Rspamd: (whitelist the Received: header) very high IP_SCORE at our ISPs IP

mail2
rspamd

(Uwe) #1

NethServer Version: 7.5.1804 (final)
Module: rspamd
Hello,
Very many incoming emails get a high spam score because of this line:
IP_SCORE(4.18)[ip: (8.72), ipnet: 212.87.32.0/19(6.96), asn: 12512(4.35), country: DE(0.87)];
This IP belongs to our ISP, they are receiving our mails as primary MX and send them to us.
What can I do to avoid this?
As all incoming mails are going through their mailserver, I think I can’t just whitelist their IP.
Received: from mavas2.cbxnet.de (mavas2.cbxnet.de [212.87.33.79])
Regards
Uwe


(Michael Kicks) #2

I do not have access to an rspamd test installation and web GUI.
There’s a whitelist module available in the project… But I’m not sure if it allows a hostname or address to bypass the check.


(Stéphane de Labrusse) #3

Some ideas, pros and cons for each one

In fact a mail server is always about reputation, and the IP of your ISP is compromised because they send or have sent a lot of spam… I have had the same problem with 1&1 some time ago. You cannot do more; any anti-spam on earth could reject or is rejecting their email.

  • Is it possible for your server to be the first MX, and your ISP the second?
  • you could disable IP_SCORE, but it would be for all emails
  • you could try to allow mavas2.cbxnet.de in the mail menu/tab filter, but not sure it works (normally it checks the From: header)

(Stéphane de Labrusse) #4

better idea from https://rspamd.com/doc/modules/multimap.html#received-filters

make a file /etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/20Receivers

WHITELIST_RECEIVED_FROM {
    type = "received";
    map = [
        "${CONFDIR}/whitelist_received_from.map",
    ];
    prefilter = true;
    filter = "from_hostname";
    action = "accept";
    description = "Accepted list of WHITELIST_RECEIVED_FROM";
    symbol = "WHITELIST_RECEIVED_FROM";
}
  • make a file with your hostname whitelist in /etc/rspamd/whitelist_received_from.map
  • signal-event nethserver-mail-filter-save

I did not test it, but if from_hostname does not do the trick you could test with

  • from_ip - IP address as provided by a peer
  • real_hostname - hostname as resolved by MTA
  • real_ip - IP as resolved by PTR request of MTA
  • by_hostname - MTA hostname
  • tld:from_hostname - extract eSLD part from peer-provided hostname
  • tld:real_hostname - extract eSLD part from MTA-verified hostname

(Stéphane de Labrusse) #5

In fact we should use

put in the map: cbxnet.de

eSLD (exact second level domain), here it is cbxnet.de

whatever is sent by any SMTP server of cbxnet.de (understand *.cbxnet.de) could be whitelisted and accepted without more verification

this should/could be a valid NFR for me

what do you think @davidep

this is what I have from outlook.com

Received: from VI1PR03MB4318.eurprd03.prod.outlook.com
...
X-Spamd-Result: default: False [0.00 / 19.90];
	 ASN(0.00)[asn:8075, ipnet:40.64.0.0/10, country:US];
	 WHITELIST_RECEIVED_FROM(0.00)[outlook.com]

(Davide Principi) #6

IIUC you want to whitelist the SMTP server by host name suffix.

I think we can help @hinzberlin to set up a template custom at first so he can validate the setup. I’d wait to see if others are interested in the same feature. The second step is implementing a prop. Only if it becomes widely adopted, add it to the (Cockpit) UI.


(Stéphane de Labrusse) #7

the prop is not needed IMO; if we do not want to create a UI (yet), we could create a map in /var/lib/rspamd, writable by the rspamd UI


(Davide Principi) #8

Nice idea! Is it compatible with our backup/restore procedures?


(Stéphane de Labrusse) #9
# cat  /etc/backup-data.d/nethserver-mail-filter.include 
/var/lib/rspamd
/var/lib/redis/rspamd

it should :)


(Davide Principi) #10

Is it just a matter of touching a file then edit it from rspamd UI?

We can document it…


(Stéphane de Labrusse) #11

We could also create a map to whitelist the IP of your ISP in ip_score, maybe a better way, but you must know all IPs.

The pro is that all checks are made against the spam score


(Uwe) #12

Hello Stéphane,
thank you, I will try this "multimap.conf/20Receivers" and will use
filter = "from_hostname";

I’m afraid I do not understand the rest of your and Davide’s messages, but I think they weren’t for me.
BTW: you’re very active at night!
Regards
Uwe


(Stéphane de Labrusse) #13

In that case the hostname used must be exact… do you know all IPs used by your ISP?


(Uwe) #14

yes, there are 2 IPs, 2 servers sending email, mavas2 and mavas3.


(Stéphane de Labrusse) #15

Other question… can you change the MX and receive the email first? Probably the simplest way.


(Uwe) #16

I could, but the goal is that the ISP does some prefiltering and we are not hammered by illegal SMTP requests. Our firewall just lets the ISP send us email.


(Stéphane de Labrusse) #17

If we accept all emails from your ISP we do not check the emails any more… it might be better to

Stop ip_score check
Or whitelist ip of your isp
Or ask them to unblacklist their ip


(Uwe) #18

Where do I “Stop ip_score check” ?
Where do I “Or whitelist ip of my isp”?


(Stéphane de Labrusse) #19

Let me check, not in front of my laptop


(Stéphane de Labrusse) #20

make a file /etc/rspamd/override.d/ip_score.conf

# cat /etc/rspamd/override.d/ip_score.conf
enabled = false;

restart rspamd: systemctl restart rspamd

quite useless, you cannot figure out all IPs of your ISP

make a file /etc/rspamd/override.d/ip_score.conf

# cat /etc/rspamd/override.d/ip_score.conf
whitelist = "file:///var/lib/rspamd/IP_whitelisted";

restart rspamd: systemctl restart rspamd

go to rspamd UI and open the relevant map IP_whitelisted
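To make the three options discussed in this thread concrete (exact `from_hostname` match from #4, eSLD match from #5, and the ip_score IP map from #20), here is an added Python example that is not part of the thread or of rspamd; it parses Received: lines in Postfix layout and evaluates them against each map type. The eSLD helper is a simplification (last two labels), and every host except the quoted mavas2 line is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample Received: lines (the first is the one quoted in the thread;
# the mavas3 IP and the third host are made up for the demonstration).
RECEIVED = [
    "Received: from mavas2.cbxnet.de (mavas2.cbxnet.de [212.87.33.79])",
    "Received: from mavas3.cbxnet.de (mavas3.cbxnet.de [212.87.33.80])",
    "Received: from mx.example.net (mx.example.net [203.0.113.9])",
]
# Postfix layout: "from <HELO name> (<reverse DNS> [<peer IP>])"
HDR = re.compile(r"^Received: from (\S+) \((\S+) \[([\d.]+)\]\)")

def parse_received(line):
    """Split a Received: line into the fields rspamd's received filters see."""
    m = HDR.match(line)
    if not m:
        return None
    return {"from_hostname": m.group(1),   # peer-provided (HELO) name
            "real_hostname": m.group(2),   # name resolved by the MTA
            "real_ip": m.group(3)}         # peer IP as seen by the MTA

def esld(hostname):
    """eSLD of a hostname. Simplified to the last two labels; rspamd uses
    the public suffix list, so names under e.g. co.uk would differ."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def host_in_map(host, entries, tld=False):
    """filter = from_hostname (exact) vs filter = tld:from_hostname (eSLD)."""
    key = esld(host) if tld else host.lower()
    return key in {e.lower() for e in entries}

def ip_in_map(ip, entries):
    """ip_score whitelist map semantics: plain addresses or CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(e, strict=False) for e in entries)

def evaluate(lines, exact_map, tld_map, ip_map):
    """For each header return (hostname, exact hit, eSLD hit, IP-map hit)."""
    rows = []
    for line in lines:
        r = parse_received(line)
        rows.append((r["from_hostname"],
                     host_in_map(r["from_hostname"], exact_map),
                     host_in_map(r["from_hostname"], tld_map, tld=True),
                     ip_in_map(r["real_ip"], ip_map)))
    return rows

if __name__ == "__main__":
    for row in evaluate(RECEIVED, ["mavas2.cbxnet.de"], ["cbxnet.de"], ["212.87.33.79"]):
        print(row)
```

The output shows why the exact hostname list and the single-IP map both miss mavas3 while the eSLD entry covers every cbxnet.de host, which is also why #17 notes that such a prefilter skips all further checks for those senders.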