Rspamd offers so-called multimaps and their maps. With them you can create rules with or without regular expressions.
I started developing the rules in early 2024 and i am now working on an improved second version.
Before Rspamd, I used an older product called Declude as a spam filtering system for our server as well as for customers. Declude also offered a rule system based on regular expressions. This experience is very useful to me here.
π‘ The rules are updated at least once, but usually several times a day and are therefore sure to be accurate.
π’ If you have any questions or feedback drop me line at the discussions.
π Bugs and problems can be reported here: Issues.
π Feel free to use these maps on your Rspamd server.
The base is the file multimaps.conf in the folder /etc/rspamd/local.d. This file includes all configuration files of the map files. These files are located in the same folder and must also be copied to the server.
The map files of the first generation begin with an underscore _multimap....map.
The second generation does not have the leading underscore.
Important: To be as effective as possible, both versions must be active until the migration is complete.
Finally, the Rspamd service must be restarted
systemctl restart rspamd
The map files in the folder /etc/rspamd/maps.d do not need to be copied. Rspamd loads them directly from Github and caches them locally. New versions are checked periodically.
If I add new map files, the configuration files must be updated accordingly. These are the latest changes:
| Date | File | Reason |
|---|---|---|
| 09.05.25 | multimap.subject.conf | New file for Emojis |
| 10.05.25 | All configuration files! | Splitted in DE and EN versions |
| 13.05.25 | multimap.conf | New files added, old files removed |
| multimap.body.de.scam.conf | New file | |
| multimap.body.en.scam.conf | New file | |
| multimap.body.de.stocks.conf | New file | |
| multimap.body.en.stocks.conf | New file | |
| _multimap_stocks.conf | Old file deleted | |
| _multimap_winning.conf | Old file deleted | |
| 14.05.25 | multimap.whitelist.conf | Three silly typos fixed |
| 16.05.25 | multimap.sender.conf | New map file added |
| 17.05.25 | multimap.subject.de.phishing.conf | New map file added |
| multimap.subject.en.phishing.conf | New map file added | |
| 26.05.25 | multimap.conf | New files added |
| multimap.subject.de.stocks.conf | New file | |
| multimap.subject.en.stocks.conf | New file | |
| 27.05.25 | multimap.conf | New configuration files added |
| multimap.body.de.sale.conf | New file | |
| multimap.body.en.sale.conf | New file | |
| _multimap_base_phrases.conf | Old map files retired/removed | |
| 28.05.25 | multimap.subject.de.sale.conf | New map file added |
| multimap.subject.en.sale.conf | New map file added | |
| 29.05.25 | multimap.conf | New configuration files added |
| multimap.body.de.phishing.conf | New file | |
| multimap.body.en.phishing.conf | New file | |
| 29.05.25 | multimap.conf | Old files removed |
| _multimap_ad.conf | Old file deleted | |
| _multimap_domain.conf | Old file deleted |
Attention: A major migration of the configuration files is necessary: The naming of the "Sender" files was unfortunate and has now been corrected. New configuration files have also been added.
| Date | File | Reason |
|---|---|---|
| 03.06.25 | multimap.conf | New configuration files added |
| multimap.sender.address.conf | New file | |
| multimap.sender.address.de.conf | New file | |
| multimap.sender.address.en.conf | New file | |
| multimap.sender.from.de.*.conf | New files | |
| multimap.sender.from.en.*.conf | New files | |
| multimap.sender.de.*.conf | Old file deleted/renamed | |
| multimap.sender.en.*.conf | Old file deleted/renamed | |
| 04.06.25 | multimap.subject.de.scam.conf | New map file added |
| multimap.subject.en.scam.conf | New map file added | |
| multimap.body.de.scam.conf | New map file added | |
| multimap.body.en.scam.conf | New map file added | |
| 07.06.25 | multimap.body.de.scam.conf | Typo fixed |
| multimap.body.en.scam.conf | Typo fixed | |
| multimap.sender.from.conf | New map file added | |
| 08.06.25 | multimap.sender.from.phishing.conf | New map file added |
| 09.06.25 | multimap.body.de.sale.conf | New map files added |
| multimap.body.en.sale.conf | New map files added | |
| 10.06.25 | multimap.body.de.sale.conf | New map file added |
| multimap.body.en.sale.conf | New map file added | |
| multimap.sender.from | Typo fixed | |
| 13.06.25 | multimap.body.de.scam.conf | New map file added |
| multimap.body.en.scam.conf | New map file added |
What to do:
- Copy these files to the Rspamd server
- Restart the Rspamd service
All map files of the first version are in the folder /etc/rspamd/maps.d. The files of the second edition are stored in subfolders according to the topic.
