Configuring specific exceptions for phishing module


Thomas Leuxner

Feb 17, 2017, 3:48:06 AM
to rsp...@googlegroups.com
Hi,

I'd like to implement an override/exclusion to account for Amazon mails failing the phishing module but couldn't find an example. The phishing test seems to be the straw that breaks the camel's back:

Feb 17 07:19:31 nihlus rspamd[32257]: <d75964>; task; accept_socket: accepted connection from 127.0.0.1 port 54027, task ptr: 00007FC55F43C7C0
Feb 17 07:19:31 nihlus rspamd[32257]: <d75964>; task; rspamd_message_parse: loaded message; id: <0102015a4ab9b72b-6111b60d-de31...@eu-west-1.amazonses.com>; queue-id: <3vPjXz0Bsdz1l>; size: 123446; checksum: <3707481a22925fa8c6a7f7e662530ee5>
Feb 17 07:19:36 nihlus rspamd[32257]: <d75964>; bayes; inv_chi_square: exp overflow
Feb 17 07:19:36 nihlus rspamd[32257]: <d75964>; task; rspamd_task_write_log: id: <0102015a4ab9b72b-6111b60d-de31...@eu-west-1.amazonses.com>, qid: <3vPjXz0Bsdz1l>, ip: 54.240.0.238, from: <201702170619296562117c981d48ec...@bounces.buyvip.com>, (default: F (add header): [6.36/15.00] [PHISHING(3.75){buyvip.de->buyvip.com;},BAYES_HAM(-3.00){100.00%;},HFILTER_URL_ONLY(2.20){},R_SUSPICIOUS_IMAGES(1.51){},HTML_SHORT_LINK_IMG_2(1.00){},URI_COUNT_ODD(1.00){},FORGED_SENDER(0.30){},R_DKIM_ALLOW(-0.20){buyvip.com;amazonses.com;},R_SPF_ALLOW(-0.20){+ip4:54.240.0.0/18;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ONCE_RECEIVED(0.10){},DMARC_NA(0.00){buyvip.com;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){amazon-buyv...@buyvip.com;201702170619296562117c981d48ec...@bounces.buyvip.com;},RCPT_COUNT_1(0.00){},RCVD_COUNT_1(0.00){},RCVD_IN_DNSWL_NONE(0.00){238.0.240.54.list.dnswl.org : 127.0.15.0;},RWL_MAILSPIKE_EXCELLENT(0.00){238.0.240.54.rep.mailspike.net : 127.0.0.20;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 123446, time: 5007.973ms real, 32.992ms virtual, dns req: 55, digest: <3707481a22925fa8c6a7f7e662530ee5>, rcpts: <t...@leuxner.net>, mime_rcpt: <t...@leuxner.net>
Feb 17 07:19:36 nihlus rspamd[32257]: <d75964>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 270 regexps total, 93 regexps cached, 0B bytes scanned using pcre, 120.91k bytes scanned total

Here's the part of the message that seems to trigger this score:

<td align=3D"left" style=3D"padding: 9px 6px 3px" class=3D"copyri=
ght-iOS">=C2=A9 2010-2017 Amazon.com, Inc. oder Tochtergesellschaften. <a h=
ref=3D"https://de.buyvip.com/r?C=3D1YJ9S1EQGZC3P&K=3DA3K81A1SNCOS9T&R=3D1Z7=
ZRNTYDMXWK&T=3DC&U=3Dhttp%3A%2F%2Fde.buyvip.com%2Fref%3Dpe_180791_177309971=
_qdcprg%3Fsrc%3Demail&A=3DL2OUFQNQQQSYFM8AGBPK13NSX6KA&H=3DEAOHC9UM6FLO35UA=
LKGFIUBLIM8A&ref_=3Dpe_180791_177309971_qdcprg" style=3D"color: #3b3434; te=
xt-decoration: underline">www.buyvip.de</a></td>

I'd be glad if someone could share an example of how to write an exception for these mails (rspamd 1.4.4).

Regards
Thomas

Thomas Leuxner

Mar 15, 2017, 4:17:32 AM
to rsp...@googlegroups.com
* Thomas Leuxner <t...@leuxner.net> 2017.02.17 09:47:

I have worked around this using the whitelist module to make its appearance in 1.5.3. Since this module is depending on DKIM, I'd expect use cases where an in-module exclusion mechanism would be favorable over DKIM-Whitelisting.

Regards
Thomas

Andrew Lewis

Mar 15, 2017, 6:47:48 AM
to rsp...@googlegroups.com
Hi Thomas,

> I have worked around this using the whitelist module to make its
> appearance in 1.5.3. Since this module is depending on DKIM, I'd
> expect use cases where an in-module exclusion mechanism would be
> favorable over DKIM-Whitelisting.

There are some possibilities to deal with this:

(general)
1) Settings module: https://rspamd.com/doc/configuration/settings.html
2) Custom conditions:
https://rspamd.com/doc/faq.html#how-can-i-disable-some-rspamd-rules-safely

(specific)
3) Add domains to phishing module's `redirector_domains`:
https://rspamd.com/doc/modules/phishing.html

Best,
-AL.

Thomas Leuxner

Mar 16, 2017, 4:02:07 AM
to rsp...@googlegroups.com
* Andrew Lewis <rspam...@judo.za.org> 2017.03.15 11:47:

> (specific)
> 3) Add domains to phishing module's `redirector_domains`:
> https://rspamd.com/doc/modules/phishing.html

Hi Andy,

this looks like the best option for my case. Maybe the conf files can be harmonized going forward. I have put the whitelists in the DB dir, but the phishing module seems to expect the includes in local.d (per default). Ideally I'd like to have the includes in one or the other, but consistent without using an override.

So something like this should do the trick:

"$LOCAL_CONFDIR/local.d/redirectors.inc:LOCAL_REDIRECTOR_FALSE"
+ "${DBDIR}/redirectors.inc.local",
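Review bot: The added `${DBDIR}/redirectors.inc.local` entry has no `:SYMBOL` suffix, while the context line above it ends in `:LOCAL_REDIRECTOR_FALSE`; give the new path a symbol name in the same form, or state that none is intended. The comma placement also looks off: the context line ends without a comma and the added line ends with one, so if the new entry is meant to be the last element of the same list, the comma belongs on the line above.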

$ grep '\(DBDIR\).*inc' modules.d/*
modules.d/mime_types.conf: "${DBDIR}/mime_types.inc.local"
modules.d/surbl.conf: "${DBDIR}/surbl-whitelist.inc.local"
modules.d/surbl.conf: "${DBDIR}/2tld.inc.local"
modules.d/whitelist.conf: "${DBDIR}/spf_whitelist.inc.local",
modules.d/whitelist.conf: "${DBDIR}/dkim_whitelist.inc.local",
modules.d/whitelist.conf: "${DBDIR}/spf_dkim_whitelist.inc.local",
modules.d/whitelist.conf: "${DBDIR}/dmarc_whitelist.inc.local",

Regards
Thomas
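
The log in the first post shows PHISHING firing on `buyvip.de->buyvip.com`, and the quoted HTML has the link text `www.buyvip.de` over an href on `de.buyvip.com`. As an added example (not part of the thread and not rspamd's code), this Python sketch lists such display/href domain mismatches in a quoted-printable HTML part, so it is clear which domain pairs an exception would have to cover; `mismatched_links`, `excluded`, the two-label domain heuristic and the shortened sample are assumptions of the sketch.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor from the post, shortened, still quoted-printable.
SAMPLE_QP = (
    b'<td class=3D"copyri=\n'
    b'ght-iOS">Amazon.com, Inc. <a h=\n'
    b'ref=3D"https://de.buyvip.com/r?C=3D1&U=3Dhttp%3A%2F%2Fde.buyvip.com%2F" st=\n'
    b'yle=3D"color: #3b3434">www.buyvip.de</a></td>\n'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element that has an href."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Assumption: last two labels stand in for the registrable domain (no public suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

def mismatched_links(qp_body, excluded=frozenset()):
    """Return (shown_domain, href_domain) pairs that differ and are not excluded."""
    parser = AnchorCollector()
    parser.feed(quopri.decodestring(qp_body).decode("utf-8", "replace"))
    found = []
    for href, text in parser.links:
        m = HOSTLIKE.match(text)
        host = urlsplit(href).hostname
        if not m or not host:
            continue  # visible text is not URL-like, nothing to compare
        shown, target = base_domain(m.group(1)), base_domain(host)
        # Sketch's own rule (hypothetical): a pair is skipped if either side is excluded.
        if shown != target and not {shown, target} & excluded:
            found.append((shown, target))
    return found
```
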