[Rspamd-Users] Yet another multimap mystery

Tino Hendricks t.hendricks at interpool.de
Wed Mar 13 12:20:12 UTC 2024


Hi Philipp,

thank you very much for diving into it!

Sounds like a trap I’ve been falling into before.

But since I'm testing with an exported, local .eml file, the "Return-Path:" header is present.

To be sure I tested with another, single header 

/\(envelope-from <hostmaster at .*/

Again same results (no match on BEWERBUNGEN) with 

rspamc symbols <theEmail>

But I’m correct that doing a "systemctl reload rspamd" is sufficient for rspamd to take into account the changed files, right?

Thankful for any ideas,

Tino

> On 13.03.2024 at 11:48, Philipp Fäustlin <philipp.faeustlin at uni-hohenheim.de> wrote:
> 
> On 13.03.24 at 11:13, Tino Hendricks via Users wrote:
>> Hi list,
>> 
>> I’m trying to create a multimap that catches a certain type of SPAM that always features three significant, individual headers.
>> 
>> To reduce it to maximum simplicity and for testing purposes I stripped everything down to a single header which I can’t even get to match.
>> 
>> In my
>> /etc/rspamd/local.d/multimap.conf I have (besides other, working maps)
>> 
>> BEWERBUNGEN {
>>     type = "content";
>>     filter = "headers";
>>     map = "${LOCAL_CONFDIR}/known_spam_headers.map";
>>     prefilter = false;
>>     score = 10.0;
>>     regexp = true;
>> }
>> (I also tried "filters = full" to no avail)
>> 
>> with
>> /etc/rspamd/local.d//known_spam_headers.map nothing else but
>> 
>> /Return-Path: <hostmaster.*/
>> 
>> rspamadm configdump successfully confirms it’s loaded, but output is
>> 
>> rspamc symbols <theEmail>
>> Results for file: 1710323151.2603_1.mail:2,S (0.144 seconds)
>> [Metric: default]
>> Action: no action
>> Spam: false
>> Score: 2.29 / 15.00
>> Symbol: ARC_NA (0.00)
>> Symbol: BAD_REP_POLICIES (0.50)
>> Symbol: BAYES_SPAM (0.09)[55.85%]
>> Symbol: DKIM_TRACE (0.00)[dom.com:+]
>> Symbol: DMARC_POLICY_ALLOW (0.00)[domain.com, quarantine]
>> Symbol: FROM_HAS_DN (0.00)
>> Symbol: FROM_NEQ_ENVFROM (0.00)[email at domain.com, hostmaster at domain.com]
>> Symbol: HAS_ATTACHMENT (0.00)
>> Symbol: HAS_REPLYTO (0.00)[email at domain.com]
>> Symbol: HFILTER_HOSTNAME_UNKNOWN (2.50)
>> Symbol: MID_RHS_MATCH_FROM (0.00)
>> Symbol: MIME_GOOD (-0.10)[multipart/mixed]
>> Symbol: MIME_HTML_ONLY (0.20)
>> Symbol: MIME_TRACE (0.00)[0:+, 1:~, 2:~]
>> Symbol: NEURAL_HAM (-0.00)[-0.980]
>> Symbol: PREVIOUSLY_DELIVERED (-1.00)[recipient at domain.com]
>> Symbol: RCPT_COUNT_ONE (0.00)[1]
>> Symbol: RCVD_COUNT_THREE (0.00)[3]
>> Symbol: RCVD_NO_TLS_LAST (0.10)
>> Symbol: RCVD_VIA_SMTP_AUTH (0.00)
>> Symbol: REPLYTO_EQ_FROM (0.00)
>> Symbol: R_DKIM_ALLOW (0.00)[domain.com:s=email]
>> Symbol: TO_DN_NONE (0.00)
>> Message-ID: hT13V8WfAf0KgOqCEZVcJHLWn0ulmIkQkywyMesneo at domain.com
>> Urls: []
>> Emails: ["email at domain.com"]
>> 
>> What am I missing?
>> 
>> Thank you very much.
>> 
>> Tino
> 
> Not sure but the "Return-Path:" Header is probably set by postfix after rspamd checked the message.
> 
> Because it is the last header in the received mail, I guess.
> 
> I think you should test against "ENVFROM" not the header for that.
> 
> Best regards
> 
> Philipp
> 
> -- 
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
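
The two hypotheses in this thread (the pattern itself does not match, or the header is only added after rspamd has scanned the message) can be separated offline. The following is an added example, not part of the original thread and not rspamd code: it tests map patterns against a stored message's header block, with and without the headers a delivery agent prepends. The sample message, the sample map, the function names and the list of delivery-time headers (assumed to be those of Postfix local delivery) are assumptions, and Python's `re` only stands in for rspamd's regexp engine.

```python
import re

# Assumption: headers Postfix's delivery agent prepends after the milter (rspamd) has run.
DELIVERY_HEADERS = {"return-path", "delivered-to", "x-original-to"}

# Constructed sample message and map file (not taken from the thread).
SAMPLE_EML = (
    "Return-Path: <hostmaster@domain.com>\n"
    "Delivered-To: recipient@domain.com\n"
    "Received: from mail.domain.com (unknown [192.0.2.10])\n"
    "\tby mx.example.org (envelope-from <hostmaster@domain.com>)\n"
    "From: Sender <email@domain.com>\n"
    "\n"
    "Return-Path: <hostmaster@domain.com> quoted in the body\n"
)
SAMPLE_MAP = "# comment\n/Return-Path: <hostmaster.*/\n/\\(envelope-from <hostmaster@.*/i\n"

def parse_map_line(line):
    """Compile one /pattern/flags map line; Python's re stands in for rspamd's engine."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.fullmatch(r"/(.*)/([a-z]*)", line)
    pattern, flags = m.groups() if m else (line, "")
    return re.compile(pattern, re.I if "i" in flags else 0)

def strip_delivery_headers(headers):
    """Remove delivery-time headers together with their folded continuation lines."""
    kept, skipping = [], False
    for line in headers.splitlines():
        if line[:1] not in (" ", "\t"):  # a new header starts here
            skipping = line.split(":", 1)[0].lower() in DELIVERY_HEADERS
        if not skipping:
            kept.append(line)
    return "\n".join(kept)

def check(raw_eml, map_text):
    """Map line -> (matches stored file headers, matches headers before delivery)."""
    stored = re.split(r"\r?\n\r?\n", raw_eml, maxsplit=1)[0]  # header block only
    before = strip_delivery_headers(stored)
    compiled = [(l.strip(), parse_map_line(l)) for l in map_text.splitlines()]
    return {l: (bool(rx.search(stored)), bool(rx.search(before))) for l, rx in compiled if rx}

if __name__ == "__main__":
    for line, (stored, before) in check(SAMPLE_EML, SAMPLE_MAP).items():
        print(f"{line!r}: stored file={stored}, before delivery={before}")
```

A pattern that reports a match for the stored file but not for the pre-delivery view depends on a header the filter would not see on live traffic.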


