[Rspamd-Users] A question about known_senders module

Gerald Galster list+rspamd at gcore.biz
Tue Jul 16 18:27:28 UTC 2024


>>> With the release of 3.9 and the changes to the known_senders and replies module, I wanted to take a look at enabling known_senders (I already was using replies)
>>> But, the docs [1] leave me with something of a question, namely the domains setting.
>>> Am I understanding it correctly that all senders on all domains found in the file will have the symbol_check_mail_global symbol added?
>> Some user at gmail.com sends an email to you, the content is legit and you reply.
>> This sender is then considered legitimate as you would not reply to spammers.
>> On further mails a symbol like INC_MAIL_KNOWN_GLOBALLY is set, to help with
>> separating the good and the bad guys for domains with millions of users.
> 
> This is how I think the replies module works, which since 3.9 can work closer together with known_senders.

See https://github.com/rspamd/rspamd/blob/master/src/plugins/lua/replies.lua

Hopefully not missing anything by quickly looking at replies.lua, there are mainly two functions,
replies_check and replies_check_cookie, that are called when registering symbols.
Both of them are looking for an "in-reply-to" header and return if not found.

Therefore my conclusion is that the replies module is for replies only whereas the known senders
module helps with completely new mails.

> But, configuring the known_senders module includes a long list of domains, and it is this list I'm not sure about what it actually does.

You can download that list, unpack it with unzstd and have a look at it.
These seem to be freemailers like gmail with potentially millions of customers like

  gmail.com, gmail.com.br, gmx.at, gmx.biz, gmx.ch, gmx.co.uk, gmx.com, gmx.de, gmx.eu,
  gmx.info, gmx.li, gmx.net, gmx.org, gmx.us, hotmail.co.uk, hotmail.com, hotmail.de, ...

The documentation says:

  The known_senders plugin is used to maintain a list of known sender domains and classify
  incoming emails based on these domains. It can be especially useful for distinguishing
  known senders from potentially malicious or unknown ones.

Usually mail domains do have a manageable number of email accounts so you can rely on
IP reputation and domain reputation to help with good senders. This does not apply to
freemailers with millions of email accounts. The known senders module can help here.

Best regards,
Gerald
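
Added example, not part of the message above and not rspamd's own code: a simplified Python model of the distinction drawn in this thread, where a replies-style check only fires when In-Reply-To matches a recorded outbound Message-ID, while a known-senders-style check also covers new mail from domains on the list. The class, the MODEL_* symbol names, the sample domains and the addresses are assumptions constructed for illustration; how the real plugins store and score data is not modelled.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a freemail domain list (not the real file's contents).
FREEMAIL_DOMAINS = {"gmail.com", "gmx.de", "hotmail.com"}

def digest(value):
    """Keep only a digest of an address or Message-ID, never the raw value."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def mail(sender, rcpt, msgid, in_reply_to=None):
    """Build a constructed RFC 5322 message for the demo."""
    headers = [f"From: {sender}", f"To: {rcpt}", f"Message-ID: {msgid}"]
    if in_reply_to:
        headers.append(f"In-Reply-To: {in_reply_to}")
    return "\n".join(headers) + "\n\ntest body\n"

class SenderModel:
    def __init__(self, domains):
        self.domains = set(domains)
        self.sent_ids = set()  # digests of Message-IDs of outbound mail
        self.known = set()     # digests of listed-domain addresses we wrote to

    def listed(self, addr):
        return addr.rpartition("@")[2] in self.domains

    def outbound(self, raw):
        msg = message_from_string(raw)
        if msg["Message-ID"]:
            self.sent_ids.add(digest(msg["Message-ID"]))
        rcpt = parseaddr(msg["To"])[1].lower()
        if self.listed(rcpt):
            self.known.add(digest(rcpt))

    def inbound(self, raw):
        msg, symbols = message_from_string(raw), []
        # Replies-style check: without an In-Reply-To header it does nothing.
        irt = msg["In-Reply-To"]
        if irt and digest(irt) in self.sent_ids:
            symbols.append("MODEL_REPLY")
        # Known-senders-style check: covers new threads, listed domains only.
        sender = parseaddr(msg["From"])[1].lower()
        if self.listed(sender):
            known = digest(sender) in self.known
            symbols.append("MODEL_KNOWN_SENDER" if known else "MODEL_UNKNOWN_SENDER")
        return symbols
```

Feeding it a first mail from a listed-domain address, then an outbound answer, then a fresh mail without In-Reply-To from the same address shows the second inbound mail getting only the known-sender symbol; a sender on a domain outside the list gets neither symbol.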

