Let’s have a look at rspamd’s default scores. As mentioned, this is kind of a moving target, the scores in the default configuration can in theory change anytime unless you disable rspamd_update, so you should verify a particular score you want to override in your installation.
The following table should be useful nevertheless to get a quick overview. Configfile names will be of importance in the following section. The description are mostly taken 1:1 from the configfiles and the source/module is often missing because there is unfortunately no way to find out where a symbol is documented except than to read the sources. I might update it as I find out more.
Scores marked with an asterisk (*) are one-shot symbols that is, the symbol is only triggered with the highest score no matter how often the associated test matched. Symbols that are not one-shot can be triggered multiple times, with the additional matches being affected by a grow factor (see the metrics documentation for further details).
Source / Module | Symbol | Description | Score |
---|---|---|---|
fuzzy_check | FUZZY_UNKNOWN | Generic fuzzy hash match, bl.rspamd.com | 5.0 |
FUZZY_DENIED | Denied fuzzy hash, bl.rspamd.com | 12.0 | |
FUZZY_PROB | Probable fuzzy hash, bl.rspamd.com | 5.0 | |
FUZZY_WHITE | Whitelisted fuzzy hash, bl.rspamd.com | -2.1 | |
? | FORGED_SENDER | Sender is forged (different From: header and smtp MAIL FROM: addresses) | 0.30 |
? | FORGED_SENDER_MAILLIST | Sender is not the same as MAIL FROM: envelope, but a message is from a mailing list | 0.0 |
? | FORGED_RECIPIENTS | Recipients are not the same as RCPT TO: mail command | 2.0 |
? | FORGED_RECIPIENTS_MAILLIST | Recipients are not the same as RCPT TO: mail command, but a message is from a mailing list | 0.0 |
chartable | R_MIXED_CHARSET | Mixed characters in a message | 5.0 |
R_MIXED_CHARSET_URL | Mixed characters in a URL inside a message | 7.0 | |
once_received | ONCE_RECEIVED | One received header in a message | 0.1 |
ONCE_RECEIVED_STRICT | One received header with “bad” patterns inside | 4.0 | |
? | RDNS_NONE | Cannot resolve reverse DNS for sender’s IP | 1.0 |
maillist | MAILLIST | Message seems to be from a mailing list | -0.2 |
? | HFILTER_HELO_BAREIP | Helo host is bare IP | 3.0 |
? | HFILTER_HELO_BADIP | Helo host is very bad IP | 4.5 |
? | HFILTER_HELO_1 | Helo host checks (very low) | 0.5 |
? | HFILTER_HELO_2 | Helo host checks (low) | 1.0 |
? | HFILTER_HELO_3 | Helo host checks (medium) | 2.0 |
? | HFILTER_HELO_4 | Helo host checks (hard) | 2.5 |
? | HFILTER_HELO_5 | Helo host checks (very hard) | 3.0 |
? | HFILTER_HOSTNAME_1 | Hostname checks (very low) | 0.5 |
? | HFILTER_HOSTNAME_2 | Hostname checks (low) | 1.0 |
? | HFILTER_HOSTNAME_3 | Hostname checks (medium) | 2.0 |
? | HFILTER_HOSTNAME_4 | Hostname checks (hard) | 2.5 |
? | HFILTER_HOSTNAME_5 | Hostname checks (very hard) | 3.0 |
? | HFILTER_HELO_NORESOLVE_MX | MX found in HELO and no resolve | 0.2 |
? | HFILTER_HELO_NORES_A_OR_MX | HELO no resolve to A or MX | 0.3 |
? | HFILTER_HELO_IP_A | HELO A IP != hostname IP | 1.0 |
? | HFILTER_HELO_NOT_FQDN | HELO not FQDN | 2.0 |
