Rspamd delete "

What can I do to have this sender’s emails accepted on my server?

We have a service provider that has misconfigured their server, or maybe my own server has it blocked; either way I can’t receive their emails.

This appears in the blocked mail

FUZZY_DENIED (15) [1:fc284e33f6:1.00:txt]
DMARC_POLICY_REJECT (12) [xyz.mx : No valid SPF,reject]
BAYES_SPAM (8.092517) [99.98%]
VIOLATED_DIRECT_SPF (3.5)
R_SPF_FAIL (1) [-all:c]
IP_REPUTATION_HAM (-0.334835) [not useful because of my dmz/firewall]
GENERIC_REPUTATION (-0.289587) [-0.2895866339342]
MIME_HTML_ONLY (0.2)
RCVD_NO_TLS_LAST (0.1)
MIME_BASE64_TEXT (0.1)
MX_GOOD (-0.01) []
HAS_LIST_UNSUB (-0.01)
FROM_NO_DN (0)
DKIM_TRACE (0) [xyz.mx:~]
R_DKIM_PERMFAIL (0) [xyz.mx:s=default2]
RCPT_COUNT_ONE (0) [1]
PREVIOUSLY_DELIVERED (0) [myuser@miserver.com]
TO_DN_NONE (0)
ASN (0) [not useful because of my dmz/firewall]
NEURAL_SPAM (0) [0.900]
TO_MATCH_ENVRCPT_ALL (0)
MIME_TRACE (0) [0:~]
RCVD_COUNT_THREE (0) [3]
FROM_EQ_ENVFROM (0)

This was from yesterday until this morning; at noon I added it to the “Accept from” filter, and it changed a little bit but is still rejecting them.

The symbol "FUZZY_DENIED (15) [1:fc284e33f6:1.00:txt]" has disappeared, but it is still blocking:

DMARC_POLICY_REJECT (12) [xyz.mx : No valid SPF,reject]
BAYES_SPAM (8.09739) [99.99%]
VIOLATED_DIRECT_SPF (3.5)
R_SPF_FAIL (1) [-all]
IP_REPUTATION_HAM (-0.333909) [not useful because of my dmz/firewall]
GENERIC_REPUTATION (-0.288753) [-0.28875315363048]
MIME_HTML_ONLY (0.2)
RCVD_NO_TLS_LAST (0.1)
MIME_BASE64_TEXT (0.1)
MX_GOOD (-0.01) []
HAS_LIST_UNSUB (-0.01)
FROM_NO_DN (0)
DKIM_TRACE (0) [xyz.mx:~]
RCPT_COUNT_ONE (0) [1]
PREVIOUSLY_DELIVERED (0) [myuser@miserver.com]
TO_DN_NONE (0)
R_DKIM_PERMFAIL (0) [xyz.mx:s=default2]
ASN (0) [not useful because of my dmz/firewall]
TO_MATCH_ENVRCPT_ALL (0)
MIME_TRACE (0) [0:~]
NEURAL_SPAM (0) [0.773]
RCVD_COUNT_THREE (0) [3]
FROM_EQ_ENVFROM (0)

Interestingly, an email did arrive from someone else on the same server; I suspect they have more than one server and one of them is misconfigured (SPF), hence the rejection.
This is from yesterday:

SUBJ_ALL_CAPS (1.2) [50]
BAYES_HAM (-0.545883) [80.81%]
DMARC_POLICY_ALLOW_WITH_FAILURES (-0.5)
IP_REPUTATION_HAM (-0.331496) [not useful because of my dmz/firewall]
GENERIC_REPUTATION (-0.287315) [-0.28731519734701]
R_DKIM_ALLOW (-0.2) [xyz.mx:s=selector1]
MIME_GOOD (-0.1) [multipart/mixed,multipart/alternative,text/plain]
MX_GOOD (-0.01) []
DKIM_TRACE (0) [xyz.mx:+]
RCVD_TLS_LAST (0)
FROM_HAS_DN (0)
R_SPF_FAIL (0) [-all]
NEURAL_HAM (0) [-0.999]
ASN (0) [not useful because of my dmz/firewall]
FROM_EQ_ENVFROM (0)
RCPT_COUNT_TWO (0) [2]
TO_DN_SOME (0)
TO_DN_EQ_ADDR_SOME (0)
MIME_TRACE (0) [0:+,1:+,2:+,3:~,4:~]
DMARC_POLICY_ALLOW (0) [xyz.mx,reject]
RCVD_COUNT_THREE (0) [3]
TO_MATCH_ENVRCPT_SOME (0)
HAS_ATTACHMENT (0)

Thanks in advance and best regards.


Edit 1.
I have looked for a way to delete that FUZZY_DENIED (15) [1:fc284e33f6:1.00:txt], but I have not been able to find an example or anything detailed enough to see whether this is the cause.

And I don’t even know if it is possible to simulate a send from that sender to check that I could receive it
(I’m thinking of something, I’ll try it and comment).
I will see if, by editing the source of the accepted mail, I can simulate a send from the blocked sender.


Edit 2.


It seems to have worked, but we will see if their mails arrive.

I wonder if bad emails will arrive with this. :thinking:

You could ask them to fire the administrator who set the DNS entry for the domain name. It seems he asked for a strict SPF directive: if the email is not sent from exactly the specified IP addresses, then we must reject the email.

Rspamd simply does what we expect of it


Yes, the same thing has occurred.
This domain has been the target of impersonation for years, and fake emails arrive with viruses and all sorts of crap.
I guess the said administrator tried to avoid it without realizing the serious flaw.

@stephdl
Do you think that by relaxing my protections (whitelisting the address) I am shooting myself in the foot?

If so, I will only leave this permissive filter for a few days, waiting for the invoices that were rejected (several dozen) to be sent back to us.

Thanks!

For what it’s worth, I do think so.
For better or for worse, if the sender’s interest is in being received, the due diligence must be done. If it’s imperative to receive messages from that source, IMVHO a person with enough prominence to demand that can put it in writing… with time and date.


You just accept not to inspect any messages from this sender anymore, whatever you receive: ransomware, viruses and more.

I still think the DNS is badly configured; SPF states which IPs must be used to send the email and what to do if the email is not received from an IP set in the DNS record.


@stephdl @pike

Just to ask, but first a little more information:

Using mxtoolbox.com - SPF Record Lookup, I found these IPs:

v=spf1 ip4:159.16.1.14 ip4:159.16.1.17 ip4:159.16.1.15 ip4:159.16.1.18 ip4:159.16.1.16 ip4:159.16.1.23 ip4:159.16.244.47 ip4:159.16.244.48 ip4:159.16.244.52 ip4:159.16.244.56 ip4:159.16.1.19 include:spf.protection.outlook.com -all

The mail source shows these IPs (159.16.6.20 and 10.7.7.67):

  1. Received: from mailcfe03.cfe.gob.mx (gateway [10.0.1.1])
  2. Received: from pfgit01.cfemex.com (Unknown_Domain [159.16.6.20])
    by mailcfe03.cfe.gob.mx (smtpcfeOut.cfe.gob.mx) with SMTP id AE.EE.52711.EE31A246; Sun, 2 Apr 2023 18:46:54 -0500 (CDT)
  3. Received: from PROMAIL01 (unknown [10.7.7.67])
  • Does the administrator need to add the displayed IPs to the SPF?

And to clarify a little: in point 1, that IP is my gateway/firewall/DMZ, so…

  • Is my gateway (IP) interfering with rspamd’s logic?
  • I doubt it myself. If not, why do emails arrive from other well-configured domains?

With your answers, I hope to be able to inform that company of the problem.

Thanks!
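To make the SPF question concrete, here is an added Python example (my own code, not from the original post and not rspamd's implementation) that evaluates the quoted SPF record against each address in the Received chain above. It assumes the record belongs to the domain rspamd labels xyz.mx in the poster's output, and it substitutes a constructed record using a documentation range for the include:spf.protection.outlook.com term, because a real check resolves that over DNS.

```python
import ipaddress

# Offline SPF evaluator for the RFC 7208 subset that matters in this thread:
# ip4/ip6/include/all with the +, -, ~ and ? qualifiers. Mechanisms that need
# live DNS (a, mx, ptr, exists) are reported as "permerror" rather than guessed.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The sender's published SPF record as quoted in the thread. "xyz.mx" is the
# placeholder domain from the rspamd output (assumption: the record is for it).
# The outlook.com include is a CONSTRUCTED stand-in using the 192.0.2.0/24
# documentation range so the include chain resolves offline; it is not
# Microsoft's real record.
RECORDS = {
    "xyz.mx": (
        "v=spf1 ip4:159.16.1.14 ip4:159.16.1.17 ip4:159.16.1.15 ip4:159.16.1.18 "
        "ip4:159.16.1.16 ip4:159.16.1.23 ip4:159.16.244.47 ip4:159.16.244.48 "
        "ip4:159.16.244.52 ip4:159.16.244.56 ip4:159.16.1.19 "
        "include:spf.protection.outlook.com -all"
    ),
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",  # constructed
}


def check_host(ip, domain, records, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for a message from `ip` claiming `domain`, using the `records` table
    instead of DNS."""
    if depth > 10:  # RFC 7208 caps include recursion
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect=/exp= are not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address gets an implicit /32 or /128; version mismatch is False.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # a/mx/ptr/exists would need DNS lookups
    return "neutral"  # record exhausted without a match and without "all"


# The three addresses visible in the Received chain quoted in the thread.
RECEIVED_IPS = {
    "10.0.1.1": "gateway (poster's own firewall/DMZ, RFC 1918)",
    "159.16.6.20": "pfgit01.cfemex.com (first public hop)",
    "10.7.7.67": "PROMAIL01 (sender's internal relay, RFC 1918)",
}


def verdicts(domain="xyz.mx", records=RECORDS):
    """SPF result for every address in the Received chain."""
    return {ip: check_host(ip, domain, records) for ip in RECEIVED_IPS}


if __name__ == "__main__":
    for ip, label in RECEIVED_IPS.items():
        print(f"{ip:<12} {label:<52} -> {check_host(ip, 'xyz.mx', RECORDS)}")
    print(f"{'159.16.1.14':<12} {'listed in the record':<52} -> "
          f"{check_host('159.16.1.14', 'xyz.mx', RECORDS)}")
```

Every address in that chain evaluates to fail under the quoted record: 159.16.6.20 is simply not listed, and the two 10.x.x.x addresses can never appear in a public SPF record, so adding them is not an option for the sender's administrator. Which address rspamd actually tests is the one it sees the connection coming from, which is why a NAT gateway in front of the mail server matters; note that the accepted message quoted earlier in the thread also carries R_SPF_FAIL, so SPF alone is not what separates the two outcomes there.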


To avoid shooting myself in the foot, I chose to relax the symbols in rspamd a bit; at least the mail will not be rejected, and hopefully it will go to spam.

If you change the symbol values you do it globally, for everybody. You just need to add this domain to the whitelist.


See email_protection_resources [NethServer Wiki]

-all means fail
~all means softfail


@mre as you stated in the first post…

The issue seems related to the service provider. If it’s your job to follow the issue and provide a solution, ok; otherwise… would you accept directives from a customer on how to configure your/your company’s systems?

It should not. Unless the gateway messes up the sender, receiver, envelope and so on.

Because they are configured correctly. Or better: in a way that rspamd considers reliable for the current configuration.

A few years ago a company told me they wanted to receive everything. Server, antispam, antivirus should allow all traffic no matter what. I tried to politely suggest that this arrangement could be, for several reasons, far from optimal. 4 ransomwares and 3 months later they changed their mind; it also took something like 4 months to provide enough good ham to train the Bayesian filter.

There are several degrees of acceptance for messages, but far from being a matter of technical reality, sometimes it is more a question of company policy than a technical decision; in 2023 I consider a correctly configured SPF (no matter what’s written inside) mandatory, not a nice-to-have.


I forgot to add this too:

v=DMARC1; p=reject; adkim=s; aspf=s; fo=1; ri=3600; pct=100; rua=mailto:dmarc_rua@cfe.mx; ruf=mailto:dmarc_ruf@cfe.mx

In the end, I will choose to relax the symbol for the moment, hoping that the mail will go to junk; at least from there I will be able to retrieve it (?).

But I see that two of their mails have just arrived: one arrived fine (surely from a server correctly added to their DNS) and the usual one was rejected.


I don’t think that energy company has a communication channel, but I will tell the interested parties; maybe they know how.

Thanks @stephdl @pike
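The DMARC record quoted above (p=reject with strict alignment, adkim=s and aspf=s) is what turns the two rspamd verdicts in this thread into reject versus allow. As an added example, my own code rather than rspamd's or anything from the thread, here is a minimal DMARC evaluator fed with the SPF and DKIM outcomes the symbols report for the rejected message (R_SPF_FAIL, R_DKIM_PERMFAIL) and for the accepted one (R_SPF_FAIL, R_DKIM_ALLOW). The From domain is again the xyz.mx placeholder from the output, and the organizational-domain logic is a two-label simplification standing in for the Public Suffix List.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Simplification: keep the last two labels. A real implementation consults
    # the Public Suffix List so that e.g. example.co.uk is handled correctly.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf, dkim, sampled=True):
    """Return (dmarc_result, disposition).

    spf:  (result, domain) for the envelope sender (MAIL FROM / HELO) check
    dkim: list of (result, d= domain) tuples, one per signature
    sampled: whether this message fell inside the pct= sample
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none", "none"
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    policy = tags.get("p", "none")
    if int(tags.get("pct", "100")) < 100 and not sampled:
        # Messages outside the pct sample get the next weaker disposition.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# The record quoted in the thread (mailto addresses left as published there).
RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; fo=1; ri=3600; pct=100; "
          "rua=mailto:dmarc_rua@cfe.mx; ruf=mailto:dmarc_ruf@cfe.mx")


def thread_cases():
    """The two messages from the thread plus two what-ifs about strict alignment."""
    spf_fail = ("fail", "xyz.mx")  # R_SPF_FAIL on both messages
    return {
        # R_DKIM_PERMFAIL (s=default2): nothing aligned passes -> p=reject applies
        "rejected message": evaluate_dmarc(RECORD, "xyz.mx", spf_fail,
                                           [("permfail", "xyz.mx")]),
        # R_DKIM_ALLOW (s=selector1): DKIM aligned -> pass despite the SPF failure
        # (rspamd reports this as DMARC_POLICY_ALLOW_WITH_FAILURES)
        "accepted message": evaluate_dmarc(RECORD, "xyz.mx", spf_fail,
                                           [("pass", "xyz.mx")]),
        # What-if: a valid signature from a subdomain fails under adkim=s ...
        "subdomain signature, strict": evaluate_dmarc(RECORD, "xyz.mx", spf_fail,
                                                      [("pass", "mail.xyz.mx")]),
        # ... but would pass if the record used adkim=r (constructed variant)
        "subdomain signature, relaxed": evaluate_dmarc(RECORD.replace("adkim=s", "adkim=r"),
                                                       "xyz.mx", spf_fail,
                                                       [("pass", "mail.xyz.mx")]),
    }


if __name__ == "__main__":
    for label, (result, disposition) in thread_cases().items():
        print(f"{label:<30} dmarc={result:<5} disposition={disposition}")
```

The receiver's choices are only on the last step: whitelisting the sender skips the whole evaluation, while lowering the DMARC_POLICY_REJECT score keeps the evaluation and just stops the fail from being decisive. Neither changes the fact that only the sender can make the failing server's mail pass, by adding its address to the SPF record or by signing with a key whose d= equals the From domain.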