[Rspamd-Users] Phishing email mark as legit with very low score

Durga Prasad Malyala dp.malyala at gmail.com
Mon Jul 29 23:14:21 UTC 2019


On Mon, Jul 29, 2019, 17:17 Gabriele Nencioni <gabriele.nencioni at register.it>
wrote:

> Hi all,
> I have an issue with a phishing email, with a malicious URL pointing to
> garalmiase.xyz:
>
> <a href=3D"
> https://garalmiase.xyz/ERTY6RUYAERYHTUHTE/ETSHTRHTESDYWRTG6TYGJH=
>
> ETHBNRYTH/SETYHAYH6TUH56356I687UH/AE56YWS357Y6U5HY6UY35YYH66B4TU/SE45Y43YH6=
>
> TUJHT5ERYWS54HTY3564TY35/54EY45WRTUJ5ERYH65UYH56UYH6/6RWYHT5UH6R5RYY54WERTJ=
>
> EH/WS5YHT46TYH54TUH6T4RUHY5YW56/W56TEYW54TYH46ERTH54YH54TUHY65/4W5YTRYW54EY=
>
> THRYE5Y54TH46/W54EYTG54WERYWGW4E6YTHG54TH64/mailbox/W54Y54ERHGB4E54DYG54WYG=
> /userarchive/redo.php?email=3Dan-our-mailbox at dada.eu">dada.eu</a>
>
>
> detected as legit by rspamd with, imho, a very low score as you can see
> from the rspamd headers:
>
> X-Spamd-Result: default: False [4.50 / 10.00];
>          ARC_NA(0.00)[];
>          RCVD_VIA_SMTP_AUTH(0.00)[];
>          DMARC_POLICY_SOFTFAIL(0.10)
>          CSI_POOR_REPUTATION_SENDER(2.00)
>          FROM_HAS_DN(0.00)[];
>          TO_MATCH_ENVRCPT_ALL(0.00)[];
>          COUNTRY_US(0.20)
>          PREVIOUSLY_DELIVERED(0.00)
>          TO_DN_NONE(0.00)[];
>          R_SPF_SOFTFAIL(0.00)[~all];
>          RCPT_COUNT_ONE(0.00)[1];
>          MIME_HTML_ONLY(0.20)[];
>          SUBJECT_ENDS_EXCLAIM(0.00)[];
>          FROM_EQ_ENVFROM(0.00)[];
>          R_DKIM_NA(0.00)[];
>          RCVD_TLS_LAST(0.00)[];
>          ASN(0.00)[asn:14061, ipnet:167.99.144.0/20, country:US];
>          MID_RHS_MATCH_FROM(0.00)[];
>          HTTP_TO_HTTPS(2.00)[];
>
>
>
> A low number of symbols have been triggered, I expected at least
> something like "Symbol: PHISHING [dada.eu->garalmiase.xyz]" but it
> didn't happen.
>
> What could be the reason?
>
> I have just added that message to BAYES_SPAM, in order to increase the
> score by 5.1 points; anyway, are there any other actions to take in order
> to reject this kind of message and mark it as spam?
>
>
> Thanks in advance.
> Regards,
> --
> Gabriele Nencioni
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users

Hi,
How did you attach that warning at the top?
Thank you
DP
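To see exactly where the 4.50 in the quoted X-Spamd-Result header comes from, here is an added Python helper (not from the thread or from the Rspamd project) that parses the header format quoted above, lists the symbols that actually contributed score, and checks that the symbol scores add up to the reported total. The header value is a constructed copy of the one in the quoted message.

```python
import re

# Constructed sample: the X-Spamd-Result value from the quoted message,
# refolded onto fewer lines (folding does not affect parsing).
SAMPLE_HEADER = """default: False [4.50 / 10.00];
  ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; DMARC_POLICY_SOFTFAIL(0.10)
  CSI_POOR_REPUTATION_SENDER(2.00) FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
  COUNTRY_US(0.20) PREVIOUSLY_DELIVERED(0.00) TO_DN_NONE(0.00)[];
  R_SPF_SOFTFAIL(0.00)[~all]; RCPT_COUNT_ONE(0.00)[1]; MIME_HTML_ONLY(0.20)[];
  SUBJECT_ENDS_EXCLAIM(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
  RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:14061, ipnet:167.99.144.0/20, country:US];
  MID_RHS_MATCH_FROM(0.00)[]; HTTP_TO_HTTPS(2.00)[];"""

# "<action/config>: <True|False> [<score> / <required>]" at the start of the value
HEAD_RE = re.compile(r"^\s*(\S+):\s*(True|False)\s*\[([-\d.]+)\s*/\s*([-\d.]+)\]")
# "SYMBOL(score)" with an optional "[opt1, opt2]" block of symbol options
SYM_RE = re.compile(r"([A-Z0-9_]+)\(([-\d.]+)\)(?:\[([^\]]*)\])?")


def parse_spamd_result(header: str) -> dict:
    """Parse an X-Spamd-Result value into verdict, scores and per-symbol data."""
    m = HEAD_RE.match(header)
    if not m:
        raise ValueError("not an X-Spamd-Result header")
    symbols = {}
    for name, score, opts in SYM_RE.findall(header):
        symbols[name] = (float(score), opts.split(", ") if opts else [])
    return {
        "is_spam": m.group(2) == "True",
        "score": float(m.group(3)),
        "required": float(m.group(4)),
        "symbols": symbols,
    }


def contributing_symbols(result: dict) -> list:
    """Symbols with a non-zero weight, highest contribution first."""
    hits = [(n, s) for n, (s, _) in result["symbols"].items() if s != 0.0]
    return sorted(hits, key=lambda x: -x[1])


def score_consistent(result: dict, tolerance: float = 0.01) -> bool:
    """True when the symbol weights add up to the reported total score."""
    total = sum(s for s, _ in result["symbols"].values())
    return abs(total - result["score"]) < tolerance


def missing_prefixes(result: dict, prefixes=("PHISHING", "BAYES_SPAM")) -> list:
    """Symbol families one would expect on a phish but that did not fire."""
    names = result["symbols"]
    return [p for p in prefixes if not any(n.startswith(p) for n in names)]
```

Running it on the sample shows that only five symbols carry weight (two of them at 2.00) and that neither a PHISHING nor a BAYES_SPAM symbol fired, which is why the total stays well under the 10.00 threshold.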
