[Rspamd-Users] How to handle MIME encoded headers?

Dan Swartzendruber dan999 at druber.com
Mon Jun 17 15:07:09 UTC 2024


Been using rspamd for a couple of weeks now, and it works just fine.  
The only issue I'm having is somehow getting tons of financial clickbait 
articles that score low on all defaults, so every day I have to delete 
dozens of these.  They get sneaky and encode the subject lines so 
instead of seeing things like 'subject: Taiwan in Dаnger Amіd Chinese 
Drіlls' it is 'subject: 
=?UTF-8?B?VGFpd2FuIGluIETQsG5nZXIgQW3RlmQgQ2hpbmVzZSBEctGWbGxz?='.  So 
the normal header examination setup in multimap.conf won't work because 
the headers have been decoded.  I get not authentic emails with the 
subjects encoded this way so I'd like to flag these as spam, but not 
high enough to be outright rejected.  So I'd like to look at the 
undecoded subject headers and if I see a regex like '=\?UTF-8\?.*\?=' it 
would add 7.0 to the score.  Except as said, the headers are decoded.  
It seems like the following would work (if the subject header was 
undecoded):

mime_subject_spam {
         type = "header"; <=== needs changing?
         header = "subject";
         filter = "regexp:/.*UTF\-8\?.*\?=/i";
         map = "/var/rspamd/maps/mime_subject_spam.map"; <=== don't need 
a map but it complains, so an empty file?
         symbol = "MIME_SUBJECT_SPAM";
         description = "Detect mime-encoded spam subjects";
         score = 7.0;
         regexp = true;
}

p.s. I have to say the docs for rspamd are extremely complete, except 
that everything I look at explains what X and Y and Z are, but I don't 
see examples of how to do what I would like (FWIW, I ginned up the 
config here by looking at samples in modules.d, but that isn't exactly 
what I need.)  What am I missing here?  Any tips appreciated :)



More information about the Users mailing list