Let’s have a look at rspamd’s default scores. As mentioned, this is kind of a moving target: the scores in the default configuration can in theory change at any time unless you disable rspamd_update, so you should verify in your own installation any particular score you want to override.
The following table should nevertheless be useful for a quick overview. Config file names will be of importance in the following section. The descriptions are mostly taken 1:1 from the config files, and the source/module is often missing because there is unfortunately no way to find out where a symbol is documented other than reading the sources. I might update it as I find out more.
Scores marked with an asterisk (*) are one-shot symbols; that is, the symbol is only triggered with the highest score no matter how often the associated test matched. Symbols that are not one-shot can be triggered multiple times, with the additional matches being affected by a grow factor (see the metrics documentation for further details).
| Source / Module | Symbol | Description | Score |
|---|---|---|---|
| fuzzy_check | FUZZY_UNKNOWN | Generic fuzzy hash match, bl.rspamd.com | 5.0 |
| fuzzy_check | FUZZY_DENIED | Denied fuzzy hash, bl.rspamd.com | 12.0 |
| fuzzy_check | FUZZY_PROB | Probable fuzzy hash, bl.rspamd.com | 5.0 |
| fuzzy_check | FUZZY_WHITE | Whitelisted fuzzy hash, bl.rspamd.com | -2.1 |
| ? | FORGED_SENDER | Sender is forged (different From: header and smtp MAIL FROM: addresses) | 0.30 |
| ? | FORGED_SENDER_MAILLIST | Sender is not the same as MAIL FROM: envelope, but a message is from a mailing list | 0.0 |
| ? | FORGED_RECIPIENTS | Recipients are not the same as RCPT TO: mail command | 2.0 |
| ? | FORGED_RECIPIENTS_MAILLIST | Recipients are not the same as RCPT TO: mail command, but a message is from a mailing list | 0.0 |
| chartable | R_MIXED_CHARSET | Mixed characters in a message | 5.0 |
| chartable | R_MIXED_CHARSET_URL | Mixed characters in a URL inside a message | 7.0 |
| once_received | ONCE_RECEIVED | One received header in a message | 0.1 |
| once_received | ONCE_RECEIVED_STRICT | One received header with “bad” patterns inside | 4.0 |
| ? | RDNS_NONE | Cannot resolve reverse DNS for sender’s IP | 1.0 |
| maillist | MAILLIST | Message seems to be from a mailing list | -0.2 |
| ? | HFILTER_HELO_BAREIP | Helo host is bare IP | 3.0 |
| ? | HFILTER_HELO_BADIP | Helo host is very bad IP | 4.5 |
| ? | HFILTER_HELO_1 | Helo host checks (very low) | 0.5 |
| ? | HFILTER_HELO_2 | Helo host checks (low) | 1.0 |
| ? | HFILTER_HELO_3 | Helo host checks (medium) | 2.0 |
| ? | HFILTER_HELO_4 | Helo host checks (hard) | 2.5 |
| ? | HFILTER_HELO_5 | Helo host checks (very hard) | 3.0 |
| ? | HFILTER_HOSTNAME_1 | Hostname checks (very low) | 0.5 |
| ? | HFILTER_HOSTNAME_2 | Hostname checks (low) | 1.0 |
| ? | HFILTER_HOSTNAME_3 | Hostname checks (medium) | 2.0 |
| ? | HFILTER_HOSTNAME_4 | Hostname checks (hard) | 2.5 |
| ? | HFILTER_HOSTNAME_5 | Hostname checks (very hard) | 3.0 |
| ? | HFILTER_HELO_NORESOLVE_MX | MX found in HELO and no resolve | 0.2 |
| ? | HFILTER_HELO_NORES_A_OR_MX | HELO no resolve to A or MX | 0.3 |
| ? | HFILTER_HELO_IP_A | HELO A IP != hostname IP | 1.0 |
| ? | HFILTER_HELO_NOT_FQDN | HELO not FQDN | 2.0 |
| ? | HFILTER_FROMHOST_NORESOLVE_MX | MX found in FROM host and no resolve | 0.5 |
