[Rspamd-Users] messages tagged as spam when sending encrypted and signed via Thunderbird

David Mehler dave.mehler at gmail.com
Thu Apr 23 06:46:47 UTC 2020


Hello,

I just sent another message and checked on the web interface history
tab and got this one line:

748bc1f3-093a-fde1-f3d1-a8e5e3c8a809 at example.com	rewrite subject	4.80 / 15	4/23/2020, 2:33:45 AM

Makes no sense as to why a fully encrypted message will make a subject
get tagged at 4.8.

Since I knew the message was sent at 2:33, I took the entire 2:33
minute. Here's the excerpt from my rspamd.log, if it helps:

2020-04-23 02:32:59 #3710(controller) <78ygbp>; monitored;
rspamd_monitored_dns_cb: DNS reply returned 'no error' for
list.dnswl.org while 'no records with this name' was expected when
querying for '1.0.0.127.list.dnswl.org'(likely DNS spoofing or BL
internal issues)
2020-04-23 02:33:44 #3322(rspamd_proxy) <652600>; proxy;
proxy_accept_socket: accepted milter connection from
/var/run/rspamd/milter.sock port 0
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; milter;
rspamd_milter_process_command: got connection from 69.133.29.184:62555
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_message_parse: loaded message; id:
<748bc1f3-093a-fde1-f3d1-a8e5e3c8a809 at example.com>; queue-id:
<3C086EB2FF>; size: 8305; checksum: <c8994cbf8fc2cb7763098f839ba5f42b>
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_mime_part_detect_language: detected part language: nl
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua;
greylist.lua:203: skip greylisting for local networks and/or
authorized users
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; spf.lua:185:
skip SPF checks for local networks and authorized users
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
dkim_symbol_callback: skip DKIM checks for local networks and
authorized users
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
dkim_module_load_key_format: cannot load dkim key
/var/db/rspamd/dkim/example.com.dkim.key: cannot stat key file:
'/var/db/rspamd/dkim/example.com.dkim.key' No such file or directory
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; dmarc.lua:596:
skip DMARC checks as either SPF or DKIM were not checked
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua;
once_received.lua:98: Skipping once_received for authenticated user or
local network
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; dcc.lua:252:
dcc: clean, returned result A - info: body=1 fuz1=1
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; razor.lua:150:
RAZOR: returned result is ham
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_symcache_finalize_item: slow rule: RAZOR(231): 418.28 ms;
enable slow timer delay
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of
classifier bayes: not enough learns 59; 200 required
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_stat_classifiers_process: skip statistics as SPAM class is
missing
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_task_write_log: id:
<748bc1f3-093a-fde1-f3d1-a8e5e3c8a809 at example.com>, qid: <3C086EB2FF>,
ip: 69.133.29.184, user: dmehler at example.com, from:
<dmehler at example.com>, (default: T (rewrite subject): [4.80/15.00]
[KEYWORD_BL(5.00){},MIME_GOOD(-0.20){multipart/encrypted;},ARC_NA(0.00){},ASN(0.00){asn:10796,
ipnet:69.133.0.0/18,
country:US;},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TAGGED_RCPT(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),
len: 8305, time: 568.794ms, dns req: 1, digest:
<04f566a27ec72c984ce9fac2cdafc07d>, rcpts:
<dave.mehler at gmail.com,example at gmail.com>, mime_rcpts:
<dave.mehler at gmail.com,>
2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned,
5 regexps matched, 184 regexps total, 53 regexps cached, 0B scanned
using pcre, 6.37KiB scanned total
2020-04-23 02:33:46 #3322(rspamd_proxy) <dbf775>; proxy;
proxy_milter_finish_handler: finished milter connection


Suggestions welcome.
Thanks.
Dave.


On 4/22/20, Arno Welzel <privat at arnowelzel.de> wrote:
> David Mehler:
>
>> Hello,
>>
>> I'm setting up Thunderbird for users who want to send email remotely.
>> If I send a message normally, no PGP encryption and signing, it goes
>> through just fine. I am using Thunderbird with the Enigmail plugin. If
>> I send a message through the server that is both signed and encrypted
>> rspamd prepends the subject with [spam].
>>
>> I'm not seeing anything in my logs that looks like an error or issue.
>> Has anyone else seen this?
>
> In the web UI there is a "history" tab which also shows the reasons why
> a mail was seen as spam. Did you check this?
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
>
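
The score breakdown for this message is recorded in the symbol list of the rspamd_task_write_log entry in the excerpt above. As an added example (not part of the original post and not Rspamd code), this Python sketch un-wraps that entry, parses each SYMBOL(score){options} item, and ranks the symbols that actually moved the score; the function names are hypothetical and the sample text is copied from the log excerpt in this message.

```python
import re

# Scan result copied from the rspamd_task_write_log entry in the message above,
# still hard-wrapped the way the mail client wrapped it.
LOG_EXCERPT = """(default: T (rewrite subject): [4.80/15.00]
[KEYWORD_BL(5.00){},MIME_GOOD(-0.20){multipart/encrypted;},ARC_NA(0.00){},ASN(0.00){asn:10796,
ipnet:69.133.0.0/18,
country:US;},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TAGGED_RCPT(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),"""

# "(metric: flag (action): [score/required] [symbol list])"
RESULT_RE = re.compile(
    r"\((?P<metric>\w+): (?P<flag>\w) \((?P<action>[^)]*)\): "
    r"\[(?P<score>-?[\d.]+)/(?P<required>-?[\d.]+)\]\s*\[(?P<symbols>.*)\]\)",
    re.DOTALL)  # DOTALL so the match survives line wrapping
# One "NAME(score){options}" item; options may span wrapped lines.
SYMBOL_RE = re.compile(r"(\w+)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}")


def parse_result(log_text):
    """Return action, score, threshold and (name, score, options) per symbol."""
    m = RESULT_RE.search(log_text)
    if m is None:
        raise ValueError("no scan result found in log text")
    symbols = [(name, float(score), " ".join(opts.split()))
               for name, score, opts in SYMBOL_RE.findall(m["symbols"])]
    return {"action": m["action"], "score": float(m["score"]),
            "required": float(m["required"]), "symbols": symbols}


def contributors(result):
    """Symbols with a non-zero weight, largest absolute contribution first."""
    hits = [(name, score) for name, score, _ in result["symbols"] if score != 0.0]
    return sorted(hits, key=lambda hit: abs(hit[1]), reverse=True)


def explains_score(result):
    """True when the listed symbol weights add up to the reported score."""
    total = sum(score for _, score, _ in result["symbols"])
    return round(total, 2) == round(result["score"], 2)


if __name__ == "__main__":
    res = parse_result(LOG_EXCERPT)
    print(f"{res['action']}: {res['score']:.2f} / {res['required']:.2f}")
    for name, score in contributors(res):
        print(f"  {score:+.2f}  {name}")
    print("symbols account for score:", explains_score(res))
```
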