Folder structure:
base
ββ base.country.map ββ
ββ base.body.charenc.koi8r.map * β
ββ base.body.charenc.windows1251.map * ββ multimap.base.conf
ββ base.body.markup.hidden.map β
ββ base.body.markup.map ββ
β
ββ href
β ββ base.body.href.domain.map * ββ
β ββ base.body.href.domain.ip.map * β
β ββ base.body.href.domain.google.map * β
β ββ base.body.href.nossl.map * ββ multimap.base.body.href.conf
β ββ base.body.href.path.map * β
β ββ base.body.href.path.filename.map * β
β ββ base.body.href.path.wordpress.map * ββ
β
ββ img
ββ base.body.img.domain.ip.map * ββ
ββ base.body.img.domain.tld.map * β
ββ base.body.img.domain.name.map * ββ multimap.base.body.img.conf
ββ base.body.img.nossl.map * β
ββ base.body.img.path.map * β
ββ base.body.img.shortener.map * ββ
lists
ββ list.tld.map * --- multimap.base.body.href.conf
ββ list.url.shortener.map * --- multimap.base.body.href.conf
- -> "one_shot" is set
Folder structure:
body
ββ body.attachment.map ββ
ββ body.emergency.map β
ββ body.special.map β
β β
ββ body.az.orgname.map ββ multimap.body.conf
ββ body.ch.orgname.map β
ββ body.de.orgname.map β
ββ body.us.orgname.map ββ
β
ββ href
β ββ body.href.az.domain.name.map ββ
β ββ body.href.ch.domain.name.map β
β ββ body.href.de.domain.name.map ββ multimap.body.href.conf
β ββ body.href.us.domain.name.map β
β ββ body.href.domain.name.pattern.map β
β ββ body.href.url.path.orgbrandprod.map ββ
β
ββ de
β ββ body.de.map ββ
β ββ body.de.greetings.map β
β ββ body.de.intros.map β
β ββ body.de.message.map ββ multimap.body.de.conf
β ββ body.de.singleword.map β
β ββ body.de.singleword.ucase.map β
β ββ body.de.unsubscribe.map ββ
β β
β ββ body.de.phishing.map ββ
β ββ body.de.phishing.account.map β
β ββ body.de.phishing.alertaction.map β
β ββ body.de.phishing.banking.map β
β ββ body.de.phishing.email.map β
β ββ body.de.phishing.greetings.map β
β ββ body.de.phishing.malware.map β
β ββ body.de.phishing.parcel.map ββ multimap.body.de.phishing.conf
β ββ body.de.phishing.password.map β
β ββ body.de.phishing.payment.map β
β ββ body.de.phishing.refund.map β
β ββ body.de.phishing.rewards.map β
β ββ body.de.phishing.subscription.map β
β ββ body.de.phishing.survey.map ββ
β β
β ββ body.de.sale.map ββ
β ββ body.de.sale.app.map β
β ββ body.de.sale.greetings.map β
β ββ body.de.sale.china.map ββ multimap.body.de.sale.conf
β ββ body.de.sale.media.map β
β ββ body.de.sale.seo.map β
β ββ body.de.sale.website.map ββ
β β
β ββ body.de.stocks.map --- multimap.body.de.stocks.conf
β β
β ββ body.de.scam.map ββ
β ββ body.de.scam.business.map β
β ββ body.de.scam.bignumbers.map β
β ββ body.de.scam.donations.map β
β ββ body.de.scam.investment.map ββ multimap.body.de.scam.conf
β ββ body.de.scam.order.map β
β ββ body.de.scam.payment.map β
β ββ body.de.scam.ransom.map β
β ββ body.de.scam.winning.map ββ
β
ββ en
ββ ....
Folder structure:
sender
ββ sender.address.map ββ
ββ sender.address.orgbrandprod.map ββ multimap.sender.address.conf
ββ sender.address.people.map β
ββ sender.address.tld ββ
β
ββ de
β ββ sender.address.de.map --- multimap.sender.address.de.conf
β
ββ sender.from.phishing.orgbrandprod.map --- multimap.sender.from.phishing.conf
ββ sender.from.phishing.orgbrandprod.ucase.map --- multimap.sender.from.phishing.conf
β
ββ sender.from.orgbrandprod.map ββ
ββ sender.from.people.map ββ multimap.sender.from.conf
ββ sender.from.special.map β
ββ sender.from.title.map ββ
β
ββ de
β ββ sender.from.de.singleword.map --- multimap.sender.from.de.conf
β ββ sender.from.de.singleword.ucase.map --- multimap.sender.from.de.conf
β β
β ββ sender.from.de.map --- multimap.sender.from.de.conf
β ββ sender.from.de.adult.map --- multimap.sender.from.de.adult.conf
β ββ sender.from.de.finance.map --- multimap.sender.from.de.finance.conf
β ββ sender.from.de.gambling.map --- multimap.sender.from.de.gambling.conf
β ββ sender.from.de.health.map --- multimap.sender.from.de.health.conf
β ββ sender.from.de.lottery.map --- multimap.sender.from.de.lottery.conf
β ββ sender.from.de.makemoney.map --- multimap.sender.from.de.makemoney.conf
β ββ sender.from.de.phishing.map --- multimap.sender.from.de.phishing.conf
β ββ sender.from.de.phishing.malware.map --- multimap.sender.from.de.phishing.malware.conf
β ββ sender.from.de.sale.map --- multimap.sender.from.de.sale.conf
β
ββ en
ββ ....
