[Rspamd-Users] How to debug unexpected RSPAMD_EMAILBL score?

Vadim Zeitlin vz-rspamd at zeitlins.org
Tue Jun 18 20:02:20 UTC 2019 

On Tue, 18 Jun 2019 17:48:11 +0100 Vsevolod Stakhov <vsevolod at rspamd.com> wrote:

VS> On 18/06/2019 17:11, Vadim Zeitlin wrote:
VS> >  Hello,
VS> > 
VS> >  Emails from a particular person get filtered as spam by rspamd (version
VS> > 1.9.4 with mostly default configuration) that I'm running because of the
VS> > elevated score for RSPAMD_EMAILBL (9.50). I'd like to understand where is
VS> > this coming from and which email exactly triggers this. Looking in the log
VS> > I see something like this (slightly redacted and wrapped for ease of
VS> > reading):
VS> > 
VS> > 2019-06-18 17:32:30 #11569(normal) <505c92>; task; rspamd_task_write_log:
VS> > id: <xxx>, qid: <xxx>, ip: xxx, from: <someone at domain.com>, (default: T (add
VS> > header): [6.77/15.00] [RSPAMD_EMAILBL(9.50){.;pdj11uthygksitexhj564i1yyehsjbft;},
VS> > BAYES_HAM(-5.62){96.47%;},AUTH_NA(1.00){},REPLYTO_UNPARSEABLE(1.00){},
VS> > URI_COUNT_ODD(1.00){5;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},
VS> > ...
VS> > 
VS> > and I have no idea where does this weird "pdj11uthygksitexhj564i1yyehsjbft"
VS> > string come from. Looking at the only other occurrence of RSPAMD_EMAILBL in
VS> > my log, I see this:
VS> 
VS> It is the result of hashing to protect privacy when querying emails over
VS> DNS.

 Ah, yes, of course, this makes total sense, thanks for explaining it!

VS> This particular result - an email that is `.` looks very bad. I tried my
VS> best to avoid this crap but it seems I've failed (again). Do you have a
VS> message sample to share with me (presumably via private email)?

 Unfortunately all the examples I have are Review Board notification emails
sent to many people and with plenty of details about the internal code
base, so I don't think I can share this without redacting them heavily.
Please let me know if this could still be useful or I could try ask the
person in question to send me an email directly (because this is definitely
specific to this particular person, none of the other Review Board
notifications suffer from this problem). So far I've tried sending me
various emails with forged "From" header myself, but they don't trigger the
bug neither.

VS> >  On a related note, how can I test RSPAMD_EMAILBL manually? I thought I was
VS> > just supposed to make a DNS lookup of localpart.domain.email.rspamd.com,
VS> > but looking up longgiacomputer.gmail.com.email.rspamd.com returns SERVFAIL
VS> > and for longgiacomputer at gmail.com.email.rspamd.com I get NXDOMAIN.
VS> 
VS> Just check this hash against it.

 OK, this works, thanks. Is there any way to compute this hash from the
command line for testing purposes?

 Thanks again,
VZ
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <https://lists.rspamd.com/pipermail/users/attachments/20190618/0d1cb394/attachment.bin>

More information about the Users mailing list