
symbols = {
# SPF
"R_SPF_FAIL" {
weight = 1.0;
description = "SPF verification failed";
groups = ["spf"];
}
"R_SPF_SOFTFAIL" {
weight = 0.0;
description = "SPF verification soft-failed";
groups = ["spf"];
}
"R_SPF_NEUTRAL" {
weight = 0.0;
description = "SPF policy is neutral";
groups = ["spf"];
}
"R_SPF_ALLOW" {
weight = -0.2;
description = "SPF verification allows sending";
groups = ["spf"];
}
"R_SPF_DNSFAIL" {
weight = 0.0;
description = "SPF DNS failure";
groups = ["spf"];
}
"R_SPF_NA" {
weight = 0.0;
description = "Missing SPF record";
one_shot = true;
groups = ["spf"];
}
"R_SPF_PERMFAIL" {
weight = 0.0;
description = "SPF record is malformed or persistent DNS error";
groups = ["spf"];
}
# DKIM
"R_DKIM_REJECT" {
weight = 1.0;
description = "DKIM verification failed";
one_shot = true;
groups = ["dkim"];
}
"R_DKIM_TEMPFAIL" {
weight = 0.0;
description = "DKIM verification soft-failed";
groups = ["dkim"];
}
"R_DKIM_PERMFAIL" {
weight = 0.0;
description = "DKIM verification hard-failed (invalid)";
groups = ["dkim"];
}
"R_DKIM_ALLOW" {
weight = -0.2;
description = "DKIM verification succeed";
one_shot = true;
groups = ["dkim"];
}
"R_DKIM_NA" {
weight = 0.0;
description = "Missing DKIM signature";
one_shot = true;
groups = ["dkim"];
}
# DMARC
"DMARC_POLICY_ALLOW" {
weight = -0.5;
description = "DMARC permit policy";
groups = ["dmarc"];
}
"DMARC_POLICY_ALLOW_WITH_FAILURES" {
weight = -0.5;
description = "DMARC permit policy with DKIM/SPF failure";
groups = ["dmarc"];
}
"DMARC_POLICY_REJECT" {
weight = 2.0;
description = "DMARC reject policy";
groups = ["dmarc"];
}
"DMARC_POLICY_QUARANTINE" {
weight = 1.5;
description = "DMARC quarantine policy";
groups = ["dmarc"];
}
"DMARC_POLICY_SOFTFAIL" {
weight = 0.1;
description = "DMARC failed";
groups = ["dmarc"];
}
"DMARC_NA" {
weight = 0.0;
description = "No DMARC record";
groups = ["dmarc"];
}
# ARC
"ARC_ALLOW" {
weight = -1.0;
description = "ARC checks success";
groups = ["arc"];
}
"ARC_REJECT" {
weight = 1.0;
description = "ARC checks failed";
groups = ["arc"];
}
"ARC_INVALID" {
weight = 0.5;
description = "ARC structure invalid";
groups = ["arc"];
}
"ARC_DNSFAIL" {
weight = 0.0;
description = "ARC DNS error";
groups = ["arc"];
}
"ARC_NA" {
weight = 0.0;
description = "ARC signature absent";
groups = ["arc"];
}
}
/etc/rspamd/scores.d/rbl_group.conf changed:
description = "IP DNS lists";
symbols = {
"DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries";
groups = ["dnswl", "blocked"];
}
"RCVD_IN_DNSWL" {
weight = 0.0;
description = "Unrecognised result from https://www.dnswl.org";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_NONE" {
weight = 0.0;
description = "Sender listed at https://www.dnswl.org, no trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_LOW" {
weight = -0.1;
description = "Sender listed at https://www.dnswl.org, low trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_MED" {
weight = -0.2;
description = "Sender listed at https://www.dnswl.org, medium
trust";
groups = ["dnswl"];
}
"RCVD_IN_DNSWL_HI" {
weight = -0.5;
description = "Sender listed at https://www.dnswl.org, high trust";
groups = ["dnswl"];
}
"DWL_DNSWL_BLOCKED" {
weight = 0.0;
description = "Resolver blocked due to excessive queries (dwl)";
groups = ["dnswl", "blocked"];
}
"DWL_DNSWL" {
weight = 0.0;
description = "Unrecognised result from https://www.dnswl.org
(dwl)";
groups = ["dnswl"];
}
"DWL_DNSWL_NONE" {
weight = 0.0;
description = "Message has a valid dkim signature originated
from domain listed at https://www.dnswl.org, no trust";
groups = ["dnswl"];
}
"DWL_DNSWL_LOW" {
weight = -1.0;
description = "Message has a valid dkim signature originated
