haraka-plugin-karma 2.2.0 → 2.4.0

package/CHANGELOG.md

@@ -4,14 +4,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### Unreleased
 
-### [2.2.0] - 2026-03-31
+### [2.4.0] - 2026-05-06
 
-#### Added
+- extend spammy_tlds to support multi-label suffixes
+- allow rspamd to deny(soft) image-only spam from specific ASNs
 
-- allow rspamd to greylist ASNs when SA & rspamd agree
+### [2.3.0] - 2026-05-05
 
-#### Changed
+- allow rspamd to greylist image-only spam
+- allow rspamd to greylist Google Groups messages
 
+### [2.2.0] - 2026-03-31
+
+- allow rspamd to greylist ASNs when SA & rspamd agree
 - replace to_object with arrays
 - deps(all): updated to latest
 - style: ES2024 updates throughout
@@ -165,3 +170,5 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 [2.1.7]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.1.7
 [2.1.8]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.1.8
 [2.2.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.2.0
+[2.3.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.3.0
+[2.4.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.4.0

package/config/karma.ini

@@ -63,25 +63,21 @@ plugins=send_email, tls, access, helo.checks, headers, rspamd, spamassassin, cla
 hooks=rcpt, queue, queue_outbound
 
 
-[greylist]
-; When a connection comes from one of the listed ASNs and both SpamAssassin
-; and rspamd scores exceed their respective thresholds, allow rspamd to
-; greylist (DENYSOFT) instead of karma intercepting the denial.
-; This is only relevant when rspamd is NOT in [deny_excludes] plugins.
+[rspamd_deny]
+; allow rspamd to greylist (DENYSOFT) or reject (DENY) instead of karma intercepting
+; the denial. Only relevant when rspamd is NOT in [deny_excludes] plugins.
 ;
 ; asn[] = 55286 ; ASN numbers eligible for greylisting
 ; asn[] = 33182
-; asn[] = 46717
+; asn[] = 15169
 ;
 ; spamassassin_score = SpamAssassin hits score must exceed this value
 ; spamassassin_score = 5
-;
-; rspamd_score = rspamd score must exceed this value
-; rspamd_score = 6
 
 
 [spammy_tlds]
-; award negative karma to spammy TLDs
+; award negative karma to spammy TLDs or second-level domains
+; multi-label suffixes are supported, e.g.: sa.com=-3
 ; caution, awarding karma > msg_negative_limit may blacklist that TLD
 bid=-3
 biz=-2

package/index.js

@@ -50,23 +50,15 @@ exports.load_karma_ini = function () {
   this.merge_redis_ini()
 
   const cfg = this.cfg
-  if (cfg.deny?.hooks) {
-    this.deny_hooks = this.stringToArray(cfg.deny.hooks)
-  }
+  if (cfg.deny?.hooks) this.deny_hooks = this.stringToArray(cfg.deny.hooks)
 
   const e = cfg.deny_excludes
-  if (e?.hooks) {
-    this.deny_exclude_hooks = this.stringToArray(e.hooks)
-  }
-  if (e?.plugins) {
-    this.deny_exclude_plugins = this.stringToArray(e.plugins)
-  }
+  if (e?.hooks) this.deny_exclude_hooks = this.stringToArray(e.hooks)
+  if (e?.plugins) this.deny_exclude_plugins = this.stringToArray(e.plugins)
 
-  if (cfg.result_awards) {
-    this.preparse_result_awards()
-  }
+  if (cfg.result_awards) this.preparse_result_awards()
 
-  this.greylist_asns = cfg.greylist?.asn ?? []
+  this.rspamdDenyAsns = cfg.rspamd_deny?.asn ?? cfg.greylist?.asn ?? []
 
   if (!cfg.redis) cfg.redis = {}
   if (!cfg.redis.host && cfg.redis.server_ip) {
@@ -393,34 +385,26 @@ exports.should_we_skip = function (connection) {
   return false
 }
 
-exports.should_rspamd_greylist = function (connection) {
+exports.should_rspamd_deny = function (connection) {
   // check connection's ASN is in the configured list
-  let asnr = connection.results.get('asn')
-  if (!asnr?.asn) asnr = connection.results.get('geoip')
-  if (!asnr?.asn) return false
-  if (!this.greylist_asns.includes(String(asnr.asn))) return false
+  const cr = connection.results
+  const asn = cr.get('asn')?.asn ?? cr.get('geoip')?.asn
+  if (!this.rspamdDenyAsns.includes(String(asn))) return false
 
   // check SpamAssassin score exceeds configured threshold
   const saScore = parseFloat(
-    connection.transaction?.results?.get('spamassassin')?.hits,
+    connection.transaction?.results?.get('spamassassin')?.hits ?? 0,
   )
-  const saThreshold = parseFloat(this.cfg.greylist?.spamassassin_score)
-  if (isNaN(saScore) || isNaN(saThreshold) || saScore <= saThreshold)
-    return false
+  const saThreshold = parseFloat(this.cfg.rspamd_deny?.spamassassin_score ?? 5)
+  if (saScore >= saThreshold) return true // SA & rspamd agree
 
-  // check rspamd score exceeds configured threshold
-  const rspamdScore = parseFloat(
-    connection.transaction?.results?.get('rspamd')?.score,
-  )
-  const rspamdThreshold = parseFloat(this.cfg.greylist?.rspamd_score)
-  if (
-    isNaN(rspamdScore) ||
-    isNaN(rspamdThreshold) ||
-    rspamdScore <= rspamdThreshold
-  )
-    return false
+  const gGroups = connection.transaction.header.get('X-Google-Group-Id')
+  const imgOnly = connection.transaction.header
+    .get('content-type')
+    ?.startsWith('multipart/related')
+  if (gGroups && imgOnly) return true
 
-  return true
+  return false
 }
 
 exports.should_we_deny = function (next, connection, hook) {
@@ -448,10 +432,7 @@ exports.should_we_deny = function (next, connection, hook) {
     return this.apply_tarpit(connection, hook, score, next)
   }
 
-  let rejectMsg = 'very bad karma score: {score}'
-  if (this.cfg.deny && this.cfg.deny.message) {
-    rejectMsg = this.cfg.deny.message
-  }
+  let rejectMsg = this.cfg.deny?.message ?? `very bad karma score: ${score}`
 
   if (/\{/.test(rejectMsg)) {
     rejectMsg = rejectMsg.replace(/\{score\}/, score)
@@ -466,18 +447,13 @@ exports.should_we_deny = function (next, connection, hook) {
 exports.hook_deny = function (next, connection, params) {
   if (this.should_we_skip(connection)) return next()
 
-  const [pi_rc, , pi_name, , , pi_hook] = params
+  const [_pi_rc, , pi_name, , , pi_hook] = params
 
   // exceptions, whose 'DENY' should not be captured
   if (pi_name) {
     if (pi_name === 'karma') return next()
     if (this.deny_exclude_plugins.includes(pi_name)) return next()
-    // allow rspamd to greylist when configured ASN/score conditions are met
-    if (
-      pi_rc === constants.DENYSOFT &&
-      pi_name === 'rspamd' &&
-      this.should_rspamd_greylist(connection)
-    )
+    if (pi_name === 'rspamd' && this.should_rspamd_deny(connection))
       return next()
   }
   if (pi_hook && this.deny_exclude_hooks.includes(pi_hook)) return next()
@@ -937,13 +913,17 @@ exports.check_spammy_tld = function (mail_from, connection) {
   if (!this.cfg.spammy_tlds) return
   if (mail_from.isNull()) return // null sender (bounce)
 
-  const from_tld = mail_from.host.split('.').pop()
+  const labels = mail_from.host.split('.')
 
-  const tld_penalty = parseFloat(this.cfg.spammy_tlds[from_tld] || 0)
-  if (tld_penalty === 0) return
+  for (let i = 0; i < labels.length; i++) {
+    const suffix = labels.slice(i).join('.')
+    const tld_penalty = parseFloat(this.cfg.spammy_tlds[suffix] || 0)
+    if (tld_penalty === 0) continue
 
-  connection.results.incr(this, { score: tld_penalty })
-  connection.results.add(this, { fail: 'spammy.TLD' })
+    connection.results.incr(this, { score: tld_penalty })
+    connection.results.add(this, { fail: 'spammy.TLD' })
+    return
+  }
 }
 
 exports.check_syntax_RcptTo = function (connection) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "haraka-plugin-karma",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "description": "A heuristics scoring and reputation engine for SMTP connections",
   "main": "index.js",
   "files": [