How to disable rules : HFILTER_*


Sophie Loe

Jun 19, 2018, 5:53:20 PM
to rspamd@googlegroups com
Hi folks,

How can I disable the HFILTER_* rules? They don’t work well for us with legitimate mail shots received from yahoo.com, .be and .fr.


e.g.
HFILTER_HELO_BADIP(4.50)[10.mo173.mail-out.ovh.net,1];
HFILTER_HOSTNAME_UNKNOWN(2.50)[]

I guess something like this, but I am unsure of the file name.
# cat local.d/hfilter.conf
enabled = false;


This is based on a previous rule disable attempt:
# cat local.d/ip_score.conf 
enabled = false;


Best, 
Sophie



Toxa

Jun 21, 2018, 11:06:12 AM
to rspamd
Could you show some examples of HFILTER_* you get for legitimate yahoo.* e-mails?
I have no problem with yahoo.com and yahoo.fr

Sophie Loe

Jun 21, 2018, 12:24:12 PM
to Toxa, rspamd@googlegroups com
Yes, here you go. With anonymised headers.

Delivered-To: REDA...@example.co.uk
Received: from mx10.example.co.uk
by mx10 (Dovecot) with LMTP id REDACTED
for <REDA...@example.co.uk>; Sun, 17 Jun 2018 21:17:23 +0000
Received: from sonic318-30.consmr.mail.ne1.yahoo.com (unknown [66.163.186.92])
by mx10.example.co.uk (Postfix) with ESMTPS id 0BD7A3C
for <ju...@example.co.uk>; Sun, 17 Jun 2018 21:17:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com; s=echoe; t=REDACTED; bh=REDACTED/REDACTED=; h=References:In-Reply-To:From:To:List-Id:List-Unsubscribe:Date:Subject:Reply-To:From:Subject; b=REDACTED+REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED
Received: from sonic.gate.mail.ne1.yahoo.com by sonic318.consmr.mail.ne1.yahoo.com with HTTP; Sun, 17 Jun 2018 21:17:19 +0000
X-Yahoo-Newman-Id: 11859516-m28303
Received: (qmail 26709 invoked by uid 102); 17 Jun 2018 21:17:03 -0000
Received: from unknown (HELO mtaq2.grp.bf1.yahoo.com) (10.201.224.240)
  by m3.grp.bf1.yahoo.com with SMTP; 17 Jun 2018 21:17:03 -0000
Received: (qmail 14903 invoked from network); 17 Jun 2018 21:17:03 -0000
Received: from unknown (HELO mta4000.groups.mail.ne1.yahoo.com) (10.222.143.200)
  by mtaq2.grp.bf1.yahoo.com with SMTP; 17 Jun 2018 21:17:03 -0000
Received-SPF: softfail (transitioning domain of msn.com does not designate 98.137.70.89 as permitted sender)
X-YMailISG: REDACTED
X-Originating-IP: [98.137.70.89]
Received: from 127.0.0.1  (EHLO sonic322-26.consmr.mail.gq1.yahoo.com) (98.137.70.89)
  by mta4000.groups.mail.ne1.yahoo.com with SMTPS; Sun, 17 Jun 2018 21:17:02 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoogroups.com; s=echoe; t=REDACTED; bh=/REDACTED+kbTqaExXBrho=; h=Date:References:In-Reply-To:Subject:From:Reply-To:To:From:Subject; b=REDACTED/REDACTED++REDACTED=
Received: from sonic.gate.mail.ne1.yahoo.com by sonic322.consmr.mail.gq1.yahoo.com with HTTP; Sun, 17 Jun 2018 21:17:00 +0000
Received: from [127.0.0.1] by gapi16.grp.bf1.yahoo.com with NNFMP; 17 Jun 2018 21:16:59 -0000
X-Sender: REDA...@msn.com
X-Apparently-To: REDACT...@yahoogroups.com
X-Received: (qmail 60000 invoked by uid 102); 17 Jun 2018 20:57:50 -0000
X-Received: from unknown (HELO mtaq2.grp.bf1.yahoo.com) (10.201.224.240)
  by m13.grp.bf1.yahoo.com with SMTP; 17 Jun 2018 20:57:50 -0000
X-Received: (qmail 3425 invoked from network); 17 Jun 2018 20:57:50 -0000
X-Received: from unknown (HELO mta4003.groups.mail.ne1.yahoo.com) (10.221.10.34)
  by mtaq2.grp.bf1.yahoo.com with SMTP; 17 Jun 2018 20:57:50 -0000
X-Original-Return-Path: <REDA...@msn.com>
X-Received-SPF: pass (domain of msn.com designates 40.92.4.17 as permitted sender)
X-YMailISG: REDACTED
Authentication-Results: mta4003.groups.mail.ne1.yahoo.com  from=msn.com; domainkeys=neutral (no sig);  from=msn.com; dkim=pass (ok)
X-Received: from 127.0.0.1  (EHLO NAM02-CY1-obe.outbound.protection.outlook.com) (40.92.4.17)
  by mta4003.groups.mail.ne1.yahoo.com with SMTPS; Sun, 17 Jun 2018 20:57:49 +0000
X-Received: from CY1NAM02FT058.eop-nam02.prod.protection.outlook.com
 (10.152.74.55) by CY1NAM02HT160.eop-nam02.prod.protection.outlook.com
 (10.152.74.90) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.863.11; Sun, 17
 Jun 2018 20:57:48 +0000
X-Received: from YTXPR01MB0207.CANPRD01.PROD.OUTLOOK.COM (10.152.74.51) by
 CY1NAM02FT058.mail.protection.outlook.com (10.152.74.149) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.20.863.11 via Frontend Transport; Sun, 17 Jun 2018 20:57:48 +0000
 ([fe80::432:50d2:a3fe:bc4]) by YTXPR01MB0207.CANPRD01.PROD.OUTLOOK.COM
 ([fe80::432:50d2:a3fe:bc4%2]) with mapi id 15.20.0863.016; Sun, 17 Jun 2018
 20:57:48 +0000
Thread-Topic: [REDACTEDclub] Group Inactivity
Thread-Index: AQHUBjxMOvQT64K5ZEG4fS07tmkp3qRk7ziW
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:9REDACTED;SizeAsReceived:REDACTED;Count:REDACTED
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [REDACTED/REDACTED]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;CY1NAM02HT160;7:w4LzfaOK7/REDACTED x-incomingheadercount: REDACTED
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED)(REDACTED);SRVR:REDACTED;
x-ms-traffictypediagnostic: REDACTED:
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(444000031);SRVR:CY1NAM02HT160;BCL:0;PCL:0;RULEID:;SRVR:REDACTED;
x-forefront-prvs: REDACTED
x-forefront-antispam-report: SFV:NSPM;SFS:(7070007)(189003)(199004)(6346003)(59450400001)(53546011)(7696005)(76176011)(6506007)(8936002)(97736004)(19627405001)(99286004)(102836004)(26005)(81156014)(2351001)(105586002)(236005)(20460500001)(45080400002)(104016004)(106356001)(9686003)(33656002)(14454004)(486006)(2501003)(82202002)(733005)(606006)(5250100002)(6436002)(6916009)(11346002)(74316002)(446003)(5660300001)(2900100001)(476003)(68736007)(18926415007)(25786009)(3280700002)(18950595002)(6246003)(3660700001)(54896002)(6306002)(8676002)(86362001)(5640700003)(18926405002)(55016002)(229853002)(16372002)(19623405001);DIR:OUT;SFP:1901;SCL:1;SRVR:CY1NAM02HT160;H:YTXPR01MB0207.CANPRD01.PROD.OUTLOOK.COM;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:;
X-received-spf: None (protection.outlook.com: msn.com does not designate
 permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=REDA...@msn.com
x-microsoft-antispam-message-info: REDACTED-REDACTED
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: REDACTED-2c10-REDACTED-REDACTED-REDACTED
X-MS-Exchange-CrossTenant-Network-Message-Id: REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2018 20:57:48.1194
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1REDACTED
X-Originating-IP: 10.REDACTED.REDACTED.REDACTED
X-Yahoo-Profile: REDACTED
From: "Tawny Porter REDA...@msn.com [REDACTEDclub]" <REDACT...@yahoogroups.com>
X-Original-From: FIRST LAST <REDA...@msn.com>
X-eGroups-Approved-By: REDACTED via web; 17 Jun 2018 21:16:59 -0000
MIME-Version: 1.0
Delivered-To: mailing list REDACT...@yahoogroups.com
Precedence: bulk
Date: Sun, 17 Jun 2018 20:57:48 +0000
Subject: ***SPAM*** Re: [REDACTEDclub] Group Inactivity
X-Yahoo-Newman-Property: groups-email-REDACTED
Content-Type: multipart/alternative;
 boundary="_000_YTXP-REDACTED-CANP_"
X-Spamd-Bar: ++++++
X-Spam-Level: ******
X-Rspamd-Server: mx10
Authentication-Results: mx10.example.co.uk;
dkim=pass header.d=yahoogroups.com;
dkim=fail header.d=yahoogroups.com;
dmarc=pass (policy=none) header.from=yahoogroups.com;
X-Rspamd-Queue-Id: 0BD7A3C
X-Spamd-Result: default: False [6.88 / 12.00];
DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
RCVD_COUNT_SEVEN(0.00)[9];
HTML_SHORT_LINK_IMG_2(1.00)[];
DKIM_TRACE(0.00)[yahoogroups.com:+,yahoogroups.com:-];
TO_DN_NONE(0.00)[];
PRECEDENCE_BULK(0.00)[];
R_DKIM_ALLOW(-0.20)[yahoogroups.com];
DKIM_MIXED(0.00)[];
DMARC_POLICY_ALLOW(0.00)[yahoogroups.com,none];
R_DKIM_REJECT(0.00)[yahoogroups.com];
ASN(0.00)[asn:36646, ipnet:66.163.184.0/21, country:US];
HAS_LIST_UNSUB(-0.01)[];
MIME_GOOD(-0.10)[multipart/alternative,text/plain];
MX_GOOD(-0.01)[cached: rtn1.groups.a03.yahoodns.net];
BAYES_HAM(-3.00)[100.00%];
FROM_HAS_DN(0.00)[];
FORGED_SENDER_MAILLIST(0.00)[];
FORGED_RECIPIENTS_MAILLIST(0.00)[];
RCVD_IN_DNSWL_NONE(0.00)[92.186.163.66.list.dnswl.org : 127.0.5.0];
FROM_NEQ_DISPLAY_NAME(4.00)[yahoogroups.com,msn.com [REDACTEDclub]];
ARC_NA(0.00)[];
HAS_XOIP(0.00)[];
TO_EQ_FROM(0.00)[];
HFILTER_HOSTNAME_UNKNOWN(2.50)[];
REPLYTO_ADDR_EQ_FROM(0.00)[];
RCVD_TLS_LAST(0.00)[];
MAILLIST(-0.10)[generic];
R_SPF_ALLOW(-0.20)[+ptr:yahoo.com];
HAS_REPLYTO(0.00)[REDACT...@yahoogroups.com];
RCPT_COUNT_ONE(0.00)[1];

--_000_YTXPR01MB0207D192D68EA637039886F1CE720YTXPR01MB0207CANP_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"


Best, Sophie.


On 21 Jun 2018, at 17:06, Toxa <anton....@gmail.com> wrote:

Could you show some examples of HFILTER_* you get for legitimate yahoo.* e-mails?
I have no problem with yahoo.com and yahoo.fr


Toxa

Jun 21, 2018, 12:54:45 PM
to rspamd

> Received: from sonic318-30.consmr.mail.ne1.yahoo.com (unknown [66.163.186.92])

Can your server resolve 66.163.186.92?
I'm not an expert on Postfix and its logging format, but the line above looks like:
Your server got a connection:
- from 66.163.186.92
- which identified itself (HELO/EHLO) as "sonic318-30.consmr.mail.ne1.yahoo.com"
- but your server couldn't resolve the IP => "unknown"

If your server can't do reverse lookups on the IPs, that may be the problem.

Sophie Loe

Jun 21, 2018, 1:02:22 PM
to Toxa, rspamd@googlegroups com
Yes, it can now:

# host 66.163.186.92
92.186.163.66.in-addr.arpa domain name pointer sonic318-30.consmr.mail.ne1.yahoo.com.

# host sonic318-30.consmr.mail.ne1.yahoo.com
sonic318-30.consmr.mail.ne1.yahoo.com has address 66.163.186.92
sonic318-30.consmr.mail.ne1.yahoo.com mail is handled by 0 .
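An added example (not from this thread or from rspamd/Postfix) that makes Toxa's reading of the Received line and Sophie's `host` check repeatable: it parses the Postfix `from HELO (PTR [IP])` hop and classifies the client with a forward-confirmed reverse DNS check of the kind HFILTER_HOSTNAME_UNKNOWN relies on. The resolver tables and the sample header are constructed from values quoted in the thread, and the resolver functions are injected so the check runs offline.

```python
import re
from typing import Callable, Dict, List, Optional

# Postfix writes the first hop as "from HELO (PTR [IP])"; the literal PTR
# "unknown" means Postfix could not reverse-resolve the client at SMTP time.
# Note: Postfix prefixes IPv6 literals with "IPv6:", which the ip group keeps.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ptr>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)


def parse_postfix_received(header: str) -> Optional[Dict[str, str]]:
    """Return {'helo', 'ptr', 'ip'} from a Postfix Received: header, or None."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None


def fcrdns_status(ip: str, helo: str,
                  reverse: Callable[[str], Optional[str]],
                  forward: Callable[[str], List[str]]) -> str:
    """Classify a client by forward-confirmed reverse DNS.
    reverse(ip) -> PTR name or None; forward(name) -> list of addresses."""
    ptr = reverse(ip)
    if ptr is None:
        return "no-ptr"               # what Postfix logs as "unknown"
    if ip not in forward(ptr):
        return "ptr-mismatch"         # PTR exists but does not point back
    if ptr.lower() != helo.lower():
        return "fcrdns-ok-helo-differs"
    return "fcrdns-ok"


# Constructed sample: the hop Toxa quoted from Sophie's headers.
SAMPLE = ("Received: from sonic318-30.consmr.mail.ne1.yahoo.com "
          "(unknown [66.163.186.92]) by mx10.example.co.uk (Postfix)")

# Constructed resolver tables mirroring Sophie's later `host` output
# (hypothetical stand-ins for real PTR/A lookups).
_PTR = {"66.163.186.92": "sonic318-30.consmr.mail.ne1.yahoo.com"}
_A = {"sonic318-30.consmr.mail.ne1.yahoo.com": ["66.163.186.92"]}


def check_sample() -> str:
    """Re-check the sample hop against the (now working) resolver tables."""
    hop = parse_postfix_received(SAMPLE)
    return fcrdns_status(hop["ip"], hop["helo"], _PTR.get,
                         lambda name: _A.get(name, []))


if __name__ == "__main__":
    print(parse_postfix_received(SAMPLE), "->", check_sample())
```

Swap the two lambdas for `socket.gethostbyaddr` / `socket.gethostbyname_ex` wrappers to run it against live DNS; a "no-ptr" result while `host` succeeds points at the MTA's resolver, as the thread concludes, rather than at the rule.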




Sophie Loe

Jun 25, 2018, 4:31:39 PM
to rspamd@googlegroups com
Hi, 

Electrabel in Belgium also gets caught on HFILTER_ (amongst others).

Postfix won’t look up the reverse DNS, so I guess there is a Postfix config error somewhere, which is odd because I have the defaults set for this:
# postconf |grep smtpd_peername_lookup
smtpd_peername_lookup = yes


It's off to the Postfix mailing list for me.


Best regards.




---

Delivered-To: AN...@example.co.uk
Received: from mx10.example.co.uk
by mx10 (Dovecot) with LMTP id byNNLBo8MVunZQAAQEGcbA
for <AN...@example.co.uk>; Mon, 25 Jun 2018 19:01:46 +0000
Received: from emailer112-148.emv2.net (unknown [81.92.112.148])
by mx10.example.co.uk (Postfix) with ESMTP id C55F33C
for <AN...@example.co.uk>; Mon, 25 Jun 2018 19:01:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=emv; d=trc1.engie-electrabel.com;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:List-Unsubscribe:List-Id; i=em...@trc1.engie-electrabel.com;
 bh=77zxQyKGXtHMNw2lteQDlNFY/Fc=;
 b=BJiPJ+DJI2kd+DMiUu38e/R3nLLzxPg3hbknoAIzYaYyi+yzouRpvyzZpeDsMQJv2OK//VG87Gr7
   LbHTtzv6gHahy37DXcsmyDWLblVwSWY2mmCTcGbBTwaRDGW/+wCqTxSU/skaY2j1/7FQ5BVGg090
   K1zgvOg6iC+7zbUoFSQ=
Received: by emailer112-148.emv2.net id h64u1g16758h for <AN...@example.co.uk>; Mon, 25 Jun 2018 21:01:43 +0200 (envelope-from <em...@trc1.engie-electrabel.com>)
Date: Mon, 25 Jun 2018 21:01:43 +0200 (CEST)
From: ENGIE Electrabel <em...@trc1.engie-electrabel.com>
Subject: =?UTF-8?Q?=2A=2A=2ASPAM=2A=2A=2A_Votre_fact?= =?UTF-8?Q?ure_d=E2=80=99acompte_du_23_j?= =?UTF-8?Q?uin_2018?=
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-EMV-CampagneId: 7949982$
X-EMV-MemberId: 51322809408$
List-Id: <1101030826.11.1.1.list-id.trc1.engie-electrabel.com>
X-Spamd-Bar: +++++++
X-Spam-Level: *******
X-Rspamd-Server: mx10
Authentication-Results: mx10.example.co.uk;
dkim=pass header.d=trc1.engie-electrabel.com;
dmarc=pass (policy=none) header.from=trc1.engie-electrabel.com;
X-Rspamd-Queue-Id: C55F33C
X-Spamd-Result: default: False [7.03 / 14.00];
ARC_NA(0.00)[];
HTML_SHORT_LINK_IMG_2(1.00)[];
DKIM_TRACE(0.00)[trc1.engie-electrabel.com:+];
FROM_HAS_DN(0.00)[];
REPLYTO_DOM_NEQ_FROM_DOM(0.00)[];
PHISHING(4.00)[engie-electrabel.be->engie-electrabel.com];
FROM_EQ_ENVFROM(0.00)[];
PREVIOUSLY_DELIVERED(0.00)[AN...@example.co.uk];
RCVD_NO_TLS_LAST(0.00)[];
HAS_LIST_UNSUB(-0.01)[];
DMARC_POLICY_ALLOW(-0.25)[trc1.engie-electrabel.com,none];
TO_MATCH_ENVRCPT_ALL(0.00)[];
R_DKIM_ALLOW(-0.20)[trc1.engie-electrabel.com];
MID_RHS_MATCH_FROM(0.00)[];
HAS_REPLYTO(0.00)[no-reply....@engie.com];
MX_GOOD(-0.01)[smtp2.emv2.com];
MIME_HTML_ONLY(0.20)[];
RCVD_COUNT_TWO(0.00)[2];
RCPT_COUNT_ONE(0.00)[1];
R_SPF_ALLOW(-0.20)[+ip4:81.92.112.0/22];
ASN(0.00)[asn:39905, ipnet:81.92.112.0/20, country:FR];
RCVD_IN_DNSWL_NONE(0.00)[148.112.92.81.list.dnswl.org : 127.0.15.0];
TO_DN_NONE(0.00)[];
HFILTER_HOSTNAME_UNKNOWN(2.50)[]