# Fires when MX_GOOD and MX_MISSING are both present on a message and records
# the pair under a single symbol with a near-zero negative score.
# No removal prefix is used, so the composite's default removal policy applies
# to both operands.
MX_IMPLICIT {
  score = -0.01;
  expression = "MX_GOOD & MX_MISSING";
}
# Adds 2000.0 to any message carrying CLAM_VIRUS, unless MAILCOW_WHITE is set.
# NOTE(review): because of the `!MAILCOW_WHITE` term this composite stays
# silent for whitelisted mail even when the scanner reports a detection.
# Whatever score CLAM_VIRUS carries on its own still applies (confirm in the
# antivirus module config). Whitelist entries are effectively trusted for
# malware as well, so keep them narrow and review them regularly.
VIRUS_FOUND {
  score = 2000.0;
  expression = "CLAM_VIRUS & !MAILCOW_WHITE";
}
# Sender-policy failure on mail from a free mail provider.
# Requires FREEMAIL_FROM plus at least one positively scored symbol from the
# "policies" group (`g+:policies`), and is skipped when DMARC allows the
# message, when it is mailing-list traffic, or when it arrived through a
# whitelisted forwarding host.
# The `-` prefix leaves the matched policy symbols and their weight in place,
# so the 16.0 is added on top of them.
FREEMAIL_POLICY_FAILURE {
  score = 16.0;
  expression = "FREEMAIL_FROM & !DMARC_POLICY_ALLOW & !MAILLIST& !WHITELISTED_FWD_HOST & -g+:policies";
}
# Free-mail sender combined with a hidden or self-addressed recipient list:
# the To header is missing, is an "undisclosed recipients" placeholder, or
# equals the From address.
FREEMAIL_TO_UNDISC_RCPT {
  score = 5.0;
  expression = "FREEMAIL_FROM & ( MISSING_TO | R_UNDISC_RCPT | TO_EQ_FROM )";
}
# Bad policy from non-whitelisted senders: withdraw the SOGO_CONTACT symbol
# when the message came through a forwarding host or carries a positively
# scored "policies" symbol, and DMARC does not allow it.
# `^` forces removal of SOGO_CONTACT (symbol and weight); `-` keeps the
# triggering symbols untouched. No score is assigned to the composite itself.
# NOTE(review): presumably SOGO_CONTACT is a trust bonus for known address-book
# contacts. If so, this rule stops a forged contact address from inheriting
# that bonus. Confirm against the SOGo contact map.
SOGO_CONTACT_EXCLUDE {
  expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW";
}
# Spoofed header From with a broken sender policy.
# Matches MAILCOW_DOMAIN_HEADER_FROM on mail that is not authenticated, not
# whitelisted, and not handed over by the rspamd host, the sieve host or a
# whitelisted forwarding host.
# NOTE(review): the rule also requires a positively scored "policies" symbol
# (`-g+:policies`). A spoofed From that produces no failing policy symbol is
# not caught here, so this depends on the local domains publishing sender
# policies that can fail. Verify for each hosted domain.
SPOOFED_UNAUTH {
  score = 50.0;
  expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
}
# Macro detection (OLETOOLS symbol) for inbound mail only: skipped for
# authenticated submissions and for whitelisted senders.
# The "remove_weight" policy drops the weight of the matched symbols but
# leaves them listed, so the 20.0 set here is the score that counts.
# NOTE(review): as with the other `!MAILCOW_WHITE` rules, whitelisted senders
# are exempt from this macro score.
OLEFY_MACRO {
  policy = "remove_weight";
  score = 20.0;
  expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & OLETOOLS";
}
# Content-filter map hit (BAD_WORDS or its German variant BAD_WORDS_DE)
# combined with a FISHY_TLD match.
BAD_WORD_BAD_TLD {
  score = 10.0;
  expression = "FISHY_TLD & ( BAD_WORDS | BAD_WORDS_DE )";
}
# Forged sender together with a bad or absent sender policy, for mail that did
# not come through a whitelisted forwarding host and is not allowed by DMARC.
# `-` keeps the policy symbols (and R_SPF_NA) as they are. `~` removes only
# the FROM_NEQ_ENVFROM / FORGED_SENDER symbol names and preserves their weight.
FORGED_W_BAD_POLICY {
  score = 3.0;
  expression = "( -g+:policies | -R_SPF_NA) & ( ~FROM_NEQ_ENVFROM | ~FORGED_SENDER ) & !WHITELISTED_FWD_HOST & !DMARC_POLICY_ALLOW";
}
# Mail relayed by a whitelisted forwarding host: force-remove (`^`) every
# positively scored symbol of the rbl, policies and hfilter groups, so only
# their negative (good) scores remain, and drop the whole neural group.
# NOTE(review): one forwarding-host entry switches off the RBL, sender-policy,
# host-filter and neural penalties for everything that host relays. Treat the
# forwarding-host list as a trust boundary and restrict who may edit it.
WL_FWD_HOST {
  expression = "-WHITELISTED_FWD_HOST & (^g+:rbl | ^g+:policies | ^g+:hfilter | ^g:neural)";
}
# Ignore upstream spam verdict flags (X-Spam style headers) on mail handed
# over by the sieve host or a whitelisted forwarding host: the listed
# provider symbols are force-removed (`^`) and the host symbols are kept (`-`).
UPSTREAM_CHECKS_EXCLUDE_FWD_HOST {
  expression = "(-SIEVE_HOST | -WHITELISTED_FWD_HOST) & (^UNITEDINTERNET_SPAM | ^SPAM_FLAG | ^KLMS_SPAM | ^AOL_SPAM | ^MICROSOFT_SPAM)";
}
# Bounces: keep the BOUNCE symbol (`-`) and force-remove (`^`) all positively
# scored symbols of the fuzzy group.
BOUNCE_FUZZY {
  expression = "-BOUNCE & ^g+:fuzzy";
}
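# Fuzzy-hash verdicts override the statistical classifiers.
# Each composite below is defined exactly once. A repeated identical
# definition adds nothing and leaves the result dependent on how the loader
# merges duplicate keys. WL_FWD_HOST is not repeated here because it is
# already defined earlier in this file with the same expression.

# Fuzzy says "denied": force-remove (`^`) the Bayes and neural ham symbols so
# a ham verdict cannot offset the fuzzy hit. The fuzzy symbols are kept (`-`).
FUZZY_HAM_MISMATCH {
  expression = "( -FUZZY_DENIED | -MAILCOW_FUZZY_DENIED | -LOCAL_FUZZY_DENIED ) & ( ^BAYES_HAM | ^NEURAL_HAM_LONG | ^NEURAL_HAM_SHORT )";
}

# Local fuzzy whitelist hit: force-remove the Bayes and neural spam symbols.
# NOTE(review): a LOCAL_FUZZY_WHITE match cancels the classifier spam
# verdicts. Whoever can add hashes to the local fuzzy whitelist can suppress
# them, so restrict and audit write access to that storage.
FUZZY_SPAM_MISMATCH {
  expression = "( -LOCAL_FUZZY_WHITE ) & ( ^BAYES_SPAM | ^NEURAL_SPAM_LONG | ^NEURAL_SPAM_SHORT )";
}

# Chat-style message (CHAT_VERSION_HEADER) that is also PGP-encrypted.
# No score is set and no removal prefix is used, so the default removal
# policy applies to both operands.
ENCRYPTED_CHAT {
  expression = "CHAT_VERSION_HEADER & ENCRYPTED_PGP";
}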
# ClamAV hit in the CLAM_SECI_SPAM class (presumably the third-party
# SecuriteInfo signature set; confirm against the antivirus patterns).
# Skipped for whitelisted mail.
CLAMD_SPAM_FOUND {
  description = "Probably Spam, Securite Spam Flag set through ClamAV";
  score = 5;
  expression = "CLAM_SECI_SPAM & !MAILCOW_WHITE";
}
# ClamAV hit in the CLAM_SECI_PDF class (malicious PDF signature).
# NOTE(review): `!MAILCOW_WHITE` exempts whitelisted senders from this
# attachment score.
CLAMD_BAD_PDF {
  description = "Bad PDF Found, Securite bad PDF Flag set through ClamAV";
  score = 8;
  expression = "CLAM_SECI_PDF & !MAILCOW_WHITE";
}
# ClamAV hit in the CLAM_SECI_JPG class (malicious JPG signature).
# NOTE(review): `!MAILCOW_WHITE` exempts whitelisted senders from this
# attachment score.
CLAMD_BAD_JPG {
  description = "Bad JPG Found, Securite bad JPG Flag set through ClamAV";
  score = 8;
  expression = "CLAM_SECI_JPG & !MAILCOW_WHITE";
}
# ClamAV hit in the CLAM_SECI_ASCII class (text-based malware signature).
# NOTE(review): `!MAILCOW_WHITE` exempts whitelisted senders from this score.
CLAMD_ASCII_MALWARE {
  description = "ASCII malware found, Securite ASCII malware Flag set through ClamAV";
  score = 8;
  expression = "CLAM_SECI_ASCII & !MAILCOW_WHITE";
}
# ClamAV hit in the CLAM_SECI_HTML class (HTML malware signature).
# NOTE(review): `!MAILCOW_WHITE` exempts whitelisted senders from this score.
CLAMD_HTML_MALWARE {
  description = "HTML malware found, Securite HTML malware Flag set through ClamAV";
  score = 8;
  expression = "CLAM_SECI_HTML & !MAILCOW_WHITE";
}
# ClamAV hit in the CLAM_SECI_JS class (JavaScript malware signature).
# NOTE(review): `!MAILCOW_WHITE` exempts whitelisted senders from this score.
CLAMD_JS_MALWARE {
  description = "JS malware found, Securite JS malware Flag set through ClamAV";
  score = 8;
  expression = "CLAM_SECI_JS & !MAILCOW_WHITE";
}