Much more Spam after Update from 7.7 to 7.9

NethServer Version: 7.9.2009

Hello,
we have major problems with spam since the update from 7.7 to 7.9. It seems that the rspamd is not working, but the logs say otherwise. We get up to 120 junk mails per day.

In the last few days I have tested whether the rspamd works at all. That’s how I have it
Spam threshold set to 1 - without success, no change of the situation,
the graylist set to 1 - without success, no change of the situation.

If I go to rspamd and scan the source code of one of this mails, I get a spam level of 27 (= reject), but the mail is still delivered. The mail seems to be recognized as spam, but is still delivered.
See LOG: from: heinrichshzrtdzvolker@alexussro.com, (default: T (reject): [27.16 / 20.00]
Can someone help? Thank you.

Hi @TK_KSH,

Can you tell a little bit about your setup?

As an example:
Has the nethserver a red interface and is the mail received on that interface?

Hi,

I pick up the mails via getmail (pop3-connector). The neth-box is not a direct MX. My settings:

Mark as spam is set to: 4.5
Reject is set to: 20
Greylist is set to: 4

I’ve searched rspamd’s logs, but can’t find anything that helps. Do you need something more? Thanks for help.

Do not use getmail myself, however difference found between 7.7 and 7.9 seems to be on 7.9 the mail-filter for getmail is disabled by default.

Is it enabled in the getmail settings? (AFAIK this can be done in the server-manager)

Sorry stupid question; obviously yes otherwise it would not be scanned at all.

I think I have a clue:

The mail from getmail is parsed to rspamd emulating the message was received from the specified IP address 127.0.0.1. Which is a (trusted) local address and respected since my commit correcting the syntax of local_addrs.

cc/ @stephdl

We need the full email transaction of a supposed spam from maillog, from the hello to the end of the transaction.

Hello,
damn it was that simple. :grinning: Mark, you’re right.

Of course the filters were still switched on in version 7.7 and now in version 7.9 they were all switched off. It never occurred to me to look again in the basic settings.

Thanks for the quick help!!!

@TK_KSH Glad you are sorted out!

@stephdl we can discuss my doubt regarding -i 127.0.0.1 later.
(feel responsible for possible side effects the commit correcting local_addrs can have)

It is a feature that when the email is on localhost we skip some checks, not all checks.

The mantra is the same: never use getmail.