An alternative introduction to rspamd configuration: Scores (3/4)

May 22, 2018

Let’s have a look at rspamd’s default scores. As mentioned, this is kind of a moving target: the scores in the default configuration can in theory change at any time unless you disable rspamd_update, so before you override a particular score you should verify it in your installation.

The following table should nevertheless be useful for a quick overview. Config file names will be of importance in the following section. The descriptions are mostly taken 1:1 from the config files, and the source/module is often missing because there is unfortunately no way to find out where a symbol is documented other than reading the sources. I might update it as I find out more.

Scores marked with an asterisk (*) belong to one-shot symbols; that is, the symbol is only triggered with the highest score no matter how often the associated test matched. Symbols that are not one-shot can be triggered multiple times, with the additional matches being affected by a grow factor (see the metrics documentation for further details).

| Source / Module | Symbol | Description | Score |
|---|---|---|---|
| fuzzy_group.conf | | | |
| fuzzy_check | FUZZY_UNKNOWN | Generic fuzzy hash match, bl.rspamd.com | 5.0 |
| | FUZZY_DENIED | Denied fuzzy hash, bl.rspamd.com | 12.0 |
| | FUZZY_PROB | Probable fuzzy hash, bl.rspamd.com | 5.0 |
| | FUZZY_WHITE | Whitelisted fuzzy hash, bl.rspamd.com | -2.1 |
| headers_group.conf | | | |
| ? | FORGED_SENDER | Sender is forged (different From: header and smtp MAIL FROM: addresses) | 0.30 |
| ? | FORGED_SENDER_MAILLIST | Sender is not the same as MAIL FROM: envelope, but a message is from a mailing list | 0.0 |
| ? | FORGED_RECIPIENTS | Recipients are not the same as RCPT TO: mail command | 2.0 |
| ? | FORGED_RECIPIENTS_MAILLIST | Recipients are not the same as RCPT TO: mail command, but a message is from a mailing list | 0.0 |
| chartable | R_MIXED_CHARSET | Mixed characters in a message | 5.0 |
| | R_MIXED_CHARSET_URL | Mixed characters in a URL inside a message | 7.0 |
| once_received | ONCE_RECEIVED | One received header in a message | 0.1 |
| | ONCE_RECEIVED_STRICT | One received header with “bad” patterns inside | 4.0 |
| ? | RDNS_NONE | Cannot resolve reverse DNS for sender’s IP | 1.0 |
| maillist | MAILLIST | Message seems to be from a mailing list | -0.2 |
| hfilter_group.conf | | | |
| ? | HFILTER_HELO_BAREIP | Helo host is bare IP | 3.0 |
| ? | HFILTER_HELO_BADIP | Helo host is very bad IP | 4.5 |
| ? | HFILTER_HELO_1 | Helo host checks (very low) | 0.5 |
| ? | HFILTER_HELO_2 | Helo host checks (low) | 1.0 |
| ? | HFILTER_HELO_3 | Helo host checks (medium) | 2.0 |
| ? | HFILTER_HELO_4 | Helo host checks (hard) | 2.5 |
| ? | HFILTER_HELO_5 | Helo host checks (very hard) | 3.0 |
| ? | HFILTER_HOSTNAME_1 | Hostname checks (very low) | 0.5 |
| ? | HFILTER_HOSTNAME_2 | Hostname checks (low) | 1.0 |
| ? | HFILTER_HOSTNAME_3 | Hostname checks (medium) | 2.0 |
| ? | HFILTER_HOSTNAME_4 | Hostname checks (hard) | 2.5 |
| ? | HFILTER_HOSTNAME_5 | Hostname checks (very hard) | 3.0 |
| ? | HFILTER_HELO_NORESOLVE_MX | MX found in HELO and no resolve | 0.2 |
| ? | HFILTER_HELO_NORES_A_OR_MX | HELO no resolve to A or MX | 0.3 |
| ? | HFILTER_HELO_IP_A | HELO A IP != hostname IP | 1.0 |
| ? | HFILTER_HELO_NOT_FQDN | HELO not FQDN | 2.0 |
| ? | HFILTER_FROMHOST_NORESOLVE_MX | MX found in FROM host and no resolve | 0.5 |
| ? | HFILTER_FROMHOST_NORES_A_OR_MX | FROM host no resolve to A or MX | 1.5 |
| ? | HFILTER_FROMHOST_NOT_FQDN | FROM host not FQDN | 3.0 |
| ? | HFILTER_FROM_BOUNCE | Bounce message | 0.0 |
| ? | HFILTER_HOSTNAME_UNKNOWN | Unknown hostname (no PTR or no resolve PTR to hostname) | 2.5 |
| ? | HFILTER_RCPT_BOUNCEMOREONE | Message from bounce and more than one recipient | 1.5 |
| ? | HFILTER_URL_ONLY | URL only in body | 2.2 |
| ? | HFILTER_URL_ONELINE | One line URL and text in body | 2.5 |
| mime_types_group.conf | | | |
| mime_types | MIME_GOOD | Known content-type | -0.1* |
| | MIME_BAD | Known bad content-type | 1.0* |
| | MIME_UNKNOWN | Missing or unknown content-type | 0.1* |
| | MIME_BAD_ATTACHMENT | Invalid attachment mime type | 4.0* |
| | MIME_ENCRYPTED_ARCHIVE | Encrypted archive in a message | 2.0* |
| | MIME_ARCHIVE_IN_ARCHIVE | Archive within another archive | 5.0* |
| | MIME_BAD_EXTENSION | Bad extension | 2.0* |
| | MIME_DOUBLE_BAD_EXTENSION | Bad extension cloaking | 3.0* |
| mua_group.conf | | | |
| ? | FORGED_MUA_MAILLIST | Avoid false positives for FORGED_MUA_* in mailing list | 0.0 |
| phishing_group.conf | | | |
| phishing | PHISHING | Phished URL | 4.0* |
| | PHISHED_OPENPHISH | Phished URL found in openphish.com blacklist | 7.0 |
| | PHISHED_PHISHTANK | Phished URL found in phishtank.com blacklist | 7.0 |
| | HACKED_WP_PHISHING | Phishing message from hacked wordpress | 4.5 |
| policies_group.conf | | | |
| spf | R_SPF_FAIL | SPF verification failed | 1.0 |
| | R_SPF_SOFTFAIL | SPF verification soft-failed | 0.0 |
| | R_SPF_NEUTRAL | SPF policy is neutral | 0.0 |
| | R_SPF_ALLOW | SPF verification allows sending | -0.2 |
| | R_SPF_DNSFAIL | SPF DNS failure | 0.0 |
| dkim | R_DKIM_REJECT | DKIM verification failed | 1.0* |
| | R_DKIM_TEMPFAIL | DKIM verification soft-failed | 0.0 |
| | R_DKIM_ALLOW | DKIM verification succeeded | -0.2* |
| dmarc | DMARC_POLICY_ALLOW | DMARC permit policy | -0.5 |
| | DMARC_POLICY_ALLOW_WITH_FAILURES | DMARC permit policy with DKIM/SPF failure | -0.5 |
| | DMARC_POLICY_REJECT | DMARC reject policy | 2.0 |
| | DMARC_POLICY_QUARANTINE | DMARC quarantine policy | 1.5 |
| | DMARC_POLICY_SOFTFAIL | DMARC failed | 0.1 |
| arc | ARC_ALLOW | ARC checks success | -1.0 |
| | ARC_REJECT | ARC checks failure | 2.0 |
| | ARC_INVALID | ARC structure invalid | 1.0 |
| | ARC_DNSFAIL | ARC DNS error | 0.0 |
| | ARC_NA | ARC signature absent | 0.0 |
| rbl_group.conf | | | |
| rbl | DNSWL_BLOCKED | Resolver blocked due to excessive queries | 0.0 |
| | RCVD_IN_DNSWL | Unrecognised result from dnswl.org | 0.0 |
| | RCVD_IN_DNSWL_NONE | Sender listed at www.dnswl.org, no trust | 0.0 |
| | RCVD_IN_DNSWL_LOW | Sender listed at www.dnswl.org, low trust | 0.0 |
| | RCVD_IN_DNSWL_MED | Sender listed at www.dnswl.org, medium trust | 0.0 |
| | RCVD_IN_DNSWL_HI | Sender listed at www.dnswl.org, high trust | 0.0 |
| | RBL_SPAMHAUS | Unrecognised result from Spamhaus Zen | 0.0 |
| | RBL_SPAMHAUS_SBL | From address is listed in Zen SBL | 2.0 |
| | RBL_SPAMHAUS_CSS | From address is listed in Zen CSS | 2.0 |
| | RBL_SPAMHAUS_XBL | From address is listed in Zen XBL | 4.0 |
| | RBL_SPAMHAUS_XBL_ANY | From or Received address is listed in Zen XBL (any list) | 4.0 |
| | RBL_SPAMHAUS_PBL | From address is listed in Zen PBL | 2.0 |
| | RBL_SPAMHAUS_DROP | From address is listed in Zen Drop BL | 7.0 |
| | RECEIVED_SPAMHAUS_XBL | Received address is listed in Zen XBL | 3.0* |
| | RBL_SENDERSCORE | From address is listed in senderscore.com BL | 2.0 |
| | RBL_ABUSECH | From address is listed in Abuse.CH BL | 1.0 |
| | MAILSPIKE | Unrecognised result from Mailspike | 0.0 |
| | RWL_MAILSPIKE_NEUTRAL | Neutral result from Mailspike | 0.0 |
| | RBL_MAILSPIKE_WORST | From address is listed in RBL – worst possible reputation | 2.0 |
| | RBL_MAILSPIKE_VERYBAD | From address is listed in RBL – very bad reputation | 1.5 |
| | RBL_MAILSPIKE_BAD | From address is listed in RBL – bad reputation | 1.0 |
| | RWL_MAILSPIKE_POSSIBLE | From address is listed in RWL – possibly legit | 0.0 |
| | RWL_MAILSPIKE_GOOD | From address is listed in RWL – good reputation | 0.0 |
| | RWL_MAILSPIKE_VERYGOOD | From address is listed in RWL – very good reputation | 0.0 |
| | RWL_MAILSPIKE_EXCELLENT | From address is listed in RWL – excellent reputation | 0.0 |
| | RBL_SEM | Address is listed in Spameatingmonkey RBL | 1.0 |
| | RBL_SEM_IPV6 | Address is listed in Spameatingmonkey RBL (IPv6) | 1.0 |
| statistics_group.conf | | | |
| Statistics / Bayes classifier | BAYES_SPAM | Message classified as Spam | 4.0 |
| | BAYES_HAM | Message classified as Ham | -3.0 |
| subject_group.conf (doesn’t define any symbols) | | | |
| surbl_group.conf | | | |
| surbl | SURBL_BLOCKED | SURBL: blocked by policy/overusage | 0.0 |
| | PH_SURBL_MULTI | SURBL: Phishing sites | 5.5 |
| | MW_SURBL_MULTI | SURBL: Malware sites | 5.5 |
| | ABUSE_SURBL | SURBL: Abuse | 5.5 |
| | CRACKED_SURBL | SURBL: Cracked site | 4.0 |
| | RSPAMD_URIBL | Rspamd URIBL, bl.rspamd.com | 4.5* |
| | RSPAMD_EMAILBL | Rspamd EMAILBL, bl.rspamd.com | 9.5* |
| | MSBL_EBL | MSBL EMAILBL | 7.5* |
| | SEM_URIBL_UNKNOWN | Spameatingmonkey URIBL: Unknown result | 0.0 |
| | SEM_URIBL | Spameatingmonkey URIBL | 3.5 |
| | SEM_URIBL_FRESH15_UNKNOWN | Spameatingmonkey Fresh15 URIBL: Unknown result | 0.0 |
| | SEM_URIBL_FRESH15 | Spameatingmonkey URIBL. Domains registered in the last 15 days (.aero, .biz, .com, .info, .name, .net, .pro, .sk, .tel, .us) | 3.0 |
| | DBL | DBL Unknown result | 0.0 |
| | DBL_SPAM | DBL URIBL Spam | 6.5 |
| | DBL_PHISH | DBL URIBL Phishing | 6.5 |
| | DBL_MALWARE | DBL URIBL Malware | 6.5 |
| | DBL_BOTNET | DBL URIBL Botnet C&C domain | 5.5 |
| | DBL_ABUSE | DBL URIBL Abused legit Spam | 6.5 |
| | DBL_ABUSE_REDIR | DBL URIBL Abused spammed redirector domain | 1.5 |
| | DBL_ABUSE_PHISH | DBL URIBL Abused legit Phish | 7.5 |
| | DBL_ABUSE_MALWARE | DBL URIBL Abused legit Malware | 7.5 |
| | DBL_ABUSE_BOTNET | DBL URIBL Abused legit Botnet C&C | 5.5 |
| | DBL_PROHIBIT | DBL URIBL IP queries prohibited | 0.0 |
| | URIBL_MULTI | uribl.com: unrecognised result | 0.0 |
| | URIBL_BLOCKED | uribl.com: query refused | 0.0 |
| | URIBL_BLACK | uribl.com: black URL | 7.5 |
| | URIBL_RED | uribl.com: red URL | 3.5 |
| | URIBL_GREY | uribl.com: grey URL | 1.5* |
| | SBL_URIBL | SBL URIBL: filtered result | 0.0 |
| | URIBL_SL | Spamhaus SBL URIBL | 6.5 |
| | URIBL_SBL_CSS | Spamhaus SBL CSS URIBL | 6.5 |
| | RBL_SARBL_BAD | A domain listed in the message is blacklisted in SARBL | 2.5 |
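
Since the defaults can change under you, here is one way to compare a few values from the table above against what a group file actually contains. This is an added example, not part of the original post or of rspamd itself. It assumes the `*_group.conf` files use UCL blocks of the form `"SYMBOL" { weight = ...; one_shot = true; }`, and the sample file content is constructed for illustration.

```python
import re

# Defaults copied from the table above: symbol -> (score, one-shot i.e. marked *).
TABLE_DEFAULTS = {
    "R_SPF_FAIL": (1.0, False),
    "R_DKIM_REJECT": (1.0, True),
    "DMARC_POLICY_REJECT": (2.0, False),
    "ARC_REJECT": (2.0, False),
}

# Constructed sample in the assumed UCL style of a *_group.conf file; not taken
# from a real installation. R_SPF_FAIL differs and ARC_REJECT is absent on purpose.
SAMPLE_GROUP_CONF = '''
symbols = {
    "R_SPF_FAIL" {
        weight = 3.0;
        description = "SPF verification failed";
    }
    "R_DKIM_REJECT" {
        weight = 1.0;
        description = "DKIM verification failed";
        one_shot = true;
    }
    "DMARC_POLICY_REJECT" {
        weight = 2.0;
        description = "DMARC reject policy";
    }
}
'''

SYMBOL_BLOCK = re.compile(r'"([A-Z0-9_]+)"\s*\{(.*?)\}', re.S)
WEIGHT = re.compile(r'\bweight\s*=\s*(-?\d+(?:\.\d+)?)')
ONE_SHOT = re.compile(r'\bone_shot\s*=\s*(?:true|yes|on)\b')

def parse_symbols(text):
    """Return {symbol: (weight, one_shot)} for every symbol block that sets a weight."""
    found = {}
    for name, body in SYMBOL_BLOCK.findall(text):
        match = WEIGHT.search(body)
        if match:
            found[name] = (float(match.group(1)), bool(ONE_SHOT.search(body)))
    return found

def drift(expected, installed):
    """List (symbol, expected, installed) where the installed value differs or is missing."""
    return [(sym, exp, installed.get(sym))
            for sym, exp in sorted(expected.items()) if installed.get(sym) != exp]
```

Calling `drift(TABLE_DEFAULTS, parse_symbols(SAMPLE_GROUP_CONF))` reports the changed `R_SPF_FAIL` weight and the missing `ARC_REJECT` symbol; to check a real file, pass its contents to `parse_symbols` instead of the sample.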

Posted in rspamd, Software, Systems management by Pieter Hollants

 
Copyright © 2018 by Pieter Hollants. All rights reserved.