Getmail: Spam subject is not rewritten with rspamd

Bug
,
1

NethServer Version: 7.5.1804
Module: pop3 connector

hi,
i configured the POP3 Connector to get mail from the provider. I have enabled antivirus and antispam checks. When an email exceeds the threshold, rspamd adds to the header of the “X-getmail-filter-classifier: Action: rewrite subject” but the subject does not change and the email is not moved into the junk folder.

thank you

1 Like
2

same for me here, got similar / same problem for rsamd, but did not request support as I am stuck in several other problems …

3

what is the exact header please added by rspamd ?, there are known limitations https://rspamd.com/doc/integration.html#lda-mode when you install nethserver-getmail

4

I stephane: … nothing. No header was added, but the history reports that an email was considered as spam (value > 5) and the subject was rewritten:

grafik
grafik.png1909×48 3.45 KB

but within any mail client (sogo, Iphone, thunderbird), the email is found in the inbox (not in the spam folder) with its original subject.

Yes, I eed to counterceck as I recieved this email (and most others spam) via getmail from an external account…

TIA
Thorsten

5

did you check the source of the email (option in thunderbird or sogo), I believe that the tag ‘X-SPAM’ ‘YES’ was added but dovecot send to junk only ‘X-SPAM-FLAG’ ‘YES’

get-mail is here for retro compatibility, but it is not a nice way to handle email :frowning: moreover rspamd cannot works well in this configuration, it can only add headers, maybe we could use this header to reject email but postfix is not triggered at this level.

6

No, If I look at the source code of the e-mail, no tag / text is fould ([CRTL]+F) when searching for “SPAM” …

7

could you forward me the email as attachment please to stephdl at de-labrusse.fr

8

image
image.png1643×877 173 KB

1 Like
9

Normally

image

1 Like
10

Dear Stephan,

email forewared as requested. My I kindly ask you to replay due to some issues on my server DNS setup: Some mail providers still refuse to talk to me… Logfile for you seems te be OK, I just want to make sure :slight_smile:
THX
Thorsten

11

no email from you :’(

paste and share it in a gist provider please https://gist.github.com/

12

Maybe we have a bug here but do not know how to teach dovecot/sieve to modify the subject, or to reject the email.

I need the inputs of @giacomo and @davidep (later, actually he is drinking a margarita at the beach)

EDIT: this is a good reading https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples

13

An important question is obviously, to prevent introducing false positives:
Are all the e-mails with this altered header spam mails?

14

OK, getting weard:

here my message.log of the mail to you: no errors. Also my mail queue is empty. . Kindly ask you to countercheck your spam folder. … :slight_smile:

Zusammenfassung

Aug 20 14:33:39 ebb-s01 rspamd[1869]: <5114eb>; proxy; rspamd_task_write_log: id: <6e3-5b7ab500-7-26cb5240@162361151>, qid: <BCDEB1085D85>, ip: 127.0.0.1, from: <myname@mydomain.tld>, (default: F (add header): [5.00/20.00] [R_SUSPICIOUS_URL(5.00){4570595.ru;},SIGNED_SMIME(-2.00){},MIME_BAD_ATTACHMENT(1.60){p7s;},MID_RHS_NOT_FQDN(0.50){},MIME_GOOD(-0.20){multipart/signed;multipart/mixed;multipart/alternative;text/plain;},MIME_UNKNOWN(0.10){message/rfc822;application/x-pkcs7-signature;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 9525, time: 376.672ms real, 6.128ms virtual, dns req: 9, digest: <cd646228d7f14522a903e78d33e26158>, rcpts: <yourname@yourdomain.tld>, mime_rcpts: <yourname@yourdomain.tld> Aug 20 14:33:40 ebb-s01 postfix/smtp[8293]: BCDEB1085D85: to=<yourname@yourdomain.tld>, relay=mail.yourdomain.tld[164.132.77.216]:25, delay=2, delays=0.47/0.01/0.58/0.98, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D052C180B3915)

second here is the respective spammers e-mail:

