Suggestion for prereleases

@girish, just a suggestion for consideration... It'd be really nice if when you release 7.5.0 for early testing by your advanced fearless (lol) users that the bugs we bring to your attention are addressed in a quick patch release that doesn't have too long of a waiting period, rather than the beta testers having to wait for a point release which also comes with new features and thus takes a long time to release.

For example, it's been quite a while since 7.5.0 came out as pre-release, and many of us reported various errors with it in our real-world testing. It was observed in those related posts that in most cases you resolved the issues right away within hours to days. But we're waiting quite a long time for those bug fixes to be delivered since they're being included in a new feature release at the same time. I think it'd be better for your users if you released 7.5.1 pre-release with the bug fixes quickly before allowing the branch with the new features being added yet in 7.5.x.

Hopefully the above makes sense. I do also recognize that we are beta testing and ideally would be using separate servers entirely for those tests or reverting back right away, but for one reason or another (bug fixes or a particular new feature we've been waiting on and really need if seen as low risk) we'll risk the update to pre-release software in production and we'll report back with any bugs we find. If anything catastrophic of course we'd just revert back to a backup, but many times the bugs we find aren't too high-impacting, however waiting a month or more for fixes you already made to code a day or two after it's reported seems like a long time to wait in my opinion. Thinking in that scenario it might be good to do it something like this...

1. New 7.5.0 pre-release
2. Gather feedback from beta testers on 7.5.0, generate bug fixes for those that are low-hanging fruit or high-impacting, after maybe just one to two weeks the bug fixes you've created can be released as 7.x.1 (or 7.x.0.1), even as pre-release still
3. Then continue with adding the new features again in the next point release and call it stable (ideally) by that time since the bug fixes would already have been released too

Not meant to be a criticism at all though, I assume you've chosen to release in the way you do currently for a reason, but just wanted to throw it an optional suggestion from a beta testers point of view. Thanks again for all the awesome improvements!! You guys are awesome!

I’ve been less active in the Cloudron forums recently (sorry), but still use Cloudron daily for my freelance business. While I’m not a large business, I do like to act and think like one when it comes to hosting services, so I saw this post and wanted to add some thoughts.

With a business perspective, I would prefer the focus to be on infrastructure features rather than adding more apps for now. I think business-focused features such as 1️⃣ allowing multiple backup locations with custom retention rules, 2️⃣ better spam IP blocking with managed IP lists via URLs, 3️⃣ improved spam filtering in mail, and 4️⃣ syncing a secondary Cloudron instance with the primary Cloudron instance for either load balancing or failover… I consider these to all be very important features that most businesses would consider critical before investing big into Cloudron. And these are just off the top of my head as hopeful features to see added soon. For some of these I know users like me have been waiting for years. The good news is I believe there is some movement for the backup improvements soon.

These features are very important, especially for medium to large businesses that prioritize uptime. I’d absolutely love to see various apps added sooner than later too (such as some of the website analytics apps), don’t get me wrong, but I think for me at least they’re less important than adding resiliency and business feature sets. And heck, the improved spam filtering / blocking would be helpful not only for businesses but personal users too.

Okay everyone... I've spent the past month really fine-tuning the SpamAssassin rules (especially after SpamAssassin was upgraded to 4.0 with Cloudron 8.3), and it seems to be working quite well for me. Spam filtering is never perfect, but it has improved a lot since the last time I took a look at the rules. The list is much longer now, and I added many more rules along with some additional lists for extra checks too.

If you want to use Abusix (which I've found to be very reliable), then you'll need a free API key, and can replace <API_KEY> in the list below with your own.

As always, your own mileage may vary, but this should be an effective SpamAssassin rule set to use. Good luck.

# ============================
# Allowlist / Blocklist Rules
# ============================

score USER_IN_BLOCKLIST 50.0
score USER_IN_ALL_SPAM_TO -50.0
score USER_IN_MORE_SPAM_TO -10.0
score USER_IN_WELCOMELIST -50.0

## Block specific recipients/senders
blocklist_from <EMAIL>

## Allowlist specific recipients/senders
welcomelist_from <EMAIL>


# ============================
# Bayesian Filtering (BAYES)
# ============================

bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam -4.0
bayes_auto_learn_threshold_spam 12.0

score BAYES_00 -6.0
score BAYES_05 -4.0
score BAYES_20 1.5
score BAYES_40 2.5
score BAYES_50 3.25
score BAYES_60 3.75
score BAYES_80 4.25
score BAYES_95 5.5
score BAYES_99 7.0
score BAYES_999 7.5


# ============================
# DNS-based Blocklists (DNSBL)
# ============================

## DNS Blocklists
score RCVD_IN_BL_SPAMCOP_NET 2.5
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_L2 1.0
score RCVD_IN_MSPIKE_L3 1.5
score RCVD_IN_MSPIKE_L4 3.5
score RCVD_IN_MSPIKE_L5 5.0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL 5.0
score RCVD_IN_SBL_CSS 4.0
score RCVD_IN_VALIDITY_RPBL 1.5
score RCVD_IN_XBL 6.0
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

## DNS Whitelists
score RCVD_IN_DNSWL_BLOCKED 0.0
score RCVD_IN_DNSWL_HI -6.0
score RCVD_IN_DNSWL_LOW -2.5
score RCVD_IN_DNSWL_MED -4.5
score RCVD_IN_DNSWL_NONE 0.0
score RCVD_IN_MSPIKE_H2 -1.0
score RCVD_IN_MSPIKE_H3 -1.5
score RCVD_IN_MSPIKE_H4 -3.5
score RCVD_IN_MSPIKE_H5 -5.0
score RCVD_IN_MSPIKE_WL 0.0


# ============================
# URI Blocklists (URIBL)
# ============================

score URIBL_ABUSE_SURBL 6.0
score URIBL_BLACK 7.0
score URIBL_CR_SURBL 3.5
score URIBL_CSS 3.0
score URIBL_CSS_A 3.0
score URIBL_DBL_ABUSE_BOTCC 5.5
score URIBL_DBL_ABUSE_MALW 5.5
score URIBL_DBL_ABUSE_PHISH 5.5
score URIBL_DBL_ABUSE_REDIR 2.0
score URIBL_DBL_ABUSE_SPAM 5.5
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 5.5
score URIBL_DBL_ERROR 0.0
score URIBL_DBL_MALWARE 5.5
score URIBL_DBL_PHISH 5.5
score URIBL_DBL_SPAM 5.5
score URIBL_GREY 0.5
score URIBL_MW_SURBL 5.0
score URIBL_PH_SURBL 5.0
score URIBL_RED 2.0
score URIBL_RHS_DOB 2.0
score URIBL_SBL 4.0
score URIBL_SBL_A 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0


# ============================
# Email Authentication (SPF/DKIM/ARC)
# ============================

## DKIM
score DKIM_INVALID 2.0
score DKIM_ADSP_ALL 2.0
score DKIM_ADSP_CUSTOM_MED 1.5
score DKIM_ADSP_NXDOMAIN 4.5
score DKIM_SIGNED 0.0
score DKIM_VALID 0.0
score DKIM_VALID_AU 0.0
score DKIM_VALID_EF 0.0
score DKIM_VERIFIED 0.0
score DKIMWL_BL 3.0
score DKIMWL_WL_HIGH -6.0
score DKIMWL_WL_MED -4.0
score DKIMWL_WL_MEDHI -4.5
score USER_IN_DEF_DKIM_WL -6.0

