[Rspamd-Users] rspamd-3.8.4: SPOOF_REPLYTO penalty exception

Franta Hanzlík franta at hanzlici.cz
Thu May 23 01:50:24 UTC 2024


Gerald, thanks again!

On Thu, 23 May 2024 01:09:05 +0200
Gerald Galster <list+rspamd at gcore.biz> wrote:

> > Ideally I would need some logic like this:
> > 
> > if ( ip == $MyExternalWebIP && from == $User1 at MyDomain && to == $User2 at MyDomain ){
> >    score("SPOOF_REPLYTO") = 0
> > } else {
> >    leave SPOOF_REPLYTO at default score 6.0
> > }
> > 
> > Is this possible to achieve using a map?  
> 
> Usually you don't set scores that way in multimaps. Instead you create a symbol
> that subtracts from the final score so that SPOOF_REPLYTO is corrected:
> score + SPOOF_REPLYTO (6) + MULTIMAP_WHITELIST (-6) = score
> 
> For a static user/ip combination you could use user settings with apply/symbol:
> https://rspamd.com/doc/configuration/settings.html#settings-structure
> 
> 
> Another kind of whitelist is possible using selectors, see this thread:
> https://lists.rspamd.com/pipermail/users/2024-March/003182.html
> 
> But that seems overly complicated to just receive mails from a webapp.
> 
> You could subtract 6.0 points for mails coming from your webapp ip, to a certain
> recipient or with a certain subject or even a custom mailheader.
> 
> You could also check your logs how often SPOOF_REPLYTO hits real spam mails and
> reduce or disable the score if it matches rarely. For my purpose I've redefined
> SPOOF_REPLYTO to 0.5 instead of 6 points.

I did combine a multimap with selectors, with this in local.d/multimap.conf:

LC_WL_SPOOF_REPLYTO {
  type = "combined";
  require_symbols = "SPOOF_REPLYTO";	# ?? I don't know what exactly it means
  score = -7;
  rules {
    domod {			# sender domain
      map = "/etc/rspamd/local.d/maps.d/multimap_wl_mySpoof_fromdomain.map";
      selector = "from:domain";
    }
    domto {			# recipient domain
      map = "/etc/rspamd/local.d/maps.d/multimap_wl_mySpoof_rcptdomain.map";
      selector = "rcpts:domain";
    }
    mywebip {			# sending IP of the web app
      selector = "ip";
      map = "/etc/rspamd/local.d/maps.d/multimap_wl_mywebip.map";
    }
  };
  expression = "domod & domto & mywebip";
};

And it seems to work; on a hit there is this symbol in the rspamd_task_write_log
log record:
LC_WL_SPOOF_REPLYTO(-7.00){domto=mulac.cz;mywebip=185.175.84.206;domod=mulac.cz;},

But I think this solution is more than suboptimal:
- rather complex expression, and in addition, there are another 3 map
files, each with a single entry.
I would much prefer some simple notation like:

if (ip == "1.2.3.4" && from == "usr1 at my.dom" && to == "usr2 at my.dom")SPOOF_REPLYTO=0

Is something similar possible in Lua? Are there some examples for such cases?


- The recipient and sender rules contain the domain, not the full
address. I don't know how to specify it. If I write 'selector = "from";' /
'selector = "rcpts";' instead of 'selector = "from:domain";' /
'selector = "rcpts:domain";', and add addresses to the map, it
doesn't work. And I do not know why.
Are the data transformation methods for selectors described somewhere?

On the multimap#conditional-map doc page there is an example with the :domain
transformation method only - are there any other methods? The selector
documentation seems to me very terse (and that applies not only to selectors :)),
without examples. Maybe enough for an Rspamd expert, but not for a beginner... ;)
Rspamd seems like a powerful tool, but not for a nerd like me... ;)


> > Or using some other Rspamd mechanism?  
> 
> See my previous mail (settings, lua, ...).
> 
> 
> > And maybe stupid questions, it's not clear to me from the documentation:
> > 
> > - what is in multimap rule matching? Regex match is somehow clear, but 
> > how with normal (non-regexp, non-radix) map (e.g. for from or rcpt) map 
> > type? Matching key in map (map file in my case) must exactly match?
> > Or is taken as substring? And glob/wildcards keys are supported?  
> 
> There are different map types:
> https://rspamd.com/doc/modules/multimap.html#map-types
> 
> And directly below:
> https://rspamd.com/doc/modules/multimap.html#regexp-maps
> 
> "All maps, except for ip and dnsbl maps, support the regexp mode.
>  In this mode, all keys in maps are treated as regular expressions."
> 
> So if you set regexp = true; you can partially match from/to/...
> 
> And there are filters that act like glob, e.g.
> email:domain:tld -> user at foo.example.com -> (user@*.example.com) -> example.com
> In this case the key in the map would be example.com.
> 
> https://rspamd.com/doc/modules/multimap.html#from-rcpt-and-header-filters
> 
> I don't know if there's a need for substring/glob as regular expressions
> usually use hyperscan and are quite cheap.

IMO filters do something a little different from matching in a map.
I agree that a regexp map will cover more options than glob/wildcard 
expressions - but those are simpler to write and often suffice.

> > Does this have anything to do with paragraph https://rspamd.com/doc/modules/multimap.html#maps-flaws ?
> > What is "regexp_multi" and "glob_multi" there?  
> 
> I've never used those. Probably rspamd will store ip address files differently
> than regular expression files automatically.

 
> > - "score" and "weight" are synonyms and have same meaning?  
> 
> Usually, no (I don't know if it's consistently used everywhere).
> 
> See this example:
> https://rspamd.com/doc/modules/multimap.html#multiple-symbol-maps
> 
> Depending on what parameters are given, the score is multiplied with the weight.
> 
> Another example would be a whitelist where entries have a positive score.
> Using a weight of -1 makes it a negative score that will be subtracted from
> the final result.
> 
> Also see https://github.com/rspamd/rspamd/issues/992

Ah, sure, I see, thank you.

> > - optional "multi" map attribute only make sense for multiple symbol maps?  
> 
> No, it's oneshot vs all matches (multi = true):
> https://rspamd.com/doc/modules/multimap.html#get-all-matches

I understand, thanks.

> Best regards,
> Gerald
> -- 
-- 
Thank You, Gerald!  Franta Hanzlík
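An added example, not from this thread and not part of Rspamd's own rules: a Lua rule for /etc/rspamd/rspamd.local.lua that does what the pseudo-code in the mail asks for, firing a compensating negative symbol only when SPOOF_REPLYTO hit and the connecting IP, envelope sender and recipient match one fixed triple. The IP, the two addresses and the -6.0 score are placeholders to be replaced with the real values.

```lua
-- Added example for rspamd.local.lua (not from the thread).
-- Each entry is one ip / envelope-sender / recipient triple (placeholders).
local whitelist = {
  { ip = "192.0.2.10", from = "usr1@my.dom", rcpt = "usr2@my.dom" },
}

-- addrs is the table returned by task:get_from() / task:get_recipients()
local function has_addr(addrs, wanted)
  if not addrs then return false end
  for _, a in ipairs(addrs) do
    if a.addr and a.addr:lower() == wanted then return true end
  end
  return false
end

local function matches(task, entry)
  local ip = task:get_from_ip()
  if not ip or not ip:is_valid() or ip:to_string() ~= entry.ip then
    return false
  end
  -- 'smtp' checks the envelope addresses; use 'mime' for the header ones
  return has_addr(task:get_from('smtp'), entry.from)
     and has_addr(task:get_recipients('smtp'), entry.rcpt)
end

rspamd_config:register_symbol({
  name = 'LC_WL_SPOOF_REPLYTO',
  type = 'normal',
  score = -6.0,  -- placeholder: cancel the default SPOOF_REPLYTO score
  group = 'local',
  description = 'Compensates SPOOF_REPLYTO for the web app sender/recipient pair',
  callback = function(task)
    -- nothing to compensate when SPOOF_REPLYTO did not fire
    if not task:has_symbol('SPOOF_REPLYTO') then return false end
    for _, entry in ipairs(whitelist) do
      if matches(task, entry) then
        -- insert the symbol with full weight; the ip becomes the symbol option
        return true, 1.0, entry.ip
      end
    end
    return false
  end,
})

-- make sure SPOOF_REPLYTO is evaluated before this symbol
rspamd_config:register_dependency('LC_WL_SPOOF_REPLYTO', 'SPOOF_REPLYTO')
```

After a reload the log record shows LC_WL_SPOOF_REPLYTO(-6.00){<ip>} next to SPOOF_REPLYTO(6.00) for matching mails only.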