Return-Path: <grant@leracz.com>
Received: from ohanavolleyball.com ([138.197.214.204]) by mx-ha.web.de
 (mxweb010 [212.227.15.17]) with ESMTP (Nemesis) id 1MpmTh-1gCLru3BZl-00pwPO
 for <myname@web.de>; Sat, 18 Aug 2018 14:21:20 +0200
Subject: New order
Date: Sat, 18 Aug 2018 12:21:19 +0000
Content-Type: text/html; charset="UTF-8"
From: Ross Ramos Support <grant@leracz.com>
Enthusiastic-Plowman-Bong: royally
Semantics-Kanji: 1751
Content-Transfer-Encoding: 7bit
Escaping-Inductions-Comprising: b89a87c8de5
To: "myname@web.de" <myname@web.de>
Message-ID: <69ec6f87acacfd23d82a@leracz.com>
MIME-Version: 1.0
Envelope-To: <myname@web.de>
X-UI-Filterresults: junk:10;V01:K0:uhXvKqDnCBs=:ixLKiAhED5RdhoV36pA9UhXGwpf7
 yaT4tflqVHlQeFEAaL1bU5y3xR95emg5zYkDQuREiTxRE918t7sqSEz11Eqm5tw4riWBXfCVf
 FiVQWjjfpQknFKqofFcLkepqVMfKXL7QBYqztfXoXDxC33UG3lDywnrsbOqDCTihKrkqcOAKA
 7T/E2TLN/AnjS0hLQ5hYe0Hltk13/vt5TwhEMajWmly0OT8w+Zs9MQYBYWN6aSKN6xWxGJnUa
 hgdLL1yfzNZvvMAPBuWvmq75ml7wgFOKvThjhTrfZBauhRrkzZSDBX7YZzmH0CzkNjCgkCeqy
 YXAirzXF3smLY0BT7+Iz0ACBOASvrQETrU7vBpIQ8Le22f61buKvQdj+UnEjbXP9HoTe1c0c1
 HeB3ltoOrHH1d1ldfm0Q93ydbL8dsGG31qqEB//UX25Y1f2wNiO8zjAKQUaQEbZckbuV5pGPe
 STWYNeTyHWkcZq/Vhv1QVwpejdpKKXBS2+YP1QEOxMYaYxwa5bzWngUBFWMgO4+ezLapZ0gsZ
 6IGB6NELATW4qYJIBsoZoUG2W/zybp4sW0O4b2FJ85yJ+efJgJeTZTGr5Pkp34LNDoTwGBOGH
 SQiKtnK45Bh6eNkqa4zhnfAFtZftEj8v7hJs5nq+cGczfGRIONxmrWsA3nEe5RquC68DyqLxi
 MP1KIhDIwNi9eoaGRqn/dtUXLo03iyilz2F6ubaO/StvaR6rg2JizWviuSGhtvqQKnFH68x2c
 cH9xti02GjsAQ7na9GL8OQ28H67gIo1/9P7aT1fsvxHi5U1wsWQ+6G9S8rWrBOsoJ0m/nQQ0/
 nIm9hp9zqbKbP851eN016pXhRZ5U00uyoDIz97tWLKTXBbsDo6rNO8or1cbe7pFwRqXHIZZJW
 VU5sbkNYw9psI2jnO6LspSkv3jYFEPtpk+2JySSYNahkyAd5wmJZ974WwuEQhX/Eq1B0hMbm7
 g492NYMunIkptNama1iP66wnbwDo/m2ovfGDPDfM5GA0nwcE07BSnZeZOxIRTcELRFsDZagng
 mm8Bz0CWmOdNdQrfA1htSPzS/5igsTQm9Y8XOD9T8pYsT1S9Wqs1FfTjQcB/xVj8Gt3cEQi3Y
 7af4kxT8NKPMlytRHRFgb7nxQbLaEtcFHG+1T0LaF7M662+D4W0iC65BzDbaT9LVN23hB9n0s
 2q2k7RkzJpPGquvSD4GXP+dQSeuS9YNVNTmRlezCmPr7/lvCMKnq/dYbsRG4wdY3/Q7vohcmR
 8/1vjULVk3/NNUIr/dmH9j/V/3BffxJ2PM8E5wHLzuwVszH1wE/gcQSyEYPxysMcyMJn56fIw
 x6zHOeAwX33wSgOXaUKePB+cL4jgHlctwRwRriZ4eRO3vCT5LeIsOMA+CLU4lpTtjHv/+DOuX
 r8KjgthsdybDtmkaIYWP4UrAdmpAaccJ7XG27yTe45dy5VYYYIQu2XyQzfIHC6l/UaBZo2AiO
 8//+j3UIIvPeHoa7piyuoIU4maNHcs3+vylqG3j9oUuKkpxYpEodX7Wrygyg0iKUWu9hLnBKw
 JOzRNP2aC2jEryPcNy/uy2OlvLVS1GTXFTGSNtv98xjO4rzEY4KkaMA7q+M8o9o/QTch2MN5p
 mCM3xMeRUvpj0RVJCWY091/T+NvKq3cnOfBA0uZFizJQ5sF8QZ5d1LUXC6dNDsRPns4AVA7TA
 rjOEAI8owFI3BWo7IO85Yyq4o6aSnjokKjvglonQGMC5siDtf+UWC8vB9mfsPsw9SKQo7r6fS
 SP9onZdwDu5C/2x7E1wB2rxu5ananoB8VXrU9RTP7au+hnIuCqS4QvLM31Y/GxP4ZwAXR6dRL
 c79fxz/IIH6L5KSE/CsE2tAgfDJLSiSM89Yp6KqOhgC+DI+g2Z/MmT4k3057Ng7ljL6/ASfxp
 P+JFEEgY7f2eIq/6cEsmpSgCZYMLVjNd1fLQJ6g9YMCl02DNWxbZ5e/iUMBgR4ZaZNKLlnvJG
 tOzPSVSWG1hCQcf2Rp/gQHnE7eKhoj29boDCY5JRluirCzOhQcdcOaZMWkm/S4SJdsy7C4T2n
 QwfJqtn7B4OWt8NNLVGkQx7DhGV/HQN4fQcVmeROzA8OnPrkzfum/go4ZT8vwU86s7nuwNVgf
 vrQ/DsWWxv+C2YsGrc+RL/mcMqnz1Eb4VRoVNHGYDbgih3aHGt08iooWvOhAD3WawHgB1y43e
 MjUIl4LywLBjNH5iwl8EtvFAkCi2lcwrSJjyX2FGeHT2tSKJ9GQQlXIZxlP+R5Qnxmz0tNB/d
 kexYN+0/aNMqLhWuRopTuTPHMvmSZ2RrcVw==
X-getmail-filter-classifier: Action: rewrite subject
X-EsetId: 37303A29E5E4B16261766A

