[Rspamd-Users] Blacklist domain map intermittent.

Dave Lewis dlewis at dsl-co.com
Mon Jun 17 16:56:13 UTC 2024


Thanks for this reply !  I'll take these details and start tweaking 😊

 

Appreciate the time you took to give the details !

 

Dave

 

-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Gerald Galster
Sent: Friday, June 14, 2024 10:25 PM
To: User questions <users at lists.rspamd.com>
Subject: Re: [Rspamd-Users] Blacklist domain map intermittent.

 

> I have a blacklist setup in multimap.conf
>
> BLACKLIST_SENDER_DOMAIN {
>  type = "header";
>  header = "From";
>  filter = "email:domain";
>  #prefilter = "true";
>  map = "/etc/rspamd/blacklist.sender.domain.map";
>  score = 4.0;
>  #action = "rewrite subject";
>  #subject = "*** SPAM *** %s";
>  #message = "Requested action not taken: mailbox unavailable";
>  regexp = true;
> }
>
> And in my blacklist.sender.domain.map I have lists of domains like
>
> (\.|^)stunningreports.com$
> (\.|^)borntoprofit.com$
> (\.|^)marketmasterymindset.com$
> (\.|^)freshmarketdata.com$

 

 

See https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters:

  email:domain:tld -> parse header value as email address and extract effective
  second level domain from it (Somebody <user at foo.example.com> -> example.com)

 

To match a domain including all possible subdomains the email:domain:tld filter is sufficient, no regexp needed. Just list one domain per line and remove "regexp = true" from your config.

 

For regex matching see the examples here:

https://rspamd.com/doc/modules/multimap.html#regexp-maps

 

You've omitted the slashes that signal the beginning and end of a regular expression. That might or might not work but I'd add those slashes to be able to add modifiers like 'i' (case insensitive).

 

/(\.|^)stunningreports\.com$/i will match mail.STUNNINGreports.com as well.

 

 

You could also add the following line to /etc/rspamd/local.d/logging.inc and restart rspamd to log which (sub-)domain is processed:

debug_modules=['multimap'];

 

 

Also note there are different types of "from" with SMTP: the envelope from which is used between mailservers and the header from that is usually shown in email clients. These may differ, especially for mails that are generated by software (autoresponder, mailing lists, ...). Your multimap solely uses the From header, not the envelope from, which may or may not be what you want.

 

See https://rspamd.com/doc/modules/multimap.html#map-types

 

Type "from" is defined as:

  matches envelope from (or header From if envelope from is absent)

 

See https://rspamd.com/doc/modules/multimap.html#map-attributes

 

  extract_from - attribute extracts values of the sender/recipient
  from the SMTP dialog or the From/To header. To achieve this, set
  the value to smtp, mime, or both to match both sources. It’s
  important to note that extract_from is solely utilized in
  conjunction with the from or rcpt map type.

 

You might consider this alternative approach:

 

BLACKLIST_SENDER_DOMAIN {
  type = "from";
  extract_from = "both";
  filter = "email:domain:tld";
  map = "/etc/rspamd/blacklist.sender.domain.map";
  score = 4.0;
}

 

 

> The initial direction was to have domains in the blacklist just get
> score high enough to flag it as spam and then rewrite the subject so
> that it would be delivered to the users spam folder.  I eventually
> gave up on that ( the lines are commented out) and went to what I
> found online which appears to auto reject items on the blacklist.  I
> can work with that too, however the vast majority of the domains don't get blocked..

 

Thresholds are defined in /etc/rspamd/local.d/actions.conf e.g.

 

  actions {
      reject = 15; # Reject when reaching this score
      rewrite_subject = 7;
      subject = "[SPAM] %s";
      add_header = 6; # Add header when reaching this score
      greylist = 4; # Apply greylisting / defer
  }

 

To deliver tagged spam mails search your rspamd log for the highest spam score and use this or a higher value for reject in actions.conf.

 

Just keep the order so that the scores are like greylist < add_header < rewrite_subject < reject

 

https://rspamd.com/doc/faq.html#what-are-rspamd-actions
https://github.com/rspamd/rspamd/blob/master/conf/actions.conf

 

Best regards,

Gerald
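
Added example, not part of the original thread and not rspamd code: a small Python helper that reduces the `(\.|^)domain$` regexp entries quoted above to the one-domain-per-line form the reply suggests for `email:domain:tld`, and flags entries whose dots are unescaped. The sample map text is constructed from the entries in the thread, and the names `to_plain_domains` and `SAMPLE_MAP` are hypothetical.

```python
import re

# Constructed sample: the entries quoted in the thread, with one of them
# rewritten in the /.../i form shown in the reply.
SAMPLE_MAP = r"""
# blacklist.sender.domain.map (regexp form)
(\.|^)stunningreports.com$
(\.|^)borntoprofit.com$
/(\.|^)marketmasterymindset\.com$/i
(\.|^)freshmarketdata.com$
"""

# Matches "(\.|^)<body>$", optionally wrapped in /.../flags.
ENTRY = re.compile(r"^/?\(\\\.\|\^\)(?P<body>.+?)\$(?:/(?P<flags>[a-z]*))?$")
DOMAIN = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def to_plain_domains(map_text):
    """Return (domains, warnings) for a regexp-style sender domain map."""
    domains, warnings = [], []
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            warnings.append(f"line {lineno}: not a simple domain pattern: {line}")
            continue
        body = m.group("body")
        # In a regexp a bare "." matches any character, so the entry is
        # broader than the domain it names.
        if re.search(r"(?<!\\)\.", body):
            warnings.append(f"line {lineno}: unescaped '.' in {line}")
        domain = body.replace("\\.", ".").lower()
        if not DOMAIN.fullmatch(domain):
            warnings.append(f"line {lineno}: cannot reduce to a domain: {line}")
            continue
        domains.append(domain)
    return domains, warnings


if __name__ == "__main__":
    plain, notes = to_plain_domains(SAMPLE_MAP)
    print("\n".join(plain))      # candidate content for the plain map
    for note in notes:
        print("WARN", note)
```

Entries that are not of the simple `(\.|^)domain$` shape are reported and left out, so they can be reviewed by hand before `regexp = true` is dropped.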

 
