Migration SpamAssassin to Rspamd
1,656 views
Skip to first unread message
Emanuel Gonzalez
Apr 20, 2018, 12:09:32 PM4/20/18
to rspamd
The truth is that I can not understand the documentation and my work is getting complicated, I almost do not receive help in my questions, it becomes very difficult.
My idea is to migrate the antispam of my server towards Rspamd, at present I use spamassassin.
According to the documentation, to connect exim I must add the following rule:
spamd_address = x.x.x.x 11333 variant=rspamd
Inside the exim configuration I have these rules
deny malware = */defer_ok
message = This message contains a virus ($malware_name).
deny message = SPAM Scan ($spam_score_int)
spam = nobody:true/defer_ok
condition = ${if >{$spam_score_int}{500}{1}{0}}
deny message = Content Policy HELO required before MAIL
condition = ${if eq{$sender_helo_name}{}}
logwrite = Content Policy HELO required before MAIL
deny message = Content Policy Restriction: Messages without From header are not permitted.
condition = ${if eq{$header_from:}{}}
logwrite = Content Policy Restriction: Messages without From header are not permitted.
deny message = Content Policy Restriction: Multiple from addresses are not accepted here.
condition = ${if match{$header_from:}{@.+@.+@}}
logwrite = Content Policy Restriction: Multiple from addresses are not accepted here.
accept
To explain my scenario better, the rspamd service would be installed on a remote server, it would not be working locally.
My problem is that I can not understand how to configure Rspamd to connect with exim.
Where should I indicate the connection parameters? in which file?
worker-controller.inc
worker-normal.inc
worker-proxy.inc
the documentation of the following link does not help much: https://rspamd.com/doc/integration.html
Could anyone help me please.
My idea is to migrate the antispam of my server towards Rspamd, at present I use spamassassin.
According to the documentation, to connect exim I must add the following rule:
spamd_address = x.x.x.x 11333 variant=rspamd
Inside the exim configuration I have these rules
deny malware = */defer_ok
message = This message contains a virus ($malware_name).
deny message = SPAM Scan ($spam_score_int)
spam = nobody:true/defer_ok
condition = ${if >{$spam_score_int}{500}{1}{0}}
deny message = Content Policy HELO required before MAIL
condition = ${if eq{$sender_helo_name}{}}
logwrite = Content Policy HELO required before MAIL
deny message = Content Policy Restriction: Messages without From header are not permitted.
condition = ${if eq{$header_from:}{}}
logwrite = Content Policy Restriction: Messages without From header are not permitted.
deny message = Content Policy Restriction: Multiple from addresses are not accepted here.
condition = ${if match{$header_from:}{@.+@.+@}}
logwrite = Content Policy Restriction: Multiple from addresses are not accepted here.
accept
To explain my scenario better, the rspamd service would be installed on a remote server, it would not be working locally.
My problem is that I can not understand how to configure Rspamd to connect with exim.
Where should I indicate the connection parameters? in which file?
worker-controller.inc
worker-normal.inc
worker-proxy.inc
the documentation of the following link does not help much: https://rspamd.com/doc/integration.html
Could anyone help me please.
Dave Jones
Apr 22, 2018, 2:29:36 PM4/22/18
to Emanuel Gonzalez, rspamd
My experience so far after a few weeks is Rspamd takes a lot of trial and error to figure out the configuration layout/structure to put files properly formatted in the local.d and override.d directories. Rspamd also does not have some features implemented yet that SA does.
I am running SA and Rspamd side-by-side where rspamd is a "second opinion" only to add/subtract a small amount to SA's score. So far rspamd has some potential but it's not ready for taking over a mature, well-tuned SA platform.
Rspamd does have a few extra features/modules that SA doesn't have and I am trying to take advantage of them in SA. I am not sure if some of these extra features provide enough extra value from a well-tuned MTA which should be blocking the majority of the easy spam where SA/rspamd only need to detect and block a very small percentage of what makes it past the MTA checks primarily based on content.
You still have to train your Bayesian database _well_ then increase the scores on both ends for the BAYES_HAM and BAYES_SPAM hits. This is the best thing you can do for rspamd's content checking.
I do like how you can setup a multimap rule based on the subject header then simply add lines to the map file with complex regex to detect odd patterns of spammer subjects. This part is much nicer than how you have to do it in SA.
Dave
--
You received this message because you are subscribed to the Google Groups "rspamd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rspamd+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/rspamd.
Vsevolod Stakhov
Apr 22, 2018, 3:12:05 PM4/22/18
to Dave Jones, Emanuel Gonzalez, rspamd
On 22.04.2018 19:29, Dave Jones wrote:
> My experience so far after a few weeks is Rspamd takes a lot of trial
> and error to figure out the configuration layout/structure to put files
> properly formatted in the local.d and override.d directories.
