├── README.md
├── local.d
    ├── fuzzy_group.conf
    ├── rbl_group.conf
    ├── fuzzy_check.conf
    ├── rbl.conf
    └── multimap.conf
└── LICENSE

/README.md:
--------------------------------------------------------------------------------
# rspamd-rules
public fuzzy storage used by mail.baby
This feed is delayed 1 hour from internal fuzzy storage

--------------------------------------------------------------------------------
/local.d/fuzzy_group.conf:
--------------------------------------------------------------------------------
# Weights for the four symbols used by the "mailbaby" rule in
# local.d/fuzzy_check.conf: its default symbol plus the three fuzzy_map entries.
# NOTE(review): max_score here is presumably the group-level cap on the combined
# score of these symbols; confirm against the rspamd groups documentation.
max_score = 15.0;
symbols = {
  # Default symbol of the rule. The near-zero weight makes an unclassified
  # match informational only.
  "MAILBABY_FUZZY_UNKNOWN" {
    weight = 0.1;
    description = "Generic fuzzy hash match";
  }
  # Flag 11 in fuzzy_check.conf. A single hit carries 12.0 of the 15.0 cap, so
  # the remote storage's verdict dominates the score of a matching message.
  "MAILBABY_FUZZY_DENIED" {
    weight = 12.0;
    description = "Denied fuzzy hash";
  }
  # Flag 12 in fuzzy_check.conf.
  # NOTE(review): "probable" carries the same 12.0 as "denied"; confirm that
  # this is intended.
  "MAILBABY_FUZZY_PROB" {
    weight = 12.0;
    description = "Probable fuzzy hash";
  }
  # Flag 13 in fuzzy_check.conf. Negative weight: a whitelist hit in the remote
  # storage lowers the message score, so the storage operator can reduce as
  # well as raise scores on this host.
  "MAILBABY_FUZZY_WHITE" {
    weight = -2.1;
    description = "Whitelisted fuzzy hash";
  }
}

--------------------------------------------------------------------------------
/local.d/rbl_group.conf:
--------------------------------------------------------------------------------
# Weights for the DNS-list symbols defined in local.d/rbl.conf.
# NOTE(review): rbl.conf in this listing also defines RBL_INTERSERVER, but no
# weight for it appears in this file. Unless it is scored elsewhere, it may not
# get the "higher than rblspamassassin" score its comment describes; confirm.
max_score = 9.00;

symbols = {
  # Domain-based list (rbluri.interserver.net in rbl.conf); the heaviest entry
  # in this group.
  "INTERSERVER_RULE_URIBL_RBLINT" {
    weight = 6.0;
    description = "domain listed at sigs.interserver.net";
    groups = ["interserver"];
  }

  # Hashed e-mail address list (dqsemail.interserver.net in rbl.conf).
  "MAILBABY_DQS_EMAIL" {
    weight = 1.0;
    description = "email hash listed in spam email auto generated";
    groups = ["interserver"];
  }

  # IP list of high spam score senders.
  "RBLSA_INTERSERVER" {
    weight = 1.0;
    description = "ip listed at rblspamassassin.interserver.net";
    groups = ["interserver"];
  }

  # IP list of known good senders. The negative weight reduces the score, so a
  # listing here offsets 1.0 of whatever the other checks add.
  "RBLGOOD_INTERSERVER" {
    weight = -1.0;
    description = "ip listed as good reputation at goodrbl.interserver.net";
    groups = ["interserver"];
  }

}

--------------------------------------------------------------------------------
/local.d/fuzzy_check.conf:
--------------------------------------------------------------------------------
# Client-side rule for the public mailbaby fuzzy storage. This host only queries
# the storage (read_only = true below). Hashes of message parts are sent to the
# third-party server named in "servers", and its answers are mapped to the
# symbols weighted in local.d/fuzzy_group.conf.
rule "mailbaby" {
  min_bytes = 1k; # Small parts and small attachments cause too many false positives
  timeout = 2s;
  retransmits = 1;
  # Public key of the remote storage, used to encrypt the exchange with it. It
  # is not a secret, but it is a trust anchor: take it from a source you trust,
  # because whoever holds the matching private key supplies the verdicts.
  encryption_key="dxx6jgzukw9thj1q8s7jxipy5ojn1aqorrnpgtjmbiwzsphtbkuy";
  # Fuzzy storage server list
  servers = "fuzzy.mailbaby.net:11335";

  # Default symbol for unknown flags
  symbol = "MAILBABY_FUZZY_UNKNOWN";
  # Additional mime types to store/check. "*" matches every type, so hashes of
  # all attachment types are sent to the storage.
  mime_types = ["*"];
  # Hash weight threshold for all maps
  max_score = 100.0;
  # Whether we can learn this storage. true = query only; this host never
  # writes hashes to the storage.
  read_only = true;
  # Ignore unknown flags
  # NOTE(review): with this set, flags other than 11/12/13 are presumably
  # dropped and the default symbol above is never inserted; confirm.
  skip_unknown = yes;
  # Hash generation algorithm
  algorithm = "mumhash";
  # Use direct hash for short texts
  short_text_direct_hash = true;

