[Rspamd-Users] How to debug unexpected RSPAMD_EMAILBL score?

Vsevolod Stakhov vsevolod at rspamd.com
Tue Jun 18 16:48:11 UTC 2019


On 18/06/2019 17:11, Vadim Zeitlin wrote:
>  Hello,
> 
>  Emails from a particular person get filtered as spam by rspamd (version
> 1.9.4 with mostly default configuration) that I'm running because of the
> elevated score for RSPAMD_EMAILBL (9.50). I'd like to understand where
> this is coming from and which email exactly triggers this. Looking in the log
> I see something like this (slightly redacted and wrapped for ease of
> reading):
> 
> 2019-06-18 17:32:30 #11569(normal) <505c92>; task; rspamd_task_write_log:
> id: <xxx>, qid: <xxx>, ip: xxx, from: <someone at domain.com>, (default: T (add
> header): [6.77/15.00] [RSPAMD_EMAILBL(9.50){.;pdj11uthygksitexhj564i1yyehsjbft;},
> BAYES_HAM(-5.62){96.47%;},AUTH_NA(1.00){},REPLYTO_UNPARSEABLE(1.00){},
> URI_COUNT_ODD(1.00){5;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},
> ...
> 
> and I have no idea where this weird "pdj11uthygksitexhj564i1yyehsjbft"
> string comes from. Looking at the only other occurrence of RSPAMD_EMAILBL in
> my log, I see this:

It is the result of hashing to protect privacy when querying emails over
DNS.

This particular result - an email that is `.` - looks very bad. I tried my
best to avoid this crap but it seems I've failed (again). Do you have a
message sample to share with me (presumably via private email)?

In the meantime this hash is deleted but it can appear again I suppose...

> RSPAMD_EMAILBL(9.50){longgiacomputer.gmail.com;y6k3i5t3suzw3ygj6jrz3sgydey1d84u;}
> 
> which would seem to indicate that the actual blacklisted email is supposed
> to be in the first field, but in the case of the false positive above it is
> empty, so could someone please explain what's going on here?
> 
>  On a related note, how can I test RSPAMD_EMAILBL manually? I thought I was
> just supposed to make a DNS lookup of localpart.domain.email.rspamd.com,
> but looking up longgiacomputer.gmail.com.email.rspamd.com returns SERVFAIL
> and for longgiacomputer at gmail.com.email.rspamd.com I get NXDOMAIN.


Just check this hash against it.
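
An added example, not part of the original thread and not Rspamd's own code: a Python helper that pulls RSPAMD_EMAILBL entries out of `rspamd_task_write_log` lines, flags entries whose logged address is not a plausible address (such as the `.` above), and builds the DNS name to look up for each hash. The `<hash>.email.rspamd.com` query layout is an assumption based on the reply above, the function and field names are hypothetical, and the sample log lines are constructed from the entries quoted in the thread.

```python
import re

# Constructed sample: the two RSPAMD_EMAILBL entries quoted in the thread,
# placed in shortened log lines (timestamps and ids are made up).
SAMPLE_LOG = """\
2019-06-18 17:32:30 #11569(normal) <505c92>; task; rspamd_task_write_log: id: <xxx>, (default: T (add header): [6.77/15.00] [RSPAMD_EMAILBL(9.50){.;pdj11uthygksitexhj564i1yyehsjbft;},BAYES_HAM(-5.62){96.47%;},AUTH_NA(1.00){},
2019-06-18 17:40:02 #11569(normal) <a1b2c3>; task; rspamd_task_write_log: id: <yyy>, (default: T (add header): [9.10/15.00] [RSPAMD_EMAILBL(9.50){longgiacomputer.gmail.com;y6k3i5t3suzw3ygj6jrz3sgydey1d84u;},
"""

ZONE = "email.rspamd.com"  # zone name as given in the thread

# NAME(score){opt1;opt2;...} as it appears in rspamd_task_write_log lines
SYMBOL_RE = re.compile(r"(\w+)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}")
# The logged address has '@' shown as '.', so expect >= 2 non-empty labels
ADDRESS_RE = re.compile(r"[^.\s]+(?:\.[^.\s]+)+")
# The hash must be usable as a single DNS label
LABEL_RE = re.compile(r"[a-z0-9]{1,63}")


def emailbl_hits(log_text, symbol="RSPAMD_EMAILBL", zone=ZONE):
    """Return one dict per blacklist hit found in the log text."""
    hits = []
    for name, score, raw_opts in SYMBOL_RE.findall(log_text):
        parts = raw_opts.split(";")  # first field: address, second: hash
        if name != symbol or len(parts) < 2:
            continue
        address, digest = parts[0], parts[1]
        if not LABEL_RE.fullmatch(digest):
            continue  # not something that can be queried as a DNS label
        hits.append({
            "score": float(score),
            "address": address,
            "malformed": ADDRESS_RE.fullmatch(address) is None,
            "query": f"{digest}.{zone}",  # assumed layout: <hash>.<zone>
        })
    return hits


if __name__ == "__main__":
    for hit in emailbl_hits(SAMPLE_LOG):
        flag = "MALFORMED ADDRESS" if hit["malformed"] else "ok"
        print(f'{hit["score"]:5.2f}  {hit["address"]!r:32} {flag:18} {hit["query"]}')
```

The `query` value can be passed to any DNS client to see whether the hash is currently listed; entries marked malformed are the ones worth reporting with a message sample.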