| ? | HFILTER_FROMHOST_NORES_A_OR_MX | FROM host no resolve to A or MX | 1.5 |
| ? | HFILTER_FROMHOST_NOT_FQDN | FROM host not FQDN | 3.0 |
| ? | HFILTER_FROM_BOUNCE | Bounce message | 0.0 |
| ? | HFILTER_HOSTNAME_UNKNOWN | Unknown hostname (no PTR or no resolve PTR to hostname) | 2.5 |
| ? | HFILTER_RCPT_BOUNCEMOREONE | Message from bounce and more than one recipient | 1.5 |
| ? | HFILTER_URL_ONLY | URL only in body | 2.2 |
| ? | HFILTER_URL_ONELINE | One line URL and text in body | 2.5 |
| mime_types | MIME_GOOD | Known content-type | -0.1* |
| mime_types | MIME_BAD | Known bad content-type | 1.0* |
| mime_types | MIME_UNKNOWN | Missing or unknown content-type | 0.1* |
| mime_types | MIME_BAD_ATTACHMENT | Invalid attachment mime type | 4.0* |
| mime_types | MIME_ENCRYPTED_ARCHIVE | Encrypted archive in a message | 2.0* |
| mime_types | MIME_ARCHIVE_IN_ARCHIVE | Archive within another archive | 5.0* |
| mime_types | MIME_BAD_EXTENSION | Bad extension | 2.0* |
| mime_types | MIME_DOUBLE_BAD_EXTENSION | Bad extension cloaking | 3.0* |
| ? | FORGED_MUA_MAILLIST | Avoid false positives for FORGED_MUA_* in mailing list | 0.0 |
| phishing | PHISHING | Phished URL | 4.0* |
| phishing | PHISHED_OPENPHISH | Phished URL found in openphish.com blacklist | 7.0 |
| phishing | PHISHED_PHISHTANK | Phished URL found in phishtank.com blacklist | 7.0 |
| phishing | HACKED_WP_PHISHING | Phishing message from hacked wordpress | 4.5 |
| spf | R_SPF_FAIL | SPF verification failed | 1.0 |
| spf | R_SPF_SOFTFAIL | SPF verification soft-failed | 0.0 |
| spf | R_SPF_NEUTRAL | SPF policy is neutral | 0.0 |
| spf | R_SPF_ALLOW | SPF verification allows sending | -0.2 |
| spf | R_SPF_DNSFAIL | SPF DNS failure | 0.0 |
| dkim | R_DKIM_REJECT | DKIM verification failed | 1.0* |
| dkim | R_DKIM_TEMPFAIL | DKIM verification soft-failed | 0.0 |
| dkim | R_DKIM_ALLOW | DKIM verification succeeded | -0.2* |
| dmarc | DMARC_POLICY_ALLOW | DMARC permit policy | -0.5 |
| dmarc | DMARC_POLICY_ALLOW_WITH_FAILURES | DMARC permit policy with DKIM/SPF failure | -0.5 |
| dmarc | DMARC_POLICY_REJECT | DMARC reject policy | 2.0 |
| dmarc | DMARC_POLICY_QUARANTINE | DMARC quarantine policy | 1.5 |
| dmarc | DMARC_POLICY_SOFTFAIL | DMARC failed | 0.1 |
| arc | ARC_ALLOW | ARC checks success | -1.0 |
| arc | ARC_REJECT | ARC checks failure | 2.0 |
| arc | ARC_INVALID | ARC structure invalid | 1.0 |
| arc | ARC_DNSFAIL | ARC DNS error | 0.0 |
| arc | ARC_NA | ARC signature absent | 0.0 |
| rbl | DNSWL_BLOCKED | Resolver blocked due to excessive queries | 0.0 |
| rbl | RCVD_IN_DNSWL | Unrecognised result from dnswl.org | 0.0 |
| rbl | RCVD_IN_DNSWL_NONE | Sender listed at www.dnswl.org, no trust | 0.0 |
| rbl | RCVD_IN_DNSWL_LOW | Sender listed at www.dnswl.org, low trust | 0.0 |
| rbl | RCVD_IN_DNSWL_MED | Sender listed at www.dnswl.org, medium trust | 0.0 |
| rbl | RCVD_IN_DNSWL_HI | Sender listed at www.dnswl.org, high trust | 0.0 |
| rbl | RBL_SPAMHAUS | Unrecognised result from Spamhaus Zen | 0.0 |
| rbl | RBL_SPAMHAUS_SBL | From address is listed in Zen SBL | 2.0 |
| rbl | RBL_SPAMHAUS_CSS | From address is listed in Zen CSS | 2.0 |
| rbl | RBL_SPAMHAUS_XBL | From address is listed in Zen XBL | 4.0 |
| rbl | RBL_SPAMHAUS_XBL_ANY | From or Received address is listed in Zen XBL (any list) | 4.0 |
| rbl | RBL_SPAMHAUS_PBL | From address is listed in Zen PBL | 2.0 |