Well, after some years of "configs" in Perl, your mind should be indeed
> My experience so far after a few weeks is Rspamd takes a lot of trial
> and error to figure out the configuration layout/structure to put files
> properly formatted in the local.d and override.d directories.
shifted to treat weirdness as convenience. I had something similar when
used KDB (https://kx.com/kdb-advanced/) - you just start to reject
normal analytical tools (e.g. pandas) just because you can do something
like:
.[p;();,;u@:iasc u@:where not(u:distinct enlist val)in v:$[type key
p:(`)sv tabledir,`sym;get p;0#`]];`sym!(v,u)?val}
But I personally think it is a toxic experience. SA configs are not bad
for writing regular expression rules. Aside that, I found that extremely
hard to do something different.
> Rspamd
> also does not have some features implemented yet that SA does.
> I am running SA and Rspamd side-by-side where rspamd is a "second
> opinion" only to add/subtract a small amount to SA's score. So far
> rspamd has some potential but it's not ready for taking over a mature,
> well-tuned SA platform.
requires some learning curve to be passed. I'm trying to do my best to
make Rspamd's one not so complicated. Nonetheless, from your point of
view it's all weird, difficult and not obvious, but it is not likely
Rspamd issue, it's just your experiences with SA. Local.d/override.d are
excellent to maintain large installations using automatic deployment
(ansible, puppet etc). I can say that as we did something similar for SA
configs and it was a mess.
> Rspamd does have a few extra features/modules that SA doesn't have and I
> am trying to take advantage of them in SA. I am not sure if some of
> these extra features provide enough extra value from a well-tuned MTA
> which should be blocking the majority of the easy spam where SA/rspamd
> only need to detect and block a very small percentage of what makes it
> past the MTA checks primarily based on content.
spam in your MTA? Rspamd can do it much more efficient than MTA as it is
written just for this purpose and I did my best to make it fast. In
fact, I know no MTA that can beat Rspamd in terms of speed. If you want
to filter crap before Data command, then Rspamd provides no-content mode
to do all regexps, spf, reputation and other checks in an efficient matter.
> You still have to train your Bayesian database _well_ then increase the
> scores on both ends for the BAYES_HAM and BAYES_SPAM hits. This is the
> best thing you can do for rspamd's content checking.
not the only one: you have fuzzy checks, URL plugins, regular
expressions (that are blazingly fast due to Hyperscan) and even bloody
neural network on top of it. Aside that, there are hundreds of functions
to do content scan using Lua API.
> I do like how you can setup a multimap rule based on the subject header
> then simply add lines to the map file with complex regex to detect odd
> patterns of spammer subjects. This part is much nicer than how you have
> to do it in SA.
something nicer to configure than in SA.
> <mailto:rspamd+un...@googlegroups.com>.
> Visit this group at https://groups.google.com/group/rspamd
> <https://groups.google.com/group/rspamd>.
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "rspamd" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to rspamd+un...@googlegroups.com
>
> --
> You received this message because you are subscribed to the Google
> Groups "rspamd" group.
> To unsubscribe from this group and stop receiving emails from it, send
> <mailto:rspamd+un...@googlegroups.com>.
Dave Jones
Apr 22, 2018, 5:43:20 PM4/22/18
to Vsevolod Stakhov, Emanuel Gonzalez, rspamd
On 04/22/2018 02:11 PM, Vsevolod Stakhov wrote:
> On 22.04.2018 19:29, Dave Jones wrote:
>> My experience so far after a few weeks is Rspamd takes a lot of trial
>> and error to figure out the configuration layout/structure to put files
>> properly formatted in the local.d and override.d directories.
>
> Well, after some years of "configs" in Perl, your mind should be indeed
> shifted to treat weirdness as convenience.
I am not even talking about the weirdness of SA's perl rules. I am
> On 22.04.2018 19:29, Dave Jones wrote:
>> My experience so far after a few weeks is Rspamd takes a lot of trial
>> and error to figure out the configuration layout/structure to put files
>> properly formatted in the local.d and override.d directories.
>
> Well, after some years of "configs" in Perl, your mind should be indeed
> shifted to treat weirdness as convenience.
referring to taking general principles of mail filtering and turning
them into something that makes rspamd do what you want/expect.
Rspamd doesn't complain or tell you when you have put settings in the
wrong place. They are just ignored so you have to wait for some
messages to go by that should have triggered some rule/symbol but don't
to know that you didn't do something right.
> I had something similar when
> used KDB (https://kx.com/kdb-advanced/) - you just start to reject
> normal analytical tools (e.g. pandas) just because you can do something
> like:
>
> .[p;();,;u@:iasc u@:where not(u:distinct enlist val)in v:$[type key
> p:(`)sv tabledir,`sym;get p;0#`]];`sym!(v,u)?val}
>
> But I personally think it is a toxic experience. SA configs are not bad
> for writing regular expression rules. Aside that, I found that extremely
> hard to do something different.