## SPF
score FORGED_SPF_HELO 4.0
score SPF_FAIL 4.0
score SPF_HELO_FAIL 2.5
score SPF_HELO_NEUTRAL 1.0
score SPF_HELO_NONE 0.25
score SPF_HELO_PASS -1.0
score SPF_HELO_SOFTFAIL 4.0
score SPF_NEUTRAL 0.0
score SPF_NONE 1.0
score SPF_PASS -1.0
score SPF_SOFTFAIL 1.5
score T_SPF_PERMERROR 2.0
score T_SPF_TEMPERROR 0.0
score USER_IN_DEF_SPF_WL -6.0

## ARC
score ARC_INVALID 2.0
score ARC_SIGNED 0.0
score ARC_VALID -0.5


# ============================
# HTML & MIME Structure Rules
# ============================

score HTML_FONT_LOW_CONTRAST 0.0
score HTML_FONT_SIZE_LARGE 2.0
score HTML_FONT_TINY_NORDNS 0.0
score HTML_IMAGE_ONLY_04 1.25
score HTML_IMAGE_ONLY_08 1.25
score HTML_IMAGE_ONLY_12 1.25
score HTML_IMAGE_ONLY_16 1.25
score HTML_IMAGE_ONLY_20 1.25
score HTML_IMAGE_ONLY_24 1.25
score HTML_IMAGE_ONLY_28 1.25
score HTML_IMAGE_ONLY_32 1.25
score HTML_MESSAGE 0.0
score HTML_MIME_NO_HTML_TAG 0.5
score HTML_OBFUSCATE_05_10 0.5
score HTML_OBFUSCATE_10_20 1.0
score HTML_OBFUSCATE_20_30 2.0
score HTML_OBFUSCATE_30_40 2.5
score HTML_OBFUSCATE_50_60 3.0
score HTML_OBFUSCATE_70_80 3.5
score HTML_OBFUSCATE_90_100 4.0
score HTML_SHORT_LINK_IMG_1 2.0
score HTML_SHORT_LINK_IMG_2 3.0
score HTML_SHORT_LINK_IMG_3 3.0
score MIME_HTML_MOSTLY 0.0
score MIME_HTML_ONLY 0.0
score MPART_ALT_DIFF 0.5
score MPART_ALT_DIFF_COUNT 0.5


# ============================
# Header / Envelope Heuristics
# ============================

score HEADER_FROM_DIFFERENT_DOMAINS 2.0
score MISSING_DATE 2.5
score MISSING_FROM 2.0
score MISSING_HEADERS 2.5
score MISSING_MID 1.0
score MISSING_SUBJECT 1.0
score MSGID_OUTLOOK_INVALID 4.0
score MISSING_HB_SEP 2.0
score TO_NO_BRKTS_FROM_MSSP 1.5
score REPLYTO_WITHOUT_TO_CC 2.5


# ============================
# Freemail & Identity Rules
# ============================

score FREEMAIL_ENVFROM_END_DIGIT 1.0
score FREEMAIL_FORGED_REPLYTO 2.25
score FREEMAIL_FROM 0.0
score FREEMAIL_REPLY 0.5
score FREEMAIL_REPLYTO 2.0
score FREEMAIL_REPLYTO_END_DIGIT 0.0
score FROM_LOCAL_DIGITS 1.75
score FROM_EXCESS_BASE64 2.5
score FROM_FMBLA_NEWDOM 2.5
score FROM_FMBLA_NEWDOM14 3.0
score FROM_FMBLA_NEWDOM28 2.5
score FROM_SUSPICIOUS_NTLD 2.0
score FORGED_GMAIL_RCVD 3.0
score FORGED_MUA_OUTLOOK 3.0
score FORGED_YAHOO_RCVD 3.0


# ============================
# Scam, Phishing & Social Engineering
# ============================

score ADVANCE_FEE_2 3.0
score ADVANCE_FEE_2_NEW_MONEY 3.0
score ADVANCE_FEE_2_NEW_FORM 3.0
score ADVANCE_FEE_3 3.0
score ADVANCE_FEE_3_NEW 3.0
score ADVANCE_FEE_3_NEW_MONEY 3.0
score ADVANCE_FEE_3_NEW_FORM 3.0
score ADVANCE_FEE_4_NEW 3.0
score ADVANCE_FEE_5_NEW 3.0
score ADVANCE_FEE_5_NEW_FRM_MNY 3.0
score ADVANCE_FEE_5_NEW_MONEY 3.0
score BILLION_DOLLARS 1.0
score DEAR_FRIEND 1.5
score LOTS_OF_MONEY 0.0
score UNCLAIMED_MONEY 4.0
score URG_BIZ 1.5
score FUZZY_CLICK_HERE 1.5
score FUZZY_CREDIT 2.0
score FUZZY_IMPORTANT 2.0
score FUZZY_SECURITY 2.25
score FUZZY_UNSUBSCRIBE 1.0
score SUBJ_AS_SEEN 0.75
score SUBJ_DOLLARS 0.25
score SUBJ_YOUR_DEBT 2.5
score SUBJ_YOUR_FAMILY 0.75


# ============================
# Transport / Network Reputation Rules
# ============================

score NO_RDNS_DOTCOM_HELO 3.0
score RDNS_DYNAMIC 3.5
score RDNS_LOCALHOST 3.5
score RDNS_NONE 2.25
score RCVD_HELO_IP_MISMATCH 1.75
score RCVD_ILLEGAL_IP 4.0
score PDS_BAD_THREAD_QP_64 1.5
score TBIRD_SUSP_MIME_BDRY 2.5
score SPAMMY_XMAILER 2.75
score KHOP_HELO_FCRDNS -0.5
score HELO_DYNAMIC_IPADDR 2.0
score HELO_DYNAMIC_SPLIT_IP 2.0
score UNPARSEABLE_RELAY 0.0


# ============================
# URI & Link Obfuscation
# ============================

score URI_HEX 2.5
score URI_NO_WWW_BIZ_CGI 2.5
score URI_NO_WWW_INFO_CGI 2.5
score URI_OBFU_WWW 3.0
score URI_TRUNCATED 2.5
score HTTPS_HTTP_MISMATCH 0.25
score WEIRD_PORT 4.5


# ============================
# Miscellaneous Heuristics & Content Triggers
# ============================

score ENV_AND_HDR_SPF_MATCH -4.0
score DATE_IN_FUTURE_06_12 2.25
score DATE_IN_PAST_03_06 2.25
score DATE_IN_PAST_06_12 2.25
score PLING_QUERY 1.0
score SHOPIFY_IMG_NOT_RCVD_SFY 0.75
score T_FILL_THIS_FORM_SHORT 0.25
score T_REMOTE_IMAGE 0.25
score STOX_REPLY_TYPE 2.0
score STOX_REPLY_TYPE_WITHOUT_QUOTES 3.0
score SUSPICIOUS_RECIPS 2.5


