[Rspamd-Users] Phishing email mark as legit with very low score

Gabriele Nencioni gabriele.nencioni at register.it
Mon Jul 29 09:19:54 UTC 2019


Hi all,
I have an issue with a phishing email, with a malicious url points to
garalmiase.xyz:

<a href=3D"https://garalmiase.xyz/ERTY6RUYAERYHTUHTE/ETSHTRHTESDYWRTG6TYGJH=
ETHBNRYTH/SETYHAYH6TUH56356I687UH/AE56YWS357Y6U5HY6UY35YYH66B4TU/SE45Y43YH6=
TUJHT5ERYWS54HTY3564TY35/54EY45WRTUJ5ERYH65UYH56UYH6/6RWYHT5UH6R5RYY54WERTJ=
EH/WS5YHT46TYH54TUH6T4RUHY5YW56/W56TEYW54TYH46ERTH54YH54TUHY65/4W5YTRYW54EY=
THRYE5Y54TH46/W54EYTG54WERYWGW4E6YTHG54TH64/mailbox/W54Y54ERHGB4E54DYG54WYG=
/userarchive/redo.php?email=3Dan-our-mailbox at dada.eu">dada.eu</a>


detected as legit by rspamd with, imho, a very low score, as you can see
from the rspamd headers:

X-Spamd-Result: default: False [4.50 / 10.00];
	 ARC_NA(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 DMARC_POLICY_SOFTFAIL(0.10)
	 CSI_POOR_REPUTATION_SENDER(2.00)
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 COUNTRY_US(0.20)
	 PREVIOUSLY_DELIVERED(0.00)
	 TO_DN_NONE(0.00)[];
	 R_SPF_SOFTFAIL(0.00)[~all];
	 RCPT_COUNT_ONE(0.00)[1];
	 MIME_HTML_ONLY(0.20)[];
	 SUBJECT_ENDS_EXCLAIM(0.00)[];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 RCVD_TLS_LAST(0.00)[];
	 ASN(0.00)[asn:14061, ipnet:167.99.144.0/20, country:US];
	 MID_RHS_MATCH_FROM(0.00)[];
	 HTTP_TO_HTTPS(2.00)[];



Only a low number of symbols has been triggered; I expected at least
something like "Symbol: PHISHING [dada.eu->garalmiase.xyz]", but it
didn't happen.

What could be the reason?

I have just added that message to BAYES_SPAM, in order to increase the
score by 5.1 points; anyway, are there any other actions to take in order
to reject this kind of message and mark it as spam?


Thanks in advance.
Regards,
-- 
Gabriele Nencioni
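The check the poster expected, an anchor whose visible text looks like a domain (dada.eu) while the href points somewhere else (garalmiase.xyz), can be reproduced outside rspamd to confirm what the message actually contains. The following is an added example, not rspamd's phishing module and not code from the poster; it decodes a quoted-printable HTML fragment as it appears in a raw message, collects the anchors, and reports text/href domain mismatches. The sample fragment is constructed from the one in the post with the path shortened, and the registered-domain helper is a crude last-two-labels approximation used here instead of a public-suffix list (an assumption for an offline example).

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: quoted-printable HTML modelled on the post's anchor.
# "=3D" is an encoded "=", and "=" at end of line is a soft line break.
SAMPLE_QP = b"""<p>Please verify your mailbox:
<a href=3D"https://garalmiase.xyz/mailbox/userarchive/redo.php?email=3Duse=
r@dada.eu">dada.eu</a></p>
<p><a href=3D"https://example.org/help">Help centre</a></p>
"""

# Visible anchor text that reads like a bare domain or URL.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); assumption: no public-suffix list offline."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_phishing_anchors(qp_bytes):
    """Return (shown_domain, actual_domain) for anchors whose visible text
    names one domain while the href resolves to a different one."""
    html = quopri.decodestring(qp_bytes).decode("utf-8", "replace")
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = DOMAIN_RE.match(text)
        if not match:
            continue  # plain wording such as "Help centre" is not compared
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((shown, actual))
    return findings


if __name__ == "__main__":
    for shown, actual in find_phishing_anchors(SAMPLE_QP):
        print(f"PHISHING [{shown}->{actual}]")
```

Running it on the constructed sample prints `PHISHING [dada.eu->garalmiase.xyz]`, the shape of the symbol the poster was looking for; feeding it the raw body of the undetected message is a quick way to verify that the anchor text really is domain-like before digging into why the module stayed silent.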