  # Map flags to symbols. The flag numbers are assigned by the storage
  # operator; the symbol weights are in local.d/fuzzy_group.conf.
  fuzzy_map = {
    MAILBABY_FUZZY_DENIED {
      # Local threshold
      max_score = 10.0;
      # Flag to match
      flag = 11;
    }
    MAILBABY_FUZZY_PROB {
      max_score = 10.0;
      flag = 12;
    }
    MAILBABY_FUZZY_WHITE {
      max_score = 2.0;
      flag = 13;
    }
  }
}


--------------------------------------------------------------------------------
/local.d/rbl.conf:
--------------------------------------------------------------------------------
# DNS list lookups against zones under interserver.net. Each enabled check sends
# a DNS query derived from the message (IP, domain or hashed address) to that
# zone. Every rule below maps only the answer 127.0.0.2 to a symbol.
# Symbol weights are set in local.d/rbl_group.conf.
rbls {

  # auto generated hashes of known spam senders in sha1 format
  # available to look up under a dns rbl
  # Full addresses are looked up (emails_domainonly = false), including
  # Reply-To, after hashing. Hashing keeps the address out of the query name in
  # clear text, but a plain SHA-1 of an address can still be matched by anyone
  # holding a list of candidate addresses.
  # NOTE(review): ignore_whitelist = true presumably means local whitelists do
  # not suppress this check; confirm against the rbl module documentation.
  MAILBABY_DQS_EMAIL {
    ignore_defaults = true;
    rbl = "dqsemail.interserver.net";
    emails_domainonly = false;
    ignore_whitelist = true;
    emails = true;
    replyto = true;
    hash = "sha1";
    returncodes = {
      MAILBABY_DQS_EMAIL = [
        "127.0.0.2"
      ];
    }
  }

  #goodrbl
  # known good senders. Reduce score slightly
  # Its weight in rbl_group.conf is negative, so a listing in this remote zone
  # lowers the score of mail from that IP.
  "RBLGOOD_INTERSERVER" {
    symbol = "RBLGOOD_INTERSERVER";
    rbl = "goodrbl.interserver.net";
    ipv6 = false;
    received = true;
    from = true;
    returncodes = {
      RBLGOOD_INTERSERVER = [
        "127.0.0.2",
      ];
    }
  }

  # high spam score ips
  # should increase score slightly
  "RBLSA_INTERSERVER" {
    symbol = "RBLSA_INTERSERVER";
    rbl = "rblspamassassin.interserver.net";
    ipv6 = false;
    received = true;
    from = true;
    returncodes = {
      RBLSA_INTERSERVER = [
        "127.0.0.2",
      ];
    }
  }

  # spam, scanning, brute force
  # auto expires
  # score is higher than rblspamassassin
  # NOTE(review): rbl_group.conf in this listing has no weight entry for
  # RBL_INTERSERVER, so the "higher" score is not set anywhere visible; confirm
  # where this symbol is scored.
  "RBL_INTERSERVER" {
    symbol = "RBL_INTERSERVER";
    rbl = "rbl.interserver.net";
    ipv6 = false;
    received = true;
    from = true;
    returncodes = {
      RBL_INTERSERVER = [
        "127.0.0.2",
      ];
    }
  }

  # domain based rbl lookup
  # domains are sending to spamtraps
  # or sending uce
  # auto expires
  # Looks up domains only (no_ip = true), taken from DKIM signatures, e-mail
  # addresses (domain part only) and URLs.
  "INTERSERVER_RULE_URIBL_RBLINT" {
    ignore_defaults = true;
    rbl = "rbluri.interserver.net";
    no_ip = true;
    dkim = true;
    emails = true;
    emails_domainonly = true;
    urls = true;
    returncodes = {
      INTERSERVER_RULE_URIBL_RBLINT = [
        "127.0.0.2",
      ];
    }
  }

}

--------------------------------------------------------------------------------
/local.d/multimap.conf:
--------------------------------------------------------------------------------
# Every rule in this file loads its list from https://maps.mailbaby.net/ and
# sets its score inline. The map host is therefore a trust anchor: a change to
# a published map changes which mail these rules score, and most maps are
# treated as regular expressions (regexp = true). rspamd supports signed maps,
# but none is configured here, so integrity rests on HTTPS alone.
# The "#auto" / "#manual" tags below are the author's notes on how each map is
# maintained.

