[Rspamd-Users] Control rspamd depending on subject content

Tino Hendricks t.hendricks at interpool.de
Sun Jan 21 11:37:24 UTC 2024


Hi Albrecht,

thanks for sharing because we all get hit by these mails. 
I don’t see which of the words in your blacklist_full_content.map would hit the
>> info reze-ptfrei anfordern

Because the hyphen is at another position every time. 

Thanks 

Tino
> On 21.01.2024 at 12:23, Albrecht Backhaus <albrecht.backhaus at gmail.com> wrote:
> 
> 
>> Hi there,
>> 
>>> On Sat, 20 Jan 2024, Andreas wrote:
>>> 
>>> To avoid annoying spam that gets through Rspamd, I wrote this script
>>> 
>>> #!/bin/bash +x
>>> if [ ! $UID = 0 ]
>>> then
>>>       /usr/bin/su -
>>> fi
>>> ...
>> 
> I had this kind of spam approaching my server as well.  These mails usually do have subjects like e.g.
> 
>> info reze-ptfrei anfordern
> The rbl module does not help here. I do use rbl and these kinds of mails do not get filtered by rbl and they do have a proper dkim signature and pass spf and dmarc without problems. See the following example:
>> *DMARC_POLICY_ALLOW*(-0.5)[smartlocaldigital.com,reject]
>> *R_DKIM_ALLOW*(-0.2)[smartlocaldigital.com:s=root]
>> *R_SPF_ALLOW*(-0.2)[+ip4:198.98.61.0/24]
>> *MIME_GOOD*(-0.1)[multipart/alternative,text/plain]
>> *MX_GOOD*(-0.01)[]
>> *FROM_HAS_DN*(0)
>> *TO_DN_ALL*(0)
>> *FROM_EQ_ENVFROM*(0)
>> *RCPT_COUNT_ONE*(0)[1]
>> *ASN*(0)[asn:53667, ipnet:198.98.48.0/20, country:US]
>> *TO_MATCH_ENVRCPT_ALL*(0)
>> *MISSING_XM_UA*(0)
>> *MID_RHS_MATCH_FROMTLD*(0)
>> *RCVD_COUNT_ZERO*(0)[0]
>> *DKIM_TRACE*(0)[smartlocaldigital.com:+]
>> *MIME_TRACE*(0)[0:+,1:+,2:~]
>> *ARC_NA*(0)
> 
> I then use the following multimap definitions to fight against that kind of spam:
> 
>> body_content_blacklisted {
>>             type = "content";
>>             filter = "body"; # can be headers, full, oneline, text, rawtext
>>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_body_content.map";
>>             symbol = "BODY_CONTENT_BLACKLISTED";
>>             regexp = true;
>> }
>> header_content_blacklisted {
>>             type = "content";
>>             filter = "headers"; # can be headers, full, oneline, text, rawtext
>>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_header_content.map";
>>             symbol = "HEADER_CONTENT_BLACKLISTED";
>>             regexp = true;
>> }
>> full_content_blacklisted {
>>             type = "content";
>>             filter = "full"; # can be headers, full, oneline, text, rawtext
>>             map = "file:///etc/rspamd/local.d/maps.d/blacklist_full_content.map";
>>             symbol = "FULL_CONTENT_BLACKLISTED";
>>             regexp = true;
>> }
> 
> You then can easily populate the respective map via web gui with the desired expression. Example map:
> 
>> /etc/rspamd/local.d/maps.d/blacklist_full_content.map
>> # blacklisted full content
>> Abverkauf
>> Arbeitsbeginn
>> Bewerbungsprozess
>> deepblue
>> discount
>> erektion
>> Gratis-Muster
>> iphone
>> Kaufentscheider
>> klicktipp
>> Kryptohandel
>> Lager-Überhang
>> Liebesleben
>> Liebesspiel
>> Litauen
>> Lohnkosten
>> Manneskraft
>> Mitarbeiterüberlassung
>> Orgasmus
>> Osteuropa
>> Potenz
>> Praeparate
>> Schnäppchenpreis
>> sensationelles Angebot
>> sexuell
>> Sonderaktion
>> Sonderangebot
>> Sonderposten
>> Sonderpreis
>> Sonderverkauf
>> Spar-Tipp
>> Top_Angebot
>> traden
>> unschlagbares Angebot
>> Vorteilspreis
>> Werbemittel
>> Wunderpillen
>> Zeitarbeitsfirma
>> Zielgruppe
> 
> 


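The following is an added example, not code from the thread or from the Rspamd project: it turns a keyword into a regular expression that tolerates a hyphen, underscore or dot between any two letters, so a single entry in a `regexp = true` map still matches when the hyphen moves, as in the quoted subject. The keyword `rezeptfrei`, the function names, the set of separator characters and the `/…/i` map-line syntax are assumptions to check against the installed Rspamd version.

```python
import re

# Assumption: the characters inserted into words are ASCII '-', '_' or '.'.
SEP = r"[-_.]?"

def tolerant_pattern(keyword: str) -> str:
    """Regex body matching `keyword` with at most one separator between
    any two adjacent characters of a word; words are joined by whitespace."""
    words = []
    for word in keyword.split():
        # Drop separators already present in the keyword (e.g. "Gratis-Muster").
        chars = [re.escape(c) for c in word if c not in "-_."]
        if chars:
            words.append(SEP.join(chars))
    return r"\s+".join(words)

def map_line(keyword: str) -> str:
    """Format the pattern as a /regex/i entry (assumed regexp-map syntax)."""
    return "/" + tolerant_pattern(keyword).replace("/", r"\/") + "/i"

def hits(keyword: str, text: str) -> bool:
    """Check a pattern locally before putting it into the map."""
    return re.search(tolerant_pattern(keyword), text, re.IGNORECASE) is not None

# Constructed samples: the first subject is the one quoted in the thread,
# the others move or drop the hyphen.
SUBJECTS = [
    "info reze-ptfrei anfordern",
    "info rez-eptfrei anfordern",
    "info rezeptfrei anfordern",
]

if __name__ == "__main__":
    for kw in ("rezeptfrei", "Gratis-Muster", "sensationelles Angebot"):
        print(map_line(kw))
    for subject in SUBJECTS:
        print(subject, "->", hits("rezeptfrei", subject))
```

Every optional separator widens what the entry matches, and the pattern is unanchored, so run candidate entries against known-good subjects as well before giving the symbol a high score.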