? | HFILTER_FROMHOST_NORESOLVE_MX | MX found in FROM host and no resolve | 0.5 |
? | HFILTER_FROMHOST_NORES_A_OR_MX | FROM host no resolve to A or MX | 1.5 |
? | HFILTER_FROMHOST_NOT_FQDN | FROM host not FQDN | 3.0 |
? | HFILTER_FROM_BOUNCE | Bounce message | 0.0 |
? | HFILTER_HOSTNAME_UNKNOWN | Unknown hostname (no PTR or no resolve PTR to hostname) | 2.5 |
? | HFILTER_RCPT_BOUNCEMOREONE | Message from bounce and more than one recipient | 1.5 |
? | HFILTER_URL_ONLY | URL only in body | 2.2 |
? | HFILTER_URL_ONELINE | One line URL and text in body | 2.5 |
mime_types | MIME_GOOD | Known content-type | -0.1* |
MIME_BAD | Known bad content-type | 1.0* | |
MIME_UNKNOWN | Missing or unknown content-type | 0.1* | |
MIME_BAD_ATTACHMENT | Invalid attachment mime type | 4.0* | |
MIME_ENCRYPTED_ARCHIVE | Encrypted archive in a message | 2.0* | |
MIME_ARCHIVE_IN_ARCHIVE | Archive within another archive | 5.0* | |
MIME_BAD_EXTENSION | Bad extension | 2.0* | |
MIME_DOUBLE_BAD_EXTENSION | Bad extension cloaking | 3.0* | |
? | FORGED_MUA_MAILLIST | Avoid false positives for FORGED_MUA_* in mailing list | 0.0 |
phishing | PHISHING | Phished URL | 4.0* |
PHISHED_OPENPHISH | Phished URL found in openphish.com blacklist | 7.0 | |
PHISHED_PHISHTANK | Phished URL found in phishtank.com blacklist | 7.0 | |
HACKED_WP_PHISHING | Phishing message from hacked wordpress | 4.5 | |
spf | R_SPF_FAIL | SPF verification failed | 1.0 |
R_SPF_SOFTFAIL | SPF verification soft-failed | 0.0 | |
R_SPF_NEUTRAL | SPF policy is neutral | 0.0 | |
R_SPF_ALLOW | SPF verification allows sending | -0.2 | |
R_SPF_DNSFAIL | SPF DNS failure | 0.0 | |
dkim | R_DKIM_REJECT | DKIM verification failed | 1.0* |
R_DKIM_TEMPFAIL | DKIM verification soft-failed | 0.0 | |
R_DKIM_ALLOW | DKIM verification succeeded | -0.2* | |
dmarc | DMARC_POLICY_ALLOW | DMARC permit policy | -0.5 |
DMARC_POLICY_ALLOW_WITH_FAILURES | DMARC permit policy with DKIM/SPF failure | -0.5 | |
DMARC_POLICY_REJECT | DMARC reject policy | 2.0 | |
DMARC_POLICY_QUARANTINE | DMARC quarantine policy | 1.5 | |
DMARC_POLICY_SOFTFAIL | DMARC failed | 0.1 | |
arc | ARC_ALLOW | ARC checks success | -1.0 |
ARC_REJECT | ARC checks failure | 2.0 | |
ARC_INVALID | ARC structure invalid | 1.0 | |
ARC_DNSFAIL | ARC DNS error | 0.0 | |
ARC_NA | ARC signature absent | 0.0 | |
rbl | DNSWL_BLOCKED | Resolver blocked due to excessive queries | 0.0 |
RCVD_IN_DNSWL | Unrecognised result from dnswl.org | 0.0 | |
RCVD_IN_DNSWL_NONE | Sender listed at www.dnswl.org, no trust | 0.0 | |
RCVD_IN_DNSWL_LOW | Sender listed at www.dnswl.org, low trust | 0.0 | |
RCVD_IN_DNSWL_MED | Sender listed at www.dnswl.org, medium trust | 0.0 | |
RCVD_IN_DNSWL_HI | Sender listed at www.dnswl.org, high trust | 0.0 | |
RBL_SPAMHAUS | Unrecognised result from Spamhaus Zen | 0.0 | |
RBL_SPAMHAUS_SBL | From address is listed in Zen SBL | 2.0 | |
RBL_SPAMHAUS_CSS | From address is listed in Zen CSS | 2.0 | |
RBL_SPAMHAUS_XBL | From address is listed in Zen XBL | 4.0 | |
RBL_SPAMHAUS_XBL_ANY | From or Received address is listed in Zen XBL (any list) | 4.0 | |
