Rspamd rejecting mail from outlook.com, fetched by fetchmail.

roelofz

Hi,

All other mail is accepted from other domains, below is what rspamd reports about the mail:

FREEMAIL_POLICY_FAILURE (16)
FORGED_W_BAD_POLICY (3)
RCVD_NO_TLS_LAST (0.1)
ARC_REJECT (0.1) [cv is fail on i=4]
MIME_GOOD (-0.1) [multipart/alternative,text/plain]
TO_MATCH_ENVRCPT_ALL (0)
RCPT_MAILCOW_DOMAIN (0) [example.nl]
MID_RHS_MATCH_FROMTLD (0)
MISSING_XM_UA (0)
PREVIOUSLY_DELIVERED (0) [recipient@example.nl]
FORGED_SENDER (0) [sender@outlook.com,SRS0=yT3f=7K=outlook.com=sender@provider.net]
FROM_HAS_DN (0)
MIME_TRACE (0) [0:+,1:+,2:~]
FROM_NEQ_ENVFROM (0) [sender@outlook.com,SRS0=yT3f=7K=outlook.com=sender@provider.net]
RCVD_COUNT_SEVEN (0) [7]
NEURAL_SPAM (0) [1.000]
TO_DN_ALL (0)
BCC (0)
RCPT_COUNT_ONE (0) [1]

Eerlier I was able to recieve mail from Outlook.com, now it fails.
The latest update.sh performed on mailcow was last weekend, and then I noticed this for the first time (mail gets stuck in de provider pop mailbox as fetchmail can not pass it through to postfix.
As said, other mail arrives without problems.

is there a problem with Rspamd, of is there something I should learn rspamd to not false positive these mails for this reason.

Thanks for your help!

ETNyx

No, there is no problem in rspamd, problem is that sender is forged and this behavior is commonly used by spammers.

What to do? Whitelist sender in this mailbox.

roelofz

This is happening for every email originating from outlook.com, every mail.
So all mail from outlook.com, hotmail.com is forged?

Work email (365) is accepted.

Is there something in my config what could cause this, on this part nothing has changed in the last few months (fetchmail retrieving pop boxes from provider and resending it to mailcow). I did change the way email is sent outside (moved from smtp2go to another sending provider, this took a lot of effort, not guaranteeing I broke something else causing the incoming line to stutter (and still convinced the fetchmail construction has not changed).

I’m really puzzled with this, hope you can give me some direction to alter this.

ETNyx

No, if sender is originating from outlook.com that this is not happening (assuming all DMARC, SPF,.. and so are valid).

Your problem is that mail is originating at provider.net not outlook.com that’s the forgery,…

roelofz

I get what you’re pointing at, the provider notation sounded very strange to me, still very strange the result is only outlook.com gets rejected, other emails don’t.

Is there a way to change this in rspamd temporarely so mails will pass through for the time being (The RSPAMD interface is not very intuitive for me), so any hint in whitelisting would help me a lot.

So in your opinion the provider must have changed something for this to be triggert?

ETNyx

I do not know full pipeline, so my guess is mail is “routed”:
provider.net --> outlook.com (redirect) --> your MC
best solution is
provider.net --> your MC
or at least

For solving this at your MC, at least temporary is log into recipient@example.nl MC UI (assuming this is your mailbox), go into antispam settings and whitelist sender@provider.net (and/or sender@outlook.com not sure now,…). This way you should bypass this false-positive (for you). Just for this combination of recipient and sender. It’s most surgical solution that does not affect overall settings.

You may consider (bellow i do not recommend those,..)

That said you can change FREEMAIL_POLICY_FAILURE score, but this allow others bad actors easily bypass your antispam (not just from outlook.com, not just from providet.net, not just for recipient@example.nl)

Also you can add outlook.com as forwarding host in your MC but this allow (possibly) others bad actors from outlook.com bypass your antispam

[unknown] still very strange the result is only outlook.com gets rejected, other emails don’t.

You did not show any of those other senders, my assumption is that they are not classified as free mail, so they are not under this rule (FREEMAIL_POLICY_FAILURE). Or maybe they know how to send e-mail properly, starting whit not breaking ARC and other antispam features,..

roelofz

Freemail policy for all.

The flow is Outlook.com > provider > MC
All mail passess provider.net, zo this one should be trusted.
The problem may be all mail gets then accepted as in 100%.
I don’t know where to add provider.net to the whitelist, is it in the configuration part of the web interface, or in opt/mailcow/data/conf/rdspam…?
Adding a Forwarder (provider.net) with or without rspamd activated) does not have effect, maybe because I use Fetchmail and not mx based receiving? Tips on this part are welcome, how to make a trust rule for provider.net
I see differences in headers saved a year ago and current headers, so I have contacted my provider.