Rspamd tuning, R_SPF_NA R_DKIM_NA ?

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Apr 28, 2021.

Tags:
  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I try tuning rspamd to better detect spams my e-mail server gets. I think increasing spammines for e-mails where sending domaind lacks SPF and message is not DKIM saved would help.
    I found R_SPF_NA and R_DKIM_NA, which I guess mean message does not have SPF/DKIM. I thought I could add one or two spamminess points when that happens.
    But I can not find useful documentation. Only thing search engines find in website rspamd.com is https://rspamd.com/doc/modules/milter_headers.html
    which has one line about R_SPF_NA:
    Code:
      none = "R_SPF_NA";
    That does not help much.
    Does requiering SPF and DKIM nowadays cause problems?
    What values are valid for those "variables" and how to set them?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I tune the scores through the rspamd web UI -> Symbols.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    checking a random message here, it has all of:
    AUTH_NA(1.00){},
    ARC_NA(0.00){},
    DMARC_NA(0.00){sender.tld;},
    RCVD_VIA_SMTP_AUTH(0.00){},
    R_DKIM_NA(0.00){},
    R_SPF_NA(0.00)

    Since that indicates the message did indicate smtp auth in headers, I presume that 'AUTH_NA' refers to no sender/domain related authentication (no arc, dmarc, dkim or spf) - so you might already be getting a bump in score due to those traits (1.00 for AUTH_NA). And it seems to be some combination of those for AUTH_NA, as I see other messages with ARC_NA, DMARC_NA, R_DKIM_NA but not R_SPF_NA, and AUTH_NA does not kick in there.

    As to your question of if it's worth doing, I'll do a quick count in rspamd logs for an indication; this server has a very well trained bayes db (matches won't be perfect, but quite good), so searching for strong bayes match of ham or spam and checking for those symbols, and vice-versa, yields:
    Code:
    # grep BAYES_HAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_HAM.-0 | wc -l   
    21415
    # grep BAYES_HAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_HAM.-0 | grep R_DKIM_NA | wc -l
    992
    # grep BAYES_HAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_HAM.-0 | grep R_SPF_NA | wc -l
    205
    # grep BAYES_HAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_HAM.-0 | grep R_DKIM_NA | grep R_SPF_NA | wc -l
    121
    # grep BAYES_HAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_HAM.-0 | grep AUTH_NA | wc -l
    99
    
    # grep BAYES_SPAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_SPAM.0 | wc -l
    10614
    # grep BAYES_SPAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_SPAM.0 | grep R_DKIM_NA | wc -l
    1044
    # grep BAYES_SPAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_SPAM.0 | grep R_SPF_NA | wc -l
    74
    # grep BAYES_SPAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_SPAM.0 | grep R_DKIM_NA | grep R_SPF_NA | wc -l
    41
    # grep BAYES_SPAM /var/log/rspamd/rspamd.log{,.?} | grep -v BAYES_SPAM.0 | grep AUTH_NA | wc -l
    36
    
    # grep R_DKIM_NA /var/log/rspamd/rspamd.log{,.?} | wc -l
    2883
    # grep R_DKIM_NA /var/log/rspamd/rspamd.log{,.?} | grep BAYES_HAM | grep -v BAYES_HAM.-0 | wc -l
    998
    # grep R_DKIM_NA /var/log/rspamd/rspamd.log{,.?} | grep BAYES_SPAM | grep -v BAYES_SPAM.0 | wc -l
    1045
    # grep R_DKIM_NA /var/log/rspamd/rspamd.log{,.?} | grep AUTH_NA | wc -l
    202
    
    # grep R_SPF_NA /var/log/rspamd/rspamd.log{,.?} | wc -l
    535
    # grep R_SPF_NA /var/log/rspamd/rspamd.log{,.?} | grep BAYES_HAM | grep -v BAYES_HAM.-0 | wc -l
    205
    # grep R_SPF_NA /var/log/rspamd/rspamd.log{,.?} | grep BAYES_SPAM | grep -v BAYES_SPAM.0 | wc -l
    74
    # grep R_SPF_NA /var/log/rspamd/rspamd.log{,.?} | grep AUTH_NA | wc -l
    202
    
    So of messages hitting R_DKIM_AU ~35% are strongly identified as ham, ~36% strongly identified as spam; I wouldn't use that in isolation as a spam indicator. R_SPF_NA seems to be more of a ham indicator than spam.
     
    ahrasis, Taleman and Th0m like this.

Share This Page