happyDeliver/pkg/analyzer/rspamd-symbols.json
Pierre-Olivier Mercier 7d3009d7d0 Add rspamd symbol descriptions from embedded/API lookup
Embed rspamd-symbols.json in the binary to provide human-readable
descriptions for rspamd symbols in reports. Optionally fetch fresh
symbols from a configurable rspamd API URL (--rspamd-api-url flag),
falling back to the embedded list on error. Update the frontend to
display descriptions alongside symbol names and scores.
2026-03-26 09:51:45 +07:00


[
{
"group": "arc",
"rules": [
{
"symbol": "ARC_ALLOW",
"weight": -1.0,
"description": "ARC checks success",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_REJECT",
"weight": 1.0,
"description": "ARC checks failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_NA",
"weight": 0.0,
"description": "ARC signature absent",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_INVALID",
"weight": 0.500000,
"description": "ARC structure invalid",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_DNSFAIL",
"weight": 0.0,
"description": "ARC DNS error",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_SIGNED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "rbl",
"rules": [
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_NA_BOT",
"weight": 1.500000,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+noauth+botnet"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_0",
"weight": 4.0,
"description": "SenderScore Reputation: Very Bad (0-9).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_2",
"weight": 3.0,
"description": "SenderScore Reputation: Bad (20-29).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_RED",
"weight": 0.500000,
"description": "A domain in the message is listed in URIBL.com red",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_PRST_NA",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - pristine+noauth"
},
{
"symbol": "RECEIVED_SPAMHAUS",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_CSS",
"weight": 1.0,
"description": "Received address is listed in Spamhaus CSS",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_BLOCKED",
"weight": 0.0,
"description": "https://www.dnswl.org: Resolver blocked due to excessive queries (DWL)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from SenderScore RPBL"
},
{
"symbol": "RBL_VIRUSFREE_BOTNET",
"weight": 2.0,
"description": "From address is listed in virusfree.cz BL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_HI",
"weight": -3.500000,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, high trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_VIRUSFREE_UNKNOWN",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_MAILSPIKE_BAD",
"weight": 1.0,
"description": "From address is listed in Mailspike RBL - bad reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_SBL",
"weight": 4.0,
"description": "From address is listed in Spamhaus SBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_BLOCKLISTDE",
"weight": 3.0,
"description": "Received address is listed in Blocklist (https://www.blocklist.de/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CRACKED_SURBL",
"weight": 5.0,
"description": "A domain in the message is listed in SURBL as cracked",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_HASHBL_CRACKED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_BLOCKED",
"weight": 0.0,
"description": "Excessive number of queries to SenderScore RPBL, more info: https://knowledge.validity.com/hc/en-us/articles/20961730681243"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_4",
"weight": 2.0,
"description": "SenderScore Reputation: Bad (40-49).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PH_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_PRST_NA_BOT",
"weight": 3.500000,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+pristine+noauth+botnet"
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT",
"weight": 1.0,
"description": "From address is listed in SenderScore RPBL - suspect_attachments"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_8",
"weight": 0.0,
"description": "SenderScore Reputation: Neutral (80-89).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_MED",
"weight": -0.200000,
"description": "Sender listed at https://www.dnswl.org, medium trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_NONE",
"weight": 0.0,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MSBL_EBL",
"weight": 7.500000,
"description": "MSBL emailbl (https://www.msbl.org/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_XBL",
"weight": 4.0,
"description": "From address is listed in Spamhaus XBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_NA",
"weight": 1.0,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+noauth"
},
{
"symbol": "RBL_SENDERSCORE_PRST_BOT",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - pristine+botnet"
},
{
"symbol": "SURBL_HASHBL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_PRST_NA_BOT",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - pristine+noauth+botnet"
},
{
"symbol": "RECEIVED_SPAMHAUS_SBL",
"weight": 3.0,
"description": "Received address is listed in Spamhaus SBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_POSSIBLE",
"weight": 0.0,
"description": "From address is listed in Mailspike RWL - possibly legit",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_HI",
"weight": -0.500000,
"description": "Sender listed at https://www.dnswl.org, high trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_PBL",
"weight": 2.0,
"description": "From address is listed in Spamhaus PBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_LOW",
"weight": -1.0,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_BLOCKED",
"weight": 0.0,
"description": "Excessive number of queries to SenderScore RPBL, more info: https://knowledge.validity.com/hc/en-us/articles/20961730681243",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_7",
"weight": 0.500000,
"description": "SenderScore Reputation: Bad (70-79).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_FRESH15_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from Spameatingmonkey Fresh15 URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_HASHBL_MALWARE",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_MALWARE",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_BLOCKLISTDE",
"weight": 4.0,
"description": "From address is listed in Blocklist (https://www.blocklist.de/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_SPAM",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ABUSE_SURBL",
"weight": 5.0,
"description": "A domain in the message is listed in SURBL as abused",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_MALWARE",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_HASHBL_PHISH",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_DROP",
"weight": 6.0,
"description": "Received address is listed in Spamhaus DROP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE_NA",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - sender_score+noauth"
},
{
"symbol": "DBL_ABUSE_REDIR",
"weight": 5.0,
"description": "A domain in the message is listed in Spamhaus DBL as spammed redirector domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CT_SURBL",
"weight": 0.0,
"description": "A domain in the message is listed in SURBL as a clicktracker",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_HASHBL_EMAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE_SUS_ATT_NA",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - sender_score+suspect_attachments+noauth"
},
{
"symbol": "RECEIVED_SPAMHAUS_XBL",
"weight": 1.0,
"description": "Received address is listed in Spamhaus XBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_GOOD",
"weight": -0.100000,
"description": "From address is listed in Mailspike RWL - good reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE_PRST",
"weight": 4.0,
"description": "From address is listed in SenderScore RPBL - sender_score+pristine"
},
{
"symbol": "RBL_MAILSPIKE_VERYBAD",
"weight": 1.500000,
"description": "From address is listed in Mailspike RBL - very bad reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SEM_IPV6",
"weight": 1.0,
"description": "From address is listed in Spameatingmonkey RBL (IPv6)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MW_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_NA",
"weight": 0.0,
"description": "From address is listed in SenderScore RPBL - noauth"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_9",
"weight": -1.0,
"description": "SenderScore Reputation: Good (90-100).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_BLOCKED",
"weight": 0.0,
"description": "URIBL.com: query refused, likely due to policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_GREY",
"weight": 2.500000,
"description": "A domain in the message is listed in URIBL.com grey",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_BLOCKED",
"weight": 0.0,
"description": "SURBL: query blocked by policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_LOW",
"weight": -0.100000,
"description": "Sender listed at https://www.dnswl.org, low trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_PHISH",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit phish",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_NONE",
"weight": 0.0,
"description": "Sender listed at https://www.dnswl.org, no trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE_PRST_NA",
"weight": 4.0,
"description": "From address is listed in SenderScore RPBL - sender_score+pristine+noauth"
},
{
"symbol": "MSBL_EBL_GREY",
"weight": 0.500000,
"description": "MSBL emailbl grey list (https://www.msbl.org/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_1",
"weight": 3.500000,
"description": "SenderScore Reputation: Bad (10-19).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_BOT",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - botnet"
},
{
"symbol": "SEM_URIBL_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from Spameatingmonkey URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_NEUTRAL",
"weight": 0.0,
"description": "Neutral result from Mailspike",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_HASHBL_ABUSE",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE",
"weight": 5.0,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_6",
"weight": 1.0,
"description": "SenderScore Reputation: Bad (60-69).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL",
"weight": 3.500000,
"description": "A domain in the message is listed in Spameatingmonkey URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_PBL",
"weight": 0.0,
"description": "Received address is listed in Spamhaus PBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DM_SURBL",
"weight": 0.0,
"description": "A domain in the message is listed in SURBL as belonging to a disposable email service",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_5",
"weight": 1.500000,
"description": "SenderScore Reputation: Bad (50-59).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_MAILSPIKE_WORST",
"weight": 2.0,
"description": "From address is listed in Mailspike RBL - worst possible reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_BOTNET",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit botnet C&C",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_PRST_NA",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+pristine+noauth"
},
{
"symbol": "DWL_DNSWL",
"weight": 0.0,
"description": "Unrecognised result from https://www.dnswl.org (DWL)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_CSS",
"weight": 2.0,
"description": "From address is listed in Spamhaus CSS",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_PRST",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - pristine"
},
{
"symbol": "DWL_DNSWL_MED",
"weight": -2.0,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_DROP",
"weight": 7.0,
"description": "From address is listed in Spamhaus DROP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_UNKNOWN",
"weight": 0.0,
"description": "Unrecognized result from SenderScore Reputation list.",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus DBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MAILSPIKE",
"weight": 0.0,
"description": "Unrecognised result from Mailspike",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - sender_score"
},
{
"symbol": "RBL_SPAMHAUS",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus ZEN",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DNSWL_BLOCKED",
"weight": 0.0,
"description": "https://www.dnswl.org: Resolver blocked due to excessive queries",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL",
"weight": 0.0,
"description": "Unrecognised result from https://www.dnswl.org",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_VERYGOOD",
"weight": -0.200000,
"description": "From address is listed in Mailspike RWL - very good reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_3",
"weight": 2.500000,
"description": "SenderScore Reputation: Bad (30-39).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_MULTI",
"weight": 0.0,
"description": "Unrecognised result from URIBL.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_FRESH15",
"weight": 3.0,
"description": "A domain in the message is listed in Spameatingmonkey Fresh15 URIBL (registered in the past 15 days, .AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US only)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SEM",
