How do I make sure that the spam filter is working?

Hello,

I have a question about spam filtering with rspamd on the servers with DirectAdmin.
Before I activated the spam filter, some mails were marked with ‘SPAM’ in the subject. Since I enabled the spam filter (with ‘Send the spam to the user’s spam folder’ and subject rewriting) this doesn’t happen anymore and changing the subject doesn’t seem to work either.

Since I realize that this could just be coincidence, my question now would be if there is a way to check the functionality of the spam filter or the spam score?

The threshold is set to 5 and still mail with a ‘Spamtally: Final spam score: 96’ header is not marked/moved. Is ‘Spamtally’ the header that contains the value to which the threshold should be applied?

Kind regards,
Joe

Great question!

So the “SPAM” in the subject without that setting enabled is a bug, and one that has been persisting for me for quite a bit. However, enabling rspamd in the control panel will opt you out of that bug so there is at least a reasonable workaround (even if you don’t enable any setting that causes you to perform any action on email deemed to be spam). You can re-enable the subject rewrite there, but most prefer not to have it.

The SpamTally header is indeed not rspamd and is a more simplistic system that works alongside it above the level of your user settings. The one that your settings relate to will be X-Spam-Score. It may not be present when the email is under the threshold set in your rspamd settings.

You should see SpamTally scores up to 149; a 150 score is the drop point for that. These are really large scores on very few tests like “No reverse DNS = 100” and “SPF pass = -30.” You won’t be able to manipulate those.

That appears to have slipped in during a restart. Honestly I’m okay with you not having any messages tagged as spam. As long as you’re not missing legitimate messages. In some ways our filtering is inferior to Google’s and in other ways it might be superior. I’m actually doing daily log audits and identifying, then attacking, inbound spam. Remember that I’m working against real humans, these spammers aren’t AI. They’ve learned how to get past me not just by degrees of success, but with total success. It’s a constant back and forth. When I’m right, they’re blocked. When I’m wrong, they’re probably in your inbox.

Thanks for the quick response. Is there any way to see the X-Spam score (or other values useful for debug purposes) in the header even if it does not reach the threshold?

Will the functionality of the spam filter be affected if I set a forwarder address as a catch-all address so that multiple users get these mails?
(for example catch-all is set to forward@example.org and forward@example.org forwards to user1@example.org and user2@example.org).

Can’t say anything nonspecific at this point. Rspamd is on and works, so anything more would need to be a specific log audit.

Also good questions. Currently there is no way to see the X-Spam-Score header unless it meets your threshold set in rspamd settings. Now, you could set that threshold low, set it to deliver to inbox, and then use sieve filters (Use Roundcube at servername/webmail > Settings > Filters to create true, LDA-level server side filters) to then manipulate what is done with the email if it matched a particular threshold.

Catchall should be okay. There is an edge case where a static forwarder without a matching account can cause unexpected behavior, better to explain that where Discourse won’t demolish formatting: PrivateBin (mxrouteapps.com)

I have set the threshold to 0 as a test and still spam mails I receive do not contain an X-Spam-Score header. Mails that fail the SPF check should definitely have a positive X-Spam-Score, right? What I could find was a header in the format “X-Spam-Bar: ++++++++++++”.

In a single mail I saw “X-Spam-Status: No, spam_score was empty, meaning rspamd failed to scan the message”.

Overall, I am very confused as not a single mail has been tagged/moved since the spam filter was activated. Whereas before at least some mails were tagged correctly. However, I also can’t tell if the spam in question is simply getting past the filter as false positives.

Hi @Jarland apologies for hijacking this old question.
Am seeing exactly the same behavior on shadow.

Have tried activating and deactivating spam filtering, but did not change anything.
One recent message that has this problem for example has the local ID: qJIGD6od4GBXKgAAamG25A
(Message ID is 003c01d77016$075cd4b6$745de69f@aoarvkx)

Would be great if you could have a look at that. Happy to help debug as well.

Alex

I see rspamd working on Shadow. If a message exceeds the globally configured size (5MB) it won’t be scanned (to limit memory usage). Sometimes rspamd is restarted for config changes and a few messages might leak through during it.

Thanks for the prompt response. This is really not that urgent (so do enjoy your weekend), has been like this for ever since.
Message size of the message above is 5.5KB, so well below the limit.
Another example would be message ID Op+VCf9N3mCSCQAAamG25A from July 1st. Also 5.5KB; Same error-message: “No, spam_score was empty, meaning rspamd failed to scan the message”

In fact I never had a message tagged as spam at all. Do I need to do anything beyond enabling (and configuring thresholds etc) rspamd in the DirectAdmin?
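
A header triage for the symptoms discussed in this thread, added here as an example and not written by any poster or by the provider: it reads the raw source of a message and reports whether the headers show an rspamd scan, a failed scan, or nothing, keeping the SpamTally score separate because it is not the value the user threshold applies to. The sample messages are constructed, `triage` is a hypothetical helper name, and reading `X-Spam-Bar` as one `+` per whole score point is an assumption about how this server builds that header.

```python
import re
from email import message_from_string, policy

# Constructed samples; header shapes are the ones quoted in the thread.
SAMPLES = {
    "scan_failed": "Subject: a\r\nSpamtally: Final spam score: 96\r\n"
                   "X-Spam-Status: No, spam_score was empty, meaning rspamd "
                   "failed to scan the message\r\n\r\nbody\r\n",
    "bar_only": "Subject: b\r\nX-Spam-Bar: ++++++++++++\r\n\r\nbody\r\n",
    "scored": "Subject: c\r\nX-Spam-Score: 7.3\r\nX-Spam-Bar: +++++++\r\n\r\nbody\r\n",
    "no_headers": "Subject: d\r\n\r\nbody\r\n",
}

NUM = re.compile(r"-?\d+(?:\.\d+)?")

def triage(raw, threshold=5.0):
    """Summarise what the spam headers say about one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    status = str(msg.get("X-Spam-Status", ""))
    score_hdr = NUM.search(str(msg.get("X-Spam-Score", "")))
    bar = str(msg.get("X-Spam-Bar", "")).strip()
    tally = re.search(r"Final spam score:\s*(-?\d+)", str(msg.get("Spamtally", "")))

    score = float(score_hdr.group()) if score_hdr else None
    # Assumption: the bar carries one '+' (or '-') per whole score point.
    bar_score = bar.count("+") - bar.count("-") if bar else None
    effective = score if score is not None else bar_score

    if "spam_score was empty" in status:
        verdict = "rspamd did not scan this message"
    elif effective is None:
        verdict = "no rspamd evidence in headers"
    elif effective >= threshold:
        verdict = "scanned, at or over threshold"
    else:
        verdict = "scanned, under threshold"
    # SpamTally is reported separately and never compared to the threshold.
    return {"verdict": verdict, "score": score, "bar_score": bar_score,
            "spamtally": int(tally.group(1)) if tally else None}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Paste the full message source (Roundcube's "View source") into `triage` in place of a sample; a run of "rspamd did not scan this message" verdicts across many small messages is the kind of specific evidence a log audit can start from.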