[Rspamd-Users] Email hits BAYES_* after a few times

Sophie Loewenthal sophie at klunky.co.uk
Sun Jun 2 18:47:28 UTC 2019


Hi,

For some reason, emails that come in more than twice start hitting the BAYES_* rule, but these emails were not processed by 'rspamc learn_spam' or 'rspamc learn_ham'; those can be discounted. How does this email get into BAYES when I didn’t feed any emails from the sender into rspamc learn_spam?

e.g.

2nd email:
x-copernica-mid: pom:baiqkbat5s3friee:feedback.smartphonehoesjes.nl
X-Rspamd-Queue-Id: B012D5B
X-Spamd-Result: default: False [6.86 / 14.00];
	 ARC_NA(0.00)[];
	 BAYES_SPAM(4.34)[98.00%];
	 R_DKIM_ALLOW(-0.20)[copernica.com:s=two,smartphonehoesjes.nl:s=two];
	 FROM_HAS_DN(0.00)[];
	 R_SPF_ALLOW(-0.20)[+ip4:145.255.128.0/21];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	 TO_DN_NONE(0.00)[];
	 HTML_SHORT_LINK_IMG_1(2.00)[];
	 HAS_LIST_UNSUB(-0.01)[];
	 URI_COUNT_ODD(1.00)[31];
	 RCPT_COUNT_ONE(0.00)[1];
	 MANY_INVISIBLE_PARTS(0.20)[3];
	 DKIM_TRACE(0.00)[copernica.com:+,smartphonehoesjes.nl:+];
	 DMARC_POLICY_ALLOW(-0.50)[smartphonehoesjes.nl,none];
	 RCVD_IN_DNSWL_NONE(0.00)[131.131.255.145.list.dnswl.org : 127.0.15.0];
	 MX_GOOD(-0.01)[publisher.copernica.nl];
	 SUBJECT_ENDS_EXCLAIM(0.00)[];
	 FORGED_SENDER(0.30)[nieuwsbrief at smartphonehoesjes.nl,pom-baiqkbat5s3friee at feedback.smartphonehoesjes.nl];
	 RCVD_COUNT_ZERO(0.00)[0];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 IP_SCORE(0.04)[asn: 60781(0.26), country: NL(-0.07)];
	 ASN(0.00)[asn:60781, ipnet:145.255.128.0/21, country:NL];
	 FROM_NEQ_ENVFROM(0.00)[nieuwsbrief at smartphonehoesjes.nl,pom-baiqkbat5s3friee at feedback.smartphonehoesjes.nl]


3rd email:
X-Spamd-Result: default: False [8.29 / 14.00];
	 ARC_NA(0.00)[];
	 DMARC_POLICY_ALLOW(-0.50)[smartphonehoesjes.nl,none];
	 R_DKIM_ALLOW(-0.20)[copernica.com:s=zero,smartphonehoesjes.nl:s=zero];
	 BAYES_SPAM(5.04)[99.85%];
	 FROM_HAS_DN(0.00)[];
	 PHISH_EMOTION(1.00)[];
	 R_SPF_ALLOW(-0.20)[+ip4:145.255.128.0/21];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	 TO_DN_NONE(0.00)[];
	 HAS_LIST_UNSUB(-0.01)[];
	 URI_COUNT_ODD(1.00)[65];
	 RCPT_COUNT_ONE(0.00)[1];
	 MANY_INVISIBLE_PARTS(0.60)[7];
	 MX_GOOD(-0.01)[publisher.copernica.nl];
	 DKIM_TRACE(0.00)[copernica.com:+,smartphonehoesjes.nl:+];
	 RCVD_IN_DNSWL_NONE(0.00)[245.135.255.145.list.dnswl.org : 127.0.15.0];
	 SUBJECT_ENDS_EXCLAIM(0.00)[];
	 FORGED_SENDER(0.30)[nieuwsbrief at smartphonehoesjes.nl,pom-baiqkbctvu37zmfg at feedback.smartphonehoesjes.nl];
	 RCVD_COUNT_ZERO(0.00)[0];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 IP_SCORE(0.05)[asn: 60781(0.31), country: NL(-0.07)];
	 ASN(0.00)[asn:60781, ipnet:145.255.128.0/21, country:NL];
	 FROM_NEQ_ENVFROM(0.00)[nieuwsbrief at smartphonehoesjes.nl,pom-baiqkbctvu37zmfg at feedback.smartphonehoesjes.nl];
	 PHISHING(1.32)[handyhuellen.de->smartphonehoesjes.nl]


It’s a bit rum: how could I investigate this?

Thanks, Sophie