"weight": 1.0,
"description": "From address is listed in Spameatingmonkey RBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_EXCELLENT",
"weight": -0.400000,
"description": "From address is listed in Mailspike RWL - excellent reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_EMAILBL",
"weight": 2.500000,
"description": "Rspamd emailbl, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_BLACK",
"weight": 7.500000,
"description": "A domain in the message is listed in URIBL.com black",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_URIBL",
"weight": 4.500000,
"description": "Rspamd uribl, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_MULTI",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_NA_BOT",
"weight": 1.0,
"description": "From address is listed in SenderScore RPBL - noauth+botnet"
},
{
"symbol": "DBL_PROHIBIT",
"weight": 0.0,
"description": "DBL uribl IP queries prohibited!",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BOTNET",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as botnet C&C",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_PHISH",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "dnswl",
"rules": [
{
"symbol": "RCVD_IN_DNSWL_MED",
"weight": -0.200000,
"description": "Sender listed at https://www.dnswl.org, medium trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_LOW",
"weight": -0.100000,
"description": "Sender listed at https://www.dnswl.org, low trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_NONE",
"weight": 0.0,
"description": "Sender listed at https://www.dnswl.org, no trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL",
"weight": 0.0,
"description": "Unrecognised result from https://www.dnswl.org (DWL)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL",
"weight": 0.0,
"description": "Unrecognised result from https://www.dnswl.org",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DNSWL_BLOCKED",
"weight": 0.0,
"description": "https://www.dnswl.org: Resolver blocked due to excessive queries",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_BLOCKED",
"weight": 0.0,
"description": "https://www.dnswl.org: Resolver blocked due to excessive queries (DWL)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_HI",
"weight": -0.500000,
"description": "Sender listed at https://www.dnswl.org, high trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_LOW",
"weight": -1.0,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, low trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_NONE",
"weight": 0.0,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, no trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_HI",
"weight": -3.500000,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, high trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_MED",
"weight": -2.0,
"description": "Message has a valid dkim signature originated from domain listed at https://www.dnswl.org, medium trust",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "dmarc",
"rules": [
{
"symbol": "DMARC_POLICY_ALLOW",
"weight": -0.500000,
"description": "DMARC permit policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_DMARC",
"weight": 6.0,
"description": "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_REJECT",
"weight": 2.0,
"description": "DMARC reject policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_ALLOW_WITH_FAILURES",
"weight": -0.500000,
"description": "DMARC permit policy with DKIM/SPF failure",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_SOFTFAIL",
"weight": 0.100000,
"description": "DMARC failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_DMARC",
"weight": -7.0,
"description": "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_NA",
"weight": 0.0,
"description": "No DMARC record",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_QUARANTINE",
"weight": 1.500000,
"description": "DMARC quarantine policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_DNSFAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_BAD_POLICY",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "statistics",
"rules": [
{
"symbol": "BAYES_SPAM",
"weight": 5.100000,
"description": "Message probably spam, probability: ",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BAYES_HAM",
"weight": -3.0,
"description": "Message probably ham, probability: ",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "dkim",
"rules": [
{
"symbol": "R_DKIM_ALLOW",
"weight": -0.200000,
"description": "DKIM verification succeed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_DKIM",
"weight": -1.0,
"description": "Mail comes from the whitelisted domain and has a valid DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_REJECT",
"weight": 1.0,
"description": "DKIM verification failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_SPF_DKIM",
"weight": -3.0,
"description": "Mail comes from the whitelisted domain and has valid SPF and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_DMARC",
"weight": 6.0,
"description": "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_TEMPFAIL",
"weight": 0.0,
"description": "DKIM verification soft-failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_CHECK",
"weight": 0.0,
"description": "DKIM check callback",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_DKIM",
"weight": 2.0,
"description": "Mail comes from the whitelisted domain and has non-valid DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_PERMFAIL",
"weight": 0.0,
"description": "DKIM verification hard-failed (invalid)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_SPF_DKIM",
"weight": 3.0,
"description": "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_NA",
"weight": 0.0,
"description": "Missing DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_SIGNED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_TRACE",
"weight": 0.0,
"description": "DKIM trace symbol",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_DMARC",
"weight": -7.0,
"description": "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "sem",
"rules": [
{
"symbol": "SEM_URIBL_FRESH15_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from Spameatingmonkey Fresh15 URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_FRESH15",
"weight": 3.0,
"description": "A domain in the message is listed in Spameatingmonkey Fresh15 URIBL (registered in the past 15 days, .AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US only)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL",
"weight": 3.500000,
"description": "A domain in the message is listed in Spameatingmonkey URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SEM",
"weight": 1.0,
"description": "From address is listed in Spameatingmonkey RBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SEM_IPV6",
"weight": 1.0,
"description": "From address is listed in Spameatingmonkey RBL (IPv6)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from Spameatingmonkey URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "neural",
"rules": []
},
{
"group": "policies",
"rules": [
{
"symbol": "R_SPF_NA",
"weight": 0.0,
"description": "Missing SPF record",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_TEMPFAIL",
"weight": 0.0,
"description": "DKIM verification soft-failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_SOFTFAIL",
"weight": 0.100000,
"description": "DMARC failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_ALLOW",
"weight": -1.0,
"description": "ARC checks success",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_SIGNED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_ALLOW",
"weight": -0.200000,
"description": "SPF verification allows sending",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_NA",
"weight": 0.0,
"description": "Missing DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_BAD_POLICY",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPF_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_NA",
"weight": 0.0,
"description": "No DMARC record",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_ALLOW_WITH_FAILURES",
"weight": -0.500000,
"description": "DMARC permit policy with DKIM/SPF failure",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_PLUSALL",
"weight": 4.0,
"description": "SPF record allows to send from any IP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_SOFTFAIL",
"weight": 0.0,
"description": "SPF verification soft-failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_INVALID",
"weight": 0.500000,
"description": "ARC structure invalid",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_DNSFAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_PERMFAIL",
"weight": 0.0,
"description": "DKIM verification hard-failed (invalid)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_TRACE",
"weight": 0.0,
"description": "DKIM trace symbol",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_ALLOW",
"weight": -0.500000,
"description": "DMARC permit policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_CHECK",
"weight": 0.0,
"description": "DKIM check callback",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_DNSFAIL",
"weight": 0.0,
"description": "ARC DNS error",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_REJECT",
"weight": 1.0,
"description": "ARC checks failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_PERMFAIL",
"weight": 0.0,
"description": "SPF record is malformed or persistent DNS error",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_NA",
"weight": 0.0,
"description": "ARC signature absent",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_NEUTRAL",
"weight": 0.0,
"description": "SPF policy is neutral",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_QUARANTINE",
"weight": 1.500000,
"description": "DMARC quarantine policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_FAIL",
"weight": 1.0,
"description": "SPF verification failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_DNSFAIL",
"weight": 0.0,
"description": "SPF DNS failure",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_REJECT",
"weight": 2.0,
"description": "DMARC reject policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_ALLOW",
"weight": -0.200000,
"description": "DKIM verification succeeded",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_DKIM_REJECT",
"weight": 1.0,
"description": "DKIM verification failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_SIGNED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ARC_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "surbl",
"rules": [
{
"symbol": "DBL_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_BOTNET",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit botnet C&C",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_PROHIBIT",
"weight": 0.0,
"description": "DBL uribl IP queries prohibited!",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPAMHAUS_ZEN_URIBL",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus ZEN URIBL"
},
{
"symbol": "MSBL_EBL",
"weight": 7.500000,
"description": "MSBL emailbl (https://www.msbl.org/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE",
"weight": 5.0,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PH_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BOTNET",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as botnet C&C",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_EMAILBL",
"weight": 2.500000,
"description": "Rspamd emailbl, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from Spameatingmonkey URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CT_SURBL",
"weight": 0.0,
"description": "A domain in the message is listed in SURBL as a clicktracker",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL",
"weight": 3.500000,
"description": "A domain in the message is listed in Spameatingmonkey URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_URIBL",
"weight": 4.500000,
"description": "Rspamd uribl, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_FRESH15_UNKNOWN",
"weight": 0.0,
"description": "Unrecognised result from Spameatingmonkey Fresh15 URIBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_SBL",
"weight": 6.500000,
"description": "A domain in the message body resolves to an IP listed in Spamhaus SBL"
},
{
"symbol": "URIBL_BLACK",
"weight": 7.500000,
"description": "A domain in the message is listed in URIBL.com black",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ABUSE_SURBL",
"weight": 5.0,
"description": "A domain in the message is listed in SURBL as abused",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_REDIR",
"weight": 5.0,
"description": "A domain in the message is listed in Spamhaus DBL as spammed redirector domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_PBL",
"weight": 0.010000,
"description": "A domain in the message body resolves to an IP listed in Spamhaus PBL"
},
{
"symbol": "DBL_ABUSE_PHISH",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit phish",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MSBL_EBL_GREY",
"weight": 0.500000,
"description": "MSBL emailbl grey list (https://www.msbl.org/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_SPAM",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CRACKED_SURBL",
"weight": 5.0,
"description": "A domain in the message is listed in SURBL as cracked",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_GREY",
"weight": 2.500000,
