annotate mod_firewall/scripts/spam-blocking.pfw @ 5713:dde83f6043e6

mod_audit_register: Include hostpart with audit events here too mod_audit seems to expect this to be JIDs, not bare usernames.
author Kim Alvefur <zash@zash.se>
date Mon, 13 Nov 2023 17:23:49 +0100
parents 09311a8a3cfa
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
1 #### Anti-spam ruleset ###########################################
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
2 #
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
3 # This script provides some foundational anti-spam rules. It aims
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
4 # to PASS stanzas that are definitely not spam, and DROP stanzas
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
5 # that are very likely spam.
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
6 #
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
7 # It does not do any form of content filtering,
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
8 # but this can be implemented by other scripts and
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
9 # modules as desired using the chains documented below.
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
10 #
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
11 #
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
12 # The following chains are available as extension
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
13 # points:
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
14 #
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
15 # ::user/spam_check_custom
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
16 # Apply additional rules to all stanzas before they are checked.
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
17 # Mainly useful to PASS stanzas that you do not want to be
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
18 # filtered.
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
19 #
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
20 # ::user/spam_check_message_custom
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
21 # Apply additional rules to messages from strangers, aiming to
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
22 # PASS stanzas that are not spam and jump to ::user/spam_reject
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
23 # for stanzas that are considered spam.
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
24 #
4148
34a2e8796cff mod_firewall: Update chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4128
diff changeset
25 # ::user/spam_check_message_content_custom
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
26 # Apply additional rules to messages that may be spam, based on
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
27 # message content rules. These may contain more intensive rules,
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
28 # so are executed after all other checks. Rules should jump to
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
29 # ::user/spam_reject if a message is considered spam.
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
30 #
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
31 # ::user/spam_check_presence_custom
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
32 # Apply additional rules to presence that may be spam.
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
33 #
4149
bb60db2b2cd1 mod_firewall: Update another chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4148
diff changeset
34 # ::user/spam_check_subscription_request_custom
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
35 # Apply additional rules to subscription requests.
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
36 #
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
37 # ::user/spam_handle_unknown_custom
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
38 # Override default handling of stanzas that weren't explicitly
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
39 # passed or rejected by the anti-spam checks.
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
40 #
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
41 # ::user/spam_reject_custom
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
42 # Override default handling of stanzas that have
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
43 # been recognised as spam (default is to bounce
2571
a33edc07d829 mod_firewall: spam-blocking.pfw: More comments for documentation
Matthew Wild <mwild1@gmail.com>
parents: 2567
diff changeset
44 # a policy-violation error).
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
45 #
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
46 ##################################################################
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
48 #### Entry point for all incoming stanzas ########################
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
49 ::deliver
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
51 # Override this if you want to prevent certain stanzas going through
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
52 # the normal spam_check chain
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
53 JUMP_CHAIN=user/spam_check_custom
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
54
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
55 # Run the default spam_check chain
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
56 JUMP_CHAIN=user/spam_check
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
57
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
58 ##################################################################
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
59
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
60 #### General spam-checking rules (all stanzas) ###################
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
61 ::user/spam_check
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
62
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
63 # Pass stanzas that a user sends to their own account
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64 TO SELF?
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 PASS.
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 # Pass stanzas that are addressed to a valid full JID
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 TO FULL JID?
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
69 PASS.
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71 # Pass stanzas from contacts
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 SUBSCRIBED?
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73 PASS.
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
75 # Run extra rules that apply to messages only
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
76 KIND: message
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
77 JUMP CHAIN=user/spam_check_message
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
79 # Run extra rules that apply to presence stanzas only
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 KIND: presence
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
81 JUMP CHAIN=user/spam_check_presence
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
82
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
83 JUMP CHAIN=user/spam_handle_unknown
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
85 # Default is to allow, override this with
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
86 # the 'user/spam_handle_unknown' chain
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
87 PASS.
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
88
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
89 #### Rules for messages ##########################################
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
90 ::user/spam_check_message
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
92 JUMP CHAIN=user/spam_check_message_custom
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
93
2605
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
94 # Type 'groupchat' messages addressed to an offline full JID are harmless,
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
95 # and should be routed normally to handle MUC 'ghosts' correctly
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
96 TO: <*>@<*>/<*>
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
97 TYPE: groupchat
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
98 PASS.
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
99
5531
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
100 # Mediated MUC invitations are naturally from 'strangers' and have special
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
101 # handling. We lean towards accepting them, unless overridden by custom rules.
