haraka-plugin-karma 2.3.0 → 2.4.1

package/CHANGELOG.md

@@ -4,6 +4,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### Unreleased
 
+### [2.4.1] - 2026-05-13
+
+- fix: after trapping a denysoft, return denysoft later (vs deny)
+- config: update spammy TLDs
+- fix(config): spamassassin hits -> score
+
+### [2.4.0] - 2026-05-06
+
+- extend spammy_tlds to support multi-label suffixes
+- allow rspamd to deny(soft) image-only spam from specific ASNs
+
 ### [2.3.0] - 2026-05-05
 
 - allow rspamd to greylist image-only spam
@@ -11,12 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### [2.2.0] - 2026-03-31
 
-#### Added
-
 - allow rspamd to greylist ASNs when SA & rspamd agree
-
-#### Changed
-
 - replace to_object with arrays
 - deps(all): updated to latest
 - style: ES2024 updates throughout
@@ -171,3 +177,5 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 [2.1.8]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.1.8
 [2.2.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.2.0
 [2.3.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.3.0
+[2.4.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.4.0
+[2.4.1]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.4.1

package/config/karma.ini

@@ -56,63 +56,102 @@ hooks=unrecognized_command,data,data_post,queue,queue_outbound
 [deny_excludes]
 ; karma captures and scores deny requests from other plugins, permitting finer
 ; control over connection handling. For plugins that should be able to reject
-; the connection, add their name to the plugin list:
-plugins=send_email, tls, access, helo.checks, headers, rspamd, spamassassin, clamd, attachment, limit
+; the connection, add their name to the plugins list:
+plugins=access, attachment, clamd, headers, helo.checks, limit, rspamd, spamassassin, send_email, tls
 
 ; hooks whose DENY rejections should be not be captured.
 hooks=rcpt, queue, queue_outbound
 
 
-[greylist]
-; allow rspamd to greylist (DENYSOFT) instead of karma intercepting the denial.
-; This is only relevant when rspamd is NOT in [deny_excludes] plugins.
+[rspamd_deny]
+; allow rspamd to greylist (DENYSOFT) or reject (DENY) instead of karma intercepting
+; the denial. Only relevant when rspamd is NOT in [deny_excludes] plugins.
 ;
 ; asn[] = 55286 ; ASN numbers eligible for greylisting
 ; asn[] = 33182
-; asn[] = 46717
+; asn[] = 15169
 ;
 ; spamassassin_score = SpamAssassin hits score must exceed this value
 ; spamassassin_score = 5
 
 
 [spammy_tlds]
-; award negative karma to spammy TLDs
+; award negative karma to spammy TLDs or second-level domains
+; multi-label suffixes are supported, e.g.: sa.com=-3
 ; caution, awarding karma > msg_negative_limit may blacklist that TLD
+archi=-5
+baby=-5
 bid=-3
 biz=-2
 bet=-4
+best=-4
 bio=-4
+bond=-4
+boston=-5
 buzz=-3
+cam=-3
+city=-5
+cc=-3
+co=-3
 club=-3
+coach=-5
+codes=-5
+coffee=-5
 company=-4
+coupons=-5
 directory=-4
+dog=-4
+energy=-4
 eu=-4
+financial=-5
 fun=-5
-guru=-4
+fund=-5
+futbol=-5
+gay=-5
+global=-4
+guide=-4
+guru=-5
 gury=-3
+help=-4
 icu=-6
-info=-4
+industries=-4
+info=-5
 link=-3
-me=-1
+live=-5
+love=-6
+makeup=-5
+me=-2
+mobi=-6
 monster=-5
 mom=-5
 na=-6
 ninja=-3
-one=-4
+one=-5
+onl=-5
 pics=-5
+pro=-5
 pw=-2
+rest=-5
 rocks=-3
+rodeo=-5
 ru=-2
-sbs=-4
+sbs=-5
 science=-6
+shop=-6
+site=-8
+skin=-4
+store=-5
 stream=-3
 studio=-5
+support=-5
+tax=-5
 top=-5
 trade=-3
 us=-4
+vin=-5
 work=-4
 xyz=-6
-
+zone=-5
 
 [tls]
 ; awards based on whether the sender opportunistically encrypted
@@ -201,7 +240,7 @@ early_talker                     = -3
 008 = karma         | pass     | equals | asn          |  1  | ASN reputation is good
 009 = karma         | fail     | equals | asn          | -1  | ASN reputation is bad
 010 = karma         | pass     | equals | asn_all_good |  2  | ASN reputation is very good
-011 = karma         | fail     | equals | asn_all_bad  | -2  | ASN reputation is very bad
+011 = karma         | fail     | equals | asn_all_bad  | -1  | ASN reputation is very bad
 
 012 = karma         | fail     | equals | rfc5321.MailFrom | -1 | RFC Ignorant MTA | Use a RFC compliant MTA
 013 = karma         | fail     | equals | rfc5321.RcptTo   | -1 | RFC Ignorant MTA | Use a RFC compliant MTA
@@ -219,7 +258,7 @@ early_talker                     = -3
 032 = p0f   | os_flavor | equals | XP           | -2  | Windows XP, likely infected by malware | Upgrade to a supported OS
 
 ; give back the point penalized for running windows
-; 080 = fcrdns         | fcrdns  | match  | outlook.com | 1
+080 = fcrdns           | fcrdns  | match  | outlook.com | 1
 ; 081 = fcrdns         | fcrdns@1       =  1 if length gt 0
 ; 082 = fcrdns         | err@1          = -1 if length gt 0
 ; 083 = fcrdns         | fail@1         = -1 if length gt 0
@@ -315,32 +354,34 @@ early_talker                     = -3
 218 = clamd        | fail       | match  | spam         | -2 | Clam AntiVirus Spam
 ;219 = clamd        | pass       | equals | clean       |  1 | Clam AntiVirus Executable
 
-230 = rspamd       | is_spam    | equals | true         | -2 | rspamd detected as spam
-231 = rspamd       | action     | equals | greylist     | -1 | rspamd suggested greylist
-232 = rspamd       | score      | lt     | 0            |  1 | rspamd positive score
-233 = rspamd       | score      | gt     | 6            | -1 | rspamd moderate score
-234 = rspamd       | score      | gt     | 10           | -1 | rspamd high score
-235 = rspamd       | is_spam    | equals | false        |  1 | rspamd detected as ham
-236 = rspamd       | action     | match  | reject       | -2 | rspamd suggested reject
+;230 = rspamd       | action     | match  | reject       | -2 | rspamd suggested reject
+;231 = rspamd       | action     | equals | greylist     | -1 | rspamd suggested greylist
+232 = rspamd       | score      | lt     | 0            |  1 |
+233 = rspamd       | score      | lt     | -5           |  1 |
+234 = rspamd       | score      | lt     | -10          |  1 |
+235 = rspamd       | score      | gt     | 6            | -1 |
+236 = rspamd       | score      | gt     | 10           | -1 |
+237 = rspamd       | is_spam    | equals | true         | -2 | rspamd detected as spam
+238 = rspamd       | is_spam    | equals | false        |  1 | rspamd detected as ham
 
 237 = rspamd       | symbols    | match | DMARC_POLICY_ALLOW | 1 | DMARC policy allow
 238 = rspamd       | symbols    | match | DMARC_POLICY_REJECT |  -6  | DMARC policy reject
 239 = rspamd       | symbols    | match | DMARC_POLICY_QUARANTINE |  -4  | DMARC policy reject
 240 = rspamd       | symbols    | match | DMARC_POLICY_SOFTFAIL   |  -2  | DMARC policy softfail
 
-251 = spamassassin | hits       | lt     |  0           |   1 |
-252 = spamassassin | hits       | lt     | -2           |   1 |
-253 = spamassassin | hits       | lt     | -5           |   1 |
-254 = spamassassin | hits       | lt     | -10          |   2 |
-255 = spamassassin | hits       | lt     | -20          |   5 |
-256 = spamassassin | hits       | gt     |   1          |  -1 |
-257 = spamassassin | hits       | gt     |   2          |  -1 |
-259 = spamassassin | hits       | gt     |   3          |  -2 |
-260 = spamassassin | flag       | equals | Yes          |  -5 | SpamAssassin detected as spam
-;261 = spamassassin | hits       | gt     |   6          |  -2 |
-;263 = spamassassin | hits       | gt     |   8          |  -2 |
-264 = spamassassin | hits       | gt     |   9          |  -2 |
-265 = spamassassin | hits       | gt     |  20          | -10 |
+251 = spamassassin | score      | lt     |  0           |   1 |
+252 = spamassassin | score      | lt     | -2           |   1 |
+253 = spamassassin | score      | lt     | -5           |   1 |
+254 = spamassassin | score      | lt     | -10          |   2 |
+255 = spamassassin | score      | lt     | -20          |   5 |
+256 = spamassassin | score      | gt     |   1          |  -1 |
+257 = spamassassin | score      | gt     |   2          |  -1 |
+258 = spamassassin | score      | gt     |   3          |  -2 |
+;259 = spamassassin | score      | gt     |   6          |  -2 |
+;260 = spamassassin | score      | gt     |   8          |  -2 |
+261 = spamassassin | score      | gt     |   9          |  -2 |
+262 = spamassassin | score      | gt     |  20          | -10 |
+;263 = spamassassin | flag       | equals | Yes          |  -5 | SpamAssassin detected as spam
 
 280 = known-senders | pass      | equals | wks           |  5  | Known Sender
 281 = known-senders | pass      | length | gt 0          |  5  | Known Sender

package/index.js

@@ -50,23 +50,15 @@ exports.load_karma_ini = function () {
   this.merge_redis_ini()
 
   const cfg = this.cfg
-  if (cfg.deny?.hooks) {
-    this.deny_hooks = this.stringToArray(cfg.deny.hooks)
-  }
+  if (cfg.deny?.hooks) this.deny_hooks = this.stringToArray(cfg.deny.hooks)
 
   const e = cfg.deny_excludes
-  if (e?.hooks) {
-    this.deny_exclude_hooks = this.stringToArray(e.hooks)
-  }
-  if (e?.plugins) {
-    this.deny_exclude_plugins = this.stringToArray(e.plugins)
-  }
+  if (e?.hooks) this.deny_exclude_hooks = this.stringToArray(e.hooks)
+  if (e?.plugins) this.deny_exclude_plugins = this.stringToArray(e.plugins)
 
-  if (cfg.result_awards) {
-    this.preparse_result_awards()
-  }
+  if (cfg.result_awards) this.preparse_result_awards()
 
-  this.greylist_asns = cfg.greylist?.asn ?? []
+  this.rspamdDenyAsns = cfg.rspamd_deny?.asn ?? cfg.greylist?.asn ?? []
 
   if (!cfg.redis) cfg.redis = {}
   if (!cfg.redis.host && cfg.redis.server_ip) {
@@ -393,29 +385,24 @@ exports.should_we_skip = function (connection) {
   return false
 }
 
-exports.should_rspamd_greylist = function (connection) {
+exports.should_rspamd_deny = function (connection) {
   // check connection's ASN is in the configured list
-  let asnr = connection.results.get('asn')
-  if (!asnr?.asn) asnr = connection.results.get('geoip')
-  if (!asnr?.asn) return false
-  if (!this.greylist_asns.includes(String(asnr.asn))) return false
+  const cr = connection.results
+  const asn = cr.get('asn')?.asn ?? cr.get('geoip')?.asn
+  if (!this.rspamdDenyAsns.includes(String(asn))) return false
 
   // check SpamAssassin score exceeds configured threshold
   const saScore = parseFloat(
     connection.transaction?.results?.get('spamassassin')?.hits ?? 0,
   )
-  const saThreshold = parseFloat(this.cfg.greylist?.spamassassin_score ?? 5)
-  if (saScore >= saThreshold) return true
+  const saThreshold = parseFloat(this.cfg.rspamd_deny?.spamassassin_score ?? 5)
+  if (saScore >= saThreshold) return true // SA & rspamd agree
 
-  if (connection.transaction.header.get('X-Google-Group-Id')) return true
-
-  // image-only spam: message body is a single embedded image
-  if (
-    connection.transaction.header
-      .get('content-type')
-      ?.startsWith('multipart/related')
-  )
-    return true
+  const gGroups = connection.transaction.header.get('X-Google-Group-Id')
+  const imgOnly = connection.transaction.header
+    .get('content-type')
+    ?.startsWith('multipart/related')
+  if (gGroups && imgOnly) return true
 
   return false
 }
@@ -445,18 +432,17 @@ exports.should_we_deny = function (next, connection, hook) {
     return this.apply_tarpit(connection, hook, score, next)
   }
 
-  let rejectMsg = 'very bad karma score: {score}'
-  if (this.cfg.deny && this.cfg.deny.message) {
-    rejectMsg = this.cfg.deny.message
-  }
+  let rejectMsg = this.cfg.deny?.message ?? `very bad karma score: ${score}`
 
   if (/\{/.test(rejectMsg)) {
     rejectMsg = rejectMsg.replace(/\{score\}/, score)
     rejectMsg = rejectMsg.replace(/\{uuid\}/, connection.uuid)
   }
 
+  const deny_rc = r.deny_rc ?? constants.DENY
+
   return this.apply_tarpit(connection, hook, score, () => {
-    next(constants.DENY, rejectMsg)
+    next(deny_rc, rejectMsg)
   })
 }
 
@@ -469,12 +455,7 @@ exports.hook_deny = function (next, connection, params) {
   if (pi_name) {
     if (pi_name === 'karma') return next()
     if (this.deny_exclude_plugins.includes(pi_name)) return next()
-    // allow rspamd to greylist when configured ASN/score conditions are met
-    if (
-      pi_rc === constants.DENYSOFT &&
-      pi_name === 'rspamd' &&
-      this.should_rspamd_greylist(connection)
-    )
+    if (pi_name === 'rspamd' && this.should_rspamd_deny(connection))
       return next()
   }
   if (pi_hook && this.deny_exclude_hooks.includes(pi_hook)) return next()
@@ -485,9 +466,31 @@ exports.hook_deny = function (next, connection, params) {
   connection.results.add(this, { msg: `deny: ${pi_name}` })
   connection.results.incr(this, { score: -2 })
 
+  // Remember the worst-severity intercepted code so a later karma-issued
+  // deny doesn't escalate a soft reject (e.g. rspamd greylist) to a hard
+  // reject.
+  this.track_intercepted_rc(connection, pi_rc)
+
   next(constants.OK) // resume the connection
 }
 
+exports.track_intercepted_rc = function (connection, pi_rc) {
+  const k = connection.results.get('karma')
+  if (!k) return
+
+  if (pi_rc === constants.DENY || pi_rc === constants.DENYDISCONNECT) {
+    connection.results.add(this, { deny_rc: constants.DENY })
+    return
+  }
+
+  if (
+    (pi_rc === constants.DENYSOFT || pi_rc === constants.DENYSOFTDISCONNECT) &&
+    k.deny_rc !== constants.DENY
+  ) {
+    connection.results.add(this, { deny_rc: constants.DENYSOFT })
+  }
+}
+
 exports.hook_connect = function (next, connection) {
   if (this.should_we_skip(connection)) return next()
 
@@ -934,13 +937,17 @@ exports.check_spammy_tld = function (mail_from, connection) {
   if (!this.cfg.spammy_tlds) return
   if (mail_from.isNull()) return // null sender (bounce)
 
-  const from_tld = mail_from.host.split('.').pop()
+  const labels = mail_from.host.split('.')
 
-  const tld_penalty = parseFloat(this.cfg.spammy_tlds[from_tld] || 0)
-  if (tld_penalty === 0) return
+  for (let i = 0; i < labels.length; i++) {
+    const suffix = labels.slice(i).join('.')
+    const tld_penalty = parseFloat(this.cfg.spammy_tlds[suffix] || 0)
+    if (tld_penalty === 0) continue
 
-  connection.results.incr(this, { score: tld_penalty })
-  connection.results.add(this, { fail: 'spammy.TLD' })
+    connection.results.incr(this, { score: tld_penalty })
+    connection.results.add(this, { fail: 'spammy.TLD' })
+    return
+  }
 }
 
 exports.check_syntax_RcptTo = function (connection) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "haraka-plugin-karma",
-  "version": "2.3.0",
+  "version": "2.4.1",
   "description": "A heuristics scoring and reputation engine for SMTP connections",
   "main": "index.js",
   "files": [
@@ -39,7 +39,7 @@
   },
   "devDependencies": {
     "@haraka/eslint-config": "^2.0.4",
-    "haraka-test-fixtures": "^1.4.1"
+    "haraka-test-fixtures": "^1.4.3"
   },
   "prettier": {
     "singleQuote": true,