 <html>   
  
  
   
 
 <head> <title></title> 
</head>  
    
    
    
<body> 
   
   
    

<br><br>  Hello  <br><br>   
   
   
You have<a href="http://4570595.ru/anticipated.php?New order69ec6f87acacfd23d82a" style="color:#3e6995;text-decoration:none;">  
<span style="font-weight:bold;"> 8</span> messages</a>  <br><br> 
  

   

<a href="http://4570595.ru/anticipated.php?View" style="text-align:center; width:142px; margin-top:17px;margin-bottom:17px;width:152px; display: inline-block; -moz-border-radius: 55px; -webkit-border-radius: 55px; border-radius: 55px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; background-color: #e2223f; color: #ffffff; padding: 15px 55px; font-size: 15px; font-weight: 750; line-height: 15px; height: 15px; text-decoration: none; margin-right: 15px;">View</a>     
<br><br>  Ross Ramos, Support   
 
  
   
 <br><br>     

This message was sent to myname&#064;web.de.
  
<span style="font-size: 14pt;">Please <a href="http://4570595.ru/anticipated.php?uid-69ec6f87acacfd23d82a" style="color:#3b5998;text-decoration:none;">unsubscribe</a> if you don't want to receive these e-mail .</span>  <br><br> 
8/18/2018  <br><br>    
    
   </body>  </html>
15

got it in spam for your second attempts :slight_smile:

X-Spamd-Result: default: False [13.03 / 19.90];
	 R_SPF_ALLOW(-0.20)[+a];
	 HAS_ATTACHMENT(1.00)[];
	 TO_DN_NONE(0.00)[];
	 MX_GOOD(-0.01)[cached: mail.exxxxus.world];
	 DKIM_TRACE(0.00)[ebbxxxxaus.world:~];
	 DMARC_POLICY_ALLOW(-0.25)[exxxxxxus.world,none];
	 FROM_EQ_ENVFROM(0.00)[];
	 IP_SCORE(0.18)[country: EU(0.91)];
	 RCVD_TLS_LAST(0.00)[];
	 ASN(0.00)[asn:1836, ipnet:80.254.160.0/19, country:EU];
	 BAYES_HAM(-1.19)[89.09%];
	 MIME_UNKNOWN(0.10)[message/rfc822,application/x-pkcs7-signature];
	 SPAM_FLAG(5.00)[];
	 FROM_HAS_DN(0.00)[];
	 SIGNED_SMIME(-2.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,multipart/alternative,text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[stephdl at de-labrusse.fr];
	 MIME_BAD_ATTACHMENT(1.60)[p7s];
	 RCPT_COUNT_ONE(0.00)[1];
	 R_DKIM_PERMFAIL(1.00)[ebxxxxus.world];
	 R_SUSPICIOUS_URL(5.00)[4570595.ru];
	 MID_RHS_NOT_FQDN(0.50)[];
	 RCVD_COUNT_TWO(0.00)[2];
	 HFILTER_HOSTNAME_UNKNOWN(2.50)[];
	 GREYLIST(0.00)[pass,meta]
16

at least uf … I am still stuck to this here …

… I feard your server would not accept my emails …

17

yes spf, dkim and dmarc

you could use also a smarthost

18

Hi Mark,

no, only those where rspamd worked

image
image.png1732×46 14.5 KB

19

in the other case

image
image1730×49 10.8 KB

image

20

well, I have the feeling that a sieve script can

  • modify/set a header
  • reject(bounce message) or discard (reject silently)
  • move an email in junk folder

but I never read something on sieve and subject rewriting, I worry it could be not possible, I read this also https://www.dovecot.org/list/dovecot/2007-October/026079.html