Folder structure:
subject
ββ subject.health.medname.map --- multimap.subject.health.conf
ββ subject.orgbrandprod.map ββ
ββ subject.special.map ββ multimap.subject.conf
ββ subject.special.emoji.map ββ
β
ββ de
β ββ subject.de.map ββ
β ββ subject.de.greetings.map β
β ββ subject.de.message.map ββ multimap.subject.de.conf
β ββ subject.de.singleword.map β
β ββ subject.de.singleword.ucase.map ββ
β β
β ββ subject.de.adult.map --- multimap.subject.de.adult.conf
β ββ subject.de.finance.map --- multimap.subject.de.finance.conf
β ββ subject.de.gambling.map --- multimap.subject.de.gambling.conf
β ββ subject.de.health.map --- multimap.subject.de.health.conf
β β
β ββ subject.de.phishing.map ββ
β ββ subject.de.phishing.account.map β
β ββ subject.de.phishing.alertaction.map β
β ββ subject.de.phishing.banking.map β
β ββ subject.de.phishing.email.map β
β ββ subject.de.phishing.malware.map β
β ββ subject.de.phishing.parcel.map β
β ββ subject.de.phishing.password.map ββ multimap.subject.de.phishing.conf
β ββ subject.de.phishing.payment.map β
β ββ subject.de.phishing.refund.map β
β ββ subject.de.phishing.rewards.map β
β ββ subject.de.phishing.subscription.map β
β ββ subject.de.phishing.survey.map ββ
β β
β ββ subject.de.sale.map ββ
β ββ subject.de.sale.app.map β
β ββ subject.de.sale.china.map β
β ββ subject.de.sale.media.map ββ multimap.subject.de.sale.conf
β ββ subject.de.sale.seo.map β
β ββ subject.de.sale.website.map ββ
β β
β ββ subject.de.scam.map ββ
β ββ subject.de.scam.bignumbers.map β
β ββ subject.de.scam.business.map β
β ββ subject.de.scam.donation.map ββ multimap.subject.de.scam.conf
β ββ subject.de.scam.investment.map * β
β ββ subject.de.scam.order.map β
β ββ subject.de.scam.payment.map β
β ββ subject.de.scam.winning.map ββ
β β
β ββ subject.de.stocks.map --- multimap.subject.de.stocks.conf
β
ββ en
ββ ....
Folder structure:
whitelist
ββ body.href.url.az.whitelist.map + ββ
ββ body.href.url.ch.whitelist.map + β
ββ body.href.url.de.whitelist.map + β
ββ body.href.url.us.whitelist.map + β
β β
ββ header.ip.whitelist.map + β
β β
ββ de ββ multimap.whitelist.conf
β ββ body.de.whitelist.map β
β ββ sender.from.de.whitelist.map β
β ββ subject.de.whitelist.map β
β β
ββ en β
ββ .... ββ
+ -> "prefilter" is set
Unfortunately, whitelisting with the prefilter option set doesn't work in some cases. I don't know why, and I can't find any help in the community. What a pity!
If you want to increase or decrease a symbol's score, you can do so in the UI. Click "Symbols" in the menu, then find the desired symbol and change the score.
Important
- You can only change the scoring for a map file, or rather its symbol, and not for a single rule.
- The scoring for a single rule can be changed in the map file.
Unfortunately, Rspamd is unable to log the rule(s) of a map file that fired. This complicates the whole process in case of an error.
There's always a risk that an email will be mistakenly marked as spam.
If a map file is to blame, I'm happy to change or remove a rule. My rules are designed specifically for German-speaking countries. Therefore, some phrases might be too strong for English-speaking countries.
Open an issue and I'll be happy to resolve the issue.
Great! I love fresh spam! To create one or more rules, I need the complete, unaltered email. Send it to spamcop[Γ€t]netfusion[dΓΆt]ch and add the word "SPAM" to the subject line.