[Rspamd-Users] Yet another multimap mystery

C. Bernard rspamd_users_ml at cmb.ch
Wed Mar 13 13:15:06 UTC 2024


Hi Tino

On 2024-03-13 13:20, Tino Hendricks via Users wrote:
> Hi Philipp,
> 
> thank you very much for diving into it!
> 
> Sounds like a trap I’ve been falling into before.
> 
> But since I'm testing with an exported, local .eml file the 
> "Return-Path:" header is present.
> 
> To be sure I tested with another, single header
> 
> /\(envelope-from <hostmaster at .*/

use:
/envelope-from..?hostmaster/

My example is root, as I can test better with this.
I couldn't match the ( nor the @. The "..?" matches the TAB and the "<" 
if there is one. My example is local, therefore it is non-canonified at 
that stage in the milter / process.
The @ is not seen by rspamd in my case (canonify follows, as it seems, 
probably after scanning; it is not in the Received header below).
Why the ( did not match, not sure. rspamd follows "pcre" regex and in my 
tests on regex101 it matched with the parenthesis "(".

and set in logging.inc:
debug_modules = ["multimap"];

I see now:
2024-03-13 13:55:12 #66320(normal) <62a67c>; multimap; multimap.lua:563: 
check value Received: (from root at localhost)\x0A\x09by beastly.vbz.ch 
(8.18.1/8.17.1/Submit) id 42DCtC9i079538\x0A\x09for spamstat at vbz.ch; 
Wed, 13 Mar 2024 13:55:12 +0100 (CET)\x0A\x09(envelope-from 
root)\x0D\x0ADate: Wed, 13 Mar 2024 13:55:12 +0100 (CET)\x0D\x0AFrom: 
Charlie Root <root at beastly.vbz.ch>\x0D\x0AMessage-Id: 
<202403131255.42DCtC9i079538 at beastly.vbz.ch>\x0D\x0ATo: 
spamstat at vbz.ch\x0D\x0ASubject: Spam of the day statistic \x0D\x0A for 
multimap BEWERBUNGEN

/Domain "anonymised" :)

Maybe try some "raw" or similar "match type" after the last / :
https://rspamd.com/doc/modules/regexp.html


[root at beastly /usr/local/etc/rspamd/local.d]# tail -9 multimap.conf
# Was only a test
BEWERBUNGEN {
     type = "content";
     filter = "headers";
     map = "/usr/local/etc/rspamd/local.d/test.map";
     prefilter = false;
     score = 0.1;
     regexp = true;
}

[root at beastly /usr/local/etc/rspamd/local.d]# cat test.map
/envelope-from root/

> 
> Again same results (no match on BEWERBUNGEN) with
> 
> rspamc symbols <theEmail>
> 
> But I’m correct that doing a "systemctl reload rspamd" is sufficient for 
> rspamd to take into account the changed files, right?

Yes, I do that as well. .map changes are going into effect after 
changing the .map file, no need for restart on changing that.

Cheers
Christian

> 
> Thankful for any ideas,
> 
> Tino
> 
>> On 13.03.2024 at 11:48, Philipp Fäustlin 
>> <philipp.faeustlin at uni-hohenheim.de> wrote:
>> 
>> On 13.03.24 at 11:13, Tino Hendricks via Users wrote:
>>> Hi list,
>>> 
>>> I’m trying to create a multimap that catches a certain type of SPAM 
>>> that always features three significant, individual headers.
>>> 
>>> To reduce it to maximum simplicity and for testing purposes I 
>>> stripped everything down to a single header which I can’t even get to 
>>> match.
>>> 
>>> In my
>>> /etc/rspamd/local.d/multimap.conf I have (besides other, working 
>>> maps)
>>> 
>>> BEWERBUNGEN {
>>>     type = "content";
>>>     filter = "headers";
>>>     map = "${LOCAL_CONFDIR}/known_spam_headers.map";
>>>     prefilter = false;
>>>     score = 10.0;
>>>     regexp = true;
>>> }
>>> (I also tried "filters = full" to no avail)
>>> 
>>> with
>>> /etc/rspamd/local.d//known_spam_headers.map nothing else but
>>> 
>>> /Return-Path: <hostmaster.*/
>>> 
>>> rspamadm configdump successfully confirms it’s loaded, but output is
>>> 
>>> rspamc symbols <theEmail>
>>> Results for file: 1710323151.2603_1.mail:2,S (0.144 seconds)
>>> [Metric: default]
>>> Action: no action
>>> Spam: false
>>> Score: 2.29 / 15.00
>>> Symbol: ARC_NA (0.00)
>>> Symbol: BAD_REP_POLICIES (0.50)
>>> Symbol: BAYES_SPAM (0.09)[55.85%]
>>> Symbol: DKIM_TRACE (0.00)[dom.com:+]
>>> Symbol: DMARC_POLICY_ALLOW (0.00)[domain.com, quarantine]
>>> Symbol: FROM_HAS_DN (0.00)
>>> Symbol: FROM_NEQ_ENVFROM (0.00)[email at domain.com, 
>>> hostmaster at domain.com]
>>> Symbol: HAS_ATTACHMENT (0.00)
>>> Symbol: HAS_REPLYTO (0.00)[email at domain.com]
>>> Symbol: HFILTER_HOSTNAME_UNKNOWN (2.50)
>>> Symbol: MID_RHS_MATCH_FROM (0.00)
>>> Symbol: MIME_GOOD (-0.10)[multipart/mixed]
>>> Symbol: MIME_HTML_ONLY (0.20)
>>> Symbol: MIME_TRACE (0.00)[0:+, 1:~, 2:~]
>>> Symbol: NEURAL_HAM (-0.00)[-0.980]
>>> Symbol: PREVIOUSLY_DELIVERED (-1.00)[recipient at domain.com]
>>> Symbol: RCPT_COUNT_ONE (0.00)[1]
>>> Symbol: RCVD_COUNT_THREE (0.00)[3]
>>> Symbol: RCVD_NO_TLS_LAST (0.10)
>>> Symbol: RCVD_VIA_SMTP_AUTH (0.00)
>>> Symbol: REPLYTO_EQ_FROM (0.00)
>>> Symbol: R_DKIM_ALLOW (0.00)[domain.com:s=email]
>>> Symbol: TO_DN_NONE (0.00)
>>> Message-ID: hT13V8WfAf0KgOqCEZVcJHLWn0ulmIkQkywyMesneo at domain.com
>>> Urls: []
>>> Emails: ["email at domain.com“]
>>> 
>>> What am I missing?
>>> 
>>> Thank you very much.
>>> 
>>> Tino
>> 
>> Not sure but the "Return-Path:" Header is probably set by postfix 
>> after rspamd checked the message.
>> 
>> Because it is the last header in the received mail, I guess.
>> 
>> I think you should test against "ENVFROM" not the header for that.
>> 
>> Best regards
>> 
>> Philipp
>> 
>> --
>> Users mailing list
>> Users at lists.rspamd.com
>> https://lists.rspamd.com/mailman/listinfo/users
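
An offline way to test map entries against the "check value" that the multimap debug log prints, added here as an example and not part of the original thread. The sample values are constructed (placeholder hosts and queue id), the function names are hypothetical, and Python's `re` stands in for rspamd's PCRE engine on the assumption that no extra regexp flags are in effect.

```python
import re

# Constructed sample, modelled on the "check value" debug line quoted above
# (host names and queue id are placeholders, not values from the thread).
LOG_VALUE = (
    r"Received: (from root@localhost)\x0A\x09by mx.example.test "
    r"(8.18.1/8.17.1/Submit) id 0000000000\x0A\x09for user@example.test; "
    r"Wed, 13 Mar 2024 13:55:12 +0100 (CET)\x0A\x09(envelope-from root)"
    r"\x0D\x0ADate: Wed, 13 Mar 2024 13:55:12 +0100 (CET)\x0D\x0A"
)
# Constructed variant: the header is folded right after "envelope-from".
FOLDED_VALUE = (
    r"Received: by mx.example.test\x0A\x09(envelope-from"
    r"\x0A\x09<hostmaster@example.test>)\x0D\x0A"
)

def unescape_log_value(text):
    """Turn the \\xNN escapes of the debug log back into real characters."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)

def compile_map_entry(line):
    """Parse one /regex/flags map line; only the 'i' flag is handled here."""
    m = re.fullmatch(r"/(.*)/([a-zA-Z]*)", line.strip())
    if not m:
        raise ValueError(f"not a /regex/ map entry: {line!r}")
    flags = re.IGNORECASE if "i" in m.group(2) else 0
    return re.compile(m.group(1), flags)

def check(map_lines, log_value):
    """Return {map line: matched?} for the unescaped check value."""
    value = unescape_log_value(log_value)
    return {line: bool(compile_map_entry(line).search(value))
            for line in map_lines}

if __name__ == "__main__":
    entries = [
        "/envelope-from root/",             # test.map from the message
        "/envelope-from..?hostmaster/",     # suggestion from the message
        r"/envelope-from\s+<?hostmaster/",  # added: tolerant of folding
    ]
    for name, value in (("unfolded", LOG_VALUE), ("folded", FOLDED_VALUE)):
        for entry, hit in check(entries, value).items():
            print(f"{name:9} {entry:35} {'match' if hit else 'no match'}")
```

In this stand-in, `.` does not match a line feed, so the `..?` form misses a value that is folded directly after `envelope-from`, while the `\s+<?` form matches both the folded and the unfolded layout.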

