[Rspamd-Users] Yet another multimap mystery

Philipp Fäustlin philipp.faeustlin at uni-hohenheim.de
Wed Mar 13 10:48:04 UTC 2024


On 13.03.24 at 11:13, Tino Hendricks via Users wrote:
> Hi list,
>
> I’m trying to create a multimap that catches a certain type of SPAM that always features three significant, individual headers.
>
> To reduce it to maximum simplicity and for testing purposes I stripped everything down to a single header which I can’t even get to match.
>
> In my
> /etc/rspamd/local.d/multimap.conf I have (besides other, working maps)
>
> BEWERBUNGEN {
>      type = "content";
>      filter = "headers";
>      map = "${LOCAL_CONFDIR}/known_spam_headers.map";
>      prefilter = false;
>      score = 10.0;
>      regexp = true;
> }
> (I also tried "filters = full" to no avail)
>
> with
> /etc/rspamd/local.d//known_spam_headers.map nothing else but
>
> /Return-Path: <hostmaster.*/
>
> rspamadm configdump successfully confirms it’s loaded, but output is
>
> rspamc symbols <theEmail>
> Results for file: 1710323151.2603_1.mail:2,S (0.144 seconds)
> [Metric: default]
> Action: no action
> Spam: false
> Score: 2.29 / 15.00
> Symbol: ARC_NA (0.00)
> Symbol: BAD_REP_POLICIES (0.50)
> Symbol: BAYES_SPAM (0.09)[55.85%]
> Symbol: DKIM_TRACE (0.00)[dom.com:+]
> Symbol: DMARC_POLICY_ALLOW (0.00)[domain.com, quarantine]
> Symbol: FROM_HAS_DN (0.00)
> Symbol: FROM_NEQ_ENVFROM (0.00)[email at domain.com, hostmaster at domain.com]
> Symbol: HAS_ATTACHMENT (0.00)
> Symbol: HAS_REPLYTO (0.00)[email at domain.com]
> Symbol: HFILTER_HOSTNAME_UNKNOWN (2.50)
> Symbol: MID_RHS_MATCH_FROM (0.00)
> Symbol: MIME_GOOD (-0.10)[multipart/mixed]
> Symbol: MIME_HTML_ONLY (0.20)
> Symbol: MIME_TRACE (0.00)[0:+, 1:~, 2:~]
> Symbol: NEURAL_HAM (-0.00)[-0.980]
> Symbol: PREVIOUSLY_DELIVERED (-1.00)[recipient at domain.com]
> Symbol: RCPT_COUNT_ONE (0.00)[1]
> Symbol: RCVD_COUNT_THREE (0.00)[3]
> Symbol: RCVD_NO_TLS_LAST (0.10)
> Symbol: RCVD_VIA_SMTP_AUTH (0.00)
> Symbol: REPLYTO_EQ_FROM (0.00)
> Symbol: R_DKIM_ALLOW (0.00)[domain.com:s=email]
> Symbol: TO_DN_NONE (0.00)
> Message-ID: hT13V8WfAf0KgOqCEZVcJHLWn0ulmIkQkywyMesneo at domain.com
> Urls: []
> Emails: ["email at domain.com“]
>
> What am I missing?
>
> Thank you very much.
>
> Tino

Not sure, but the "Return-Path:" header is probably set by Postfix after 
rspamd checked the message.

Because it is the last header in the received mail, I guess.

I think you should test against "ENVFROM" not the header for that.

Best regards

Philipp
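
The envelope-sender approach suggested in this reply, written out as an added example (not part of the original message and not taken from the rspamd project). The symbol name `BEWERBUNGEN_ENVFROM` and the map file name are assumptions. The `hostmaster` pattern comes from the question, whose `FROM_NEQ_ENVFROM` result shows `hostmaster at domain.com` as the envelope sender.

```ucl
# /etc/rspamd/local.d/multimap.conf
# Assumed symbol name and map path. A map of type "from" is checked against
# the SMTP envelope sender (MAIL FROM), which rspamd already has at scan time,
# rather than against a Return-Path: header that the MTA writes on delivery.
BEWERBUNGEN_ENVFROM {
    type = "from";
    map = "${LOCAL_CONFDIR}/known_spam_envfrom.map";
    regexp = true;    # treat each map line as a regular expression
    score = 10.0;
}

# /etc/rspamd/local.d/known_spam_envfrom.map (assumed file, one regexp per line):
# /^hostmaster@/i
```

Because the rule sees only the address and not a header line, the pattern is anchored on the local part instead of on `Return-Path: <`.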
