Dear Mailcow-Team and Community First of all a huge thanks to you all for your contribution to an easy to install and maintainable full featured email server solution on open source base to use for everybody! 💪 I'm mailcow user since a year and impressed how good and simple the solution works for daily usage. My goal would be to stay long therm here. Unfortunately is there a point which increases doubts. The spam detection rate is terrible bad! My email boxes are getting literally flooded on a daily base. Only minor amount keeps hanging in the junk box. That tarnishes the pleasure to run the mailcow solution long term. Is there a plan and timeline to address this point for instance with AI powered technology? I would help and/or donate for such a plan to make/keep mailcow a good choice for the future. All I found on this topic is this mailcow post => "Rspamd GPT [Plugin"](https://community.mailcow.email/d/4028-rspamd-gpt-plugin) Wish list: - Data Privacy: Option to use Local AI - Green resource-saving design: allowing embedded system to run e.g. trigger AI filter through rspamd threshold (Rspamd GPT Plugin) and using distilled models - Continuous Improvement: Open and transparent community way to share filter experience - System Protection: Blacklist/block connections for repeat offender through help of AI Are there any planned efforts in this directions? Maybe an adapted version of DeepSeek could be an easy option for now?

Honestly, I'm not having issues with spam detection. The rspamd fuzzy was down for some days, but was recently fixed. Maybe that caused some minor bump in spam raise on your side. You can use the GPT plugin (see [rspamd docs](https://rspamd.com/doc/modules/gpt.html)) nowadays without any issues, if you wish to. It does integrate transparently with mailcow. (It also has options to run it with your own ollama installation, if you happen to have one) What also helps to some degree is the [url_redirector rspamd plugin (docs)](https://rspamd.com/doc/modules/url_redirector.html). I do have it enabled, works well. It isn't enabled by default, because it can potentially cause quite some HTTP/S calls for resolving redirections. (which not all users want) Hope this helps

Dear @"DocFraggle"#1599 and @"pkernstock"#1 The changed rspam settings are online since almost a week. There is much less spam in my inbox. However, the detection rate is still a kind of poor. As that type of spam emails have so a simple email subject pattern. I would expect a much aggressive learning curve to block them entirely after a short while and not even seeing them in the junk folder anymore. This is unfortunately not the case. Here is an example from 2 days ago: [upl-image-preview uuid=54a47c30-6798-452d-9222-393dfc1c87d5 url=https://community.mailcow.email/assets/files/2025-02-25/1740515254-258462-image.png alt={TEXT?}] A while ago some manual log analysis showed me altering IP addresses as source of this spam terror from same IP subnet of a dutch ISP. Any idea to directly firewall block such IP's after certain re-occurrence of spam terror? E.g. kind of Regex log filter via Fail2Ban? Or similar?

AI-Powered Spam Filtering

pkernstock

VulcanTom It’s new to me this option supports to run a local AI instance.

It was added in a quite recent rspamd commit: rspamd/rspamdb33cbea

VulcanTom My HW is on embedded level very moderate on power consumption and performance. I don’t want to kill my server. Do you have some experience to share?

On a VM with approx. 20 cores @ 2 GHz a quick “Hello, how are you” takes approx. 15 minutes to reply and around 20 GB of memory or so. On a RTX 3080 Ti, it takes around 5 seconds.

VulcanTom Regarding the url_redirector, is there further documentation on what this exactly does? The rspam docs are too cryptic to me only showing the config coding.

In a nutshell, it follows redirects of links in an email and then scores the links if they are known bad. In other words, it “resolves” URL shorteners such as j.mp

VulcanTom

@pkernstock Thanks again for your active response. Okay, so the local GPT is not an option at all. I’m looking for something power consumption below 10 watts average during daylong. It’s my home server and I do not want to waist power. Maximum possible to use a notebook CPU powered server with peak consumption of 55 watts.
Regarding the redirects, this might be an option. I checked most of my spam really has a link in there. Here is an overview of example spam I get. The spam looks very focused coming from a single source. Unfortunately are the source IP addresses alternating otherwise I would simply block them.

DocFraggle

VulcanTom I had the same problem with these exact SPAM mails. I changed some RSpamd symbols, see this thread:

https://community.mailcow.email/d/4411-too-much-spam-going-through-mailcow/2

I changed the following:

BAYES_SPAM = 6 (default 4.5)
IP_REPUTATION_SPAM = 6 (default 4.5)
BAD_REP_POLICIES = 3 (default 2)

This decreased the above mails by ~ 90%

I have to add: you have to move all of these mails to your Junk folder in order to train the Bayes algorithm, otherwise you won’t get the BAYES_SPAM symbol to fire. I think with the current configuration you need 200(?) learned mails

pkernstock

The hint from @DocFraggle in regards to Junk folder is a crucial one. I’ve been hit with same emails lately, but barely getting these through now (without adjusting outlined symbols). So BAYES seems to be properly trained now.