"description": "A domain in the message is listed in URIBL.com grey",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_RED",
"weight": 0.500000,
"description": "A domain in the message is listed in URIBL.com red",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_DROP",
"weight": 5.0,
"description": "A domain in the message body resolves to an IP listed in Spamhaus DROP"
},
{
"symbol": "DBL_PHISH",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_MULTI",
"weight": 0.0,
"description": "Unrecognised result from URIBL.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_MALWARE",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus DBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_MALWARE",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MW_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_XBL",
"weight": 3.0,
"description": "A domain in the message body resolves to an IP listed in Spamhaus XBL"
},
{
"symbol": "SEM_URIBL_FRESH15",
"weight": 3.0,
"description": "A domain in the message is listed in Spameatingmonkey Fresh15 URIBL (registered in the past 15 days, .AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.US only)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_SBL_CSS",
"weight": 5.0,
"description": "A domain in the message body resolves to an IP listed in Spamhaus CSS"
},
{
"symbol": "DM_SURBL",
"weight": 0.0,
"description": "A domain in the message is listed in SURBL as belonging to a disposable email service",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_BLOCKED",
"weight": 0.0,
"description": "URIBL.com: query refused, likely due to policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_BLOCKED",
"weight": 0.0,
"description": "SURBL: query blocked by policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "mime",
"rules": [
{
"symbol": "MIME_BASE64_TEXT_BOGUS",
"weight": 1.0,
"description": "Has text part encoded in base64 that does not contain any 8bit characters",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CTYPE_MIXED_BOGUS",
"weight": 1.0,
"description": "multipart/mixed without non-textual part",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CTYPE_MISSING_DISPOSITION",
"weight": 4.0,
"description": "Binary content-type not specified as an attachment",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BASE64_TEXT",
"weight": 0.100000,
"description": "Has text part encoded in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "multimap",
"rules": [
{
"symbol": "DISPOSABLE_FROM",
"weight": 0.0,
"description": "From a Disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DISPOSABLE_ENVFROM",
"weight": 0.0,
"description": "Envelope From is a Disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DISPOSABLE_TO",
"weight": 0.0,
"description": "To a disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DISPOSABLE_REPLYTO",
"weight": 0.0,
"description": "Reply-To a disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DISPOSABLE_CC",
"weight": 0.0,
"description": "Cc is a disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_TO",
"weight": 0.0,
"description": "To is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_ENVRCPT",
"weight": 0.0,
"description": "Envelope Recipient is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_ENVFROM",
"weight": 0.0,
"description": "Envelope From is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DISPOSABLE_MDN",
"weight": 0.500000,
"description": "Disposition-Notification-To is a disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_MDN",
"weight": 0.0,
"description": "Disposition-Notification-To is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_FROM",
"weight": 0.0,
"description": "From is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_REPLYTO",
"weight": 0.0,
"description": "Reply-To is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DISPOSABLE_ENVRCPT",
"weight": 0.0,
"description": "Envelope Recipient is a Disposable e-mail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_CC",
"weight": 0.0,
"description": "Cc is a Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REDIRECTOR_URL",
"weight": 0.0,
"description": "The presence of a redirector in the mail",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "excessqp",
"rules": [
{
"symbol": "CC_EXCESS_QP",
"weight": 1.200000,
"description": "Cc header is unnecessarily encoded in quoted-printable",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJ_EXCESS_QP",
"weight": 1.200000,
"description": "Subject header is unnecessarily encoded in quoted-printable",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_EXCESS_QP",
"weight": 1.200000,
"description": "Reply-To header is unnecessarily encoded in quoted-printable",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_EXCESS_QP",
"weight": 1.200000,
"description": "From header is unnecessarily encoded in quoted-printable",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_EXCESS_QP",
"weight": 1.200000,
"description": "To header is unnecessarily encoded in quoted-printable",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "upstream_spam_filters",
"rules": [
{
"symbol": "UNITEDINTERNET_SPAM",
"weight": 5.0,
"description": "United Internet says this message is spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "KLMS_SPAM",
"weight": 5.0,
"description": "Kaspersky Security for Mail Server says this message is spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MICROSOFT_SPAM",
"weight": 4.0,
"description": "Microsoft says the message is spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PRECEDENCE_BULK",
"weight": 0.0,
"description": "Message marked as bulk",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPAM_FLAG",
"weight": 5.0,
"description": "Message was already marked as spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "headers",
"rules": [
{
"symbol": "FAKE_RECEIVED_smtp_yandex_ru",
"weight": 4.0,
"description": "Fake smtp.yandex.ru Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_RCONFIRM_MISMATCH",
"weight": 2.0,
"description": "Read confirmation address is different to from address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_ZERO",
"weight": 0.0,
"description": "No recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MAILER_1C_8",
"weight": 0.0,
"description": "Sent with 1C:Enterprise 8",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPTO_QUOTE_YAHOO",
"weight": 2.0,
"description": "Quoted Reply-To header from Yahoo (seems to be forged)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_SEVEN",
"weight": 0.0,
"description": "Message has 7-11 Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_ZERO",
"weight": 0.0,
"description": "Message has no Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPOOF_DISPLAY_NAME",
"weight": 8.0,
"description": "Display name is being used to spoof and trick the recipient",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DN_EQ_ADDR_ALL",
"weight": 0.0,
"description": "All of the recipients have display names that are the same as their address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CHECK_FROM",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_ENDS_EXCLAIM",
"weight": 0.0,
"description": "Subject ends with an exclamation mark",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_IMS",
"weight": 3.0,
"description": "Forged X-Mailer: Internet Mail Service",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_SENDER",
"weight": 0.300000,
"description": "Sender is forged (different From: header and smtp MAIL FROM: addresses)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_ONE",
"weight": 0.0,
"description": "Message has one Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INVALID_RCPT_8BIT",
"weight": 6.0,
"description": "Invalid 8bit character in recipients headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_THEBAT_BOUN",
"weight": 2.0,
"description": "Forged The Bat! MUA headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MAIL_RU_MAILER",
"weight": 0.0,
"description": "Sent with Mail.Ru webmail",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_CC_EMPTY_DELIMITER",
"weight": 1.0,
"description": "Cc header has no delimiter between header name and header value",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "OLD_X_MAILER",
"weight": 2.0,
"description": "X-Mailer header has a very old MUA version",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_GENERIC_RECEIVED4",
"weight": 3.600000,
"description": "Forged generic Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FAKE_REPLY",
"weight": 1.0,
"description": "Fake reply",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "STRONGMAIL",
"weight": 6.0,
"description": "Sent via rogue \"strongmail\" MTA",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PRIO_FIVE",
"weight": 0.0,
"description": "Message has X-Priority header set to 5 or higher",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_MIME_VERSION",
"weight": 2.0,
"description": "MIME-Version header is missing in MIME message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CHECK_RCVD",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_DOUBLE_IP_SPAM",
"weight": 2.0,
"description": "Has two Received headers containing bare IP addresses",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_REPLYTO",
"weight": 0.0,
"description": "Has Reply-To header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_MA_MISSING_HTML",
"weight": 1.0,
"description": "MIME multipart/alternative missing text/html part",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_DN_EQ_FROM_DN",
"weight": 0.0,
"description": "Reply-To display name matches From",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_DOM_EQ_TO_DOM",
"weight": 0.0,
"description": "Reply-To domain matches the To domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "X_PHPOS_FAKE",
"weight": 3.0,
"description": "Fake X-PHP-Originating-Script header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ENVFROM_VERP",
"weight": 0.0,
"description": "Envelope From is a VERP address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_EQ_ENVFROM",
"weight": 0.0,
"description": "From address is the same as the envelope",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_ORG_HEADER",
"weight": 0.0,
"description": "Has Organization header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_TO",
"weight": 2.0,
"description": "To header is missing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BROKEN_HEADERS",
"weight": 10.0,
"description": "Headers structure is likely broken",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_DN_EQ_ADDR",
"weight": 1.0,
"description": "From header display name is the same as the address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_REPLYTO_NEQ_FROM_DOM",
"weight": 3.0,
"description": "The From and Reply-To addresses in the email are from different freemail services",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_HELO_LOCALHOST",
"weight": 0.0,
"description": "Localhost HELO seen in Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_BAD_CTE_7BIT",
"weight": 3.500000,
"description": "Detects bad Content-Transfer-Encoding for text parts",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_FROM_EMPTY_DELIMITER",
"weight": 1.0,
"description": "From header has no delimiter between header name and header value",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_HAS_QUESTION",
"weight": 0.0,
"description": "Subject contains a question mark",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PRIO_ZERO",
"weight": 0.0,
"description": "Message has X-Priority header set to 0",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DN_SOME",
"weight": 0.0,
"description": "Some of the recipients have display names",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ONCE_RECEIVED",
"weight": 0.100000,
"description": "One received header in a message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INFO_TO_INFO_LU",
"weight": 2.0,
"description": "info@ From/To address with List-Unsubscribe headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_DOM_EQ_FROM_DOM",
"weight": 0.0,
"description": "Reply-To domain matches the From domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_MA_MISSING_TEXT",
"weight": 2.0,
"description": "MIME multipart/alternative missing text/plain part",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_TWO",
"weight": 0.0,
"description": "Two recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_THREE",
"weight": 0.0,
"description": "3-5 recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PRIO",
"weight": 0.0,
"description": "X-Priority check callback rule",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DN_NONE",
"weight": 0.0,
"description": "None of the recipients have display names",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_TWO",
"weight": 0.0,
"description": "Message has two Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CTE_CASE",
"weight": 0.500000,
"description": "[78]Bit .vs. [78]bit",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_HAS_EXCLAIM",
"weight": 0.0,
"description": "Subject contains an exclamation mark",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_XM_UA",
"weight": 0.0,
"description": "Message has neither X-Mailer nor User-Agent header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "X_PHP_FORGED_0X",
"weight": 4.0,
"description": "X-PHP-Originating-Script header appears forged",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "APPLE_IOS_MAILER",
"weight": 0.0,
