DMARC quarantine overrides a higher score?

Philip Paeps

Sep 3, 2018, 7:50:55 AM
to rspamd

I just noticed this email in my logs:

2018-09-03 11:39:11 #3549(rspamd_proxy) <f30984>; proxy; rspamd_task_write_log: id: <undef>, qid: <423nzx6mHTz3TVw>, ip: 46.254.231.234, from: <update....@irs.gov>, (default: F (add header): [6.00/15.00] [FUZZY_DENIED(12.00){1:476622b450:1.00:bin;},FORGED_OUTLOOK_HTML(5.00){},R_BAD_CTE_7BIT(3.50){7bit;},FORGED_MUA_OUTLOOK(3.00){},RCVD_HELO_USER(3.00){},RECEIVED_SPAMHAUS_XBL(3.00){148.249.250.103.ELIDED.zen.dq.spamhaus.net : 127.0.0.4;},SUBJ_ALL_CAPS(3.00){49;},HFILTER_HOSTNAME_UNKNOWN(2.50){},MISSING_MID(2.50){},FORGED_OUTLOOK_TAGS(2.10){},MISSING_TO(2.00){},NEURAL_SPAM_SHORT(2.00){1.000;0;},RBL_SENDERSCORE(2.00){234.231.254.46.bl.score.senderscore.com;},RBL_VIRUSFREE_BOTNET(2.00){234.231.254.46.bip.virusfree.cz : 127.0.0.2;},DMARC_POLICY_QUARANTINE(1.50){irs.gov : No valid SPF, No valid DKIM;quarantine;},DATE_IN_PAST(1.00){},RECEIVED_SPAMHAUS_CSS(1.00){148.249.250.103.ELIDED.zen.dq.spamhaus.net : 127.0.0.3;},R_NO_SPACE_IN_FROM(1.00){},R_SPF_FAIL(1.00){-all;},MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/mixed;},IP_SCORE(0.00){country: FR(0.02);},ARC_NA(0.00){},ASN(0.00){asn:25540, ipnet:46.254.224.0/21, country:FR;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_REPLYTO(0.00){update....@irs.gov;},HAS_X_PRIO_THREE(0.00){3;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},REPLYTO_ADDR_EQ_FROM(0.00){},R_DKIM_NA(0.00){}]), len: 701004, time: 937.015ms real, 10.821ms virtual, dns req: 35, digest: <a054075060d529640f6d219fc2fdcc5c>, rcpts: <ELIDED>

The total score for this message is well over the threshold for 'reject' but it only got 'add header'. It looks like the DMARC quarantine setting caused that.

Is that intended behaviour?

My local.d/dmarc.conf file has:

actions = {
  quarantine = "add_header";
  reject = "reject";
}

I would have expected this message to be rejected rather than quarantined because of the number of points it picked up.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Vsevolod Stakhov

Sep 3, 2018, 11:31:33 AM
to Philip Paeps, rspamd

https://rspamd.com/doc/faq.html#why-do-i-have-zero-score-for-a-spam-message

Short-circuit rules basically bypass all other rules. This is also true
for your case (as Rspamd cannot guarantee that DMARC plugin can observe
all other rules - they are all executed simultaneously).

Philip Paeps

Sep 3, 2018, 1:33:31 PM
to rspamd

On 2018-09-03 17:31:03 (+0200), Vsevolod Stakhov wrote:
> On 03/09/2018 12:50, Philip Paeps wrote:
>> I just noticed this email in my logs:
>>
>> [...]
>>
>> The total score for this message is well over the threshold for
>> 'reject' but it only got 'add header'. It looks like the DMARC
>> quarantine setting caused that.
>>
>> Is that intended behaviour?
>>
>> My local.d/dmarc.conf file has:
>>
>> actions = { quarantine = "add_header"; reject = "reject"; }
>>
>> I would have expected this message to be rejected rather than
>> quarantined because of the number of points it picked up.
>
> https://rspamd.com/doc/faq.html#why-do-i-have-zero-score-for-a-spam-message
>
> Short-circuit rules basically bypass all other rules. This is also
> true for your case (as Rspamd cannot guarantee that DMARC plugin can
> observe all other rules - they are all executed simultaneously).

Oh. That makes sense. Thank you.

I'll keep an eye on how often this kind of thing happens. I may tinker
with the weights of the dmarc fail rules instead of short-circuiting
them.

Thanks!
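
One way to count how often a forced action ends up weaker than the symbol weights would suggest, as an added example that is not part of the thread or of Rspamd itself: it parses `rspamd_task_write_log` lines in the format shown in the first post, sums the logged symbol weights, and flags messages that reach the threshold without being rejected. The sample lines are constructed, and treating the second bracketed number as the reject threshold follows the first post's reading of the log.

```python
import re

# Result block as written by rspamd_task_write_log, e.g.
# "(default: F (add header): [6.00/15.00] [SYM(1.00){opts},...])"
RESULT_RE = re.compile(
    r"qid: <(?P<qid>[^>]*)>.*?\(default: \S \((?P<action>[^)]+)\): "
    r"\[(?P<score>-?[\d.]+)/(?P<required>-?[\d.]+)\] \[(?P<symbols>.*)\]\)"
)
# A symbol is NAME(weight) directly followed by "{"; this skips values such
# as "FR(0.02)" that sit inside another symbol's options.
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+\.\d+)\)\{")


def parse_result(line):
    """Return qid, action, logged score, threshold and symbol weights."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    weights = {name: float(w) for name, w in SYMBOL_RE.findall(m["symbols"])}
    return {
        "qid": m["qid"],
        "action": m["action"],
        "score": float(m["score"]),
        "required": float(m["required"]),
        "symbol_sum": round(sum(weights.values()), 2),
        "weights": weights,
    }


def overridden(lines):
    """Messages whose symbol weights reach the threshold but were not rejected."""
    parsed = (parse_result(line) for line in lines)
    return [r for r in parsed
            if r and r["symbol_sum"] >= r["required"] and r["action"] != "reject"]


# Constructed sample lines in the format shown in the thread (not real traffic).
PREFIX = ("2018-09-03 11:39:11 #1(rspamd_proxy) <aaaaaa>; proxy; "
          "rspamd_task_write_log: id: <undef>, ")
SAMPLE = [
    PREFIX + "qid: <q1>, ip: 192.0.2.10, from: <a@example.org>, (default: F (add header): [6.00/15.00] [FUZZY_DENIED(12.00){1:0:1.00:bin;},FORGED_OUTLOOK_HTML(5.00){},DMARC_POLICY_QUARANTINE(1.50){example.org : No valid SPF, No valid DKIM;quarantine;},IP_SCORE(0.00){country: FR(0.02);},MIME_GOOD(-0.10){multipart/mixed;}]), len: 100",
    PREFIX + "qid: <q2>, ip: 192.0.2.11, from: <b@example.org>, (default: T (reject): [18.00/15.00] [FUZZY_DENIED(12.00){1:0:1.00:bin;},FORGED_OUTLOOK_HTML(5.00){},R_SPF_FAIL(1.00){-all;}]), len: 100",
    PREFIX + "qid: <q3>, ip: 192.0.2.12, from: <c@example.org>, (default: F (no action): [0.10/15.00] [MIME_HTML_ONLY(0.20){},MIME_GOOD(-0.10){multipart/mixed;},R_DKIM_NA(0.00){}]), len: 100",
]

if __name__ == "__main__":
    for r in overridden(SAMPLE):
        print(r["qid"], r["action"], r["score"], r["symbol_sum"], r["required"])
```

Running it over a real log needs only `overridden(open(path))`; the symbols of each flagged message are in its `weights` entry.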