Phishing Feeds¶
Under Phishing Feeds, URL blocklists for known phishing sites are managed. nmg downloads these lists regularly and checks all URLs in mail bodies and attachments against them.
Table¶
| Column | Description |
|---|---|
| Name | Feed label |
| URL | Download URL of the feed file |
| Symbol | rspamd symbol name set on a hit (e.g. NMG_PHISHING_OPENPHISH) |
| Refresh | Update interval in hours |
| Entries | Number of currently loaded phishing URLs/domains |
| Last Checked | Timestamp of the last download attempt |
| Status | Last result: ok, error, empty |
| Built-in | System-provided feed — can be disabled but not deleted |
| Active | Enable/disable the feed |
Form (Add/Edit Feed)¶
| Field | Description |
|---|---|
| Name | Label (free choice) |
| URL | HTTP(S) URL to the feed file |
| Symbol | Symbol name in uppercase ([A-Z0-9_]+), e.g. MY_PHISHING_FEED — registered as an rspamd symbol |
| API Key | Optional HTTP header value for access-restricted feeds (stored encrypted) |
| Refresh Interval | Hours between download attempts (default: 4) |
| Description | Optional free text |
| Active | Activate the feed on the next scheduler run |
Built-in Feeds¶
| Feed | Type | Refresh |
|---|---|---|
| OpenPhish Community | URL list | 4 h |
| PhishTank | URL list | 6 h |
Built-in feeds cover the majority of known phishing campaigns. Custom feeds can be added — e.g. internal threat intelligence or commercial feeds.
Feed Formats¶
nmg supports the following formats (automatically detected):
| Format | Example |
|---|---|
| Simple URL list | https://evil.com/login.html (one URL per line) |
| Domain list | evil.com (one domain per line) |
| CSV with URL column | First column = URL |
Score Impact¶
Each feed has its own rspamd symbol. The score contribution of the symbol is set in Score Tuning. Default: a hit in an active feed increases the score significantly and typically leads to quarantine.
Statistics Display¶
The total number of entries across all active feeds is shown at the top of the page.
Update schedule
The nmg scheduler downloads all feeds according to their configured interval. A feed with refresh_hours: 4 is reloaded at earliest 4 hours after the last successful download — not on every scheduler run.