"description": "Sent with Apple iPhone/iPad Mail",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_LIST_UNSUB",
"weight": -0.010000,
"description": "Has List-Unsubscribe header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ENVFROM_INVALID",
"weight": 2.0,
"description": "Envelope from does not have a valid format",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_GENERIC_RECEIVED3",
"weight": 3.600000,
"description": "Forged generic Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_MIXED_CHARSET",
"weight": 5.0,
"description": "Mixed characters in a message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INVALID_MSGID",
"weight": 1.700000,
"description": "Message-ID header is incorrect",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_DOM_NEQ_FROM_DOM",
"weight": 0.0,
"description": "Reply-To domain does not match the From domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_ENDS_SPACES",
"weight": 0.500000,
"description": "Subject ends with space characters",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_TWELVE",
"weight": 0.0,
"description": "Message has 12 or more Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_NEQ_DISPLAY_NAME",
"weight": 4.0,
"description": "Display name contains an email address different to the From address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BROKEN_CONTENT_TYPE",
"weight": 1.500000,
"description": "Message has part with broken content type",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_DATE",
"weight": 1.0,
"description": "Date header is missing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MSGID_YAHOO",
"weight": 2.0,
"description": "Forged Yahoo Message-ID header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DN_EQ_ADDR_SOME",
"weight": 0.0,
"description": "Some of the recipients have display names that are the same as their address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_RCVD_SPAMBOTS",
"weight": 3.0,
"description": "Spambots signatures in received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_MISSING_CHARSET",
"weight": 0.500000,
"description": "Charset header is missing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_MID",
"weight": 2.500000,
"description": "Message-ID header is missing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_FORGED_MDN",
"weight": 2.0,
"description": "Read confirmation address is different to return path",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPOOF_REPLYTO",
"weight": 6.0,
"description": "Reply-To is being used to spoof and trick the recipient to send an off-domain reply",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_DATE_EMPTY_DELIMITER",
"weight": 1.0,
"description": "Date header has no delimiter between header name and header value",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_MATCH_ENVRCPT_SOME",
"weight": 0.0,
"description": "Some of the recipients match the envelope",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_RECIPIENTS_MAILLIST",
"weight": 0.0,
"description": "Recipients are not the same as RCPT TO: mail command, but a message from a maillist",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_FROM",
"weight": 2.0,
"description": "Missing From header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_SEVEN",
"weight": 0.0,
"description": "7-11 recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_UNPARSEABLE",
"weight": 1.0,
"description": "Reply-To header could not be parsed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PRIO_ONE",
"weight": 0.0,
"description": "Message has X-Priority header set to 1",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_GT_50",
"weight": 0.0,
"description": "50+ recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_TLS_LAST",
"weight": 0.0,
"description": "Last hop used encrypted transports",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_NAME_HAS_TITLE",
"weight": 1.0,
"description": "From header display name has a title (Mr/Mrs/Dr)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PREVIOUSLY_DELIVERED",
"weight": 0.0,
"description": "Message was either sent to a list or forwarded",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_HELO_USER",
"weight": 3.0,
"description": "HELO User spam pattern",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_X_MAILER",
"weight": 4.500000,
"description": "Forged X-Mailer header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_HTTP_URL_IN_FROM",
"weight": 5.0,
"description": "HTTP URL preceded by the start of a line, quote, or whitespace, with normal or URL-encoded colons in From header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DOM_EQ_FROM_DOM",
"weight": 0.0,
"description": "To domain is the same as the From domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_TWELVE",
"weight": 0.0,
"description": "12-50 recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_OUTLOOK_TAGS",
"weight": 2.100000,
"description": "Message pretends to be sent from Outlook but has 'strange' tags",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_NO_DN",
"weight": 0.0,
"description": "From header does not have a display name",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INVALID_DATE",
"weight": 1.500000,
"description": "Malformed Date header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_NO_SPACE_IN_FROM",
"weight": 1.0,
"description": "No space in From header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_OUTLOOK_HTML",
"weight": 5.0,
"description": "Forged Outlook HTML signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_DISPLAY_CALLBACK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_ADDR_EQ_FROM",
"weight": 0.0,
"description": "Reply-To header is identical to SMTP From",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_SENDER_MAILLIST",
"weight": 0.0,
"description": "Sender is not the same as MAIL FROM: envelope, but a message is from a maillist",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_WRAPPED_IN_SPACES",
"weight": 2.0,
"description": "To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DIRECT_TO_MX",
"weight": 0.0,
"description": "Message has been directly delivered from MUA to local MX",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_FIVE",
"weight": 0.0,
"description": "Message has 5-7 Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_GENERIC_RECEIVED",
"weight": 3.600000,
"description": "Forged generic Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_ENDS_QUESTION",
"weight": 1.0,
"description": "Subject ends with a question mark",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_CALLBACK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_RECIPIENTS",
"weight": 2.0,
"description": "Recipients are not the same as RCPT TO: mail command",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TRACKER_ID",
"weight": 3.840000,
"description": "Spam string at the end of the message intended to skew statistics",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_NEQ_ENVFROM",
"weight": 0.0,
"description": "From address is different to the envelope",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CT_EXTRA_SEMI",
"weight": 1.0,
"description": "Content-Type header ends with a semi-colon",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MAILLIST",
"weight": -0.200000,
"description": "Message seems to be from maillist",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PRIO_TWO",
"weight": 0.0,
"description": "Message has X-Priority header set to 2",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_FIVE",
"weight": 0.0,
"description": "5-7 recipients",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_SUBJECT",
"weight": 2.0,
"description": "Subject header is missing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CD_MM_BODY",
"weight": 2.0,
"description": "Content-Description header reads \"Mail message body\", commonly seen in spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "YANDEX_RU_MAILER",
"weight": 0.0,
"description": "Sent with Yandex webmail",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "GOOGLE_FORWARDING_MID_MISSING",
"weight": 2.500000,
"description": "Message was missing Message-ID pre-forwarding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_NEEDS_ENCODING",
"weight": 1.0,
"description": "To header needs encoding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_NEEDS_ENCODING",
"weight": 1.0,
"description": "From header needs encoding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_NEEDS_ENCODING",
"weight": 1.0,
"description": "Subject needs encoding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_EQ_TO_ADDR",
"weight": 5.0,
"description": "Reply-To is the same as the To address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_EMAIL_HAS_TITLE",
"weight": 2.0,
"description": "Reply-To header has title",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCPT_COUNT_ONE",
"weight": 0.0,
"description": "One recipient",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_EQ_FROM",
"weight": 0.0,
"description": "To address matches the From address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CHECK_MIME",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_RECIPS",
"weight": 1.500000,
"description": "Recipients seems to be autogenerated (works if recipients count is more than 5)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FAKE_RECEIVED_mail_ru",
"weight": 4.0,
"description": "Fake HELO mail.ru in Received header from non-mail.ru sender address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_XOIP",
"weight": 0.0,
"description": "Has X-Originating-IP header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_DOM_NEQ_TO_DOM",
"weight": 0.0,
"description": "Reply-To domain does not match the To domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "EMPTY_SUBJECT",
"weight": 1.0,
"description": "Subject header is empty",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "STOX_REPLY_TYPE",
"weight": 1.0,
"description": "Reply-type in Content-Type header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_HEADER_CTYPE_ONLY",
"weight": 2.0,
"description": "Only Content-Type header without other MIME headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BOUNCE",
"weight": -0.100000,
"description": "(Non) Delivery Status Notification",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SORTED_RECIPS",
"weight": 3.500000,
"description": "Recipients list seems to be sorted",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INVALID_POSTFIX_RECEIVED",
"weight": 3.0,
"description": "Invalid Postfix Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ENVFROM_PRVS",
"weight": 0.0,
"description": "Envelope From is a PRVS address that matches the From address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CHECK_RECEIVED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_MIMEOLE",
"weight": 2.0,
"description": "Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_HAS_DN",
"weight": 0.0,
"description": "From header has a display name",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_NO_TLS_LAST",
"weight": 0.100000,
"description": "Last hop did not use encrypted transports",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INVALID_FROM_8BIT",
"weight": 6.0,
"description": "Invalid 8bit character in From header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RATWARE_MS_HASH",
"weight": 2.0,
"description": "Forged Exchange messages",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ONCE_RECEIVED_STRICT",
"weight": 4.0,
"description": "One received header with 'bad' patterns inside",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "XM_CASE",
"weight": 0.500000,
"description": "X-mailer .vs. X-Mailer",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DATE_IN_PAST",
"weight": 1.0,
"description": "Message date is in the past",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MULTIPLE_UNIQUE_HEADERS",
"weight": 7.0,
"description": "Repeated unique headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PRIO_THREE",
"weight": 0.0,
"description": "Message has X-Priority header set to 3 or 4",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CHECK_REPLYTO",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_MIXED_CHARSET_URL",
"weight": 7.0,
"description": "Mixed characters in a URL inside message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MV_CASE",
"weight": 0.500000,
"description": "Mime-Version .vs. MIME-Version",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_UNDISC_RCPT",
"weight": 3.0,
"description": "Recipients are absent or undisclosed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "APPLE_MAILER",
"weight": 0.0,
"description": "Sent with Apple Mail",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DN_ALL",
"weight": 0.0,
"description": "All the recipients have display names",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "GOOGLE_FORWARDING_MID_BROKEN",
"weight": 1.700000,
"description": "Message had invalid Message-ID pre-forwarding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_INVALID",
"weight": 2.0,
"description": "From header does not have a valid format",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DATE_IN_FUTURE",
"weight": 4.0,
"description": "Message date is in the future",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_NAME_EXCESS_SPACE",
"weight": 1.0,
"description": "From header display name contains excess whitespace",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_GENERIC_RECEIVED2",
"weight": 3.600000,
