[Rspamd-Users] Regexp Rejecting Authenticated Users

Gerald Galster list+rspamd at gcore.biz
Tue Dec 7 21:34:35 UTC 2021


> I perhaps have a similar query to Jurgen regarding the usage of regular
> expressions in Rspamd.
> 
> After checking out a few sites, I found one that had a list of regular
> expressions like those shown immediately below.
> 
> /luxury accomomdation/gi
> /luxury accommodations/gi

g means match multiple times, which is not necessary. If you want to score
multiple times, use "multi = true;" in the multimap.conf rule.

It's sufficient to check for /luxury accomodation/i because
"luxury accomodations" already contains "luxury accomodation".

/i modifier = case insensitive, just use it when needed


> I used this section in /usr/local/etc/rspamd/local.d/multimap.conf:
> 
> PROBABLE_SPAM {
> 	type = "content";
> 	filter = "headers";
> 	map = "/usr/local/etc/rspamd/local.d/common.spam.regexp.map";
> 	action = "reject";
> 	regexp = true;
> 	}
> 
> I'll admit that I took it on faith to use the 'g' modifier but now that
> I look at the following URL, I cannot find any mention of this modifier.

Drop the g and add multiple = true after regexp = true if you want to score
multiple times. If you just want to match "luxury accomodation", the first
occurrence is enough to trigger the rule. There is no benefit in matching
multiple times, it already matched.

If your mail contains "luxury accomodations" ten times and you have
"multiple = true" with a score of 1 then rspamd will add 10 points.

Be careful with "multiple = true": if your regex matches too easily this
could result in a high spamscore, learning ham mails as spam. If those
mails do have company signatures, other valid mails may be blocked.

> https://rspamd.com/doc/modules/regexp.html
> 
> For a while all seemed ok but then at what seemed like a few days, all
> of my submissions to external recipients were being rejected by my mail
> server with the 'PROBABLE_SPAM' reason. This would occur whether I
> submitted a mail externally or on my own LAN which I thought I'd
> whitelisted.

With hyperscan you can't see which rule matched, but if you don't have
lots of rules you could add an individual score for each rule, which
you can find in the rspamd log later. That way you could find the rule
that matched.

If everything gets blocked then you matched something that all your
mails have in common, e.g. your mail server's hostname.

Best regards
Gerald
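
An added example, not part of the original message and not Rspamd code: an offline check that shows which entry of a regexp map matches which message and how often, to locate a pattern that hits all mail before the map is used with action = "reject". It assumes one /pattern/flags entry per line, uses Python's re module as a stand-in for Rspamd's regex engine, and runs on constructed sample data in which mail.example.org stands in for the sender's own host name.

```python
import re

# Constructed sample map, in the /pattern/flags form quoted in the message.
SAMPLE_MAP = """\
# constructed example entries
/luxury accommodation/i
/luxury accommodations/gi
/mail\\.example\\.org/i
"""

# Constructed header blocks; mail.example.org is a placeholder host name.
SAMPLE_HEADERS = {
    "internal": "Received: from pc1 by mail.example.org\nSubject: Meeting notes\n",
    "spam": "Received: from x by mail.example.org\n"
            "Subject: Luxury accommodation! luxury accommodations\n",
}

def parse_map(text):
    """Return (source_line, compiled_regex) for each /pattern/flags entry."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/([a-z]*)", line)
        if not m:
            raise ValueError(f"not a /pattern/flags entry: {line!r}")
        # Only 'i' changes matching here; 'g' is ignored, as the reply advises.
        flags = re.IGNORECASE if "i" in m.group(2) else 0
        rules.append((line, re.compile(m.group(1), flags)))
    return rules

def hits_per_rule(rules, messages):
    """Map each rule to {message_name: match_count} for messages it matches."""
    report = {}
    for src, rx in rules:
        counts = {name: len(rx.findall(text)) for name, text in messages.items()}
        report[src] = {n: c for n, c in counts.items() if c}
    return report

def overbroad(report, messages):
    """Rules that match every sample message, i.e. would reject all mail."""
    return [src for src, hit in report.items() if len(hit) == len(messages)]

if __name__ == "__main__":
    rep = hits_per_rule(parse_map(SAMPLE_MAP), SAMPLE_HEADERS)
    for src, hit in rep.items():
        print(src, hit)
    print("matches everything:", overbroad(rep, SAMPLE_HEADERS))
```

The per-message counts are what a rule scored on every match would multiply by its score, and the shorter pattern already covers the plural form.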

