I’ve noticed a large increase in the amount of spam arriving in my mailbox in the last couple of weeks. Until then, rspamd was doing a great job filtering this crap, but recently it seems to be letting me down. These new arrivals are all scoring below zero in rspamd - even if I reset the neural database (which is rating them as ham and giving them a -5 adjustment), they’re still not even hitting the 7 points needed for greylisting, let alone getting flagged as spam:
X-Spamd-Result: default: False [-1.34 / 15.00];
BAYES_SPAM(2.03)[97.43%];
RCPT_WANTS_SUBJECT_TAG(0.00)[jon@xxxxxx.net];
MX_INVALID(0.50)[];
R_SPF_ALLOW(-0.20)[+mx];
TO_DN_NONE(0.00)[];
ARC_SIGNED(0.00)[ i=1];
MIME_BASE64_TEXT_BOGUS(1.00)[];
RBL_VIRUSFREE_UNKNOWN_FAIL(0.00)[82.147.70.71:server fail];
DKIM_TRACE(0.00)[merialrewardprogram.com:+];
CTYPE_MIXED_BOGUS(0.00)[];
MIME_BASE64_TEXT(0.10)[];
NEURAL_HAM_SHORT(-2.61)[-1.307];
DMARC_POLICY_ALLOW(-0.50)[merialrewardprogram.com,reject];
RCVD_COUNT_ONE(0.00)[1];
FROM_EQ_ENVFROM(0.00)[];
MIME_TRACE(0.00)[0:+,1:~,2:+];
ASN(0.00)[asn:13259, ipnet:82.147.70.0/24, country:RU];
MID_RHS_MATCH_FROM(0.00)[];
RCPT_MAILCOW_DOMAIN(0.00)[xxxxxx.net];
ARC_NA(0.00)[];
R_DKIM_ALLOW(-0.20)[merialrewardprogram.com:s=default];
FROM_HAS_DN(0.00)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
HTML_SHORT_LINK_IMG_1(2.00)[];
MIME_GOOD(-0.10)[multipart/mixed,text/plain];
PREVIOUSLY_DELIVERED(0.00)[jon@xxxxxx.net];
NEURAL_HAM_LONG(-3.35)[-0.836];
HAS_LIST_UNSUB(-0.01)[];
RCPT_COUNT_ONE(0.00)[1];
RCVD_TLS_ALL(0.00)[]
They all seem to share the same characteristics - the body content is base64 encoded, and includes an image with alt text of “Trouble viewing this message? Click here”, and an “Unsubscribe” link. All the links point back to the sending domain, and they all pass DKIM and SPF, so it would appear that they’re all coming from genuine compromised domains.
Has anyone else seen this recent trend? I know next to nothing about rspamd - is there a support community for it? Is Mailcow’s implementation standard?
Thanks in advance,
Jon
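A small diagnostic for headers like the one quoted above, added here as an example rather than anything from the post or from rspamd/Mailcow: it parses the `X-Spamd-Result` symbols, checks that they add up to the reported score, and shows what the score would be with the `NEURAL_*` symbols left out. The header excerpt is copied from the post (zero-score symbols mostly dropped); the function names are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Excerpt of the X-Spamd-Result header quoted in the post. Every non-zero
# symbol is kept, so the parsed total still matches the reported -1.34.
HEADER = """X-Spamd-Result: default: False [-1.34 / 15.00];
BAYES_SPAM(2.03)[97.43%];
MX_INVALID(0.50)[];
R_SPF_ALLOW(-0.20)[+mx];
ARC_SIGNED(0.00)[ i=1];
MIME_BASE64_TEXT_BOGUS(1.00)[];
RBL_VIRUSFREE_UNKNOWN_FAIL(0.00)[82.147.70.71:server fail];
MIME_BASE64_TEXT(0.10)[];
NEURAL_HAM_SHORT(-2.61)[-1.307];
DMARC_POLICY_ALLOW(-0.50)[merialrewardprogram.com,reject];
ASN(0.00)[asn:13259, ipnet:82.147.70.0/24, country:RU];
R_DKIM_ALLOW(-0.20)[merialrewardprogram.com:s=default];
HTML_SHORT_LINK_IMG_1(2.00)[];
MIME_GOOD(-0.10)[multipart/mixed,text/plain];
NEURAL_HAM_LONG(-3.35)[-0.836];
HAS_LIST_UNSUB(-0.01)[]"""

# "[<score> / <required>]" summary, and "SYMBOL(score)[options]" entries.
SUMMARY_RE = re.compile(r"\[(-?\d+\.\d+) / (\d+\.\d+)\]")
SYMBOL_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+\.\d+)\)\[([^\]]*)\]")

Symbols = Dict[str, Tuple[float, str]]


def parse_spamd_result(header: str) -> Tuple[float, float, Symbols]:
    """Return (reported score, required score, {symbol: (score, options)})."""
    m = SUMMARY_RE.search(header)
    if not m:
        raise ValueError("no score summary found in header")
    reported, required = float(m.group(1)), float(m.group(2))
    symbols = {name: (float(score), opts)
               for name, score, opts in SYMBOL_RE.findall(header)}
    return reported, required, symbols


def score_without(symbols: Symbols, *prefixes: str) -> float:
    """Sum of symbol scores, ignoring symbols that start with any prefix."""
    total = sum(score for name, (score, _) in symbols.items()
                if not name.startswith(prefixes))
    return round(total, 2)


if __name__ == "__main__":
    reported, required, syms = parse_spamd_result(HEADER)
    print(f"reported {reported} / {required}, recomputed {score_without(syms)}")
    print(f"without NEURAL_* symbols: {score_without(syms, 'NEURAL_')}")
```

For the quoted message the recomputed total is -1.34, and dropping the two neural symbols only lifts it to 4.62, still short of the 7 the post mentions for greylisting.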