Composites (Combination Rules)¶

Under Composites, rspamd composite rules are managed. A composite rule combines multiple rspamd symbols with boolean logic into a new, independent symbol with its own score.

Composites are the most powerful tool for linking existing detection signals — without editing the rspamd configuration directly.

Fields¶

Field	Description
Name	Symbol name in uppercase, e.g. `NMG_TRUSTED_RELAY_PASS` — must match the pattern `[A-Z][A-Z0-9_]{2,63}`
Expression	Boolean combination of rspamd symbols (see syntax)
Score	rspamd score contribution when the composite fires (negative = ham bonus)
Policy	What happens to the input symbols after the composite fires
Description	Optional free text
Active	Enable/disable the composite
Builtin	System-provided rules — editable but not deletable

Expression Syntax¶

Composites use rspamd composite expression language:

Operator	Meaning	Example
`&`	AND — both symbols must fire	`SPF_FAIL & DKIM_TRACE_FAIL`
`\\|`	OR — at least one must fire	`RCVD_IN_ZEN \\| RCVD_IN_BARRACUDA`
`!`	NOT — symbol must not fire	`RCVD_IN_ZEN & !DKIM_VALID`
`(` `)`	Grouping	`(SPF_FAIL \\| DKIM_FAIL) & !WHITELIST`

Examples:

# Known RBL hits without valid DKIM → hard spam
NMG_RBL_NO_DKIM = RCVD_IN_ZEN & !DKIM_VALID

# Outbound submission mails (no inbound filter needed)
NMG_OUTBOUND_OK = NMG_OUTBOUND_SUBMISSION & DKIM_VALID

# Suspicious TLD combined with missing SPF alignment
NMG_SUSPICIOUS_COMBO = NMG_SUSPICIOUS_TLD & SPF_FAIL & !NMG_TRUSTED_RELAY

Available symbols

All currently active rspamd symbols can be viewed in the rspamd web UI (http://localhost:11334) under Symbols. Alternatively: rspamadm configdump | grep -i symbol.

Policy Options¶

The policy determines what happens to the input symbols after the composite fires:

Policy	Behaviour
`leave`	Input symbols remain in the score (default)
`remove_weight`	Score weights of the input symbols are set to 0
`remove_symbol`	Input symbols are completely removed from the result
`remove_existing`	Removes input symbols and prevents them from firing again

When to use which policy:

leave — when the composite is an additional signal and the individual signals should still count
remove_weight — when the composite "replaces" the individual signals and double-counting should be avoided
remove_symbol — when the individual signals are irrelevant after composite evaluation (e.g. normalisation)
remove_existing — for strict exclusion, typically for allowlist composites

Score Direction¶

Score	Effect
Positive (e.g. `5.0`)	Increases spam score → towards quarantine/reject
Negative (e.g. `-3.0`)	Decreases spam score → ham bonus, reduces false positive risk
`0.0`	Composite fires (visible as symbol), does not change score

Builtin Composites¶

nmg ships pre-configured composites for typical scenarios (e.g. origin tag combinations, outbound detection). These can be edited (score, policy, active/inactive) but not deleted.

Use Cases¶

Reducing false positives¶

NMG_KNOWN_NEWSLETTER = BULK_SENDER & DKIM_VALID & !RCVD_IN_ZEN
score: -2.0   policy: leave

Reduces score for legitimate mass mail with valid DKIM that is not listed in Spamhaus.

Detecting specific attack patterns¶

NMG_BEC_PATTERN = FROM_NEQ_ENVELOPE_FROM & !DKIM_VALID & NMG_SUSPICIOUS_TLD
score: 8.0   policy: remove_weight

Combines multiple BEC indicators into an independent score signal.

Excluding outbound mail from filter rules¶

NMG_SKIP_RBL_OUTBOUND = NMG_OUTBOUND_SUBMISSION & RCVD_IN_ZEN
score: 0.0   policy: remove_symbol

Removes RBL hits for outgoing submissions (own IPs may appear in RBLs).