| rbl | RBL_SPAMHAUS_DROP | From address is listed in Zen Drop BL | 7.0 |
| rbl | RECEIVED_SPAMHAUS_XBL | Received address is listed in Zen XBL | 3.0* |
| rbl | RBL_SENDERSCORE | From address is listed in senderscore.com BL | 2.0 |
| rbl | RBL_ABUSECH | From address is listed in Abuse.CH BL | 1.0 |
| rbl | MAILSPIKE | Unrecognised result from Mailspike | 0.0 |
| rbl | RWL_MAILSPIKE_NEUTRAL | Neutral result from Mailspike | 0.0 |
| rbl | RBL_MAILSPIKE_WORST | From address is listed in RBL – worst possible reputation | 2.0 |
| rbl | RBL_MAILSPIKE_VERYBAD | From address is listed in RBL – very bad reputation | 1.5 |
| rbl | RBL_MAILSPIKE_BAD | From address is listed in RBL – bad reputation | 1.0 |
| rbl | RWL_MAILSPIKE_POSSIBLE | From address is listed in RWL – possibly legit | 0.0 |
| rbl | RWL_MAILSPIKE_GOOD | From address is listed in RWL – good reputation | 0.0 |
| rbl | RWL_MAILSPIKE_VERYGOOD | From address is listed in RWL – very good reputation | 0.0 |
| rbl | RWL_MAILSPIKE_EXCELLENT | From address is listed in RWL – excellent reputation | 0.0 |
| rbl | RBL_SEM | Address is listed in Spameatingmonkey RBL | 1.0 |
| rbl | RBL_SEM_IPV6 | Address is listed in Spameatingmonkey RBL (IPv6) | 1.0 |
| Statistics / Bayes classifier | BAYES_SPAM | Message classified as Spam | 4.0 |
| Statistics / Bayes classifier | BAYES_HAM | Message classified as Ham | -3.0 |
| surbl | SURBL_BLOCKED | SURBL: blocked by policy/overusage | 0.0 |
| surbl | PH_SURBL_MULTI | SURBL: Phishing sites | 5.5 |
| surbl | MW_SURBL_MULTI | SURBL: Malware sites | 5.5 |
| surbl | ABUSE_SURBL | SURBL: Abuse | 5.5 |
| surbl | CRACKED_SURBL | SURBL: Cracked site | 4.0 |
| surbl | RSPAMD_URIBL | Rspamd URIBL, bl.rspamd.com | 4.5* |
| surbl | RSPAMD_EMAILBL | Rspamd EMAILBL, bl.rspamd.com | 9.5* |
| surbl | MSBL_EBL | MSBL EMAILBL | 7.5* |
| surbl | SEM_URIBL_UNKNOWN | Spameatingmonkey URIBL: Unknown result | 0.0 |
| surbl | SEM_URIBL | Spameatingmonkey URIBL | 3.5 |
| surbl | SEM_URIBL_FRESH15_UNKNOWN | Spameatingmonkey Fresh15 URIBL: Unknown result | 0.0 |
| surbl | SEM_URIBL_FRESH15 | Spameatingmonkey URIBL. Domains registered in the last 15 days (.aero, .biz, .com, .info, .name, .net, .pro, .sk, .tel, .us) | 3.0 |
| surbl | DBL | DBL Unknown result | 0.0 |
| surbl | DBL_SPAM | DBL URIBL Spam | 6.5 |
| surbl | DBL_PHISH | DBL URIBL Phishing | 6.5 |
| surbl | DBL_MALWARE | DBL URIBL Malware | 6.5 |
| surbl | DBL_BOTNET | DBL URIBL Botnet C&C domain | 5.5 |
| surbl | DBL_ABUSE | DBL URIBL Abused legit Spam | 6.5 |
| surbl | DBL_ABUSE_REDIR | DBL URIBL Abused spammed redirector domain | 1.5 |
| surbl | DBL_ABUSE_PHISH | DBL URIBL Abused legit Phish | 7.5 |
| surbl | DBL_ABUSE_MALWARE | DBL URIBL Abused legit Malware | 7.5 |
| surbl | DBL_ABUSE_BOTNET | DBL URIBL Abused legit Botnet C&C | 5.5 |
| surbl | DBL_PROHIBIT | DBL URIBL IP queries prohibited | 0.0 |
| surbl | URIBL_MULTI | uribl.com: unrecognised result | 0.0 |
| surbl | URIBL_BLOCKED | uribl.com: query refused | 0.0 |
| surbl | URIBL_BLACK | uribl.com: black URL | 7.5 |
| surbl | URIBL_RED | uribl.com: red URL | 3.5 |
| surbl | URIBL_GREY | uribl.com: grey URL | 1.5* |
| surbl | SBL_URIBL | SBL URIBL: filtered result | 0.0 |
| surbl | URIBL_SL | Spamhaus SBL URIBL | 6.5 |
| surbl | URIBL_SBL_CSS | Spamhaus SBL CSS URIBL | 6.5 |
| surbl | RBL_SARBL_BAD | A domain listed in the message is blacklisted in SARBL | 2.5 |