"description": "Forged generic Received header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_COUNT_THREE",
"weight": 0.0,
"description": "Message has 3-5 Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_EQ_FROM",
"weight": 0.0,
"description": "Reply-To header is identical to From header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MULTIPLE_FROM",
"weight": 8.0,
"description": "Multiple addresses in From header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_CD_HEADER",
"weight": 0.0,
"description": "Has Content-Description header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_TLS_ALL",
"weight": 0.0,
"description": "All hops used encrypted transports",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_MATCH_ENVRCPT_ALL",
"weight": 0.0,
"description": "All of the recipients match the envelope",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_VIA_SMTP_AUTH",
"weight": 0.0,
"description": "Authenticated hand-off was seen in Received headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_DN_RECIPIENTS",
"weight": 2.0,
"description": "To header display name is \"Recipients\"",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_HTML_ONLY",
"weight": 0.200000,
"description": "Message has only an HTML part",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_INTERSPIRE_SIG",
"weight": 1.0,
"description": "Has Interspire fingerprint",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJECT_HAS_CURRENCY",
"weight": 1.0,
"description": "Subject contains currency",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJ_BOUNCE_WORDS",
"weight": 0.0,
"description": "Words/phrases typical for DSN",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_REPLYTO_EMPTY_DELIMITER",
"weight": 1.0,
"description": "Reply-To header has no delimiter between header name and header value",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HEADER_TO_EMPTY_DELIMITER",
"weight": 1.0,
"description": "To header has no delimiter between header name and header value",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "phishing",
"rules": [
{
"symbol": "PH_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HACKED_WP_PHISHING",
"weight": 4.500000,
"description": "Phish message sent by hacked Wordpress instance",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_REDIRECTOR_NESTED",
"weight": 1.0,
"description": "URL redirector nested limit has been reached"
},
{
"symbol": "REDIRECTOR_FALSE",
"weight": 0.0,
"description": "Phishing exclusion symbol for known redirectors",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISHED_EXCLUDED",
"weight": 0.0,
"description": "Phished URL found in exclusions list",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISHING",
"weight": 4.0,
"description": "Phished URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISHED_OPENPHISH",
"weight": 7.0,
"description": "Phished URL found in openphish.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISHED_GENERIC_SERVICE",
"weight": 0.0,
"description": "Phished URL found in generic service",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISHED_WHITELISTED",
"weight": 0.0,
"description": "Phishing exclusion symbol for known exceptions",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISHED_PHISHTANK",
"weight": 7.0,
"description": "Phished URL found in phishtank.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "excessb64",
"rules": [
{
"symbol": "FROM_EXCESS_BASE64",
"weight": 1.500000,
"description": "From header is unnecessarily encoded in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REPLYTO_EXCESS_BASE64",
"weight": 1.500000,
"description": "Reply-To header is unnecessarily encoded in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TO_EXCESS_BASE64",
"weight": 1.500000,
"description": "To header is unnecessarily encoded in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CC_EXCESS_BASE64",
"weight": 1.500000,
"description": "Cc header is unnecessarily encoded in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUBJ_EXCESS_BASE64",
"weight": 1.500000,
"description": "Subject header is unnecessarily encoded in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "forwarding",
"rules": [
{
"symbol": "FWD_MAILRU",
"weight": 0.0,
"description": "Message was forwarded by Mail.ru",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORWARDED",
"weight": 0.0,
"description": "Message was forwarded",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FWD_GOOGLE",
"weight": 0.0,
"description": "Message was forwarded by Google",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FWD_SIEVE",
"weight": 0.0,
"description": "Message was forwarded using Sieve",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FWD_CPANEL",
"weight": 0.0,
"description": "Message was forwarded using cPanel",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FWD_YANDEX",
"weight": 0.0,
"description": "Message was forwarded by Yandex",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FWD_SRS",
"weight": 0.0,
"description": "Message was forwarded using Sender Rewriting Scheme (SRS)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "url",
"rules": [
{
"symbol": "HAS_FILE_URL",
"weight": 2.0,
"description": "Contains file:// URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_BAD_UNICODE",
"weight": 3.0,
"description": "URL contains invalid Unicode",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_USER_PASSWORD",
"weight": 2.0,
"description": "URL contains user field",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_OBFUSCATED_TEXT",
"weight": 5.0,
"description": "Obfuscated URL found in message text",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_VERY_LONG",
"weight": 1.500000,
"description": "URL is very long",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_HOMOGRAPH_ATTACK",
"weight": 5.0,
"description": "URL uses homograph attack (mixed scripts)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_SUSPICIOUS_TLD",
"weight": 3.0,
"description": "URL uses suspicious TLD",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_GOOGLE_REDIR",
"weight": 1.0,
"description": "Has google.com/url or alike Google redirection URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URI_COUNT_ODD",
"weight": 1.0,
"description": "Odd number of URIs in multipart/alternative message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_ZERO_WIDTH_SPACES",
"weight": 7.0,
"description": "URL contains zero-width spaces",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_USER_LONG",
"weight": 3.0,
"description": "URL user field is long (>128 chars)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_GOOGLE_FIREBASE_URL",
"weight": 2.0,
"description": "Contains firebasestorage.googleapis.com URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_IPFS_GATEWAY_URL",
"weight": 6.0,
"description": "Message contains InterPlanetary File System (IPFS) gateway URL, likely malicious",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_RTL_OVERRIDE",
"weight": 6.0,
"description": "URL uses RTL override character",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_NUMERIC_PRIVATE_IP",
"weight": 0.500000,
"description": "URL uses private IP range",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_BACKSLASH_PATH",
"weight": 2.0,
"description": "URL uses backslashes",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_NUMERIC_IP",
"weight": 1.500000,
"description": "URL uses numeric IP address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_USER_VERY_LONG",
"weight": 5.0,
"description": "URL user field is very long (>256 chars)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_ONION_URI",
"weight": 0.0,
"description": "Contains .onion hidden service URI",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_EXCESSIVE_DOTS",
"weight": 2.0,
"description": "URL has excessive dots in hostname",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_SUSPECT_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_NO_TLD",
"weight": 2.0,
"description": "URL has no TLD",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "OMOGRAPH_URL",
"weight": 5.0,
"description": "URL contains both latin and non-latin characters",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_MULTIPLE_AT_SIGNS",
"weight": 3.0,
"description": "URL has multiple @ signs",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_NUMERIC_IP_USER",
"weight": 4.0,
"description": "URL uses numeric IP with user field",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_GUC_PROXY_URI",
"weight": 1.0,
"description": "Has googleusercontent.com proxy URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "rspamdbl",
"rules": [
{
"symbol": "RSPAMD_URIBL",
"weight": 4.500000,
"description": "Rspamd uribl, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_EMAILBL",
"weight": 2.500000,
"description": "Rspamd emailbl, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "blocked",
"rules": [
{
"symbol": "RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_BLOCKED",
"weight": 0.0,
"description": "SURBL: query blocked by policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DNSWL_BLOCKED",
"weight": 0.0,
"description": "https://www.dnswl.org: Resolver blocked due to excessive queries",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_BLOCKED",
"weight": 0.0,
"description": "https://www.dnswl.org: Resolver blocked due to excessive queries (DWL)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_BLOCKED",
"weight": 0.0,
"description": "URIBL.com: query refused, likely due to policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_BLOCKED",
"weight": 0.0,
"description": "Excessive number of queries to SenderScore RPBL, more info: https://knowledge.validity.com/hc/en-us/articles/20961730681243",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_BLOCKED",
"weight": 0.0,
"description": "Excessive number of queries to SenderScore RPBL, more info: https://knowledge.validity.com/hc/en-us/articles/20961730681243"
},
{
"symbol": "DBL_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "blocklistde",
"rules": [
{
"symbol": "RECEIVED_BLOCKLISTDE",
"weight": 3.0,
"description": "Received address is listed in Blocklist (https://www.blocklist.de/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_BLOCKLISTDE",
"weight": 4.0,
"description": "From address is listed in Blocklist (https://www.blocklist.de/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "mime_types",
"rules": [
{
"symbol": "MIME_DOUBLE_BAD_EXTENSION",
"weight": 3.0,
"description": "Bad extension cloaking",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_TRACE",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_ARCHIVE_IN_ARCHIVE",
"weight": 5.0,
"description": "Archive within another archive",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_UNKNOWN",
"weight": 0.100000,
"description": "Missing or unknown content-type",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ENCRYPTED_PGP",
"weight": -0.500000,
"description": "Message is encrypted with PGP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_GOOD",
"weight": -0.100000,
"description": "Known content-type",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BOGUS_ENCRYPTED_AND_TEXT",
"weight": 10.0,
"description": "Bogus mix of encrypted and text/html payloads",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BAD_EXTENSION",
"weight": 2.0,
"description": "Bad extension",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_EXE_IN_GEN_SPLIT_RAR",
"weight": 5.0,
"description": "EXE file in RAR archive with generic split extension (e.g. .001)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_ENCRYPTED_ARCHIVE",
"weight": 2.0,
"description": "Encrypted archive in a message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BAD",
"weight": 1.0,
"description": "Known bad content-type",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SIGNED_SMIME",
"weight": -2.0,
"description": "Message is signed with S/MIME",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_TYPES_CALLBACK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BAD_UNICODE",
"weight": 2.0,
"description": "Filename with known obscured unicode characters",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SIGNED_PGP",
"weight": -2.0,
"description": "Message is signed with PGP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_OBFUSCATED_ARCHIVE",
"weight": 2.0,
"description": "Archive has files with clear obfuscation signs",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ENCRYPTED_SMIME",
"weight": -0.500000,
"description": "Message is encrypted with S/MIME",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BAD_ATTACHMENT",
"weight": 4.0,
"description": "Invalid attachment mime type",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "antivirus",
"rules": []
},
{
"group": "spf",
"rules": [
{
"symbol": "R_SPF_FAIL",
"weight": 1.0,
"description": "SPF verification failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPF_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_SPF_DKIM",
"weight": -3.0,
"description": "Mail comes from the whitelisted domain and has valid SPF and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_DMARC",
"weight": 6.0,
"description": "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_SPF_DKIM",
"weight": 3.0,
"description": "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_PERMFAIL",
"weight": 0.0,
"description": "SPF record is malformed or persistent DNS error",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_ALLOW",
