Rspamd blacklist domains with wildcards

NethServer Version: 7.6.1810
Module: Email

Hello,
I’ve got difficulties with spam messages coming from several similar domains like

vip@kup-novinky7.eu
jasnavolba@kup-novinky12.eu
vip@kup-novinky14.eu
etc.

I’ve tried to train Rspamd with these messages, but probably due to the changing number in the domain name these messages still get through. So I’ve started to learn how to configure Rspamd manually, with the intention of blacklisting domains with wildcards like

kup-novinky*.eu

But I haven’t got very far, because when I started testing by just adding a normal (non-wildcard) domain of a public freemail provider (atlas.cz) to the blacklist
/etc/rspamd/blacklist_from_domains.map,
updated the filter with
signal-event nethserver-mail-filter-update
and sent a mail from that domain, the mail went through.

```
X-Spamd-Result: default: False [1.46 / 20.00];
RCVD_TLS_LAST(0.00)[];
MX_INVALID(0.50)[cached];
FROM_HAS_DN(0.00)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
MIME_GOOD(-0.10)[text/plain];
TO_DN_NONE(0.00)[];
DMARC_NA(0.00)[altas.cz];
RCPT_COUNT_ONE(0.00)[1];
RCVD_COUNT_THREE(0.00)[3];
IP_SCORE(1.16)[asn: 6830(4.81), country: AT(0.96)];
RECEIVED_SPAMHAUS_PBL(0.00)[90.38.103.89.zen.spamhaus.org : 127.0.0.11];
R_SPF_NA(0.00)[];
RCVD_IN_DNSWL_LOW(-0.10)[160.121.179.62.list.dnswl.org : 127.0.5.1];
R_DKIM_NA(0.00)[];
MIME_TRACE(0.00)[0:+];
ASN(0.00)[asn:6830, ipnet:62.179.0.0/17, country:AT];
MID_RHS_MATCH_FROM(0.00)[];
FROM_EQ_ENVFROM(0.00)[]
```

So my questions are:

  • how to configure rspamd to respect the blacklist /etc/rspamd/blacklist_from_domains.map
  • how to add domains with wildcards to the blacklist, if that is possible

I would appreciate any advice on that.
Thank you very much.

@stephdl Can you help here?

The from-domain blacklist is a template; if you add a domain and call the rspamd event, it will be overwritten.

Try adding a domain with a wildcard manually to the template and simply restart rspamd:

systemctl restart rspamd

I am not aware whether we can use a wildcard with rspamd; check the documentation about multimap.

How to work with templates is described here:
http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

If you have any questions don’t be shy to ask.

For now, add it manually to the file, then restart rspamd.

Just tested it: wildcards don’t work in the rspamd blacklist.

https://rspamd.com/doc/modules/multimap.html#regexp-maps

This is a clue: in theory we could make a map (/etc/rspamd/local.d/multimap.conf) and create a regex map to catch your *domain.

Thank you very much stephdl for posting this clue.
I have just tried to modify the /etc/rspamd/local.d/multimap.conf by adding the line:

regexp = true;

in the section:

```
#blacklist the domains of senders
FROM_DOMAINS_BLACKLIST {
....
regexp = true;
message = "Sender domain address rejected";
}
```

then added a line in
/etc/rspamd/blacklist_from_domains.map:

atl.*\.cz

restarted rspamd

systemctl restart rspamd

and then sent a test mail from

myemail@atlas.cz

The email didn’t make it through:

Diagnostic-Code: smtp; 554 5.7.1 Sender domain address rejected

So it seems it works!
Thank you very much for pointing me in the right direction!
I wonder how it will work with the real spamming domains.

Please try it and report back. Use \d+ to match the numerical value, and keep in mind that if you expand the filter event you overwrite your changes.

If your tests are conclusive, we could think about making some changes.
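To see what the regexp map entries from this thread actually match, here is an added Python example (my own code, not rspamd's or NethServer's) that applies map lines to constructed sender addresses the way rspamd's multimap is assumed to, with search semantics on the lower-cased domain; it also contrasts the thread's loose patterns with anchored variants so that look-alike domains are not caught by accident.

```python
import re

# Constructed map contents in the format of /etc/rspamd/blacklist_from_domains.map
# when the multimap has regexp = true: one expression per line, '#' starts a comment.
# LOOSE_MAP echoes the thread's patterns; ANCHORED_MAP is the tighter variant I suggest.
LOOSE_MAP = r"""
# numbered spam domains: \d+ matches the changing number
kup-novinky\d+\.eu
# the thread's test pattern
atl.*\.cz
"""
ANCHORED_MAP = r"""
^kup-novinky\d+\.eu$
^atlas\.cz$
"""

def load_regexp_map(text):
    """Parse a regexp map: skip blank and comment lines, compile the rest.
    Assumption: rspamd tests each expression with search (match anywhere) semantics,
    so an unanchored pattern can also fire inside a longer, unrelated domain."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns

def sender_domain(address):
    """Domain part of an envelope-from address, lower-cased (assumed normalisation)."""
    return address.rpartition("@")[2].lower()

def matching_pattern(patterns, address):
    """Return the first map entry that matches the sender's domain, or None."""
    domain = sender_domain(address)
    for p in patterns:
        if p.search(domain):
            return p.pattern
    return None

# Constructed sample senders: the thread's spam family plus look-alikes and edge cases.
SAMPLE_SENDERS = [
    "vip@kup-novinky7.eu", "jasnavolba@kup-novinky12.eu",
    "vip@kup-novinky.eu",        # no number at all: \d+ needs at least one digit
    "mymail@atlas.cz",
    "info@atlantis-hosting.cz",  # innocent domain caught by the loose pattern
    "user@seatl.cz",             # unanchored 'atl' matches in the middle of the name
    "mymail@altas.cz",           # transposed letters: no pattern matches
]

def report(map_text, senders=SAMPLE_SENDERS):
    """Map each sender to the map entry that would fire (None = passes the blacklist)."""
    pats = load_regexp_map(map_text)
    return {s: matching_pattern(pats, s) for s in senders}
```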

I have added the regexes for the real spamming domains and moved the modifications into the custom templates

/etc/e-smith/templates-custom/etc/rspamd/local.d/multimap.conf/10base
/etc/e-smith/templates-custom/etc/rspamd/blacklist_from_domains.map/10base

and updated the filters and restarted rspamd

signal-event nethserver-mail-filter-update
systemctl restart rspamd

The changes have shown up in /etc/rspamd/…, so I hope they will survive updates etc.
I will report whether it helps to fight the spam from the problematic domains.

Well, it seems I am still missing something. Spam from the respective domains is still coming through.
What I don’t understand, and maybe it is the reason for the above: I test the multimap filter from my freemail account mymail@atlas.cz. When I send the mail from the freemail’s web interface, it is rejected as expected by the multimap filter:

`Diagnostic-Code: smtp; 554 5.7.1 Sender address rejected`

Rspamd history:

| Field | Value |
|---|---|
| IP address | 46.255.227.252 |
| [Envelope From] From | mymail@atlas.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| Subject | test |

Symbols:
- **ASN** (0) [asn:43614, ipnet:46.255.224.0/21, country:CZ]
- **FROM_BLACKLIST** (0) [mymail@atlas.cz]

But when I send the mail from the very same freemail account and address from my e-mail client, it comes through:

Rspamd history:

| Field | Value |
|---|---|
| IP address | 84.116.36.13 |
| [Envelope From] From | mymail@altas.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| Subject | Test |

Symbols:
- **ASN** (0) [asn:6830, ipnet:84.116.0.0/16, country:AT]
- **BAYES_HAM** (-0.616602) [82.06%]
- **DMARC_NA** (0) [altas.cz]
- **FROM_EQ_ENVFROM** (0)
- **FROM_HAS_DN** (0)
- **IP_SCORE** (0.681956) [ipnet: 84.116.0.0/16(-2.34), asn: 6830(4.79), country: AT(0.96)]
- **MID_RHS_MATCH_FROM** (0)
- **MIME_GOOD** (-0.1) [text/plain]
- **MIME_TRACE** (0) [0:+]
- **MX_INVALID** (0.5) [cached]
- **R_DKIM_NA** (0)
- **R_SPF_NA** (0)
- **RCPT_COUNT_ONE** (0) [1]
- **RCVD_COUNT_THREE** (0) [3]
- **RCVD_IN_DNSWL_LOW** (-0.1) [13.36.116.84.list.dnswl.org : 127.0.5.1]
- **RCVD_TLS_LAST** (0)
- **RECEIVED_SPAMHAUS_PBL** (0) [90.38.103.89.zen.spamhaus.org : 127.0.0.11]
- **TO_DN_ALL** (0)
- **TO_MATCH_ENVRCPT_ALL** (0)