[Rspamd-Users] Control rspamd depending on subject content
Andreas
rspamd at linuxmaker.com
Thu Feb 29 18:06:25 UTC 2024
On Thursday, 29 February 2024, 18:19:22 CET, G.W. Haywood wrote:
> Hi there,
>
> On Thu, 29 Feb 2024, Andreas wrote:
> > ... /etc/rspamd/local.d/maps.d/banned_subjects.map:
> >
> > /*recipe-for-egg*/ BLOCK_SUBJECT:4.5
>
> You haven't used the 'i' modifier in the regexes which you've shown
> to make them case insensitive. That may be deliberate, but most of
> the time I use it in, er, case the spammers use the 'shift' keys.
>
> Be aware of the rules for constructing regexes. They're a bit quirky.
> Just as the character '*' is special in filename globs, it's special
> in regexes too, but in a different way. In a filename glob it more or
> less means "anything". In a regex, unless it is 'escaped', it means
> "match if the character immediately preceding the asterisk is repeated
> zero or more times". I'm not sure your regex will do what you want it
> to do. Perhaps you mean something like
>
> /.*recipe-for-egg.*/
>
> There are plenty of regex tutorials on the Web, but when you search do
> be aware that there are different types of regex:
>
> https://en.wikipedia.org/wiki/Regular_expression#Syntax
>
> They are mostly somewhat similar, with enough differences to make life
> interesting if you use more than one kind of them. The kind used by
> rspamd is called "Perl Compatible Regular Expressions" (usually PCRE).
> Perl's regexes are IMNSHO the best to use for more or less anything.
> Avoid POSIX regexes if you can - I use them a lot and I wish I didn't
> have to.
>
> Even though rspamd uses PCRE, it has extended the syntax for its own
> purposes. The rspamd extensions let you specify exactly where to look
> in the message for the match so it's much easier to avoid accidentally
> matching something that you didn't mean to match - and it's also a lot
> more efficient in terms of computing resources of course, you could be
> searching just a single line instead of a huge image. Look at
>
> https://rspamd.com/doc/modules/regexp.html#regular-expressions
>
> which shows you how you can identify with very good granularity the
> part or parts of the message which you want to search. For example
> the 'Subject' header you could use
>
> Subject=/egg/i{header}
>
> looks *only* in the Subject header for the string ('egg' or 'Egg' or
> 'EGG' or 'eGG' or...).
>
> Header field names are case insensitive according to the RFCs.
>
> > However, emails with “info prescription-free pharmacy” are still
> > allowed through.
>
> Maybe I'm missing something here but I think you need to show us more
> of your config and generally give more details. Which part of the
> message are you searching for the text? Is the search case sensitive?
>
> This link might help:
>
> https://jeffknerr.github.io/rspamd/regex/multimap/2021/03/02/rspamd-multimap-regex-examples.html
>
> it was just a random result from my search using 'startpage.com' (the
> Google front end which I prefer) for
>
> "rspamd regex examples"
>
> It looked like it made sense and the guy had made it work for him. I
> can't vouch for it, with more searching time I'm sure you could do a
> lot better.
>
> > I would also be interested in whether the syntax must be
> > “map = “file:///etc/rspamd/local.d/maps.d/banned_subjects.map”;”
> > or whether
> > “map = “/etc/rspamd/local.d/maps.d/banned_subjects.map”;”
> > is correct?
>
> The use of both is shown at
>
> https://rspamd.com/doc/modules/multimap.html#principles-of-work
>
> Using a URI instead of using a file path changes the way in which the
> content is accessed. If there's no compelling reason to use a URI, I
> would always use the simpler file path.
>
> Have you used
>
> rspamadm configtest
>
> to check your configuration?
Thanks to you, that’s

postfix/cleanup[2579711]: A196112007E: milter-reject: END-OF-MESSAGE from mail-lj1-x236.google.com[2a00:1450:4864:20::236]: 5.7.1 Matched map: BLOCK_SUBJECT

what I want to see.
True, sometimes the devil is in the details. I overlooked that with the dots
in the regexes.
The note with the variables for the path is also more my thing. In the docs
and even in the config files

    /* Example setup
    sender_from_whitelist_user {
        type = "from";
        filter = "email:user";
        map = "file:///tmp/from.map";
        symbol = "SENDER_FROM_WHITELIST_USER";
        action = "accept"; # Prefilter mode
    }*/

"file://...." is favored instead.
Anyway, thank you very much for your feedback.
Best regards
Andreas
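
Added example (not part of the original thread and not rspamd code): a small Python check that lints a regexp map before it is deployed, showing why the glob-style entry quoted above never matches and what the 'i' modifier changes. Python's re module stands in for PCRE, the map line layout is taken from the entry quoted in the thread, and lint_map, SAMPLE_MAP and SUBJECTS are hypothetical names with constructed data.

```python
import re

# Constructed sample map in the "/regex/flags SYMBOL:score" shape quoted in
# this thread; entries 2 and 3 are the suggested fix without and with 'i'.
SAMPLE_MAP = """\
/*recipe-for-egg*/ BLOCK_SUBJECT:4.5
/.*recipe-for-egg.*/ BLOCK_SUBJECT:4.5
/recipe-for-egg/i BLOCK_SUBJECT:4.5
"""
# Constructed test subjects.
SUBJECTS = ["Recipe-For-Egg salad inside", "best recipe-for-egg", "Quarterly report"]

ENTRY = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-z]*)(?:\s+(?P<value>\S+))?$")


def lint_map(text, subjects):
    """Return one finding per entry: line number, compile status, warnings, hits."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        finding = {"line": lineno, "ok": False, "warnings": [], "hits": []}
        findings.append(finding)
        m = ENTRY.match(line)
        if not m:
            finding["warnings"].append("not in /regex/flags form")
            continue
        pat, flags = m["pat"], m["flags"]
        if pat.startswith("*"):
            finding["warnings"].append("leading '*' is a glob habit; it repeats nothing")
        if "i" not in flags:
            finding["warnings"].append("case-sensitive (no 'i' modifier)")
        try:
            # Python's re stands in for PCRE here; only the 'i' flag is honoured.
            rx = re.compile(pat, re.IGNORECASE if "i" in flags else 0)
        except re.error as exc:
            finding["warnings"].append(f"does not compile: {exc}")
            continue
        finding["ok"] = True
        # Unanchored search is an assumption of this sketch.
        finding["hits"] = [s for s in subjects if rx.search(s)]
    return findings


if __name__ == "__main__":
    for f in lint_map(SAMPLE_MAP, SUBJECTS):
        print(f)
```

After editing the real map, rspamadm configtest (mentioned above) remains the check for the configuration itself.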