"weight": -0.200000,
"description": "SPF verification allows sending",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_SOFTFAIL",
"weight": 0.0,
"description": "SPF verification soft-failed",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_NEUTRAL",
"weight": 0.0,
"description": "SPF policy is neutral",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_PLUSALL",
"weight": 4.0,
"description": "SPF record allows to send from any IP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_DMARC",
"weight": -7.0,
"description": "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_DNSFAIL",
"weight": 0.0,
"description": "SPF DNS failure",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SPF_NA",
"weight": 0.0,
"description": "Missing SPF record",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_SPF",
"weight": 1.0,
"description": "Mail comes from the whitelisted domain and has no valid SPF policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_SPF",
"weight": -1.0,
"description": "Mail comes from the whitelisted domain and has a valid SPF policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "hfilter",
"rules": [
{
"symbol": "HFILTER_URL_ONELINE",
"weight": 2.500000,
"description": "One line URL and text in body",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_3",
"weight": 2.0,
"description": "Helo host checks (medium)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HOSTNAME_1",
"weight": 0.500000,
"description": "Hostname checks (very low)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_4",
"weight": 2.500000,
"description": "Helo host checks (hard)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_BAREIP",
"weight": 3.0,
"description": "Helo host is bare ip",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HOSTNAME_4",
"weight": 2.500000,
"description": "Hostname checks (hard)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_1",
"weight": 0.500000,
"description": "Helo host checks (very low)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_5",
"weight": 3.0,
"description": "Helo host checks (very hard)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_NORESOLVE_MX",
"weight": 0.200000,
"description": "MX found in Helo and no resolve",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HOSTNAME_3",
"weight": 2.0,
"description": "Hostname checks (medium)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_RCPT_BOUNCEMOREONE",
"weight": 1.500000,
"description": "Message from bounce and over 1 recipient",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_FROMHOST_NORES_A_OR_MX",
"weight": 1.500000,
"description": "FROM host no resolve to A or MX",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_2",
"weight": 1.0,
"description": "Helo host checks (low)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_BADIP",
"weight": 4.500000,
"description": "Helo host is very bad ip",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HOSTNAME_2",
"weight": 1.0,
"description": "Hostname checks (low)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HOSTNAME_5",
"weight": 3.0,
"description": "Hostname checks (very hard)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_FROM_BOUNCE",
"weight": 0.0,
"description": "Bounce message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RDNS_DNSFAIL",
"weight": 0.0,
"description": "PTR verification DNS error",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_NOT_FQDN",
"weight": 2.0,
"description": "Helo not FQDN",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_NORES_A_OR_MX",
"weight": 0.300000,
"description": "Helo no resolve to A or MX",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_FROMHOST_NORESOLVE_MX",
"weight": 0.500000,
"description": "MX found in FROM host and no resolve",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_FROMHOST_NOT_FQDN",
"weight": 3.0,
"description": "FROM host not FQDN",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HOSTNAME_UNKNOWN",
"weight": 2.500000,
"description": "Unknown client hostname (PTR or FCrDNS verification failed)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RDNS_NONE",
"weight": 2.0,
"description": "Cannot resolve reverse DNS for sender's IP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_HELO_IP_A",
"weight": 1.0,
"description": "Helo A IP != hostname IP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HFILTER_URL_ONLY",
"weight": 2.200000,
"description": "URL only in body",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "spamhaus",
"rules": [
{
"symbol": "RBL_SPAMHAUS_DROP",
"weight": 7.0,
"description": "From address is listed in Spamhaus DROP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_PBL",
"weight": 2.0,
"description": "From address is listed in Spamhaus PBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_BOTNET",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit botnet C&C",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_PROHIBIT",
"weight": 0.0,
"description": "DBL uribl IP queries prohibited!",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE",
"weight": 5.0,
"description": "A domain in the message is listed in Spamhaus DBL as abused legit spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPAMHAUS_ZEN_URIBL",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus ZEN URIBL"
},
{
"symbol": "RBL_SPAMHAUS",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus ZEN",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_BLOCKED",
"weight": 0.0,
"description": "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BOTNET",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as botnet C&C",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_PBL",
"weight": 0.0,
"description": "Received address is listed in Spamhaus PBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_SBL",
"weight": 6.500000,
"description": "A domain in the message body resolves to an IP listed in Spamhaus SBL"
},
{
"symbol": "RBL_SPAMHAUS_SBL",
"weight": 4.0,
"description": "From address is listed in Spamhaus SBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_SBL",
"weight": 3.0,
"description": "Received address is listed in Spamhaus SBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_REDIR",
"weight": 5.0,
"description": "A domain in the message is listed in Spamhaus DBL as spammed redirector domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_CSS",
"weight": 2.0,
"description": "From address is listed in Spamhaus CSS",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_PHISH",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as an abused legitimate domain used for phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_XBL",
"weight": 1.0,
"description": "Received address is listed in Spamhaus XBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_SPAM",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as spam",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_PBL",
"weight": 0.010000,
"description": "A domain in the message body resolves to an IP listed in Spamhaus PBL"
},
{
"symbol": "URIBL_DROP",
"weight": 5.0,
"description": "A domain in the message body resolves to an IP listed in Spamhaus DROP"
},
{
"symbol": "RECEIVED_SPAMHAUS_CSS",
"weight": 1.0,
"description": "Received address is listed in Spamhaus CSS",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_PHISH",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_ABUSE_MALWARE",
"weight": 6.500000,
"description": "A domain in the message is listed in Spamhaus DBL as an abused legitimate domain used for malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SPAMHAUS_XBL",
"weight": 4.0,
"description": "From address is listed in Spamhaus XBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL",
"weight": 0.0,
"description": "Unrecognised result from Spamhaus DBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_MALWARE",
"weight": 7.500000,
"description": "A domain in the message is listed in Spamhaus DBL as malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER",
"weight": 0.0,
"description": "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_XBL",
"weight": 3.0,
"description": "A domain in the message body resolves to an IP listed in Spamhaus XBL"
},
{
"symbol": "URIBL_SBL_CSS",
"weight": 5.0,
"description": "A domain in the message body resolves to an IP listed in Spamhaus CSS"
},
{
"symbol": "RECEIVED_SPAMHAUS_DROP",
"weight": 6.0,
"description": "Received address is listed in Spamhaus DROP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "ebl",
"rules": [
{
"symbol": "MSBL_EBL",
"weight": 7.500000,
"description": "MSBL emailbl (https://www.msbl.org/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MSBL_EBL_GREY",
"weight": 0.500000,
"description": "MSBL emailbl grey list (https://www.msbl.org/)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "surblorg",
"rules": [
{
"symbol": "CRACKED_SURBL",
"weight": 5.0,
"description": "A domain in the message is listed in SURBL as cracked",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_BLOCKED",
"weight": 0.0,
"description": "SURBL: query blocked by policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PH_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as phishing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ABUSE_SURBL",
"weight": 5.0,
"description": "A domain in the message is listed in SURBL as abused",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CT_SURBL",
"weight": 0.0,
"description": "A domain in the message is listed in SURBL as a clicktracker",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MW_SURBL_MULTI",
"weight": 7.500000,
"description": "A domain in the message is listed in SURBL as malware",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DM_SURBL",
"weight": 0.0,
"description": "A domain in the message is listed in SURBL as belonging to a disposable email service",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "uribl",
"rules": [
{
"symbol": "URIBL_GREY",
"weight": 2.500000,
"description": "A domain in the message is listed in URIBL.com grey",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_MULTI",
"weight": 0.0,
"description": "Unrecognised result from URIBL.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_BLOCKED",
"weight": 0.0,
"description": "URIBL.com: query refused, likely due to policy/overusage",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_BLACK",
"weight": 7.500000,
"description": "A domain in the message is listed in URIBL.com black",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_RED",
"weight": 0.500000,
"description": "A domain in the message is listed in URIBL.com red",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "external_services",
"rules": []
},
{
"group": "experimental",
"rules": [
{
"symbol": "XM_UA_NO_VERSION",
"weight": 0.010000,
"description": "X-Mailer/User-Agent header has no version number",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "composite",
"rules": [
{
"symbol": "SUSPICIOUS_AUTH_ORIGIN",
"weight": 0.0,
"description": "Message authenticated, but from a suspicious origin (potentially an injector)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_RECIPIENTS_FORWARDING",
"weight": 0.0,
"description": "FORGED_RECIPIENTS & g:forwarding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "UNDISC_RCPTS_BULK",
"weight": 3.0,
"description": "Missing or undisclosed recipients with a bulk signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE",
"weight": 1.0,
"description": "Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_UNAUTH_PBL",
"weight": 2.0,
"description": "Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "APPLE_MAILER_COMMON",
"weight": 0.0,
"description": "Message was sent by 'Apple Mail' and has common symbols in place",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_SENDER_MAILLIST",
"weight": 0.0,
"description": "Sender is not the same as MAIL FROM: envelope, but the message is from a mailing list",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHISH_EMOTION",
"weight": 1.0,
"description": "Phishing message with a subject that tries to appeal to the user's emotions",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DMARC_POLICY_ALLOW_WITH_FAILURES",
"weight": -0.500000,
"description": "DMARC permit policy with DKIM/SPF failure",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "AUTH_NA_OR_FAIL",
"weight": 1.0,
"description": "No authenticating method SPF/DKIM/DMARC/ARC was successful",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "REDIRECTOR_URL_ONLY",
"weight": 1.0,
"description": "Message only contains a redirector URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_RECIPIENTS_MAILLIST",
"weight": 0.0,
"description": "Recipients are not the same as RCPT TO: mail command, but the message is from a mailing list",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_SENDER_VERP_SRS",
"weight": 0.0,
"description": "FORGED_SENDER & (ENVFROM_PRVS | ENVFROM_VERP)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_ANON_DOMAIN",
"weight": 0.100000,
"description": "Contains one or more domains trying to disguise owner/destination",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BROKEN_HEADERS_MAILLIST",
"weight": 0.0,
"description": "Negate BROKEN_HEADERS when message comes via some mailing list",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "AUTOGEN_PHP_SPAMMY",
"weight": 1.0,
"description": "Message was generated by PHP script and contains some spam indicators",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "APPLE_IOS_MAILER_COMMON",
