Clarification of what 'reject' means for spam?


Dan Swartzendruber

Apr 9, 2016, 10:31:47 AM4/9/16
to rspamd

I got a junk mail that was flagged as 'Action: reject', yet it showed up in my Junk folder anyway (I am using dovecot sieve to redirect messages flagged as spam to Junk).  My understanding was that reject meant rmilter would tell postfix to not even accept it, yet it did.  Is my understanding wrong?  If so, what does reject mean?  Thanks!

p.s. here are the symbols:

Results for file: 1460150692.M687786P3403.mailserver,S=4077,W=4165:2, (0.812 seconds)
[Metric: default]
Spam: true
Score: 25.89 / 15.00
Action: reject
Symbol: BAYES_SPAM (3.99)[99.99%]
Symbol: DBL_ABUSE_PHISH (7.50)[suijima.com.dbl.spamhaus.org]
Symbol: HFILTER_HELO_UNKNOWN (2.00)
Symbol: MIME_GOOD (-0.10)[text/plain]
Symbol: MISSING_TO (2.00)
Symbol: PH_SURBL_MULTI (5.50)[suijima.com.multi.surbl.org]
Symbol: R_MISSING_CHARSET (5.00)
Symbol: URIBL_BLOCKED (0.00)[suijima.com.multi.uribl.com]
Message-ID: 20160408230451....@roxannebarksdale.com


Alexander Moisseev

Apr 9, 2016, 11:08:54 AM4/9/16
to rspamd
Your understanding is right. You might have `spamd_never_reject = yes` in the rmilter.conf:

spamd {
...
 spamd_never_reject = yes;
...
}


Dan Swartzendruber

Apr 9, 2016, 11:19:50 AM4/9/16
to rspamd
Interesting.  Looking at postfix logs, I saw a few minutes earlier (the actual file in Junk was timestamped 17:24):

Apr  8 17:16:16 mailserver postfix/cleanup[3375]: 2F4E31A0B80: milter-reject: END-OF-MESSAGE from iredmail.druber.com[10.0.0.14]: 4.7.1 Try again later; from=<ma...@roxannebarksdale.com> to=<xxxxx> proto=ESMTP helo=<yyy>

So since this was a non-fatal error from rmilter, the upstream MTA retried at 17:24 and that one went through.  Looking for milter-reject in the logs, I see some with this:

Apr  7 01:30:35 mailserver postfix/cleanup[5639]: ED3FF1A099A: milter-reject: END-OF-MESSAGE from xxx[10.0.0.14]: 5.7.1 Spam message rejected; If this is not spam contact abuse; from=<delphine....@yahoo.com> to=<xxx> proto=ESMTP helo=<xxx>
Apr  7 15:28:37 mailserver postfix/cleanup[8778]: D39E21A0B9A: milter-reject: END-OF-MESSAGE from xxx[10.0.0.14]: 5.7.1 Spam message rejected; If this is not spam contact abuse; from=<bounce-64162...@ecmx.sharecomm.org> to=<xxx> proto=ESMTP helo=<xxx>
Apr  8 23:13:42 mailserver postfix/cleanup[3476]: 63FBD1A0B80: milter-reject: END-OF-MESSAGE from xxx[10.0.0.14]: 5.7.1 Spam message rejected; If this is not spam contact abuse; from=<j...@yahoo.co.nz> to=<xxx> proto=ESMTP helo=<xxx>

Those are real rejections.  I assume the 4.7.1 are greylisting?  Looking at the message in postfix log from 17:16:16, I see:

Apr  8 17:16:16 mailserver rmilter[3328]: spamdscan: scan qid: <2F4E31A0B80>, mid: <20160408230451....@roxannebarksdale.com>, 0.805069, localhost, metric: default: [10.890000 / 15.000000], symbols: MIME_GOOD(-0.10), BAYES_SPAM(3.99), MISSING_TO(2.00), URIBL_BLOCKED(0.00), R_MISSING_CHARSET(5.00)
Apr  8 17:16:16 mailserver rmilter[3328]: greylisting_check_hash: greylisted <2F4E31A0B80>: 0 seconds passed (new record), greylisted till 2016-04-08 17:21:15, type: data hash
Apr  8 17:16:16 mailserver rmilter[3328]: greylisting_check_hash: greylisted <2F4E31A0B80>: 0 seconds passed (new record), greylisted till 2016-04-08 17:21:15, type: sender, IP, recipients
Apr  8 17:16:16 mailserver rmilter[3328]: mlfi_eom: 2F4E31A0B80: greylisting message according to spamd action
Apr  8 17:16:16 mailserver rmilter[3328]: msg done: 2F4E31A0B80: ip: 10.0.0.14; from: ma...@roxannebarksdale.com; rcpt: <xxx> (1 total); user: unauthorized; spam scan: greylisted, action: add header; virus scan: skipped, spamd greylist; dkim: skipped, spamd greylist
Apr  8 17:16:16 mailserver postfix/cleanup[3375]: 2F4E31A0B80: milter-reject: END-OF-MESSAGE from iredmail.druber.com[10.0.0.14]: 4.7.1 Try again later;

The score is 10.89, but I am using the default metrics, so this should have been accepted and then marked as spam, no?  When it was retried at 17:24, it again showed with a score of 10.89, so was flagged as spam and went to Junk folder, yet the symbols indicate a score of 25.89.  There are a couple of symbols that do not show in the original scoring, or the message itself.  Specifically, DBL_ABUSE_PHISH and PH_SURBL_MULTI. So if I look at the message, I see:

X-Spamd-Result: default: False [10.89 / 15.00]
 MIME_GOOD(-0.10)
 BAYES_SPAM(3.99)
 MISSING_TO(2.00)
 URIBL_BLOCKED(0.00)
 R_MISSING_CHARSET(5.00)

but rspamc symbols says:

Score: 18.39 / 15.00

Action: reject
Symbol: BAYES_SPAM (3.99)[99.99%]
Symbol: HFILTER_HELO_UNKNOWN (2.00)
Symbol: MIME_GOOD (-0.10)[text/plain]
Symbol: MISSING_TO (2.00)
Symbol: PH_SURBL_MULTI (5.50)[suijima.com.multi.surbl.org]
Symbol: R_MISSING_CHARSET (5.00)
Symbol: URIBL_BLOCKED (0.00)[suijima.com.multi.uribl.com]

Just a bit ago, the score was 25.89.  I infer that 'rspamc symbols' is dynamically checking things that could be changing?  If so, this was all as expected?  The only thing then I don't understand is why the first time it got greylisted when the score was 10.89?  As I said, I am using the default metrics, so greylist is 4, probable spam is 6 and reject is 15.

Dan Swartzendruber

Apr 9, 2016, 11:22:28 AM4/9/16
to rspamd

Apologies for not noticing the discrepancy between the file and 'rspamc symbols' until you replied.  No, I am not doing the never reject thing - this seems to have been totally because the score changed between when the message was delivered (yesterday afternoon) and when I checked the score just a bit ago.

Alexander Moisseev

Apr 9, 2016, 12:19:21 PM4/9/16
to rspamd
  1. Rmilter passes to rspamd some SMTP session parameters that are never stored in the message header. When you scan the message with `rspamc` these parameters are unavailable, so you'll always get a different score.
  2. Yes, things could be changing. DNS block lists and the rspamd.com fuzzy storage are changing, your own fuzzy and bayes classifiers could be learned (or autolearned), and some tests could not be completed due to timeouts.
Rmilter greylists everything except probable ham and rejected mail. When the message score exceeds the greylisting threshold (but is lower than the reject threshold) it is greylisted. Then, if it passes greylisting, it is checked against the `probable spam` threshold.
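The two checks a practitioner would want from this thread, written up as an added example (this is not rspamd or rmilter code, and the threshold model in `rmilter_action` is an assumption reconstructed from the replies above, not a reading of rmilter's source): first, diff the symbols recorded in the delivery-time `X-Spamd-Result` header against a later `rspamc symbols` rescan, so a score change can be traced to specific symbols instead of guessed at; second, model the greylist / add header / reject decision for a given score; third, split Postfix `milter-reject` log lines into 4.x.x temporary failures (greylisting retries) and 5.x.x permanent rejections. The sample header, rescan output and log lines are taken from the thread's own output; the function names, the regular expressions and the `THRESHOLDS` table are this example's own.

```python
"""Reconcile a delivery-time X-Spamd-Result with a later rspamc rescan, model
rmilter's threshold decision, and classify Postfix milter-reject lines.

Added example; not code from rspamd or rmilter. The action model is an
assumption based on the thread's description of rmilter's behaviour.
"""
import re

# Default rspamd thresholds quoted in the thread (assumed to be the active config).
THRESHOLDS = {"greylist": 4.0, "add header": 6.0, "reject": 15.0}

# NAME(score) in an X-Spamd-Result header, NAME (score)[opts] in `rspamc symbols` output.
SYMBOL_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)\s*\(([-+]?\d+(?:\.\d+)?)\)")

# Postfix cleanup line for a milter rejection: queue id, enhanced-status class
# (4 = temporary, 5 = permanent) and the milter's reply text up to the first ';'.
MILTER_REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: ([0-9A-F]+): milter-reject: .*?: ([45])\.\d+\.\d+ ([^;]*);"
)

# Sample inputs taken from the thread: header written at delivery, rescan a day later.
DELIVERY_HEADER = """default: False [10.89 / 15.00]
 MIME_GOOD(-0.10)
 BAYES_SPAM(3.99)
 MISSING_TO(2.00)
 URIBL_BLOCKED(0.00)
 R_MISSING_CHARSET(5.00)"""

RESCAN_OUTPUT = """Score: 18.39 / 15.00
Action: reject
Symbol: BAYES_SPAM (3.99)[99.99%]
Symbol: HFILTER_HELO_UNKNOWN (2.00)
Symbol: MIME_GOOD (-0.10)[text/plain]
Symbol: MISSING_TO (2.00)
Symbol: PH_SURBL_MULTI (5.50)[suijima.com.multi.surbl.org]
Symbol: R_MISSING_CHARSET (5.00)
Symbol: URIBL_BLOCKED (0.00)[suijima.com.multi.uribl.com]"""

# Two Postfix log lines from the thread (placeholders as posted).
POSTFIX_LOG = [
    "Apr  8 17:16:16 mailserver postfix/cleanup[3375]: 2F4E31A0B80: milter-reject: "
    "END-OF-MESSAGE from iredmail.druber.com[10.0.0.14]: 4.7.1 Try again later; "
    "from=<ma...@roxannebarksdale.com> to=<xxxxx> proto=ESMTP helo=<yyy>",
    "Apr  7 01:30:35 mailserver postfix/cleanup[5639]: ED3FF1A099A: milter-reject: "
    "END-OF-MESSAGE from xxx[10.0.0.14]: 5.7.1 Spam message rejected; If this is not "
    "spam contact abuse; from=<delphine....@yahoo.com> to=<xxx> proto=ESMTP helo=<xxx>",
]


def parse_symbols(text):
    """Return {symbol: score} from either format (header body or rspamc output)."""
    return {name: float(score) for name, score in SYMBOL_RE.findall(text)}


def compare_scans(header_body, rspamc_output):
    """Diff the symbol sets and totals of the two scans of the same message."""
    at_delivery = parse_symbols(header_body)
    on_rescan = parse_symbols(rspamc_output)
    return {
        "delivery_score": round(sum(at_delivery.values()), 2),
        "rescan_score": round(sum(on_rescan.values()), 2),
        "only_in_rescan": sorted(set(on_rescan) - set(at_delivery)),
        "only_at_delivery": sorted(set(at_delivery) - set(on_rescan)),
        # Symbols present in both scans but with a different weight.
        "rescored": {s: (at_delivery[s], on_rescan[s])
                     for s in set(at_delivery) & set(on_rescan)
                     if at_delivery[s] != on_rescan[s]},
    }


def rmilter_action(score, greylist_passed=False, thresholds=THRESHOLDS):
    """Assumed model of rmilter's decision as described in the thread: reject at or
    above the reject threshold; otherwise greylist (4.7.1) anything at or above the
    greylist threshold until the retry passes greylisting; then 'add header' at or
    above the probable-spam threshold, else accept."""
    if score >= thresholds["reject"]:
        return "reject"          # 5.7.1 permanent rejection
    if score >= thresholds["greylist"] and not greylist_passed:
        return "greylist"        # 4.7.1 'Try again later'
    if score >= thresholds["add header"]:
        return "add header"      # accepted and marked as spam
    return "accept"


def classify_milter_rejects(log_lines):
    """Map queue id -> (kind, reply text); 'tempfail' for 4.x.x, 'reject' for 5.x.x."""
    result = {}
    for line in log_lines:
        m = MILTER_REJECT_RE.search(line)
        if m:
            qid, cls, text = m.groups()
            result[qid] = ("tempfail" if cls == "4" else "reject", text)
    return result


if __name__ == "__main__":
    diff = compare_scans(DELIVERY_HEADER, RESCAN_OUTPUT)
    print(diff)
    for s in (diff["delivery_score"], diff["rescan_score"]):
        print(s, rmilter_action(s), "->", rmilter_action(s, greylist_passed=True))
    print(classify_milter_rejects(POSTFIX_LOG))
```

On the thread's data the diff reports exactly the two symbols Dan spotted, PH_SURBL_MULTI and HFILTER_HELO_UNKNOWN, as present only in the rescan. The second of those is consistent with point 1 above: `rspamc` scanning a file has no SMTP HELO to pass, so a HELO check fires that could not fire the same way when rmilter supplied the session parameters. For the first, a URI block list answering differently a day later is exactly point 2, and the practical consequence is that a rescanned score is not evidence of what rmilter decided at delivery; only the `X-Spamd-Result` header and the `rmilter`/`postfix` log lines are.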