[Rspamd-Users] Multimap and syntax...
christian
usenet at schani.com
Fri Mar 1 10:54:44 UTC 2024
Hello,
I have attached my config dump file here:
https://www.leicht.info/rspamd-dump.txt
Rspamd 3.8.4
rspamadm configtest
syntax OK
When I take a closer look at your answers, it seems that the incoming
filtering is mainly done by Bayes and you train this filter. The
decisive factor is the score of an email as to whether it is listed as
spam or ham in the Bayes filter.
I completely deleted the redis entries for rspamd and started learning
from scratch. But after a few hours I have a large surplus of Ham
entries - about 100:10. I don't think that's the point of the matter.
After one day I have 5000 BAYES_HAM entries and 600 BAYES_SPAM.
But when I look at spam emails that get through, BAYES_SPAM/HAM is not
checked at all.
Here is an example of Spam:
X-Spamd-Result: default: False [0.81 / 30.00];
R_DKIM_ALLOW(1.11)[gexton.us:s=root];
MX_INVALID(0.50)[];
DMARC_POLICY_ALLOW(-0.50)[gexton.us,reject];
R_SPF_ALLOW(-0.20)[+ip4:209.141.51.0/24];
MIME_GOOD(-0.10)[multipart/alternative,text/plain];
RCPT_COUNT_ONE(0.00)[1];
DKIM_TRACE(0.00)[gexton.us:+];
ASN(0.00)[asn:53667, ipnet:209.141.32.0/19, country:US];
MIME_TRACE(0.00)[0:+,1:+,2:~];
MISSING_XM_UA(0.00)[];
SPF_REPUTATION_SPAM(0.00)[0.78822517302659];
DKIM_REPUTATION(0.00)[0.78822517302659];
HAS_WP_URI(0.00)[];
GENERIC_REPUTATION(0.00)[0.78822517302659];
FROM_EQ_ENVFROM(0.00)[];
The sender email is on my multimap blacklist. No multimap test and no
BAYES test.
Here is an example of a non-spam:
X-Spamd-Result: default: False [1.87 / 30.00];
INFO_TO_INFO_LU(2.00)[];
SUBJECT_HAS_CURRENCY(1.00)[];
DMARC_POLICY_ALLOW(-0.50)[unitedplugins.com,reject];
R_DKIM_ALLOW(-0.20)[unitedplugins.com:s=mailjet];
R_SPF_ALLOW(-0.20)[+ip4:185.250.236.0/22];
MAILLIST(-0.11)[generic];
MIME_GOOD(-0.10)[multipart/alternative,text/plain];
MX_GOOD(-0.01)[];
HAS_LIST_UNSUB(-0.01)[];
DKIM_TRACE(0.00)[unitedplugins.com:+];
RCPT_COUNT_ONE(0.00)[1];
TO_MATCH_ENVRCPT_ALL(0.00)[];
SPF_REPUTATION_HAM(0.00)[-0.51883337370734];
IP_REPUTATION_HAM(0.00)[asn: 200069(-0.21), country: FR(0.00), ip:
185.250.237.60(0.00)];
I trained the email as HAM. But no BAYES entry appears. In addition, the
domain is in a multimap whitelist which is also not displayed. The email
is accepted, but only just.
Am 28.02.2024 um 15:15 schrieb Gerald Galster:
> Rspamd includes the public suffix list (see https://publicsuffix.org/list/).
> https://github.com/rspamd/rspamd/blob/master/contrib/publicsuffix/effective_tld_names.dat
Ok, then I don't have to worry about the multiple TLDs. Rspamd does this
automatically.
>
> Try to be more precise when reading the documentation.
>
Unfortunately, the documentation is very confusing and not very
structured. You don't recognize the connections.
> Just a hint: if you add e.g. adidas.com to your whitelist, any spammer that sends with @adidas.com is probably whitelisted due to score -20.
> I'd rather train rspamd to filter spam and use those maps to assist learning. Otherwise a spammail with an added score of -20 will probably be learned as ham, which can ruin your bayes filter.
Should an email that does not actually come from adidas.com not be
checked further and be assessed differently as phishing? Check against
DKIM and MX. This makes it clear that the email doesn't really come from
adidas.com, right? OK, maybe -20 is a bit much.
But what always surprises me is that it's hard to understand why
sometimes my multimaps work and the next email doesn't. Why I can see
that Bayesian statistics counts up for incoming emails, but no check is
displayed in the email fields.
Please don't be mad at me for my stupid questions, but I want to learn this.
Thanks
Christian
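
An added example, not part of the original message: a small parser for the X-Spamd-Result value shown above that sums the listed symbol weights and reports which expected symbol families never appear. BAYES_ is the prefix of the Bayes symbols named in the post; MY_FROM_BLACKLIST is a hypothetical placeholder for whatever symbol name the multimap rule defines.

```python
import re

# NAME(weight)[options]; options may themselves contain "(...)" but no "]".
SYMBOL_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)\[(.*?)\]", re.S)
# The leading "[score / threshold]" part of the header value.
TOTAL_RE = re.compile(r"\[(-?\d+(?:\.\d+)?) / (-?\d+(?:\.\d+)?)\]")

def parse_spamd_result(value):
    """Return (score, threshold, {symbol: (weight, options)})."""
    flat = " ".join(value.split())  # undo header folding / wrapped lines
    total = TOTAL_RE.search(flat)
    if total is None:
        raise ValueError("no '[score / threshold]' part found")
    symbols = {m.group(1): (float(m.group(2)), m.group(3))
               for m in SYMBOL_RE.finditer(flat, total.end())}
    return float(total.group(1)), float(total.group(2)), symbols

def audit(value, expected_prefixes):
    """Compare the header score with the symbol sum; list absent prefixes."""
    score, _, symbols = parse_spamd_result(value)
    summed = round(sum(weight for weight, _ in symbols.values()), 2)
    missing = [p for p in expected_prefixes
               if not any(name.startswith(p) for name in symbols)]
    return {"score": score, "sum_of_symbols": summed,
            "complete": abs(summed - score) < 0.01, "missing": missing}

# Excerpt of the spam example from the post: all weighted symbols plus two
# zero-weight ones (trimmed for length, so a constructed sample).
SAMPLE = """default: False [0.81 / 30.00];
 R_DKIM_ALLOW(1.11)[gexton.us:s=root];
 MX_INVALID(0.50)[];
 DMARC_POLICY_ALLOW(-0.50)[gexton.us,reject];
 R_SPF_ALLOW(-0.20)[+ip4:209.141.51.0/24];
 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
 ASN(0.00)[asn:53667, ipnet:209.141.32.0/19, country:US];
 SPF_REPUTATION_SPAM(0.00)[0.78822517302659];"""

if __name__ == "__main__":
    # MY_FROM_BLACKLIST is a placeholder symbol name (assumption).
    print(audit(SAMPLE, ["BAYES_", "MY_FROM_BLACKLIST"]))
```

When "complete" is true, the weights listed in the header already account for the whole score, so a symbol reported under "missing" did not fire for that message rather than being cut from the header.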