"weight": 0.0,
"description": "Message was sent by 'Apple iOS Mail' and has common symbols in place",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "IP_SCORE_FREEMAIL",
"weight": 0.0,
"description": "Negate IP_SCORE when message comes from FreeMail",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "VIOLATED_DIRECT_SPF",
"weight": 3.500000,
"description": "Has no Received (or no trusted received relays) and SPF policy fails or soft fails",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "AUTH_NA",
"weight": 1.0,
"description": "Authenticating message via SPF/DKIM/DMARC/ARC not available",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_REPLYTO_NEQ_FROM",
"weight": 2.0,
"description": "Reply-To is a Freemail address that does not match the From header or SMTP From, and From is not another Freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BAD_EXT_IN_OBFUSCATED_ARCHIVE",
"weight": 8.0,
"description": "Attachment with bad extension and archive that has filename with clear obfuscation signs",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BAD_REP_POLICIES",
"weight": 0.100000,
"description": "Contains valid policies but is also marked by fuzzy/bayes/SURBL/RBL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_MID_ALLOWED",
"weight": 0.0,
"description": "MISSING_MID_ALLOWED",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_MAILLIST",
"weight": 0.0,
"description": "Avoid false positives for FORGED_MUA_* in maillist",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPF_FAIL_FORWARDING",
"weight": 0.0,
"description": "g:forwarding & (R_SPF_SOFTFAIL | R_SPF_FAIL)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INVALID_MSGID_ALLOWED",
"weight": 0.0,
"description": "INVALID_MSGID_ALLOWED",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_DKIM_ARC_DNSWL_HI",
"weight": -1.0,
"description": "Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_SENDER_FORWARDING",
"weight": 0.0,
"description": "Forged sender, but message is forwarded",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MIME_BAD_EXT_WITH_BAD_UNICODE",
"weight": 8.0,
"description": "Attachment with bad extension and filename that has known obscured unicode characters",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_DKIM_ARC_DNSWL_MED",
"weight": -0.500000,
"description": "Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_MIXED",
"weight": 0.0,
"description": "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BOUNCE_NO_AUTH",
"weight": 1.0,
"description": "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "mid",
"rules": [
{
"symbol": "MID_END_EQ_FROM_USER_PART",
"weight": 4.0,
"description": "Message-ID RHS (after @) and MIME from local part are the same",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "CHECK_MID",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "KNOWN_MID",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "KNOWN_NO_MID",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "KNOWN_MID_CALLBACK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "fuzzy",
"rules": [
{
"symbol": "FUZZY_DENIED",
"weight": 12.0,
"description": "Denied fuzzy hash, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_PROB",
"weight": 5.0,
"description": "Probable fuzzy hash, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_ENCRYPTION_REQUIRED",
"weight": 0.0,
"description": "Fuzzy encryption is required by a server",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_WHITE",
"weight": -2.100000,
"description": "Whitelisted fuzzy hash, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_FORBIDDEN",
"weight": 0.0,
"description": "Fuzzy access denied",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_RATELIMITED",
"weight": 0.0,
"description": "Fuzzy rate limit is reached",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_UNKNOWN",
"weight": 5.0,
"description": "Generic fuzzy hash match, bl.rspamd.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FUZZY_CALLBACK",
"weight": 0.0,
"description": "Fuzzy check callback",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "senderscore",
"rules": [
{
"symbol": "RBL_SENDERSCORE_NA",
"weight": 0.0,
"description": "From address is listed in SenderScore RPBL - noauth"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_2",
"weight": 3.0,
"description": "SenderScore Reputation: Bad (20-29).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_NA",
"weight": 1.0,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+noauth"
},
{
"symbol": "RBL_SENDERSCORE_SCORE",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - sender_score"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_9",
"weight": -1.0,
"description": "SenderScore Reputation: Good (90-100).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_4",
"weight": 2.0,
"description": "SenderScore Reputation: Bad (40-49).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_1",
"weight": 3.500000,
"description": "SenderScore Reputation: Bad (10-19).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_UNKNOWN",
"weight": 0.0,
"description": "Unrecognized result from SenderScore Reputation list.",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE_NA",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - sender_score+noauth"
},
{
"symbol": "RBL_SENDERSCORE_BLOCKED",
"weight": 0.0,
"description": "Excessive number of queries to SenderScore RPBL, more info: https://knowledge.validity.com/hc/en-us/articles/20961730681243"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_8",
"weight": 0.0,
"description": "SenderScore Reputation: Neutral (80-89).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SCORE_PRST_NA",
"weight": 4.0,
"description": "From address is listed in SenderScore RPBL - sender_score+pristine+noauth"
},
{
"symbol": "RBL_SENDERSCORE_PRST_NA",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - pristine+noauth"
},
{
"symbol": "RBL_SENDERSCORE_PRST_NA_BOT",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - pristine+noauth+botnet"
},
{
"symbol": "RBL_SENDERSCORE_PRST_BOT",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - pristine+botnet"
},
{
"symbol": "RBL_SENDERSCORE_SCORE_SUS_ATT_NA",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - sender_score+suspect_attachments+noauth"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_6",
"weight": 1.0,
"description": "SenderScore Reputation: Bad (60-69).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_PRST",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - pristine"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_0",
"weight": 4.0,
"description": "SenderScore Reputation: Very Bad (0-9).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT",
"weight": 1.0,
"description": "From address is listed in SenderScore RPBL - suspect_attachments"
},
{
"symbol": "RBL_SENDERSCORE_SCORE_PRST",
"weight": 4.0,
"description": "From address is listed in SenderScore RPBL - sender_score+pristine"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_3",
"weight": 2.500000,
"description": "SenderScore Reputation: Bad (30-39).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_5",
"weight": 1.500000,
"description": "SenderScore Reputation: Bad (50-59).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_PRST_NA",
"weight": 3.0,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+pristine+noauth"
},
{
"symbol": "RBL_SENDERSCORE_NA_BOT",
"weight": 1.0,
"description": "From address is listed in SenderScore RPBL - noauth+botnet"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_7",
"weight": 0.500000,
"description": "SenderScore Reputation: Bad (70-79).",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_NA_BOT",
"weight": 1.500000,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+noauth+botnet"
},
{
"symbol": "RBL_SENDERSCORE_SUS_ATT_PRST_NA_BOT",
"weight": 3.500000,
"description": "From address is listed in SenderScore RPBL - suspect_attachments+pristine+noauth+botnet"
},
{
"symbol": "RBL_SENDERSCORE_BOT",
"weight": 2.0,
"description": "From address is listed in SenderScore RPBL - botnet"
},
{
"symbol": "RBL_SENDERSCORE_REPUT_BLOCKED",
"weight": 0.0,
"description": "Excessive number of queries to SenderScore RPBL, more info: https://knowledge.validity.com/hc/en-us/articles/20961730681243",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "aliases",
"rules": [
{
"symbol": "TAGGED_RCPT",
"weight": 0.0,
"description": "Recipient has plus-tags",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "TAGGED_FROM",
"weight": 0.0,
"description": "From address has plus-tags",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INTERNAL_MAIL",
"weight": 0.0,
"description": "Mail from local to local domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ALIASES_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "LOCAL_INBOUND",
"weight": 0.0,
"description": "Mail from external to local domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ALIAS_RESOLVED",
"weight": 0.0,
"description": "Address was resolved through aliases",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "LOCAL_OUTBOUND",
"weight": 0.0,
"description": "Mail from local to external domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "malware",
"rules": [
{
"symbol": "EXE_ARCHIVE_CLICKBAIT_FILENAME",
"weight": 9.0,
"description": "exe file in archive with clickbait filename",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "EXE_ARCHIVE_CLICKBAIT_SUBJECT",
"weight": 9.0,
"description": "exe file in archive with clickbait subject",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISIDENTIFIED_RAR",
"weight": 4.0,
"description": "rar with wrong extension",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "EXE_IN_ARCHIVE",
"weight": 1.500000,
"description": "exe file in archive",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "EXE_IN_MISIDENTIFIED_RAR",
"weight": 5.0,
"description": "rar with wrong extension containing exe file",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SINGLE_FILE_ARCHIVE_WITH_EXE",
"weight": 5.0,
"description": "single file container bearing executable",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "mailspike",
"rules": [
{
"symbol": "MAILSPIKE",
"weight": 0.0,
"description": "Unrecognised result from Mailspike",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_MAILSPIKE_BAD",
"weight": 1.0,
"description": "From address is listed in Mailspike RBL - bad reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_MAILSPIKE_VERYBAD",
"weight": 1.500000,
"description": "From address is listed in Mailspike RBL - very bad reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_GOOD",
"weight": -0.100000,
"description": "From address is listed in Mailspike RWL - good reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_VERYGOOD",
"weight": -0.200000,
"description": "From address is listed in Mailspike RWL - very good reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_POSSIBLE",
"weight": 0.0,
"description": "From address is listed in Mailspike RWL - possibly legit",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_EXCELLENT",
"weight": -0.400000,
"description": "From address is listed in Mailspike RWL - excellent reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RWL_MAILSPIKE_NEUTRAL",
"weight": 0.0,
"description": "Neutral result from Mailspike",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_MAILSPIKE_WORST",
"weight": 2.0,
"description": "From address is listed in Mailspike RBL - worst possible reputation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "compromised_hosts",
"rules": [
{
"symbol": "URI_HIDDEN_PATH",
"weight": 1.0,
"description": "Message contains URI with a hidden path",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "XAW_SERVICE_ACCT",
"weight": 1.0,
"description": "Message originally from a service account",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HIDDEN_SOURCE_OBJ",
"weight": 2.0,
"description": "UNIX hidden file/directory in path",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_PHPMAILER_SIG",
"weight": 0.0,
"description": "PHPMailer signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WWW_DOT_DOMAIN",
"weight": 0.500000,
"description": "From/Sender/Reply-To or Envelope is @www.domain.com",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_SOURCE",
"weight": 0.0,
"description": "Has X-Source headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HACKED_WP_PHISHING",
"weight": 4.500000,
"description": "Phish message sent by hacked Wordpress instance",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_XAW",
"weight": 0.0,
"description": "Has X-Authentication-Warning header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_PHP_SCRIPT",
"weight": 0.0,
"description": "Has X-PHP-Script header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHP_SCRIPT_ROOT",
"weight": 1.0,
"description": "PHP Script executed by root UID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PHP_XPS_PATTERN",
"weight": 0.0,
"description": "Message contains X-PHP-Script pattern",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_AS",
"weight": 0.0,
"description": "Has X-Authenticated-Sender header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "COMPROMISED_ACCT_BULK",
"weight": 3.0,
"description": "Likely to be from a compromised account",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "X_PHP_EVAL",
"weight": 4.0,
"description": "Message sent using eval'd PHP",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_POS",