# ============================
# Spam Eating Monkey DNSBL lists
# ============================

header RCVD_IN_SEM_BACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
describe RCVD_IN_SEM_BACKSCATTER Received from an IP listed by Spam Eating Monkey Backscatter list
tflags RCVD_IN_SEM_BACKSCATTER net
score RCVD_IN_SEM_BACKSCATTER 3.0

header RCVD_IN_SEM_BLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
tflags RCVD_IN_SEM_BLACK net
describe RCVD_IN_SEM_BLACK Received from an IP listed by Spam Eating Monkey Blocklist
score RCVD_IN_SEM_BLACK 3.0

header RCVD_IN_SEM_NETBLACK eval:check_rbl('semnetblack-lastexternal', 'netbl.spameatingmonkey.net')
tflags RCVD_IN_SEM_NETBLACK net
describe RCVD_IN_SEM_NETBLACK Received from an IP listed by Spam Eating Monkeys Network Blocklist
score RCVD_IN_SEM_NETBLACK 1.5

urirhssub SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
body SEM_FRESH30 eval:check_uridnsbl('SEM_FRESH30')
describe SEM_FRESH30 Contains a domain registered less than 30 days ago
tflags SEM_FRESH30 net
score SEM_FRESH30 3.0

urirhssub SEM_URI_BLACK uribl.spameatingmonkey.net. A 2
body SEM_URI_BLACK eval:check_uridnsbl('SEM_URI')
describe SEM_URI_BLACK Contains a URI listed by Spam Eating Monkeys URI Blocklist
tflags SEM_URI_BLACK net
score SEM_URI_BLACK 3.5


# ============================
# JunkEmailFilter HostKarma DNSBL & DNSWL
# ============================

header __RCVD_IN_HOSTKARMA eval:check_rbl('hostkarma', 'hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net

header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('hostkarma','127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
score RCVD_IN_HOSTKARMA_W -3.5

header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('hostkarma','127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
score RCVD_IN_HOSTKARMA_BL 3.0

header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('hostkarma','127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net
score RCVD_IN_HOSTKARMA_BR 1.25


# ============================
# SpamRATS DNSBL
# ============================

header __RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe __RCVD_IN_SPAMRATS SPAMRATS: sender is listed in SpamRATS
tflags __RCVD_IN_SPAMRATS net
reuse __RCVD_IN_SPAMRATS

header RCVD_IN_SPAMRATS_DYNA eval:check_rbl_sub('spamrats','127.0.0.36')
describe RCVD_IN_SPAMRATS_DYNA RATS-Dyna: sent directly from dynamic IP address
tflags RCVD_IN_SPAMRATS_DYNA net
reuse RCVD_IN_SPAMRATS_DYNA
score RCVD_IN_SPAMRATS_DYNA 2.25

header RCVD_IN_SPAMRATS_NOPTR eval:check_rbl_sub('spamrats','127.0.0.37')
describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
tflags RCVD_IN_SPAMRATS_NOPTR net
reuse RCVD_IN_SPAMRATS_NOPTR
score RCVD_IN_SPAMRATS_NOPTR 2.5

header RCVD_IN_SPAMRATS_SPAM eval:check_rbl_sub('spamrats','127.0.0.38')
describe RCVD_IN_SPAMRATS_SPAM RATS-Spam: sender is a spam source
tflags RCVD_IN_SPAMRATS_SPAM net
reuse RCVD_IN_SPAMRATS_SPAM
score RCVD_IN_SPAMRATS_SPAM 5.5


# ============================
# UCEPROTECT
# ============================

header RCVD_IN_UCEPROTECT_LEVEL_1 eval:check_rbl('uceprotect1', 'dnsbl-1.uceprotect.net.')
describe RCVD_IN_UCEPROTECT_LEVEL_1 Sender IP listed in UCEPROTECT Level 1
tflags RCVD_IN_UCEPROTECT_LEVEL_1 net
score RCVD_IN_UCEPROTECT_LEVEL_1 4.0

header RCVD_IN_UCEPROTECT_LEVEL_2 eval:check_rbl('uceprotect2', 'dnsbl-2.uceprotect.net.')
describe RCVD_IN_UCEPROTECT_LEVEL_2 Sender IP listed in UCEPROTECT Level 2
tflags RCVD_IN_UCEPROTECT_LEVEL_2 net
score RCVD_IN_UCEPROTECT_LEVEL_2 1.25


# ============================
# Abusix Guardian Mail Relay
# ============================

header __RCVD_IN_ABUSIX eval:check_rbl('abusix', '<API_KEY>.combined.mail.abusix.zone.')
describe __RCVD_IN_ABUSIX Received via a relay in Abusix Guardian Mail
tflags __RCVD_IN_ABUSIX net

header RCVD_IN_ABUSIX_BLACK eval:check_rbl_sub('abusix', '^127\.0\.0\.(?:[23]|200)$')
describe RCVD_IN_ABUSIX_BLACK Received via a relay in Abusix Guardian Mail Black
tflags RCVD_IN_ABUSIX_BLACK net
score RCVD_IN_ABUSIX_BLACK 5.5

header RCVD_IN_ABUSIX_EXPLOIT eval:check_rbl_sub('abusix', '127.0.0.4')
describe RCVD_IN_ABUSIX_EXPLOIT Received via a relay in Abusix Guardian Mail Exploit
tflags RCVD_IN_ABUSIX_EXPLOIT net
score RCVD_IN_ABUSIX_EXPLOIT 6.0

header RCVD_IN_ABUSIX_DYN eval:check_rbl('abusix_dyn', '<API_KEY>.combined.mail.abusix.zone.', '^127\.0\.0\.1[12]$')
describe RCVD_IN_ABUSIX_DYN Received via a relay in Abusix Guardian Mail Dynamic
tflags RCVD_IN_ABUSIX_DYN net
score RCVD_IN_ABUSIX_DYN 1.5

header RCVD_IN_ABUSIX_WHITE eval:check_rbl('abusix_white', '<API_KEY>.combined.mail.abusix.zone.', '127.0.2.1')
describe RCVD_IN_ABUSIX_WHITE Received via a relay in Abusix Guardian Mail White
tflags RCVD_IN_ABUSIX_WHITE nice net
score RCVD_IN_ABUSIX_WHITE -1.5

urirhsbl URIBL_ABUSIX_DBLACK <API_KEY>.dblack.mail.abusix.zone. A
body URIBL_ABUSIX_DBLACK eval:check_uridnsbl('URIBL_ABUSIX_DBLACK')
describe URIBL_ABUSIX_DBLACK Contains a spam URL listed in the Abusix domain blocklist
tflags URIBL_ABUSIX_DBLACK net
score URIBL_ABUSIX_DBLACK 6.0

urirhssub URIBL_ABUSIX_WHITE <API_KEY>.white.mail.abusix.zone. A 127.0.2.1
body URIBL_ABUSIX_WHITE eval:check_uridnsbl('URIBL_ABUSIX_WHITE')
describe URIBL_ABUSIX_WHITE Contains a domain listed in the Abusix domain whitelist
tflags URIBL_ABUSIX_WHITE nice net
score URIBL_ABUSIX_WHITE -0.25


# ============================
# Ascams RBLs (IP Reputation)
# ============================

header RCVD_IN_ASCAMS_BLOCK eval:check_rbl('ascams_block', 'block.ascams.com.')
describe RCVD_IN_ASCAMS_BLOCK Sender listed in Ascams Block RBL
tflags RCVD_IN_ASCAMS_BLOCK net
score RCVD_IN_ASCAMS_BLOCK 1.25

header RCVD_IN_ASCAMS_DROP eval:check_rbl('ascams_white', 'dnsbl.ascams.com.')
describe RCVD_IN_ASCAMS_DROP Sender listed in Ascams DROP list
tflags RCVD_IN_ASCAMS_DROP nice net
score RCVD_IN_ASCAMS_DROP 3.0


# ============================
# DroneBL DNSBL
# ============================

header RCVD_IN_DRONEBL eval:check_rbl('dronebl', 'dnsbl.dronebl.org.')
describe RCVD_IN_DRONEBL Sender listed in DroneBL (suspected bot/malware)
tflags RCVD_IN_DRONEBL net
score RCVD_IN_DRONEBL 3.0