>
>> Rspamd
>> also does not have some features implemented yet that SA does.
>
> Which ones?
>
LOTS_OF_MONEY and DRUGS_ERECTILE
- internal_networks and trusted_networks so the proper Received: header
can be checked against RBLs
- simple globbing in whitelist/blacklists to use existing lists created
for SA (I have thousands of entries)
>> I am running SA and Rspamd side-by-side where rspamd is a "second
>> opinion" only to add/subtract a small amount to SA's score. So far
>> rspamd has some potential but it's not ready for taking over a mature,
>> well-tuned SA platform.
>
> See my first point: it's all about your experience. Both Rspamd and SA
> requires some learning curve to be passed. I'm trying to do my best to
> make Rspamd's one not so complicated. Nonetheless, from your point of
> view it's all weird, difficult and not obvious, but it is not likely
> Rspamd issue, it's just your experiences with SA. Local.d/override.d are
> excellent to maintain large installations using automatic deployment
> (ansible, puppet etc). I can say that as we did something similar for SA
> configs and it was a mess.
>
have figure out the exact filename and format to get rspamd to do what
you want.
>> Rspamd does have a few extra features/modules that SA doesn't have and I
>> am trying to take advantage of them in SA. I am not sure if some of
>> these extra features provide enough extra value from a well-tuned MTA
>> which should be blocking the majority of the easy spam where SA/rspamd
>> only need to detect and block a very small percentage of what makes it
>> past the MTA checks primarily based on content.
>
> I always ask one question in this case: why the fuck you need to filter
> spam in your MTA? Rspamd can do it much more efficient than MTA as it is
> written just for this purpose and I did my best to make it fast. In
> fact, I know no MTA that can beat Rspamd in terms of speed. If you want
> to filter crap before Data command, then Rspamd provides no-content mode
> to do all regexps, spf, reputation and other checks in an efficient matter.
>
rejection codes/messages that can be Google'd by the sender's tech
support. Postfix gives excellent response text that are well documented
and searchable.
Postfix's postscreen with weighted RBLs is the best. Combine the power
of basic DNS checks, 20+ RBLs in postscreen, and postwhite from Github
and you can easily/safely block the majority of spam without SA or rspamd.
>> You still have to train your Bayesian database _well_ then increase the
>> scores on both ends for the BAYES_HAM and BAYES_SPAM hits. This is the
>> best thing you can do for rspamd's content checking.
>
> Bayes is one of the methods to do content checking but it is obviously
> not the only one: you have fuzzy checks, URL plugins, regular
> expressions (that are blazingly fast due to Hyperscan) and even bloody
> neural network on top of it. Aside that, there are hundreds of functions
> to do content scan using Lua API.
>
all of these cool features and how to put them in the proper conf file.
The documentation needs to have a complete listing of all options that
are available in each section/module so we know the structure without
having to trial and error everything for hours to get one new feature
working.
>> I do like how you can setup a multimap rule based on the subject header
>> then simply add lines to the map file with complex regex to detect odd
>> patterns of spammer subjects. This part is much nicer than how you have
>> to do it in SA.
>
> Multimap can do much more than this but I'm glad that you've found
> something nicer to configure than in SA.
>
figure out all of rspamd's power.
Vsevolod Stakhov
Apr 23, 2018, 4:15:51 AM4/23/18
to Dave Jones, Emanuel Gonzalez, rspamd
On 22.04.2018 22:43, Dave Jones wrote:
> On 04/22/2018 02:11 PM, Vsevolod Stakhov wrote:
>> On 22.04.2018 19:29, Dave Jones wrote:
>>> My experience so far after a few weeks is Rspamd takes a lot of trial
>>> and error to figure out the configuration layout/structure to put files
>>> properly formatted in the local.d and override.d directories.
>>
>> Well, after some years of "configs" in Perl, your mind should be indeed
>> shifted to treat weirdness as convenience.
>
> I am not even talking about the weirdness of SA's perl rules. I am
> referring to taking general principles of mail filtering and turning
> them into something that makes rspamd do what you want/expect.
>
> Rspamd doesn't complain or tell you when you have put settings in the
> wrong place. They are just ignored so you have to wait for some
> messages to go by that should have triggered some rule/symbol but don't
> to know that you didn't do something right.
That's not true: you can always do `rspamadm configdump <section>` and
> On 04/22/2018 02:11 PM, Vsevolod Stakhov wrote:
>> On 22.04.2018 19:29, Dave Jones wrote:
>>> My experience so far after a few weeks is Rspamd takes a lot of trial
>>> and error to figure out the configuration layout/structure to put files
>>> properly formatted in the local.d and override.d directories.
>>
>> Well, after some years of "configs" in Perl, your mind should be indeed
>> shifted to treat weirdness as convenience.
