[Rspamd-Users] 'X-Spam: Yes' is added to some messages that have lesser score than spam threshold
André Peters
andre.peters at debinux.de
Fri Feb 8 21:34:51 UTC 2019
Also looks like the message might already have an X-Spam header when it
arrives:
SPAM_FLAG(0.00)[];
I don't think Rspamd would detect its own flag.
------ Original Message ------
From: "Tim Harman via Users" <users at lists.rspamd.com>
To: "User questions" <users at lists.rspamd.com>
Cc: "Tim Harman" <tim at muppetz.com>
Sent: 08.02.2019 22:30:19
Subject: Re: [Rspamd-Users] 'X-Spam: Yes' is added to some messages that
have lesser score than spam threshold
>On 09/02/2019 8:15 am, Yasuhiro KIMURA wrote:
>
>> Hello all.
>>
>> On my home server 'extended_spam_headers = true' is added to
>> $CONFDIR/local.d/milter_headers.conf. Yesterday I checked
>> X-Spamd-Result header of some messages and found strange behaviors of
>> Rspamd.
>>
>> For example, one message I received yesterday had the following
>> X-Spamd-Result header.
>>
>> ----------------------------------------------------------------------
>> X-Spamd-Result: default: False [-97.81 / 1000.00];
>> ARC_NA(0.00)[];
>> RCVD_VIA_SMTP_AUTH(0.00)[];
>> SPAM_FLAG(0.00)[];
>> RCVD_COUNT_FIVE(0.00)[6];
>> FROM_HAS_DN(0.00)[];
>> FORWARDED(0.00)[user at example.com];
>> MV_CASE(0.50)[];
>> MIME_GOOD(-0.10)[text/plain];
>> TO_DN_NONE(0.00)[];
>> DMARC_NA(0.00)[examle.com];
>> HAS_LIST_UNSUB(-0.01)[];
>> RCPT_COUNT_ONE(0.00)[1];
>> AUTH_NA(1.00)[];
>> RCVD_TLS_LAST(0.00)[];
>> MID_CONTAINS_FROM(1.00)[];
>> FORGED_SENDER_FORWARDING(0.00)[];
>> MAILLIST(-0.20)[mailman];
>> R_SPF_NA(0.00)[];
>> FORGED_SENDER(0.00)[user at examle.com,foo-bounces at ml.example.org];
>> TO_OR_CC_INCLUDE_HAM_ADDRESSES(-100.00)[];
>> R_DKIM_NA(0.00)[];
>> MIME_TRACE(0.00)[0:+];
>> HAS_REPLYTO(0.00)[foo at ml.examle.org];
>> FROM_NEQ_ENVFROM(0.00)[user at examle.com,foo-bounces at ml.examle.org];
>> FORGED_SENDER_MAILLIST(0.00)[]
>> ----------------------------------------------------------------------
>>
>> As you can see the score of this message is minus and obviously less
>> than spam threshold. But still 'X-Spam: Yes' was added to it.
>>
>> I found about 10 or so cases from messages that I received yesterday.
>>
>> Then why does this happen? Are there any cases where a message is judged
>> spam regardless of its score value? Or is it a bug in Rspamd?
>>
>> Conditions and settings are as follows.
>>
>> OS: FreeBSD 12.0-RELEASE amd64
>> Rspamd: 1.8.3, installed by using FreeBSD port (mail/rspamd)
>>
>> $CONFDIR/local.d/actions.conf:
>> ----------------------------------------------------------------------
>> reject = 1000;
>> ----------------------------------------------------------------------
>>
>> $CONFDIR/local.d/logging.inc:
>> ----------------------------------------------------------------------
>> debug_modules = ["bayes"];
>> ----------------------------------------------------------------------
>>
>> $CONFDIR/local.d/milter_headers.conf
>> ----------------------------------------------------------------------
>> extended_spam_headers = true;
>> ----------------------------------------------------------------------
>>
>> $CONFDIR/local.d/regexp.conf
>> ----------------------------------------------------------------------
>> HAS_7Z_ATTACHMENT {
>> re = "Content-Type=/application\\/octet-stream.*name=.*\\.7z/B || Content-Disposition=/attachment.*filename=.*\\.7z/B";
>> score = 20.0;
>> description = "Has *.7z attachment";
>> group = "header";
>> }
>>
>> HAS_DISPOSITION_NOTIFICATION_TO {
>> re = "header_exists('Disposition-Notification-To')";
>> score = 20.0;
>> description = "Has Disposition-Notification-To header";
>> group = "header";
>> }
>>
>> SPAM_FLAG {
>> score = 0;
>> }
>>
>> SUBJECT_INCLUDES_HAM_WORDS {
>> re = "Subject=/(20[0-9]{2}-[01][0-9]-[0-3][0-9] [0-2][0-9]:[0-5][0-9] [+-]?[01][0-9]{3} (Security|System) Events|[A-Za-z0-9.-]+: BruteForceBlocker blocking [0-9.]+\\/32|Logwatch for [A-Za-z0-9.-]+ \\(Linux\\))|(daily|weekly|monthly)( security)? run output/H";
>> score = -100.0;
>> description = "Subject includes ham words";
>> group = "header";
>> }
>>
>> SUBJECT_INCLUDES_SPAM_WORDS {
>> re = "Subject=/(cialis|direct axis|levitra|penisole|viagra|vpxl|アラート:アカウントが一時的に中断されています|最終的なお知らせ:あなたのアカウントは中断されます|代.*开|开.*票|发.*票)/Hiu";
>> score = 10.0;
>> description = "Subject includes spam words";
>> group = "header";
>> }
>>
>> TO_OR_CC_INCLUDE_HAM_ADDRESSES {
>> re = "To=/@ml.example.org/H || Cc=/@ml.example.org/H";
>> score = -100.0;
>> description = "To or Cc includes ham addresses";
>> group = "header";
>> }
>> ----------------------------------------------------------------------
>>
>> $CONFDIR/override.d/options.inc
>> ----------------------------------------------------------------------
>> local_addrs = [192.168.100.0/25, 192.168.100.128/26, fe80::/10];
>> ----------------------------------------------------------------------
>>
>> Best Regards.
>>
>> ---
>> Yasuhiro KIMURA
>
>You have tuned the setting at which rspamd REJECTS spam.
>
>You have not tuned the "probable spam" metric, which is the score at
>which rspamd writes in the X-Spam header.
>
>I would suggest a bit more time reading the rspamd manual pages :)
>--
>Users mailing list
>Users at lists.rspamd.com
>https://lists.rspamd.com/mailman/listinfo/users
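
One way to check the two explanations in this thread against a header like the one quoted, as an added example that is not part of the original messages: it parses an extended X-Spamd-Result value and reports whether the score reached an add_header threshold or whether SPAM_FLAG shows a spam flag was already present when the message was scanned. The sample header is abbreviated from the thread, and the threshold of 6.0 and the function names are assumptions, not values from the poster's configuration.

```python
import re

# Constructed sample: abbreviated from the X-Spamd-Result header quoted in the thread.
SAMPLE = """X-Spamd-Result: default: False [-97.81 / 1000.00];
 ARC_NA(0.00)[];
 SPAM_FLAG(0.00)[];
 RCVD_COUNT_FIVE(0.00)[6];
 MAILLIST(-0.20)[mailman];
 FORGED_SENDER(0.00)[user at example.com,foo-bounces at ml.example.org];
 TO_OR_CC_INCLUDE_HAM_ADDRESSES(-100.00)[];
 FORGED_SENDER_MAILLIST(0.00)[]"""

# "<metric>: <True|False> [<score> / <threshold printed in the header>]"
SUMMARY_RE = re.compile(
    r"(\w+):\s*(True|False)\s*\[\s*(-?\d+(?:\.\d+)?)\s*/\s*(-?\d+(?:\.\d+)?)\s*\]")
# "NAME(score)[options]"
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+(?:\.\d+)?)\)\[([^\]]*)\]")


def parse_spamd_result(header):
    """Parse an extended X-Spamd-Result header into its summary and symbols."""
    value = " ".join(header.split())  # unfold continuation lines
    m = SUMMARY_RE.search(value)
    if m is None:
        raise ValueError("no '<metric>: <bool> [score / threshold]' summary found")
    symbols = {name: (float(score), opts)
               for name, score, opts in SYMBOL_RE.findall(value[m.end():])}
    return {"metric": m.group(1), "verdict": m.group(2),
            "score": float(m.group(3)), "threshold": float(m.group(4)),
            "symbols": symbols}


def explain_x_spam(header, add_header_score):
    """Classify why a delivered message could carry 'X-Spam: Yes'.

    add_header_score is the caller's configured add_header threshold
    (an assumption here; the thread does not show one).
    """
    result = parse_spamd_result(header)
    if result["score"] >= add_header_score:
        return "local-score"       # this scan's score is enough on its own
    if "SPAM_FLAG" in result["symbols"]:
        return "already-flagged"   # a spam flag header was present when scanned
    return "unexplained"


if __name__ == "__main__":
    print(explain_x_spam(SAMPLE, add_header_score=6.0))
```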