
tracking: equivalent configs of SpamAssassin & Rspamd #3323

Closed
ghnp5 opened this issue May 10, 2023 · 28 comments · Fixed by #3820
Labels
kind/improvement Improve an existing feature, configuration file or the documentation meta/help wanted The OP requests help from others - chime in! :D service/security/rspamd service/security/spamassassin stale-bot/ignore Indicates that this issue / PR shall not be closed by our stale-checking CI

Comments

@ghnp5
Contributor

ghnp5 commented May 10, 2023

Subject

I would like some feedback concerning a use case

Description

It's not clear if we have equivalent configs for these, that apply to rspamd:

# deliver spam messages in the inbox (eventually tagged using SA_SPAM_SUBJECT)
SPAMASSASSIN_SPAM_TO_INBOX=1

# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
# - **0** => KAM disabled
# - 1 => KAM enabled
#
# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
ENABLE_SPAMASSASSIN_KAM=1

# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
MOVE_SPAM_TO_JUNK=0

# add spam info headers if at, or above that level:
SA_TAG=-999.0

# add 'spam detected' headers at that level
SA_TAG2=5.0

# triggers spam evasive actions
SA_KILL=999.0

# add tag to subject if spam detected
# by being empty, "***SPAM*** " (with a space) will be used
SA_SPAM_SUBJECT=undef

I just want to make sure all emails reach the Inbox (and not 100% rejected or moved to Junk), independently of their Spam score, but with Headers added to them.

I see that you allow us to completely override config files, by adding files to override.d, but from what I understand, you already make use of local.d, which is the folder that can be used to override some configs.

So, if I want to update just a few configs, but keeping your changes in local.d, how can I do that, without overriding the whole file in override.d ?

Wouldn't it make more sense that the add-line custom command would add lines to local.d instead of override.d? We already can easily create files in override.d, hence I'm not understanding how add-line is useful.

Thank you very much!

@ghnp5 ghnp5 added the meta/help wanted The OP requests help from others - chime in! :D label May 10, 2023
@georglauterbach
Member

Okay so here's what I found: Like Amavis, Rspamd can integrate SA. We disable the SA module of Rspamd by default, but you can integrate it easily. However, there is a very likely possibility that not everything works. In case of a simple SA setup, everything should be fine though. Also see https://rspamd.com/doc/tutorials/migrate_sa.html#general-spamassassin-rules / https://www.rspamd.com/doc/modules/spamassassin.html! I used this page: https://rspamd.com/doc/tutorials/migrate_sa.html which you definitely want to read!

@georglauterbach
Member

georglauterbach commented May 11, 2023

So, if I want to update just a few configs, but keeping your changes in local.d, how can I do that, without overriding the whole file in override.d?

This is a misunderstanding, but I guess the docs I've written could explain it a bit better. Here is the article from the Rspamd FAQ: https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories. You can see that if you have:

# contents of file.conf in local.d
lol = troll
foo = bar

and

# contents of file.conf in override.d
lol = 42

then your config in the end will look like this:

lol = 42
foo = bar

Basically, it's not a complete file override, but a forced override of the parts in the file :) I hope this clears up this part of the issue. This also clears up:

Wouldn't it make more sense that the add-line custom command would add lines to local.d instead of override.d? We already can easily create files in override.d, hence I'm not understanding how add-line is useful.

@georglauterbach
Member

I'll post later today what the migrated SA rules would look like for Rspamd.

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Hey

Thanks very much!!! I'll have a better read of all this.

Just about this:

Basically, it's not a complete file override, but a forced override of the parts in the file :)

Thanks for clarifying!

Seems I misunderstood what rspamd documentation tried to say here:
https://rspamd.com/doc/tutorials/writing_rules.html

With this approach, you can either modify or add to the existing settings in the Rspamd configuration (using local.d) or completely override them (using override.d).

But great, if it works incrementally, then! :)

@georglauterbach
Member

Here is what custom-commands.conf could look like:

# `SPAMASSASSIN_SPAM_TO_INBOX=1` has no equivalent but is configured implicitly here
# There is no KAM for Rspamd (ENABLE_SPAMASSASSIN_KAM=1)

# add spam info headers if at, or above that level: (SA_TAG=-999.0)
# This is already enabled by default (`extended_spam_headers = true;`)!
set-option-for-module milter_headers extended_spam_headers true

# add 'spam detected' headers at that level (SA_TAG2=5.0)
set-option-for-module actions add_header 5

# triggers spam evasive actions (SA_KILL=999.0)
set-option-for-module actions reject null

# add tag to subject if spam detected
# by being empty, "***SPAM*** " (with a space) will be used (SA_SPAM_SUBJECT=undef)
set-option-for-module actions subject ""

I have not tested or verified these settings myself though!

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Thanks very much!!

Seems to be close to what I have.

Since you said that I can have the files in override.d, I've prepared these files:

milter_headers.conf

# https://rspamd.com/doc/modules/milter_headers.html

# Add "extended Rspamd headers" (enables x-spamd-result, x-rspamd-server & x-rspamd-queue-id routines)
extended_spam_headers = true;

# List of headers to be enabled for authenticated users (default empty)
authenticated_headers = ["authentication-results"];

# Set false to always add headers for authenticated users (default true)
skip_authenticated = false;

--

actions.conf

# https://rspamd.com/doc/quickstart.html#overriding-symbols-scores-and-actions-thresholds

reject = 999; # Reject when reaching this score

add_header = 5; # Add header when reaching this score

# greylist = 999; # Apply greylisting when reaching this score (will emit `soft reject action`)

subject = "";

I added this last line now.

It's probably safer to use reject = 999 than null, as I haven't seen the documentation saying that null works there. (I can't find much about actions.conf, other than what is in the Quick Start!)

Thank you very much!!

I'll try to test this later.

Have to be careful, every time I upgrade the mail servers!!
And have to regenerate the DKIM keys as well, once I enable rspamd.

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Alright, I see reject = null; suggested here - https://serverfault.com/questions/912318/do-not-reject-mails-with-rspamd-1-7

Anyway - I tried both "999" and "null", and I'm getting the Gtube Pattern rejected :(

email@mydomain.com: host mail.mydomain.com[123.1.1.123] said: 554
5.7.1 Gtube pattern (in reply to end of DATA command)

--

And in the Docker logs:

May 11 14:17:06 server postfix/cleanup[3194]: CE4296046A: milter-reject: END-OF-MESSAGE from mail.otherdomain.com[1.2.3.4]: 5.7.1 Gtube pattern; from=test@otherdomain.com to=email@mydomain.com proto=ESMTP helo=<mail.otherdomain.com>

@georglauterbach

@georglauterbach
Member

georglauterbach commented May 11, 2023

GTUBE will always be rejected, no matter what - this is expected (and fine IMO). The same should not hold for other emails though.

But there is an issue when using ClamAV: I think that when Clam detects a virus, the email is rejected too. I think there is currently no way of disabling that in Rspamd (even though I am not sure whether you really want to have a mail which contains a virus... ClamAV is pretty good at these things).

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

Thank you very much.

So - I've just tested sending an "obviously spammy" email.

It contains "Buy V****", "Congratulations!!", a money amount in USD, "click the link", "Dear sir or madam".

If I send to a mailbox that is still on SpamAssassin, I get this:

X-Spam-Flag: YES
X-Spam-Score: 10.201
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.201 tagged_above=-999 required=5
	tests=[BAYES_50=0.8, DEAR_SOMETHING=1.973, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	DRUGS_ERECTILE=1.994, HTML_MESSAGE=0.001, KAM_SEXSUBJECT=2,
	KAM_VIAGRA1=3, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SERGIO_SUBJECT_VIAGRA01=0.001,
	SPF_PASS=-0.001, SUBJ_BUY=0.639, T_SCC_BODY_TEXT_LINE=-0.01,
	URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
	URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no

Detected as spam 👍🏼

--

However, if I send to the mailbox that was upgraded to rspamd,

X-Spamd-Result: default: False [-0.40 / 5.00];
	AUTOGEN_PHP_SPAMMY(1.00)[];
	ARC_ALLOW(-1.00)[zohomail.eu:s=zohoarc:i=1];
	R_SPF_ALLOW(-0.20)[+ip4:123.1.1.123/24];
	R_DKIM_ALLOW(-0.20)[anondomain1.com:s=zmail];
	ONCE_RECEIVED(0.10)[];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	RCVD_TLS_LAST(0.00)[];
	ASN(0.00)[asn:2639, ipnet:123.1.1.123/24, country:US];
	RCVD_COUNT_ONE(0.00)[1];
	MID_RHS_MATCH_FROM(0.00)[];
	SUBJECT_ENDS_EXCLAIM(0.00)[];
	HAS_PHPMAILER_SIG(0.00)[];
	DKIM_TRACE(0.00)[anondomain1.com:+];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	FROM_HAS_DN(0.00)[];
	DMARC_NA(0.00)[anondomain1.com];
	REPLYTO_DOM_NEQ_FROM_DOM(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	TO_DN_NONE(0.00)[];
	HAS_REPLYTO(0.00)[test@dasdasd222.com]
X-Rspamd-Server: mysrv.domain1.com
X-Rspamd-Action: no action
X-Rspamd-Queue-Id: EE2AA60050

The score is even negative!!

Is this because I need to train the model first, or so?

I was hoping there would be an already trained model, or a "blacklist" like SpamAssassin has, such as KAM, that we can keep updating automatically to catch new Spam emails.

Thanks!
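To compare the two verdicts above side by side, here is an added example (not code from this thread, docker-mailserver or Rspamd) that parses the folded X-Spam-Status and X-Spamd-Result headers into the same shape, so a defender can see which symbols drove each engine's score. The sample header values are constructed, shortened copies of the two quoted above.

```python
import re

# Constructed samples, shortened from the two headers quoted in this thread.
SA_STATUS = (
    "Yes, score=10.201 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_50=0.8, DEAR_SOMETHING=1.973, KAM_VIAGRA1=3,\n"
    "\tSPF_PASS=-0.001] autolearn=no autolearn_force=no"
)
RSPAMD_RESULT = (
    "default: False [-0.40 / 5.00];\n"
    "\tAUTOGEN_PHP_SPAMMY(1.00)[];\n"
    "\tARC_ALLOW(-1.00)[zohomail.eu:s=zohoarc:i=1];\n"
    "\tR_SPF_ALLOW(-0.20)[+ip4:123.1.1.123/24];\n"
    "\tHAS_REPLYTO(0.00)[test@dasdasd222.com]"
)


def unfold(value):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def parse_sa_status(value):
    """X-Spam-Status: 'Yes, score=... required=... tests=[NAME=score, ...]'."""
    v = unfold(value)
    m = re.match(r"(Yes|No),\s+score=([-\d.]+).*?required=([-\d.]+)", v)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = {}
    t = re.search(r"tests=\[(.*?)\]", v)
    if t:
        for item in t.group(1).split(","):
            name, _, score = item.strip().partition("=")
            if name:
                tests[name] = float(score)
    return {"engine": "spamassassin", "spam": m.group(1) == "Yes",
            "score": float(m.group(2)), "required": float(m.group(3)),
            "symbols": tests}


def parse_rspamd_result(value):
    """X-Spamd-Result: 'default: False [score / required]; SYMBOL(score)[opts]; ...'."""
    v = unfold(value)
    m = re.match(r"(\S+):\s+(True|False)\s+\[([-\d.]+)\s*/\s*([-\d.]+)\]", v)
    if not m:
        raise ValueError("not an X-Spamd-Result header")
    symbols = {name: float(score)
               for name, score, _opts in re.findall(r"(\w+)\(([-\d.]+)\)\[([^\]]*)\]", v)}
    return {"engine": "rspamd", "spam": m.group(2) == "True",
            "score": float(m.group(3)), "required": float(m.group(4)),
            "symbols": symbols}


def top_contributors(result, n=3):
    """Symbols ordered by how much they pushed the score toward spam."""
    return sorted(result["symbols"].items(), key=lambda kv: -kv[1])[:n]


def disagreement(a, b):
    """True when the two engines reached opposite verdicts on the same mail."""
    return a["spam"] != b["spam"]
```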

@ghnp5
Contributor Author

ghnp5 commented May 11, 2023

(and btw @georglauterbach, just sponsored you for the second time (with a different profile) - big thanks for all you do)

@vstakhov

So - I've just tested sending an "obviously spammy" email.

It contains "Buy V****", "Congratulations!!", a money amount in USD, "click the link", "Dear sir or madam".

This sort of message is an easy catch for SA but a blind spot for Rspamd. The reason is that they are filtered by a set of regular expressions from KAM and other sources. These regular expressions are good at filtering obvious spam, but they are resource greedy and somewhat prone to producing false positives. Rspamd supports the vast majority of the SA constructions but not all of them. It is probably worth investing some time and resources into porting some of the useful rules from KAM/SA stock rules to Rspamd.

@georglauterbach
Member

(and btw @georglauterbach, just sponsored you for the second time (with a different profile) - big thanks for all you do)

Thank you very much! For me as a student, this helps a lot!! I am very grateful ❤️

@georglauterbach
Member

@vstakhov confirmed my initial guess that this may not be Rspamd's stronghold as of now. What I can see from the extended headers, KAM is adding a lot of score for wording, etc., and Rspamd takes into account ARC (subtracting from the score), etc.

But I think we could improve the situation, either by doing something like KAM: a separate list that Rspamd can include; or (preferably) what @vstakhov proposed, to port some more rules from KAM/SA to Rspamd.

@vstakhov could you give me a starting direction where to add these rules in Rspamd? I can try to look up which rules KAM applied. Maybe we can work out a solution.

@georglauterbach georglauterbach added this to the v13.0.0 milestone May 12, 2023
@georglauterbach georglauterbach self-assigned this May 12, 2023
@georglauterbach georglauterbach added the kind/improvement Improve an existing feature, configuration file or the documentation label May 12, 2023
@georglauterbach georglauterbach changed the title Are there equivalent configs of SpamAssassin for rspamd? tracking: equivalent configs of SpamAssassin & Rspamd May 12, 2023
@ghnp5
Contributor Author

ghnp5 commented May 12, 2023

could you give me a starting direction where to add these rules in Rspamd?

This is probably the way:
https://rspamd.com/doc/tutorials/migrate_sa.html

spamassassin {
	sa_main = "/etc/spamassassin/conf.d/*";
	sa_local = "/etc/spamassassin/local.cf";
}

Also: https://rspamd.com/doc/modules/spamassassin.html

Then we can just try to keep them updated.

Not sure if sa-update works when SpamAssassin is working through rspamd

@georglauterbach
Member

I think Rspamd already applies many rules that SA applies in a similar fashion ("many SA rules are already implemented natively in Rspamd so you won’t get any benefit from including such rules from SA.").

The score is mainly created by the KAM rules. We'd need to deal with KAM if I interpret the data correctly.

@ghnp5
Contributor Author

ghnp5 commented May 12, 2023

Btw,

A few messages above, this was suggested:

set-option-for-module actions subject ""

If we do this, the WHOLE subject will become empty, I believe.

We need to add %s as per the very bottom of this page: https://rspamd.com/doc/configuration/metrics.html

subject - string value that replaces the message’s subject if the rewrite subject action is applied. Original subject can be included with %s. Message score can be filled using %d extension.

I have this now, in my actions.conf:

reject = null; # reject message
discard = null; # silently discard a message
quarantine = null; # push a message to quarantine (must be supported by MTA)
greylist = null; # apply greylisting (will emit `soft reject action`)
soft_reject = null; # temporarily delay message (this is used, for instance, to greylist or ratelimit messages)

add_header = 5; # add header to indicate spam
rewrite_subject = 5;
subject = "* %s";
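The mapping this thread converges on (null to switch an action off, %s to keep the original subject) can be written down as a small generator. This is an added example, not docker-mailserver's or Rspamd's own code; it assumes the variable names and defaults quoted at the top of the issue and that SA_SPAM_SUBJECT=undef means the "***SPAM*** " tag.

```python
"""Constructed example: translate SpamAssassin-style DMS settings into an
Rspamd actions.conf fragment, applying the two corrections worked out in
this thread: `reject = null` when nothing may be rejected, `%s` in subject."""

DEFAULT_SUBJECT_TAG = "***SPAM*** "   # what SA_SPAM_SUBJECT=undef stands for
SA_DEFAULTS = {"SA_TAG2": "5.0", "SA_KILL": "999.0",
               "SPAMASSASSIN_SPAM_TO_INBOX": "0", "SA_SPAM_SUBJECT": "undef"}


def ucl_value(value):
    """Render a threshold; None becomes `null`, which disables the action."""
    return "null" if value is None else f"{value:g}"


def rspamd_actions_from_sa(env):
    """Return (actions.conf text, list of warnings) for the SA settings in env."""
    cfg = {**SA_DEFAULTS, **env}
    warnings = []
    tag2 = float(cfg["SA_TAG2"])
    kill = float(cfg["SA_KILL"])
    to_inbox = cfg["SPAMASSASSIN_SPAM_TO_INBOX"] == "1"

    tag = cfg["SA_SPAM_SUBJECT"]
    if tag == "undef":
        tag = DEFAULT_SUBJECT_TAG
    # Rspamd replaces the whole subject with this string; %s stands for the
    # original subject, so without it every tagged mail loses its subject.
    if "%s" not in tag:
        warnings.append("SA_SPAM_SUBJECT has no %s; appended it to keep the original subject")
        tag += "%s"
    subject = tag.replace('"', '\\"')

    # Delivering everything to the inbox means no action may drop or defer a
    # message, so those actions are switched off with null rather than given
    # a high score; otherwise SA_KILL becomes the reject threshold.
    reject = None if to_inbox else kill

    lines = ["# generated from SpamAssassin-style settings (constructed example)",
             f"reject = {ucl_value(reject)};"]
    if to_inbox:
        lines += ["greylist = null;", "soft_reject = null;"]
    lines += [f"add_header = {tag2:g};",
              f"rewrite_subject = {tag2:g};",
              f'subject = "{subject}";']
    return "\n".join(lines) + "\n", warnings
```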

@georglauterbach
Member

You're correct: %s is required! Sorry for the initial wrong information.

@georglauterbach
Member

georglauterbach commented May 13, 2023

What just came to my mind: I use Abusix, which I documented as well. It is doing a great job at providing better spam scores, in addition to the already existing blocklists.


But what we're mainly concerned about here is scanning of dubious words, phrases, etc. I found this documentation page, but I lack the time to dig more into this. I'd like to wait for @vstakhov's opinion on how we should proceed here.


Just FYI: I'm starting my thesis at university now, so I lack the time to take on any bigger projects for now. If there are any questions, or you need help with a specific case, don't hesitate to ping me though :D

@georglauterbach georglauterbach removed their assignment May 13, 2023
@ghnp5
Contributor Author

ghnp5 commented May 13, 2023

Thank you very much for the suggestion.

I need to focus on something else right now, too, but whenever I can, I'll try to get the SpamAssassin rules included in rspamd.

I got a few emails marked as Spam already. rspamd does work, with the rules it has. I guess SA just helps a bit more, with those KAM rules.
Nothing urgent, so.

Good luck with your thesis!!!

@georglauterbach georglauterbach added the stale-bot/ignore Indicates that this issue / PR shall not be closed by our stale-checking CI label May 13, 2023
@georglauterbach georglauterbach removed this from the v13.0.0 milestone May 24, 2023
@williamdes
Contributor

williamdes commented Jul 21, 2023

FYI: rspamd/rspamd#3990
I had to add local.d/settings.conf or rspamd would mark outbound emails as spam.
And since I configured email rewrite, it got me in trouble.

# Disable some checks for authenticated users
# See: https://github.com/rspamd/rspamd/discussions/3990
authenticated {
    priority = high;
    authenticated = yes;
    apply {
        # Disable content checking and other rules
        groups_enabled = ["policies", "dkim", "spf"];
    }
}

@georglauterbach
Member

georglauterbach commented Jul 22, 2023

Checking outbound emails is actually intended, but I'd agree that we need to communicate this, maybe even provide the recipe for disabling it. I will provide a PR.

@williamdes
Contributor

Checking outbound emails is actually intended, but I'd agree that we need to communicate this, maybe even provide the recipe for disabling it. I will provide a PR.

Thanks, I will gladly review it. Compared with SpamAssassin, we should disable this by default. I really think it can be harmful.

@georglauterbach
Member

I will need to come up with a solution for #3804. This will probably involve SA_SPAM_SUBJECT. We're now at a point where Rspamd and SA are both well-integrated. The PR that closes #3804 will then probably also close this issue.

@georglauterbach
Member

Posting this here too for visibility: It was noted that there is no equivalent of SA_KILL in conjunction with SPAMASSASSIN_SPAM_TO_INBOX. This is because IMO this is really useless - just set reject = 100; in Rspamd's configuration. This way, no e-mail will be rejected if that's what you're after.

@ghnp5
Contributor Author

ghnp5 commented Jan 29, 2024

just set reject = 100; in Rspamd's configuration. This way, no e-mail will be rejected if that's what you're after.

Thanks!

What I have at the moment is this:

reject = null; # reject message

I know it was confusing when I was reading the documentation (mailserver and rspamd) at the time, and ended up figuring out that null was the best for me.

I'm not very confident about changing this now :-D I'll have to see if I can find what my understanding was at the time.

But it makes sense to change to "100" or "999", I guess.

@georglauterbach
Member

I actually think you should stick with null; I didn't think of this at the time but when I recently disabled rewrite_subject I used null as well.

I'll add an entry to the docs.

@ghnp5
Contributor Author

ghnp5 commented Jan 29, 2024

@georglauterbach - thank you!!

About this issue (#3323) in specific, is there any plan to implement ENABLE_SPAMASSASSIN_KAM=1 into rspamd as well?

I'm not sure how I'd keep it updated. I used to have a cron that ran sa-update regularly.

Many thanks!

@georglauterbach
Member

@georglauterbach - thank you!!

You're welcome :)

About this issue (#3323) in specific, is there any plan to implement ENABLE_SPAMASSASSIN_KAM=1 into rspamd as well?

No, there are no such plans. I'd rather like to keep SA and Rspamd a bit separated in this concern, which is a decision related to maintainability.

I'm not sure how I'd keep it updated. I used to have a cron that ran sa-update regularly.

I think users that are willing to integrate SA into Rspamd are very welcome to add a tutorial to our documentation though :) If you get it working, feel free to open a documentation PR that updates our docs so other users can benefit as well 🚀