from domain listed at https://www.dnswl.org, low trust";
groups = ["dnswl"];
}
"DWL_DNSWL_MED" {
weight = -2.0;
description = "Message has a valid dkim signature originated
from domain listed at https://www.dnswl.org, medium trust";
groups = ["dnswl"];
}
"DWL_DNSWL_HI" {
weight = -3.5;
description = "Message has a valid dkim signature originated
from domain listed at https://www.dnswl.org, high trust";
groups = ["dnswl"];
}
"RBL_SPAMHAUS" {
weight = 0.0;
description = "Unrecognised result from Spamhaus ZEN";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_SBL" {
weight = 4.0;
description = "From address is listed in ZEN SBL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_CSS" {
weight = 2.0;
description = "From address is listed in ZEN CSS";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_XBL" {
weight = 4.0;
description = "From address is listed in ZEN XBL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_XBL_ANY" {
weight = 4.0;
description = "From or received address is listed in ZEN XBL
(any list)";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_PBL" {
weight = 2.0;
description = "From address is listed in ZEN PBL (ISP list)";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_DROP" {
weight = 7.0;
description = "From address is listed in ZEN DROP BL";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_BLOCKED_OPENRESOLVER" {
weight = 0.0;
description = "You are querying Spamhaus from an open resolver,
please see https://www.spamhaus.org/returnc/pub/";
groups = ["spamhaus"];
}
"RBL_SPAMHAUS_BLOCKED" {
weight = 0.0;
description = "You are exceeding the query limit, please see
https://www.spamhaus.org/returnc/vol/";
groups = ["spamhaus"];
}
"RECEIVED_SPAMHAUS_SBL" {
weight = 3.0;
description = "Received address is listed in ZEN SBL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_CSS" {
weight = 1.0;
description = "Received address is listed in ZEN CSS";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_XBL" {
weight = 3.0;
description = "Received address is listed in ZEN XBL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_PBL" {
weight = 0.0;
description = "Received address is listed in ZEN PBL (ISP list)";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_DROP" {
weight = 6.0;
description = "Received address is listed in ZEN DROP BL";
groups = ["spamhaus"];
one_shot = true;
}
"RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER" {
weight = 0.0;
description = "You are querying Spamhaus from an open resolver,
please see https://www.spamhaus.org/returnc/pub/";
groups = ["spamhaus"];
}
"RECEIVED_SPAMHAUS_BLOCKED" {
weight = 0.0;
description = "You are exceeding the query limit, please see
https://www.spamhaus.org/returnc/vol/";
groups = ["spamhaus"];
}
"RBL_SENDERSCORE" {
weight = 2.0;
description = "From address is listed in senderscore.com BL";
}
"MAILSPIKE" {
weight = 0.0;
description = "Unrecognised result from Mailspike";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_NEUTRAL" {
weight = 0.0;
description = "Neutral result from Mailspike";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_WORST" {
weight = 2.0;
description = "From address is listed in RBL - worst possible
reputation";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_VERYBAD" {
weight = 1.5;
description = "From address is listed in RBL - very bad
reputation";
groups = ["mailspike"];
}
"RBL_MAILSPIKE_BAD" {
weight = 1.0;
description = "From address is listed in RBL - bad reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_POSSIBLE" {
weight = 0.0;
description = "From address is listed in RWL - possibly legit";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_GOOD" {
weight = -0.1;