"weight": 0.0,
"description": "Has X-PHP-Originating-Script header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_WP_URI",
"weight": 0.0,
"description": "Contains WordPress URIs",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ABUSE_FROM_INJECTOR",
"weight": 2.0,
"description": "Message is sent from a suspicious origin and shows signs of abuse, likely spam injected via a compromised account",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_GMSV",
"weight": 0.0,
"description": "Has X-Get-Message-Sender-Via: header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FROM_SERVICE_ACCT",
"weight": 1.0,
"description": "Sender/From/Reply-To is a service account",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ENVFROM_SERVICE_ACCT",
"weight": 1.0,
"description": "Envelope from is a service account",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_X_ANTIABUSE",
"weight": 0.0,
"description": "Has X-AntiAbuse headers",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WP_COMPROMISED",
"weight": 0.0,
"description": "URL that is pointing to a compromised WordPress installation",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_RHS_WWW",
"weight": 0.500000,
"description": "Message-ID from www host",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "html",
"rules": [
{
"symbol": "ZERO_FONT",
"weight": 1.0,
"description": "Zero sized font used",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTML_SHORT_LINK_IMG_1",
"weight": 2.0,
"description": "Short HTML part (0..1K) with a link to an image",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_WHITE_ON_WHITE",
"weight": 4.0,
"description": "Message contains low contrast text",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTML_SHORT_LINK_IMG_2",
"weight": 1.0,
"description": "Short HTML part (1K..1.5K) with a link to an image",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTML_VISIBLE_CHECKS",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTML_SHORT_LINK_IMG_3",
"weight": 0.500000,
"description": "Short HTML part (1.5K..2K) with a link to an image",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HAS_DATA_URI",
"weight": 0.0,
"description": "Has Data URI encoding",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTTP_TO_IP",
"weight": 1.0,
"description": "HTML anchor points to an IP address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_EMPTY_IMAGE",
"weight": 2.0,
"description": "Message contains empty parts and image",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MANY_INVISIBLE_PARTS",
"weight": 1.0,
"description": "Many parts are visually hidden",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_SUSPICIOUS_IMAGES",
"weight": 5.0,
"description": "Message has high image to text ratio",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTTP_TO_HTTPS",
"weight": 0.500000,
"description": "The anchor text contains a distinct scheme compared to the target URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "EXT_CSS",
"weight": 1.0,
"description": "Message contains external CSS reference",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DATA_URI_OBFU",
"weight": 2.0,
"description": "Uses Data URI encoding to obfuscate plain or HTML in base64",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "HTML_META_REFRESH_URL",
"weight": 5.0,
"description": "Has HTML Meta refresh URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "subject",
"rules": [
{
"symbol": "SUBJ_ALL_CAPS",
"weight": 3.0,
"description": "Subject contains mostly capital letters",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "LONG_SUBJ",
"weight": 3.0,
"description": "Subject is very long",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URL_IN_SUBJECT",
"weight": 4.0,
"description": "Subject contains URL",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "ungrouped",
"rules": [
{
"symbol": "ARC_SIGNED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ASN",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DKIM_SIGNED",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLOCKLISTDE_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DWL_DNSWL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MSBL_EBL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MAILSPIKE_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPAMHAUS_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_FRESH15_UNKNOWN_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SPF_CHECK",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_HASHBL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SEM_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RCVD_IN_DNSWL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SINGLE_SHORT_PART",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SURBL_MULTI_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "UDF_COMPRESSION_500PLUS",
"weight": 9.0,
"description": "very well compressed img file in archive",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "ASN_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_VIRUSFREE_UNKNOWN_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SENDERSCORE_REPUT_UNKNOWN_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_EMAILBL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "URIBL_MULTI_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "DBL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RSPAMD_URIBL_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "RBL_SEM_IPV6_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SEM_URIBL_UNKNOWN_FAIL",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "mua",
"rules": [
{
"symbol": "FORGED_MUA_THEBAT_MSGID_UNKNOWN",
"weight": 3.0,
"description": "Message pretends to be sent from The Bat! but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_KMAIL_MSGID_UNKNOWN",
"weight": 2.500000,
"description": "Message pretends to be sent from KMail but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_OPERA_MSGID",
"weight": 4.0,
"description": "Message pretends to be sent from Opera Mail but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_SEAMONKEY_MSGID",
"weight": 4.0,
"description": "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN",
"weight": 2.500000,
"description": "Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_OUTLOOK",
"weight": 3.0,
"description": "Forged Outlook MUA",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_BOUNDARY2",
"weight": 4.0,
"description": "Suspicious boundary in Content-Type header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_THEBAT_MSGID",
"weight": 4.0,
"description": "Message pretends to be sent from The Bat! but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_BOUNDARY3",
"weight": 3.0,
"description": "Suspicious boundary in Content-Type header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_BOUNDARY4",
"weight": 4.0,
"description": "Suspicious boundary in Content-Type header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_BOUNDARY",
"weight": 5.0,
"description": "Suspicious boundary in Content-Type header",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_POSTBOX_MSGID_UNKNOWN",
"weight": 2.500000,
"description": "Forged mail pretending to be from Postbox but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_MOZILLA_MAIL_MSGID",
"weight": 4.0,
"description": "Message pretends to be sent from Mozilla Mail but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN",
"weight": 2.500000,
"description": "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_MAILLIST",
"weight": 0.0,
"description": "Avoid false positives for FORGED_MUA_* in maillist",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_THUNDERBIRD_MSGID",
"weight": 4.0,
"description": "Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN",
"weight": 2.500000,
"description": "Message pretends to be sent from Mozilla Mail but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FORGED_MUA_POSTBOX_MSGID",
"weight": 4.0,
"description": "Forged mail pretending to be from Postbox but has forged Message-ID",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "whitelist",
"rules": [
{
"symbol": "WHITELIST_DKIM",
"weight": -1.0,
"description": "Mail comes from the whitelisted domain and has a valid DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_SPF_DKIM",
"weight": -3.0,
"description": "Mail comes from the whitelisted domain and has valid SPF and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_DMARC",
"weight": 6.0,
"description": "Mail comes from the whitelisted domain and has failed DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_DMARC",
"weight": -7.0,
"description": "Mail comes from the whitelisted domain and has valid DMARC and DKIM policies",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_SPF_DKIM",
"weight": 3.0,
"description": "Mail comes from the whitelisted domain and has no valid SPF policy or a bad DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_DKIM",
"weight": 2.0,
"description": "Mail comes from the whitelisted domain and has non-valid DKIM signature",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "WHITELIST_SPF",
"weight": -1.0,
"description": "Mail comes from the whitelisted domain and has a valid SPF policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BLACKLIST_SPF",
"weight": 1.0,
"description": "Mail comes from the whitelisted domain and has no valid SPF policy",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "blankspam",
"rules": [
{
"symbol": "COMPLETELY_EMPTY",
"weight": 15.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SHORT_PART_BAD_HEADERS",
"weight": 7.0,
"description": "MISSING_ESSENTIAL_HEADERS & SINGLE_SHORT_PART",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MISSING_ESSENTIAL_HEADERS",
"weight": 7.0,
"description": "Common headers were entirely absent",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "content",
"rules": [
{
"symbol": "PDF_TIMEOUT",
"weight": 0.0,
"description": "There is a PDF in the message that caused timeout in processing",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PDF_LONG_TRAILER",
"weight": 0.200000,
"description": "There is a PDF with a long trailer in the message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PDF_JAVASCRIPT",
"weight": 0.100000,
"description": "There is a PDF with JavaScript in the message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PDF_MANY_OBJECTS",
"weight": 0.0,
"description": "There is a PDF with too many objects in the message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PDF_ENCRYPTED",
"weight": 0.300000,
"description": "There is an encrypted PDF in the message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "PDF_SUSPICIOUS",
"weight": 4.500000,
"description": "There is a PDF with suspicious properties in the message",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "Message ID",
"rules": [
{
"symbol": "MID_CONTAINS_TO",
"weight": 1.0,
"description": "Message-ID contains To address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_MISSING_BRACKETS",
"weight": 0.500000,
"description": "Message-ID is missing <>'s",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_RHS_MATCH_TO",
"weight": 1.0,
"description": "Message-ID RHS matches To domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_RHS_NOT_FQDN",
"weight": 0.500000,
"description": "Message-ID RHS is not a fully-qualified domain name",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_RHS_MATCH_FROM",
"weight": 0.0,
"description": "Message-ID RHS matches From domain",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_CONTAINS_FROM",
"weight": 1.0,
"description": "Message-ID contains From address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_BARE_IP",
"weight": 2.0,
"description": "Message-ID RHS is a bare IP address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_RHS_IP_LITERAL",
"weight": 0.500000,
"description": "Message-ID RHS is an IP-literal",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "MID_RHS_MATCH_FROMTLD",
"weight": 0.0,
"description": "Message-ID RHS matches From domain tld",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "headers,mime",
"rules": [
{
"symbol": "CHECK_TO_CC",
"weight": 0.0,
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "scams",
"rules": [
{
"symbol": "LEAKED_PASSWORD_SCAM_RE",
"weight": 0.0,
"description": "Contains BTC wallet address and malicious regexps",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "FREEMAIL_AFF",
"weight": 4.0,
"description": "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "INTRODUCTION",
"weight": 2.0,
"description": "Sender introduces themselves",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "SUSPICIOUS_MDN",
"weight": 2.0,
"description": "Message delivery notification should go to freemail or disposable e-mail, but message was not sent from a freemail address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "BITCOIN_ADDR",
"weight": 0.0,
"description": "Message has a valid bitcoin wallet address",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "LEAKED_PASSWORD_SCAM",
"weight": 7.0,
"description": "Contains BTC wallet address and scam patterns",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
},
{
"group": "body",
"rules": [
{
"symbol": "HAS_ATTACHMENT",
"weight": 0.0,
"description": "Message contains attachments",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
},
{
"symbol": "R_PARTS_DIFFER",
"weight": 1.0,
"description": "Text and HTML parts differ",
"frequency": 0.0,
"frequency_stddev": 0.0,
"time": 0.0
}
]
}
]