[Rspamd-Users] Rule not triggering on test email

Albrecht Backhaus albrecht.backhaus at gmail.com
Tue Nov 12 18:00:09 UTC 2019


On 12.11.2019 18:42:51, "Sophie Loewenthal" <sophie at klunky.co.uk> wrote:

>Hi guys,
>
>
>I wrote this rule to kill off some uncatchable spam:
>
># cat /etc/rspamd/local.d/settings.conf
>SJL_AIRMAIL_DIE {
>re = "From=/\@mail\.appcenter\.ms/iH" ;
>group = "header";
>description = "Poison pill"
>score = 10; # 10 set for testing. Will be 20 later.
>}
>
>The test email contains this string:
>From: App Center Team <no-reply at mail.appcenter.ms>
>
>Tested with this but the mail was scored with 1.58 / 15.00
>
>  # cat 1573523082.M912671P31937.mx10\,S\=19091\,W\=19642\:2\,Sbs |rspamc symbols
>Results for file: stdin (1.180 seconds)
>[Metric: default]
>Action: no action
>Spam: false
>Score: 1.58 / 15.00
>Symbol: ARC_NA (0.00)
>Symbol: DKIM_TRACE (0.00)[mail.appcenter.ms:+]
>Symbol: DMARC_POLICY_ALLOW (-0.50)[mail.appcenter.ms, reject]
>Symbol: FROM_HAS_DN (0.00)
>Symbol: FROM_NEQ_ENVFROM (0.00)[no-reply at mail.appcenter.ms, 6d3e4e4a.EAAAAHyUnjUCAAAAAAAAAARsquQAAAA6pnMAAAAAAAvpOQBdyg6J at bnc3.mail.appcenter.ms]
>Symbol: HAS_LIST_UNSUB (-0.01)
>Symbol: MANY_INVISIBLE_PARTS (1.00)[10]
>Symbol: MIME_HTML_ONLY (0.20)
>Symbol: MIME_TRACE (0.00)[0:~]
>Symbol: MX_GOOD (-0.01)[cached: bnc3.mailjet.com]
>Symbol: PREVIOUSLY_DELIVERED (0.00)[sophie at klunky.co.uk]
>Symbol: RCPT_COUNT_ONE (0.00)[1]
>Symbol: RCVD_COUNT_TWO (0.00)[2]
>Symbol: RCVD_NO_TLS_LAST (0.10)
>Symbol: R_DKIM_ALLOW (-0.20)[mail.appcenter.ms:s=mailjet]
>Symbol: TO_DN_ALL (0.00)
>Symbol: ZERO_FONT (1.00)[20]
>Message-ID: 6d3e4e4a.EAAAAHyUnjUCAAAAAAAAAARsquQAAAA6pnMAAAAAAAvpOQBdyg6J at mailjet.com
>Urls: ["www.reddit.com","join.slack.com","fonts.googleapis.com","www.hockeyapp.net","airmailapp.com","install.appcenter.ms"]
>
>
>What did I miss and am I testing this the right way?
>
>Thanks, So.

Hi Sophie

Looks as if the RE is not catching the sender's address. Did a quick 
check with my magic regex tool :-)

Here is the result:

From=/\@mail\.appcenter\.ms/iH

Match the character string “From=/” literally (case sensitive) «From=/»
Match the character “@” literally «\@»
Match the character string “mail” literally (case sensitive) «mail»
Match the character “.” literally «\.»
Match the character string “appcenter” literally (case sensitive) «appcenter»
Match the character “.” literally «\.»
Match the character string “ms/iH” literally (case sensitive) «ms/iH»

I do have some similar spam candidates on my mail server. I would prefer 
to blacklist the sender's address or the TLD (if possible).

Regards, Albrecht
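
An added example, not part of the original thread: rspamd's regexp module reads `Header=/pattern/flags` as a header name, a delimited pattern and flags, whereas a generic regex tester reads the whole string as one pattern, so the two give different results on the same mail. Assumptions: the function names are hypothetical, Python's `re` stands in for rspamd's regex engine, and the sample message is constructed with the archive's "at" restored to "@".

```python
import email
import re

EXPR = r"From=/\@mail\.appcenter\.ms/iH"   # expression from the rule above

# Constructed sample message (not the real mail from the thread).
SAMPLE = (
    "From: App Center Team <no-reply@mail.appcenter.ms>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
OTHER = SAMPLE.replace("mail.appcenter.ms", "example.org")


def split_header_expr(expr):
    """Split 'Header=/pattern/flags' into (header, pattern, flags)."""
    m = re.fullmatch(r"([A-Za-z0-9-]+)=/(.*)/([A-Za-z]*)", expr, re.S)
    if m is None:
        raise ValueError("not in Header=/pattern/flags form: %r" % expr)
    return m.group(1), m.group(2), m.group(3)


def match_as_header_rule(expr, raw_message):
    """Apply the pattern to the named header only, honouring the 'i' flag."""
    header, pattern, flags = split_header_expr(expr)
    value = email.message_from_string(raw_message).get(header)
    if value is None:          # header absent: the rule cannot fire
        return False
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.search(pattern, value, re_flags) is not None


def match_as_single_regex(expr, raw_message):
    """What a generic regex tester does: the whole string is one pattern."""
    return re.search(expr, raw_message) is not None


if __name__ == "__main__":
    print("parts:          ", split_header_expr(EXPR))
    print("as header rule: ", match_as_header_rule(EXPR, SAMPLE))
    print("as single regex:", match_as_single_regex(EXPR, SAMPLE))
    print("other sender:   ", match_as_header_rule(EXPR, OTHER))
```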





