[Rspamd-Users] spam trap with multiple spam trap recipients rejected instead of used for training

Chris rspam at 2nibbles4u.de
Wed Feb 5 10:33:05 UTC 2020


Hello,

I've got incomprehensible behaviour in my spam trap (tested with rspamd 2.1/2.2 and 2.3).
Emails to a dedicated spam trap e-mail address (for example PrefixA at domain.tld) are recognized and handled as training material.
But emails to multiple trap e-mail addresses (PrefixA at domain.tld; PrefixB at domain.tld; PrefixC at domain.tld) are not handled the same way. These emails are rejected.

- below, the configuration used
- one real example of a single-recipient spam trap email (accepted and trained)
- and one with three spam trap recipients (rejected)

Has someone seen the same behaviour, or does anyone have an idea about this different handling?

BR Chris

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /etc/rspamd/override.d/spamtrap.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
######################################################
# spamtrap
# https://rspamd.com/doc/modules/spamtrap.html
######################################################

action = "no action";
score = 1.0;
learn_fuzzy = true;
learn_spam = true;
#fuzzy_flag = 1;
map = "file://$LOCAL_CONFDIR/local.d/local_spamtrap.map.inc";
enabled = true;

actions {
priority = high;
reject = 100.0;
greylist = null; # Disable greylisting (from 1.8.1)
groups_disabled = ["rbl", "antivirus", "dkim", "spf", "dmarc", "policies"]
symbols_disabled = ["GREYLIST_CHECK", "GREYLIST_SAVE"];
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 spam trap recipient - working spam trap - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
f29201d5dbb9$f813d660$90996f03 at MatthewSmith 176.106.186.35 MatthewSmith at myjavanet.net PrefixC at domain.tld Es ist besser, jetzt ?ber Ihre Gesundheit nachzudenken und nicht, wenn der Tau gefallen ist. no action 53.82 / 15 38.5k 0.217 2/5/2020, 9:34:30 AM unknown
[Envelope To] To/Cc/Bcc PrefixC at domain.tld
Symbols
LOCAL_FUZZY_DENIED (12) [1:2118193364:1.00:txt,1:7d8c1cec17:1.00:txt]
DBL_SPAM (6.5) [lookingformeds.info:url]
ABUSE_SURBL (5.5) [lookingformeds.info:url]
BAYES_SPAM (5.1) [100.00%]
RBL_SPAMHAUS_XBL (4) [176.106.186.35:from]
RBL_NIXSPAM (4) [176.106.186.35:from]
HFILTER_HOSTNAME_UNKNOWN (2.5)
RBL_MAILSPIKE_WORST (2) [176.106.186.35:from]
RBL_SPAMHAUS_CSS (2) [176.106.186.35:from]
RBL_SENDERSCORE (2) [176.106.186.35:from]
RBL_VIRUSFREE_BOTNET (2) [176.106.186.35:from]
RBL_SEM (1) [176.106.186.35:from]
SUBJECT_NEEDS_ENCODING (1)
AUTH_NA (1)
HFILTER_HELO_IP_A (1) [bp-myjava.myjavanet.net]
SPAMTRAP (1) [PrefixC at domain.tld]
R_PARTS_DIFFER (0.62489) [81.2%]
RSPAMD_URIBL (0.5) [lookingformeds.info:url]
MX_GOOD (-0.5) [mail.myjavanet.net]
MID_RHS_NOT_FQDN (0.5)
MIME_BASE64_TEXT (0.1)
MIME_GOOD (-0.1) [multipart/alternative,text/plain]
RCVD_NO_TLS_LAST (0.1)
SEM_URIBL (0) [lookingformeds.info:url]
R_SPF_NA (0) [no SPF record]
SEM_URIBL_FRESH15 (0) [lookingformeds.info:url]
MIME_TRACE (0) [0:+,1:+,2:~]
TO_MATCH_ENVRCPT_ALL (0)
R_DKIM_NA (0)
RCVD_COUNT_THREE (0) [4]
REPLYTO_EQ_FROM (0)
TO_DN_ALL (0)
HAS_REPLYTO (0) [MatthewSmith at myjavanet.net]
SENDER_REP_SPAM (0) [asn: 43451(0.00), country: SK(0.01), ip: 176.106.186.35(0.00)]
FUZZY_DENIED (0) [1:2118193364:1.00:txt,1:7d8c1cec17:1.00:txt]
FROM_EQ_ENVFROM (0)
DMARC_NA (0) [myjavanet.net]
ASN (0) [asn:43451, ipnet:176.106.184.0/22, country:SK]
FROM_HAS_DN (0)
RCPT_COUNT_ONE (0) [1]
ARC_NA (0)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3 spam trap recipients - working spam trap - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
35BF28DF.5D8DC507 at 123mail.org 185.51.92.103 BrunhildAcht at 123mail.org PrefixA at domain.tld, PrefixB at domain.tld, PrefixC at domain.tld Ich habe die verdammte Nachricht verpasst reject 60.32 / 15 2.81k 1.156 2/5/2020, 9:31:13 AM unknown
[Envelope To] To/Cc/Bcc PrefixA at domain.tld, PrefixB at domain.tld, PrefixC at domain.tld
Symbols
LOCAL_FUZZY_DENIED (8.718017) [1:7b0ada51d6:0.68:txt]
DBL_SPAM (6.5) [dat02grlswet.info:url]
ABUSE_SURBL (5.5) [dat02grlswet.info:url]
BAYES_SPAM (5.1) [100.00%]
RBL_SPAMHAUS_XBL (4) [185.51.92.103:from]
RBL_BLOCKLISTDE (4) [185.51.92.103:from]
RBL_NIXSPAM (4) [185.51.92.103:from]
HFILTER_HOSTNAME_UNKNOWN (2.5)
RBL_MAILSPIKE_WORST (2) [185.51.92.103:from]
RBL_SPAMHAUS_CSS (2) [185.51.92.103:from]
HTML_SHORT_LINK_IMG_1 (2)
RBL_SENDERSCORE (2) [185.51.92.103:from]
RBL_VIRUSFREE_BOTNET (2) [185.51.92.103:from]
FROM_EXCESS_BASE64 (1.5)
SUBJ_EXCESS_BASE64 (1.5)
RBL_SEM (1) [185.51.92.103:from]
MX_INVALID (1)
REPLYTO_UNPARSEABLE (1)
RDNS_NONE (1)
RECEIVED_SPAMHAUS_SBL (1) [101.197.189.20:received]
MIME_BASE64_TEXT_BOGUS (1)
RSPAMD_URIBL (0.5) [dat02grlswet.info:url]
MIME_HTML_ONLY (0.2)
MIME_BASE64_TEXT (0.1)
RCVD_NO_TLS_LAST (0.1)
DMARC_POLICY_SOFTFAIL (0.1) [123mail.org : No valid SPF, No valid DKIM,none]
FREEMAIL_ENVFROM (0) [123mail.org]
SEM_URIBL_FRESH15 (0) [dat02grlswet.info:url]
MIME_TRACE (0) [0:~]
R_SPF_NEUTRAL (0) [?all]
TO_MATCH_ENVRCPT_ALL (0)
FREEMAIL_REPLYTO (0) [123mail.org]
R_DKIM_NA (0)
ASN (0) [asn:202170, ipnet:185.51.92.0/24, country:PT]
TO_DN_ALL (0)
RCVD_COUNT_FIVE (0) [6]
FUZZY_DENIED (0) [1:518338db6a:0.75:txt]
FROM_EQ_ENVFROM (0)
RCPT_COUNT_THREE (0) [3]
FROM_HAS_DN (0)
FREEMAIL_FROM (0) [123mail.org]
MID_RHS_MATCH_FROM (0)
SENDER_REP_SPAM (0) [asn: 202170(0.40), country: PT(0.01), ip: 185.51.92.103(0.00)]
ARC_NA (0)
RECEIVED_SPAMHAUS_PBL (0) [213.231.238.11:received,99.241.187.92:received]
REPLYTO_EXCESS_BASE64 (0)
IP_SCORE_FREEMAIL (0)
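
A way to compare the two symbol listings above mechanically (an added example, not part of the original post): it parses the `NAME (score) [options]` lines and reports which symbols appear in only one scan, which for these two messages shows SPAMTRAP listed in the single-recipient scan and absent from the three-recipient one. The excerpts are copied from the listings above; the function names are this example's own.

```python
import re

# One symbol per line, as pasted from the history view: NAME (score) [options]
SYMBOL_RE = re.compile(
    r"^\s*([A-Z0-9_]+)\s+\((-?\d+(?:\.\d+)?)\)(?:\s+\[(.*)\])?\s*$"
)

# Excerpts from the two scans in the post (not the full listings).
SINGLE = """Symbols
LOCAL_FUZZY_DENIED (12) [1:2118193364:1.00:txt,1:7d8c1cec17:1.00:txt]
BAYES_SPAM (5.1) [100.00%]
SPAMTRAP (1) [PrefixC at domain.tld]
MX_GOOD (-0.5) [mail.myjavanet.net]
RCPT_COUNT_ONE (0) [1]
"""
MULTI = """Symbols
LOCAL_FUZZY_DENIED (8.718017) [1:7b0ada51d6:0.68:txt]
BAYES_SPAM (5.1) [100.00%]
MX_INVALID (1)
RCPT_COUNT_THREE (0) [3]
"""

def parse_symbols(dump):
    """Return {symbol: (score, options)}; lines that are not symbols are skipped."""
    symbols = {}
    for line in dump.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            symbols[m.group(1)] = (float(m.group(2)), m.group(3) or "")
    return symbols

def symbol_diff(a, b):
    """Symbols present only in scan a, and only in scan b (sorted)."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))

def score_changes(a, b):
    """Symbols in both scans whose score differs: {name: (score_a, score_b)}."""
    return {n: (a[n][0], b[n][0]) for n in set(a) & set(b) if a[n][0] != b[n][0]}

def trap_fired(symbols, name="SPAMTRAP"):
    """True if the spamtrap symbol was inserted for this scan."""
    return name in symbols

if __name__ == "__main__":
    single, multi = parse_symbols(SINGLE), parse_symbols(MULTI)
    only_single, only_multi = symbol_diff(single, multi)
    print("only in single-recipient scan:", only_single)
    print("only in three-recipient scan: ", only_multi)
    print("score changes:", score_changes(single, multi))
    print("SPAMTRAP fired:", trap_fired(single), trap_fired(multi))
```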

