Email Mailbox - Spam configuration ignored by rspamd

Discussion in 'ISPConfig 3 Priority Support' started by clixclix, Sep 17, 2025 at 10:27 AM.

  1. clixclix

    clixclix Member HowtoForge Supporter

    I have a mailbox configured with Spamfilter = "Wants all spam"
    In the Spamfilter Policy I can see for the policy "Wants all spam", inside tab Rspamd, all values set to 999.00
    However, when certain emails are sent to that mailbox, I still see this in email log:
    Code:
    2025-09-16T22:35:03.875733+02:00 m11 postfix/cleanup[2211788]: 5DF9013FF1F63: milter-reject: END-OF-MESSAGE from xxxxxxxxxxxx[185.56.10.124]: 5.7.1 Spam message rejected; from=<no-reply@xxxxxxxxxxxx> to=<info@xxxxxxxxxxx> proto=ESMTP helo=<xxxxxxxxxxxxx>
    and in Rspamd log I see:
    Code:
    2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_task_write_log: id: <[email protected]>, qid: <5DF9013FF1F63>, ip: 185.56.10.124, from: <no-reply@xxxxxxxxxxxxxx>, (default: T (reject): [15.57/15.00] ...................
    How can I debug it?
    Thank you
     
    clixclix, Sep 17, 2025 at 10:27 AM
    #1
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    Please post the complete line of rspamd. Especially the last part of that message is relevant. You need to check which settings_id is applied to the scan, you can find that at the last part of the scanned message in the rspamd.log.

    Code:
    settings_id: xyz
     
    pyte, Sep 17, 2025 at 1:19 PM
    #2
    clixclix and till like this.
  3. clixclix

    clixclix Member HowtoForge Supporter

    Thanks @pyte, here are the lines of rspamd log regarding such email (I just obfuscated the recipient address):
    Code:
    2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_message_parse: loaded message; id: <[email protected]>; queue-id: <5DF9013FF1F63>; size: 24742; checksum: <f8d2fce015033df4e16d0af1aec3b290>
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_mime_part_detect_language: detected part language: it
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_mime_part_detect_language: detected part language: it
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_check_group_score: maximum group score 8.00 for group headers has been reached, reduce weight of symbol SPOOF_DISPLAY_NAME from 8.00 to 3.00
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_check_group_score: maximum group score 8.00 for group headers has been reached, ignoring symbol MISSING_XM_UA with weight 0.00
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; spf; spf_record_dns_callback: spf error for domain bookingexpert.org: cannot resolve AAAA record for bookingexpert.org: requested record is not found
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; dkim_module_key_handler: stored DKIM key for mail._domainkey.bookingexpert.org in LRU cache for 300 seconds, 636/2000 elements in the cache
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_spf_record_postprocess: increasing ttl from 60 to 300 as it lower than a limit
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_spf_maybe_return: stored SPF record for bookingexpert.org (0x92d48bb39997e5ba) in LRU cache for 300 seconds, 549/2000 elements in the cache
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow asynchronous rule: RBL_SEM(495): 411.99 ms; no idle timer is needed
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow asynchronous rule: SEM_URIBL_FRESH15_UNKNOWN(512): 427.99 ms; no idle timer is needed
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow asynchronous rule: SEM_URIBL_UNKNOWN(505): 431.99 ms; no idle timer is needed
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow synchronous rule: RBL_CALLBACK(589): 431.99 ms; idle timer has already been activated for this scan
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow synchronous rule: NEURAL_CHECK(455): 439.99 ms; idle timer has already been activated for this scan
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; lua; lua_bayes_learn.lua:69: id: <[email protected]>, from: <[email protected]>: can autolearn spam: score 15.57 >= 6, mime_rcpts: <[email protected]>
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow asynchronous rule: HISTORY_SAVE(414): 443.99 ms; no idle timer is needed
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow synchronous rule: MILTER_HEADERS(421): 443.99 ms; idle timer has already been activated for this scan
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; lua; neural.lua:345: skip spam sample to keep spam/ham balance; too many spam samples: 5001
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow asynchronous rule: NEURAL_LEARN(460): 443.99 ms; no idle timer is needed
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow synchronous rule: RATELIMIT_UPDATE(472): 443.99 ms; idle timer has already been activated for this scan
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; finalize_item: slow asynchronous rule: REPLIES_SET(590): 443.99 ms; no idle timer is needed
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_task_write_log: id: <[email protected]>, qid: <5DF9013FF1F63>, ip: 185.56.10.124, from: <[email protected]>, (default: T (reject): [15.57/15.00] [BAYES_SPAM(5.01){99.80%;},REPLYTO_EQ_TO_ADDR(5.00){},SPOOF_DISPLAY_NAME(3.00){bookingexpert.org;xxxxxxxx.it;},RCVD_UNAUTH_PBL(2.00){},NEURAL_SPAM_SHORT(0.46){0.922;},NEURAL_SPAM_LONG(0.10){0.103;},BAD_REP_POLICIES(0.10){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:31034, ipnet:185.56.8.0/22, country:IT;},DKIM_TRACE(0.00){bookingexpert.org:+;},DMARC_POLICY_ALLOW(0.00){bookingexpert.org;quarantine;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_REPLYTO(0.00){[email protected];},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},MISSING_XM_UA(0.00){},PREVIOUSLY_DELIVERED(0.00){[email protected];},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){3;},RCVD_IN_DNSWL_LOW(0.00){185.56.10.124:from;},RCVD_TLS_LAST(0.00){},RECEIVED_SPAMHAUS_PBL(0.00){34.38.109.5:received;},REPLYTO_DOM_NEQ_FROM_DOM(0.00){},R_DKIM_ALLOW(0.00){bookingexpert.org:s=mail;},R_DUMMY(0.00){},R_SPF_ALLOW(0.00){+mx;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 24742, time: 441.788ms, dns req: 58, digest: <f8d2fce015033df4e16d0af1aec3b290>, rcpts: <[email protected]>, mime_rcpts: <[email protected]>
2025-09-16 22:35:03 #2129424(normal) <3cb9e7>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 6 regexps matched, 180 regexps total, 72 regexps cached, 0B scanned using pcre, 30.15KiB scanned total
    In this case, it looks like there's no settings_id parameter. I've found that parameter elsewhere on the same log.
    Thank you.
     
    clixclix, Sep 17, 2025 at 3:31 PM
    #3
  4. pyte

    pyte Well-Known Member HowtoForge Supporter

    Interesting. It seems like no settings id was applied. Can you grep for the recipient address in the /etc/rspamd/local.d/users/ folder?
    Code:
    cd /etc/rspamd/local.d/users/
grep -r "[email protected]"
    Then provide a list of the files that match and run a "cat filename" on them and post the obfuscated output.

    Do you have a spamfilter user "[email protected]" under Spamfilter -> Users / Domain. Can you show the configuration of that?
     
    pyte, Sep 17, 2025 at 4:02 PM
    #4

Share This Page