>
> I am not even talking about the weirdness of SA's perl rules. I am
> referring to taking general principles of mail filtering and turning
> them into something that makes rspamd do what you want/expect.
>
> Rspamd doesn't complain or tell you when you have put settings in the
> wrong place. They are just ignored so you have to wait for some
> messages to go by that should have triggered some rule/symbol but don't
> to know that you didn't do something right.
check what's going on. We lack semantics checks indeed but it is not
true that Rspamd doesn't tell you about your configuration.
>> I had something similar when
>> used KDB (https://kx.com/kdb-advanced/) - you just start to reject
>> normal analytical tools (e.g. pandas) just because you can do something
>> like:
>>
>> .[p;();,;u@:iasc u@:where not(u:distinct enlist val)in v:$[type key
>> p:(`)sv tabledir,`sym;get p;0#`]];`sym!(v,u)?val}
>>
>> But I personally think it is a toxic experience. SA configs are not bad
>> for writing regular expression rules. Aside that, I found that extremely
>> hard to do something different.
>>
>>> Rspamd
>>> also does not have some features implemented yet that SA does.
>>
>> Which ones?
>>
>
> - Many of the content rules that block obvious spam like SA's
> LOTS_OF_MONEY and DRUGS_ERECTILE
> - internal_networks and trusted_networks so the proper Received: header
> can be checked against RBLs
ridiculous setup with one MTA that accepts connection and a set of MTAs
that do spam filtering and if you do not use XCLIENT then yes, you need
to parse some Received headers to get the real ip.
I consider it as a bad practice and thus do not support in Rspamd.
> - simple globbing in whitelist/blacklists to use existing lists created
> for SA (I have thousands of entries)
automatically converted to ordinary perl regular expressions on load.
other DNS requests) from MTA level to Nginx + policy server which was
also responsible for weighted balancing of SMTP requests. DNS resolving
in Postfix is extremely inefficient: we have seen more than couple of
thousands processes spinning on a single MX waiting for DNS replies. It
was terrible. Please do not advice to use MTA in this role: it is an
awful practice. In case of SA you had no choice then to use MTA for
these purposes as SA is even slower in the vast majority of the cases...
But Rspamd story is completely different.
>>> You still have to train your Bayesian database _well_ then increase the
>>> scores on both ends for the BAYES_HAM and BAYES_SPAM hits. This is the
>>> best thing you can do for rspamd's content checking.
>>
>> Bayes is one of the methods to do content checking but it is obviously
>> not the only one: you have fuzzy checks, URL plugins, regular
>> expressions (that are blazingly fast due to Hyperscan) and even bloody
>> neural network on top of it. Aside that, there are hundreds of functions
>> to do content scan using Lua API.
>>
>
> Those of us that didn't write the rspamd code have to learn how to use
> all of these cool features and how to put them in the proper conf file.
> The documentation needs to have a complete listing of all options that
> are available in each section/module so we know the structure without
> having to trial and error everything for hours to get one new feature
> working.
Lua functions and objects are also fully documented. There is even
`rspamadm confighelp` that shows a brief help for many parts of the
configuration. What else do you need?
>>> I do like how you can setup a multimap rule based on the subject header
>>> then simply add lines to the map file with complex regex to detect odd
>>> patterns of spammer subjects. This part is much nicer than how you have
>>> to do it in SA.
>>
>> Multimap can do much more than this but I'm glad that you've found
>> something nicer to configure than in SA.
>>
>
> I am sure it's very powerful but I am having to fumble my way around to
> figure out all of rspamd's power.
them you can merely find in some mailing list or IRC archives. But the
truth here is that all rspamd.com content is the open source repository
where everybody is able to contribute their pull requests to improve the
documentation.
Emanuel Gonzalez
Apr 23, 2018, 7:15:21 AM4/23/18
to Vsevolod Stakhov, Dave Jones, rspamd
my problem is that I am not able to make ANYTHING work!
For example, inside the folder /etc/rspamd/override.d I have left the file spamassassin.conf and it does not read the configurations.
spamassassin {
ruleset = "/etc/mail/spamassassin/local.cf";
}
any ideas?For example, inside the folder /etc/rspamd/override.d I have left the file spamassassin.conf and it does not read the configurations.
spamassassin {
ruleset = "/etc/mail/spamassassin/local.cf";
}
--
You received this message because you are subscribed to the Google Groups "rspamd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rspamd+unsubscribe@googlegroups.com.
Vsevolod Stakhov
Apr 23, 2018, 7:23:43 AM4/23/18
to Emanuel Gonzalez, Dave Jones, rspamd
https://rspamd.com/doc/faq.html#rspamd-still-does-not-work-as-expected
In fact, Rspamd can detect and report these errors automatically:
2018-04-23 12:22:34.58518 #10641(main) lua; lua_cfg_transform.lua:309:
nested section: section { section { ... } }, it is likely a
configuration error
I think you just don't read neither documentation nor error logs.
