Rspamd quarantine feature

rspamd

(Rob Bosch) #1

I really like the rspamd module. It gives great insight into the email traffic and the amount of junk I receive every day.
However, at the moment rspamd seems to send blocked mails to /dev/null.
Ultimately I would like to be able to decide myself if a blocked mail should be unblocked or not. In such a case, it would be a nice feature if rspamd sends the blocked mails to some kind of quarantine section where mails can be unblocked manually.
I don’t know if this is possible?
I did find a small project on github that might do the trick: https://github.com/sys4/rspamd-quarantine


(Rob Bosch) #2

Bumping… Would it be possible to implement such a feature? I think it would be quite valuable to be able to allow false positives to be delivered by human interaction.


(Stéphane de Labrusse) #3

Googling on this topic, will report back later. FYI, the hard work is the UI of course. Once implemented, people will ask for a comfortable way to display the quarantined email!


(Davide Principi) #4

Nope: rspamd does not accept the message with a permanent error when it’s sure the message is spam. If unsure the message is delivered into the Junk mail folder. By experience false positives are rare and most of the time are caused by wrong mail server configuration.

@robb why would you prefer a boring human classification job over an automated one that works pretty well?


(Stéphane de Labrusse) #5

well…I think we could have a low level effort to implement it

in /etc/rspamd/modules.d/metadata_exporter.conf

metadata_exporter {

  # Refer to https://rspamd.com/doc/modules/metadata_exporter.html for information on configuration
  rules {
    # Forward every message matched by the selector to the quarantine mailbox over SMTP
    QUARANTINE {
      backend = "send_mail";
      smtp = "127.0.0.1";
      mail_to = "spam@domain.org";
      mail_from = "spam@domain.org";
      helo = "mail.domain.org";
      selector = "is_spam"; # could be "is_reject"
      formatter = "default";
    }
    # Send the postmaster an e-mail alert with the message metadata for the same messages
    NOTICE_ADMIN {
      backend = "send_mail";
      smtp = "127.0.0.1";
      mail_to = "postmaster@domain.org";
      mail_from = "spam@domain.org";
      helo = "mail.domain.org";
      selector = "is_spam"; # could be "is_reject"
      formatter = "email_alert";
    }
  }
}

be sure that spam@domain.org is whitelisted in rspamd user (EMAIL: filter tab), else you will have a bomb loop back

after that spam@domain.org will receive the quarantined emails (use the webmail or IMAP account to browse them) and postmaster a notice that an email is quarantined

what do you think @all
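
A small lint for the loop warning in the post above, added here as an example (not code from the thread or from rspamd): it reads rules in the posted layout and lists every send_mail rule that re-sends the full message (formatter "default") to an address missing from the whitelist. The function names and the whitelist set are assumptions; the sample config is constructed from the post.

```python
import re

# Constructed sample: the two rules from the post, in the same layout.
SAMPLE_CONF = '''
metadata_exporter {
  rules {
    QUARANTINE {
      backend = "send_mail";
      smtp = "127.0.0.1";
      mail_to = "spam@domain.org";
      selector = "is_spam"; # could be "is_reject"
      formatter = "default";
    }
    NOTICE_ADMIN {
      backend = "send_mail";
      smtp = "127.0.0.1";
      mail_to = "postmaster@domain.org";
      selector = "is_spam";
      formatter = "email_alert";
    }
  }
}
'''

# Rule blocks are upper-case names followed by a brace-delimited body
# that contains no nested braces (true for the layout used in the post).
RULE_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*\{(.*?)\}', re.S | re.M)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;', re.M)

def parse_rules(conf):
    """Return {rule_name: {key: value}} for each rule block."""
    text = re.sub(r'#.*', '', conf)  # drop comments (assumes no '#' inside values)
    return {name: dict(KV_RE.findall(body)) for name, body in RULE_RE.findall(text)}

def loop_risks(conf, whitelisted):
    """Rules that send the full original message to a recipient that is
    still scanned: the copy is scored as spam again and exported again."""
    allowed = {addr.lower() for addr in whitelisted}
    return sorted(
        name for name, rule in parse_rules(conf).items()
        if rule.get("backend") == "send_mail"
        and rule.get("formatter", "default") == "default"
        and rule.get("mail_to", "").lower() not in allowed
    )
```
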


(Stéphane de Labrusse) #6

Answering myself, I thought we could at least notify the sysadmin about email rejection.


(Rob Bosch) #7

Because I want to be able to override an algorithm because I am able to think and an algorithm only knows yes or no based on a set of rules. IMO sometimes you want something blocked that is allowed within that scope, and sometimes you want something allowed that is blocked within those rules… Never trust algorithms… :wink:


(Stéphane de Labrusse) #8

at least when you start to set your email server it makes you more confident


(Gabriel GHEORGHIU) #9

Very useful, IMO.
Look how this is implemented in the UTM that I am using.
From time to time I check this email account, or when somebody tells me that an email was not received.

PS:

I think we must give more attention to the email section of the NS.
It is an important part of business activity and could make a difference against other distros.
A powerful email server will be a big “+”.


(Stéphane de Labrusse) #10

For now what I received as spam this night is really instructive :smiley:

do you want to see my boobs and so…


(Gabriel GHEORGHIU) #11

:joy::joy::joy:


(Davide Principi) #12

In my opinion trust is something that can be given or not, a yes/no variable, a boolean condition.

If you don’t trust the spam filter I’d ask: why? Why do you have false positives? What kind of message is classified as spam but is not? Do you have any log trace?

Instead, I wouldn’t implement a feature that every day requires someone’s effort: it’s likely to become boring and to be ignored. Furthermore it can create end-user privacy issues. I prefer to trust anti-spam algorithms!

Isn’t that what already happens when a message is moved by the user from Inbox to Junk and from Junk to Inbox? The Bayes filters are trained by such decisions and mitigate future errors.


(Rob Bosch) #13

At the risk of going offtopic here, let’s take it a step further: What if an algorithm is going to decide the classical situation of a train going bananas. At one point there is a split of tracks. If the train goes on, 100 people in the train will die since the train will crash from a bridge that is a mile further and can’t handle the 160km/h train.
You are at the side of the track and you are able to switch the train to the other track BUT, on the “safe” track there are 5 people that can’t get off fast enough, so they will be crushed by the train.
What will you do? Make the train switch tracks and kill 5 people or let the train pass on the same track and crash into the bridge?
IMO dilemmas like this should NEVER be decided by an algorithm. It is the same for AI “Killer Robots”. As soon as algorithms are given the power to decide without the option to override them by a human, we enter a VERY shady and IMO undesirable situation.
I don’t want to put a spamfilter on the same level as AI, but still. The example is more an exaggerated way to explain my problem with not having the option to manually override a decision made by an algorithm.


(Gabriel GHEORGHIU) #14

The algorithm decided that an email is spam and it is not delivered to its destination because the IP from where the email was sent is in blacklists. That is OK. The algorithm works. But the email is “good” and must be delivered. So:

IMO!


(Davide Principi) #15

So the problem could be: do I trust blacklists or not?

  • If I trust blacklists it’s up to the sender to de-list himself: he receives a message like “you’re blacklisted, take action please”
  • If I don’t trust (and disable) blacklists I’ll probably receive more spam messages and viruses to filter manually…

(Rob Bosch) #16

I think it is not that black and white. Especially the grey areas, you need to be able to take action yourself, by either allowing a specific post, or marking another post as spam.
I doubt the spamfilter will ever be 100% reliable. For those mails that are false positives or false negatives, I want the option for manual override. Nothing more, nothing less…


(Davide Principi) #17

If we implement a quarantine: what are the automated thresholds that decide if to go in quarantine or not? Can we trust that decision?

What is the Junk mail folder lacking? Isn’t that a manual override mechanism? We already have it!

I still don’t get what is the advantage of a quarantine queue over the current implementation… Isn’t that system-wide Junk? Doesn’t it lead to a privacy issue?


(Gabriel GHEORGHIU) #18

I gave this example from my “daily issues”.
You are right. All of this was made to help us.
But I have a lot of customers who have issues with their email servers. Of course, this is their problem. But they send us many orders by email and these orders are blocked by our protection systems. Sometimes, after a few days, they call us and tell us that their orders sent by email were not processed. When I check the spam email account I find the issue. I am the guy who tells them where the problem was.
I prefer to have this feature. For my business, not for their business.
Truth is somewhere in the middle.


(Davide Principi) #19

Thank you for sharing a real use case!

Before sending all the world to quarantine: can you whitelist their server IPs, or the sender domain/addresses?

By their side they should switch to a good-reputation ISP or to someone that knows how to run a mail server… In the end, if someone is blacklisted he has a general problem with ANY mail server on the Earth… :thinking:


(Gabriel GHEORGHIU) #20

With pleasure!
That’s why we’re here! To help each other!

Yes! I do this often!

  1. … or to someone that knows how to run a mail server…
  2. In the end, if someone is blacklisted he has a general problem with ANY mail server on the Earth…