[Rspamd-Users] Ignoring mail forward servers & spamtrap Envelope multiple addresses

Tobias Mädel rspamd.users at tbspace.de
Sat Jan 11 16:30:24 UTC 2020


Hi,

I'm currently fine-tuning my rspamd setup and I've stumbled across a
couple of smaller issues which I can't explain yet and couldn't find
more information about in the documentation.

- reputation module - IP address selection:
I have a couple of mail redirects pointing to my mail server. An example
header (of a spam mail) looks like this:

Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.134])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.tbspace.de (Postfix) with ESMTPS id 222C75FC3A
	for <redacted at redacted.de>; Fri, 10 Jan 2020 18:57:19 +0100 (CET)
Received: from [212.227.15.41] ([212.227.15.41]) by mx.kundenserver.de
 (mxeue010 [212.227.15.41]) with ESMTP (Nemesis) id 1MQ7G4-1j3E3a0w9w-00MDuq
 for <redacted at redacted.de>; Fri, 10 Jan 2020 18:57:18 +0100
Received: from [212.227.15.41] ([212.227.15.41]) by mx.kundenserver.de
 (mxeue010 [212.227.15.41]) with ESMTP (Nemesis) id 1Mv2Dw-1jghby0Woa-00qrqC
 for <redacted at redacted.de>; Fri, 10 Jan 2020 18:57:18 +0100
Received: from [212.227.15.41] ([212.227.15.41]) by mx.kundenserver.de
 (mxeue010 [212.227.15.41]) with ESMTP (Nemesis) id 1MNd5X-1j1qD70RvX-00PFv1;
 Fri, 10 Jan 2020 18:57:18 +0100
Received: from trading-tips1.net ([104.149.18.200]) by mx.kundenserver.de
 (mxeue010 [212.227.15.41]) with ESMTP (Nemesis) id 1Mox8I-1jSpJA0JEE-00qJKY
 for <redacted at redacted.de>; Fri, 10 Jan 2020 18:57:18 +0100

Now, mx.kundenserver.de and the 212.227.15.0/24 range are operated by a
large German ISP and thus have a good reputation.
Unfortunately that causes a lot of spam mails to mistakenly get good
scores. The real sender IP is listed on a couple of blacklists and would
have a much worse reputation.
Is there a way to "ignore" IP addresses in the selection of mail server
addresses for the reputation module?

- Spamtrap - Matching on multiple addresses in Envelope To:

I have configured the spamtrap module in order to train my fuzzy store
with some local language spam I'm dealing with.
Unfortunately, the behaviour of the spamtrap module seems to be a bit odd.
This was tested with regexes in a map file and also with domains in
Redis.

When a mail with multiple addresses in the Envelope To is received, the
spamtrap never seems to match:
[Envelope To] To/Cc/Bcc:
[taylorxkcao at redacted.de, tayqizty at redacted.de, tbanish at redacted.de,
tbatgbewkrwosg at redacted.de] taylorxkcao at redacted.de

With single addresses in the envelope, everything works as expected: the
mail is assigned the SPAMTRAP symbol, discarded and trained.

My mapfile looks like this (regex is not matching on start and end on
purpose for testing):
"/.*@redacted.de.*/i
redacted.de
@redacted.de

"

Is this a bug in the spamtrap module? Any suggestions on how to fix or
maybe workaround this?

I am using Rspamd 2.2 on Debian Buster, installed from the official
Debian repo.

Thanks for your time.

Best regards,
Tobias
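
The IP selection asked about in the first question, as an added Python illustration (not part of the original post and not Rspamd's code): walk the Received chain newest-first and return the first hop outside a list of trusted forwarder ranges. The function names and the choice of trusted ranges are assumptions of this example; the headers are abridged from the post.

```python
import email
import ipaddress
import re

# Forwarder ranges to skip. The addresses come from the headers in the post;
# treating them as trusted is this example's assumption.
TRUSTED_FORWARDERS = [
    ipaddress.ip_network("212.227.15.0/24"),
    ipaddress.ip_network("212.227.126.134/32"),
]

# Constructed sample: the post's Received chain, abridged (recipient clauses dropped).
SAMPLE_HEADERS = """\
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.134])
\tby mail.tbspace.de (Postfix) with ESMTPS id 222C75FC3A;
\tFri, 10 Jan 2020 18:57:19 +0100 (CET)
Received: from [212.227.15.41] ([212.227.15.41]) by mx.kundenserver.de
 (mxeue010 [212.227.15.41]) with ESMTP (Nemesis) id 1MQ7G4-1j3E3a0w9w-00MDuq;
 Fri, 10 Jan 2020 18:57:18 +0100
Received: from trading-tips1.net ([104.149.18.200]) by mx.kundenserver.de
 (mxeue010 [212.227.15.41]) with ESMTP (Nemesis) id 1Mox8I-1jSpJA0JEE-00qJKY;
 Fri, 10 Jan 2020 18:57:18 +0100

"""

def hop_ip(received):
    """Return the client IP recorded in the 'from' clause of one Received value."""
    from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
    found = re.findall(r"\[([0-9A-Fa-f:.]+)\]", from_clause)
    if not found:
        return None
    try:
        # The last bracketed value is the address the receiving MTA saw,
        # as opposed to the HELO name or literal that precedes it.
        return ipaddress.ip_address(found[-1])
    except ValueError:
        return None

def effective_sender_ip(raw_headers, trusted=TRUSTED_FORWARDERS):
    """First hop, newest-first, whose client IP is outside the trusted ranges."""
    msg = email.message_from_string(raw_headers)
    for received in msg.get_all("Received", []):
        ip = hop_ip(received)
        if ip is None:
            return None  # chain broken: older headers cannot be trusted
        if not any(ip in net for net in trusted):
            return ip    # written by a trusted hop, so this address is reliable
        # Client is a trusted forwarder; it wrote the next (older) header.
    return None
```

The walk stops at the first untrusted hop because every header below it was supplied by that host and may be forged.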