On 23.04.2018 12:15, Emanuel Gonzalez wrote:
> my problem is that I am not able to make ANYTHING work!
>
> For example, inside the folder /etc/rspamd/override.d I have left the
> file spamassassin.conf and it does not read the configurations.
>
> spamassassin {
> ruleset = "/etc/mail/spamassassin/local.cf <http://local.cf>";
> <mailto:vsev...@highsecure.ru>>:
> truth here is that all rspamd.com <http://rspamd.com> content is the
> send an email to rspamd+un...@googlegroups.com
> <mailto:rspamd%2Bunsu...@googlegroups.com>.
> <mailto:rspamd+un...@googlegroups.com>.
In fact, Rspamd can detect and report these errors automatically:
2018-04-23 12:22:34.58518 #10641(main) lua; lua_cfg_transform.lua:309:
nested section: section { section { ... } }, it is likely a
configuration error
I think you just don't read neither documentation nor error logs.
On 23.04.2018 12:15, Emanuel Gonzalez wrote:
> my problem is that I am not able to make ANYTHING work!
>
> For example, inside the folder /etc/rspamd/override.d I have left the
> file spamassassin.conf and it does not read the configurations.
>
> spamassassin {
> <mailto:vsev...@highsecure.ru>>:
> open source repository
> where everybody is able to contribute their pull requests to improve the
> documentation.
>
> >>> Dave
> >>>
> >>> On Fri, Apr 20, 2018 at 11:09 AM, Emanuel Gonzalez
> <ema...@gmail.com <mailto:ema...@gmail.com>
> where everybody is able to contribute their pull requests to improve the
> documentation.
>
> >>> Dave
> >>>
> >>> On Fri, Apr 20, 2018 at 11:09 AM, Emanuel Gonzalez
> <ema...@gmail.com <mailto:ema...@gmail.com>
> <mailto:rspamd%2Bunsu...@googlegroups.com>.
> Visit this group at https://groups.google.com/group/rspamd
> <https://groups.google.com/group/rspamd>.
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "rspamd" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to rspamd+un...@googlegroups.com
>
> --
> You received this message because you are subscribed to the Google
> Groups "rspamd" group.
> To unsubscribe from this group and stop receiving emails from it, send
> <mailto:rspamd+un...@googlegroups.com>.
Sophie Loe
Apr 29, 2018, 4:56:05 PM4/29/18
to rspamd
One thing missing here is the wealth of information, guides and support from the SA mailing list. Many people use SA and it is very well maintained.
Rulesets abound the Internet, and I have hundreds of my own written rules specific to my own installation that block specific mail: I have not found how to write my own rules for rspamd. With SA I could write a quick rule to poison pill something, or meta it with other sources. I'd be so pleased to find the rspamd equivilent documentation on how to do this.
Rspamd has great potential and I have a set up of it. Looks good out of the box.
Vsevolod Stakhov
Apr 29, 2018, 5:34:36 PM4/29/18
to Sophie Loe, rspamd
On 29.04.2018 21:56, Sophie Loe wrote:
> One thing missing here is the wealth of information, guides and support
> from the SA mailing list. Many people use SA and it is very well
> maintained.
Many people use Rspamd and it is very well maintained.
> One thing missing here is the wealth of information, guides and support
> from the SA mailing list. Many people use SA and it is very well
> maintained.
> Rulesets abound the Internet, and I have hundreds of my own written
> rules specific to my own installation that block specific mail: I have
> not found how to write my own rules for rspamd. With SA I could write a
> quick rule to poison pill something, or meta it with other sources. I'd
> be so pleased to find the rspamd equivilent documentation on how to do this.
are many contributors and users who do that. There is more than enough
of documentation about how to write rules, composites, regular
expressions and Lua plugins in Rspamd of one wants that.
Dave Jones
Apr 29, 2018, 6:53:45 PM4/29/18
to Vsevolod Stakhov, Sophie Loe, rspamd
The existing documentation that I have been using is lacking fundamentals. It assumes that you understand the very flexible UCL and how to layer settings in files under local.d/overrride.d. I still contend that there needs to be a full dictionary of all settings and what levels in the UCL they should be put in.
