Hi all, I receive a few spam messages every day which i think should be easily recognized as spam. However, the spam score is quite low. May I ask if anybody has an Idea why mailcow / rspamd is behaving this way? [upl-file uuid=42962766-6510-46db-9191-77ebda2a285c size=6kB]pflichten-von-unternehmern-zur-datenaktualisierung.eml[/upl-file] [upl-file uuid=9f6df870-624e-4d66-9ed4-b8f028842b17 size=9kB]pers-reich-durch-bitcoin.eml[/upl-file] [upl-file uuid=e955fc8d-182c-45cc-b590-53f7487eb71e size=8kB]info-re-zeptfrei-bestellen.eml[/upl-file] [upl-file uuid=90b3bc64-4fb4-4e80-b2ed-16e41ef1504b size=9kB]info-wie-geld-verdienen-mit-bitcoin.eml[/upl-file] Thanks a lot guys!

Too much spam going through mailcow

flo-m

Hi all,

I receive a few spam messages every day which i think should be easily recognized as spam. However, the spam score is quite low.
May I ask if anybody has an Idea why mailcow / rspamd is behaving this way?

pflichten-von-unternehmern-zur-datenaktualisierung.eml

6kB

pers-reich-durch-bitcoin.eml

9kB

info-re-zeptfrei-bestellen.eml

8kB

info-wie-geld-verdienen-mit-bitcoin.eml

9kB

Thanks a lot guys!

DocFraggle

Funny, I get the same SPAM mails for a few weeks now, but didn’t have the time to get into the details yet…

EDIT: quick update, I checked the headers of the mails which weren’t flagged. They always have these symbols:

BAYES_SPAM(4.38)[99.67%];
BAD_REP_POLICIES(2.00)[];
IP_REPUTATION_SPAM(1.33)[asn: 53667(0.33), country: US(0.00), ip: 209.141.56.58(0.00)];

The final score is <8 which is my current limit to flag mails. So I went ahead and adjusted these sysmbols via the Rspamd UI. I set the following values:

BAYES_SPAM = 6 (default 4.5)
IP_REPUTATION_SPAM = 6 (default 4.5)
BAD_REP_POLICIES = 3 (default 2)

Let’s see if this changes things

flo-m

Thanks for your reply. I will try to adapt the settings.
Also i’ve seen that those mails get the symbol BAD_WORDS and/or BAD_WORDS_DE, but with a funny low value of 0.1, resulting in e.g.
BAD_WORDS_DE(0.20)[];

Do you think it’s safe to increse this to, lets say, 5-8 ? (with default header + reject settings)

DocFraggle

flo-m Do you think it’s safe to increse this to, lets say, 5-8

Hmm… I would be careful with that…

BTW, I checked two of your attached mails, they don’t have the BAYES symbol… do you regularly move those mails into the SPAM folder in order for Rspamd to learn them as SPAM?

flo-m

DocFraggle
yes, i regulary move those to the spam folder for my accounts. Maybe it needs more training, as my spam/ham db is only +/- 250 learns…