VulcanTom

Dear @DocFraggle and @pkernstock

Thanks for your prompt reply and support. My server just got updated from Nov-24 release to latest. The default values after the mailcow upgrade where:
BAYES_SPAM = 4.5
IP_REPUTATION_SPAM = 4.0
BAD_REP_POLICIES = 2.0

I changed them now as @DocFraggle recommended. I’m curious to see how much spam filtering gets improved and share my feedback after a while of field testing.

VulcanTom

Dear @DocFraggle and @pkernstock

The changed rspam settings are online since almost a week. There is much less spam in my inbox. However, the detection rate is still a kind of poor. As that type of spam emails have so a simple email subject pattern. I would expect a much aggressive learning curve to block them entirely after a short while and not even seeing them in the junk folder anymore. This is unfortunately not the case. Here is an example from 2 days ago:

A while ago some manual log analysis showed me altering IP addresses as source of this spam terror from same IP subnet of a dutch ISP. Any idea to directly firewall block such IP’s after certain re-occurrence of spam terror? E.g. kind of Regex log filter via Fail2Ban? Or similar?

maybl8

VulcanTom Any idea to directly firewall block such IP’s after certain re-occurrence of spam terror?

I block subnets via iptables but it is not recommended here.

pkernstock

But as per your screenshot, it is in the junk folder. So it’s fine? Just ignore it in the spam folder.

VulcanTom

Well, the score is extremely low. Some spam of same type do still snake through. Additionally, I don’t want think how much “brute force” traffic only this type of spam is causing on my email server. They should become simply blocked, not just nicely archived. On top of that, I’m not a fan to see how intensive my junk/quarantine is getting flooded. Good luck to find a false negative in that spam chaos.

smares

How do you enable the GPT plugin? I tried editing data/conf/rspamd/rspamd.conf.local with

gpt {
  enabled = true;
  api_key = "my API key";
  model = "gpt-4o-mini";
}

but the plugin is not loaded and the OpenAI dashboard shows that the key was never used.

w64

smares

The instructions in mailcow docs are about new modules, not included in rspamd. GPT plugin is included already in rspamd-mailcow. So basically, it’s needed to be created a new config file: data/conf/rspamd/local.d/gpt.conf
Open the file and fill the configuration parameters:

enabled = true; # Enable the plugin
type = “openai”; # Supported types: openai, ollama
api_key = “xxx”; # Your key to access the API
model = “gpt-4o-mini”; # Model name
max_tokens = 1000; # Maximum tokens to generate
temperature = 0.0; # Temperature for sampling
timeout = 10s; # Timeout for requests
prompt = “xxx”; # Prompt for the model (use default if not set)
condition = “xxx”; # Custom condition (lua function)
autolearn = true; # Autolearn if gpt classified
reply_conversion = “xxx”; # Reply conversion (lua code)
url = “https://api.openai.com/v1/chat/completions”; # URL for the API
allow_passthrough = false; # Check messages with passthrough result
allow_ham = false; # Check messages that are apparent ham (no action and negative score)
reason_header = “X-GPT-Reason”; # Add header with reason (null to disable)
json = false; # Use JSON format for response

Restarting rspamd-mailcow will load the gpt.lua plugin and if loading is successfull, you can view this messages in the rspamd-mailcow logs:
rspamd-mailcow-1 | 2025-02-28 23:41:30 #1(main) <1n5m8f>; lua; lua_redis.lua:605: use default Redis settings for gpt rspamd-mailcow-1 | 2025-02-28 23:41:30 #1(main) <1n5m8f>; cfg; rspamd_init_lua_filters: init lua module gpt from /usr/share/rspamd/plugins/gpt.lua; digest: bfd7f51817

I am in testing a ollama model, but i get errors like this one:
call to (GPT_CHECK) failed (2): /usr/share/rspamd/plugins/gpt.lua:192: attempt to call field 'get_displayed_text_part' (a nil value); trace: [1]:{/usr/share/rspamd/plugins/gpt.lua:192 - condition [Lua]}; [2]:{/usr/share/rspamd/plugins/gpt.lua:854 - <unknown> [Lua]};

…and can’t understand if gpt plugin for now support only openai, or ollama support is also implemented completely, but my configuration of the config file is wrong somehow?

smares

Thanks, works fine so far with OpenAI.

laitco

Hi!

as well implemented with GPT-4o-mini. Just wanted to ask if you are fine with this model and how the spam detection works on your site after integrating it? Is it more aqurrate? Did you modified something noticable?

I am currently running this:

enabled = true; # Enable the plugin
type = “openai”;
api_key = “XXXXXXXXXXXXXXX”;
model = “gpt-4o-mini”;
max_tokens = 500;
temperature = 0.2;
top_p = 0.8;
timeout = 15s;
autolearn = true;

stefan21

pkernstock What also helps to some degree is the url_redirector rspamd plugin (docs) Rspamd - rapid spam filtering system.URL redirector moduleRspamd is an advanced spam filtering system and email processing framework that allows evaluation of messages by a number of rules including regular expressions, statistical analysis and custom services such as URL black lists. . I do have it enabled, works well. It isn’t enabled by default, because it can potentially cause quite some HTTP/S calls for resolving redirections. (which not all users want)

As far as I understand out of the config:

'# Module documentation can be found at https://rspamd.com/doc/modules/multimap.html

multimap {
redirector {
type = “url”;
filter = “tld”;
map = “https://maps.rspamd.com/rspamd/redirectors.inc.zst”;
symbol = “REDIRECTOR_URL”;
description = “The presence of a redirector in the mail”;
score = 0.0;
one_shot = true;
}

Default score is 0.0 - what score do you suggest for this symbol?

