[Rspamd-Users] Control rspamd depending on subject content

Albrecht Backhaus albrecht.backhaus at gmail.com
Sun Jan 21 11:18:16 UTC 2024


> Hi there,
>
> On Sat, 20 Jan 2024, Andreas wrote:
>
>> To avoid annoying spam that gets through Rspamd, I wrote this script
>>
>> #!/bin/bash +x
>> if [ ! $UID = 0 ]
>> then
>>       /usr/bin/su -
>> fi
>> ...
>
I had this kind of spam approaching my server as well.  These mails 
usually do have subjects like e.g.

> info reze-ptfrei anfordern
The rbl module does not help here. I do use rbl, and these kinds of mails 
do not get filtered by rbl, and they do have a proper DKIM signature and 
pass SPF and DMARC without problems. See the following example:
> *DMARC_POLICY_ALLOW*(-0.5)[smartlocaldigital.com,reject]
> *R_DKIM_ALLOW*(-0.2)[smartlocaldigital.com:s=root]
> *R_SPF_ALLOW*(-0.2)[+ip4:198.98.61.0/24]
> *MIME_GOOD*(-0.1)[multipart/alternative,text/plain]
> *MX_GOOD*(-0.01)[]
> *FROM_HAS_DN*(0)
> *TO_DN_ALL*(0)
> *FROM_EQ_ENVFROM*(0)
> *RCPT_COUNT_ONE*(0)[1]
> *ASN*(0)[asn:53667, ipnet:198.98.48.0/20, country:US]
> *TO_MATCH_ENVRCPT_ALL*(0)
> *MISSING_XM_UA*(0)
> *MID_RHS_MATCH_FROMTLD*(0)
> *RCVD_COUNT_ZERO*(0)[0]
> *DKIM_TRACE*(0)[smartlocaldigital.com:+]
> *MIME_TRACE*(0)[0:+,1:+,2:~]
> *ARC_NA*(0)

I then use the following multimap definitions to fight against that kind 
of spam:

> body_content_blacklisted {
>             type = "content";
>             filter = "body"; # can be headers, full, oneline, text, rawtext
>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_body_content.map";
>             symbol = "BODY_CONTENT_BLACKLISTED";
>             regexp = true;
> }
> header_content_blacklisted {
>             type = "content";
>             filter = "headers"; # can be headers, full, oneline, text, rawtext
>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_header_content.map";
>             symbol = "HEADER_CONTENT_BLACKLISTED";
>             regexp = true;
> }
> full_content_blacklisted {
>             type = "content";
>             filter = "full"; # can be headers, full, oneline, text, rawtext
>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_full_content.map";
>             symbol = "FULL_CONTENT_BLACKLISTED";
>             regexp = true;
> }

You then can easily populate the respective map via web gui with the 
desired expression. Example map:

> /etc/rspamd/local.d/maps.d/blacklist_full_content.map
> # blacklisted full content
> Abverkauf
> Arbeitsbeginn
> Bewerbungsprozess
> deepblue
> discount
> erektion
> Gratis-Muster
> iphone
> Kaufentscheider
> klicktipp
> Kryptohandel
> Lager-Überhang
> Liebesleben
> Liebesspiel
> Litauen
> Lohnkosten
> Manneskraft
> Mitarbeiterüberlassung
> Orgasmus
> Osteuropa
> Potenz
> Praeparate
> Schnäppchenpreis
> sensationelles Angebot
> sexuell
> Sonderaktion
> Sonderangebot
> Sonderposten
> Sonderpreis
> Sonderverkauf
> Spar-Tipp
> Top_Angebot
> traden
> unschlagbares Angebot
> Vorteilspreis
> Werbemittel
> Wunderpillen
> Zeitarbeitsfirma
> Zielgruppe
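
Because the maps above are loaded with `regexp = true`, every line is a pattern rather than a whole word, so it is worth checking a map against known-good mail before deploying it. The following is an added example, not part of the original post: it assumes plain entries behave as unanchored regular expressions (approximated here with Python's `re`), and the map excerpt, the broken `Rabatt (50%` entry and the ham texts are constructed.

```python
import re

# Constructed excerpt in the map format shown above; the last entry is a
# deliberately broken pattern (unbalanced parenthesis).
MAP_TEXT = """\
# blacklisted full content
Potenz
Zielgruppe
Lohnkosten
Sonderangebot
Rabatt (50%
"""

# Constructed legitimate ("ham") messages used as a regression corpus.
HAM = {
    "newsletter": "Das Potenzial dieser Zielgruppenanalyse ist hoch.",
    "payroll": "Die Lohnkosten steigen 2024 um 3 Prozent.",
}

def load_map(text):
    """Return the map entries, skipping blank lines and '#' comments."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(entries, ham):
    """Per entry: ham ids hit as written, and with \\b word anchors added."""
    report = {}
    for entry in entries:
        try:
            loose = re.compile(entry)
            anchored = re.compile(r"\b(?:%s)\b" % entry)
        except re.error as exc:
            # A typo in the map is a regex syntax error, not a literal.
            report[entry] = {"error": str(exc)}
            continue
        report[entry] = {
            "loose": sorted(k for k, v in ham.items() if loose.search(v)),
            "anchored": sorted(k for k, v in ham.items() if anchored.search(v)),
        }
    return report

if __name__ == "__main__":
    for entry, result in audit(load_map(MAP_TEXT), HAM).items():
        print(f"{entry!r}: {result}")
```

An entry that still hits ham in the `anchored` column is an ordinary word in legitimate mail, so word boundaries alone will not stop the false positive.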