description = "From address is listed in RWL - good reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_VERYGOOD" {
weight = -0.2;
description = "From address is listed in RWL - very good
reputation";
groups = ["mailspike"];
}
"RWL_MAILSPIKE_EXCELLENT" {
weight = -0.4;
description = "From address is listed in RWL - excellent
reputation";
groups = ["mailspike"];
}
"RBL_SEM" {
weight = 1.0;
description = "From address is listed in Spameatingmonkey RBL";
groups = ["sem"];
}
"RBL_SEM_IPV6" {
weight = 1.0;
description = "From address is listed in Spameatingmonkey RBL
(IPv6)";
groups = ["sem"];
}
"RBL_VIRUSFREE_BOTNET" {
weight = 2.0;
description = "From address is listed in virusfree.cz BL";
}
"RBL_NIXSPAM" {
weight = 4.0;
description = "From address is listed in NiX Spam
(http://www.dnsbl.manitu.net/)";
}
"RBL_BLOCKLISTDE" {
weight = 4.0;
description = "From address is listed in Blocklist
(https://www.blocklist.de/)";
groups = ["blocklistde"];
}
"RECEIVED_BLOCKLISTDE" {
weight = 3.0;
description = "Received address is listed in Blocklist
(https://www.blocklist.de/)";
groups = ["blocklistde"];
one_shot = true;
}
}
/etc/rspamd/scores.d/statistics_group.conf changed:
description = "Statistical symbols";
symbols = {
"BAYES_SPAM" {
weight = 5.1;
description = "Message probably spam, probability: ";
}
"BAYES_HAM" {
weight = -3.0;
description = "Message probably ham, probability: ";
}
}
/etc/rspamd/scores.d/subject_group.conf changed:
description = "Subject filters";
symbols = {
}
max_score = 6.0;
/etc/rspamd/scores.d/surbl_group.conf changed:
description = "URL DNS lists";
max_score = 12.5;
symbols = {
"SURBL_BLOCKED" {
weight = 0.0;
description = "SURBL: blocked by policy/overusage";
one_shot = true;
groups = ["surblorg", "blocked"];
}
"PH_SURBL_MULTI" {
weight = 5.5;
description = "SURBL: Phishing sites";
one_shot = true;
groups = ["surblorg", "phishing"];
}
"MW_SURBL_MULTI" {
weight = 5.5;
description = "SURBL: Malware sites";
one_shot = true;
groups = ["surblorg"];
}
"ABUSE_SURBL" {
weight = 5.5;
description = "SURBL: ABUSE";
one_shot = true;
groups = ["surblorg"];
}
"CRACKED_SURBL" {
weight = 4.0;
description = "SURBL: cracked site";
one_shot = true;
groups = ["surblorg"];
}
"RSPAMD_URIBL" {
weight = 4.5;
description = "Rspamd uribl, bl.rspamd.com";
one_shot = true;
groups = ["rspamdbl"];
}
"RSPAMD_EMAILBL" {
weight = 2.5;
description = "Rspamd emailbl, bl.rspamd.com";
one_shot = true;
groups = ["rspamdbl"];
}
"MSBL_EBL" {
weight = 7.5;
description = "MSBL emailbl";
one_shot = true;
groups = ["ebl"];
}
"MSBL_EBL_GREY" {
weight = 0.5; # TODO: test it
description = "MSBL emailbl grey list";
one_shot = true;
groups = ["ebl"];
}
"SEM_URIBL_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey uribl: unknown result";
one_shot = true;
groups = ["sem"];
}
"SEM_URIBL" {
weight = 3.5;
description = "Spameatingmonkey uribl";
one_shot = true;
groups = ["sem"];
}
"SEM_URIBL_FRESH15_UNKNOWN" {
weight = 0.0;
description = "Spameatingmonkey Fresh15 uribl: unknown result";
one_shot = true;
groups = ["sem"];
}
"SEM_URIBL_FRESH15" {
weight = 3.0;
description = "Spameatingmonkey uribl. Domains registered in
the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US)";
one_shot = true;
groups = ["sem"];
}
"DBL" {
weight = 0.0;
description = "DBL unknown result";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_SPAM" {
weight = 6.5;
description = "DBL uribl spam";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_PHISH" {
weight = 6.5;
description = "DBL uribl phishing";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_MALWARE" {
weight = 6.5;
description = "DBL uribl malware";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_BOTNET" {
weight = 5.5;
