[Rspamd-Users] rspamd-3.8.4: SPOOF_REPLYTO penalty exception
Gerald Galster
list+rspamd at gcore.biz
Wed May 22 23:09:05 UTC 2024
> Ideally I would need some logic like this:
>
> if ( ip == $MyExternalWebIP && from == $User1 at MyDomain && to == $User2 at MyDomain ){
> score("SPOOF_REPLYTO") = 0
> } else {
> leave SPOOF_REPLYTO at default score 6.0
> }
>
> Is this possible to achieve using a map?
Usually you don't set scores that way in multimaps. Instead you create a symbol
that subtracts from the final score so that SPOOF_REPLYTO is corrected:
score + SPOOF_REPLYTO (6) + MULTIMAP_WHITELIST (-6) = score
For a static user/ip combination you could use user settings with apply/symbol:
https://rspamd.com/doc/configuration/settings.html#settings-structure
Another kind of whitelist is possible using selectors, see this thread:
https://lists.rspamd.com/pipermail/users/2024-March/003182.html
But that seems overly complicated to just receive mails from a webapp.
You could subtract 6.0 points for mails coming from your webapp ip, to a certain
recipient or with a certain subject or even a custom mailheader.
You could also check your logs for how often SPOOF_REPLYTO hits real spam mails and
reduce or disable the score if it matches rarely. For my purpose I've redefined
SPOOF_REPLYTO to 0.5 instead of 6 points.
> Or using some other Rspamd mechanism?
See my previous mail (settings, lua, ...).
> And maybe stupid questions, it's not clear to me from the documentation:
>
> - what is in multimap rule matching? Regex match is somehow clear, but
> how with normal (non-regexp, non-radix) map (e.g. for from or rcpt) map
> type? Matching key in map (map file in my case) must exactly match?
> Or is taken as substring? And glob/wildcards keys are supported?
There are different map types:
https://rspamd.com/doc/modules/multimap.html#map-types
And directly below:
https://rspamd.com/doc/modules/multimap.html#regexp-maps
"All maps, except for ip and dnsbl maps, support the regexp mode.
In this mode, all keys in maps are treated as regular expressions."
So if you set regexp = true; you can partially match from/to/...
And there are filters that act like glob, e.g.
email:domain:tld -> user at foo.example.com -> (user@*.example.com) -> example.com
In this case the key in the map would be example.com.
https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters
I don't know if there's a need for substring/glob as regular expressions
usually use hyperscan and are quite cheap.
> Does this have anything to do with paragraph https://rspamd.com/doc/modules/multimap.html#maps-flaws ?
> What is "regexp_multi" and "glob_multi" there?
I've never used those. Probably rspamd will store ip address files differently
than regular expression files automatically.
> - "score" and "weight" are synonyms and have same meaning?
Usually, no (I don't know if it's consistently used everywhere).
See this example:
https://rspamd.com/doc/modules/multimap.html#multiple-symbol-maps
Depending on what parameters are given, the score is multiplied with the weight.
Another example would be a whitelist where entries have a positive score.
Using a weight of -1 makes it a negative score that will be subtracted from
the final result.
Also see https://github.com/rspamd/rspamd/issues/992
> - optional "multi" map attribute only make sense for multiple symbol maps?
No, it's oneshot vs all matches (multi = true):
https://rspamd.com/doc/modules/multimap.html#get-all-matches
Best regards,
Gerald
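
The static user/ip combination mentioned in the reply, written as a user settings rule. This is an added example, not configuration from the thread or from the Rspamd project. The rule name, IP address and mail addresses are constructed placeholders, and the file path assumes a default /etc/rspamd layout.

```ucl
# /etc/rspamd/local.d/settings.conf
# Added example: rule name, IP and addresses are placeholders.
webapp_replyto {
  id = "webapp_replyto";
  priority = high;

  # Different match types in one rule are ANDed, so the rule applies
  # only when the sending IP, the envelope sender and the envelope
  # recipient all match. Keeping the IP condition prevents a forged
  # sender address from any other host from getting the exemption.
  ip = "192.0.2.10";            # external IP of the web application
  from = "user1@example.com";   # SMTP envelope sender
  rcpt = "user2@example.com";   # SMTP envelope recipient

  apply {
    # Override the symbol score for matching mail only;
    # all other mail keeps the default SPOOF_REPLYTO score.
    SPOOF_REPLYTO = 0.0;
  }
}
```

Run `rspamadm configtest` after editing and reload Rspamd; matching mail should then show SPOOF_REPLYTO with a score of 0 in the log and history.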