[Rspamd-Users] SPAM alerts with wrong action value
Tino Hendricks
t.hendricks at interpool.de
Tue Apr 16 11:36:48 UTC 2024
Hi Martin,
is it possible there’s an additional spam actor in the queue who adds the header?
> X-Spam-Level: ******
Or maybe the header is already in the incoming mail (which is/was sometimes the case with web.de <http://web.de/>, marking their own outgoing mail as SPAM). 🤷🏼♂️
> Am 16.04.2024 um 12:47 schrieb Martin Stenzel via Users <users at lists.rspamd.com>:
>
>
> Hi list, I use the latest version of rspamd on a Linux server
>
> I set up rspamd according to the official documentation.
>
> From time to time I receive mails which are tagged as spam (although they are NOT spam).
>
> The headers show this:
> X-Spam-Level: ******
> X-Spamd-Result: default: False [0.59 / 12.00];
> BAYES_HAM(-3.00)[100.00%];
> FROM_EXCESS_QP(1.20)[];
> REPLYTO_EXCESS_QP(1.20)[];
> URI_COUNT_ODD(1.00)[47];
> FORGED_SENDER(0.30)[info at popularresistance.org,bounce-mc.us2_5197842.1426441-67321fa2dd at mail17.suw91.mcdlv.net];
> MIME_GOOD(-0.10)[multipart/alternative,text/plain];
> HAS_LIST_UNSUB(-0.01)[];
> REDIRECTOR_FALSE(0.00)[facebook.com->list-manage.com:list-manage.com,popularresistance.org->list-manage.com:list-manage.com];
> ARC_NA(0.00)[];
> TO_DN_NONE(0.00)[];
> RCPT_COUNT_ONE(0.00)[1];
> MIME_TRACE(0.00)[0:+,1:+,2:~];
> NEURAL_SPAM(0.00)[0.874];
> REDIRECTOR_URL(0.00)[list-manage.com,twitter.com];
> FROM_HAS_DN(0.00)[];
> FROM_NEQ_ENVFROM(0.00)[info at popularresistance.org,bounce-mc.us2_5197842.1426441-67321fa2dd at mail17.suw91.mcdlv.net];
> PREVIOUSLY_DELIVERED(0.00)[m.stenzel at space.de];
> RCVD_COUNT_FIVE(0.00)[6];
> RCVD_TLS_LAST(0.00)[];
> HAS_REPLYTO(0.00)[info at popularresistance.org];
> TO_MATCH_ENVRCPT_ALL(0.00)[];
> REPLYTO_EQ_FROM(0.00)[]
> X-Rspamd-Action: no action
> X-Rspamd-Queue-Id: B3BDB6C02F8
> X-Rspamd-Server: terve.xy-space.de
> There is the line X-Rspamd-Action: no action
>
>
> But rspamd does act.
>
> My actions.conf looks like this:
> # local.d/actions.conf
> reject = 12.00;
> greylist = 10.00;
> rewrite_subject = 6.00;
> add_header = 5.52;
> subject = "***** SPAM ALERT ***** %s"
>
> The subject of the header looks like this:***** SPAM ALERT ***** Popular Resistance Daily Digest
>
>
> In the logs I find this:
>
>
> (rspamd_proxy) <f54cdf>; proxy; rspamd_task_write_log: id: <33602bebba8fb7dd6e71fb413.67321fa2dd.20240416095943.c47741786b.2323a984 at mail17.suw91.mcdlv.net>, qid: <B09A66C02F7>, ip: 10.4.0.1, from: <bounce-mc.us2_5197842.1426441-67321fa2dd at mail17.suw91.mcdlv.net>, (default: F (no action): [2.59/12.00] [BAYES_HAM(-3.00){100.00%;},FORGED_RECIPIENTS(2.00){m:m.stenzel at space.de;s:archive at mailarchive.xy-space.de;},FROM_EXCESS_QP(1.20){},REPLYTO_EXCESS_QP(1.20){},URI_COUNT_ODD(1.00){47;},FORGED_SENDER(0.30){info at popularresistance.org;bounce-mc.us2_5197842.1426441-67321fa2dd at mail17.suw91.mcdlv.net;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},HAS_LIST_UNSUB(-0.01){},ARC_NA(0.00){},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){info at popularresistance.org;bounce-mc.us2_5197842.1426441-67321fa2dd at mail17.suw91.mcdlv.net;},HAS_REPLYTO(0.00){info at popularresistance.org;},MIME_TRACE(0.00){0:+;1:+;2:~;},NEURAL_SPAM(0.00){0.874;},PREVIOUSLY_DELIVERED(0.00){m.stenzel at space.de;},RCPT_COUNT_ONE(0.00){
> 1;},RCVD_COUNT_FIVE(0.00){6;},RCVD_TLS_LAST(0.00){},REDIRECTOR_FALSE(0.00){facebook.com->list-manage.com:list-manage.com;popularresistance.org->list-manage.com:list-manage.com;},REDIRECTOR_URL(0.00){list-manage.com;twitter.com;},REPLYTO_EQ_FROM(0.00){},TO_DN_NONE(0.00){}]), len: 88228, time: 266.688ms, dns req: 67, digest: <fedd12c3396eef05458c40a6dd10d0da>, rcpts: <archive at mailarchive.xy-space.de>, mime_rcpts: <m.stenzel at space.de>
>
>
>
>
>
>
>
>
>
>
>
>
> --
> Martin Stenzel · er/ihm · he/him
> m.stenzel at mail.xy-space.de
>
> An der Drehscheibe 9
> D-50733 Köln · Cologne
> Deutschland · Germany
>
>
>
> This message was checked by ESET Endpoint Antivirus for Linux.
> Detection Engine Version: 29070 (20240416).
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
More information about the Users
mailing list