description = "DBL uribl botnet C&C domain";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_ABUSE" {
weight = 6.5;
description = "DBL uribl abused legit spam";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_ABUSE_REDIR" {
weight = 1.5;
description = "DBL uribl abused spammed redirector domain";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_ABUSE_PHISH" {
weight = 7.5;
description = "DBL uribl abused legit phish";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_ABUSE_MALWARE" {
weight = 7.5;
description = "DBL uribl abused legit malware";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_ABUSE_BOTNET" {
weight = 5.5;
description = "DBL uribl abused legit botnet C&C";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_PROHIBIT" {
weight = 0.0;
description = "DBL uribl IP queries prohibited!";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_BLOCKED_OPENRESOLVER" {
weight = 0.0;
description = "You are querying Spamhaus from an open resolver,
please see https://www.spamhaus.org/returnc/pub/";
one_shot = true;
groups = ["spamhaus"];
}
"DBL_BLOCKED" {
weight = 0.0;
description = "You are exceeding the query limit, please see
https://www.spamhaus.org/returnc/vol/";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_MULTI" {
weight = 0.0;
description = "uribl.com: unrecognised result";
one_shot = true;
groups = ["uribl"];
}
"URIBL_BLOCKED" {
weight = 0.0;
description = "uribl.com: query refused";
one_shot = true;
groups = ["uribl", "blocked"];
}
"URIBL_BLACK" {
weight = 7.5;
description = "uribl.com black url";
one_shot = true;
groups = ["uribl"];
}
"URIBL_RED" {
weight = 3.5;
description = "uribl.com red url";
one_shot = true;
groups = ["uribl"];
}
"URIBL_GREY" {
weight = 1.5;
description = "uribl.com grey url";
one_shot = true;
groups = ["uribl"];
}
"SPAMHAUS_ZEN_URIBL" {
ignore = true;
weight = 0.0;
description = "Spamhaus ZEN URIBL: Filtered result";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_SBL" {
ignore = true;
weight = 6.5;
description = "A domain in the message body resolves to an IP
listed in Spamhaus SBL";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_SBL_CSS" {
ignore = true;
weight = 6.5;
description = "A domain in the message body resolves to an IP
listed in Spamhaus SBL CSS";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_XBL" {
ignore = true;
weight = 1.5;
description = "A domain in the message body resolves to an IP
listed in Spamhaus XBL";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_PBL" {
ignore = true;
weight = 0.01;
description = "A domain in the message body resolves to an IP
listed in Spamhaus PBL";
one_shot = true;
groups = ["spamhaus"];
}
"URIBL_DROP" {
ignore = true;
weight = 5.0;
description = "A domain in the message body resolves to an IP
listed in Spamhaus DROP";
one_shot = true;
groups = ["spamhaus"];
}
#"RBL_SARBL_BAD" {
# weight = 2.5;
# description = "A domain in the message body is blacklisted in
SARBL";
# one_shot = true;
#}
}
/etc/rspamd/scores.d/whitelist_group.conf changed:
description = "White lists group";
max_score = 10.0;
symbols = {
"WHITELIST_SPF" {
weight = -1.0;
description = "Mail comes from the whitelisted domain and has a
valid SPF policy";
groups = ["spf"];
}
"BLACKLIST_SPF" {
weight = 1.0;
description = "Mail comes from the whitelisted domain and has
no valid SPF policy";
groups = ["spf"];
}
"WHITELIST_DKIM" {
weight = -1.0;
description = "Mail comes from the whitelisted domain and has a
valid DKIM signature";
groups = ["dkim"];
}
"BLACKLIST_DKIM" {
weight = 2.0;
description = "Mail comes from the whitelisted domain and has
non-valid DKIM signature";
groups = ["dkim"];
}
"WHITELIST_SPF_DKIM" {
weight = -3.0;
