Good morning, for the past few weeks, I've been having a problem with very poor spam detection by rspamd on both of my mail servers. Automatic training is working. The database contains over 12,000 spam and ham patterns. I've already reset the database and retrained about 4,000 spam emails. Despite this, clear spam emails are still getting through unimpeded. I'm using the following real-time blackhole lists: zen.spamhaus.org, b.barracudacentral.org, bl.spamcop.net, and dnsbl.sorbs.net. I'm using a local DNS server. What can I check or change to ensure that spam is detected correctly again? Best regards, Thomas
You greatly underestimate how much work it is to fight spam effectively. There is no one solution that fits all here. Rspamd gives you a very flexible and fast system to implement different rules and techniques to fight spam, but it is a platform that you need to tailor to your own needs. No one can tell you "do xyz" to improve your spam detection. What you need to do is to make yourself familiar with Rspamd's documentation, analyze spam that hits you and implement rules that work for your environment.
I understand that. We operate ten email servers. And on the three servers running rspamd, the detection rate has deteriorated significantly in recent weeks, without any changes being made. The detection rate is sometimes zero. Even emails that were previously trained to recognize the spammers are being delivered.
Then it might be that the Bayes server learned something wrong. Use the Rspamd GUI to investigate which scores are assigned from which subsystem of Rspamd for emails that were not filtered.
If you operate at a scale of 10 mail servers, you should really reconsider how you lay out your infrastructure. You should at least think about setting up a Redis Sentinel with multiple nodes and let rspamd share the following: Bayesian statistics, neural network models, greylisting, ratelimiting, reputation. And at that scale you might consider moving the rspamd workers out entirely and only use rspamd proxy on each mail server. Just my 2 cents
We use a Proxmox Mail Gateway on two servers and achieve a very good filtering rate. It would be a good idea to route the emails from the other servers through it as well and to disable spam filtering on the ISPConfig servers.
Instead of rerouting the email, I would check why you are no longer getting good filtering results and fix the issue, rather than working around it. Maybe the mail nodes can't perform RBL lookups anymore due to a DNS misconfiguration, or maybe someone whitelisted and disabled spam filtering, or you might have an issue with the Bayes DB. But you should be able to find the reason by looking at the email headers and in the Rspamd GUI.
Yes, that would be preferable too. But where do I start? I don't see anything unusual in the log files. The local DNS server is working. No queries are being blocked. I've already deleted the learned emails (spam and spam) and re-trained about 4,000 spam emails. It seems like the filter isn't even there. The mailboxes are set to "trigger happy" or "normal". Regards Thomas
Use the Rspamd GUI and email headers to check which scores got applied to the spam emails that come through.
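The header check suggested in the replies above, as an added example that is not part of the thread: it parses the value of an `X-Spamd-Result` header and reports whether the Bayes classifier or any blocklist left a symbol on the message. It assumes extended spam headers are enabled; the sample header is constructed, and matching blocklist symbols by the substrings `RBL`, `DNSBL` and `BLOCKED` is an assumption about the local symbol names.

```python
import re

# Constructed X-Spamd-Result value for a spam mail that was delivered
# (sample data, not taken from the thread).
SAMPLE = """default: False [2.60 / 15.00];
\tMISSING_MID(2.50)[];
\tMIME_HTML_ONLY(0.20)[];
\tMIME_GOOD(-0.10)[text/html];
\tRBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[203.0.113.7:from];
\tRCVD_COUNT_TWO(0.00)[2]"""

SYMBOL_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)")
TOTAL_RE = re.compile(r"\[\s*(-?\d+(?:\.\d+)?)\s*/\s*(-?\d+(?:\.\d+)?)\s*\]")


def parse_result(value):
    """Return (score, required, {symbol: weight}) from the header value."""
    head, _, rest = value.partition(";")
    total = TOTAL_RE.search(head)
    if not total:
        raise ValueError("no '[score / required]' part found")
    symbols = {name: float(w) for name, w in SYMBOL_RE.findall(rest)}
    return float(total.group(1)), float(total.group(2)), symbols


def diagnose(symbols):
    """List subsystems that left no useful trace in this message's result."""
    findings = []
    if not any(s.startswith("BAYES_") for s in symbols):
        findings.append("bayes: no BAYES_* symbol, classifier gave no verdict")
    # Assumption: blocklist symbols carry RBL or DNSBL in their name here.
    rbl = [s for s in symbols if "RBL" in s or "DNSBL" in s]
    blocked = [s for s in rbl if "BLOCKED" in s]
    if blocked:
        findings.append("rbl: list refused the query: " + ", ".join(blocked))
    elif not rbl:
        findings.append("rbl: no blocklist symbol fired")
    return findings


if __name__ == "__main__":
    score, required, symbols = parse_result(SAMPLE)
    print(f"score {score} of {required}")
    for line in diagnose(symbols):
        print(line)
```

A missing symbol on one message is only a hint, since a sender that is not listed produces no blocklist symbol either; the pattern matters when it repeats across many delivered spam mails.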