Rules by email address not working anymore [Solved]

An update applied within the last couple of months seems to have stopped my rules by email address from working properly. Allowed email addresses such as ltsmall.com are marked as spam, and blocked addresses such as kabeerconsulting.com are getting through without any problem. I’ve tried deleting them and re-adding and then rebooting the server, but no change. Anybody else seeing this behavior or have an idea how to troubleshoot? This used to work for me.
I do see the addresses in /etc/rspamd/whitelist_from_domains.map.

NethServer Version: 7.6.1810
Module: email rspamd version 1.8.2

Step 0: understand what led the messages to be marked as spam. So, please, look into the headers and rspamd logs.

1 Like

I did some tests. You don’t have to put the hostname of the sender server, but you have to add the domain of the emails on the “Accept from” email page. So you have to add what comes after the @.
Check this.

2 Likes

@happnatious1 did you check @federico.ballarini’s hint?

1 Like

I cleared all history and re-added everything so I’ll have to wait till it happens again before I can check the logs.

1 Like

The situation is slightly improved after re-entering email and block addresses. An email from ltsmall.com, which is in my allow list, came through without being marked as spam.
However, softwareadvice.com, which is in my block list, is still getting through.

Here is the nethserver mail log:
Feb 21 11:10:02 server rspamd[88684]: <707544>; proxy; rspamd_task_write_log: id: <1295117654.-902937994.1550765396157.JavaMail.root@sjmas03.marketo.org>, qid: <1235B41AB3AC>, ip: 199.15.215.88, from: <882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com>, (default: F (no action): [-3.13/20.00] [BAYES_HAM(-2.94){99.76%;},IP_SCORE(-1.12){ipnet: 199.15.215.0/24(-3.75), asn: 53580(-2.15), country: US(0.30);},HTML_SHORT_LINK_IMG_2(1.00){},FORGED_SENDER(0.30){reviews@softwareadvice.com;882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com;},R_DKIM_ALLOW(-0.20){softwareadvice.com:s=m2;mktroute.com:s=m1;},R_SPF_ALLOW(-0.20){+ip4:199.15.212.0/22;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ZERO_FONT(0.10){1;},MANY_INVISIBLE_PARTS(0.05){1;},HAS_LIST_UNSUB(-0.01){},MX_GOOD(-0.01){cached: em-sj-77.mktomail.com;},ASN(0.00){asn:53580, ipnet:199.15.215.0/24, country:US;},DKIM_TRACE(0.00){softwareadvice.com:+;mktroute.com:+;},DMARC_NA(0.00){softwareadvice.com;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){reviews@softwareadvice.com;882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com;},HAS_REPLYTO(0.00){reviews@softwareadvice.com;},MIME_TRACE(0.00){0:+;1:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},REPLYTO_ADDR_EQ_FROM(0.00){},SUBJECT_HAS_EXCLAIM(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 22227, time: 5451.008ms real, 25.906ms virtual, dns req: 65, digest: <e83cbb4cc403d1752cb008f817e576b7>, rcpts: <user@domain.net>, mime_rcpts: <user@domain.net>
Feb 21 11:10:02 server rspamd[88684]: <707544>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 181 regexps total, 94 regexps cached, 0B bytes scanned using pcre, 30.37k bytes scanned total

Could you post a screenshot of your rules and a screenshot of the Rspamd interface with the entry for softwareadvice?

Thanks for your help.

Please also post a screenshot of the history in Rspamd with the details of the mail from softwareadvice.

I think this is what you’re looking for.

BAYES_HAM (-2.941868) [99.76%]
IP_SCORE (-1.119022) [ipnet: 199.15.215.0/24(-3.75), asn: 53580(-2.15), country: US(0.30)]
HTML_SHORT_LINK_IMG_2 (1)
FORGED_SENDER (0.3) [reviews@softwareadvice.com,882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com]
R_SPF_ALLOW (-0.2) [+ip4:199.15.212.0/22]
R_DKIM_ALLOW (-0.2) [softwareadvice.com:s=m2,mktroute.com:s=m1]
ZERO_FONT (0.1) [1]
MIME_GOOD (-0.1) [multipart/alternative,text/plain]
MANY_INVISIBLE_PARTS (0.05) [1]
MX_GOOD (-0.01) [cached: em-sj-77.mktomail.com]
HAS_LIST_UNSUB (-0.01)
FROM_NEQ_ENVFROM (0) [reviews@softwareadvice.com,882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com]
DKIM_TRACE (0) [softwareadvice.com:+,mktroute.com:+]
HAS_REPLYTO (0) [reviews@softwareadvice.com]
MIME_TRACE (0) [0:+,1:+]
RCVD_TLS_LAST (0)
SUBJECT_HAS_EXCLAIM (0)
DMARC_NA (0) [softwareadvice.com]
REPLYTO_ADDR_EQ_FROM (0)
FROM_HAS_DN (0)
TO_DN_NONE (0)
RCPT_COUNT_ONE (0) [1]
TO_MATCH_ENVRCPT_ALL (0)
RCVD_COUNT_TWO (0) [2]
ASN (0) [asn:53580, ipnet:199.15.215.0/24, country:US]

What do you see in the Envelope/From field?

I’m by no means an expert in this stuff, but should I be blocking mktroute.com and not softwareadvice.com?

2 Likes

At least “also” mktroute.com, which seems to be part of Marketo marketing services.

1 Like

Yes. You have to block the real sender address. I think it should be mktroute.com.

1 Like
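To see which domain each sender identity of the logged message carries, the following added example (not part of the thread and not NethServer or Rspamd code) parses the `rspamd_task_write_log` entry posted above and reports which identities a given rule domain would touch. The function names are hypothetical, and the "equal or subdomain" comparison is an assumption made for illustration, not a statement of how the NethServer rule matches.

```python
import re

# Constructed sample: the rspamd_task_write_log entry posted above, trimmed to
# the fields this example reads.
SAMPLE = (
    "Feb 21 11:10:02 server rspamd[88684]: <707544>; proxy; rspamd_task_write_log: "
    "qid: <1235B41AB3AC>, ip: 199.15.215.88, "
    "from: <882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com>, "
    "(default: F (no action): [-3.13/20.00] [BAYES_HAM(-2.94){99.76%;},"
    "FORGED_SENDER(0.30){reviews@softwareadvice.com;"
    "882-NZG-493.0.64326.0.0.60333.9.20895065@em-sj-77.mktomail.com;},"
    "R_DKIM_ALLOW(-0.20){softwareadvice.com:s=m2;mktroute.com:s=m1;},"
    "HAS_REPLYTO(0.00){reviews@softwareadvice.com;}]), len: 22227"
)

def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def symbol_options(line, name):
    """Options logged for one symbol, written as NAME(score){opt;opt;}."""
    pat = r"(?<![A-Z0-9_])" + re.escape(name) + r"\([-\d.]+\)\{([^}]*)\}"
    m = re.search(pat, line)
    return [o for o in m.group(1).split(";") if o] if m else []

def sender_identities(line):
    """Domains seen as envelope sender, header From and DKIM signers."""
    env = re.search(r"\bfrom: <([^>]+)>", line)
    # Both symbols list the header From first, then the envelope sender.
    hdr = (symbol_options(line, "FORGED_SENDER")
           or symbol_options(line, "FROM_NEQ_ENVFROM"))
    dkim = symbol_options(line, "R_DKIM_ALLOW")
    return {
        "envelope_from": [domain(env.group(1))] if env else [],
        "header_from": [domain(hdr[0])] if hdr else [],
        "dkim": [o.split(":")[0].lower() for o in dkim],
    }

def rule_hits(line, rule_domain):
    """Identities equal to rule_domain or a subdomain of it (assumed matching)."""
    rule = rule_domain.lower()
    return [name for name, doms in sender_identities(line).items()
            if any(d == rule or d.endswith("." + rule) for d in doms)]

if __name__ == "__main__":
    print(sender_identities(SAMPLE))
    for rule in ("softwareadvice.com", "mktroute.com", "mktomail.com"):
        print(rule, "->", rule_hits(SAMPLE, rule))
```

For this message, softwareadvice.com appears only in the header From and as a DKIM signer, while the envelope sender is under mktomail.com.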

I understand, thank you all for your help.
I would think that finding softwareadvice.com anywhere in the header would cause rspamd to reject it; after some googling, this is clearly not the case and will require a better understanding of email headers on my part.

Thanks again for the help, I’ll mark it solved.

Softwareadvice.com just sent me another email; it appears they are un-blockable as they will just keep changing the helo response.

Received: from [10.0.87.249] ([10.0.87.249:54863] helo=sjmas01.marketo.org) by sjmta15.marketo.org (envelope-from <reviews@softwareadvice.com>) (ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTP id 6A/2B-01011-D6E9E7C5; Tue, 05 Mar 2019 10:06:05 -0600

You could use the Learn section of Rspamd, putting the raw message into the raw spam source frame.
Also, in Rspamd you can see why it has passed over the spam section.

2 Likes

Is the raw message the full source which contains header/body etc…?