RBL_SPAMHAUS_PBL | From address is listed in Zen PBL | 2.0 | |
RBL_SPAMHAUS_DROP | From address is listed in Zen Drop BL | 7.0 | |
RECEIVED_SPAMHAUS_XBL | Received address is listed in Zen XBL | 3.0* | |
RBL_SENDERSCORE | From address is listed in senderscore.com BL | 2.0 | |
RBL_ABUSECH | From address is listed in Abuse.CH BL | 1.0 | |
MAILSPIKE | Unrecognised result from Mailspike | 0.0 | |
RWL_MAILSPIKE_NEUTRAL | Neutral result from Mailspike | 0.0 | |
RBL_MAILSPIKE_WORST | From address is listed in RBL – worst possible reputation | 2.0 | |
RBL_MAILSPIKE_VERYBAD | From address is listed in RBL – very bad reputation | 1.5 | |
RBL_MAILSPIKE_BAD | From address is listed in RBL – bad reputation | 1.0 | |
RWL_MAILSPIKE_POSSIBLE | From address is listed in RWL – possibly legit | 0.0 | |
RWL_MAILSPIKE_GOOD | From address is listed in RWL – good reputation | 0.0 | |
RWL_MAILSPIKE_VERYGOOD | From address is listed in RWL – very good reputation | 0.0 | |
RWL_MAILSPIKE_EXCELLENT | From address is listed in RWL – excellent reputation | 0.0 | |
RBL_SEM | Address is listed in Spameatingmonkey RBL | 1.0 | |
RBL_SEM_IPV6 | Address is listed in Spameatingmonkey RBL (IPv6) | 1.0 | |
Statistics / Bayes classifier | BAYES_SPAM | Message classified as Spam | 4.0 |
BAYES_HAM | Message classified as Ham | -3.0 | |
surbl | SURBL_BLOCKED | SURBL: blocked by policy/overusage | 0.0 |
PH_SURBL_MULTI | SURBL: Phishing sites | 5.5 | |
MW_SURBL_MULTI | SURBL: Malware sites | 5.5 | |
ABUSE_SURBL | SURBL: Abuse | 5.5 | |
CRACKED_SURBL | SURBL: Cracked site | 4.0 | |
RSPAMD_URIBL | Rspamd URIBL, bl.rspamd.com | 4.5* | |
RSPAMD_EMAILBL | Rspamd EMAILBL, bl.rspamd.com | 9.5* | |
MSBL_EBL | MSBL EMAILBL | 7.5* | |
SEM_URIBL_UNKNOWN | Spameatingmonkey URIBL: Unknown result | 0.0 | |
SEM_URIBL | Spameatingmonkey URIBL | 3.5 | |
SEM_URIBL_FRESH15_UNKNOWN | Spameatingmonkey Fresh15 URIBL: Unknown result | 0.0 | |
SEM_URIBL_FRESH15 | Spameatingmonkey URIBL. Domains registered in the last 15 days (.aero, .biz, .com, .info, .name, .net, .pro, .sk, .tel, .us) | 3.0 | |
DBL | DBL Unknown result | 0.0 | |
DBL_SPAM | DBL URIBL Spam | 6.5 | |
DBL_PHISH | DBL URIBL Phishing | 6.5 | |
DBL_MALWARE | DBL URIBL Malware | 6.5 | |
DBL_BOTNET | DBL URIBL Botnet C&C domain | 5.5 | |
DBL_ABUSE | DBL URIBL Abused legit Spam | 6.5 | |
DBL_ABUSE_REDIR | DBL URIBL Abused spammed redirector domain | 1.5 | |
DBL_ABUSE_PHISH | DBL URIBL Abused legit Phish | 7.5 | |
DBL_ABUSE_MALWARE | DBL URIBL Abused legit Malware | 7.5 | |
DBL_ABUSE_BOTNET | DBL URIBL Abused legit Botnet C&C | 5.5 | |
DBL_PROHIBIT | DBL URIBL IP queries prohibited | 0.0 | |
URIBL_MULTI | uribl.com: unrecognised result | 0.0 | |
URIBL_BLOCKED | uribl.com: query refused | 0.0 | |
URIBL_BLACK | uribl.com: black URL | 7.5 | |
URIBL_RED | uribl.com: red URL | 3.5 | |
URIBL_GREY | uribl.com: grey URL | 1.5* | |
SBL_URIBL | SBL URIBL: filtered result | 0.0 | |
URIBL_SL | Spamhaus SBL URIBL | 6.5 | |
URIBL_SBL_CSS | Spamhaus SBL CSS URIBL | 6.5 | |
RBL_SARBL_BAD | A domain listed in the message is blacklisted in SARBL | 2.5 |
Blog post series index: