haraka-plugin-karma 2.4.0 → 2.4.1

package/CHANGELOG.md

@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ### Unreleased
 
+### [2.4.1] - 2026-05-13
+
+- fix: after trapping a denysoft, return denysoft later (vs deny)
+- config: update spammy TLDs
+- fix(config): spamassassin hits -> score
+
 ### [2.4.0] - 2026-05-06
 
 - extend spammy_tlds to support multi-label suffixes
@@ -172,3 +178,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 [2.2.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.2.0
 [2.3.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.3.0
 [2.4.0]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.4.0
+[2.4.1]: https://github.com/haraka/haraka-plugin-karma/releases/tag/v2.4.1

package/config/karma.ini

@@ -56,8 +56,8 @@ hooks=unrecognized_command,data,data_post,queue,queue_outbound
 [deny_excludes]
 ; karma captures and scores deny requests from other plugins, permitting finer
 ; control over connection handling. For plugins that should be able to reject
-; the connection, add their name to the plugin list:
-plugins=send_email, tls, access, helo.checks, headers, rspamd, spamassassin, clamd, attachment, limit
+; the connection, add their name to the plugins list:
+plugins=access, attachment, clamd, headers, helo.checks, limit, rspamd, spamassassin, send_email, tls
 
 ; hooks whose DENY rejections should be not be captured.
 hooks=rcpt, queue, queue_outbound
@@ -79,41 +79,79 @@ hooks=rcpt, queue, queue_outbound
 ; award negative karma to spammy TLDs or second-level domains
 ; multi-label suffixes are supported, e.g.: sa.com=-3
 ; caution, awarding karma > msg_negative_limit may blacklist that TLD
+archi=-5
+baby=-5
 bid=-3
 biz=-2
 bet=-4
+best=-4
 bio=-4
+bond=-4
+boston=-5
 buzz=-3
+cam=-3
+city=-5
+cc=-3
+co=-3
 club=-3
+coach=-5
+codes=-5
+coffee=-5
 company=-4
+coupons=-5
 directory=-4
+dog=-4
+energy=-4
 eu=-4
+financial=-5
 fun=-5
-guru=-4
+fund=-5
+futbol=-5
+gay=-5
+global=-4
+guide=-4
+guru=-5
 gury=-3
+help=-4
 icu=-6
-info=-4
+industries=-4
+info=-5
 link=-3
-me=-1
+live=-5
+love=-6
+makeup=-5
+me=-2
+mobi=-6
 monster=-5
 mom=-5
 na=-6
 ninja=-3
-one=-4
+one=-5
+onl=-5
 pics=-5
+pro=-5
 pw=-2
+rest=-5
 rocks=-3
+rodeo=-5
 ru=-2
-sbs=-4
+sbs=-5
 science=-6
+shop=-6
+site=-8
+skin=-4
+store=-5
 stream=-3
 studio=-5
+support=-5
+tax=-5
 top=-5
 trade=-3
 us=-4
+vin=-5
 work=-4
 xyz=-6
-
+zone=-5
 
 [tls]
 ; awards based on whether the sender opportunistically encrypted
@@ -202,7 +240,7 @@ early_talker                     = -3
 008 = karma         | pass     | equals | asn          |  1  | ASN reputation is good
 009 = karma         | fail     | equals | asn          | -1  | ASN reputation is bad
 010 = karma         | pass     | equals | asn_all_good |  2  | ASN reputation is very good
-011 = karma         | fail     | equals | asn_all_bad  | -2  | ASN reputation is very bad
+011 = karma         | fail     | equals | asn_all_bad  | -1  | ASN reputation is very bad
 
 012 = karma         | fail     | equals | rfc5321.MailFrom | -1 | RFC Ignorant MTA | Use a RFC compliant MTA
 013 = karma         | fail     | equals | rfc5321.RcptTo   | -1 | RFC Ignorant MTA | Use a RFC compliant MTA
@@ -220,7 +258,7 @@ early_talker                     = -3
 032 = p0f   | os_flavor | equals | XP           | -2  | Windows XP, likely infected by malware | Upgrade to a supported OS
 
 ; give back the point penalized for running windows
-; 080 = fcrdns         | fcrdns  | match  | outlook.com | 1
+080 = fcrdns           | fcrdns  | match  | outlook.com | 1
 ; 081 = fcrdns         | fcrdns@1       =  1 if length gt 0
 ; 082 = fcrdns         | err@1          = -1 if length gt 0
 ; 083 = fcrdns         | fail@1         = -1 if length gt 0
@@ -316,32 +354,34 @@ early_talker                     = -3
 218 = clamd        | fail       | match  | spam         | -2 | Clam AntiVirus Spam
 ;219 = clamd        | pass       | equals | clean       |  1 | Clam AntiVirus Executable
 
-230 = rspamd       | is_spam    | equals | true         | -2 | rspamd detected as spam
-231 = rspamd       | action     | equals | greylist     | -1 | rspamd suggested greylist
-232 = rspamd       | score      | lt     | 0            |  1 | rspamd positive score
-233 = rspamd       | score      | gt     | 6            | -1 | rspamd moderate score
-234 = rspamd       | score      | gt     | 10           | -1 | rspamd high score
-235 = rspamd       | is_spam    | equals | false        |  1 | rspamd detected as ham
-236 = rspamd       | action     | match  | reject       | -2 | rspamd suggested reject
+;230 = rspamd       | action     | match  | reject       | -2 | rspamd suggested reject
+;231 = rspamd       | action     | equals | greylist     | -1 | rspamd suggested greylist
+232 = rspamd       | score      | lt     | 0            |  1 |
+233 = rspamd       | score      | lt     | -5           |  1 |
+234 = rspamd       | score      | lt     | -10          |  1 |
+235 = rspamd       | score      | gt     | 6            | -1 |
+236 = rspamd       | score      | gt     | 10           | -1 |
+237 = rspamd       | is_spam    | equals | true         | -2 | rspamd detected as spam
+238 = rspamd       | is_spam    | equals | false        |  1 | rspamd detected as ham
 
 237 = rspamd       | symbols    | match | DMARC_POLICY_ALLOW | 1 | DMARC policy allow
 238 = rspamd       | symbols    | match | DMARC_POLICY_REJECT |  -6  | DMARC policy reject
 239 = rspamd       | symbols    | match | DMARC_POLICY_QUARANTINE |  -4  | DMARC policy reject
 240 = rspamd       | symbols    | match | DMARC_POLICY_SOFTFAIL   |  -2  | DMARC policy softfail
 
-251 = spamassassin | hits       | lt     |  0           |   1 |
-252 = spamassassin | hits       | lt     | -2           |   1 |
-253 = spamassassin | hits       | lt     | -5           |   1 |
-254 = spamassassin | hits       | lt     | -10          |   2 |
-255 = spamassassin | hits       | lt     | -20          |   5 |
-256 = spamassassin | hits       | gt     |   1          |  -1 |
-257 = spamassassin | hits       | gt     |   2          |  -1 |
-259 = spamassassin | hits       | gt     |   3          |  -2 |
-260 = spamassassin | flag       | equals | Yes          |  -5 | SpamAssassin detected as spam
-;261 = spamassassin | hits       | gt     |   6          |  -2 |
-;263 = spamassassin | hits       | gt     |   8          |  -2 |
-264 = spamassassin | hits       | gt     |   9          |  -2 |
-265 = spamassassin | hits       | gt     |  20          | -10 |
+251 = spamassassin | score      | lt     |  0           |   1 |
+252 = spamassassin | score      | lt     | -2           |   1 |
+253 = spamassassin | score      | lt     | -5           |   1 |
+254 = spamassassin | score      | lt     | -10          |   2 |
+255 = spamassassin | score      | lt     | -20          |   5 |
+256 = spamassassin | score      | gt     |   1          |  -1 |
+257 = spamassassin | score      | gt     |   2          |  -1 |
+258 = spamassassin | score      | gt     |   3          |  -2 |
+;259 = spamassassin | score      | gt     |   6          |  -2 |
+;260 = spamassassin | score      | gt     |   8          |  -2 |
+261 = spamassassin | score      | gt     |   9          |  -2 |
+262 = spamassassin | score      | gt     |  20          | -10 |
+;263 = spamassassin | flag       | equals | Yes          |  -5 | SpamAssassin detected as spam
 
 280 = known-senders | pass      | equals | wks           |  5  | Known Sender
 281 = known-senders | pass      | length | gt 0          |  5  | Known Sender

package/index.js

@@ -439,15 +439,17 @@ exports.should_we_deny = function (next, connection, hook) {
     rejectMsg = rejectMsg.replace(/\{uuid\}/, connection.uuid)
   }
 
+  const deny_rc = r.deny_rc ?? constants.DENY
+
   return this.apply_tarpit(connection, hook, score, () => {
-    next(constants.DENY, rejectMsg)
+    next(deny_rc, rejectMsg)
   })
 }
 
 exports.hook_deny = function (next, connection, params) {
   if (this.should_we_skip(connection)) return next()
 
-  const [_pi_rc, , pi_name, , , pi_hook] = params
+  const [pi_rc, , pi_name, , , pi_hook] = params
 
   // exceptions, whose 'DENY' should not be captured
   if (pi_name) {
@@ -464,9 +466,31 @@ exports.hook_deny = function (next, connection, params) {
   connection.results.add(this, { msg: `deny: ${pi_name}` })
   connection.results.incr(this, { score: -2 })
 
+  // Remember the worst-severity intercepted code so a later karma-issued
+  // deny doesn't escalate a soft reject (e.g. rspamd greylist) to a hard
+  // reject.
+  this.track_intercepted_rc(connection, pi_rc)
+
   next(constants.OK) // resume the connection
 }
 
+exports.track_intercepted_rc = function (connection, pi_rc) {
+  const k = connection.results.get('karma')
+  if (!k) return
+
+  if (pi_rc === constants.DENY || pi_rc === constants.DENYDISCONNECT) {
+    connection.results.add(this, { deny_rc: constants.DENY })
+    return
+  }
+
+  if (
+    (pi_rc === constants.DENYSOFT || pi_rc === constants.DENYSOFTDISCONNECT) &&
+    k.deny_rc !== constants.DENY
+  ) {
+    connection.results.add(this, { deny_rc: constants.DENYSOFT })
+  }
+}
+
 exports.hook_connect = function (next, connection) {
   if (this.should_we_skip(connection)) return next()
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "haraka-plugin-karma",
-  "version": "2.4.0",
+  "version": "2.4.1",
   "description": "A heuristics scoring and reputation engine for SMTP connections",
   "main": "index.js",
   "files": [
@@ -39,7 +39,7 @@
   },
   "devDependencies": {
     "@haraka/eslint-config": "^2.0.4",
-    "haraka-test-fixtures": "^1.4.1"
+    "haraka-test-fixtures": "^1.4.3"
   },
   "prettier": {
     "singleQuote": true,