[Rspamd-Users] greylisting instead of other spam actions

Kai Schaetzl maillists at conactive.com
Tue Oct 9 10:19:29 UTC 2018


Philip Paeps wrote on Tue, 9 Oct 2018 10:19:31 +0200:

> Please include logs and relevant configuration files.
> 
> I suspect the messages took a shortcut somewhere.

Hi and thanks for the suggestions.
Shouldn't a shortcut "shortcut" the way through the rspamd processor? 
I.e., it should stop processing and not show these high scores, as it 
doesn't process all the way along.

Here are two messages from the same source that came in one after the 
other. The second one was even detected by Bayes as spam, which looks like 
the first one was learned. But I don't see a message about it getting 
learned.

2018-10-09 09:14:17 #15287(rspamd_proxy) <617037>; proxy; 
rspamd_task_write_log: id: <66484a8c76e8a5ba329c31966ee01a1c at duomo.gr>, 
qid: <AF5B82638C>, ip: 136.243.37.90, from: <oic1_iproc at petronas.com>, 
(default: F (greylist): [4.00/30.00] [MIME_BAD_EXTENSION(8.00)
{ace;},FORGED_RECIPIENTS(2.00)
{bid at petronas.com;email at example.com;},RBL_SENDERSCORE(2.00)
{90.37.243.136.bl.score.senderscore.com;},MIME_GOOD(-0.10)
{multipart/mixed;multipart/alternative;text/plain;},IP_SCORE(0.01)
{country: DE(0.03);},ARC_NA(0.00){},ASN(0.00){asn:24940, 
ipnet:136.243.0.0/16, country:DE;},DMARC_NA(0.00)
{petronas.com;},FREEMAIL_REPLYTO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00)
{},FROM_HAS_DN(0.00){},GREYLIST(0.00){greylisted;Tue, 09 Oct 2018 07:22:16 
GMT;new record;},HAS_ATTACHMENT(0.00){},HAS_REPLYTO(0.00)
{titanengineerr at gmail.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00)
{2;},RCVD_TLS_LAST(0.00){},RCVD_VIA_SMTP_AUTH(0.00)
{},REPLYTO_DOM_NEQ_FROM_DOM(0.00){},R_DKIM_NA(0.00){},R_SPF_SOFTFAIL
(0.00){~all;},TO_DN_ALL(0.00){},TO_DOM_EQ_FROM_DOM(0.00){}]), len: 911763, 
time: 3106.829ms real, 106.794ms virtual, dns req: 17, digest: 
<079313ae6edfde610636d1641695aca4>, rcpts: <email at example.com>, 
mime_rcpts: <bid at petronas.com>
2018-10-09 09:18:55 #15287(rspamd_proxy) <eee4fd>; proxy; 
rspamd_task_write_log: id: <932a2216c0425078e8e9c9127ec78720 at duomo.gr>, 
qid: <3D51F2643F>, ip: 136.243.37.90, from: <oic1_iproc at petronas.com>, 
(default: F (greylist): [4.00/30.00] [MIME_BAD_EXTENSION(8.00)
{ace;exe;},BAYES_SPAM(4.00){100.00%;},FORGED_RECIPIENTS(2.00)
{bid at petronas.com;email at example.com;},RBL_SENDERSCORE(2.00)
{90.37.243.136.bl.score.senderscore.com;},MIME_GOOD(-0.10)
{multipart/mixed;multipart/alternative;text/plain;},MIME_UNKNOWN(0.10)
{application/x-rar-compressed;},IP_SCORE(0.01){country: DE(0.03);},ARC_NA
(0.00){},ASN(0.00){asn:24940, ipnet:136.243.0.0/16, country:DE;},DMARC_NA
(0.00){petronas.com;},FREEMAIL_REPLYTO(0.00){gmail.com;},FROM_EQ_ENVFROM
(0.00){},FROM_HAS_DN(0.00){},GREYLIST(0.00){greylisted;Tue, 09 Oct 2018 
07:26:53 GMT;meta;},HAS_ATTACHMENT(0.00){},HAS_REPLYTO(0.00)
{titanengineerr at gmail.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00)
{2;},RCVD_TLS_LAST(0.00){},RCVD_VIA_SMTP_AUTH(0.00)
{},REPLYTO_DOM_NEQ_FROM_DOM(0.00){},R_DKIM_NA(0.00){},R_SPF_SOFTFAIL
(0.00){~all;},TO_DN_ALL(0.00){},TO_DOM_EQ_FROM_DOM(0.00){}]), len: 
1818538, time: 1625.932ms real, 18.825ms virtual, dns req: 16, digest: 
<6f218e5160ab78606a835713ea883cf5>, rcpts: <email at example.com>, 
mime_rcpts: <bid at petronas.com>

The first message scores around 12, the second around 16. Both are marked 
as "greylist" in the web ui and got delivered without subject rewrite or 
added header.

I'm not sure what the relevant config would be. local.d/actions.conf has 
this (I think these are the defaults):

reject = 30; # Reject when reaching this score
add_header = 10; # Add header when reaching this score (probably spam)
rewrite_subject = 7; # optional
greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
subject = "(SPAM) %s"

This config is not overwritten somewhere else, the Configuration page in 
the web ui shows the same figures.

I *do* have spam that gets the add_header action or rewrite subject, but 
*much* less. Almost all of those greylisted would qualify for spam.
Is the MIME_BAD_EXTENSION score maybe not getting counted towards the 
overall score in this case? But others don't hit this rule anyway.

What does this mean?
GREYLIST(0.00){greylisted;Tue, 09 Oct 2018 07:22:16 GMT;new record;}

Is this the time until it is going to greylist it?
09:14:17 is CEST = 7:14 GMT.
So, 8 minutes?
But I don't see postfix rejecting it. Not at postscreen time, not at 
rspamd time. I don't understand why I should greylist it twice. Can I 
disable greylisting in rspamd and have only postscreen greylist it?

This is from the postfix log (grepping for sender domain and IP address):

Oct  9 09:14:17 b03 postfix/qmgr[19759]: AF5B82638C: 
from=<oic1_iproc at petronas.com>, size=912002, nrcpt=1 (queue active)
Oct  9 09:18:55 b03 postfix/qmgr[19759]: 3D51F2643F: 
from=<oic1_iproc at petronas.com>, size=1818777, nrcpt=1 (queue active)

Oct  9 09:14:06 b03 postfix/postscreen[626]: CONNECT from 
[136.243.37.90]:56555 to [IP]:25
Oct  9 09:14:12 b03 postfix/postscreen[626]: PASS NEW 
[136.243.37.90]:56555
Oct  9 09:14:12 b03 postfix/smtpd[631]: connect from www12.cybnet.biz
[136.243.37.90]
Oct  9 09:14:13 b03 postfix/smtpd[631]: AF5B82638C: 
client=www12.cybnet.biz[136.243.37.90]
Oct  9 09:14:17 b03 postfix/smtpd[631]: disconnect from www12.cybnet.biz
[136.243.37.90] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct  9 09:18:52 b03 postfix/postscreen[1624]: CONNECT from 
[136.243.37.90]:58956 to [IP]:25
Oct  9 09:18:53 b03 postfix/postscreen[1624]: PASS OLD 
[136.243.37.90]:58956
Oct  9 09:18:53 b03 postfix/smtpd[1625]: connect from www12.cybnet.biz
[136.243.37.90]
Oct  9 09:18:53 b03 postfix/smtpd[1625]: 3D51F2643F: 
client=www12.cybnet.biz[136.243.37.90]
Oct  9 09:18:55 b03 postfix/smtpd[1625]: disconnect from www12.cybnet.biz
[136.243.37.90] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

Thanks!

Kai
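As an added example (not part of the post and not rspamd's own code), the following Python script parses the two rspamd_task_write_log lines quoted above, sums the per-symbol scores, checks which action the thresholds from the poster's local.d/actions.conf would select for that sum, and computes the greylisting delay from the GREYLIST symbol options the same way the poster did by hand. The log lines are the post's two lines with the mail wrapping removed; the script assumes the log timestamps are in CEST (UTC+2) as the poster states, and it reads the time in the GREYLIST options as the time until which the record is greylisted.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Thresholds as shown in the poster's local.d/actions.conf.
ACTIONS = {"reject": 30.0, "add_header": 10.0, "rewrite_subject": 7.0, "greylist": 4.0}

# Assumption: the rspamd log timestamps are local time, CEST (UTC+2), as the poster says.
LOCAL_TZ = timezone(timedelta(hours=2))

# The two log lines from the post, with the mail client's line wrapping removed.
LOG1 = (
    "2018-10-09 09:14:17 #15287(rspamd_proxy) <617037>; proxy; rspamd_task_write_log: "
    "id: <66484a8c76e8a5ba329c31966ee01a1c at duomo.gr>, qid: <AF5B82638C>, ip: 136.243.37.90, "
    "from: <oic1_iproc at petronas.com>, (default: F (greylist): [4.00/30.00] "
    "[MIME_BAD_EXTENSION(8.00){ace;},FORGED_RECIPIENTS(2.00){bid at petronas.com;email at example.com;},"
    "RBL_SENDERSCORE(2.00){90.37.243.136.bl.score.senderscore.com;},"
    "MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},IP_SCORE(0.01){country: DE(0.03);},"
    "ARC_NA(0.00){},ASN(0.00){asn:24940, ipnet:136.243.0.0/16, country:DE;},DMARC_NA(0.00){petronas.com;},"
    "FREEMAIL_REPLYTO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},"
    "GREYLIST(0.00){greylisted;Tue, 09 Oct 2018 07:22:16 GMT;new record;},HAS_ATTACHMENT(0.00){},"
    "HAS_REPLYTO(0.00){titanengineerr at gmail.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},"
    "RCVD_TLS_LAST(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},REPLYTO_DOM_NEQ_FROM_DOM(0.00){},R_DKIM_NA(0.00){},"
    "R_SPF_SOFTFAIL(0.00){~all;},TO_DN_ALL(0.00){},TO_DOM_EQ_FROM_DOM(0.00){}]), len: 911763, "
    "time: 3106.829ms real, 106.794ms virtual, dns req: 17, digest: <079313ae6edfde610636d1641695aca4>, "
    "rcpts: <email at example.com>, mime_rcpts: <bid at petronas.com>"
)
LOG2 = (
    "2018-10-09 09:18:55 #15287(rspamd_proxy) <eee4fd>; proxy; rspamd_task_write_log: "
    "id: <932a2216c0425078e8e9c9127ec78720 at duomo.gr>, qid: <3D51F2643F>, ip: 136.243.37.90, "
    "from: <oic1_iproc at petronas.com>, (default: F (greylist): [4.00/30.00] "
    "[MIME_BAD_EXTENSION(8.00){ace;exe;},BAYES_SPAM(4.00){100.00%;},"
    "FORGED_RECIPIENTS(2.00){bid at petronas.com;email at example.com;},"
    "RBL_SENDERSCORE(2.00){90.37.243.136.bl.score.senderscore.com;},"
    "MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},"
    "MIME_UNKNOWN(0.10){application/x-rar-compressed;},IP_SCORE(0.01){country: DE(0.03);},ARC_NA(0.00){},"
    "ASN(0.00){asn:24940, ipnet:136.243.0.0/16, country:DE;},DMARC_NA(0.00){petronas.com;},"
    "FREEMAIL_REPLYTO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},"
    "GREYLIST(0.00){greylisted;Tue, 09 Oct 2018 07:26:53 GMT;meta;},HAS_ATTACHMENT(0.00){},"
    "HAS_REPLYTO(0.00){titanengineerr at gmail.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},"
    "RCVD_TLS_LAST(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},REPLYTO_DOM_NEQ_FROM_DOM(0.00){},R_DKIM_NA(0.00){},"
    "R_SPF_SOFTFAIL(0.00){~all;},TO_DN_ALL(0.00){},TO_DOM_EQ_FROM_DOM(0.00){}]), len: 1818538, "
    "time: 1625.932ms real, 18.825ms virtual, dns req: 16, digest: <6f218e5160ab78606a835713ea883cf5>, "
    "rcpts: <email at example.com>, mime_rcpts: <bid at petronas.com>"
)

# "(default: F (greylist): [4.00/30.00]" -> action, reported score, required score
HEADER_RE = re.compile(r"\(default: F \((\w+)\): \[([\d.]+)/([\d.]+)\]")
QID_RE = re.compile(r"qid: <([^>]+)>")
# "SYMBOL(8.00){opt1;opt2;}" -> name, score, options text
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+\.\d+)\)\{([^}]*)\}")


def parse_log_line(line):
    """Split one rspamd_task_write_log line into the reported action/score and its symbols."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("not an rspamd_task_write_log line with a default metric")
    qid = QID_RE.search(line)
    symbols = {}
    for name, score, opts in SYMBOL_RE.findall(line):
        symbols[name] = (float(score), [o for o in opts.split(";") if o])
    return {"timestamp": line[:19], "qid": qid.group(1) if qid else None,
            "action": m.group(1), "reported_score": float(m.group(2)),
            "required_score": float(m.group(3)), "symbols": symbols}


def symbol_sum(parsed):
    """Total of the per-symbol scores, rounded to the two decimals rspamd prints."""
    return round(sum(score for score, _ in parsed["symbols"].values()), 2)


def action_for_score(score, actions=ACTIONS):
    """The action whose threshold is the highest one the score reaches, or 'no action'."""
    chosen, best = "no action", None
    for name, threshold in actions.items():
        if score >= threshold and (best is None or threshold > best):
            chosen, best = name, threshold
    return chosen


def greylist_delay_seconds(parsed, local_tz=LOCAL_TZ):
    """Seconds from the log timestamp to the time in the GREYLIST options, or None if not greylisted."""
    _, opts = parsed["symbols"].get("GREYLIST", (0.0, []))
    if len(opts) < 2 or opts[0] != "greylisted":
        return None
    until = parsedate_to_datetime(opts[1])
    if until.tzinfo is None:  # treat a naive parse as UTC, the zone the log prints
        until = until.replace(tzinfo=timezone.utc)
    logged = datetime.strptime(parsed["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return int((until - logged).total_seconds())


def audit(line):
    """Compare the action rspamd reported with the one the thresholds alone would select."""
    parsed = parse_log_line(line)
    total = symbol_sum(parsed)
    return {"qid": parsed["qid"], "reported_action": parsed["action"],
            "reported_score": parsed["reported_score"], "symbol_sum": total,
            "threshold_action": action_for_score(total),
            "greylist_delay_s": greylist_delay_seconds(parsed)}


if __name__ == "__main__":
    for line in (LOG1, LOG2):
        print(audit(line))
```

Run against the two lines it reports a symbol sum of 11.91 and 16.01 (the "around 12" and "around 16" of the post), an add_header threshold action for both, a reported score of 4.00 with the greylist action, and greylist delays of 479 and 478 seconds, i.e. the roughly 8 minutes the poster worked out by hand. The same script can be pointed at any other rspamd_task_write_log line to check whether the action rspamd took is the one the configured thresholds predict.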