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
102 NOT FROM FULL JID?
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
103 INSPECT: {http://jabber.org/protocol/muc#user}x/invite
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
104 JUMP CHAIN=user/spam_check_muc_invite
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
105
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
106 # Non-chat message types often generate pop-ups in clients,
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
107 # so we won't accept them from strangers
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
108 NOT TYPE: chat
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
109 JUMP CHAIN=user/spam_reject
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
110
4148
34a2e8796cff mod_firewall: Update chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4128
diff changeset
111 JUMP CHAIN=user/spam_check_message_content
34a2e8796cff mod_firewall: Update chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4128
diff changeset
112
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
113 # This chain can be used by other scripts
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
114 # and modules that analyze message content
4148
34a2e8796cff mod_firewall: Update chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4128
diff changeset
115 JUMP CHAIN=user/spam_check_message_content_custom
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
116
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
117 ##################################################################
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
118
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
119 #### Rules for presence stanzas ##################################
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
120 ::user/spam_check_presence
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
121
2567
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
122 JUMP CHAIN=user/spam_check_presence_custom
5e1fb7e6b558 mod_firewall: spam-blocking.pfw: Add more extension points
Matthew Wild <mwild1@gmail.com>
parents: 2566
diff changeset
123
2605
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
124 # Presence to offline full JIDs is harmless, and should be routed
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
125 # normally to handle MUC 'ghosts' correctly
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
126 TO: <*>@<*>/<*>
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
127 PASS.
8908d001faf3 mod_firewall: spam-blocking.pfw: Allow groupchat messages and presence to offline full JIDs
Matthew Wild <mwild1@gmail.com>
parents: 2571
diff changeset
128
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
129 # These may be received if rosters get out of sync and are harmless
2557
56db2ab3b853 mod_firewall: spam-blocking.pfw: Allow unsubscribe/unsubscribed presence
Matthew Wild <mwild1@gmail.com>
parents: 2556
diff changeset
130 # because they will not be routed to the client unless necessary
56db2ab3b853 mod_firewall: spam-blocking.pfw: Allow unsubscribe/unsubscribed presence
Matthew Wild <mwild1@gmail.com>
parents: 2556
diff changeset
131 TYPE: unsubscribe|unsubscribed
56db2ab3b853 mod_firewall: spam-blocking.pfw: Allow unsubscribe/unsubscribed presence
Matthew Wild <mwild1@gmail.com>
parents: 2556
diff changeset
132 PASS.
56db2ab3b853 mod_firewall: spam-blocking.pfw: Allow unsubscribe/unsubscribed presence
Matthew Wild <mwild1@gmail.com>
parents: 2556
diff changeset
133
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
134 # We don't want to receive presence from random strangers,
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
135 # but still allow subscription requests
4128
879955a32a37 mod_firewall: spam-blocking.pfw: allow subscription acks through
Matthew Wild <mwild1@gmail.com>
parents: 2605
diff changeset
136 NOT TYPE: subscribe|subscribed
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
137 DROP.
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
138
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
139 # This chain can be used by other scripts
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
140 # and modules to filter subscription requests
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
141 JUMP CHAIN=user/spam_check_subscription_request
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
142
4149
bb60db2b2cd1 mod_firewall: Update another chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4148
diff changeset
143 JUMP CHAIN=user/spam_check_subscription_request_custom
bb60db2b2cd1 mod_firewall: Update another chain name for consistency
Matthew Wild <mwild1@gmail.com>
parents: 4148
diff changeset
144
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
145 ##################################################################
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
146
5531
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
147 #### Rules for MUC invitations ###################################
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
148
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
149 ::user/spam_check_muc_invite
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
150
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
151 # This chain can be used to inspect the invitation and determine
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
152 # the appropriate action. Otherwise, we proceed with the default
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
153 # action below.
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
154 JUMP CHAIN=user/spam_check_muc_invite_custom
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
155
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
156 # Allow mediated MUC invitations by default
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
157 PASS.
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
158
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
159 #### Stanzas reaching this chain will be rejected ################
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
160 ::user/spam_reject
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
161
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
162 # This chain can be used by other scripts
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
163 # and modules to override the default behaviour
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
164 # when rejecting spam stanzas
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
165 JUMP CHAIN=user/spam_reject_custom
2556
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
166
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 LOG=Rejecting suspected spam: $(stanza:top_tag())
cc01a5bfcf3b mod_firewall: spam-blocking.pfw, initial anti-spam ruleset
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 BOUNCE=policy-violation
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
169
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
170 ##################################################################
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
171
5531
af2778f4ee29 mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com>
parents: 4149
diff changeset
172 #### Stanzas that may be spam, but we're not sure either way #####
2565
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
173 ::user/spam_handle_unknown
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
174
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
175 # This chain can be used by other scripts
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
176 # and modules to apply additional checks, or to
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
177 # override the default behaviour
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
178 JUMP CHAIN=user/spam_handle_unknown_custom
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
179
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
180 #LOG=[debug] Spam check allowing: $(stanza:top_tag())
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
181
fc53165d8afe spam-blocking.pfw: Much improvement
Matthew Wild <mwild1@gmail.com>
parents: 2557
diff changeset
182 ##################################################################