| MX_IMPLICIT { |
| expression = "MX_GOOD & MX_MISSING"; |
| score = -0.01; |
| } |
| VIRUS_FOUND { |
| expression = "CLAM_VIRUS & !MAILCOW_WHITE"; |
| score = 2000.0; |
| } |
| # Bad policy from free mail providers |
| FREEMAIL_POLICY_FAILURE { |
| expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST& !WHITELISTED_FWD_HOST & -g+:policies"; |
| score = 16.0; |
| } |
| # Applies to freemail with undisclosed recipients |
| FREEMAIL_TO_UNDISC_RCPT { |
| expression = "FREEMAIL_FROM & ( MISSING_TO | R_UNDISC_RCPT | TO_EQ_FROM )"; |
| score = 5.0; |
| } |
| # Bad policy from non-whitelisted senders |
| # Remove SOGO_CONTACT symbol for fwd hosts and senders with broken policy |
| SOGO_CONTACT_EXCLUDE { |
| expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW"; |
| } |
| # Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts) |
| SPOOFED_UNAUTH { |
| expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies"; |
| score = 50.0; |
| } |
| # Only apply to inbound unauthed and not whitelisted |
| OLEFY_MACRO { |
| expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & OLETOOLS"; |
| score = 20.0; |
| policy = "remove_weight"; |
| } |
| # Applies to a content filter map |
| BAD_WORD_BAD_TLD { |
| expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )"; |
| score = 10.0; |
| } |
| # Forged with bad policies and not fwd host, keep bad policy symbols |
| FORGED_W_BAD_POLICY { |
| expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM | ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST & !DMARC_POLICY_ALLOW"; |
| score = 3.0; |
| } |
| # Keep negative (good) scores for rbl, policies and hfilter, disable neural group |
| WL_FWD_HOST { |
| expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"; |
| } |
| # Exclude X-Spam like flags from scoring from fwd and sieve hosts |
| UPSTREAM_CHECKS_EXCLUDE_FWD_HOST { |
| expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)"; |
| } |
| # Remove fuzzy group from bounces |
| BOUNCE_FUZZY { |
| expression = "-BOUNCE & ^g+:fuzzy"; |
| } |
| # Remove bayes ham if fuzzy denied |
| FUZZY_HAM_MISMATCH { |
| expression = "( -FUZZY_DENIED | -MAILCOW_FUZZY_DENIED | -LOCAL_FUZZY_DENIED ) & ( ^BAYES_HAM | ^NEURAL_HAM_LONG | ^NEURAL_HAM_SHORT )"; |
| } |
| # Remove bayes spam if local fuzzy white |
| FUZZY_SPAM_MISMATCH { |
| expression = "( -LOCAL_FUZZY_WHITE ) & ( ^BAYES_SPAM | ^NEURAL_SPAM_LONG | ^NEURAL_SPAM_SHORT )"; |
| } |
| WL_FWD_HOST { |
| expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)"; |
| } |
| ENCRYPTED_CHAT { |
| expression = "CHAT_VERSION_HEADER & ENCRYPTED_PGP"; |
| } |
| |
| CLAMD_SPAM_FOUND { |
| expression = "CLAM_SECI_SPAM & !MAILCOW_WHITE"; |
| description = "Probably Spam, Securite Spam Flag set through ClamAV"; |
| score = 5; |
| } |
| |
| CLAMD_BAD_PDF { |
| expression = "CLAM_SECI_PDF & !MAILCOW_WHITE"; |
| description = "Bad PDF Found, Securite bad PDF Flag set through ClamAV"; |
| score = 8; |
| } |
| |
| CLAMD_BAD_JPG { |
| expression = "CLAM_SECI_JPG & !MAILCOW_WHITE"; |
| description = "Bad JPG Found, Securite bad JPG Flag set through ClamAV"; |
| score = 8; |
| } |
| |
| CLAMD_ASCII_MALWARE { |
| expression = "CLAM_SECI_ASCII & !MAILCOW_WHITE"; |
| description = "ASCII malware found, Securite ASCII malware Flag set through ClamAV"; |
| score = 8; |
| } |
| |
| CLAMD_HTML_MALWARE { |
| expression = "CLAM_SECI_HTML & !MAILCOW_WHITE"; |
| description = "HTML malware found, Securite HTML malware Flag set through ClamAV"; |
| score = 8; |
| } |
| |
| CLAMD_JS_MALWARE { |
| expression = "CLAM_SECI_JS & !MAILCOW_WHITE"; |
| description = "JS malware found, Securite JS malware Flag set through ClamAV"; |
| score = 8; |
| } |