• flo-m

      Moolevel 0

    Hi all,

    I receive a few spam messages every day which I think should be easily recognized as spam. However, the spam score is quite low.
    May I ask if anybody has an idea why mailcow / rspamd is behaving this way?

    pflichten-von-unternehmern-zur-datenaktualisierung.eml
    6kB
    pers-reich-durch-bitcoin.eml
    9kB
    info-re-zeptfrei-bestellen.eml
    8kB
    info-wie-geld-verdienen-mit-bitcoin.eml
    9kB

    Thanks a lot guys!

    • DocFraggle

      • Community Hero
      Moolevel 265
    • Edited

    Funny, I get the same SPAM mails for a few weeks now, but didn’t have the time to get into the details yet…

    EDIT: quick update, I checked the headers of the mails which weren’t flagged. They always have these symbols:

    BAYES_SPAM(4.38)[99.67%];
    BAD_REP_POLICIES(2.00)[];
    IP_REPUTATION_SPAM(1.33)[asn: 53667(0.33), country: US(0.00), ip: 209.141.56.58(0.00)];

    The final score is <8 which is my current limit to flag mails. So I went ahead and adjusted these symbols via the Rspamd UI. I set the following values:

    BAYES_SPAM = 6 (default 4.5)
    IP_REPUTATION_SPAM = 6 (default 4.5)
    BAD_REP_POLICIES = 3 (default 2)

    Let’s see if this changes things.


    • flo-m

        Moolevel 0

      Thanks for your reply. I will try to adapt the settings.
      Also, I’ve seen that those mails get the symbol BAD_WORDS and/or BAD_WORDS_DE, but with a funny low value of 0.1, resulting in e.g.
      BAD_WORDS_DE(0.20)[];

      Do you think it’s safe to increase this to, let’s say, 5-8? (with default header + reject settings)

        • DocFraggle

          • Community Hero
          Moolevel 265

        flo-m Do you think it’s safe to increase this to, let’s say, 5-8

        Hmm… I would be careful with that…

        BTW, I checked two of your attached mails, they don’t have the BAYES symbol… do you regularly move those mails into the SPAM folder in order for Rspamd to learn them as SPAM?

          • flo-m

              Moolevel 0

            DocFraggle
            Yes, I regularly move those to the spam folder for my accounts. Maybe it needs more training, as my spam/ham db is only +/- 250 learns…

            2 months later
            • Felix

                Moolevel 0

              I use this custom Lua snippet in my data/conf/rspamd/lua/rspamd.local.lua for exactly this type of spam:

              rspamd_config:register_symbol({
                name = "SUBJECT_STARTS_WITH_LOCAL",
                type = "normal",
                callback = function(task)
                  local util = require("rspamd_util")
                  local lua_util = require("lua_util")
                  local to = task:get_header("To")
                  local subject = task:get_header("Subject")

                  -- Nothing to compare if either header is missing
                  if to == nil or subject == nil then
                    return false
                  end

                  -- Parse the To header into a list of address tables (user, domain, ...)
                  local lp = util.parse_mail_address(to, task:get_mempool())
                  -- Fire only for a single recipient whose local part prefixes the subject
                  return lp ~= nil and #lp == 1 and lp[1]["user"] ~= nil and lua_util.str_startswith(subject, lp[1]["user"])
                end,
                score = 4.0,
                description = "Subject starts with local part of To",
              })

              It checks if the subject begins with the local part of the email address (e.g. info for info@example.com).
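
Added example, not part of Felix's post: a Python approximation of the same condition that can be run over saved .eml files (for instance a ham folder) to see which legitimate mails a 4.0-point rule would also hit before enabling it. The sample messages and addresses are constructed, and Python's header parsing may differ from Rspamd's in edge cases.

```python
# Added example (not from the thread): offline re-implementation of the
# SUBJECT_STARTS_WITH_LOCAL condition for testing against stored mail.
import sys
from email import message_from_bytes, policy
from pathlib import Path


def subject_starts_with_local(raw: bytes) -> bool:
    """Exactly one To address and Subject begins with its local part."""
    msg = message_from_bytes(raw, policy=policy.default)
    to, subject = msg["To"], msg["Subject"]
    if to is None or subject is None:
        return False
    addrs = to.addresses  # parsed mailboxes; group members are included
    if len(addrs) != 1 or not addrs[0].username:
        return False
    # Case-sensitive prefix match, like lua_util.str_startswith in the rule
    return str(subject).startswith(addrs[0].username)


# Constructed sample messages; example.com and .invalid are placeholders.
SAMPLES = {
    "spam-1": b"From: a@sender.invalid\nTo: info@example.com\n"
              b"Subject: info wie Geld verdienen\n\nbody\n",
    "ham-ok": b"From: shop@sender.invalid\nTo: info@example.com\n"
              b"Subject: Your order has shipped\n\nbody\n",
    # Legitimate mail that still matches: "information" starts with "info"
    "ham-fp": b"From: c@sender.invalid\nTo: info@example.com\n"
              b"Subject: information about invoice 1042\n\nbody\n",
    # Two recipients: the rule only fires for exactly one To address
    "ham-multi": b"To: info@example.com, sales@example.com\n"
                 b"Subject: info for both teams\n\nbody\n",
    # Different case: no match because the comparison is case-sensitive
    "ham-case": b"To: info@example.com\nSubject: Info sheet attached\n\nbody\n",
}


def matching(messages: dict) -> list:
    """Names of the messages that would trigger the rule."""
    return sorted(n for n, raw in messages.items()
                  if subject_starts_with_local(raw))


if __name__ == "__main__":
    # With arguments: check the given .eml files; without: the samples above.
    msgs = {p: Path(p).read_bytes() for p in sys.argv[1:]} or SAMPLES
    for name in matching(msgs):
        print("would match:", name)
```

Short, generic local parts such as info are the ones most likely to prefix a legitimate subject, which is what the ham-fp sample shows.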
