This is actually a continuation from this post, but is different enough that I didn’t feel right simply updating that topic.

Again, I have two mailcow-dockerized stacks on two separate VPSes (same hosting provider, same data center). I’ve noticed that when postfix-mailcow on my personal hobby server (mail.hobby.tld) sends mail, I get different final scores in rspamd-mailcow for the message in the receiving mail.surname.tld logs depending on whether the sending Postfix uses IPv4 or IPv6.

I resolved the linked topic by adding AAAA records for the hobby.tld and mail.hobby.tld domains. That improved the situation; RSpamd had been telling Postfix on mail.surname.tld to reject the message outright, because SPF, DKIM, and DMARC didn’t match at all, so it was above the reject threshold.

After adding those AAAA records, the situation did improve. My logwatch messages from mail.hobby.tld were no longer being rejected, but the IPv6-sourced messages are still getting flagged because they’re above the add_header threshold. My hunch right now is I need IPv6-specific SPF, DKIM, and DMARC, but I’m not 100 percent sure that’s correct.

I did find the message that scored high yesterday in the rspamd-mailcow logs on mail.surname.tld, but I’m not entirely sure how to interpret it:

Oct 29 23:02:23 epsilonchunk docker/mailcow/rspamd:1.97-mailcowdockerized-rspamd-mailcow-1[925]: 2024-10-29 23:02:23 #39(normal) <2b74d1>; task; rspamd_task_write_log: id: <20241030040220.C8FF16066D@git.hobby.tld>, qid: <89E1EFFE30>, ip:  ::1, from: <root@git.hobby.tld>, (default: T (add header): [17.21/30.00] [HFILTER_HOSTNAME_UNKNOWN(8.50){},BAYES_SPAM(2.38){92.34%;},BAD_REP_POLICIES(2.00){},RDNS_NONE(2.00){},IP_REPUTATION_SPAM(1.84){asn: 29802(-0.15), country: US(-0.00), ip:  ::1(0.62);},FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;},MIME_HTML_ONLY(0.20){},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;},ASN(0.00){asn:29802, ip:  ::1/48, country:US;},BCC(0.00){},DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;},FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;},MISSING_XM_UA(0.00){},NEURAL_HAM(0.00){-1.000;},PRECEDENCE_BULK(0.00){},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){surname.tld;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_ALLOW(0.00){+mx;},TAGGED_RCPT(0.00){logwatch;},TAG_MOO(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 11282, time: 881.453ms, dns req: 33, digest: <beef5d3d94c27f19dfb46f2b7e125006>, rcpts: <trey+logwatch@surname.tld,trey@surname.tld>, mime_rcpts: <trey+logwatch@surname.tld,>

Here’s the message that came through today, this time via IPv4:

Oct 30 23:02:49 epsilonchunk docker/mailcow/rspamd:1.97-mailcowdockerized-rspamd-mailcow-1[925]: 2024-10-30 23:02:49 #39(normal) <dedb34>; task; rspamd_task_write_log: id: <20241031040244.6D7AE60C41@git.hobby.tld>, qid: <622E51019DC>, ip: 0.0.0.0, from: <root@git.hobby.tld>, (default: F (no action): [4.05/30.00] [BAYES_SPAM(2.28){91.85%;},BAD_REP_POLICIES(2.00){},IP_REPUTATION_HAM(-0.71){asn: 29802(-0.15), country: US(-0.00), ip: 0.0.0.0(-0.56);},FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;},MIME_HTML_ONLY(0.20){},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;},ASN(0.00){asn:29802, ipnet:0.0.0.0/24, country:US;},BCC(0.00){},DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;},FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;},MISSING_XM_UA(0.00){},NEURAL_HAM(0.00){-1.000;},PRECEDENCE_BULK(0.00){},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){surname.tld;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_ALLOW(0.00){+mx;},TAGGED_RCPT(0.00){logwatch;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 11159, time: 1343.337ms, dns req: 36, digest: <f04e0cb68b2ddaf7cc096a741ea43f43>, rcpts: <trey+logwatch@surname.tld,trey@surname.tld>, mime_rcpts: <trey+logwatch@surname.tld,>

Again, I’ve obfuscated the domain names, and the IPv4/IPv6 addresses/networks.


Open rspamd and see why it’s scoring the email badly?

If you really want to get detailed open the “test selectors” tab and post the raw email.


Are those messages still the logwatch summaries from your notebook? Are those the only problem? If you want any help you need to provide more information; those 2 log lines are just a fragment. Trace those messages through the whole stack and get the mail headers. Also, if you mask data like IP and domain, no one will be able to point to the problem there.

If you do not want to disclose those records, I would try two approaches.

1) Logwatch usually uses the local MTA to send messages; in the case of your notebook you will miss all the goodies necessary for antispam, and also your IP can rotate, etc. So start using your local MTA as a client, not a server.

2) Configure your antispam to ignore those messages, or add some rule hitting your message with a high positive score to override the negative one. Just from my head, for rspamd something like:

# please do not copy&paste, this will for sure break something :-)
# goes in local.d/settings.conf, which rspamd merges into its "settings" section
disable_test_for_user {
  priority = high;
  from = "user@example.com"; # Replace with the user's (envelope sender) email
  apply {
    actions {
      reject = null; # never reject mail that matches this rule
    }
    TEST_SYMBOL_NAME = 0.0; # Replace TEST_SYMBOL_NAME with the actual test symbol; 0.0 neutralises its score
  }
}

So, I was in the middle of editing my post when I got pulled away to take care of my family, and it looks like it lost my edit.

Here’s the rspamd-mailcow logs for the IPv6 message, with newlines added to improve legibility:

Oct 29 23:02:23 epsilonchunk docker/mailcow/rspamd:1.97-mailcowdockerized-rspamd-mailcow-1[925]: 
2024-10-29 23:02:23 #39(normal) <2b74d1>; task; rspamd_task_write_log: id: <20241030040220.C8FF16066D@git.hobby.tld>, 
qid: <89E1EFFE30>, ip:  ::1, from: <root@git.hobby.tld>, 
(default: T (add header): [17.21/30.00] 
[HFILTER_HOSTNAME_UNKNOWN(8.50){}
BAYES_SPAM(2.38){92.34%;}
BAD_REP_POLICIES(2.00){}
RDNS_NONE(2.00){}
IP_REPUTATION_SPAM(1.84){asn: 29802(-0.15)
 country: US(-0.00)
 ip:  ::1(0.62);}
FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;}
MIME_HTML_ONLY(0.20){}
MX_GOOD(-0.01){}
ARC_NA(0.00){}
ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;}
ASN(0.00){asn:29802
 ip:  ::1/48
 country:US;}
BCC(0.00){}
DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;}
FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;}
FROM_NO_DN(0.00){}
MID_RHS_MATCH_FROM(0.00){}
MIME_TRACE(0.00){0:~;}
MISSING_XM_UA(0.00){}
NEURAL_HAM(0.00){-1.000;}
PRECEDENCE_BULK(0.00){}
RCPT_COUNT_ONE(0.00){1;}
RCPT_MAILCOW_DOMAIN(0.00){surname.tld;}
RCVD_COUNT_TWO(0.00){2;}
RCVD_TLS_LAST(0.00){}
R_DKIM_NA(0.00){}
R_SPF_ALLOW(0.00){+mx;}
TAGGED_RCPT(0.00){logwatch;}
TAG_MOO(0.00){}
TO_DN_NONE(0.00){}
TO_MATCH_ENVRCPT_ALL(0.00){}])
 len: 11282
 time: 881.453ms
 dns req: 33
 digest: <beef5d3d94c27f19dfb46f2b7e125006>
 rcpts: <trey+logwatch@surname.tld
trey@surname.tld>
 mime_rcpts: <trey+logwatch@surname.tld>

Here’s the message that came through IPv4, for comparison:

Oct 30 23:02:49 epsilonchunk docker/mailcow/rspamd:1.97-mailcowdockerized-rspamd-mailcow-1[925]: 
2024-10-30 23:02:49 #39(normal) <dedb34>; task; rspamd_task_write_log: id: <20241031040244.6D7AE60C41@git.hobby.tld>, 
qid: <622E51019DC>, ip: 0.0.0.0, from: <root@git.hobby.tld>, 
(default: F (no action): [4.05/30.00] 
[BAYES_SPAM(2.28){91.85%;}
BAD_REP_POLICIES(2.00){}
IP_REPUTATION_HAM(-0.71){asn: 29802(-0.15)
 country: US(-0.00)
 ip: 0.0.0.0(-0.56);}
FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;}
MIME_HTML_ONLY(0.20){}
MX_GOOD(-0.01){}
ARC_NA(0.00){}
ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;}
ASN(0.00){asn:29802
 ipnet:0.0.0.0/24
 country:US;}
BCC(0.00){}
DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;}
FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;}
FROM_NO_DN(0.00){}
MID_RHS_MATCH_FROM(0.00){}
MIME_TRACE(0.00){0:~;}
MISSING_XM_UA(0.00){}
NEURAL_HAM(0.00){-1.000;}
PRECEDENCE_BULK(0.00){}
RCPT_COUNT_ONE(0.00){1;}
RCPT_MAILCOW_DOMAIN(0.00){surname.tld;}
RCVD_COUNT_TWO(0.00){2;}
RCVD_TLS_LAST(0.00){}
R_DKIM_NA(0.00){}
R_SPF_ALLOW(0.00){+mx;}
TAGGED_RCPT(0.00){logwatch;}
TO_DN_NONE(0.00){}
TO_MATCH_ENVRCPT_ALL(0.00){}])
 len: 11159
 time: 1343.337ms
 dns req: 36
 digest: <f04e0cb68b2ddaf7cc096a741ea43f43>
 rcpts: <trey+logwatch@surname.tld
trey@surname.tld>
 mime_rcpts: <trey+logwatch@surname.tld>

So, reading this, it looks like HFILTER_HOSTNAME_UNKNOWN and RDNS failures are triggered on the IPv6 message. I suspect this is because I don’t have an IPv6 PTR record. I’ll need to check with my hosting provider to see if they can set the IPv6 PTR record to my mail.hobby.tld. I’ll also need to do the same for our surname.tld.

To answer your questions:

  • I run logwatch on all the Linux systems I control, even the VPSes hosting hobby.tld and surname.tld.
  • this particular case is because the messages from both my hobby VPS and my laptop get sent through mail.hobby.tld, which then forwards to my email address at surname.tld.
  • the problem comes because the SMTP connection between the two VPSes sometimes goes over IPv6, and over IPv4 when the problem isn’t apparent.
  • rather than disable IPv6, I’d prefer to fix it properly, which I think I determined above.
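Reading the two rspamd_task_write_log lines side by side is easier with a small parser. The script below is an added example for this thread (not mailcow’s or rspamd’s own code): it pulls the action, score and every symbol out of each line and reports which symbols only one delivery hit, with their score contribution. The two embedded lines are the IPv6 and IPv4 deliveries pasted above, with the poster’s obfuscated domains and addresses left untouched; the regular expressions are an assumption about the log layout based on those lines.

```python
"""Parse rspamd ``rspamd_task_write_log`` lines and diff the symbols two deliveries hit.
Added example, not mailcow/rspamd code. Sample lines are the two from the thread above."""
import re
from dataclasses import dataclass

IPV6_LINE = (
    "2024-10-29 23:02:23 #39(normal) <2b74d1>; task; rspamd_task_write_log: "
    "id: <20241030040220.C8FF16066D@git.hobby.tld>, qid: <89E1EFFE30>, ip:  ::1, "
    "from: <root@git.hobby.tld>, (default: T (add header): [17.21/30.00] "
    "[HFILTER_HOSTNAME_UNKNOWN(8.50){},BAYES_SPAM(2.38){92.34%;},BAD_REP_POLICIES(2.00){},"
    "RDNS_NONE(2.00){},IP_REPUTATION_SPAM(1.84){asn: 29802(-0.15), country: US(-0.00), "
    "ip:  ::1(0.62);},FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;},"
    "MIME_HTML_ONLY(0.20){},MX_GOOD(-0.01){},ARC_NA(0.00){},"
    "ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;},ASN(0.00){asn:29802, ip:  ::1/48, country:US;},"
    "BCC(0.00){},DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;},"
    "FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;},FROM_NO_DN(0.00){},"
    "MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;},MISSING_XM_UA(0.00){},"
    "NEURAL_HAM(0.00){-1.000;},PRECEDENCE_BULK(0.00){},RCPT_COUNT_ONE(0.00){1;},"
    "RCPT_MAILCOW_DOMAIN(0.00){surname.tld;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},"
    "R_DKIM_NA(0.00){},R_SPF_ALLOW(0.00){+mx;},TAGGED_RCPT(0.00){logwatch;},TAG_MOO(0.00){},"
    "TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 11282, time: 881.453ms, "
    "dns req: 33, digest: <beef5d3d94c27f19dfb46f2b7e125006>, "
    "rcpts: <trey+logwatch@surname.tld,trey@surname.tld>, mime_rcpts: <trey+logwatch@surname.tld,>"
)
IPV4_LINE = (
    "2024-10-30 23:02:49 #39(normal) <dedb34>; task; rspamd_task_write_log: "
    "id: <20241031040244.6D7AE60C41@git.hobby.tld>, qid: <622E51019DC>, ip: 0.0.0.0, "
    "from: <root@git.hobby.tld>, (default: F (no action): [4.05/30.00] "
    "[BAYES_SPAM(2.28){91.85%;},BAD_REP_POLICIES(2.00){},"
    "IP_REPUTATION_HAM(-0.71){asn: 29802(-0.15), country: US(-0.00), ip: 0.0.0.0(-0.56);},"
    "FORGED_SENDER(0.30){logwatch@git.hobby.tld;root@git.hobby.tld;},MIME_HTML_ONLY(0.20){},"
    "MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){surname.tld:s=dkim:i=1;},"
    "ASN(0.00){asn:29802, ipnet:0.0.0.0/24, country:US;},BCC(0.00){},"
    "DMARC_POLICY_ALLOW(0.00){hobby.tld;reject;},"
    "FROM_NEQ_ENVFROM(0.00){logwatch@git.hobby.tld;root@git.hobby.tld;},FROM_NO_DN(0.00){},"
    "MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:~;},MISSING_XM_UA(0.00){},"
    "NEURAL_HAM(0.00){-1.000;},PRECEDENCE_BULK(0.00){},RCPT_COUNT_ONE(0.00){1;},"
    "RCPT_MAILCOW_DOMAIN(0.00){surname.tld;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},"
    "R_DKIM_NA(0.00){},R_SPF_ALLOW(0.00){+mx;},TAGGED_RCPT(0.00){logwatch;},"
    "TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 11159, time: 1343.337ms, "
    "dns req: 36, digest: <f04e0cb68b2ddaf7cc096a741ea43f43>, "
    "rcpts: <trey+logwatch@surname.tld,trey@surname.tld>, mime_rcpts: <trey+logwatch@surname.tld,>"
)

# Assumed layout (from the lines above): "id: <..>, qid: <..>, ip: <addr>, from: <..>,
# (default: T|F (<action>): [<score>/<reject threshold>] [SYM(score){opts},...])"
HEADER_RE = re.compile(
    r"id: <(?P<msgid>[^>]*)>, qid: <(?P<qid>[^>]*)>, ip:\s+(?P<ip>\S+), "
    r"from: <(?P<env_from>[^>]*)>, \(default: (?P<flag>[TF]) \((?P<action>[^)]+)\): "
    r"\[(?P<score>-?[\d.]+)/(?P<threshold>-?[\d.]+)\] \[(?P<symbols>.*)\]\)"
)
# Symbol options never contain "}", so a single regex separates symbols even though
# options themselves contain commas (see IP_REPUTATION_*).
SYMBOL_RE = re.compile(r"(?P<name>[A-Za-z0-9_]+)\((?P<score>-?[\d.]+)\)\{(?P<opts>[^}]*)\}")


@dataclass
class TaskLog:
    msgid: str
    qid: str
    ip: str
    env_from: str
    is_spam: bool            # the T/F flag rspamd logs before the action
    action: str              # "no action", "add header", "reject", ...
    score: float
    reject_threshold: float  # the "/30.00" part of the bracket
    symbols: dict            # symbol name -> (score, option string)


def parse_task_log(line: str) -> TaskLog:
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError("not an rspamd_task_write_log line")
    symbols = {s["name"]: (float(s["score"]), s["opts"]) for s in SYMBOL_RE.finditer(m["symbols"])}
    return TaskLog(m["msgid"], m["qid"], m["ip"], m["env_from"], m["flag"] == "T",
                   m["action"], float(m["score"]), float(m["threshold"]), symbols)


def diff_symbols(a: TaskLog, b: TaskLog):
    """Symbol names hit only in a, and only in b."""
    return set(a.symbols) - set(b.symbols), set(b.symbols) - set(a.symbols)


def contribution(task: TaskLog, names) -> float:
    """Total score the named symbols added to this message (rounded like rspamd's log)."""
    return round(sum(task.symbols[n][0] for n in names if n in task.symbols), 2)


def report(a: TaskLog, b: TaskLog) -> str:
    """Human-readable diff: per-delivery verdict, then the symbols unique to each side."""
    only_a, only_b = diff_symbols(a, b)
    out = [f"{a.ip}: {a.action} [{a.score}]", f"{b.ip}: {b.action} [{b.score}]",
           f"score delta: {round(a.score - b.score, 2)}"]
    for task, names in ((a, only_a), (b, only_b)):
        for n in sorted(names, key=lambda n: -abs(task.symbols[n][0])):
            out.append(f"only for {task.ip}: {n} {task.symbols[n][0]:+.2f} {task.symbols[n][1]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_task_log(IPV6_LINE), parse_task_log(IPV4_LINE)))
```

Running it shows the IPv6 delivery picking up HFILTER_HOSTNAME_UNKNOWN, RDNS_NONE and IP_REPUTATION_SPAM that the IPv4 delivery never hit, which together account for almost the whole score difference; the per-symbol scores also sum to the logged total within rounding, a quick sanity check that the line was parsed completely.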

Yep, this was the solution. Having a proper IPv6 PTR record for mail.hobby.tld fixed it. I confirmed I received the logwatch email in my inbox this morning from the IPv6 address; the RSpamd score this time was actually less than zero!
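The fix above comes down to forward-confirmed reverse DNS: the connecting IPv6 address needs a PTR record, and the name it points at must resolve back to that address, for every address the mail host publishes. The script below is an added example for this thread, not mailcow’s or rspamd’s code, and its three result labels are its own, not rspamd symbol names. It runs offline against a constructed DNS view built from documentation address ranges (192.0.2.0/24 and 2001:db8::/32) that mirrors the before and after states of mail.hobby.tld; the SystemResolver class is the same check against the OS resolver for a real host, and the resolver interface is an assumption of this example.

```python
"""Forward-confirmed reverse DNS (FCrDNS) audit for a mail host's published addresses.
Added example, not mailcow/rspamd code. DNS data below is constructed from documentation ranges."""
import ipaddress
import socket


class StaticResolver:
    """Constructed DNS view: reverse-pointer name -> PTR targets, hostname -> address strings."""

    def __init__(self, ptr: dict, forward: dict):
        self.ptr, self.forward_map = ptr, forward

    def reverse(self, addr):
        return list(self.ptr.get(addr.reverse_pointer, []))

    def forward(self, name):
        return {ipaddress.ip_address(a) for a in self.forward_map.get(name, [])}


class SystemResolver:
    """Same interface backed by the OS resolver (for checking a real host; not used offline)."""

    def reverse(self, addr):
        try:
            host, aliases, _ = socket.gethostbyaddr(str(addr))
        except OSError:
            return []
        return [host, *aliases]

    def forward(self, name):
        try:
            # strip a "%scope" suffix that link-local IPv6 answers may carry
            return {ipaddress.ip_address(r[4][0].split("%")[0]) for r in socket.getaddrinfo(name, None)}
        except OSError:
            return set()


def fcrdns(ip: str, resolver):
    """Classify one address: NO_PTR, PTR_NOT_CONFIRMED (name does not resolve back), or OK."""
    addr = ipaddress.ip_address(ip)
    names = resolver.reverse(addr)
    if not names:
        return "NO_PTR", []
    confirmed = sorted(n for n in names if addr in resolver.forward(n))
    if confirmed:
        return "OK", confirmed
    return "PTR_NOT_CONFIRMED", sorted(names)


def audit_host(name: str, resolver) -> dict:
    """Run fcrdns over every A/AAAA address of a host; an MTA is only clean when all are OK."""
    # sort by (family, numeric value): mixed IPv4/IPv6 objects are not directly comparable
    addrs = sorted(resolver.forward(name), key=lambda a: (a.version, int(a)))
    return {str(a): fcrdns(str(a), resolver)[0] for a in addrs}


def _rp(ip: str) -> str:
    return ipaddress.ip_address(ip).reverse_pointer


def demo_view(with_ipv6_ptr: bool) -> StaticResolver:
    """Constructed view of the thread's situation: IPv4 PTR present, IPv6 PTR missing until fixed."""
    ptr = {_rp("192.0.2.25"): ["mail.hobby.tld"],
           # a PTR that exists but names a host which does not point back (still fails)
           _rp("2001:db8::27"): ["vps-27.provider.example"]}
    if with_ipv6_ptr:
        ptr[_rp("2001:db8::25")] = ["mail.hobby.tld"]
    return StaticResolver(ptr, {"mail.hobby.tld": ["192.0.2.25", "2001:db8::25"],
                                "vps-27.provider.example": ["2001:db8::99"]})


if __name__ == "__main__":
    print("before PTR fix:", audit_host("mail.hobby.tld", demo_view(False)))
    print("after PTR fix: ", audit_host("mail.hobby.tld", demo_view(True)))
    print("half-done PTR: ", fcrdns("2001:db8::27", demo_view(True)))
```

To check a real host, call `audit_host("mail.example", SystemResolver())` from a machine with working DNS; any address reported as NO_PTR or PTR_NOT_CONFIRMED is one the hosting provider still needs to fix, since only they can publish the PTR for their address space.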

esackbauer

That would be wonderful! I’d also recommend an article discussing how to tweak the RSpamd thresholds, as it’s rather difficult to know what to set those to; I just guessed. The mailcow-dockerized defaults were too strict for me. I’m not going to tell a large US conglomerate that manufactures many popular brands in the US how to run their mail server.
