[Rspamd-Users] Yet another multimap mystery

Tino Hendricks t.hendricks at interpool.de
Wed Mar 13 13:58:39 UTC 2024


Hi Christian,

thank you so much for your time!

I did as you suggested (I wasn’t aware of the debug feature 🤦‍♂️)

but even with just

root at mail:/tmp# tail -9 /etc/rspamd/local.d/multimap.conf

BEWERBUNGEN {
    type = "content";
    filter = "headers";
    map = "${LOCAL_CONFDIR}/local.d/known_spam_headers.map";
    prefilter = false;
    score = 10.0;
    regexp = true;
}

root at mail:/tmp# cat /etc/rspamd/local.d/known_spam_headers.map
/envelope-from/

I’m getting

2024-03-13 14:36:57 #1422681(controller) <8d24ef>; multimap; multimap.lua:435: check value Return-Path: <hostmaster….Uynjxh1dmSHIPzX8EU=;\x0AReceived: from domain.com ([12.23.45.56])\x0A\x09by domain.com with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\x0A\x09(Exim 4.96)\x0A\x09(envelope-from <hostmaster at domain.com>)\x0A\x09id 1rk0nc-006zEA-1M\x0A\x09for…. Content-Type: multipart/mixed;\x0A boundary="b1=_hT13V8WfAf0KgOqCEZVcJHLWn0ulmIkQkywyMesneo"\x0AContent-Transfer-Encoding: 8bit\x0AContent-Length: 2959359\x0A for multimap BEWERBUNGEN
2024-03-13 14:36:57 #1422681(controller) <8d24ef>; multimap; multimap.lua:474: found return "false" for multimap BEWERBUNGEN

But:
Now I finally did a _restart_ of rspamd, and now it uses the map – I have no idea why it didn’t do it before.

Thanks to everyone!

Tino

> On 13.03.2024 at 14:15, C. Bernard via Users <users at lists.rspamd.com> wrote:
> 
> Hi Tino
> 
> On 2024-03-13 13:20, Tino Hendricks via Users wrote:
>> Hi Philipp,
>> thank you very much for diving into it!
>> Sounds like a trap I’ve been falling into before.
>> But since I'm testing with an exported, local .eml file, the "Return-Path:" header is present.
>> To be sure I tested with another, single header
>> /\(envelope-from <hostmaster@.*/
> 
> use:
> /envelope-from..?hostmaster/
> 
> My example uses root, as I can test better with that.
> I couldn't match the ( nor the @. The "..?" matches the TAB and the "<" if there is one. My example is local, therefore it is non-canonified at that stage in the milter / process.
> The @ is not seen by rspamd in my case (canonify follows, as it seems, after scanning probably; it is not in the Received header below)
> Why the ( did not match, not sure. rspamd follows "pcre" regex and in my tests on regex101 it matched with the parenthesis "(".
> 
> and set in logging.inc:
> debug_modules = ["multimap"];
> 
> I see now:
> 2024-03-13 13:55:12 #66320(normal) <62a67c>; multimap; multimap.lua:563: check value Received: (from root at localhost)\x0A\x09by beastly.vbz.ch (8.18.1/8.17.1/Submit) id 42DCtC9i079538\x0A\x09for spamstat at vbz.ch; Wed, 13 Mar 2024 13:55:12 +0100 (CET)\x0A\x09(envelope-from root)\x0D\x0ADate: Wed, 13 Mar 2024 13:55:12 +0100 (CET)\x0D\x0AFrom: Charlie Root <root at beastly.vbz.ch>\x0D\x0AMessage-Id: <202403131255.42DCtC9i079538 at beastly.vbz.ch>\x0D\x0ATo: spamstat at vbz.ch\x0D\x0ASubject: Spam of the day statistic \x0D\x0A for multimap BEWERBUNGEN
> 
> /Domain "anonymised" :)
> 
> maybe some "raw" or so the "match type" to try out after the last / :
> https://rspamd.com/doc/modules/regexp.html
> 
> 
> [root at beastly /usr/local/etc/rspamd/local.d]# tail -9 multimap.conf
> # Was just a test
> BEWERBUNGEN {
>    type = "content";
>    filter = "headers";
>    map = "/usr/local/etc/rspamd/local.d/test.map";
>    prefilter = false;
>    score = 0.1;
>    regexp = true;
> }
> 
> [root at beastly /usr/local/etc/rspamd/local.d]# cat test.map
> /envelope-from root/
> 
>> Again same results (no match on BEWERBUNGEN) with
>> rspamc symbols <theEmail>
>> But I’m correct that doing a "systemctl reload rspamd" is sufficient for rspamd to take into account the changed files, right?
> 
> Yes, I do that as well. .map changes are going into effect after changing the .map file, no need for restart on changing that.
> 
> Cheers
> Christian
> 
>> Thankful for any ideas,
>> Tino
>>> On 13.03.2024 at 11:48, Philipp Fäustlin <philipp.faeustlin at uni-hohenheim.de> wrote:
>>> On 13.03.24 at 11:13, Tino Hendricks via Users wrote:
>>>> Hi list,
>>>> I’m trying to create a multimap that catches a certain type of SPAM that always features three significant, individual headers.
>>>> To reduce it to maximum simplicity and for testing purposes I stripped everything down to a single header which I can’t even get to match.
>>>> In my
>>>> /etc/rspamd/local.d/multimap.conf I have (besides other, working maps)
>>>> BEWERBUNGEN {
>>>>    type = "content";
>>>>    filter = "headers";
>>>>    map = "${LOCAL_CONFDIR}/known_spam_headers.map";
>>>>    prefilter = false;
>>>>    score = 10.0;
>>>>    regexp = true;
>>>> }
>>>> (I also tried "filters = full" to no avail)
>>>> with
>>>> /etc/rspamd/local.d//known_spam_headers.map nothing else but
>>>> /Return-Path: <hostmaster.*/
>>>> rspamadm configdump successfully confirms it’s loaded, but output is
>>>> rspamc symbols <theEmail>
>>>> Results for file: 1710323151.2603_1.mail:2,S (0.144 seconds)
>>>> [Metric: default]
>>>> Action: no action
>>>> Spam: false
>>>> Score: 2.29 / 15.00
>>>> Symbol: ARC_NA (0.00)
>>>> Symbol: BAD_REP_POLICIES (0.50)
>>>> Symbol: BAYES_SPAM (0.09)[55.85%]
>>>> Symbol: DKIM_TRACE (0.00)[dom.com:+]
>>>> Symbol: DMARC_POLICY_ALLOW (0.00)[domain.com, quarantine]
>>>> Symbol: FROM_HAS_DN (0.00)
>>>> Symbol: FROM_NEQ_ENVFROM (0.00)[email at domain.com, hostmaster at domain.com]
>>>> Symbol: HAS_ATTACHMENT (0.00)
>>>> Symbol: HAS_REPLYTO (0.00)[email at domain.com]
>>>> Symbol: HFILTER_HOSTNAME_UNKNOWN (2.50)
>>>> Symbol: MID_RHS_MATCH_FROM (0.00)
>>>> Symbol: MIME_GOOD (-0.10)[multipart/mixed]
>>>> Symbol: MIME_HTML_ONLY (0.20)
>>>> Symbol: MIME_TRACE (0.00)[0:+, 1:~, 2:~]
>>>> Symbol: NEURAL_HAM (-0.00)[-0.980]
>>>> Symbol: PREVIOUSLY_DELIVERED (-1.00)[recipient at domain.com]
>>>> Symbol: RCPT_COUNT_ONE (0.00)[1]
>>>> Symbol: RCVD_COUNT_THREE (0.00)[3]
>>>> Symbol: RCVD_NO_TLS_LAST (0.10)
>>>> Symbol: RCVD_VIA_SMTP_AUTH (0.00)
>>>> Symbol: REPLYTO_EQ_FROM (0.00)
>>>> Symbol: R_DKIM_ALLOW (0.00)[domain.com:s=email]
>>>> Symbol: TO_DN_NONE (0.00)
>>>> Message-ID: hT13V8WfAf0KgOqCEZVcJHLWn0ulmIkQkywyMesneo at domain.com
>>>> Urls: []
>>>> Emails: ["email at domain.com"]
>>>> What am I missing?
>>>> Thank you very much.
>>>> Tino
>>> Not sure but the "Return-Path:" Header is probably set by postfix after rspamd checked the message.
>>> Because it is the last header in the received mail, I guess.
>>> I think you should test against "ENVFROM" not the header for that.
>>> Best regards
>>> Philipp
>>> --
>>> Users mailing list
>>> Users at lists.rspamd.com
>>> https://lists.rspamd.com/mailman/listinfo/users
> -- 
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users
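
An added example, not part of the thread and not rspamd code: a small offline checker that takes a "check value ... for multimap NAME" debug line of the kind quoted above, decodes its \x0A / \x09 escapes back into the folded header block, and reports which /regex/ map entries match it. It assumes slash-delimited map entries as used in the thread and uses Python's re as a stand-in for rspamd's PCRE, so results can differ for engine-specific syntax; the function names and the sample line and map are constructed.

```python
import re

# Shape of the debug lines quoted in the thread:
#   "... multimap.lua:NNN: check value <escaped blob> for multimap <SYMBOL>"
DEBUG_RE = re.compile(
    r"multimap\.lua:\d+: check value (?P<value>.*) for multimap (?P<symbol>\S+)$", re.S)
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")
MAP_ENTRY = re.compile(r"/(.*)/([a-z]*)")

def parse_debug_line(line):
    """Return (symbol, decoded value), or None if this is not a 'check value' line."""
    m = DEBUG_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    # The log prints control bytes as \x0A, \x09, ...; turn them back into characters.
    value = HEX_ESC.sub(lambda h: chr(int(h.group(1), 16)), m.group("value"))
    return m.group("symbol"), value

def parse_map(text):
    """Compile the /regex/ entries of a map; blank lines and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MAP_ENTRY.fullmatch(line)
        if not line or line.startswith("#") or m is None:
            continue
        # Assumption: only the "i" flag is honoured here; other letters are ignored.
        flags = re.I if "i" in m.group(2) else 0
        entries.append((line, re.compile(m.group(1), flags)))
    return entries

def matching_entries(debug_line, map_text):
    """Return (symbol, [map lines that match the logged value]) or None."""
    parsed = parse_debug_line(debug_line)
    if parsed is None:
        return None
    symbol, value = parsed
    return symbol, [src for src, rx in parse_map(map_text) if rx.search(value)]

# Constructed sample data (example.org, 192.0.2.1), modelled on the log lines above.
SAMPLE_LINE = (
    r"2024-03-13 14:36:57 #1(controller) <abc123>; multimap; multimap.lua:435: "
    r"check value Received: from mx.example.org ([192.0.2.1])\x0A\x09by mx.example.org "
    r"with esmtpsa\x0A\x09(envelope-from <hostmaster@example.org>)\x0A\x09id 1abcde-000001-1M"
    r"\x0D\x0ASubject: test\x0D\x0A for multimap BEWERBUNGEN")
SAMPLE_MAP = r"""# constructed map
/envelope-from/
/\(envelope-from <hostmaster@.*/
/envelope-from..?hostmaster/
/Return-Path: <hostmaster.*/
"""

if __name__ == "__main__":
    print(matching_entries(SAMPLE_LINE, SAMPLE_MAP))
```

If an entry matches here but the symbol still reports "false" in the debug log, the regex is unlikely to be the cause and the loaded state of the map is the next thing to check.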
