daz
(Daniel Zeman)
January 9, 2020, 10:23am
1
NethServer Version: 7.6.1810
Module: Email
Hello,
I’ve got difficulties with spam messages coming from several similar domains like
vip@kup-novinky7.eu
jasnavolba@kup-novinky12.eu
vip@kup-novinky14.eu
etc.
I’ve tried to teach Rspamd with these messages, but probably due to the changing number in the domain name these messages are still passing through. So I’ve started to learn how to configure Rspamd manually, with the intention of blacklisting domains with wildcards like
kup-novinky*.eu
But I haven’t got too far, because when I started testing by just adding a normal (non-wildcard) domain of a public freemail provider (atlas.cz) to the blacklist
/etc/rspamd/blacklist_from_domains.map,
updated the filter with
signal-event nethserver-mail-filter-update
and sent a mail from that domain, the mail went through.
```
X-Spamd-Result: default: False [1.46 / 20.00];
RCVD_TLS_LAST(0.00)[];
MX_INVALID(0.50)[cached];
FROM_HAS_DN(0.00)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
MIME_GOOD(-0.10)[text/plain];
TO_DN_NONE(0.00)[];
DMARC_NA(0.00)[altas.cz];
RCPT_COUNT_ONE(0.00)[1];
RCVD_COUNT_THREE(0.00)[3];
IP_SCORE(1.16)[asn: 6830(4.81), country: AT(0.96)];
RECEIVED_SPAMHAUS_PBL(0.00)[90.38.103.89.zen.spamhaus.org : 127.0.0.11];
R_SPF_NA(0.00)[];
RCVD_IN_DNSWL_LOW(-0.10)[160.121.179.62.list.dnswl.org : 127.0.5.1];
R_DKIM_NA(0.00)[];
MIME_TRACE(0.00)[0:+];
ASN(0.00)[asn:6830, ipnet:62.179.0.0/17, country:AT];
MID_RHS_MATCH_FROM(0.00)[];
FROM_EQ_ENVFROM(0.00)[]
```
So my questions are:
1. how to configure rspamd to respect the blacklist /etc/rspamd/blacklist_from_domains.map
2. how to add domains with wildcards to the blacklist, if possible
I would appreciate any advice on that.
Thank you very much.
2 Likes
m.traeumner
(Michael Träumner)
January 10, 2020, 8:25am
2
@stephdl Can you help here?
2 Likes
stephdl
(Stéphane de Labrusse)
January 10, 2020, 11:33am
3
The from domain blacklist is a template; if you add a domain and call the rspamd event it will be overwritten.
Try to add a domain manually to the template with a wildcard and simply restart rspamd:
`systemctl restart rspamd`
I am not aware whether we could use a wildcard with rspamd; check the documentation about multimap.
1 Like
m.traeumner
(Michael Träumner)
January 10, 2020, 12:41pm
4
You can find how to work with templates here:
http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html
If you have any questions don’t be shy to ask.
stephdl
(Stéphane de Labrusse)
January 10, 2020, 1:47pm
5
For now, add it manually to the file, then restart rspamd.
stephdl
(Stéphane de Labrusse)
January 10, 2020, 1:52pm
6
Just tested it, wildcards don’t work in the rspamd blacklist.
stephdl
(Stéphane de Labrusse)
January 10, 2020, 2:07pm
7
https://rspamd.com/doc/modules/multimap.html#regexp-maps
This is a clue: in theory we could make a map (/etc/rspamd/local.d/multimap.conf) and create a regexp map to catch your *domain.
daz
(Daniel Zeman)
January 10, 2020, 3:00pm
8
Thank you very much stephdl for posting this clue.
I have just tried to modify /etc/rspamd/local.d/multimap.conf by adding the line
`regexp = true;`
in the section:
```
#blacklist the domains of senders
FROM_DOMAINS_BLACKLIST {
    ....
    regexp = true;
    message = "Sender domain address rejected";
}
```
then added a line to /etc/rspamd/blacklist_from_domains.map:
`atl.*\.cz`
restarted rspamd:
`systemctl restart rspamd`
and then sent a test mail from myemail@atlas.cz. The email didn’t make it through:
`Diagnostic-Code: smtp; 554 5.7.1 Sender domain address rejected`
So it seems it works!
Thank you very much for pointing me to it!
I wonder how it will work with the real spamming domains.
1 Like
stephdl
(Stéphane de Labrusse)
January 10, 2020, 3:03pm
9
Try it please and come back. Use `\d+` to match the numerical value, and bear in mind that if you expand the filter event you overwrite your changes.
If your tests are conclusive we could think about making some changes.
daz
(Daniel Zeman)
January 10, 2020, 3:47pm
10
I have added the regexes for the real spamming domains and moved the modifications into the custom templates
/etc/e-smith/templates-custom/etc/rspamd/local.d/multimap.conf/10base
/etc/e-smith/templates-custom/etc/rspamd/blacklist_from_domains.map/10base
and updated the filters and restarted rspamd:
`signal-event nethserver-mail-filter-update`
`systemctl restart rspamd`
The changes have shown up in /etc/rspamd/…, so I hope they will survive updates etc.
I will report whether it helps to fight the spam from the problematic domains.
2 Likes
daz
(Daniel Zeman)
January 13, 2020, 8:09am
11
Well, it seems I am still missing something. Spam from the respective domains is still coming through.
What I don’t understand, and maybe it is the reason for the above: I test the multimap filter from my freemail account mymail@atlas.cz. When I send the mail from the freemail’s web interface, it is rejected as expected by the multimap filter:
`Diagnostic-Code: smtp; 554 5.7.1 Sender address rejected`
Rspamd history:

| Field | Value |
|---|---|
| IP address | 46.255.227.252 |
| [Envelope From] From | mymail@atlas.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| Subject | test |

Symbols:
**ASN** (0) [asn:43614, ipnet:46.255.224.0/21, country:CZ]
**FROM_BLACKLIST** (0) [mymail@atlas.cz]
But when I send the mail from the very same freemail account and address from my e-mail client, it comes through:
Rspamd history:

| Field | Value |
|---|---|
| IP address | 84.116.36.13 |
| [Envelope From] From | mymail@altas.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| [Envelope To] To/Cc/Bcc | mymail@myoffice.cz |
| Subject | Test |

Symbols:
**ASN** (0) [asn:6830, ipnet:84.116.0.0/16, country:AT]
**BAYES_HAM** (-0.616602) [82.06%]
**DMARC_NA** (0) [altas.cz]
**FROM_EQ_ENVFROM** (0)
**FROM_HAS_DN** (0)
**IP_SCORE** (0.681956) [ipnet: 84.116.0.0/16(-2.34), asn: 6830(4.79), country: AT(0.96)]
**MID_RHS_MATCH_FROM** (0)
**MIME_GOOD** (-0.1) [text/plain]
**MIME_TRACE** (0) [0:+]
**MX_INVALID** (0.5) [cached]
**R_DKIM_NA** (0)
**R_SPF_NA** (0)
**RCPT_COUNT_ONE** (0) [1]
**RCVD_COUNT_THREE** (0) [3]
**RCVD_IN_DNSWL_LOW** (-0.1) [13.36.116.84.list.dnswl.org : 127.0.5.1]
**RCVD_TLS_LAST** (0)
**RECEIVED_SPAMHAUS_PBL** (0) [90.38.103.89.zen.spamhaus.org : 127.0.0.11]
**TO_DN_ALL** (0)
**TO_MATCH_ENVRCPT_ALL** (0)
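As an added offline check (not part of this thread nor of NethServer's or Rspamd's code), a small Python script that applies the regexp map entries discussed above (the `atl.*\.cz` test entry and a `kup-novinky\d+\.eu` entry built from the `\d+` hint) to sender domains before they go into the template. It assumes what a bare line in an Rspamd regexp multimap does: an unanchored regular-expression search against the sender's domain part, here lower-cased first.

```python
import re

# Constructed map content in the style of the thread's regexp multimap
# (/etc/rspamd/blacklist_from_domains.map with regexp = true).
# Backslashes are doubled so the file text contains a single '\'.
BLACKLIST_MAP = """\
# sender-domain blacklist, regexp = true
atl.*\\.cz
kup-novinky\\d+\\.eu
"""


def parse_map(text):
    """Compile every non-blank, non-comment line as a regular expression,
    reporting the line number of any entry that fails to compile."""
    patterns = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            raise ValueError(f"map line {lineno}: {line!r}: {exc}") from exc
    return patterns


def sender_domain(address):
    """Domain part of a From / envelope-from address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def matching_entry(address, patterns):
    """Return the map entry that matches the sender domain, or None.
    Assumption: unanchored search, as for a bare regexp map line."""
    domain = sender_domain(address)
    for pat in patterns:
        if pat.search(domain):
            return pat.pattern
    return None


if __name__ == "__main__":
    # Sample addresses taken from the thread plus one constructed legit sender.
    pats = parse_map(BLACKLIST_MAP)
    for addr in ["vip@kup-novinky7.eu", "jasnavolba@kup-novinky12.eu",
                 "mymail@atlas.cz", "mymail@altas.cz", "someone@example.org"]:
        print(f"{addr:30} -> {matching_entry(addr, pats)}")
```

Note that the second history above reports the client-sent mail's domain as altas.cz, which the entry `atl.*\.cz` does not match, while the browser-sent mail's atlas.cz does. Anchoring an entry (`^kup-novinky\d+\.eu$`) keeps it from also hitting unrelated domains that merely contain the string.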