# ============================
# GBUDB Truncate DNSBL
# ============================

header RCVD_IN_GBUDB_TRUNCATE eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB_TRUNCATE Sender listed in GBUDB Truncate
tflags RCVD_IN_GBUDB_TRUNCATE net
score RCVD_IN_GBUDB_TRUNCATE 4.0


# ============================
# Usenix S5H
# ============================

header RCVD_IN_S5H_BL eval:check_rbl_txt('s5hbl', 'all.s5h.net.')
describe RCVD_IN_S5H_BL Listed at all.s5h.net
tflags RCVD_IN_S5H_BL net
score RCVD_IN_S5H_BL 0.5


# ============================
# Backscatterer.org 
# ============================

header RCVD_IN_BACKSCATTERER eval:check_rbl('backscatterer', 'ips.backscatterer.org.')
describe RCVD_IN_BACKSCATTERER IP listed in Backscatterer (backscatter spam)
tflags RCVD_IN_BACKSCATTERER net
score RCVD_IN_BACKSCATTERER 3.5

It's been quite a long time since 7.3.2 came out and it seems there are a number of important fixes in 7.3.3 that many are waiting for but I still don't see that out even as a beta release. Is there any ETA for when that will arrive by any chance?

I don't mean to sound like a broken record on it nor do I mean to rush it, I'm just eager to see 7.3.3 as it contains some important fixes and just surprised it hasn't been released yet.

Personally I'm really looking forward to this section of the changelog (though there's plenty of other changes in the list too):

* remove external df module
* Show remaining disk space in usage graph
* Make users and groups available for the new app link dialog
* Show swaps in disk graphs
* disk usage: run once a day
* mail: fix 100% cpu use with unreachable servers
* security: do not password reset mail to cloudron owned mail domain
* logrotate: only keep 14 days of logs
* mail: fix dnsbl count when all servers are removed
* applink: make users and groups available for the new app link dialog

A side note: It may just be me here, but for what it's worth I'm wondering if a bit more frequent release cycle with smaller releases may be helpful here so bug fixes & quality-of-life improvements can get out quicker to users. New features can of course be held back / reserved for more 'major' releases as they'd require more thorough testing. Just something to ponder if you may have been considering that already as I see more and more apps go to that sort of development cycle so that upgrades are less risky for admins while everyone benefits from more frequent bug fixes.

I've been spending a long time lately on spam improvements on the Cloudron mail server. I've made a ton of improvements and while still not perfect (it never will be) it's a giant leap over how it was a few weeks ago.

I already made some updates in the other post on DNSBLs, for anyone who hasn't seen that already.

I've also improved the spam classifications for anything that gets past the DNSBLs. It was already pretty decent at classifying spam that was spam with no false-positives, however there was still a good amount getting to the inbox for some users in particular. I've trained them to use the spam folder and archive folder accordingly to train the filter for their account, but I also made a whole bunch of tweaks in the custom rules to overwrite scoring server-wide.

Tip: You can easily override the default SpamAssassin scores or even create your own rules using the Custom Spam Filtering Rules feature in Cloudron.

I thought I'd share what I have currently which adds in a few new providers as well as increasing the scores from their defaults. Here is what I've got currently and it seems to be working very well for me and my users with no false-positives that I can find and much more in the spam box where they should be. Feel free to adapt of course for your own servers.

The main highlights of the changes I made was the following:

• Increasing the scores for various DNSBLs where appropriate from their defaults
• Increasing the scores for SPF failures but keeping them still reasonable as not ever mail server has setup SPF correctly even if legitimate
• Modifying the scores for the BAYES_ learning ones, scoring them according to their confidence levels (and a bit above the default in most cases)
• Added three new DNSBLs for SpamAssassin (seen at the bottom of the list) which when combined with the overall scoring changes for DNSBLs built-in has provided a noticeable improvement in spam recognition

# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_GBUDB 4.0
score RCVD_IN_JMF_BL 3.0
score RCVD_IN_MSPIKE_H3 -2.0
score RCVD_IN_MSPIKE_H4 -3.0
score RCVD_IN_MSPIKE_H5 -3.5
score RCVD_IN_MSPIKE_L3 2.0
score RCVD_IN_MSPIKE_L4 3.0
score RCVD_IN_MSPIKE_L5 3.5
score RCVD_IN_MSPIKE_WL 0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SORBS_BLOCK 2.0
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_HTTP 2.0
score RCVD_IN_SORBS_MISC 2.0
score RCVD_IN_SORBS_SMTP 2.0
score RCVD_IN_SORBS_SOCKS 2.0
score RCVD_IN_SORBS_SPAM 2.0
score RCVD_IN_SORBS_WEB 2.0
score RCVD_IN_SORBS_ZOMBIE 2.0
score RCVD_IN_SPAMRATS 4.0
score RCVD_IN_XBL 3.5
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.5
score RCVD_IN_ZEN_BLOCKED 0.5

# scoring URIBLs
score URIBL_ABUSE_SURBL 3.0
score URIBL_BLACK 3.0
score URIBL_CR_SURBL 3.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 2.0
score URIBL_DBL_ABUSE_MALW  2.0
score URIBL_DBL_ABUSE_PHISH 2.0
score URIBL_DBL_ABUSE_REDIR 2.0
score URIBL_DBL_ABUSE_SPAM 2.0
score URIBL_DBL_BLOCKED 2.0
score URIBL_DBL_BLOCKED_OPENDNS 2.0
score URIBL_DBL_BOTNETCC 2.0
score URIBL_DBL_ERROR 2.0
score URIBL_DBL_MALWARE 2.0
score URIBL_DBL_PHISH 2.0
score URIBL_DBL_SPAM 2.0
score URIBL_GREY 1.5
score URIBL_MW_SURBL 2.0
score URIBL_PH_SURBL 2.0
score URIBL_RED 2.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_WS_SURBL 2.0
score URIBL_ZEN_BLOCKED 2.0
score URIBL_ZEN_BLOCKED_OPENDNS 2.0

# scoring SPF & DKIM
score DKIM_INVALID 1.0
score DKIM_SIGNED -0.5
score DKIM_VALID -0.5
score DKIM_VALID_AU -0.5
score DKIM_VALID_EF -0.5
score DKIM_VERIFIED -1.0
score SPF_FAIL 2.0
score SPF_HELO_FAIL 2.0
score SPF_HELO_NEUTRAL 0.5
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS -0.5
score SPF_HELO_SOFTFAIL 1.0
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS -0.5
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -1.5
score BAYES_05  -1.0
score BAYES_20  -0.5
score BAYES_40  0.5
score BAYES_50  1.0
score BAYES_60  1.5
score BAYES_80  2.0
score BAYES_95  3.0
score BAYES_99  4.5
score BAYES_999 5.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score FREEMAIL_FROM 0.5
score HEADER_FROM_DIFFERENT_DOMAINS 3.5
score HTML_FONT_LOW_CONTRAST 2.0
score HTML_MESSAE 0.5
score LOTS_OF_MONEY 1.5
score MISSING_HEADERS 1.0

# add GDUB TRUNCATE DNSBL
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header RCVD_IN_JMF_BL eval:check_rbl('jmfbl', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags RCVD_IN_SPAMRATS net

Latest round of SpamAssassin rules I'm using, if anyone is interested.

The highlights here are just a couple of things:

• A few new sources which come with new rules
• Slight scoring tweaks on just a few rules

Of course, as they say... YMMV.

# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_GBUDB 4.5
score RCVD_IN_IADB_DK -0.5
score RCVD_IN_IADB_DOPTIN_GT50 -0.5
score RCVD_IN_IADB_DOPTIN_LT50 -0.5
score RCVD_IN_IADB_EDDB -0.5
score RCVD_IN_IADB_EPIA -0.5
score RCVD_IN_IADB_GOODMAIL -0.5
score RCVD_IN_IADB_LISTED -0.5
score RCVD_IN_IADB_LOOSE -0.5
score RCVD_IN_IADB_MI_CPEAR 0
score RCVD_IN_IADB_MI_CPR_30 0
score RCVD_IN_IADB_MI_CPR_MAT 0.0
score RCVD_IN_IADB_NOCONTROL -0.5
score RCVD_IN_IADB_OOO -0.5
score RCVD_IN_IADB_OPTIN -0.5
score RCVD_IN_IADB_OPTIN_GT50 -0.5
score RCVD_IN_IADB_OPTIN_LT50 -0.5
score RCVD_IN_IADB_OPTOUTONLY -0.5
score RCVD_IN_IADB_RDNS -0.5
score RCVD_IN_IADB_SENDERID -0.5
score RCVD_IN_IADB_SPF -0.5
score RCVD_IN_IADB_UNVERIFIED_1 -0.5
score RCVD_IN_IADB_UNVERIFIED_2 -0.5
score RCVD_IN_IADB_UT_CPEAR 0
score RCVD_IN_IADB_UT_CPR_30 0
score RCVD_IN_IADB_UT_CPR_MAT 0
score RCVD_IN_JMF_BL 2.5
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_H2 0.0
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -2.0
score RCVD_IN_MSPIKE_H5 -3.0
score RCVD_IN_MSPIKE_L2 1.5
score RCVD_IN_MSPIKE_L3 3.5
score RCVD_IN_MSPIKE_L4 4.5
score RCVD_IN_MSPIKE_L5 5.0
score RCVD_IN_MSPIKE_WL 0.0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_SEM_BACKSCATTER 1.5
score RCVD_IN_SEM_BLACK 3.5
score RCVD_IN_SEM_NET_BLACK 2.5
score RCVD_IN_SORBS_BLOCK 2.5
score RCVD_IN_SORBS_DUL 2.5
score RCVD_IN_SORBS_HTTP 2.5
score RCVD_IN_SORBS_MISC 2.5
score RCVD_IN_SORBS_SMTP 2.5
score RCVD_IN_SORBS_SOCKS 2.5
score RCVD_IN_SORBS_SPAM 2.5
score RCVD_IN_SORBS_WEB 2.5
score RCVD_IN_SORBS_ZOMBIE 2.5
score RCVD_IN_SPAMRATS 2.5
score RCVD_IN_XBL 3.5
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

# scoring URIBLs
score URIBL_ABUSE_SURBL 4.0
score URIBL_BLACK 4.5
score URIBL_CR_SURBL 4.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 3.5
score URIBL_DBL_ABUSE_MALW  3.5
score URIBL_DBL_ABUSE_PHISH 3.5
score URIBL_DBL_ABUSE_REDIR 3.5
score URIBL_DBL_ABUSE_SPAM 3.5
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 3.5
score URIBL_DBL_ERROR 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_SPAM 3.5
score URIBL_GREY 1.0
score URIBL_MW_SURBL 4.0
score URIBL_PH_SURBL 4.0
score URIBL_RED 1.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_SEM 3.0
score URIBL_SEM_FRESH30 1.5
score URIBL_WS_SURBL 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0

# scoring DKIM & SPF
score DKIM_INVALID 1.5
score DKIM_SIGNED 0.0
score DKIM_VALID 0.0
score DKIM_VALID_AU 0.0
score DKIM_VALID_EF 0.0
score DKIM_VERIFIED 0.0
score DKIMWL_BL 3.0
score DKIMWL_WL_HIGH -3.5
score DKIMWL_WL_MED -1.5
score DKIMWL_WL_MEDHI -2.5
score FORGED_SPF_HELO 3.0
score SPF_FAIL 1.5
score SPF_HELO_FAIL 1.5
score SPF_HELO_NEUTRAL 1.0
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS 0.0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS 0.0
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -3.0
score BAYES_05  -1.5
score BAYES_20  0.5
score BAYES_40  1.5
score BAYES_50  2.0
score BAYES_60  3.0
score BAYES_80  4.0
score BAYES_95  4.5
score BAYES_99  5.0
score BAYES_999 1.5

# scoring HTML
score HTML_FONT_LOW_CONTRAST 0.5
score HTML_IMAGE_ONLY_04 1.5
score HTML_IMAGE_ONLY_08 2.0
score HTML_IMAGE_ONLY_12 2.0
score HTML_IMAGE_ONLY_16 2.0
score HTML_IMAGE_ONLY_20 2.0
score HTML_IMAGE_ONLY_24 2.5
score HTML_IMAGE_ONLY_28 2.5
score HTML_IMAGE_ONLY_32 3.0
score HTML_IMAGE_RATIO_02 0.0
score HTML_IMAGE_RATIO_04 0.0
score HTML_IMAGE_RATIO_06 0.0
score HTML_IMAGE_RATIO_08 0.0
score HTML_MESSAGE 0.0

# scoring HEADER & MISSING
score HEADER_FROM_DIFFERENT_DOMAINS 0.5
score HEADER_SPAM 2.5
score MISSING_DATE 3.0
score MISSING_FROM 1.5
score MISSING_HB_SEP 0.0
score MISSING_HEADERS 1.5
score MISSING_MID 1.0
score MISSING_MIMEOLE 2.0
score MISSING_SUBJECT 2.0

# scoring FREEMAIL
score FORGED_GMAIL_RCVD 2.5
score FORGED_YAHOO_RCVD 2.5
score FREEMAIL_ENVFROM_END_DIGIT 0.5
score FREEMAIL_FORGED_REPLYTO 1.5
score FREEMAIL_FROM 0
score FREEMAIL_REPLY 1.0
score FREEMAIL_REPLYTO 1.0
score FREEMAIL_REPLYTO_END_DIGIT 0.5
score MALFORMED_FREEMAIL 4.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score BODY_URI_ONLY 1.5
score EMPTY_MESSAGE 1.5
score HELO_DYNAMIC_SPLIT_IP 2.0
score HK_RANDOM_ENVFROM 0.5
score HK_RANDOM_FROM 0.5
score LOTS_OF_MONEY 0.5
score MPART_ALT_DIFF 1.0
score MPART_ALT_DIFF_COUNT 1.5
score NO_DNS_FOR_FROM 0.5
score PDS_TONAME_EQ_TOLOCAL 0.5
score PDS_TONAME_EQ_TOLOCAL_VSHORT 0.5
score RDNS_NONE 1.5
score REPLYTO_WITHOUT_TO_CC 2.5
score UNPARSEABLE_RELAY 0.5
score URI_DQ_UNSUB 2.0

# add GDUB TRUNCATE DNSBL
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header RCVD_IN_JMF_BL eval:check_rbl('jmf', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags RCVD_IN_SPAMRATS net

# add SpamEatingMonkey backscatter DNSBL
header RCVD_IN_SEM_BACKSCATTER eval:check_rbl('sem', 'backscatter.spameatingmonkey.net')
tflags RCVD_IN_SEM_BACKSCATTER net
describe RCVD_IN_SEM_BACKSCATTER Received from an IP listed by SEM-BACKSCATTER

# add SpamEatingMonkey network blacklist DNSBL
header RCVD_IN_SEM_NET_BLACK eval:check_rbl('sem', 'netbl.spameatingmonkey.net')
tflags RCVD_IN_SEM_NET_BLACK net
describe RCVD_IN_SEM_NET_BLACK Received from an IP listed by SpamEatingMonkeys

