[Rspamd-Users] How to check, which expression matched?
Winkelmann, Bun-Jan
bun-jan.winkelmann at uni-hamburg.de
Wed Aug 14 13:52:59 UTC 2024
Hi Johannes,
we have a multimap with regular expressions. I index the regex patterns to see exactly which rule matches.
Example reputation_regex.map:
/bad.*compare/i BODY_PHISHING:2:rule7
/I am a phishing mail/i BODY_PHISHING:0.5:rule8
/verify\syour\saccount/i BODY_PHISHING:1:rule9
It is described here under the topic "Maps content": https://rspamd.com/doc/modules/multimap.html
Maybe you can change your map and rescan the mail to see which lines match the mail. You can see the matched rules in the log file, on the web page or in the email header.
--
Bun-Jan Winkelmann
Universität Hamburg
Regionales Rechenzentrum / Regional Computing Center
Basis-Infrastruktur / Basic Infrastructure
Team Storage, Dateidienste, Backup/Archiv und E-Mail / Storage, Data Services, Back-up/Archive and Email Team
E-Mail- und Groupware-Infrastruktur / Email and Groupware Infrastructure
Schlueterstrasse 70
20146 Hamburg
-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Johannes Rohr
Sent: Wednesday, 14 August 2024 14:22
To: users at lists.rspamd.com
Subject: [Rspamd-Users] How to check, which expression matched?
I've got a map with banned subjects. Now one mail has been rejected which is a clear false positive.
Even though debugging is on and multimap is listed under "debug modules", the log only shows that rspamd found a match, but it doesn't say which expression matched.
4-08-14 14:00:54 #1763298(normal) <d59bc5>; multimap; multimap.lua:544:
got return "1" (err code = 200) for multimap SUBJECT_BLACKLISTED
2024-08-14 14:00:54 #1763298(normal) <d59bc5>; metric;
insert_metric_result: want to insert symbol SUBJECT_BLACKLISTED, initial weight 1.00
2024-08-14 14:00:54 #1763298(normal) <d59bc5>; symcache; is_allowed:
allow execution of SUBJECT_BLACKLISTED settings id 428 allows implicit execution of the symbols;
2024-08-14 14:00:54 #1763298(normal) <d59bc5>; metric;
insert_metric_result: metric multiplier for SUBJECT_BLACKLISTED is 5.00
2024-08-14 14:00:54 #1763298(normal) <d59bc5>; metric;
insert_metric_result: final insertion for symbol SUBJECT_BLACKLISTED, score 5.00, factor: 5
2024-08-14 14:00:54 #1763298(normal) <d59bc5>; task;
rspamd_add_passthrough_result:
<0799031c-39fa-467c-b911-06ddfd0ebd4f at jpberlin.de>: set pre-result
to 'reject' (no score): 'Matched map: SUBJECT_BLACKLISTED' from
multimap(1)
Is there a simple way to find out? Because, inspecting the map, I am unable to find an obvious match.
Thanks,
Johannes
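An added example, not part of the original thread and not Rspamd code: an offline check that reads a regexp map in the `/regex/flags SYMBOL:score:option` layout shown in the reply and reports which entries hit a given subject, using the option field (e.g. `rule7`) as the index. Assumptions: Python's `re` stands in for Rspamd's regex engine, so unusual syntax may behave differently; the function names and the sample map (including `rule10`) are constructed for illustration.

```python
import re

# Constructed sample map in the "/regex/flags SYMBOL:score:option" layout.
SAMPLE_MAP = r"""
# banned phrases (constructed sample)
/bad.*compare/i BODY_PHISHING:2:rule7
/I am a phishing mail/i BODY_PHISHING:0.5:rule8
/verify\syour\saccount/i BODY_PHISHING:1:rule9
/pay\/now/ BODY_PHISHING:1:rule10
"""

# /pattern/flags, then an optional value; "\/" inside the pattern is allowed.
LINE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([a-zA-Z]*)(?:\s+(\S.*))?$")
FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}

def parse_map(text):
    """Yield (line_no, compiled_regex, raw_pattern, value) per map entry."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {no}: not a /regex/ entry: {line!r}")
        pattern, flags, value = m.groups()
        bits = 0
        for f in flags:
            bits |= FLAGS.get(f, 0)  # flags without a Python equivalent are ignored
        yield no, re.compile(pattern, bits), pattern, value or ""

def find_matches(map_text, subject):
    """Return [(line_no, label, matched_text)] for every entry that hits."""
    hits = []
    for no, rx, pattern, value in parse_map(map_text):
        m = rx.search(subject)
        if m:
            parts = value.split(":")
            # Third field is the option used as an index; fall back to the pattern.
            label = parts[2] if len(parts) > 2 else pattern
            hits.append((no, label, m.group(0)))
    return hits

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_MAP, "This is not bad, compare the prices"):
        print(hit)
```

The matched text in each result shows how far a greedy pattern such as `bad.*compare` reached, which is usually what explains a false positive.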