# subject used in spam autogenerated from metadata exporter
# 6 or more characters (skipping fwd: re: blank)
#auto
MB_SUBJECT_USED_IN_SPAM {
  type = "header";
  header = "subject";
  regexp = true;
  map = "https://maps.mailbaby.net/dqs/dqs_subject.map";
  score = 2.0;
}

#mailbaby spam phrases
#general spam phrases
#manual
mailbaby_spamphrases_body {
  type = "content";
  filter = "oneline";
  map = "https://maps.mailbaby.net/mailbaby-spamphrases-body.map";
  regexp = true;
  symbol = "MAILBABY_SPAMPHRASES_BODY";
  # NOTE(review): written without "=", unlike the sibling rules. UCL should
  # accept "key value;", but check with `rspamadm configtest`.
  score 5.0;
  description = "Mailbaby: Spam signs in body";
}

#probable spam / compromised
#manual
PHPSPAM_HEADER {
  type = "content";
  map = "https://maps.mailbaby.net/phpspam_header.map";
  # NOTE(review): no terminating ";" on the next line, unlike the sibling
  # settings. Presumably tolerated by the parser; check with
  # `rspamadm configtest`.
  filter = "headers"
  regexp = true;
  symbols_set = ["PHPSPAM_HEADER"];
  score = 8.0;
}

#possible spam / compromise
#manual
PHPGREY_HEADER {
  type = "content";
  map = "https://maps.mailbaby.net/phpgrey_header.map";
  # NOTE(review): no terminating ";" on the next line (same as PHPSPAM_HEADER).
  filter = "headers"
  regexp = true;
  symbols_set = ["PHPGREY_HEADER"];
  score = 2.0;
}

#manual
SPAM_WORDS {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/spam_words.map";
  regexp = true;
  score = 0.1;
}

#manual
# some problematic asn's
asn_grey {
  type = "asn";
  map = "https://maps.mailbaby.net/mb_rspamd_int_asn_grey.map";
  score = 2;
  description = "Poor ASN karma";
  symbol = "ASN_GREYLIST";
}

#manually generated higher score subject used in spam
MB_SUBJECT_REGEX {
  type = "header";
  header = "subject";
  regexp = true;
  map = "https://maps.mailbaby.net/subject_block.map";
  score = 10.0;
}

# manually generated lower score subject used in spam
MB_LOW_SUBJ_REG {
  type = "header";
  header = "subject";
  regexp = true;
  score = 4.0;
  map = "https://maps.mailbaby.net/low_subject_block.map";
}

#manual
# bit.ly is being massively used for spam and others
# Plain (non-regexp) URL map. The score is low because shorteners also carry
# legitimate links, and one_shot = true is set on this rule.
MB_HIGH_SPAM_URL {
  type = "url";
  regexp = false;
  map = "https://maps.mailbaby.net/mb_high_spam_url.map";
  symbol = "MB_HIGH_SPAM_URL";
  score = 1.0;
  one_shot = true;
}

#manual
# smtp crack emails seem to be more common than I thought
# Largest single score in this file. One regexp hit from the remote map adds
# 15.0, which may be enough on its own to reach a reject threshold, depending
# on the local actions configuration.
mailbaby_smtpcrack_body {
  type = "content";
  filter = "oneline";
  map = "https://maps.mailbaby.net/mailbaby-smtpcrack-body.map";
  regexp = true;
  symbol = "MAILBABY_SMTPCRACK_BODY";
  # NOTE(review): written without "=" (same as mailbaby_spamphrases_body).
  score 15.0;
  description = "Mailbaby: password disclosure or crack in body";
}

# manual based on content
PROB_DHL_DELIVERY {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/dhl_delivery.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
#google_forms_phish.map
PROB_GOOGLE_FORM_PHISH {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/google_forms_phish.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
#fake_email_spambox.map
PROB_FAKE_EMAIL_SPAMBOX {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/fake_email_spambox.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
#domain_for_sale.map
PROB_DOMAIN_FOR_SALE {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/domain_for_sale.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
# lots of spam with search engine queries
CONTAINS_SEARCH_ENGINE_DIRECT_LINK {
  type = "content";
  map = "https://maps.mailbaby.net/contentfiltering/contains_search_engine_link.map";
  # NOTE(review): no terminating ";" on the next line (same as PHPSPAM_HEADER).
  filter = "text"
  regexp = true;
  symbols_set = ["CONTAINS_SEARCH_ENGINE_DIRECT_LINK"];
  score = 2.0;
}

# auto updated
# attachment hashes which appear in many spam reports
# The selector keeps only a 16-character slice of each attachment's hex digest,
# so map entries are truncated digests rather than full ones.
MAILBABY_CH_ATTACHMENT_DIGEST_IN_SPAM {
  type = "selector";
  selector = "attachments(hex).substring(1, 16)";
  map = "https://maps.mailbaby.net/ch/attachment.map";
  score = 5.0;
}

#auto
# content digest used in spam
MAILBABY_CH_CONTENT_DIGEST_IN_SPAM {
  type = "selector";
  selector = "digest";
  map = "https://maps.mailbaby.net/ch/digest.map";
  score = 5.0;
}

#auto
# short url abuse in spam
CH_SHORTURL_ABUSE {
  type = "url";
  filter = "full";
  map = "https://maps.mailbaby.net/ch/ch_shorturl.map";
  score = 10.0;
}

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity.
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------