# add SpamEatingMonkey blacklist DNSBL
header RCVD_IN_SEM_BLACK eval:check_rbl('sem', 'bl.spameatingmonkey.net')
tflags RCVD_IN_SEM_BLACK net
describe RCVD_IN_SEM_BLACK Received from an IP listed by SpamEatingMonkeys

# add SpamEatingMonkey URIBL
urirhssub URIBL_SEM uribl.spameatingmonkey.net. A 2
body URIBL_SEM eval:check_uridnsbl('URIBL_SEM')
describe URIBL_SEM Contains a URI listed by SpamEatingMonkeys
tflags URIBL_SEM net

# add SpamEatingMonkey fresh domain URIBL
urirhssub URIBL_SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
body URIBL_SEM_FRESH30 eval:check_uridnsbl('URIBL_SEM_FRESH30')
describe URIBL_SEM_FRESH30 From a domain registered less than 30 days ago
tflags URIBL_SEM_FRESH30 net

While I noticed some improvements in my last set of rules I also saw a few extras getting through to my inbox too, so I think the last update was a "one step forward, two steps back" update, so I apologize if anyone saw a decrease in effectiveness if using the latest list. I immediately made some tweaks and have noticed this seems to be more effective. Let me know if you have any issues though.

# scoring BAYES
score BAYES_00 -5.0
score BAYES_05 -4.0
score BAYES_20 1.0
score BAYES_40 2.0
score BAYES_50 2.5
score BAYES_60 3.0
score BAYES_80 3.5
score BAYES_95 4.0
score BAYES_99 4.5
score BAYES_999 1.0

# scoring DNSBLs & DNSWLs
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_BLOCKED 0
score RCVD_IN_DNSWL_HI -6.0
score RCVD_IN_DNSWL_LOW -2.0
score RCVD_IN_DNSWL_MED -4.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_HOSTKARMA_BL 2.0
score RCVD_IN_HOSTKARMA_BR 0.5
score RCVD_IN_HOSTKARMA_W -5.0
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_H2 -0.5
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -2.0
score RCVD_IN_MSPIKE_H5 -3.0
score RCVD_IN_MSPIKE_L3 0.5
score RCVD_IN_MSPIKE_L4 2.0
score RCVD_IN_MSPIKE_L5 3.0
score RCVD_IN_MSPIKE_WL 0.0
score RCVD_IN_MSPIKE_ZBI 2.0
score RCVD_IN_PBL 3.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SBL_CSS 3.0
score RCVD_IN_SPAMRATS_DYNA 2.0
score RCVD_IN_SPAMRATS_NOPTR 2.0
score RCVD_IN_SPAMRATS_SPAM 3.0
score RCVD_IN_XBL 3.0
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

# scoring URIBLs
score URIBL_ABUSE_SURBL 4.5
score URIBL_BLACK 4.5
score URIBL_CR_SURBL 3.5
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 3.0
score URIBL_DBL_ABUSE_MALW 3.0
score URIBL_DBL_ABUSE_PHISH 3.0
score URIBL_DBL_ABUSE_REDIR 1.0
score URIBL_DBL_ABUSE_SPAM 3.0
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_ERROR 0.0
score URIBL_DBL_MALWARE 3.0
score URIBL_DBL_PHISH 3.0
score URIBL_DBL_SPAM 3.0
score URIBL_GREY 1.0
score URIBL_MW_SURBL 3.5
score URIBL_PH_SURBL 3.5
score URIBL_RED 0.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 3.0
score URIBL_SBL_A 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0

# scoring DKIM & SPF
score DKIM_INVALID 1.5
score DKIM_SIGNED 0.0
score DKIM_VALID 0.0
score DKIM_VALID_AU 0.0
score DKIM_VALID_EF 0.0
score DKIM_VERIFIED 0.0
score DKIMWL_BL 3.0
score DKIMWL_WL_HIGH -3.5
score DKIMWL_WL_MED -2.5
score DKIMWL_WL_MEDHI -3.0
score FORGED_SPF_HELO 3.0
score SPF_FAIL 1.5
score SPF_HELO_FAIL 1.5
score SPF_HELO_NEUTRAL 1.0
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS 0.0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS 0.0
score SPF_SOFTFAIL 1.5
score USER_IN_DEF_DKIM_WL -5.0

# scoring HTML
score HTML_FONT_LOW_CONTRAST 0.5
score HTML_IMAGE_ONLY_04 1.0
score HTML_IMAGE_ONLY_08 1.0
score HTML_IMAGE_ONLY_12 1.0
score HTML_IMAGE_ONLY_16 1.5
score HTML_IMAGE_ONLY_20 1.5
score HTML_IMAGE_ONLY_24 2.0
score HTML_IMAGE_ONLY_28 2.5
score HTML_IMAGE_ONLY_32 3.0
score HTML_IMAGE_RATIO_02 0.0
score HTML_IMAGE_RATIO_04 0.0
score HTML_IMAGE_RATIO_06 0.0
score HTML_IMAGE_RATIO_08 0.0
score HTML_MESSAGE 0.0
score HTML_MIME_NO_HTML_TAG 0.5
score HTML_SHORT_LINK_IMG_1 2.5
score HTML_SHORT_LINK_IMG_2 1.5
score HTML_SHORT_LINK_IMG_3 0.5

# scoring HEADER & MISSING
score HEADER_FROM_DIFFERENT_DOMAINS 0.5
score MISSING_DATE 3.0
score MISSING_FROM 1.5
score MISSING_HEADERS 2.0
score MISSING_SUBJECT 1.0

# scoring FREEMAIL
score FREEMAIL_ENVFROM_END_DIGIT 0.5
score FREEMAIL_FORGED_REPLYTO 1.0
score FREEMAIL_FROM 0
score FREEMAIL_REPLY 0.5
score FREEMAIL_REPLYTO 0.5
score FREEMAIL_REPLYTO_END_DIGIT 0.5

# additional scoring tweaks
score HELO_DYNAMIC_SPLIT_IP 3.0
score LOTS_OF_MONEY 0.5
score MPART_ALT_DIFF 0.5
score MPART_ALT_DIFF_COUNT 0.5
score RDNS_NONE 0.5
score T_FILL_THIS_FORM_SHORT 0.5
score UNPARSEABLE_RELAY 0.5

# add JunkEmailFilter HostKarma DNSBL & DNSWL
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net

# add Spamrats DNSBL
header __RCVD_IN_SPAMRATS eval:check_rbl('spamrats-lastexternal','all.spamrats.com.')
describe __RCVD_IN_SPAMRATS SPAMRATS: sender is listed in SpamRats
tflags __RCVD_IN_SPAMRATS net
reuse __RCVD_IN_SPAMRATS
header RCVD_IN_SPAMRATS_DYNA eval:check_rbl_sub('spamrats-lastexternal','127.0.0.36')
describe RCVD_IN_SPAMRATS_DYNA RATS-Dyna: sent directly from dynamic IP address
tflags RCVD_IN_SPAMRATS_DYNA net
reuse RCVD_IN_SPAMRATS_DYNA
header RCVD_IN_SPAMRATS_NOPTR eval:check_rbl_sub('spamrats-lastexternal','127.0.0.37')
describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
tflags RCVD_IN_SPAMRATS_NOPTR net
reuse RCVD_IN_SPAMRATS_NOPTR
header RCVD_IN_SPAMRATS_SPAM eval:check_rbl_sub('spamrats-lastexternal','127.0.0.38')
describe RCVD_IN_SPAMRATS_SPAM RATS-Spam: sender is a spam source
tflags RCVD_IN_SPAMRATS_SPAM net
reuse RCVD_IN_SPAMRATS_SPAM

I think it'd be great if we could have users connect to mail.<theirDomain> instead of mail.<mainCloudronDomain>. Right now, they need to connect to something like mail.<mainCloudronDomain> instead of their own, which can create confusion and isn't as nice as it could be.