Or is it already covered by this symbol?

surbl DBL_ABUSE_REDIR DBL uribl abused spammed redirector domain –> score 1,50

stefan21

Following this: https://rspamd.com/doc/modules/url_redirector.html

includes this: redirector_hosts_map = “${LOCAL_CONFDIR}/local.d/maps.d/redirectors.inc”;

after: #'docker compose restart rspamd-mailcow
and: #'docker compose exec rspamd-mailcow /bin/bash
'# cd /var/lib/rspamd
'# ls -l shows a new map file: f3933e67d5f9574a9eaf78cd0a8e99140ecc502e.map
'# cd cd /etc/rspamd/maps.d
ls -l shows a different time stamp and size of the file redirectors.inc

Question 1: is the map-file copied to redirectors.inc?
Question 2: a test email with a domain of the map-file, is not beeing scanned, means it goes through rspamd.

What am I doing wrong? Do I overlook something?

stefan21

Took me a whole day to figure out, how the url_redirector proper works. For those, who are interested:

proxmox 8.4.1
debian vm: /etc/debian_version 12.10
mailcow: 2025-03b
rspamd: 3.11.1

create a file in in local.d/ as url_redirector.conf:
# How many urls to check max_urls = 5;# Maximum body to process
max_size = 10k;
# Follow merely redirectors redirectors_only = true;# Redis key for top urls
top_urls_key = ‘rdr:top_urls’;
# How many top urls to save top_urls_count = 200;# Check only those redirectors
redirector_hosts_map = “${LOCAL_CONFDIR}/local.d/maps.d/redirectors.inc”;

Take care for the owner settings of the file.

in rspamd admin –> symbols –> multimap REDIRECTOR_URL The presence of a redirector in the mail –> score this one with i.e. “5” (depending on your general settings). Save it.
Here’s a cavecat: if you send from a sogo contact a test email with i.e. "<a href=“https://bit.ly/lalelu">google.de</a>“ you’d expect, to get a soft-reject, greylist or a reject. BUT SOGO_CONTACT has per default a score of ”-99.0″. So trusting your sogo contacts could compromise your system. To me this logic does not really making sense to trust a sogo contact of a user, does it?
Now the struggle begins:

a) in rspamd admin –> symbols –> sogo –> score both one with i.e. “-1.0” (depending on your general settings). Save it. But not helping (alone?).
b) in local.d/groups.conf change the SOGO_CONTACT score to “-1.0”. Not helping (alone?).
c) in rspamd/dynmaps/settings.php find SOGO_CONTACT and score it to “-1.0”. Helps.

Did a) - c) always with a docker compose restart rspamd-mailcow

To be safe restart the whole cow with docker compose down and docker compose up -d.

Send a test email from a sogo contact. The logs are showing something like this:

“rspamd-mailcow-1 | 2025-05-13 20:05:17 #40(normal) <33A3D1>; task; rspamd_task_write_log: id: 8ed92e1cf39141548488876d2fd8f279@kabelbw.de, qid: <33A3D14276A>, ip: 14.25.28.66, from: x.y@kabelbw.de, (default: F (soft reject): [7.17/9.00] [REDIRECTOR_URL(5.00){bit.ly;},BAD_REP_POLICIES(3.00){},DWL_DNSWL_LOW(-1.00){kabelbw.de:dkim;},SOGO_CONTACT(-1.00){},…”

As bit.ly is in the redirector_map this one gets a score of “5.0” from the REDIRECTOR_URL. And the sogo contact get a score of “-1.0” from the SOGO_CONTACT symbol.

The mail is as expected soft rejected.

Maybe I overlooked something. If there is a more simple way, I’d like to know. What I also don’t know, if this survives an update. We’ll see.

Generally spoken, I’d never give a user email contact a trust-score of -99.0. Why should I? Who knows all about his email contacts and the IT behind.

stefan21

Could be another approach. In system - settings - rspamd-settings-map adding a rule like this:

settings {
whitelist_sogo_userdomain {
priority = 5;
apply “default” {
SOGO_CONTACT = -1.0;
}
symbols [
“SOGO_CONTACT”
]
}

Could be worth to be tested. Will it work? No syntax test while adding to the active settings map. No error in logs shown…

stefan21

I rescaled the groups.conf and the settings.php back to -99.0. I left the symbols with -1.0.

I added a rule like this:

whitelist_sogo_userdomain {
priority = 5;
apply “default” {
SOGO_CONTACT = -1.0;
}
symbols [
“SOGO_CONTACT”
]
}

A test email from a sogo contact of a user is scored with -1.0. Seems to work… Maybe somebody else could test this?

stefan21

This approach makes only sense with a few users. Otherwise a system wide setting (see above) should be the first choice.

shafiqnoorzai

👍👍👍👍