Phishing Keywords¶
Under Phishing Keywords, keywords and patterns are managed that indicate phishing attempts, social engineering, or business email compromise. Hits increase the rspamd score.
Table¶
| Column | Description |
|---|---|
| Pattern | Search text or regular expression |
| Regex | Whether the pattern is interpreted as regex |
| Target | Which part of the mail is checked |
| Language | Optional language restriction (de, en, empty = all) |
| Hits | Number of detections in the selected time range |
| Built-in | System-provided pattern |
| Description | Optional free text |
| Active | Enable/disable the pattern |
Form¶
| Field | Description |
|---|---|
| Pattern | Search text (e.g. reset your password) or regex (e.g. (?i)account\s+suspended) |
| Regex | Evaluate pattern as a regular expression |
| Target | Which part of the mail to check (see below) |
| Language | Optional: apply only to mails in this language |
| Description | Free text |
| Active | Activate immediately |
Target Options¶
| Target | Description |
|---|---|
subject |
Subject line |
body |
Mail body (HTML and plaintext) |
header_from |
Header-From address |
header_to |
Header-To address |
Regex Tips¶
Phishing keywords are checked case-insensitively when the regex option is active. Useful patterns:
# Urgency words (EN)
(?i)(immediately|urgent|within\s+\d+\s+(hours?|minutes?))
# Account suspension patterns (EN)
(?i)account\s+(suspended|deactivated|locked|restricted)
# Password reset patterns (EN)
(?i)(reset|change|update)\s+your\s+(password|credentials)
# CEO fraud indicators
(?i)(wire\s+transfer|urgent\s+payment|bank\s+details)
Statistics (Keyword Hits)¶
The statistics view shows hit counts per keyword for the selected time range (24h / 7d / 30d). This reveals:
- Which patterns are actively triggering
- Whether a pattern generates too many false positives (high hit count on ham)
- Which patterns never trigger (consider disabling)
Score tuning
Phishing keywords generate rspamd symbols. Their score weight can be adjusted in Mail Configuration → Score Tuning without deleting the keywords.
Pre-installed Keywords (Examples)¶
| Pattern | Target | Description |
|---|---|---|
verify your account |
body | Typical EN phishing phrase |
account suspended |
body | Account suspension phishing |
payment overdue |
subject | BEC/invoice fraud pattern |
click here to confirm |
body | Generic phishing CTA |