Setting up a CNAME alone isn't doable because the certificate shown by Cloudron mail.<mainCloudronDomain> needs to include the hostnames (via SNI I believe?) that matches the one they'd use in their mail clients such as mail.<theirDomain>.

Would love to see that functionality added to Cloudron along with setting up the CNAME records in all domains which aren't the primary domain so that each user on exampleA.com can connect to mail.exampleA.com instead of mail.<mainCloudronDomain>.

@girish said in What's coming in 7.3:

Updated the changelog if anyone is interested - https://git.cloudron.io/cloudron/box/-/blob/master/CHANGES#L2511

This may be minor, but may I suggest the changelogs be sorted alphabetically so that we can see related changes easier per function (i.e. mail)?

If we did that, not only would it make it easier for admins to read and parse, but the development team could detect duplicate entries in the changelog easier

Note that there are two duplicate entries such as the following:

• mail: fix issue where signature was appended to text attachments
• mail: catch all address can be any domain

Sorted alphabetically:

* Applinks - app bookmarks in dashboard
* IPv6: initial support for ipv6 only server
* Proxied apps
* Randomize certificate generation cronjob to lighten load on Let's Encrypt servers
* UI: fix issue where mailbox display name was not init correctly
* User directory: Cloudron connector uses 2FA auth
* acme: Randomize certificate renewal check over a whole day
* backups: Fix precondition check which was not erroring if mount is missing
* backups: allow space in label name
* backups: optional encryption of backup file names
* eventlog: add event for impersonated user login
* filemanager: add split view
* graphs: cgroup v2 support
* graphs: show app disk usage graphs
* ldap & user directory: Remove virtual user and admin groups
* ldap: remove virtual user and admin groups to ldap user records
* mail: accept only STARTTLS servers for relay
* mail: add queue management API and UI
* mail: add storage quota support
* mail: allow aliases to have wildcard
* mail: catch all address can be any domain
* mail: catch all address can be any domain
* mail: fix crash when solr is enabled on Ubuntu 22 (cgroup v2 detection fix)
* mail: fix issue where certificate renewal did not restart the mail container properly
* mail: fix issue where signature was appended to text attachments
* mail: fix issue where signature was appended to text attachments
* nginx: fix zero length certs when out of disk space
* notification: Fix crash when backupId is null
* port bindings: add read only flag
* proxyAuth: add supportsBearerAuth flag
* redis: restart button will now rebuild if the container is missing
* wasabi: add singapore and sydney regions

Well, I gave myself a fun little short project (took maybe 30 minutes) today where I replaced every app icon in the Dashboard of Cloudron. Here's what it looks like:

I used FlatIcon's website, filtering to Free icons and for Linear Colour as the style. I was surprised at how many fairly accurate icons I could find, even one for my email 'autoconfig' app which I had doubted I'd be able to find a good icon replacement for. Even found separate ones for the two websites which aren't really websites at all but just redirect visitors to another externally hosted website on a different domain (two clients are realtors who just wanted their own short marketing domain name for email and then having the web address forward to their actual realtor's webpage for their own listings), so they're literally just the LAMP app with a single html file which does an immediate redirect.

I may make further changes, or heck I may even revert back to the default app icons in the future, but I thought this was a nice little distraction to change the overall look of the Dashboard by replacing all the app icons with new ones, and ensuring a bit of consistency where possible between them all too so that none of them stood out from others. I think it went fairly well. Just wanted to share to maybe inspire others if they think they'd benefit from some extra bit of flair in their Dashboard.

I think it'd be really useful to have an alternative LAMP app using the LEMP stack instead (basically just replacing Apache with Nginx). If this is possible, it'd be great to see this in the Cloudron App Store alongside the LAMP app.

For context... this thread is what made me want to suggest this idea more formally: https://forum.cloudron.io/topic/5784/apache-vulnerabilities/

In some cases, Nginx can be much more performant than Apache too particularly under heavier loads, so it'd be good to have Nginx as an option instead of only Apache for those who want to really eek out a bit more performance of their web servers.

Some external references supporting this idea of Nginx being a better performer than Apache:

https://hackr.io/blog/nginx-vs-apache - "NGINX performs 2.5 times faster than Apache according to a benchmark test performed by running up to 1,000 simultaneous connections. Another benchmark running with 512 simultaneous connections, showed that NGINX is about twice as fast and consumed less memory. Undoubtedly, NGINX has an advantage over Apache with static content. So if you need to serve concurrent static content, NGINX is a preferred choice."

https://kinsta.com/blog/nginx-vs-apache/ - "In short, Apache uses processes for every connection (and with worker mpm it uses threads). As traffic rises, it quickly becomes too expensive. [...] Event mpm goes a bit further in terms of optimization, but some tests show that it can’t outrun Nginx. Especially when we talk about static files, where Nginx serves as much as double the requests that Apache does. Nginx ideally has one worker process per CPU/core. The difference of Nginx worker processes is that each one can handle hundreds of thousands of incoming network connections per worker. There is no need to create new threads or processes for each connection. This is the reason why major Content Delivery Networks, like Cloudflare, MaxCDN, and our partner KeyCDN — or websites like Netflix — find Nginx crucial for their content delivery.

There is a channel I subscribe to on YouTube and just over an hour ago they uploaded one with running FreeScout on Cloudron. Thought that was pretty neat! Hopefully more and more people publicize the Cloudron product.

I haven’t seen too many of his videos (and I confess I didn’t watch this whole video either because I am not yet interested in FreeScout), but stumbled across a few videos of his for another software tool I was using for WordPress. Not trying to promote him at all here haha, but just trying to say he has a decent bit of clout at 17.9k subscribers, which I think that just makes it all the more awesome for Cloudron that he did one involving the Cloudron platform. The work here is being noticed beyond just us old frequently seen Cloudron users. Haha.

It looks like Bunny.net (the awesome CDN) is entering the world of DNS hosting! Would love to see support for this added to Cloudron once it's ready.

Their blog post about it is here: https://bunny.net/blog/transforming-internet-routing-introducing-bunny-dns/

A public preview is expected in April 2022 (currently private beta until then). It will also be free to use (unless using their scripting too).

@girish speaking for myself, I’d love the ability to auto-update apps (or set it based on each app so some won’t auto-update) while keeping the actual Cloudron server version a manual update. Not sure if that’s a good idea or not but I’d rather allow some to update and others to not. Much like I mark some plugins as “trusted” in MainWP for managing all my WordPress installs where it auto-updates within 48 hours, and some plugins as “untrusted” which means it requires manual intervention before updating. That same concept could maybe be applied within Cloudron.

But otherwise I think it’s not too bad the way it is… if people don’t like auto-updates then disable it. Simple as that. But I do think there could be improvements to the update mechanism to allow for more granularity.

PS - sorry you have to deal with the occasional a**hole like ‘yeku’ above. They do not represent the vast majority of us who are very happy a project like Cloudron exists in the first place.

@jdaviescoates Great idea! I'd definitely love to be a part of something like that.