Many people are going to come to Rspamd from SA so a few more examples of how to transition would be helpful. For example, I am currently fumbling through local.d/multimap.conf to setup my own Subject rules. I like the simplicity of the .map file but I am not having any luck with custom scores:
[ro...@smtp07.nsvltn local.d]# cat multimap.conf
SUBJECT_SPAM {
type = "header";
header = "subject";
map = "file://$LOCAL_CONFDIR/local.d/subject.map";
regexp = true;
score = 4.2;
}
[ro...@smtp07.nsvltn local.d]# cat subject.map
/^(Fwd|Fw|Re): (for|to) \w+ \w+$/ SUBJECT_SPAM_FAKE_FWD_RE_TWO_WORDS:6.2
/^(Fwd|Fw|Re):? \w+$/ SUBJECT_SPAM_FAKE_FWD_RE_ONE_WORD:4.2
/^(Fw|RE) ?\(\d\): / SUBJECT_SPAM_SUSPICIOUS_FWD_RE:4.2
/^Apologize for the mistake$/ SUBJECT_SPAM_APOLOGIZE_MISTAKE:10.2
/^(Invitation|Cancelled): Dear Valued Customer,/ SUBJECT_SPAM_CANCELLED_PAYMENT:10.2
/^Hey$/ SUBJECT_SPAM_ONLY_HEY:4.2
Why do my custom rules score 0.00? What am I doing wrong? This is another example of the documentation not being complete enough causing me to trial and error taking hours.
(from rspamd.log)
SUBJECT_SPAM_SUSPICIOUS_FWD_RE(0.00){Fw (1): Ed Nieten;}
Dave
> <mailto:rspamd+unsubscribe@googlegroups.com>.> an email to rspamd+unsubscribe@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "rspamd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rspamd+unsubscribe@googlegroups.com.
Sophie Lo
Apr 30, 2018, 1:26:50 AM4/30/18
to Vsevolod Stakhov, Sophie Loe, rspamd
Morning,
I meant when compared with the installed base of SA. e.g I started using rspamd after using SA for 8 years.
I agree that there are many contributors for rspamd, but I think there are even more for SA because it has been around longer. This is not to say one is better than the other.
Best, Sophie
Sent from a mobile. Excuse my brevity.
I meant when compared with the installed base of SA. e.g I started using rspamd after using SA for 8 years.
I agree that there are many contributors for rspamd, but I think there are even more for SA because it has been around longer. This is not to say one is better than the other.
Sent from a mobile. Excuse my brevity.
Vsevolod Stakhov
Apr 30, 2018, 8:35:46 AM4/30/18
to Dave Jones, Sophie Loe, rspamd
On 29.04.2018 23:53, Dave Jones wrote:
> The existing documentation that I have been using is lacking
> fundamentals. It assumes that you understand the very flexible UCL
UCL syntax is described here: https://rspamd.com/doc/configuration/ucl.html
> The existing documentation that I have been using is lacking
> fundamentals. It assumes that you understand the very flexible UCL
> and
> how to layer settings in files under local.d/overrride.d. I still
> contend that there needs to be a full dictionary of all settings and
> what levels in the UCL they should be put in.
Some modules lack that so far, but I have no time to fulfill those gaps
usually.
score = runtime_score * static_score
Runtime score is a concept used to express confidence. For example, you
have IP reputation and it changes in range [-1;1] smoothly. Then you
tell that static score for IP reputation is 3.0. Hence,
score = runtime_score * static_score = 0.5 * 3.0 = 1.5
And you don't need to define something like
IP_SCORE_TOO_FUCKING_BAD
IP_SCORE_FUCKING_BAD
IP_SCORE_BAD
and so on to achieve this distinction.
In your case you have totally different case. Multimap module gets
**RUNTIME** score from the map. However, static scores for those symbols
are not defined and is assumed to be equal to zero.
In theory, multimap can handle that in a more wise way. On the other
hand, it breaks different runtime stats as Rspamd assumes that all
symbols are explicitly defined. Maps derived definition is implicit by
nature as maps are loaded and reloaded dynamically without touching the
main config.
So another option is to move those scores to the static configuration.
Sophie Lo
Apr 30, 2018, 9:23:25 AM4/30/18
to Vsevolod Stakhov, Dave Jones, Sophie Loe, rspamd
Thanks.
Had a look, and maybe I'll skip that. ;)
Had a look, and maybe I'll skip that. ;)
On April 30, 2018 2:35:32 PM CEST, Vsevolod Stakhov <vsev...@highsecure.ru> wrote:
On 29.04.2018 23:53, Dave Jones wrote:The existing documentation that I have been using is lacking
fundamentals. It assumes that you understand the very flexible UCL
UCL syntax is described here: https://rspamd.com/doc/configuration/ucl.htmland
how to layer settings in files under local.d/overrride.d. I still
contend that there needs to be a full dictionary of all settings and
what levels in the UCL they should be put in.
