[Rspamd-Users] Grab.com or amazonses.com messages are scored 11.99

Alexander Moisseev moiseev at mezonplus.ru
Wed Jul 10 15:46:58 UTC 2019


On 10.07.2019 15:22, Sophie Loewenthal wrote:
> Hi,
> 
> I just realised that emails from grab.com were being marked as spam. Grab.com is the biggest competition to Uber in South East Asia. The poison pill was a whopping 11.99.
> 
> Why did FUZZY_DENIED assign 11.99 points and did it assign based on grab.com or amazonses.com?
> 
> (default: T (reject): [15.06/14.00] [FUZZY_DENIED(11.99)
> 705c5943fd8776c629e6244fc565b33eea27cd9a3d6d69b5b5b1bc100e7d8a9002cdd1baa5ea172059c52c676e8c73106cc0c3c3c188f318a6b90615444c47a8 with weight: 0.99, probability 1.00, in list: FUZZY_DENIED:1
> 
If you are sure that it is a false positive, you can request delisting of this hash on https://bl.rspamd.com/ .


> 2019-07-10 12:03:01 #1143(normal) <47b077>; task; rspamd_task_write_log: id: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at email.amazonses.com>, qid: <B31475B>, ip: 54.240.11.165, from: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000 at ses-us-east-1.grab.com>, (default: T (reject): [15.06/14.00] [FUZZY_DENIED(11.99){1:705c5943fd:1.00:txt;}, ...

> 
> 
> I see I can whitelist grab.com but I prefer to understand how this hit in the first place. Especially such a high scoring rule could reject many legitimate senders.
> 
> Or how could I disable FUZZY_DENIED?
> 
> 
> Where should I put something like this:
> settings {
>      SJL_grab_com {
>          priority = high;
>          from = "@grab.com";
>          from = "/@grab\.com$/";
>          apply "default" {
>              FUZZY_DENIED = 0.0;
>          }
>      }
> }
> 

I think the from domain in your sample is not @grab.com but @ses-us-east-1.grab.com .

You can put the following in local.d/settings.conf:

SJL_grab_com {
     priority = high;
     from = "@ses-us-east-1.grab.com";
     apply {
         FUZZY_DENIED = 0.0;
     }
}

If those mails come from different 3rd level domains, you can use multiple 'from =' directives or a regexp like 'from = "/@ses-us-east-[1-4]\.grab\.com$/";' (it is just an example, please modify it accordingly).
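
One way to check which 'from' values would have matched the sender in the log line above before editing the settings file. This is an added example, not part of the original message and not Rspamd code; from_matches is an assumed approximation of the settings 'from' semantics built on Python's re module, and all function names are hypothetical.

```python
import re

# Log line from the post, with "@" restored where the list archive wrote " at ".
LOG_LINE = (
    "2019-07-10 12:03:01 #1143(normal) <47b077>; task; rspamd_task_write_log: "
    "id: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000@email.amazonses.com>, "
    "qid: <B31475B>, ip: 54.240.11.165, "
    "from: <0100016bdbc3dc5e-83aabfcd-fa7d-48a6-bc47-fd4b23d0dc88-000000@ses-us-east-1.grab.com>, "
    "(default: T (reject): [15.06/14.00] [FUZZY_DENIED(11.99){1:705c5943fd:1.00:txt;}, ..."
)

# Candidate 'from' values taken from the question and from the reply.
MATCHERS = [
    "@grab.com",
    r"/@grab\.com$/",
    "@ses-us-east-1.grab.com",
    r"/@ses-us-east-[1-4]\.grab\.com$/",
]

def parse_log(line):
    """Extract envelope sender, total and required score, and per-symbol scores."""
    sender = re.search(r"\bfrom: <([^>]*)>", line).group(1)
    total, required = map(float, re.search(r"\[(-?[\d.]+)/(-?[\d.]+)\]", line).groups())
    symbols = {n: float(s) for n, s in re.findall(r"([A-Z][A-Z0-9_]+)\((-?[\d.]+)\)", line)}
    return sender, total, required, symbols

def from_matches(matcher, sender):
    """Assumed semantics: "/re/" is a regexp, "@domain" an exact domain, else a full address."""
    if len(matcher) > 1 and matcher.startswith("/") and matcher.endswith("/"):
        return re.search(matcher[1:-1], sender) is not None
    if matcher.startswith("@"):
        return sender.rpartition("@")[2].lower() == matcher[1:].lower()
    return sender.lower() == matcher.lower()

def evaluate(line, matchers, symbol="FUZZY_DENIED"):
    """Report which matchers hit the sender and the score with `symbol` set to 0."""
    sender, total, required, symbols = parse_log(line)
    hits = {m: from_matches(m, sender) for m in matchers}
    rescored = round(total - symbols.get(symbol, 0.0), 2)
    return sender, hits, rescored, rescored >= required

if __name__ == "__main__":
    sender, hits, rescored, rejected = evaluate(LOG_LINE, MATCHERS)
    print("envelope from domain:", sender.rpartition("@")[2])
    for matcher, hit in hits.items():
        print(f"  {matcher:40} {'match' if hit else 'no match'}")
    print(f"score with FUZZY_DENIED = 0.0: {rescored} (reject: {rejected})")
```
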

