Setup: Ubuntu VPS running mailcow-dockerized
The Problem
I’m experiencing persistent false positives in RSPAMD where legitimate business emails with large attachments (10-25MB, presumably .pdf files) are being rejected as spam. These are important project reports from a trusted business partner that need to get through. I’ve been using mailcow-dockerized for a while now, and it seems that large project reports with a scientific theme constantly get flagged as spam.
Current Symptoms
RSPAMD Analysis showing:
- VIRUS_FOUND (2000) - Major red flag, which is triggering the spam flag
- Attachment sizes: 14.8-14.9 MiB consistently
Sample rejected emails:
From: [redacted]
Subject: XXX(Project Weekly Report)
Size: 14.9 MiB attachments
Score: 2004.93 / 15 (way over threshold)
My Questions
VIRUS_FOUND scoring 2000 points - Is this ClamAV being overly aggressive with large attachments? How do I tune this without compromising security?
Bayesian retraining - How many ham samples with large attachments do I need to feed RSPAMD before it stops misclassifying? Current corpus seems spam-heavy. Is this even resolvable with retraining or should I look at the antivirus?
Environment Details
- mailcow-dockerized latest
- Default RSPAMD configuration
- ClamAV enabled
- No custom antivirus rules currently
Any guidance on systematically addressing these false positives while maintaining spam protection would be greatly appreciated. This is affecting legitimate business communications and I need to find the place where I can adjust the configurations.
After doing my own research, it seems that there are two locations I can adjust, one being rspamd/local.d/mime_types.conf or rspamd/local.d/antivirus.conf and the other being clamav/clamd.conf. I believe that the messages are shipped over from rspamd to clamd/clamav to check for viruses, which is why I’m more prone to adjusting the clamd settings.
The error message that I am getting in the rspamd web UI is VIRUS_FOUND • CLAM_VIRUS & !MAILCOW_WHITE (2000), and from the rspamd/local.d/antivirus.conf file (see below), it seems that the high spam score is coming from the antivirus.
clamav {
    # Scan the whole message as one stream instead of each MIME part separately
    scan_mime_parts = false;
    #scan_text_mime = true;
    #scan_image_mime = true;
    # Symbol rspamd inserts when clamd reports a detection; mailcow's VIRUS_FOUND composite builds on it
    symbol = "CLAM_VIRUS";
    type = "clamav";
    # Also log scans that came back clean
    log_clean = true;
    # clamd container and port the message is streamed to
    servers = "clamd:3310";
    # Messages larger than this (20971520 bytes = 20 MiB) are not sent to clamd at all
    max_size = 20971520;
}
Has anyone dealt with similar large attachment issues being flagged as spam? What would you guys say I should check next?
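The 2000 points are mailcow's VIRUS_FOUND composite firing on CLAM_VIRUS, so the useful next question is which ClamAV signature (or limit heuristic) clamd is actually returning for the attachment. The rspamd log line and web UI carry that name in the CLAM_VIRUS symbol options, but the quickest way to separate ClamAV's verdict from rspamd's scoring is to stream the saved attachment to the same clamd instance rspamd uses and read the reply directly. The script below is an added example written for this post, not mailcow, rspamd or ClamAV code; it speaks clamd's INSTREAM protocol over TCP and assumes clamd is reachable at the host and port you pass (the page's antivirus.conf points at port 3310 on a host named `clamd`, which is only resolvable inside the compose network, so the default host of 127.0.0.1 is an assumption you will likely need to replace or reach via a published port). A verdict such as Heuristics.Limits.Exceeded points at clamd.conf scan-size limits rather than a malware signature; a named signature points at the signature database (including any third-party databases mailcow loads) and a possible false positive to whitelist in rspamd's antivirus module.

```python
import socket
import struct
import sys

# INSTREAM chunk size; any size works, clamd reassembles the stream on its side
CHUNK = 64 * 1024


def frame_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Encode data as a clamd INSTREAM request.

    Wire format: the NUL-terminated command "zINSTREAM", then a sequence of
    chunks, each a 4-byte big-endian length followed by that many bytes, and
    finally a zero-length chunk that tells clamd the stream is complete.
    """
    out = bytearray(b"zINSTREAM\0")
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)  # terminator chunk
    return bytes(out)


def parse_clamd_reply(reply: bytes) -> dict:
    """Classify one clamd reply line.

    clamd answers "stream: OK", "stream: <signature> FOUND" or
    "stream: <message> ERROR" (e.g. "INSTREAM size limit exceeded." when the
    stream is larger than StreamMaxLength in clamd.conf).
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return {"status": "clean", "detail": None}
    if verdict.endswith(" FOUND"):
        return {"status": "infected", "detail": verdict[: -len(" FOUND")]}
    if verdict.endswith(" ERROR"):
        return {"status": "error", "detail": verdict[: -len(" ERROR")]}
    return {"status": "unknown", "detail": text}


def scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = 3310,
               timeout: float = 300.0) -> dict:
    """Stream data to clamd at host:port and return the parsed verdict."""
    reply = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(frame_instream(data))
            # z-commands get a NUL-terminated reply; read until we see it
            while not reply.endswith(b"\0"):
                buf = sock.recv(4096)
                if not buf:
                    break
                reply += buf
        except (BrokenPipeError, ConnectionResetError):
            # clamd drops the connection once StreamMaxLength is exceeded;
            # whatever it managed to send back (normally the ERROR line) is in reply
            pass
    if not reply:
        return {"status": "error",
                "detail": "connection closed without a reply (size limit hit, or clamd not reachable)"}
    return parse_clamd_reply(bytes(reply))


if __name__ == "__main__":
    # usage: python clamd_check.py <attachment> [host] [port]
    path = sys.argv[1]
    host = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"  # assumption, see lead-in
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 3310
    with open(path, "rb") as fh:
        payload = fh.read()
    result = scan_bytes(payload, host, port)
    suffix = f" ({result['detail']})" if result["detail"] else ""
    print(f"{path}: {result['status']}{suffix}")
```

Run it against the saved 14.9 MiB PDF from one of the rejected messages. If the reply is a limit heuristic or an ERROR, the fix lives in clamd.conf (MaxFileSize, MaxScanSize, StreamMaxLength); if it is a named signature, look that name up before whitelisting it, because a signature false positive is the only case where the antivirus whitelist is the right tool, and a Bayes retraining cannot override a 2000-point composite either way.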