[Rspamd-Users] Blacklist domain map intermittent.

Dave Lewis dlewis at dsl-co.com
Fri Jun 14 01:47:09 UTC 2024


Hi everyone,

I'm a new user to rspamd. I recently switched over from SpamAssassin and
so far I am very happy and impressed. The configuration is just easier in
general and it is definitely catching more than SA used to.

I am, however, having a problem with blacklists/maps. I've done a bunch of
reading and I think I have it configured correctly, but it doesn't seem to
work every time.

I have a blacklist set up in multimap.conf:

BLACKLIST_SENDER_DOMAIN {
  type = "header";
  header = "From";
  filter = "email:domain";
  #prefilter = "true";
  map = "/etc/rspamd/blacklist.sender.domain.map";
  score = 4.0;
  #action = "rewrite subject";
  #subject = "*** SPAM *** %s";
  #message = "Requested action not taken: mailbox unavailable";
  regexp = true;
}

And in my blacklist.sender.domain.map I have lists of domains like:

(\.|^)stunningreports.com$
(\.|^)borntoprofit.com$
(\.|^)marketmasterymindset.com$
(\.|^)freshmarketdata.com$

The initial direction was to have domains in the blacklist just get a score
high enough to flag them as spam and then rewrite the subject so that it would
be delivered to the users' spam folder. I eventually gave up on that (the
lines are commented out) and went to what I found online, which appears to
auto-reject items on the blacklist. I can work with that too; however, the
vast majority of the domains don't get blocked.

For example, here's one that didn't work.
I've sanitized the log by replacing the email recipient address with
XXXX at XXXX.com.

2024-06-13 21:17:25 #146367(rspamd_proxy) <65f882>; proxy;
dkim_module_key_handler: stored DKIM key for
13dkim1._domainkey.mail.freshmarketdata.com in LRU cache for 271 seconds,
440/2000 elements in the cache

2024-06-13 21:17:25 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: DKIM_CHECK(31): 1024.06 ms

2024-06-13 21:17:25 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule:
SURBL_URIBL_SPAMEATINGMONKEY_NET(37): 1088.06 ms

2024-06-13 21:17:25 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: SURBL_PUBLIC_SARBL_ORG(36):
1124.06 ms

2024-06-13 21:17:25 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: RCVD_IN_DNSWL(195): 1208.06 ms

2024-06-13 21:17:26 #146367(rspamd_proxy) <65f882>; proxy;
spf_plugin_callback: stored record for bounce.mail.freshmarketdata.com
(0xeac5916c57f1a202) in LRU cache for 40 seconds, 328/2000 elements in the
cache

2024-06-13 21:17:26 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: R_SPF_FAIL(32): 2044.13 ms

2024-06-13 21:17:26 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule:
SURBL_FRESH15_SPAMEATINGMONKEY_NET(39): 2048.13 ms

2024-06-13 21:17:26 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: SURBL_MULTI_SURBL_ORG(34): 1036.12
ms

2024-06-13 21:17:26 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: MAILSPIKE(188): 2260.13 ms

2024-06-13 21:17:27 #146367(rspamd_proxy) <65f882>; lua; rbl.lua:162: error
looking up freshmarketdata.com.dwl.dnswl.org: query refused

2024-06-13 21:17:27 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: DWL_DNSWL(193): 2020.15 ms

2024-06-13 21:17:27 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: SURBL_DBL_SPAMHAUS_ORG(40):
2044.15 ms

2024-06-13 21:17:28 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: SURBL_ZEN_SPAMHAUS_ORG(38):
4056.18 ms

2024-06-13 21:17:28 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_symcache_finalize_item: slow rule: SURBL_URIBL_RSPAMD_COM(41):
3124.18 ms

2024-06-13 21:17:29 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_task_write_log: id:
bac92760-d0d5-4baf-805f-44887b97a431 at iad4s13mta1019.xt.local, qid:
<0C405AD>, ip: 128.245.250.115, from:
bounce-1317_HTML-17891736-13542-546006256-0 at bounce.mail.freshmarketdata.com,
(default: F (no action): [1.96/12.00]
[FORGED_SENDER(1.50){s.woods at mail.freshmarketdata.com;bounce-1317_HTML-17891736-13542-546006256-0 at bounce.mail.freshmarketdata.com;},
HFILTER_FROMHOST_NORES_A_OR_MX(1.50){bounce.mail.freshmarketdata.com;},
BAYES_HAM(-1.00){100.00%;},
FROM_NEQ_ENVFROM(1.00){s.woods at mail.freshmarketdata.com;bounce-1317_HTML-17891736-13542-546006256-0 at bounce.mail.freshmarketdata.com;},
RCVD_DKIM_ARC_DNSWL_HI(-1.00){},
IP_SCORE(1.00){ip : (1.08), ipnet: 128.245.0.0/16(2.20), asn: 14340(1.69), country: US(0.02);},
DMARC_POLICY_ALLOW(-0.50){mail.freshmarketdata.com;reject;},
RCVD_IN_DNSWL_HI(-0.50){115.250.245.128.list.dnswl.org : 127.0.10.3;},
MANY_INVISIBLE_PARTS(0.24){2;},ZERO_FONT(0.24){1;},
R_DKIM_ALLOW(-0.20){mail.freshmarketdata.com:s=13dkim1;},
R_SPF_ALLOW(-0.20){+ip4:128.245.248.0/21;},
MIME_GOOD(-0.10){multipart/alternative;text/plain;},HAS_LIST_UNSUB(-0.01){},
MX_GOOD(-0.01){cached: bounce.s13.exacttarget.com;},ARC_NA(0.00){},
ASN(0.00){asn:14340, ipnet:128.245.0.0/16, country:US;},
DKIM_TRACE(0.00){mail.freshmarketdata.com:+;},
DWL_DNSWL_FAIL(0.00){freshmarketdata.com.dwl.dnswl.org:query refused;},
FROM_HAS_DN(0.00){},
HAS_REPLYTO(0.00){reply-ff001573706006-1317_HTML-17891736-546006256-0 at mail.freshmarketdata.com;},
MIME_TRACE(0.00){0:+;1:+;2:~;},PREVIOUSLY_DELIVERED(0.00){XXXX at XXXX.com;},
RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_ALL(0.00){},
REPLYTO_DN_EQ_FROM_DN(0.00){},REPLYTO_DOM_EQ_FROM_DOM(0.00){},
RWL_MAILSPIKE_GOOD(0.00){115.250.245.128.rep.mailspike.net : 127.0.0.18;},
TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]),
len: 24399, time: 6628.211ms real, 23.628ms virtual, dns req: 31, digest:
<0e0c085e3fb1550f50b2da5584b0bc82>, rcpts: XXXX at XXXX.com, mime_rcpts:
XXXX at XXXX.com

2024-06-13 21:17:29 #146367(rspamd_proxy) <65f882>; proxy;
rspamd_protocol_http_reply: regexp statistics: 787 pcre regexps scanned, 5
regexps matched, 185 regexps total, 13 regexps cached, 94.29KiB scanned
using pcre, 94.29KiB scanned total

And yet here's one that worked.

2024-06-13 18:36:43 #146367(rspamd_proxy) <8385ae>; proxy;
proxy_accept_socket: accepted milter connection from 127.0.0.1 port 42688

2024-06-13 18:36:59 #146367(rspamd_proxy) <8385ae>; milter;
rspamd_milter_process_command: got connection from 13.110.239.239:47040

2024-06-13 18:36:59 #146367(rspamd_proxy) <8385ae>; proxy;
rspamd_message_parse: loaded message; id:
228755ea-9946-4d18-93f5-62bf77eeb52b at iad4s12mta1049.xt.local;
queue-id: <63B18AD>; size: 26644; checksum:
<5007a99b4219c7c6b48b1146e39cfe3c>

2024-06-13 18:37:00 #146367(rspamd_proxy) <8385ae>; proxy;
rspamd_symcache_finalize_item: slow rule: ASN_CHECK(170): 1224.03 ms

2024-06-13 18:37:00 #146367(rspamd_proxy) <8385ae>; proxy;
rspamd_add_passthrough_result:
228755ea-9946-4d18-93f5-62bf77eeb52b at iad4s12mta1049.xt.local: set
pre-result to 'reject' (no score): 'Matched map: BLACKLIST_SENDER_DOMAIN'
from multimap(1)

2024-06-13 18:37:00 #146367(rspamd_proxy) <8385ae>; proxy;
rspamd_task_write_log: id:
228755ea-9946-4d18-93f5-62bf77eeb52b at iad4s12mta1049.xt.local, qid:
<63B18AD>, ip: 13.110.239.239, from:
bounce-7533_HTML-345066463-189156-534010671-0 at bounce.sr.stunningreports.com,
(default: T (reject): [0.00/12.00]
[ASN(0.00){asn:14340, ipnet:13.110.0.0/16, country:US;},
BLACKLIST_SENDER_DOMAIN(0.00){bounce.sr.stunningreports.com;}]),
len: 26644, time: 1228.039ms real, 1.469ms virtual, dns req: 1, digest:
<5007a99b4219c7c6b48b1146e39cfe3c>, rcpts: XXXX at XXX.com,
mime_rcpts: XXXX at XXXX.com,
forced: reject "Matched map: BLACKLIST_SENDER_DOMAIN"; score=nan (set by
multimap)

2024-06-13 18:37:00 #146367(rspamd_proxy) <8385ae>; proxy;
rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 0
regexps matched, 185 regexps total, 0 regexps cached, 0B scanned using pcre,
0B scanned total

I'm at a loss. I suspect it has something to do with the headers, but I'm
not sure how to change the config to ensure that it always works.

Has anyone seen this before and figured out a way to make it work every time?

Thanks in advance for your help/guidance.

Dave

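To check a regexp map like the one in this post offline, the following added example (not code from the post or from rspamd) approximates multimap's `filter = "email:domain"` step and tests the resulting From-header domain against each map line. Python's `re` stands in for rspamd's PCRE engine, and case-insensitive matching is an assumption; the From addresses are constructed from the two log excerpts (the display name is invented).

```python
import re
from email.utils import parseaddr

# Map lines copied from the blacklist.sender.domain.map shown in the post.
MAP_LINES = r"""
(\.|^)stunningreports.com$
(\.|^)borntoprofit.com$
(\.|^)marketmasterymindset.com$
(\.|^)freshmarketdata.com$
"""

def load_map(text):
    """Compile one regex per non-empty, non-comment map line.
    Assumption: rspamd matches map regexps case-insensitively."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append((line, re.compile(line, re.IGNORECASE)))
    return rules

def email_domain(header_value):
    """Approximate multimap's filter = "email:domain": take the address
    part of a From header and return what follows the last '@', lowercased."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def match_map(rules, header_value):
    """Return the map line that would fire for this From header, or None."""
    domain = email_domain(header_value)
    if domain is None:
        return None
    for pattern, rx in rules:
        if rx.search(domain):
            return pattern
    return None

# Constructed From headers based on the two log excerpts above.
SAMPLES = {
    "failed":   "S. Woods <s.woods@mail.freshmarketdata.com>",
    "worked":   "bounce-7533_HTML-345066463-189156-534010671-0@bounce.sr.stunningreports.com",
    "unlisted": "Someone <someone@example.com>",
}

if __name__ == "__main__":
    rules = load_map(MAP_LINES)
    for name, hdr in SAMPLES.items():
        print(f"{name:8s} {email_domain(hdr):40s} -> {match_map(rules, hdr)}")
```

In this simulation the fourth map line does match `mail.freshmarketdata.com`, so the regexp itself is not what differs between the two log excerpts; the `(\.|^)` anchor also correctly rejects look-alikes such as `notfreshmarketdata.com`.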

