[Rspamd-Users] messages tagged as spam when sending encrypted and signed via Thunderbird

Stefan Bauer cubewerk at gmail.com
Thu Apr 23 07:32:32 UTC 2020


Only the message body is encrypted with S/MIME. The subject is part of the
header.

On Thu, Apr 23, 2020 at 08:47, David Mehler <dave.mehler at gmail.com> wrote:

> Hello,
>
> I just sent another message and checked on the web interface history
> tab and got this one line:
>
> 748bc1f3-093a-fde1-f3d1-a8e5e3c8a809 at example.com        rewrite subject        4.80 / 15    4/23/2020, 2:33:45 AM
>
> Makes no sense as to why a fully encrypted message will make a subject
> get tagged at 4.8.
>
> Since I knew the message was sent at 2:33, I took the entire 2:33
> minute; here's the excerpt from my rspamd.log, if it helps:
>
> 2020-04-23 02:32:59 #3710(controller) <78ygbp>; monitored;
> rspamd_monitored_dns_cb: DNS reply returned 'no error' for
> list.dnswl.org while 'no records with this name' was expected when
> querying for '1.0.0.127.list.dnswl.org'(likely DNS spoofing or BL
> internal issues)
> 2020-04-23 02:33:44 #3322(rspamd_proxy) <652600>; proxy;
> proxy_accept_socket: accepted milter connection from
> /var/run/rspamd/milter.sock port 0
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; milter;
> rspamd_milter_process_command: got connection from 69.133.29.184:62555
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_message_parse: loaded message; id:
> <748bc1f3-093a-fde1-f3d1-a8e5e3c8a809 at example.com>; queue-id:
> <3C086EB2FF>; size: 8305; checksum: <c8994cbf8fc2cb7763098f839ba5f42b>
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_mime_part_detect_language: detected part language: nl
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua;
> greylist.lua:203: skip greylisting for local networks and/or
> authorized users
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; spf.lua:185:
> skip SPF checks for local networks and authorized users
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> dkim_symbol_callback: skip DKIM checks for local networks and
> authorized users
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> dkim_module_load_key_format: cannot load dkim key
> /var/db/rspamd/dkim/example.com.dkim.key: cannot stat key file:
> '/var/db/rspamd/dkim/example.com.dkim.key' No such file or directory
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; dmarc.lua:596:
> skip DMARC checks as either SPF or DKIM were not checked
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua;
> once_received.lua:98: Skipping once_received for authenticated user or
> local network
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; dcc.lua:252:
> dcc: clean, returned result A - info: body=1 fuz1=1
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; lua; razor.lua:150:
> RAZOR: returned result is ham
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_symcache_finalize_item: slow rule: RAZOR(231): 418.28 ms;
> enable slow timer delay
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of
> classifier bayes: not enough learns 59; 200 required
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_stat_classifiers_process: skip statistics as SPAM class is
> missing
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_task_write_log: id:
> <748bc1f3-093a-fde1-f3d1-a8e5e3c8a809 at example.com>, qid: <3C086EB2FF>,
> ip: 69.133.29.184, user: dmehler at example.com, from:
> <dmehler at example.com>, (default: T (rewrite subject): [4.80/15.00]
> [KEYWORD_BL(5.00){},MIME_GOOD(-0.20){multipart/encrypted;},ARC_NA(0.00){},ASN(0.00){asn:10796, ipnet:69.133.0.0/18, country:US;},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:~;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TAGGED_RCPT(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),
> len: 8305, time: 568.794ms, dns req: 1, digest:
> <04f566a27ec72c984ce9fac2cdafc07d>, rcpts:
> <dave.mehler at gmail.com,example at gmail.com>, mime_rcpts:
> <dave.mehler at gmail.com,>
> 2020-04-23 02:33:45 #3322(rspamd_proxy) <652600>; proxy;
> rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned,
> 5 regexps matched, 184 regexps total, 53 regexps cached, 0B scanned
> using pcre, 6.37KiB scanned total
> 2020-04-23 02:33:46 #3322(rspamd_proxy) <dbf775>; proxy;
> proxy_milter_finish_handler: finished milter connection
>
>
> Suggestions welcome.
> Thanks.
> Dave.
>
>
> On 4/22/20, Arno Welzel <privat at arnowelzel.de> wrote:
> > David Mehler:
> >
> >> Hello,
> >>
> >> I'm setting up Thunderbird for users who want to send email remotely.
> >> If I send a message normally, no PGP encryption and signing, it goes
> >> through just fine. I am using Thunderbird with the Enigmail plugin. If
> >> I send a message through the server that is both signed and encrypted
> >> rspamd prepends the subject with [spam].
> >>
> >> I'm not seeing anything in my logs that looks like an error or issue.
> >> Has anyone else seen this?
> >
> > In the web UI there is a "history" tab which also shows the reasons why
> > a mail was seen as spam. Did you check this?
> > --
> > Users mailing list
> > Users at lists.rspamd.com
> > https://lists.rspamd.com/mailman/listinfo/users
> >
>
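
The symbol list in the quoted `rspamd_task_write_log` line already accounts for the 4.80 score. The following is an added example, not part of the original thread and not Rspamd's own code: it parses that line (re-joined after mail-client wrapping) and ranks the symbols by contribution. The function name `explain_score` and both regexes are assumptions made for this illustration.

```python
import re

# Symbol list from the rspamd_task_write_log line quoted in the thread,
# re-joined here after mail-client line wrapping.
LOG_LINE = (
    "(default: T (rewrite subject): [4.80/15.00] "
    "[KEYWORD_BL(5.00){},MIME_GOOD(-0.20){multipart/encrypted;},ARC_NA(0.00){},"
    "ASN(0.00){asn:10796, ipnet:69.133.0.0/18, country:US;},"
    "FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},"
    "FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},"
    "MIME_TRACE(0.00){0:+;1:~;2:~;},RCPT_COUNT_ONE(0.00){1;},"
    "RCVD_COUNT_ZERO(0.00){0;},TAGGED_RCPT(0.00){},TO_DN_NONE(0.00){},"
    "TO_MATCH_ENVRCPT_ALL(0.00){}])"
)

# "(action): [score/limit]" header, then NAME(score){options} entries.
HEAD_RE = re.compile(r"\(([^()]*)\): \[(-?[\d.]+)/(-?[\d.]+)\]")
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}")


def explain_score(log_line):
    """Return the action, the score and the symbols that actually moved it."""
    head = HEAD_RE.search(log_line)
    if head is None:
        raise ValueError("no '(action): [score/limit]' header found")
    action = head.group(1)
    score, limit = float(head.group(2)), float(head.group(3))
    symbols = [(m.group(1), float(m.group(2)), m.group(3))
               for m in SYMBOL_RE.finditer(log_line, head.end())]
    # Zero-weight symbols are informational; keep only real contributors,
    # largest absolute weight first.
    contributors = sorted((s for s in symbols if s[1] != 0.0),
                          key=lambda s: abs(s[1]), reverse=True)
    # Cross-check: the per-symbol weights should add up to the logged score.
    total = round(sum(s[1] for s in symbols), 2)
    return {"action": action, "score": score, "limit": limit,
            "symbol_count": len(symbols), "contributors": contributors,
            "sum_matches": total == score}


if __name__ == "__main__":
    result = explain_score(LOG_LINE)
    print(result["action"], result["score"], "/", result["limit"])
    for name, weight, options in result["contributors"]:
        print(f"  {name:12s} {weight:+.2f}  {options}")
```

Only two symbols carry weight: `KEYWORD_BL` at 5.00 and `MIME_GOOD` at -0.20 for `multipart/encrypted`, which sum to the logged 4.80. Since the subject travels in the unencrypted header, the place to look is whatever local rule defines `KEYWORD_BL`, not the encrypted body.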

