[Rspamd-Users] Blacklist domain map intermittent.
Dan Swartzendruber
dswartz at druber.com
Mon Jun 17 18:29:18 UTC 2024
This was helpful for me as well!
> On Jun 17, 2024, at 2:22 PM, Dave Lewis <dlewis at dsl-co.com> wrote:
>
> Thanks for this reply! I'll take these details and start tweaking 😊
>
> Appreciate the time you took to give the details!
>
> Dave
>
> -----Original Message-----
> From: Users <users-bounces at lists.rspamd.com> On Behalf Of Gerald Galster
> Sent: Friday, June 14, 2024 10:25 PM
> To: User questions <users at lists.rspamd.com>
> Subject: Re: [Rspamd-Users] Blacklist domain map intermittent.
>
>> I have a blacklist setup in multimap.conf
>>
>> BLACKLIST_SENDER_DOMAIN {
>> type = "header";
>> header = "From";
>> filter = "email:domain";
>> #prefilter = "true";
>> map = "/etc/rspamd/blacklist.sender.domain.map";
>> score = 4.0;
>> #action = "rewrite subject";
>> #subject = "*** SPAM *** %s";
>> #message = "Requested action not taken: mailbox unavailable";
>> regexp = true;
>> }
>>
>> And in my blacklist.sender.domain.map I have lists of domains like
>>
>> (\.|^)stunningreports.com$
>> (\.|^)borntoprofit.com$
>> (\.|^)marketmasterymindset.com$
>> (\.|^)freshmarketdata.com$
>
> See https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters:
>
> email:domain:tld -> parse header value as email address and extract effective
> second level domain from it (Somebody <user at foo.example.com> -> example.com)
>
> To match a domain including all possible subdomains the email:domain:tld filter is sufficient, no regexp needed. Just list one domain per line and remove "regexp = true" from your config.
>
> For regex matching see the examples here:
> https://rspamd.com/doc/modules/multimap.html#regexp-maps
>
> You've omitted the slashes that signal the beginning and end of a regular expression. That might or might not work but I'd add those slashes to be able to add modifiers like 'i' (case insensitive).
>
> /(\.|^)stunningreports\.com$/i will match mail.STUNNINGreports.com as well.
>
> You could also add the following line to /etc/rspamd/local.d/logging.inc and restart rspamd to log which (sub-)domain is processed:
>
> debug_modules=['multimap'];
>
> Also note there are different types of "from" with SMTP: the envelope from, which is used between mail servers, and the header from that is usually shown in email clients. These may differ, especially for mails that are generated by software (autoresponder, mailing lists, ...). Your multimap solely uses the From header, not the envelope from, which may or may not be what you want.
>
> See https://rspamd.com/doc/modules/multimap.html#map-types
>
> Type "from" is defined as:
> matches envelope from (or header From if envelope from is absent)
>
> See https://rspamd.com/doc/modules/multimap.html#map-attributes
>
> extract_from - attribute extracts values of the sender/recipient
> from the SMTP dialog or the From/To header. To achieve this, set
> the value to smtp, mime, or both to match both sources. It’s
> important to note that extract_from is solely utilized in
> conjunction with the from or rcpt map type.
>
> You might consider this alternative approach:
>
> BLACKLIST_SENDER_DOMAIN {
> type = "from";
> extract_from = "both";
> filter = "email:domain:tld";
> map = "/etc/rspamd/blacklist.sender.domain.map";
> score = 4.0;
> }
>
>> The initial direction was to have domains in the blacklist just get
>> score high enough to flag it as spam and then rewrite the subject so
>> that it would be delivered to the user's spam folder. I eventually
>> gave up on that (the lines are commented out) and went to what I
>> found online which appears to auto reject items on the blacklist. I
>> can work with that too, however the vast majority of the domains don't get blocked.
>
> Thresholds are defined in /etc/rspamd/local.d/actions.conf, e.g.
>
> actions {
> reject = 15; # Reject when reaching this score
> rewrite_subject = 7;
> subject = "[SPAM] %s";
> add_header = 6; # Add header when reaching this score
> greylist = 4; # Apply greylisting / defer
> }
>
> To deliver tagged spam mails, search your rspamd log for the highest spam score and use this or a higher value for reject in actions.conf.
>
> Just keep the order so that the scores are like greylist < add_header < rewrite_subject < reject
>
> https://rspamd.com/doc/faq.html#what-are-rspamd-actions
> https://github.com/rspamd/rspamd/blob/master/conf/actions.conf
>
> Best regards,
> Gerald
>
> --
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
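
Added example, not part of the thread and not rspamd code: a small Python model of the two configurations discussed above, run over constructed messages, showing how a header-only, case-sensitive regexp lookup can miss mail that the "from" / extract_from = "both" / email:domain:tld variant catches. The suffix set, the lower-casing of lookup keys and all sample addresses are assumptions; confirm real behaviour with the multimap debug log mentioned in the thread.

```python
import re
from email.utils import parseaddr

# Map lines as posted in the thread (regexp map, no slashes, no modifiers).
REGEXP_MAP = [r"(\.|^)stunningreports.com$", r"(\.|^)borntoprofit.com$"]
# Plain map for the suggested config: one domain per line.
PLAIN_MAP = {"stunningreports.com", "borntoprofit.com"}
# Constructed stand-in for the public suffix list (assumption, not rspamd's data).
SUFFIXES = {"com", "co.uk"}

def domain_of(value):
    """Model of the email:domain filter: the address part after the '@'."""
    return parseaddr(value)[1].rpartition("@")[2]

def esld_of(value):
    """Model of email:domain:tld: effective second-level domain,
    lower-cased here (assumption)."""
    labels = domain_of(value).lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def original_config(msg, flags=0):
    """type = "header"; header = "From"; filter = "email:domain"; regexp = true."""
    key = domain_of(msg["header_from"])
    return any(re.search(p, key, flags) for p in REGEXP_MAP)

def suggested_config(msg):
    """type = "from"; extract_from = "both"; filter = "email:domain:tld"."""
    return any(esld_of(msg[k]) in PLAIN_MAP
               for k in ("envelope_from", "header_from"))

# Constructed sample messages (not taken from the thread).
MESSAGES = {
    "both listed": {"envelope_from": "bounce@mail.stunningreports.com",
                    "header_from": "Deals <news@stunningreports.com>"},
    "envelope only": {"envelope_from": "bounce@mx.borntoprofit.com",
                      "header_from": "Support <info@example.com>"},
    "mixed case": {"envelope_from": "relay@example.com",
                   "header_from": "Offers <hi@Mail.BornToProfit.com>"},
}

def compare():
    """Per message: (original, original with the 'i' modifier, suggested)."""
    return {name: (original_config(m), original_config(m, re.I), suggested_config(m))
            for name, m in MESSAGES.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:14} original={row[0]} with_i={row[1]} suggested={row[2]}")
```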