File: //etc/mail/spamassassin/CPANEL.cf
#CPANEL.cf - SpamAssassin Rules
#
#Author: cPanel, L.L.C.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
# NetSol thought it was a great idea to give away tons of
# .xyz domains.  In practice the primary consumers are spammers
# http://domaingang.com/domain-news/chinese-registrar-iisp-hk-sends-xyz-spam-harvested-whois-emails/
header          CPANEL_XYZ             	From =~ /\@.*?\.xyz/i
describe        CPANEL_XYZ            	.XYZ domain mostly used by spammers
score           CPANEL_XYZ              2.1
meta     CPANEL_LOTS_OF_EMPTY_LINE !HTML_MESSAGE
rawbody  CPANEL_LOTS_OF_EMPTY_LINE /(?:[\t ]*[\r\n]){14,}/i
describe CPANEL_LOTS_OF_EMPTY_LINE Spam that has large block of empty lines
score    CPANEL_LOTS_OF_EMPTY_LINE 0.8
meta     CPANEL_LOTS_OF_EMPTY_LINE_HTML HTML_MESSAGE
rawbody  CPANEL_LOTS_OF_EMPTY_LINE_HTML /(?:\s*<+\s*(?:p|br)\s*>+){10,}/i
describe CPANEL_LOTS_OF_EMPTY_LINE_HTML Spam that has large block of empty html lines
score    CPANEL_LOTS_OF_EMPTY_LINE_HTML 0.8
#
# SPF failures and information
#
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0
score SPF_SOFTFAIL 1.5
endif
#
# SURBL for foreign language content
#
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 1.9
score URIBL_WS_SURBL 1.7
score URIBL_MW_SURBL 1.3
urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net
score           URIBL_BLACK  5.0
urirhssub       URIBL_GREY  multi.uribl.com.        A   4
body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY  net
score           URIBL_GREY  1.0
urirhssub       URIBL_GOLD  multi.uribl.com.        A   4
body            URIBL_GOLD  eval:check_uridnsbl('URIBL_GOLD')
describe        URIBL_GOLD  Contains an URL listed in the URIBL GOLDlist
tflags          URIBL_GOLD  net
score           URIBL_GOLD  0.5
endif
# No "Message-Id:" header
score MISSING_MID 1.6
#
# Spam coming from dynamic IPs
#
ifplugin Mail::SpamAssassin::Plugin::DNSEval
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_MISC 2.6
score RCVD_IN_SORBS_SMTP 2.6
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_ZOMBIE 1.0
score RCVD_IN_SORBS_DUL 4.0
#
score RCVD_IN_XBL 0 4.724 0 4.375
score RCVD_IN_CBL 0 4.724 0 4.375
score RCVD_IN_PSBL 0 2.700 0 2.700
#
score RCVD_IN_BRBL_LASTEXT 0 4.644 0 4.449
score URIBL_DBL_SPAM  0 4.5 0 4.5
#
endif
#
# Mailspike bad reputations
#
if (version >= 3.004000)
score RCVD_IN_MSPIKE_L2                     0.001 1.001 0.001 0.001
score RCVD_IN_MSPIKE_L3                     0.001 2.498 0.001 2.498
score RCVD_IN_MSPIKE_L4                     0.001 4.497 0.001 4.497
score RCVD_IN_MSPIKE_L5                     0.001 6.196 0.001 6.196
endif
#
# RDNS problems
#
score RDNS_DYNAMIC 2.6
score RDNS_LOCALHOST 1.0
score RDNS_NONE 2.0
#
# Increase Pyzor score
#
score PYZOR_CHECK 0 1.985 0 1.792 # n=0 n=2
#   Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED             on
endif # Mail::SpamAssassin::Plugin::Shortcircuit
# Increase Bayes
score BAYES_80 4.2
score BAYES_99 5.0
score BAYES_999 1.0