What I do:
I do freelance web & tech services as a side business, and that includes hosting a bunch of things for customers which I do on Cloudron. Specifically WordPress websites for roughly 15 clients, and recently even some SFTP servers for one client too. Also a nodeBB forum for a client, Bitwarden password manager, email hosting of course, webmail apps, all that jazz. WordPress and email is the vast majority of what I host for my clients, but I get to dabble in other areas too which I like. Oh and web analytics too of course as that's bundled with my web hosting plan I sell to them, and to my surprise many of them actually really like seeing the emailed report from Matomo where they see all the results from each city, country, dates and times of busy traffic, etc. When I started offering it I honestly didn't think too many people would care, but most of them really like that part. I guess it sort of helps justify to them why they have a website in the first place so they can see how many people they're effectively reaching and such too in one area.

I don't necessarily market my services as a Saas-Cloudron or anything like that, just to be clear in case that's kind of what you were asking earlier, but I am very open in spreading the word of Cloudron (sounds like I'm in a cult, lol) to any of my clients that want to learn more about how I manage things, and even link to Cloudron from my website, so generally the customers that actually care to know that stuff all know I'm using Cloudron as the platform for everything.

Quick side story about the SFTP server I recently setup, just because I think it's really cool, haha:
Using Surfer, I setup an SFTP server to bridge a medical clinic (client of mine) administering COVID-19 tests and the lab they hired to actually process the tests. Before, they were emailing constantly between clinic and lab and it was a hassle for them to keep track of everything... and we later found out that the lab they contracted actually had a script which they use for their larger clients I guess - it polls the SFTP server every 5 minutes for a CSV file which the clinic fills it out and saves to the SFTP server for each patient, each patient being it's own row on the CSV. It's streamlined their entire process now - just that one thing alone - to the point where they get their results much faster now from the lab and can then forward that to the patients much quicker than before as it's way less overhead in communications between the lab and clinic. Once I heard about this and set it up for them and learned how much better it made things for them, honestly I was humbled in a way, I consider myself fortunate to have been a very very very tiny part of that process to ensure people can get their COVID-19 test results sooner. It really wasn't much work on my part at all, Cloudron made it easy to implement! It was still cool to be a part of an improvement to this essential service in my region none-the-less.

Sorry I'm rambling on now, lol, the answer to your original question is "Yes, I offer services to my clients that I host using Cloudron". haha.

As Radicale isn't the most RFC-compliant (they even state that's not their goal), it'd be nice to have a more compliant CardDAV and CalDAV server to use as an alternative to Radicale, SOGo, and Nextcloud.

A good one I have seen recommended often is "sabre/dav". It's also updated more often than Radicale too from what I can tell. I think this would be a great addition for those people who want a more pure CalDAV and CardDAV server.

https://sabre.io/dav/
https://github.com/sabre-io/dav

Great job guys! Super long changelog, happy to see many of the changes included there! I'm going to upgrade likely tomorrow night.

PS - Girish, the migration went well from you manually adding in the self-signed certs the other day. I really appreciate the awesome support and help with that! You guys rock!

Wanted to write a quick update: Anyone wanting to enable an RBL can now do so very easily in the new 7.x Cloudron version! Big thanks to the Cloudron team for implementing that feature!

Since many visit this thread (it's even linked in the documentation now too!) for the list of the various RBLs and experience with them, reviewing them, etc... I wanted to add one more to the list which I've been testing out for a little bit and so far seems great, blocking spam from bad IPs which even hours later still isn't on some of the other popular blacklists when I've been checking manually to verify things.

Abusix is a premium service, however they do have a free tier which offers a rather large 5,000 queries per day - and I suspect most of us are not close to that amount in a single day, many likely not even over the course of a week - effectively meaning we can get premium-level spam filtering for free. They have several different lists they manage, but the recommended one to use is their combined.mail.abusix.zone zone which checks three separate lists of theirs out of the several. It is their "recommended" one for production servers offering a good balance of more checks and performance using one single lookup zone without being too overbearing as to include false-positives, this way it greatly limits any false-positives (of which I've seen zero so far!).

The only downside is a very minor cosmetic issue in Cloudron with it as the Abusix list is something like <UUID>.combined.mail.abusix.zone since it's premium so it's a unique URL to every user, and as such it's a very long URL due to the UUID which means some of the log entries in Cloudron's UI for denied messages get pretty long looking. I may file a feature request later for us to perhaps try naming our zones how owe want them to so we can avoid really long named ones in the logs, but overall it's just a cosmetic issue and nothing else.

So just to summarize, the ones I'm using with great success so far are the following:

<UUID>.combined.mail.abusix.zone
zen.spamhaus.org
bl.mailspike.net

Just an FYI - I recently found (thanks to @girish for setting the wheels in motion for me to dig into this) that there is some form of whitelisting/allowlisting in SpamAssassin via Cloudron's UI. It's not perfectly matching what we are looking for in this feature request, but should help buy some time for those who need this capability right away. Here's the goods on it:

• The pros: you can use this right away!
• The cons: It's not a true "whitelist" since spam processing still proceeds (a true whitelist/allowlist in my mind means it completely skips spam processing completely), but setting the score to be incredibly low should effectively force all messages that may have otherwise been "spam" into the inbox for the user (and onwards for mailing lists too), it basically achieves the same result as we're wanting for the most part. I don't think it can be done by IP, but will work for domain. The values also accept wildcard characters to help "whitelist" an entire domain.

From the other post I made (pasting it here for convenience):

I can confirm through testing that if I add a section to the SpamAssassin rules such as the following, this works! So this is a great workaround to not having direct whitelisting capabilities, using the whitelist_to rule and score.

# whitelisting addresses
score USER_IN_WHITELIST_TO -100
whitelist_to email1@example.com
whitelist_to email2@example.com
whitelist_to *@test.com
Using the above (but of course substituting the actual email addresses) worked in my testing.

Similarly, the whitelist_from will work too on the opposite end of the equation... that will apply to who sent the message rather than who the message was directed to.

Hope this helps

Reference: https://forum.cloudron.io/post/33254

@imc67 I definitely agree, lots of areas for improvements.

I do have one item of your post I wanted to share my two cents on though...

Wordfence imho needs to be installed by default in Wordpress

This is just my personal view so take it with a grain of salt of course, I don't think there's really any right or wrong way to it. My two cents...

I have the belief that we should aim to keep all apps (WordPress included) about as close to default as the developer intended for the app, leaving Cloudron to just handle the default user and mail config for the app, etc. I think it's a bit of a slippery slope to add in all these extras regardless of how important they may be for certain use-cases, because the line needs to be drawn somewhere of course and deciding where that line is isn't particularly clear. In such a case, I'd ere on the side of "keep it as close to default as possible as intended by the developer" to stay free of any tightrope walking so-to-speak. haha.

For WordPress in particular, there's practically hundreds of thousands of plugins available, some of which are "default installs" in my environments where I have a template setup with the ones I use all the time for example, but I would never want to force my defaults on others because what works for me or the plugins I prefer to use may not work or be preferred by other users. Security plugins are one area where there's a ton of them, and there was a similar discussion not too long ago I had regarding a suggestion for including a caching plugin by default too.

And that's kind of the slippery slope I am referring too... what is the criteria for when a "default plugin suggestion" gets approved, and when would one get denied?

I just really want to see apps be as close to default as possible. But of course that's just my two cents. I'm sure many might disagree with me. haha.

I totally agree with the rest of your suggestions though, I would love to see the improvements for additional security in the Cloudron server itself. I completely forgot about the GEO-blocking request for countries, that'd be pretty great to have!