[Rspamd-Users] rspamd-3.8.4: SPOOF_REPLYTO penalty exception
Gerald Galster
list+rspamd at gcore.biz
Fri May 24 00:10:03 UTC 2024
>>> Ideally I would need some logic like this:
>>>
>>> if ( ip == $MyExternalWebIP && from == $User1@MyDomain && to == $User2@MyDomain ){
>>> score("SPOOF_REPLYTO") = 0
>>> } else {
>>> leave SPOOF_REPLYTO at default score 6.0
>>> }
>>>
>>> Is this possible to achieve using a map?
>> [...]
>
> I combined multimap with selectors, with this in local.d/multimap.conf:
[...]
This is different from the example I suggested:
(https://lists.rspamd.com/pipermail/users/2024-March/003182.html)
    TEST_RCPT_FROM_WHITE {
      type = "selector";
      selector = 'from.lower.append(";");rcpts.lower';
      symbol = "TEST_RCPT_FROM_WHITE";
      map = "/etc/rspamd/local.d/whitelist_rcpt_from.map";
      description = "whitelist rcpt_mail:from combination";
      prefilter = true;
      score = -1.0;
    }
The file /etc/rspamd/local.d/whitelist_rcpt_from.map would contain:
    from-mail@domain.com;to-mail@otherdomain.tld
There are other selectors, including ip:
https://rspamd.com/doc/configuration/selectors.html
You could expand the example above and if it does not work, enable debugging
in local.d/logging.inc. Set debug_modules=['multimap']; to log what's going on.
> I would much prefer some simple notation like:
>
> if (ip == "1.2.3.4" && from == "usr1@my.dom" && to == "usr2@my.dom") SPOOF_REPLYTO=0
That's why I sent you that link:
https://rspamd.com/doc/configuration/settings.html#settings-structure
The example there includes from, rcpt, ip, ... and with apply you can set a lower
SPOOF_REPLYTO score if that combination matches.
A multimap is convenient if there are lots of entries or if they change a lot.
The local.d/settings.conf is a more static approach.
> Is something similar possible in lua? Are there some examples for such cases?
Yes, but you'd have to look yourself.
https://rspamd.com/doc/developers/writing_rules.html#useful-task-manipulations
See the rspamd_config.SUBJ_ALL_CAPS example. With task:get_header('Subject')
you get the email subject and task implements many more methods, including
recipients, ip, ...
https://rspamd.com/doc/lua/rspamd_task.html
> - The recipient and sender rules contain the domain - not the full
> address. I don't know how to specify it. If I write 'selector = "from";' /
> 'selector = "rcpts";' instead of 'selector = "from:domain";' /
> 'selector = "rcpts:domain";', and add addresses to the map, it
> doesn't work. And I do not know why.
> Are the data transformation methods for selectors described somewhere?
Selectors are described here:
https://rspamd.com/doc/configuration/selectors.html
As I suggested above you could enable debugging to see what's going on.
>> [...]
>> I don't know if there's a need for substring/glob as regular expressions
>> usually use hyperscan and are quite cheap.
>
> IMO filters do something a little different than matching in a map.
> I agree that a regexp map will cover more options than glob/wildcard
> expressions - but those are simpler to write and often suffice.
Due to the way hyperscan works, checking thousands of substrings/globs
is probably more expensive than equivalent regexes.
Regexes may look unfamiliar at first, but they're not overly complex here:
    *.domain.com -> /\.domain\.com$/
    domain.*     -> /^domain\./
    *domain*     -> /domain/
Best regards
Gerald
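
The three glob-to-regex conversions listed at the end of the message, generalized into a small converter (an added example, not part of the original message and not rspamd code; the function names are hypothetical). It anchors every side that has no `*` and rejects patterns that would match every value, which matters when the map is used as a whitelist.

```python
import re

# Characters escaped with a backslash; '/' is included because it delimits the entry.
META = set(r"\.^$|()[]{}+/")


def glob_to_map_regex(glob: str, flags: str = "") -> str:
    """Convert a glob (* and ?) to a '/regex/flags' line in the form used above."""
    glob = glob.strip()
    core = glob.strip("*")
    if not core:
        # "" or "***" would match every value, which defeats a whitelist map.
        raise ValueError(f"pattern {glob!r} matches everything")
    out = ["" if glob.startswith("*") else "^"]    # no leading '*': anchor start
    for ch in re.sub(r"\*+", "*", core):           # collapse runs of '*'
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch in META:
            out.append("\\" + ch)
        else:
            out.append(ch)
    out.append("" if glob.endswith("*") else "$")  # no trailing '*': anchor end
    return "/" + "".join(out) + "/" + flags


def matches(map_line: str, value: str) -> bool:
    """Check a value against a generated line with Python's re (for testing only)."""
    end = map_line.rindex("/")
    opts = re.IGNORECASE if "i" in map_line[end + 1:] else 0
    return re.search(map_line[1:end], value, opts) is not None


if __name__ == "__main__":
    # Constructed sample patterns; the first three are the ones from the message.
    for g in ["*.domain.com", "domain.*", "*domain*", "mail?.example.org"]:
        print(f"{g:20} -> {glob_to_map_regex(g)}")
```
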