rspamadm confighelp
Some modules lack that so far, but I have no time to fulfill those gaps
usually.Many people are going to come to Rspamd from SA so a few more examples
of how to transition would be helpful. For example, I am currently
fumbling through local.d/multimap.conf to setup my own Subject rules. I
like the simplicity of the .map file but I am not having any luck with
custom scores:
[ro...@smtp07.nsvltn local.d]# cat multimap.conf
SUBJECT_SPAM {
type = "header";
header = "subject";
map
Vsevolod Stakhov
Apr 30, 2018, 11:49:58 AM4/30/18
to Dave Jones, Sophie Loe, rspamd
On 29.04.2018 23:53, Dave Jones wrote:
> Many people are going to come to Rspamd from SA so a few more examples
> of how to transition would be helpful. For example, I am currently
> fumbling through local.d/multimap.conf to setup my own Subject rules. I
> like the simplicity of the .map file but I am not having any luck with
> custom scores:
>
> [ro...@smtp07.nsvltn local.d]# cat multimap.conf
> SUBJECT_SPAM {
> type = "header";
> header = "subject";
> map = "file://$LOCAL_CONFDIR/local.d/subject.map";
> regexp = true;
> score = 4.2;
> }
>
> [ro...@smtp07.nsvltn local.d]# cat subject.map
> /^(Fwd|Fw|Re): (for|to) \w+ \w+$/ SUBJECT_SPAM_FAKE_FWD_RE_TWO_WORDS:6.2
> /^(Fwd|Fw|Re):? \w+$/ SUBJECT_SPAM_FAKE_FWD_RE_ONE_WORD:4.2
> /^(Fw|RE) ?\(\d\): / SUBJECT_SPAM_SUSPICIOUS_FWD_RE:4.2
> /^Apologize for the mistake$/ SUBJECT_SPAM_APOLOGIZE_MISTAKE:10.2
> /^(Invitation|Cancelled): Dear Valued Customer,/
> SUBJECT_SPAM_CANCELLED_PAYMENT:10.2
> /^Hey$/ SUBJECT_SPAM_ONLY_HEY:4.2
>
> Why do my custom rules score 0.00? What am I doing wrong? This is
> another example of the documentation not being complete enough causing
> me to trial and error taking hours.
In fact, I've decided to fix it in
> of how to transition would be helpful. For example, I am currently
> fumbling through local.d/multimap.conf to setup my own Subject rules. I
> like the simplicity of the .map file but I am not having any luck with
> custom scores:
>
> [ro...@smtp07.nsvltn local.d]# cat multimap.conf
> SUBJECT_SPAM {
> type = "header";
> header = "subject";
> map = "file://$LOCAL_CONFDIR/local.d/subject.map";
> regexp = true;
> score = 4.2;
> }
>
> [ro...@smtp07.nsvltn local.d]# cat subject.map
> /^(Fwd|Fw|Re): (for|to) \w+ \w+$/ SUBJECT_SPAM_FAKE_FWD_RE_TWO_WORDS:6.2
> /^(Fwd|Fw|Re):? \w+$/ SUBJECT_SPAM_FAKE_FWD_RE_ONE_WORD:4.2
> /^(Fw|RE) ?\(\d\): / SUBJECT_SPAM_SUSPICIOUS_FWD_RE:4.2
> /^Apologize for the mistake$/ SUBJECT_SPAM_APOLOGIZE_MISTAKE:10.2
> /^(Invitation|Cancelled): Dear Valued Customer,/
> SUBJECT_SPAM_CANCELLED_PAYMENT:10.2
> /^Hey$/ SUBJECT_SPAM_ONLY_HEY:4.2
>
> Why do my custom rules score 0.00? What am I doing wrong? This is
> another example of the documentation not being complete enough causing
> me to trial and error taking hours.
https://github.com/vstakhov/rspamd/commit/92cfb7f3b92813736ff949028366f989b5e5f8b1
Emanuel Gonzalez
May 2, 2018, 1:50:21 PM5/2/18
to Dave Jones, rspamd
i'm back.!! ja
In rspamd, in the path /etc/rspamd/local.d, i copy the file: spamassassin.conf with this config:spamassassin {
ruleset = "/etc/mail/spamassassin/local.cf";
match_limit = 100k;
pcre_only = ["RULE1", "__RULE2"];
alpha = 0.1
}
header FROM_HAS_VIARGA_1 From =~ /viagra/i
header SUBJECT_HAS_VIAGRA_1 Subject =~ /viagra/i
header SUBJECT_HAS_VIAGRA_2 Subject =~ /Vig\@ra/i
header SUBJECT_HAS_VIAGRA_3 Subject =~ /Wiag\@r/i
header SUBJECT_HAS_VIAGRA_4 Subject =~ /Vi\@gar/i
header SUBJECT_HAS_VIAGRA_5 Subject =~ /Vigar\@/i
header SUBJECT_HAS_VIAGRA_6 Subject =~ /Wiagria/i
header SUBJECT_HAS_VIAGRA_7 Subject =~ /Viag\@r/i
header SUBJECT_HAS_VIAGRA_8 Subject =~ /Vaigr\@/i
I think rspamd are not reading the spamassassin configuration file.
