e-mail blacklist not working

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Oct 7, 2020.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I found an old thread https://www.howtoforge.com/community/threads/rspamd-blacklist-whitelist-support.83049/ where it seems the blacklist entry was applied. I tried to debug in a similar way, and see no effect of the blacklist entry.
    User entered blacklist in ISPConfig panel Email | Spamfilter | Blacklist and I added in the same place, as admin, a blacklist from the @senderdomain to @localdomain, and remembered to tick Active (which I suspect the user did not do). Admin entry has priority 6, user entry priority 5.
    I get files created in /etc/rspamd/local.d/users/, so that part works. My guess is the R_DUMMY = 999.0; entry should give the e-mail so high a score that it gets rejected?
    But the same sender got similar spam through after those settings were in place. I examined mail.log and rspamd.log. I cannot see that the blacklist entry had any effect.
    Code:
    root@myhost:/var/log/rspamd# grep 85DD08369B /var/log/mail.log
    Oct  7 16:04:49 myhost postfix/smtpd[3244]: 85DD08369B: client=alert-email.bark.com[54.246.92.176]
    Oct  7 16:04:49 myhost postfix/cleanup[3251]: 85DD08369B: message-id=<[email protected]>
    Oct  7 16:04:50 myhost postfix/qmgr[29063]: 85DD08369B: from=<[email protected]>, size=33207, nrcpt=1 (queue active)
    Oct  7 16:04:50 myhost postfix/pipe[3218]: 85DD08369B: to=<[email protected]>, relay=dovecot, delay=1.2, delays=1.1/0/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
    Oct  7 16:04:50 myhost postfix/qmgr[29063]: 85DD08369B: removed
    Code:
    root@myhost:/var/log/rspamd# grep 592bc8 rspamd.log
    2020-10-07 16:04:49 #27025(normal) <592bc8>; task; rspamd_worker_body_handler: accepted connection from 127.0.0.1 port 41298, task ptr: 00007F478D2530A0
    2020-10-07 16:04:49 #27025(normal) <592bc8>; task; rspamd_message_parse: loaded message; id: <[email protected]>; queue-id: <85DD08369B>; size: 32948; checksum: <32ae532edb862f982e973b26122fceaf>
    2020-10-07 16:04:49 #27025(normal) <592bc8>; lua; settings.lua:363: <[email protected]> apply static settings ispc_mail_user_126 (id = 2209680280); rcpt matched; priority high
    2020-10-07 16:04:49 #27025(normal) <592bc8>; task; lua_task_set_settings: disabled action greylist due to settings
    2020-10-07 16:04:50 #27025(normal) <592bc8>; task; rspamd_mime_part_detect_language: detected part language: en
    2020-10-07 16:04:50 #27025(normal) <592bc8>; task; rspamd_mime_part_detect_language: detected part language: en
    2020-10-07 16:04:50 #27025(normal) <592bc8>; task; dkim_module_key_handler: stored DKIM key for _dkim._domainkey.bark.com in LRU cache for 60 seconds, 1041/2000 elements in the cache
    2020-10-07 16:04:50 #27025(normal) <592bc8>; task; rspamd_spf_maybe_return: stored record for mail.bark.com (0xf2548e4118f91b89) in LRU cache for 300 seconds, 1101/2000 elements in the cache
    2020-10-07 16:04:50 #27025(normal) <592bc8>; lua; arc.lua:642: cannot read key from /var/lib/rspamd/arc/vauhtisammakko.com.arc.key: Tiedostoa tai hakemistoa ei ole
    2020-10-07 16:04:50 #27025(normal) <592bc8>; task; rspamd_task_write_log: id: <[email protected]>, qid: <85DD08369B>, ip: 54.246.92.176, from: <[email protected]>, (default: F (no action): [5.42/6.00] [BAYES_SPAM(5.09){99.99%;},URI_COUNT_ODD(1.00){17;},DMARC_POLICY_ALLOW(-0.50){bark.com;none;},FORGED_SENDER(0.30){[email protected];[email protected];},R_DKIM_ALLOW(-0.20){bark.com:s=_dkim;},R_SPF_ALLOW(-0.20){+ip4:54.246.92.176;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},MANY_INVISIBLE_PARTS(0.05){1;},HAS_LIST_UNSUB(-0.01){},MX_GOOD(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:16509, ipnet:54.246.0.0/17, country:US;},DKIM_TRACE(0.00){bark.com:+;},DWL_DNSWL_NONE(0.00){bark.com:dkim;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){[email protected];[email protected];},MIME_TRACE(0.00){0:+;1:+;2:~;},PREVIOUSLY_DELIVERED(0.00){[email protected];},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_IN_DNSWL_NONE(0.00){54.246.92.176:from;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_VERYGOOD(0.00){54.246.92.176:from;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 32948, time: 701.152ms, dns req: 47, digest: <32ae532edb862f982e973b26122fceaf>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>, settings_id: ispc_mail_user_126
    2020-10-07 16:04:50 #27025(normal) <592bc8>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 184 regexps total, 64 regexps cached, 0B scanned using pcre, 44.72KiB scanned total
    root@myhost:/var/log/rspamd# 
    This same sender started 1st October, sends several spams daily, each from a different IP address. Not massive, but the user just likes to get those e-mails blacklisted.
    OS Debian 9.x, ISPConfig 3.1.15p3. rspamd: Installed: 2.5-156~stretch
     
    elmacus likes this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's indeed the intended mechanism to achieve blacklisting.

    Did you have a look into the rspamd web interface to see if you can find anything about this email? Besides that, maybe use the postfix blacklist instead temporarily until we find out what's wrong with the Rspamd blacklisting.
     
    Taleman likes this.
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Rspamd web does show these e-mails. This morning I managed to get them rejected by increasing symbol BAYES_SPAM to 12; rspamd history showed these e-mails had a spam probability over 99.5%. That seems to cause other e-mails also getting rejected, and they may have been ham. So this is not perfect but works for now.
    This user case would be better solved if blacklisting of this one sender or sender domain worked. User set that up himself and then complained to me when it did not work.
    I'll examine that postfix blacklist, if it works I could restore BAYES_SPAM to original value.
     
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Could you please grep for the mentioned domain AND the specific email address that the mails get sent to inside the rspamd user directory? The rspamd configs are not additive. So the first match for the specific domain/mail address with the highest score will be used.

    In addition, have you checked if rspamd was correctly restarted since then? Sometimes, with a lot of user config entries, the simple "reload" does not work and rspamd needs a restart.
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Code:
    /etc/rspamd/local.d/users# grep bark.com *
    global_wblist_4.conf:    from = "@bark.com";
    spamfilter_wblist_642.conf:    from = "[email protected]";
    spamfilter_wblist_643.conf:    from = "@bark.com";
    
    rspamd.service was reloaded several times yesterday and this morning. I restarted it just now, just in case.
    I'll send PM, some things I do not want to publish.
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Ie. with the highest priority?

    I did a simple blacklist test as well and yesterday I didn't get blocked, as I had expected to - in retrying my test today, I am blocked. I didn't change the blacklist entries, but possibly/likely rspamd was restarted or something else differed. Maybe I just messed up my test yesterday, but I did see mail from my blacklisted domain being delivered in the logs, so I think I did it right.

    FWIW, my blacklist entry was for the @domain.com (because the gui doesn't allow setting to a specific user - I'm guessing that's in mind for the future?):
    Code:
    # cat /etc/rspamd/local.d/users/spamfilter_wblist_2.conf
    spamfilter_wblist-2 {
        priority = 26;
        from = "@blacklistme.com";
        rcpt = "@domain.com";
        apply {
            R_DUMMY = 999.0;
            actions {
                reject = 0.2;
                "add header" = 0.1;
                greylist = 0.1;
                "rewrite subject" = 0.1;
            }
        }
    }
    
    And my user account also has a file there:
    Code:
    # cat /etc/rspamd/local.d/users/jesse_domain.com.conf
    ispc_mail_user_1 {
        priority = 20;
        rcpt = "[email protected]";

        apply {
            CLAM_VIRUS = 1010;
            JUST_EICAR = 1010;
            actions {
                "rewrite subject" = 6;
                reject = 10;
                greylist = null;
            }
        }
    }
    
     
    Last edited: Oct 9, 2020
    ahrasis likes this.
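    As an added illustration of the selection rule Croydon describes (the settings files are not additive: rspamd applies a single matching block, the one with the highest priority), here is a Python script that is not code from ISPConfig, rspamd or anyone in this thread. It parses constructed settings files modelled on the two Jesse posted and reports which block would be chosen for a given sender/recipient pair. File names, addresses and priority values are made-up assumptions, the matching model is simplified (exact address or whole @domain only), and a block counts as a "blacklist rule" simply when its apply section sets R_DUMMY, as the generated entries above do. The third sample file shows the case a defender wants to spot: a blacklist entry with a lower priority than the recipient's own ispc_mail_user block is never selected for that recipient, while it still wins for recipients without such a block.

```python
import re

# Constructed settings files, modelled on the ones posted in this thread
# (names, addresses and priorities are made up; not copied from any server).
SAMPLE_FILES = {
    "spamfilter_wblist_2.conf": '''
spamfilter_wblist-2 {
    priority = 26;
    from = "@blacklistme.com";
    rcpt = "@domain.com";
    apply {
        R_DUMMY = 999.0;
        actions { reject = 0.2; "add header" = 0.1; }
    }
}''',
    "spamfilter_wblist_9.conf": '''
spamfilter_wblist-9 {
    priority = 6;
    from = "@lowprio-spammer.example";
    rcpt = "@domain.com";
    apply {
        R_DUMMY = 999.0;
        actions { reject = 0.2; }
    }
}''',
    "jesse_domain.com.conf": '''
ispc_mail_user_1 {
    priority = 20;
    rcpt = "jesse@domain.com";
    apply {
        CLAM_VIRUS = 1010;
        actions { "rewrite subject" = 6; reject = 10; greylist = null; }
    }
}''',
}

# Tokens: quoted strings, the structural characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|[{}=;]|[^\s{}=;]+')


def _value(tok):
    tok = tok.strip('"')
    if tok == "null":
        return None
    try:
        return float(tok)
    except ValueError:
        return tok


def parse_ucl(text):
    """Parse the `key = value;` / `key { ... }` subset of UCL these files use."""
    tokens = TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos].strip('"')
            pos += 1
            if tokens[pos] == "{":
                pos += 1
                out[key] = block()
                pos += 1  # consume the closing brace
            elif tokens[pos] == "=":
                pos += 1
                out[key] = _value(tokens[pos])
                pos += 1
                if pos < len(tokens) and tokens[pos] == ";":
                    pos += 1
            else:
                raise ValueError(f"unexpected token {tokens[pos]!r} after {key!r}")
        return out

    return block()


def address_matches(pattern, address):
    """'@domain' matches every address in that domain; anything else must match exactly."""
    pattern, address = pattern.lower(), address.lower()
    return address.endswith(pattern) if pattern.startswith("@") else address == pattern


def load_settings(files):
    """Return (name, block) pairs in file order, as rspamd reads local.d/users/."""
    return [(name, blk) for fname in sorted(files)
            for name, blk in parse_ucl(files[fname]).items()]


def select_settings(settings, sender, rcpt):
    """The single block rspamd applies: highest priority among blocks whose
    from/rcpt conditions all match; on a tie the first one seen is kept."""
    best = None
    for name, blk in settings:
        conds = [(blk.get("from"), sender), (blk.get("rcpt"), rcpt)]
        if all(p is None or address_matches(p, a) for p, a in conds):
            if best is None or blk.get("priority", 0) > best[1].get("priority", 0):
                best = (name, blk)
    return best


def describe(settings, sender, rcpt):
    """Summarise the winning block: its name, priority, whether it is a blacklist
    rule (sets R_DUMMY) and the reject threshold it configures."""
    chosen = select_settings(settings, sender, rcpt)
    if chosen is None:
        return None
    name, blk = chosen
    apply = blk.get("apply", {})
    return {"settings": name, "priority": blk.get("priority"),
            "blacklist_rule": "R_DUMMY" in apply,
            "reject_threshold": apply.get("actions", {}).get("reject")}


if __name__ == "__main__":
    s = load_settings(SAMPLE_FILES)
    for pair in [("spammer@blacklistme.com", "jesse@domain.com"),
                 ("anyone@lowprio-spammer.example", "jesse@domain.com"),
                 ("anyone@lowprio-spammer.example", "other@domain.com")]:
        print(pair, "->", describe(s, *pair))
```

    Running it shows the priority-26 blacklist winning for jesse@domain.com, the priority-6 blacklist losing to ispc_mail_user_1 for the same recipient (no R_DUMMY, reject threshold 10), and that same priority-6 entry being selected for other@domain.com. To check a real server, point SAMPLE_FILES at the contents of /etc/rspamd/local.d/users/ and compare the result with the settings_id that rspamd.log reports for the message.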
  7. elmacus

    elmacus Active Member

    I have seen similar problem, has been since we moved to Rspamd.
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I added the sender domain to the Postfix Blacklist; that does work, like @till suggested.
    Unfortunately an ordinary user cannot add things to the Postfix Blacklist, so I have to do it as admin.
     
    elmacus likes this.