I get FORGED_RECIPIENTS and a rejected email for all Mailman emails

Silvian Cretu

Oct 4, 2017, 5:50:36 PM
to rspamd
Hi guys,
I started using rspamd about a week ago and everything is perfect. With a single exception: it seems all emails coming from mailing lists are being marked as spam ( FORGED_RECIPIENTS(14.00) ) and rejected. My email domain is darian.ro. It happens for both external mailing lists:

2017-10-04 10:29:37 #19453(normal) <cda581>; task; rspamd_message_parse: loaded message; id: <mailman.1015.150709...@cmediere.ro>; queue-id: <B39514D20102>; size: 13253; checksum: <93a97c258949216c15ed5bfe0b813851>
2017-10-04 10:29:37 #19453(normal) <cda581>; task; fuzzy_generate_commands: <mailman.1015.150709...@cmediere.ro>, part is shorter than 1000 bytes: 288 (144 * 2.00 bytes), skip fuzzy check
2017-10-04 10:29:38 #19453(normal) <cda581>; task; rspamd_task_write_log: id: <mailman.1015.150709...@cmediere.ro>, qid: <B39514D20102>, ip: 5.2.137.243, from: <mediator...@cmediere.ro>, (default: T (reject): [18.40/15.00] [FORGED_RECIPIENTS(14.00){},FORGED_SENDER(2.10){},CTYPE_MIXED_BOGUS(1.00){},MID_CONTAINS_FROM(1.00){},R_DKIM_REJECT(1.00){cmediere.ro;},MAILLIST(-0.20){mailman;},R_DKIM_ALLOW(-0.20){cmediere.ro;},R_SPF_ALLOW(-0.20){+a;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:8708, ipnet:5.2.128.0/17, country:RO;},DMARC_NA(0.00){cmediere.ro;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){medi...@cmediere.ro;mediator...@cmediere.ro;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_FIVE(0.00){6;},RCVD_IN_DNSWL_NONE(0.00){243.137.2.5.list.dnswl.org : 127.0.10.0;},RCVD_TLS_LAST(0.00){},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){}]), len: 13253, time: 1368.000ms real, 47.691ms virtual, dns req: 92, digest: <93a97c258949216c15ed5bfe0b813851>, rcpts: <ax...@darian.ro,ax...@darian.ro>, mime_rcpt: <medi...@cmediere.ro>

And for internal mailing lists:

2017-10-04 10:42:52 #19453(normal) <7de5a3>; task; rspamd_task_write_log: id: <003001d33ce4$68aa5600$39ff0200$@darian.ro>, qid: <6A1064D20102>, ip: ::1, from: <tax-b...@darian.ro>, (default: T (reject): [16.90/15.00] [FORGED_RECIPIENTS(14.00){},FORGED_SENDER(2.10){},CTYPE_MIXED_BOGUS(1.00){},MAILLIST(-0.20){mailman;},MIME_BASE64_TEXT(0.10){},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},ARC_NA(0.00){},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){fx...@darian.ro;tax-b...@darian.ro;},MID_RHS_MATCH_FROM(0.00){},PREVIOUSLY_DELIVERED(0.00){t...@darian.ro;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){3;},RCVD_NO_TLS_LAST(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},TO_DN_NONE(0.00){},TO_DOM_EQ_FROM_DOM(0.00){}]), len: 6319, time: 196.000ms real, 16.567ms virtual, dns req: 8, digest: <e92074bd9a8b318a0bd549a21ec06a80>, rcpts: <ox...@darian.ro,ax...@darian.ro,gx...@darian.ro,ax...@darian.ro,fx...@darian.ro,mx...@darian.ro,lx...@darian.ro,ox...@darian.ro,...>, mime_rcpt: <t...@darian.ro>

(I've put Xs in my email addresses for obfuscation)

My system: Ubuntu 14.04, postfix 2.11.0, rspamd 1.6.4.

Thank you for any help you can provide!

Andrew Lewis

Oct 5, 2017, 5:14:58 AM
to rsp...@googlegroups.com

Hi,

> I started using rspamd about a week ago and everything is perfect. With a
> single exception: it seems all emails coming from mailing lists are being
> marked as spam ( FORGED_RECIPIENTS(14.00) ) and rejected. My email domain
> is darian.ro. It happens for both external mailing lists:

Did you rescore this symbol? Default weight is 2. I don't see that it
should be able to fire multiple times. In case that *was* the issue
setting `one_shot` for this symbol in the metric would help.

> FORGED_RECIPIENTS(14.00),MAILLIST(-0.20){mailman;}

Composite in the default configuration replaces these symbols with
FORGED_RECIPIENTS_MAILLIST. Not apparent why this doesn't happen for
you.

Best,
-AL.

Silvian Cretu

Oct 9, 2017, 5:06:43 PM
to rspamd
Hi,
Indeed, default weight is set to 2:

# rspamadm configdump > rspamdadmin.configdump
# grep 'FORGED_RECIPIENTS {' /root/rspamdadmin.configdump -A3
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }
--
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }
--
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }
--
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }
--
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }
--
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }
--
                FORGED_RECIPIENTS {
                    weight = 2.0;
                    description = "Recipients are not the same as RCPT TO: mail command";
                }

Now... I don't know how to check if it was triggered more than once. But I don't think it was triggered more than once, because I would see values other than 14 in the logs... and I only see 14...

What do you mean by "Composite in the default configuration replaces these symbols with FORGED_RECIPIENTS_MAILLIST. Not apparent why this doesn't happen for you."? Thanks!

Silvian Cretu

Oct 9, 2017, 5:09:16 PM
to rspamd
Looking at my response I see grep caught 7 instances of 'FORGED_RECIPIENTS {'... 7*2 = 14... Hmmm...

Silvian Cretu

Oct 10, 2017, 3:51:17 AM
to rspamd
I ran:

# rspamadm configtest
2017-10-10 10:22:24 #23371(configtest) <63w8gb>; cfg; rspamd_rcl_composite_handler: composite FORGED_RECIPIENTS_MAILLIST is redefined
2017-10-10 10:22:24 #23371(configtest) <63w8gb>; cfg; rspamd_rcl_composite_handler: composite FORGED_SENDER_MAILLIST is redefined
2017-10-10 10:22:24 #23371(configtest) <63w8gb>; cfg; rspamd_rcl_composite_handler: composite FORGED_SENDER_FORWARDING is redefined
2017-10-10 10:22:24 #23371(configtest) <63w8gb>; cfg; rspamd_rcl_composite_handler: composite SPF_FAIL_FORWARDING is redefined
2017-10-10 10:22:24 #23371(configtest) <63w8gb>; cfg; rspamd_rcl_composite_handler: composite DMARC_POLICY_ALLOW_WITH_FAILURES is redefined
2017-10-10 10:22:24 #23371(configtest) <63w8gb>; cfg; rspamd_rcl_composite_handler: composite FORGED_RECIPIENTS_FORWARDING is redefined

And saw the above-mentioned warnings and many others... too many to paste them here... I've re-organised my config files (removed the /etc/rspamd/rspamd.conf.override and replaced it with several /etc/rspamd/local.d/*.inc and /etc/rspamd/local.d/*.conf files) to get rid of these warnings.
Everything seems to be OK now. Thanks!
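
The comparison made in the posts above (seven `FORGED_RECIPIENTS {` blocks in the configdump against a logged score of 14.00) can be scripted. This is an added example, not part of the original thread and not rspamd's own tooling; the function names `dup_symbols`, `logged_score`, `sample_dump` and `sample_log` are hypothetical, the sample data is constructed, and the parser assumes the `NAME {` / `weight = N;` layout shown in the grep output.

```shell
#!/bin/sh
# Added example (not from the thread or from rspamd). Assumes the configdump
# layout shown in the post: "NAME {" followed by "weight = N;".

# dup_symbols: read a configdump on stdin; print "NAME COUNT SUMMED_WEIGHT"
# for every symbol block that is defined more than once.
dup_symbols() {
    awk '
        /^[ \t]*[A-Z][A-Z0-9_]*[ \t]*[{][ \t]*$/ { name = $1; sub(/[{].*/, "", name); next }
        name != "" && /^[ \t]*weight[ \t]*=/ {
            w = $0; sub(/^[^=]*=[ \t]*/, "", w); sub(/;.*$/, "", w)
            count[name]++; total[name] += w; name = ""; next
        }
        /^[ \t]*[}]/ { name = "" }
        END {
            for (n in count) if (count[n] > 1)
                printf "%s %d %.2f\n", n, count[n], total[n]
        }' | sort
}

# logged_score SYMBOL: read rspamd_task_write_log lines on stdin and print the
# score recorded for SYMBOL, e.g. 14.00 for "FORGED_RECIPIENTS(14.00){}".
logged_score() {
    sed -n "s/.*[[,]$1(\([-0-9.]*\)).*/\1/p"
}

# Constructed sample dump: one symbol defined three times, another once.
sample_dump() {
    cat <<'EOF'
    FORGED_RECIPIENTS {
        weight = 2.0;
    }
    FORGED_SENDER {
        weight = 0.3;
    }
    FORGED_RECIPIENTS {
        weight = 2.0;
    }
    FORGED_RECIPIENTS {
        weight = 2.0;
    }
EOF
}

# Constructed log fragment in the format quoted in the first post.
sample_log() { echo '(default: T (reject): [5.80/15.00] [FORGED_RECIPIENTS(6.00){},MAILLIST(-0.20){mailman;}])'; }

sample_dump | dup_symbols                     # duplicated symbols and summed weight
sample_log | logged_score FORGED_RECIPIENTS   # score to compare against that sum
```

On a real system, feed `dup_symbols` the output of `rspamadm configdump` and `logged_score` the relevant rspamd log lines; a logged score equal to the summed weight rather than the single configured weight points at the duplicated definitions.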