description = "Mail comes from the whitelisted domain and has
valid SPF and DKIM policies";
groups = ["spf", "dkim"];
}
"BLACKLIST_SPF_DKIM" {
weight = 3.0;
description = "Mail comes from the whitelisted domain and has
no valid SPF policy or a bad DKIM signature";
groups = ["spf", "dkim"];
}
"WHITELIST_DMARC" {
weight = -7.0;
description = "Mail comes from the whitelisted domain and has
valid DMARC and DKIM policies";
groups = ["dmarc", "spf", "dkim"];
}
"BLACKLIST_DMARC" {
weight = 6.0;
description = "Mail comes from the whitelisted domain and has
failed DMARC and DKIM policies";
groups = ["dmarc", "spf", "dkim"];
}
}
/etc/rspamd/statistic.conf changed:
classifier "bayes" {
# name = "custom"; # 'name' parameter must be set if multiple classifiers are defined
tokenizer {
name = "osb";
}
cache {
}
new_schema = true; # Always use new schema
store_tokens = false; # Redefine if storing of tokens is desired
signatures = false; # Store learn signatures
#per_user = true; # Enable per user classifier
min_tokens = 11;
backend = "redis";
min_learns = 200;
# First statfile of the bayes classifier. Both of its settings are commented
# out in this dump, so the block is empty here, while the statfile that
# follows still declares BAYES_SPAM with spam = true.
# NOTE(review): unless the included local.d/override.d classifier-bayes.conf
# supplies the missing values, the classifier has a statfile with no symbol on
# a redis backend; that is worth ruling out when triaging the crash reported
# above, whose backtrace passes through redisProcessCallbacks and lua_pcall -
# unconfirmed.
statfile {
#symbol = "BAYES_HAM";
#spam = false;
}
statfile {
symbol = "BAYES_SPAM";
spam = true;
}
learn_condition = 'return require("lua_bayes_learn").can_learn';
# Autolearn sample
# autolearn {
# spam_threshold = 6.0; # When to learn spam (score >= threshold and action is reject)
# junk_threshold = 4.0; # When to learn spam (score >= threshold and action is rewrite subject or add header, and has two or more positive results)
# ham_threshold = -0.5; # When to learn ham (score <= threshold and action is no action, and score is negative or has three or more negative results)
# check_balance = true; # Check spam and ham balance
# min_balance = 0.9; # Keep diff for spam/ham learns for at least this value
#}
.include(try=true; priority=1)
"$LOCAL_CONFDIR/local.d/classifier-bayes.conf"
.include(try=true; priority=10)
"$LOCAL_CONFDIR/override.d/classifier-bayes.conf"
}
.include(try=true; priority=1) "$LOCAL_CONFDIR/local.d/statistic.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/statistic.conf"
/etc/rspamd/worker-proxy.inc changed:
# Settings of the rspamd_proxy worker (included from its worker block in
# rspamd.conf). The worker speaks the milter protocol to the MTA.
milter = yes; # Enable milter mode
timeout = 120s; # Needed for Milter usually
# Single default upstream on localhost; no port or other upstream option is
# set in this block.
upstream "local" {
default = yes;
hosts = "localhost";
}
count = 1; # Do not spawn too many processes of this type
max_retries = 5; # How many times master is queried in case of failure
# Both options are off, so a reject verdict is neither turned into a silent
# discard nor into a quarantine request.
discard_on_reject = false; # Discard message instead of rejection
quarantine_on_reject = false; # Tell MTA to quarantine rejected messages
spam_header = "X-Spam"; # Use the specific spam header
# NOTE(review): presumably this text is returned to the sending side on
# rejection, so it should not reveal which rule matched - confirm.
reject_message = "Spam message rejected"; # Use custom rejection message
-- no debconf information