Issue with Rspamd and spam score

kimdre

I sometimes receive spam mails, that have a score higher than my minimum score to get flagged as spam but they don’t for some reason.
E.g. A mail has a score of 8,83 but doesn’t get flagged, even though the spam/junk score setting of my mailbox is 6-15
Is this normal behaviour?

ETNyx

Can you send headers from e-mail what exactly rspam did?

kimdre

These are the headers of one of the spam mail I’m talking about

Message-ID: <143764402400372176456715736687830768455750613311@almalinux.gb.net>
From: "Kein Verlangen nach Zigaretten" <ovkiwfr@almalinux.gb.net>
To: <terminabsage@lukasplath.de>
Subject: Nicozero - Ihre Freiheit von Nikotin!
Date: Tue, 28 Jan 2025 17:38:52 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0006_01DB71A9.37177EE0"

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01DB71A9.37177EE0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01DB71A9.37177EE0"

------=_NextPart_000_0007_01DB71A9.37177EE0
Content-Type: text/plain;
	charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

=0D=0A=0D=0A=0D=0A=0D=0A=0D=0A=0D=0A  =0D=0A  =0D=0A    =0D=0A  =20=
    =0D=0A      Nicozero - mit dem =0D=0A      rauchen=0D=0A    =20=
 aufzuh&#246;ren ist =0D=0A      einfach!=0D=0A       =0D=0A  =0D=
=0A    =0D=0A       =0D=0A      Wie ich f&#252;r immer mit dem Ra=
uchen aufgeh&#246;rt =0D=0A      habe.=0D=0A       =0D=0A      Ic=
h habe 1000 Mal versucht mit dem Rauchen =0D=0A      aufzuh&#246;=
ren=0D=0A      und es scheint, dass es mir beim 1001=0D=0A      M=
al endlich gelungen ist!=0D=0A       =0D=0A  =0D=0A    =0D=0A   =20=
  Seit sechs Monaten finde ich =0D=0A      Raucher ziemlich eklig=
=0D=0A      und werde niemals einer von =0D=0A      ihnen werden.=
=0D=0A       =0D=0A      =0D=0A       =0D=0A      M&#246;chtet ih=
r es auch so? =0D=0A      &gt;&gt;&gt;=0D=0A
------=_NextPart_000_0007_01DB71A9.37177EE0
Content-Type: text/html;
	charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

And this is the rspamd score with a forged recepient address, that didn’t even got flagged as one.

However another mailbox that also received a similiar spam mail marked it as spam with no issues:

esackbauer

kimdre Matched map: GLOBAL_RCPT_WL

Looks like someone did the global whitelist a little too generous.
Pls check all your whitelistings.
Do NOT put any mailbox addresses or mail domains from mailcows own domains on a recipient whitelist!

kimdre

esackbauer Thank you I guess I misunderstood the meaning of that filter. 🙂