# subject used in spam autogenerated from metadata exporter # 6 or more characters (skipping fwd: re: blank) #auto MB_SUBJECT_USED_IN_SPAM { type = "header"; header = "subject"; regexp = true; map = "https://maps.mailbaby.net/dqs/dqs_subject.map"; score = 2.0; } #mailbaby spam phrases #general spam phrases #manual mailbaby_spamphrases_body { type = "content"; filter = "oneline"; map = "https://maps.mailbaby.net/mailbaby-spamphrases-body.map"; regexp = true; symbol = "MAILBABY_SPAMPHRASES_BODY"; score 5.0; description = "Mailbaby: Spam signs in body"; } #probable spam / compromised #manual PHPSPAM_HEADER { type = "content"; map = "https://maps.mailbaby.net/phpspam_header.map"; filter = "headers" regexp = true; symbols_set = ["PHPSPAM_HEADER"]; score = 8.0; } #possible spam / compromise #manual PHPGREY_HEADER { type = "content"; map = "https://maps.mailbaby.net/phpgrey_header.map"; filter = "headers" regexp = true; symbols_set = ["PHPGREY_HEADER"]; score = 2.0; } #manual SPAM_WORDS { type = "content"; filter = "text"; map = "https://maps.mailbaby.net/spam_words.map"; regexp = true; score = 0.1; } #manual # some problematic asn's asn_grey { type = "asn"; map = "https://maps.mailbaby.net/mb_rspamd_int_asn_grey.map"; score = 2; description = "Poor ASN karma"; symbol = "ASN_GREYLIST"; } #manually generated higher score subject used in spam MB_SUBJECT_REGEX { type = "header"; header = "subject"; regexp = true; map = "https://maps.mailbaby.net/subject_block.map"; score = 10.0; } # manually generated lower score subject used in spam MB_LOW_SUBJ_REG { type = "header"; header = "subject"; regexp = true; score = 4.0; map = "https://maps.mailbaby.net/low_subject_block.map"; } #manual # bit.ly is being massivly used for spam and others MB_HIGH_SPAM_URL { type = "url"; regexp = false; map = "https://maps.mailbaby.net/mb_high_spam_url.map"; symbol = "MB_HIGH_SPAM_URL"; score = 1.0; one_shot = true; } #manual # smtp crack emails seem to be more common than I thought mailbaby_smtpcrack_body { type = "content"; filter = "oneline"; map = "https://maps.mailbaby.net/mailbaby-smtpcrack-body.map"; regexp = true; symbol = "MAILBABY_SMTPCRACK_BODY"; score 15.0; description = "Mailbaby: password disclosure or crack in body"; } # manual based on content PROB_DHL_DELIVERY { type = "content"; filter = "text"; map = "https://maps.mailbaby.net/contentfiltering/dhl_delivery.map"; regexp = true; score = 0.5; # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map: multi = true; } #manual #google_forms_phish.map PROB_GOOGLE_FORM_PHISH { type = "content"; filter = "text"; map = "https://maps.mailbaby.net/contentfiltering/google_forms_phish.map"; regexp = true; score = 0.5; # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map: multi = true; } #manual #google_forms_phish.map PROB_FAKE_EMAIL_SPAMBOX { type = "content"; filter = "text"; map = "https://maps.mailbaby.net/contentfiltering/fake_email_spambox.map"; regexp = true; score = 0.5; # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map: multi = true; } #manual #google_forms_phish.map PROB_DOMAIN_FOR_SALE { type = "content"; filter = "text"; map = "https://maps.mailbaby.net/contentfiltering/domain_for_sale.map"; regexp = true; score = 0.5; # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map: multi = true; } #manual # lots of spam with search engine queries CONTAINS_SEARCH_ENGINE_DIRECT_LINK { type = "content"; map = "https://maps.mailbaby.net/contentfiltering/contains_search_engine_link.map"; filter = "text" regexp = true; symbols_set = ["CONTAINS_SEARCH_ENGINE_DIRECT_LINK"]; score = 2.0; } # auto updated # attachment hashes which appear many spam reports MAILBABY_CH_ATTACHMENT_DIGEST_IN_SPAM { type = "selector"; selector = "attachments(hex).substring(1, 16)"; map = "https://maps.mailbaby.net/ch/attachment.map"; score = 5.0; } #auto # content digest used in spam MAILBABY_CH_CONTENT_DIGEST_IN_SPAM { type = "selector"; selector = "digest"; map = "https://maps.mailbaby.net/ch/digest.map"; score = 5.0; } #auto # short url abuse in spam CH_SHORTURL_ABUSE { type = "url"; filter = "full"; map = "https://maps.mailbaby.net/ch/ch_shorturl.map"; score = 10.0; }