How do I make sure that the spam filter is working?

Hello,

I have a question about spam filtering with rspamd on the servers with DirectAdmin.
Before I activated the spam filter, some mails were marked with ‘SPAM’ in the subject. Since I enabled the spam filter (with ‘Send the spam to the user’s spam folder’ and subject rewriting) this doesn’t happen anymore and changing the subject doesn’t seem to work either.

Since I realize that this could just be coincidence my question now would be if there is a way to check the functionality of the spam filter or the spam score?

The threshold is set to 5 and still mail with a ‘Spamtally: Final spam score: 96’ header is not marked/moved. Is ‘Spamtally’ the header that contains the value to which the threshold should be applied?

Kind regards,
Joe

Great question!

So the “SPAM” in the subject without that setting enabled is a bug, and one that has been persisting for me for quite a bit. However, enabling rspamd in the control panel will opt you out of that bug so there is at least a reasonable workaround (even if you don’t enable any setting that causes you to perform any action on email deemed to be spam). You can re-enable the subject rewrite there, but most prefer not to have it.

The SpamTally header is indeed not rspamd and is a more simplistic system that works alongside it above the level of your user settings. The one that your settings relate to will be X-Spam-Score. It may not be present when the email is under the threshold set in your rspamd settings.

You should see SpamTally scores up to 149, a 150 score is the drop point for that. These are really large scores on very few tests like “No reverse DNS = 100” and “SPF pass = -30.” You won’t be able to manipulate those.

Thanks for the quick response. Is there any way to see the X-Spam score (or other values useful for debug purposes) in the header even if it does not reach the threshold?

Will the functionality of the spam filter be affected if I set a forwarder address as a catch-all address so that multiple users get these mails?
(for example catch-all is set to forward@example.org and forward@example.org forwards to user1@example.org and user2@example.org).

Also good questions. Currently there is no way to see the X-Spam-Score header unless it meets your threshold set in rspamd settings. Now, you could set that threshold low, set it to deliver to inbox, and then use sieve filters (Use Roundcube at servername/webmail > Settings > Filters to create true, LDA-level server side filters) to then manipulate what is done with the email if it matched a particular threshold.

Catchall should be okay. There is an edge case where a static forwarder without a matching account can cause unexpected behavior, better to explain that where Discourse won’t demolish formatting: PrivateBin (mxrouteapps.com)

Can’t say anything nonspecific at this point. Rspamd is on and works, so anything more would need to be a specific log audit.

I have set the threshold to 0 as a test and still spam mails I receive do not contain an X-Spam-Score header. Mails that fail the SPF check should definitely have a positive X-Spam-Score, right? What I could find was a header in the format “X-Spam-Bar: ++++++++++++”.

In a single mail I saw “X-Spam-Status: No, spam_score was empty, meaning rspamd failed to scan the message”.

Overall, I am very confused as not a single mail has been tagged/moved since the spam filter was activated. Whereas before at least some mails were tagged correctly. However, I also can’t tell if the spam in question is simply getting past the filter as false positives.
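
As an added example that is not part of the thread: a small Python script that reads one raw message and reports what the headers discussed above say (Spamtally, X-Spam-Score, X-Spam-Bar, X-Spam-Status). The sample message is constructed; treating each '+' in X-Spam-Bar as one score point and comparing the score with `>=` are assumptions.

```python
import email
import re

SPAMTALLY_DROP = 150  # drop point for SpamTally, as stated in the thread

# Constructed sample; header formats are the ones quoted in the thread.
SAMPLE = "\n".join([
    "From: sender@example.org",
    "To: user1@example.org",
    "Subject: constructed test message",
    "Spamtally: Final spam score: 96",
    "X-Spam-Bar: " + "+" * 12,
    "X-Spam-Status: No, spam_score was empty, meaning rspamd failed to scan the message",
    "",
    "body",
])


def triage(raw, threshold=5.0):
    """Return what the spam-related headers of one raw message say."""
    msg = email.message_from_string(raw)
    report = {"spamtally": None, "below_drop": None, "rspamd_score": None,
              "over_threshold": None, "bar_plus": None, "scan_failed": False}

    tally = re.search(r"Final spam score:\s*(-?\d+)", msg.get("Spamtally", ""))
    if tally:
        report["spamtally"] = int(tally.group(1))
        report["below_drop"] = report["spamtally"] < SPAMTALLY_DROP

    # X-Spam-Score is the header the user threshold applies to; it may be absent.
    score = re.search(r"-?\d+(?:\.\d+)?", msg.get("X-Spam-Score", ""))
    if score:
        report["rspamd_score"] = float(score.group(0))
        report["over_threshold"] = report["rspamd_score"] >= threshold  # assumption: >=

    bar = msg.get("X-Spam-Bar")
    if bar is not None:
        report["bar_plus"] = bar.count("+")  # assumption: one '+' per score point

    # Unfold the header first, then look for the scan-failure text from the thread.
    status = " ".join(msg.get("X-Spam-Status", "").split())
    report["scan_failed"] = "spam_score was empty" in status
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a real message, save its full source from the webmail client and pass the file contents to `triage()`.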