[Rspamd-Users] Grab.com or amazonses.com messages are scored 11.99

Sophie Loewenthal sophie at klunky.co.uk
Wed Jul 10 12:22:41 UTC 2019


Hi,

I just realised that emails from grab.com were being marked as spam. Grab.com is the biggest competition to Uber in South East Asia. The poison pill was a whopping 11.99.

Why did FUZZY_DENIED assign 11.99 points and did it assign based on grab.com or amazonses.com?

(default: T (reject): [15.06/14.00] [FUZZY_DENIED(11.99)
705c5943fd8776c629e6244fc565b33eea27cd9a3d6d69b5b5b1bc100e7d8a9002cdd1baa5ea172059c52c676e8c73106cc0c3c3c188f318a6b90615444c47a8 with weight: 0.99, probability 1.00, in list: FUZZY_DENIED:1


Full details here from rspamd.log:
2019-07-10 12:02:59 #1143(normal) <47b077>; task; accept_socket: accepted connection from 127.0.0.1 port 48788, task ptr: 00005603BBFFD950
2019-07-10 12:02:59 #1143(normal) <47b077>; task; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2019-07-10 12:02:59 #1143(normal) <47b077>; task; rspamd_message_parse: loaded message; id: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at email.amazonses.com>; queue-id: <B31475B>; size: 28960; checksum: <aba5d795ccc3fd337327e44a933505ee>
2019-07-10 12:02:59 #1143(normal) <47b077>; task; rspamd_mime_part_detect_language: detected part language: en
2019-07-10 12:02:59 #1143(normal) <47b077>; task; spf_plugin_callback: stored record for ses-us-east-1.grab.com (0x1287b69ecc726753) in LRU cache for 297 seconds, 232/2000 elements in the cache
2019-07-10 12:02:59 #1143(normal) <47b077>; task; dkim_module_key_handler: stored DKIM key for 6gbrjpgwjskckoa6a5zn6fwqkn67xbtw._domainkey.amazonses.com in LRU cache for 3600 seconds, 255/2000 elements in the cache
2019-07-10 12:02:59 #1143(normal) <47b077>; task; dkim_module_key_handler: stored DKIM key for 5gnattqsgcw2hwce6ukeoabtqs2utx7r._domainkey.grab.com in LRU cache for 3600 seconds, 256/2000 elements in the cache
2019-07-10 12:03:00 #1143(normal) <47b077>; task; fuzzy_insert_result: found exact fuzzy hash(txt) 705c5943fd8776c629e6244fc565b33eea27cd9a3d6d69b5b5b1bc100e7d8a9002cdd1baa5ea172059c52c676e8c73106cc0c3c3c188f318a6b90615444c47a8 with weight: 0.99, probability 1.00, in list: FUZZY_DENIED:1
2019-07-10 12:03:01 #1143(normal) <47b077>; task; rspamd_symcache_process_symbols: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at email.amazonses.com> has already scored more than 16.13, so do not plan more checks
2019-07-10 12:03:01 #1143(normal) <47b077>; lua; neural.lua:449: trained ANN rule RFANN, save spam vector, 205 bytes
2019-07-10 12:03:01 #1143(normal) <47b077>; task; rspamd_task_write_log: id: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at email.amazonses.com>, qid: <B31475B>, ip: 54.240.11.165, from: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at ses-us-east-1.grab.com>, (default: T (reject): [15.06/14.00] [FUZZY_DENIED(11.99){1:705c5943fd:1.00:txt;},MIME_MA_MISSING_TEXT(2.00){},IP_SCORE(-1.45){ipnet: 54.240.8.0/21(-4.10), asn: 14618(-3.08), country: US(-0.08);},R_BAD_CTE_7BIT(1.05){7bit;utf8;},CTYPE_MIXED_BOGUS(1.00){},BAYES_HAM(-0.61){82.03%;},MV_CASE(0.50){},FORGED_SENDER(0.30){no-reply at grab.com;0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at ses-us-east-1.grab.com;},MIME_HTML_ONLY(0.20){},BAD_REP_POLICIES(0.10){},MANY_INVISIBLE_PARTS(0.10){2;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;},MX_GOOD(-0.01){feedback-smtp.us-east-1.amazonses.com;feedback-smtp.us-east-1.amazonses.com;feedback-smtp.us-east-1.amazonses.com;},ARC_NA(0.00){},ASN(0.00){asn:14618, ipnet:54.240.8.0/21, country:US;},DKIM_TRACE(0.00){grab.com:+;amazonses.com:+;},DMARC_POLICY_ALLOW(0.00){grab.com;quarantine;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){no-reply at grab.com;0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at ses-us-east-1.grab.com;},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},RCVD_IN_DNSWL_NONE(0.00){165.11.240.54.list.dnswl.org : 127.0.15.0;},R_DKIM_ALLOW(0.00){grab.com:s=5gnattqsgcw2hwce6ukeoabtqs2utx7r;amazonses.com:s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw;},R_SPF_ALLOW(0.00){+ip4:54.240.0.0/18;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 28960, time: 2196.438ms real, 17.763ms virtual, dns req: 47, digest: <aba5d795ccc3fd337327e44a933505ee>, rcpts: <user at example.co.uk>, mime_rcpts: <user at example.co.uk>
2019-07-10 12:03:01 #1143(normal) <47b077>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 185 regexps total, 95 regexps cached, 0B scanned using pcre, 28.31KiB scanned total


I see I can whitelist grab.com, but I would prefer to understand how this hit in the first place, especially as such a high-scoring rule could reject many legitimate senders.

Or how could I disable FUZZY_DENIED?


Where should I put something like this:
settings {
    SJL_grab_com {
        priority = high;
        from = "@grab.com";
        from = "/@grab\.com$/";
        apply "default" {
            FUZZY_DENIED = 0.0;
        }
    }
}


Best,
Sophie 
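
Added example (not part of the original post and not Rspamd's own code): a small Python parser for the symbol list in the rspamd_task_write_log line above, ranking each symbol's contribution and showing what the total would be without FUZZY_DENIED. The sample line is shortened from the post's log, and reading the FUZZY_DENIED option as flag:hash prefix:probability:type is an assumption inferred from the fuzzy_insert_result line.

```python
import re

# Constructed sample: shortened from the rspamd_task_write_log line in the
# post above (most zero-score symbols and the trailing metadata are trimmed).
SAMPLE = (
    "(default: T (reject): [15.06/14.00] ["
    "FUZZY_DENIED(11.99){1:705c5943fd:1.00:txt;},"
    "MIME_MA_MISSING_TEXT(2.00){},"
    "IP_SCORE(-1.45){ipnet: 54.240.8.0/21(-4.10), asn: 14618(-3.08), country: US(-0.08);},"
    "R_BAD_CTE_7BIT(1.05){7bit;utf8;},"
    "CTYPE_MIXED_BOGUS(1.00){},"
    "BAYES_HAM(-0.61){82.03%;},"
    "R_DKIM_ALLOW(0.00){grab.com:s=5gnattqsgcw2hwce6ukeoabtqs2utx7r;}])"
)

HEADER = re.compile(r"\((\w+): \w \(([^)]+)\): \[(-?[\d.]+)/(-?[\d.]+)\]")
# NAME(score){options}; an inner "US(-0.08);" is skipped because no "{" follows it.
SYMBOL = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+\.\d+)\)\{([^}]*)\}")

def parse_result(line):
    """Return action, total score, threshold and per-symbol details."""
    head = HEADER.search(line)
    if head is None:
        raise ValueError("no rspamd result block in line")
    symbols = [
        {"name": n, "score": float(s), "options": [o for o in opts.split(";") if o]}
        for n, s, opts in SYMBOL.findall(line[head.end():])
    ]
    symbols.sort(key=lambda sym: abs(sym["score"]), reverse=True)
    return {"action": head.group(2), "score": float(head.group(3)),
            "threshold": float(head.group(4)), "symbols": symbols}

def score_without(result, name):
    """Total score if the named symbol had contributed nothing."""
    hit = sum(s["score"] for s in result["symbols"] if s["name"] == name)
    return round(result["score"] - hit, 2)

def fuzzy_hits(result, name="FUZZY_DENIED"):
    """Split fuzzy options, assumed to be flag:hash prefix:probability:type."""
    keys = ("flag", "hash_prefix", "probability", "type")
    return [dict(zip(keys, opt.split(":")))
            for s in result["symbols"] if s["name"] == name for opt in s["options"]]

if __name__ == "__main__":
    res = parse_result(SAMPLE)
    for sym in res["symbols"][:5]:
        print(f'{sym["score"]:+6.2f}  {sym["name"]}  {sym["options"]}')
    print("without FUZZY_DENIED:", score_without(res, "FUZZY_DENIED"), "/", res["threshold"])
    print(fuzzy_hits(res))
```

On the logged values, the message would have scored 3.07 against a reject threshold of 14.00 without the fuzzy hit, and the "txt" type matches the "fuzzy hash(txt)" entry in the log.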






