[Rspamd-Users] How to handle MIME encoded headers?
G.W. Haywood
rspamd at jubileegroup.co.uk
Mon Jun 17 16:20:13 UTC 2024
Hi there,
On Mon, 17 Jun 2024, Dan Swartzendruber via Users wrote:
> Been using rspamd for a couple of weeks now, and it works just fine. The
> only issue I'm having is somehow getting tons of financial clickbait articles
> that score low on all defaults, so every day I have to delete dozens of
> these. They get sneaky and encode the subject lines so instead of seeing
> things like 'subject: Taiwan in Dаnger Amіd Chinese Drіlls' it is 'subject:
> =?UTF-8?B?VGFpd2FuIGluIETQsG5nZXIgQW3RlmQgQ2hpbmVzZSBEctGWbGxz?='. So the
> normal header examination setup in multimap.conf won't work because the
> headers have been decoded. I get not authentic emails with the subjects
> encoded this way so I'd like to flag these as spam, but not high enough to be
> outright rejected. So I'd like to look at the undecoded subject headers and
> if I see a regex like '=\?UTF-8\?.*\?=' it would add 7.0 to the score.
> Except as said, the headers are decoded. It seems like the following would
> work (if the subject header was undecoded):
>
> mime_subject_spam {
> type = "header"; <=== needs changing?
> header = "subject";
> filter = "regexp:/.*UTF\-8\?.*\?=/i";
> map = "/var/rspamd/maps/mime_subject_spam.map"; <=== don't need a map
> but it complains, so an empty file?
> symbol = "MIME_SUBJECT_SPAM";
> description = "Detect mime-encoded spam subjects";
> score = 7.0;
> regexp = true;
> }

Have you tried using the /u flag in your regexes?

https://rspamd.com/doc/modules/regexp.html

> p.s. I have to say the docs for rspamd are extremely complete, except that
> everything I look at explains what X and Y and Z are, but I don't see
> examples of how to do what I would like (FWIW, I ginned up the config here by
> looking at samples in modules.d, but that isn't exactly what I need.) What
> am I missing here? Any tips appreciated :)

It isn't easy to find your way around the docs I'm afraid.
There's an alternative take on them which *might* help

https://www.0xf8.org/2018/05/an-alternative-introduction-to-rspamd-configuration-introduction/

but not necessarily with this specific question.

--
73,
Ged.
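
An added example, not part of the original thread and not rspamd code: a Python sketch that runs two checks on the raw Subject value quoted above, the encoded-word test the question asks for (generalized here to any charset, not only UTF-8) and a test for words that mix Latin with Cyrillic or Greek letters, which the decoded sample subject contains. All function and constant names are hypothetical, and the second sample subject is constructed.

```python
import re
import unicodedata
from email.header import decode_header

# Subject value quoted in the thread above (raw, undecoded form).
PAGE_SUBJECT = "=?UTF-8?B?VGFpd2FuIGluIETQsG5nZXIgQW3RlmQgQ2hpbmVzZSBEctGWbGxz?="
# Constructed sample: an ordinary accented subject, Q-encoded.
LEGIT_SUBJECT = "=?UTF-8?Q?Caf=C3=A9_menu?="
# RFC 2047 encoded-word: =?charset?B|Q?payload?=  (any charset, not only UTF-8)
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")
# Scripts whose letters are commonly confused with one another.
LOOKALIKE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}

def has_encoded_word(raw_subject):
    """True if the raw header value contains an RFC 2047 encoded-word."""
    return bool(ENCODED_WORD.search(raw_subject))

def decode_subject(raw_subject):
    """Decode encoded-words to text; undecodable bytes become U+FFFD."""
    out = []
    for chunk, charset in decode_header(raw_subject):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label in the header
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)

def mixed_script_words(text):
    """Return words whose letters come from more than one lookalike script."""
    flagged = []
    for word in re.findall(r"[^\W\d_]+", text):
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in word}
        if len(scripts & LOOKALIKE_SCRIPTS) > 1:
            flagged.append(word)
    return flagged

def inspect_subject(raw_subject):
    """Run both checks on one raw Subject value."""
    decoded = decode_subject(raw_subject)
    return {"encoded": has_encoded_word(raw_subject),
            "decoded": decoded,
            "mixed": mixed_script_words(decoded)}

if __name__ == "__main__":
    for s in (PAGE_SUBJECT, LEGIT_SUBJECT, "Taiwan in Danger"):
        print(inspect_subject(s))
```

The constructed accented subject matches the encoded-word test but has no mixed-script words, while the subject from the thread matches both.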