Dave Jones
May 2, 2018, 3:45:41 PM5/2/18
to Emanuel Gonzalez, rsp...@googlegroups.com
You should do that using the rspamd multimap module which another thing that will take some time to trial and error to figure out what to use since it's very flexible. The rspam documentation doesn't have an example for a simple blacklist based on the envelope-from and/or From: header like the SA blacklist_from does.
On Wed, May 2, 2018 at 2:02 PM, Emanuel Gonzalez <ema...@gmail.com> wrote:
Perfect.!! but the blacklist not work:
2018-05-02 15:53:29 #13734(main) <hnsan1>; cfg; rspamd_init_lua_filters: init lua module spamassassin
2018-05-02 15:59:57 #14224(main) <hnsan1>; lua; spamassassin.lua:1597: loaded 0 freemail domains definitions
2018-05-02 15:59:57 #14224(main) <hnsan1>; lua; spamassassin.lua:1600: loaded 0 blacklist/whitelist elements
/etc/mail/spamassassin/blacklist
blacklist_from ema...@gmail.com
2018-05-02 16:00:33 1fDwzR-00054Q-Mo DKIM test passed (address=ema...@gmail.com domain=gmail.com), good signature.
2018-05-02 16:00:33 1fDwzR-00054Q-Mo DKIM: d=gmail.com s=20161025 c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2018-05-02 16:00:35 1fDwzR-00054Q-Mo <= ema...@gmail.com H=mail-wm0-f48.google.com [74.125.82.48] P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no K S=3436 id=CAGUDtnm9gqhJSaWj_hMq4d8n+p+2qAGN1j=bU4n8L8ddgp3SAg@mail.gmail.com
2018-05-02 16:00:36 1fDwzR-00054Q-Mo => dovecot4 <dove...@maxwelldovecot.tk> R=virtual_user T=virtual_userdelivery
2018-05-02 16:00:36 1fDwzR-00054Q-Mo Completedmail recieved okany help?2018-05-02 15:42 GMT-03:00 Dave Jones <da...@jonesol.com>:If you look closely at the modules.d/spamassassin.conf you will see that the include local.d/spamassassin.conf is already in the spamassassin section/level of the UCL so you just put all of the settings at the "top" level of the file like:
ruleset = "/etc/mail/spamassassin/local.cf";
match_limit = 100k;
pcre_only = ["RULE1", "__RULE2"];
alpha = 0.1
This is what I am referring to as being non-intuitive for new users of rspamd and how their is no warnings or errors logged into the rspamd.log when you put settings outside of the correct place/level. They are silently ignored.
Emanuel Gonzalez
May 3, 2018, 1:46:22 PM5/3/18
to rspamd
Is it possible to assign a predefined score to a group of symbols?
MKT_DOMAIN_BKL {
<------>type = "header";
<------>header = "Message-ID";
<------>map = "file:///etc/rspamd/local.d/mkt_domains_bkl.map.inc";
<------>regexp = true;
<------>symbols = ["MKT_DOMAIN_1", "MKT_DOMAIN_2"];
<------>description = "MKT DOMAIN";
<------>score = 50.0;
}
or should I modify the symbol in to the metrics.conf file?
Symbol: MKT_DOMAIN_1(0.00)
mkt_domains_bkl.map.inc
/tstes\.net/i MKT_DOMAIN_1
/mtaes\.net/i MKT_DOMAIN_2
MKT_DOMAIN_BKL {
<------>type = "header";
<------>header = "Message-ID";
<------>map = "file:///etc/rspamd/local.d/mkt_domains_bkl.map.inc";
<------>regexp = true;
<------>symbols = ["MKT_DOMAIN_1", "MKT_DOMAIN_2"];
<------>description = "MKT DOMAIN";
<------>score = 50.0;
}
or should I modify the symbol in to the metrics.conf file?
email header:
Symbol: MKT_DOMAIN_1(0.00)
mkt_domains_bkl.map.inc
/tstes\.net/i MKT_DOMAIN_1
/mtaes\.net/i MKT_DOMAIN_2
2018-04-22 15:29 GMT-03:00 Dave Jones <da...@jonesol.com>:
Emanuel Gonzalez
May 10, 2018, 2:58:58 PM5/10/18
to Dave Jones, rspamd
I read the rspam documentation, the service is work fine, but not scan the attachment into the mail.
In the exim configure i set this:spamd_address = 168.181.185.235 11333 variant=rspamd
attachments_only = false;
symbol = "CLAM_VIRUS";
action = "reject";
type = "clamav";
servers = "127.0.0.1:3310";
for default exim internet connect with sophie sophos, any ideas for this? in the exim logs i see this error, i not add any parameter from sophie antivirus.
malware acl condition: sophie /var/run/sophie : unable to connect to UNIX socket (/var/run/sophie): No such file or directory
2018-04-22 15:29 GMT-03:00 Dave Jones <da...@jonesol.com>:
Reply all
Reply to author
Forward
0 new messages