[Rspamd-Users] 'X-Spam: Yes' is added to some messages that have lesser score than spam threshold

Yasuhiro KIMURA yasu at utahime.org
Fri Feb 8 19:15:51 UTC 2019


Hello all.

On my home server 'extended_spam_headers = true' is added to
$CONFDIR/local.d/milter_headers.conf. Yesterday I checked the
X-Spamd-Result header of some messages and found strange behavior in
Rspamd.

For example, one message I received yesterday had the following
X-Spamd-Result header.

----------------------------------------------------------------------
X-Spamd-Result: default: False [-97.81 / 1000.00];
	 ARC_NA(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 SPAM_FLAG(0.00)[];
	 RCVD_COUNT_FIVE(0.00)[6];
	 FROM_HAS_DN(0.00)[];
	 FORWARDED(0.00)[user at example.com];
	 MV_CASE(0.50)[];
	 MIME_GOOD(-0.10)[text/plain];
	 TO_DN_NONE(0.00)[];
	 DMARC_NA(0.00)[examle.com];
	 HAS_LIST_UNSUB(-0.01)[];
	 RCPT_COUNT_ONE(0.00)[1];
	 AUTH_NA(1.00)[];
	 RCVD_TLS_LAST(0.00)[];
	 MID_CONTAINS_FROM(1.00)[];
	 FORGED_SENDER_FORWARDING(0.00)[];
	 MAILLIST(-0.20)[mailman];
	 R_SPF_NA(0.00)[];
	 FORGED_SENDER(0.00)[user at examle.com,foo-bounces at ml.example.org];
	 TO_OR_CC_INCLUDE_HAM_ADDRESSES(-100.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 HAS_REPLYTO(0.00)[foo at ml.examle.org];
	 FROM_NEQ_ENVFROM(0.00)[user at examle.com,foo-bounces at ml.examle.org];
	 FORGED_SENDER_MAILLIST(0.00)[]
----------------------------------------------------------------------

As you can see, the score of this message is negative and obviously
less than the spam threshold. But 'X-Spam: Yes' was still added to it.

I found about 10 or so such cases among the messages that I received
yesterday.

Then why does this happen? Are there any cases in which a message is
judged spam regardless of its score value? Or is it a bug in Rspamd?

Conditions and settings are as follows.

OS: FreeBSD 12.0-RELEASE amd64
Rspamd: 1.8.3, installed by using FreeBSD port (mail/rspamd)

$CONFDIR/local.d/actions.conf:
----------------------------------------------------------------------
reject = 1000;
----------------------------------------------------------------------

$CONFDIR/local.d/logging.inc:
----------------------------------------------------------------------
debug_modules = ["bayes"];
----------------------------------------------------------------------

$CONFDIR/local.d/milter_headers.conf:
----------------------------------------------------------------------
extended_spam_headers = true;
----------------------------------------------------------------------

$CONFDIR/local.d/regexp.conf:
----------------------------------------------------------------------
HAS_7Z_ATTACHMENT {
    re = "Content-Type=/application\\/octet-stream.*name=.*\\.7z/B || Content-Disposition=/attachment.*filename=.*\\.7z/B";
    score = 20.0;
    description = "Has *.7z attachment";
    group = "header";
}

HAS_DISPOSITION_NOTIFICATION_TO {
    re = "header_exists('Disposition-Notification-To')";
    score = 20.0;
    description = "Has Disposition-Notification-To header";
    group = "header";
}

SPAM_FLAG {
    score = 0;
}

SUBJECT_INCLUDES_HAM_WORDS {
    re = "Subject=/(20[0-9]{2}-[01][0-9]-[0-3][0-9] [0-2][0-9]:[0-5][0-9] [+-]?[01][0-9]{3} (Security|System) Events|[A-Za-z0-9.-]+: BruteForceBlocker blocking [0-9.]+\\/32|Logwatch for [A-Za-z0-9.-]+ \\(Linux\\))|(daily|weekly|monthly)( security)? run output/H";
    score = -100.0;
    description = "Subject includes ham words";
    group = "header";
}

SUBJECT_INCLUDES_SPAM_WORDS {
    re = "Subject=/(cialis|direct axis|levitra|penisole|viagra|vpxl|アラート:アカウントが一時的に中断されています|最終的なお知らせ:あなたのアカウントは中断されます|代.*开|开.*票|发.*票)/Hiu";
    score = 10.0;
    description = "Subject includes spam words";
    group = "header";
}

TO_OR_CC_INCLUDE_HAM_ADDRESSES {
    re = "To=/@ml.example.org/H || Cc=/@ml.example.org/H";
    score = -100.0;
    description = "To or Cc includes ham addresses";
    group = "header";
}
----------------------------------------------------------------------

$CONFDIR/override.d/options.inc:
----------------------------------------------------------------------
local_addrs = [192.168.100.0/25, 192.168.100.128/26, fe80::/10];
----------------------------------------------------------------------

Best Regards.

---
Yasuhiro KIMURA
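
Added example, not part of the original post and not Rspamd code: a Python check that parses an X-Spamd-Result header in the layout quoted above, confirms that the symbol weights add up to the reported score, and flags a message that carries 'X-Spam: Yes' while scoring below the threshold printed in the header. The sample message is constructed (abridged from the quoted header, with an X-Spam header added), and the function and key names are assumptions.

```python
import email
import re
from email import policy

# Constructed sample: non-zero symbols from the quoted header plus two
# zero-weight ones, with the 'X-Spam: Yes' header the post describes.
SAMPLE = """\
X-Spam: Yes
X-Spamd-Result: default: False [-97.81 / 1000.00];
\t ARC_NA(0.00)[];
\t SPAM_FLAG(0.00)[];
\t MV_CASE(0.50)[];
\t MIME_GOOD(-0.10)[text/plain];
\t HAS_LIST_UNSUB(-0.01)[];
\t AUTH_NA(1.00)[];
\t MID_CONTAINS_FROM(1.00)[];
\t MAILLIST(-0.20)[mailman];
\t TO_OR_CC_INCLUDE_HAM_ADDRESSES(-100.00)[]
Subject: constructed sample

body
"""

# "<metric>: <True|False> [<score> / <threshold>];" then NAME(weight)[options];
HEAD_RE = re.compile(r"\s*(\S+):\s*(True|False)\s*\[(-?[\d.]+)\s*/\s*(-?[\d.]+)\]")
SYM_RE = re.compile(r"([A-Za-z0-9_]+)\((-?\d+(?:\.\d+)?)\)\[")

def parse_result(value):
    """Split an X-Spamd-Result value into verdict, score, threshold, symbols."""
    m = HEAD_RE.match(value)
    if not m:
        raise ValueError("not an X-Spamd-Result value in the expected layout")
    symbols = {name: float(weight) for name, weight in SYM_RE.findall(value)}
    return {"is_spam": m[2] == "True", "score": float(m[3]),
            "threshold": float(m[4]), "symbols": symbols}

def audit(raw_message):
    """Compare the X-Spam header with what X-Spamd-Result reports."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    res = parse_result(str(msg.get("X-Spamd-Result", "")))
    x_spam = str(msg.get("X-Spam", "")).strip().lower() == "yes"
    total = sum(res["symbols"].values())
    return {"x_spam": x_spam, "score": res["score"], "threshold": res["threshold"],
            # weights are printed rounded, so allow a small tolerance
            "sum_matches": abs(total - res["score"]) < 0.05,
            # the inconsistency reported in the post
            "mismatch": x_spam and res["score"] < res["threshold"]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running `audit()` over each message in a mailbox lists the affected messages instead of relying on spot checks.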

