[Rspamd-Users] 'X-Spam: Yes' is added to some messages that have lesser score than spam threshold

Tim Harman tim at muppetz.com
Fri Feb 8 21:30:19 UTC 2019


On 09/02/2019 8:15 am, Yasuhiro KIMURA wrote:

> Hello all.
> 
> On my home server 'extended_spam_headers = true' is added to
> $CONFDIR/local.d/milter_headers.conf. Yesterday I checked
> X-Spamd-Result header of some messages and found strange behaviors of
> Rspamd.
> 
> For example, one message I received yesterday had the following
> X-Spamd-Result header.
> 
> ----------------------------------------------------------------------
> X-Spamd-Result: default: False [-97.81 / 1000.00];
> ARC_NA(0.00)[];
> RCVD_VIA_SMTP_AUTH(0.00)[];
> SPAM_FLAG(0.00)[];
> RCVD_COUNT_FIVE(0.00)[6];
> FROM_HAS_DN(0.00)[];
> FORWARDED(0.00)[user at example.com];
> MV_CASE(0.50)[];
> MIME_GOOD(-0.10)[text/plain];
> TO_DN_NONE(0.00)[];
> DMARC_NA(0.00)[examle.com];
> HAS_LIST_UNSUB(-0.01)[];
> RCPT_COUNT_ONE(0.00)[1];
> AUTH_NA(1.00)[];
> RCVD_TLS_LAST(0.00)[];
> MID_CONTAINS_FROM(1.00)[];
> FORGED_SENDER_FORWARDING(0.00)[];
> MAILLIST(-0.20)[mailman];
> R_SPF_NA(0.00)[];
> FORGED_SENDER(0.00)[user at examle.com,foo-bounces at ml.example.org];
> TO_OR_CC_INCLUDE_HAM_ADDRESSES(-100.00)[];
> R_DKIM_NA(0.00)[];
> MIME_TRACE(0.00)[0:+];
> HAS_REPLYTO(0.00)[foo at ml.examle.org];
> FROM_NEQ_ENVFROM(0.00)[user at examle.com,foo-bounces at ml.examle.org];
> FORGED_SENDER_MAILLIST(0.00)[]
> ----------------------------------------------------------------------
> 
> As you can see, the score of this message is negative and obviously less
> than the spam threshold. But 'X-Spam: Yes' was still added to it.
> 
> I found about 10 or so such cases among the messages that I received yesterday.
> 
> So why does this happen? Are there any cases where a message is judged spam
> regardless of its score value? Or is it a bug in Rspamd?
> 
> Conditions and settings are as follows.
> 
> OS: FreeBSD 12.0-RELEASE amd64
> Rspamd: 1.8.3, installed by using FreeBSD port (mail/rspamd)
> 
> $CONFDIR/local.d/actions.conf:
> ----------------------------------------------------------------------
> reject = 1000;
> ----------------------------------------------------------------------
> 
> $CONFDIR/local.d/logging.inc:
> ----------------------------------------------------------------------
> debug_modules = ["bayes"];
> ----------------------------------------------------------------------
> 
> $CONFDIR/local.d/milter_headers.conf
> ----------------------------------------------------------------------
> extended_spam_headers = true;
> ----------------------------------------------------------------------
> 
> $CONFDIR/local.d/regexp.conf
> ----------------------------------------------------------------------
> HAS_7Z_ATTACHMENT {
> re = "Content-Type=/application\\/octet-stream.*name=.*\\.7z/B || Content-Disposition=/attachment.*filename=.*\\.7z/B";
> score = 20.0;
> description = "Has *.7z attachment";
> group = "header";
> }
> 
> HAS_DISPOSITION_NOTIFICATION_TO {
> re = "header_exists('Disposition-Notification-To')";
> score = 20.0;
> description = "Has Disposition-Notification-To header";
> group = "header";
> }
> 
> SPAM_FLAG {
> score = 0;
> }
> 
> SUBJECT_INCLUDES_HAM_WORDS {
> re = "Subject=/(20[0-9]{2}-[01][0-9]-[0-3][0-9] [0-2][0-9]:[0-5][0-9] [+-]?[01][0-9]{3} (Security|System) Events|[A-Za-z0-9.-]+: BruteForceBlocker blocking [0-9.]+\\/32|Logwatch for [A-Za-z0-9.-]+ \\(Linux\\))|(daily|weekly|monthly)( security)? run output/H";
> score = -100.0;
> description = "Subject includes ham words";
> group = "header";
> }
> 
> SUBJECT_INCLUDES_SPAM_WORDS {
> re = "Subject=/(cialis|direct axis|levitra|penisole|viagra|vpxl|アラート:アカウントが一時的に中断されています|最終的なお知らせ:あなたのアカウントは中断されます|代.*开|开.*票|发.*票)/Hiu";
> score = 10.0;
> description = "Subject includes spam words";
> group = "header";
> }
> 
> TO_OR_CC_INCLUDE_HAM_ADDRESSES {
> re = "To=/@ml.example.org/H || Cc=/@ml.example.org/H";
> score = -100.0;
> description = "To or Cc includes ham addresses";
> group = "header";
> }
> ----------------------------------------------------------------------
> 
> $CONFDIR/override.d/options.inc
> ----------------------------------------------------------------------
> local_addrs = [192.168.100.0/25, 192.168.100.128/26, fe80::/10];
> ----------------------------------------------------------------------
> 
> Best Regards.
> 
> ---
> Yasuhiro KIMURA

You have tuned the setting at which rspamd REJECTS spam. 

You have not tuned the "probable spam" metric, which is the score at
which rspamd writes in the X-Spam header. 

I would suggest a bit more time reading the rspamd manual pages :)
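
Added example, not part of the original thread and not Rspamd's own code: a small Python audit that parses the X-Spamd-Result header format quoted above, recomputes the total from the per-symbol scores, and reports when 'X-Spam: Yes' sits on a message scoring below a threshold the caller supplies. The `audit` function, its `spam_threshold` parameter and the sample message are constructed for illustration.

```python
import re
from decimal import Decimal
from email import message_from_string

# Constructed sample: X-Spam as reported in the thread, plus the quoted
# X-Spamd-Result with most zero-score symbols trimmed for brevity.
SAMPLE = """\
X-Spam: Yes
X-Spamd-Result: default: False [-97.81 / 1000.00];
\tSPAM_FLAG(0.00)[];
\tRCVD_COUNT_FIVE(0.00)[6];
\tMV_CASE(0.50)[];
\tMIME_GOOD(-0.10)[text/plain];
\tHAS_LIST_UNSUB(-0.01)[];
\tAUTH_NA(1.00)[];
\tMID_CONTAINS_FROM(1.00)[];
\tMAILLIST(-0.20)[mailman];
\tTO_OR_CC_INCLUDE_HAM_ADDRESSES(-100.00)[]
Subject: constructed test message

body
"""

NUM = r"(-?\d+(?:\.\d+)?)"
TOTAL_RE = re.compile(r"^\w+: (?:True|False) \[" + NUM + " / " + NUM + r"\]")
SYMBOL_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)\(" + NUM + r"\)")


def audit(raw_message, spam_threshold):
    """Recompute the score from the symbols and compare it with the X-Spam flag.

    spam_threshold is a hypothetical caller-supplied value: the score at which
    the local configuration is expected to start marking mail as spam.
    """
    msg = message_from_string(raw_message)
    # Unfold the header: collapse folding newlines/tabs into single spaces.
    result = " ".join((msg["X-Spamd-Result"] or "").split())
    total = TOTAL_RE.match(result)
    if total is None:
        raise ValueError("no parsable X-Spamd-Result header")
    reported = Decimal(total.group(1))
    symbols = [(n, Decimal(s)) for n, s in SYMBOL_RE.findall(result)]
    symbol_sum = sum((s for _, s in symbols), Decimal(0))
    flagged = (msg["X-Spam"] or "").strip().lower() == "yes"
    return {
        "reported_score": float(reported),
        "header_threshold": float(total.group(2)),
        "sum_matches": symbol_sum == reported,
        "nonzero": sorted(n for n, s in symbols if s != 0),
        "flag_below_threshold": flagged and reported < Decimal(str(spam_threshold)),
    }
```

Run over a mailbox, a check like this separates messages whose flag follows from the locally computed score from those where the flag and the score disagree.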

