# Your options should be saved to $HOME/.spamtestbuddy
# This CONFIGURATION file can be copied as .spamtestbuddy and modified.
#
# Emails start with a score of 0. Define overall threshold for OVER/UNDER.
# Beware floating point comparisons (e.g. 1 + 0.9999 does not exceed 2)
SpamThreshold 0.9

# In order to test the IP address which sent this message, SpamTestBuddy
# has to extract the right IP address from email headers. The last IP address
# found within square brackets on Received lines will be used. Indicate the
# network(s) to skip, so that local hops or forwarding servers are ignored.
# Use a comma separated list of full or partial IP addresses. Each will be
# compared in string style, so it's best to include the dots at the end of
# the network (e.g. 24.19. instead of 24.19). The parsed IP is output in
# X-SpamTestBuddy headers. Currently used by TestFileIP, TestDnsProblems,
# and TestDNSBL. List must be under 1000 chars.
SkipReceived 127., 192.168.

###################
##  TEST FORMAT  ##
###################
#
# Each matching test increases (+) or decreases (-) total score by a floating
# point amount. The score starts at zero, and is compared to the SpamThreshold
# once all tests are done. The score may go negative or positive during tests.
#
# Each test can have an arbitrary user-defined weighting, any floating point
# multiplier. The default weight is 1.0 for each test. Most tests are binary
# in nature and either contribute to the score or do nothing. The exception is
# TestHeaderFloat which evaluates to a floating point value [0, 1] which will
# be multiplied by the indicated weighting.
#
# Each test is given a name (arbitrary, shown in all capitals) which is output
# upon match in the X-SpamTestBuddy-Tests: header.
#
# Example simple test definition which adds (subtracts) 1.0 on a match:
#   +TestName LABEL parameter
#   -TestName LABEL parameter
# Example weighted test definition which adds (subtracts) +0.5 or -0.3 on match:
#   +0.5 * TestName LABEL parameter
#   -0.3 * TestName LABEL parameter
#
# Where TestName is replaced with TestDnsProblems, TestFileIP, etc from below.
#
# It is best to specify a weight for each test rather than using the default,
# coarse increments/decrements of 1.0
#
#
####################
##   TEST NAMES   ##
####################
#
# Summary of supported tests, all described below:
#
# TestHeaderFloat  - Check for header containing value [0,1] and add/subtract from score
# TestDnsProblems  - Check for existing reverse dns and consistent forward dns
# TestFileIP       - Check if connecting IP address (parsed from Received:) is in local text file
# TestHeaderSubstr - Check for header substring match
# TestHeaderYes    - Check for header with right hand side "Yes/True/Spam"
# TestDNSBL        - Check if connecting IP address is in DNS based real-time blacklist
#
#
# One common use of SpamTestBuddy is filtering based on the score from a
# statistical filter (such as Bayesian). TestHeaderFloat will test an email
# header for a floating point number between 0 and 1.0001
# The first number found in the header is read (ignored if > 1) and then
# multiplied by the weighting if indicated. The header parameter can not
# contain whitespace and is case sensitive.
#
# The example below adds the score read from SpamProbe (near 0.0 if non-spam,
# near 0.5 if unsure, near 1.0 if spam). No weight is specified so the value
# is simply added to the score. Similar spam probabilities can be easily
# parsed from other similar filters such as DSPAM (X-DSPAM-Probability:)
+TestHeaderFloat SPAMPROBE X-SpamProbe:

# Test for DNS problems. Matches if there is no reverse DNS, or if forward
# and reverse DNS don't match.
# Beware that non-functioning DNS on the local
# system will trigger this test to match on every email sent through. As
# long as your DNS functions properly, this test should only match emails
# sent through hosts with questionable DNS configuration. Such hosts are
# rarely legitimate mail relays, since proper forward and reverse DNS are
# a requirement for any normal mail server.
#
# The example below, based on a SpamProbe starting point [0, 1] increases the
# score by +0.2 if there are DNS problems, making a spam result more likely.
+0.2 * TestDnsProblems DNSPROBLEM

# Test the connecting IP address (see SkipReceived) against a local text file
# containing a list of IP addresses. The file must contain one IP per line and
# must match exactly between line start and line end. This can be used to
# consult a local blacklist (+) or whitelist (-). The parameter is the file
# name to read, errors to stderr if can't fopen()
#
# The example below consults a local whitelist file, and subtracts -0.4 if the
# IP address parsed from this email appears in the file.
-0.4 * TestFileIP WHITELIST /home/user/sender.ip.whitelist

# Test a header for substring match (case sensitive). Must match exactly from
# the start of the line to the end of the parameter below. e.g. CRM-114
# The header parameter can contain whitespace and ends at the newline
#
# The example below adds +0.5 to the score if the header matches.
+0.5 * TestHeaderSubstr CRM114 X-CRM114-Status: SPAM

# Test a header for "Yes/True/Spam" (case insensitive) on the right. e.g. QSF.
# The header parameter (case sensitive) can not contain whitespace.
#
# The example below adds +0.5 to the score if the header ends in "Yes/True/Spam"
+0.5 * TestHeaderYes QSF X-Spam:

# Test the IP address parsed (see SkipReceived) against DNS based blocklists.
# A whitelist can be used as shown by associating a negative score on match.
# These are light weight remote database queries.
#
# Testing DNSBLs takes time to do DNS queries and could even wait and timeout
# if you use the wrong DNS zone. Failure to get a reply does not impact the
# score at all. SpamTestBuddy caches the last lookup, so group your TestDNSBL's
# for the same zone together to benefit. Of course each new email causes a new
# instance of SpamTestBuddy to run, and there is no caching between instances.
#
# When a DNSBL is queried with an IP address, it returns another IP address
# which is a coded response. The positive response is usually 127.0.0.2 though
# any code could be returned. By default, SpamTestBuddy takes any 127.0.x.y
# response as a match when used in the form:
#   +TestDNSBL LABEL zone.example.com
# To match a specific code from left-to-right, add ^string after the zone.
# The following matches any response 127.1.x.y (but would not match 127.0.0.2)
#   +TestDNSBL LABEL zone.example.com^127.1.
# You can also match from right-to-left by adding a $string after the zone.
# The following matches any response ending in .1.1 as a right aligned string.
#   +TestDNSBL LABEL zone.example.com$.1.1
#
# See: http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
#
# There are many useful lists available with different policies. Don't go
# overboard and query too many though, because this adds lookup delays.
# It is suggested that you associate a relatively small weight beside each
# DNSBL lookup, so that no single blacklist alone causes spam detection.
# Please carefully read each DNSBL's policy and understand what they list.
#
# Examples of real DNSBL definitions that could be useful if you are starting
# with a statistical spam score between [0, 1]. Notice that if the statistical
# filter gives a low score (such as 0.0) the IP address can appear on several
# blacklists and still not cause the score to go over the spam threshold!
#
# If the sender is listed on Spamhaus ZEN, add +0.4 to the score.
+0.4 * TestDNSBL ZEN zen.spamhaus.org

# If the sender is listed on SORBS, add +0.1 to the score.
+0.1 * TestDNSBL SORBS dnsbl.sorbs.net

# If the sender is listed on WPBL, add +0.1 to the score.
+0.1 * TestDNSBL WPBL db.wpbl.info

# Use the dnswl.org service to reduce the score depending on degree of
# confidence (represented in last octet of dnswl response code).
# Subtract -0.1 for 'none' level, -0.5 for low, etc.
# These definitions should be grouped together to benefit from
# caching of lookups, which only sends one DNS query for the batch.
-0.1 * TestDNSBL DNSWL.none list.dnswl.org$.0
-0.5 * TestDNSBL DNSWL.low list.dnswl.org$.1
-0.8 * TestDNSBL DNSWL.med list.dnswl.org$.2
-1.0 * TestDNSBL DNSWL.high list.dnswl.org$.3
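
# Added example, not part of SpamTestBuddy or its original configuration file:
# Python that parses the test definition format described above and applies the
# TestDNSBL matching rules (default 127.0., ^prefix, $suffix) to constructed DNS
# replies. The function names, the 192.0.2.25 sender and the replies are
# assumptions for illustration; the reversed-octet query name is the usual
# DNSBL convention.

```python
import re

# Constructed sample: four of the TestDNSBL definitions from the config above.
CONFIG = """\
+0.4 * TestDNSBL ZEN zen.spamhaus.org
+0.1 * TestDNSBL SORBS dnsbl.sorbs.net
-0.5 * TestDNSBL DNSWL.low list.dnswl.org$.1
-0.8 * TestDNSBL DNSWL.med list.dnswl.org$.2
"""
LINE = re.compile(r"^([+-])(?:\s*([0-9.]+)\s*\*)?\s*(\w+)\s+(\S+)\s+(.+)$")

def parse_tests(text):
    """Return (signed_weight, test, label, parameter) per definition line."""
    tests = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # comment and blank lines do not match
            sign, weight, test, label, param = m.groups()
            w = float(weight) if weight else 1.0  # default weight is 1.0
            tests.append((w if sign == "+" else -w, test, label, param))
    return tests

def split_zone(param):
    """Split 'zone', 'zone^prefix' or 'zone$suffix' into (zone, mode, text)."""
    for mode in "^$":
        if mode in param:
            zone, text = param.split(mode, 1)
            return zone, mode, text
    return param, "^", "127.0."  # default: any 127.0.x.y reply matches

def query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def answer_matches(answer, mode, text):
    """Plain string comparison, left-aligned (^) or right-aligned ($)."""
    if answer is None:  # no reply: the score is not affected
        return False
    return answer.startswith(text) if mode == "^" else answer.endswith(text)

def score(start, tests, ip, answers):
    """answers maps query name -> coded reply and stands in for real DNS."""
    total, hits = start, []
    for weight, test, label, param in tests:
        zone, mode, text = split_zone(param)
        if test == "TestDNSBL" and answer_matches(
                answers.get(query_name(ip, zone)), mode, text):
            total += weight
            hits.append(label)
    return total, hits
```

# Because matching is a string comparison, ^127.1 without the trailing dot also
# matches a 127.10.x.y reply, the same pitfall the SkipReceived comment warns about.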