[Rspamd-Users] Blacklist domain map intermittent.

Gerald Galster list+rspamd at gcore.biz
Sat Jun 15 02:25:08 UTC 2024


> I have a blacklist setup in multimap.conf
> 
> BLACKLIST_SENDER_DOMAIN {
>  type = "header";
>  header = "From";
>  filter = "email:domain";
>  #prefilter = "true";
>  map = "/etc/rspamd/blacklist.sender.domain.map";
>  score = 4.0;
>  #action = "rewrite subject";
>  #subject = "*** SPAM *** %s";
>  #message = "Requested action not taken: mailbox unavailable";
>  regexp = true;
> }
> 
> And in my blacklist.sender.domain.map I have lists of domains like
> 
> (\.|^)stunningreports.com$
> (\.|^)borntoprofit.com$
> (\.|^)marketmasterymindset.com$
> (\.|^)freshmarketdata.com$


See https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters:

  email:domain:tld -> parse header value as email address and extract effective
  second level domain from it (Somebody <user at foo.example.com> -> example.com)

To match a domain including all possible subdomains the email:domain:tld
filter is sufficient, no regexp needed. Just list one domain per line and
remove "regexp = true" from your config.

For regex matching see the examples here:
https://rspamd.com/doc/modules/multimap.html#regexp-maps

You've omitted the slashes that signal the beginning and end of a regular
expression. That might or might not work but I'd add those slashes to be
able to add modifiers like 'i' (case insensitive).

/(\.|^)stunningreports\.com$/i will match mail.STUNNINGreports.com as well.


You could also add the following line to /etc/rspamd/local.d/logging.inc and
restart rspamd to log which (sub-)domain is processed:
debug_modules=['multimap'];


Also note there are different types of "from" with SMTP: the envelope from
which is used between mailservers and the header from that is usually
shown in email clients. These may differ, especially for mails that are
generated by software (autoresponder, mailing lists, ...). Your multimap
solely uses the From header, not the envelope from, which may or may not
be what you want.

See https://rspamd.com/doc/modules/multimap.html#map-types

Type "from" is defined as:
  matches envelope from (or header From if envelope from is absent)

See https://rspamd.com/doc/modules/multimap.html#map-attributes

  extract_from - attribute extracts values of the sender/recipient
  from the SMTP dialog or the From/To header. To achieve this, set
  the value to smtp, mime, or both to match both sources. It’s
  important to note that extract_from is solely utilized in
  conjunction with the from or rcpt map type.

You might consider this alternative approach:

BLACKLIST_SENDER_DOMAIN {
  type = "from";
  extract_from = "both";
  filter = "email:domain:tld";
  map = "/etc/rspamd/blacklist.sender.domain.map";
  score = 4.0;
}


> The initial direction was to have domains in the blacklist just get score
> high enough to flag it as spam and then rewrite the subject so that it would
> be delivered to the users' spam folder.  I eventually gave up on that (the
> lines are commented out) and went to what I found online which appears to
> auto reject items on the blacklist.  I can work with that too, however the
> vast majority of the domains don't get blocked.

Thresholds are defined in /etc/rspamd/local.d/actions.conf e.g.

  actions {
      reject = 15; # Reject when reaching this score
      rewrite_subject = 7;
      subject = "[SPAM] %s";
      add_header = 6; # Add header when reaching this score
      greylist = 4; # Apply greylisting / defer
  }

To deliver tagged spam mails, search your rspamd log for the highest
spam score and use this or a higher value for reject in actions.conf.

Just keep the order so that the scores are like
greylist < add_header < rewrite_subject < reject

https://rspamd.com/doc/faq.html#what-are-rspamd-actions
https://github.com/rspamd/rspamd/blob/master/conf/actions.conf

Best regards,
Gerald
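
Added example, not part of the original post and not rspamd code: a small script that converts a regexp map written in the (\.|^)domain$ idiom quoted above into the plain one-domain-per-line list suggested for the email:domain:tld filter, and sets aside any line it cannot convert safely. The names SAMPLE_MAP, convert and listed are hypothetical, the sample lines are constructed, and listed() is only an assumed approximation of the lookup (the sender domain or one of its parents equals a listed entry).

```python
import re

# Constructed sample in the style of the map quoted in the thread;
# the third line is an invented "real" regexp that must not be auto-converted.
SAMPLE_MAP = r"""
# sender blacklist
(\.|^)stunningreports.com$
/(\.|^)borntoprofit\.com$/i
(\.|^)fresh(market|farm)data.com$
"""

# The single idiom handled: optional /.../flags wrapper, the (\.|^) prefix,
# a literal domain whose dots may or may not be escaped, and a trailing $.
IDIOM = re.compile(
    r"^/?\(\\\.\|\^\)((?:[A-Za-z0-9-]+\\?\.)+[A-Za-z0-9-]+)\$(?:/[a-z]*)?$"
)

def convert(map_text):
    """Return (plain_domains, unconverted_lines) for a regexp map."""
    domains, leftover = [], []
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = IDIOM.match(line)
        if m:
            domains.append(m.group(1).replace("\\", "").lower())
        else:
            leftover.append(line)  # anything else stays in a regexp map
    return domains, leftover

def listed(sender_domain, domains):
    """Assumed approximation of the email:domain:tld lookup: the sender
    domain or any parent of it equals a listed entry (case-insensitive)."""
    d = sender_domain.lower().rstrip(".")
    return any(d == e or d.endswith("." + e) for e in domains)

if __name__ == "__main__":
    plain, manual = convert(SAMPLE_MAP)
    print("\n".join(plain))
    for line in manual:
        print("# review by hand:", line)
    for sender in ("mail.STUNNINGreports.com", "notstunningreports.com"):
        print(sender, "->", listed(sender, plain))
```

Lines reported for manual review are genuine regular expressions and belong in a separate map that keeps "regexp = true".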


