Spam Filter/Content Filter
-
Spam filtering settings have a single Subject tag, for example,
[***SPAM*** Score/Req: _SCORE(0)_/_REQD_], which is added when the value specified in the "A message is spam if it scores greater or equal to". This is a very limited setup, as it will be fine for one domain, but for another we would like to have a different trigger threshold. Here I have found only one solution using the content filter:
Conditions... If the SPAM FILTER score is equal to
Actions... Search and replace words within a message header - In the: Subject header...
Search expression: ^
Replace with: [***SPAM*** Score/Req: _SCORE(0)_/_REQD_]
Checkbox Regular expression
However, in this case, _SCORE(0)_/_REQD_ are not filled with real values, because they are not in the content filter.
Is there a solution to this issue?
-
Arron Staff
_SCORE(0)_/_REQD_ is not a regular expression.
This will likely need some tweaking as I have not tested it extensively, but the following regular expression should get you started.
Score\/Req\: -?\d{1,3}\.\d{1,2}\/\d\.\d\]
It is looking for a score with 1 to 3 digits followed by a decimal and then 1 or 2 more digits.
A site such as regex101.com can help you to generate a regular expression and test the results.
-
We probably didn't understand each other, I meant that, for example, for one domain we want to use "A message is spam if it scores greater or equal to", and for another domain we want to add a header at a different threshold.
For example, for example.com the standard filter works by threshold 10, the line [***SPAM*** Score/Req: 21.3/10.0] should be added to the topic header, and for the domain example-test.com using the content filter for triggering a threshold of more than 7, add the header [***SPAM*** Score/Req: 21.3/7.0]. In your example, I did not understand what exactly is processed by the regular expression, which variables?
-
Arron Staff
I'm sorry, I misunderstood.
I have two rules that I think will accomplish what you are looking for. I set my spam threshold at 5, and then for 1 domain (company.test) increased the threshold to 8.0 using these rules.
I have done a limited amount of testing. Please extensively test these rules before putting them into production.
[Rule033]
RuleName=Per Domain Spam filter (company.test)
Enable=Yes
ThisRuleCondition=All
ProcessQueue=BOTH
Condition01=X-MDAEMON-DELIVER-TO|contains|AND|company.test|
Condition02=body|sa score|AND|>=|8.0|
Action01=header search and replace|"Subject","/5.0]","/8.0","0,0,"
Action02=remove header|"X-Spam-Status",""
Action03=add header|"X-Spam-Status","Yes, score=$SPAMSCORE$ required=8.0"
[Rule034]
RuleName=Remove Spam Subject <8.0 (company.test)
Enable=Yes
ThisRuleCondition=All
ProcessQueue=BOTH
Condition01=X-MDAEMON-DELIVER-TO|contains|AND|company.test|
Condition02=body|sa score|AND|<|8.0|
Action01=header search and replace|"Subject","\[\*\*\*SPAM\*\*\* Score\/Req: -?-?\d{1,3}\.\d{1,2}\/\d{1,2}\.\d{1,2}\](.*)","$1","0,1"
Action02=remove header|"X-Spam-Status",""
Action03=add header|"X-Spam-Status","No, score=$SPAMSCORE$ required=8.0"
Action04=remove header|"X-Spam-Flag",""
Action05=add header|"X-Spam-Flag","NO"
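A quick offline check of the two expressions posted above, added here as an example and not part of the original replies. It assumes Python's `re` module treats these patterns the same way MDaemon's content filter does; the sample subjects are constructed.

```python
import re

# Expressions copied from the two replies above.
FIRST_TRY = re.compile(r"Score\/Req\: -?\d{1,3}\.\d{1,2}\/\d\.\d\]")
RULE034 = re.compile(
    r"\[\*\*\*SPAM\*\*\* Score\/Req: -?-?\d{1,3}\.\d{1,2}\/\d{1,2}\.\d{1,2}\](.*)"
)

def strip_tag(subject: str) -> str:
    """Apply Rule034's Action01: replace the match with capture group 1."""
    # Python spells the rule's "$1" as "\1".
    return RULE034.sub(r"\1", subject, count=1)

def first_try_matches(subject: str) -> bool:
    """True if the expression from the earlier reply finds the tag."""
    return FIRST_TRY.search(subject) is not None

# Constructed subjects covering the cases worth checking before production.
SAMPLES = [
    "[***SPAM*** Score/Req: 7.4/5.0] Invoice",      # typical tag
    "[***SPAM*** Score/Req: 21.3/10.0] Invoice",    # two-digit threshold
    "[***SPAM*** Score/Req: -1.2/5.0] Invoice",     # negative score
    "Re: [***SPAM*** Score/Req: 7.4/5.0] Invoice",  # tag not at the start
    "Invoice",                                      # untagged, must be unchanged
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(strip_tag(s)),
              "| first expression matches:", first_try_matches(s))
```

Two things show up in the output: the earlier expression does not match a two-digit threshold such as 10.0, and Rule034's expression leaves the space that followed the tag in the Subject.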
-
I am conducting comprehensive content filter tests. For this I needed to simulate the receipt of spam emails; for this I sent an email with special content, the string XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X, which is recognized as SPAM. However, MDAEMON gives a fixed 7 points: 7.0 MDAEMON_OP_SPAM_HIGH MDaemon: spam/phish. How can I change the value that MDAEMON issues for such test emails, for testing, for example, 10 points?
-
Arron Staff
Security | Outbreak Protection, under "Spam should be:" adjust the score field to the desired value.
-
Our spam filter outputs the maximum value for a specific sender's address using Bayesian classification. At the same time, the content of the email is not spam. We tried to fix the situation by copying emails from this sender to \MDaemon\Public Folders\Bayesian Learning.IMAP\Non-Spam.IMAP\. However, emails continue to go into spam. Tell me how to legalize this sender without putting him on the list of allowed ones, because someday he may still send spam when hacking credentials.
X-Spam-Report:
* -0.0 SPF_PASS SPF: sender matches SPF record
* 1.6 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.5160]
* 7.0 MDAEMON_OP_SPAM_HIGH MDaemon: spam/phish
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
* See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URI: cdek.ru]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
* 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
* in HTML
* 3.0 LONG_HEX_URI Very long purely hexadecimal URI
-
Arron Staff
The message is being flagged by Outbreak Protection as spam. This is adding 7 points to the spam score. Forward the message as an attachment to spamfp@mdaemon.com. You will not receive a response. The message will be processed and sent to Data443, our OutBreak Protection provider and they will adjust as needed. If you are still having issues, you can also adjust the score by going to Security / OutBreak Protection.
The second issue is a URI in the message, which is matching the LONG_HEX_URI rule. Is there a long URI in the message that is hexadecimal? Adjusting this URI would also help. If the sender cannot or will not change the URI, you can adjust the score applied by your MDaemon by editing the \MDaemon\SpamAssassin\rules\local.cf file using a tool such as Notepad++. Do NOT use Notepad.exe. Scroll to the bottom of the text, create a new line and add something like this:
score LONG_HEX_URI 2.0
2.0 is the score that will be assigned, you can set it to any reasonable value that you'd like.
Save the file and then restart MDaemon.
-
@Arron
Forward the message as an attachment to spamfp@mdaemon.com.
I sent an email on 10/31/2024, but at the moment, the emails from the example continue to receive 7 spam points.
7.0 MDAEMON_OP_SPAM_HIGH MDaemon: spam/phish
-
Arron Staff
Can you add the sender to the SPF/DKIM approved list? (Security / Security Manager / Approved)
Can you add the sender to the spam filter allow list? (Security / Spam Filter / Allow List (by sender))
Can you adjust the score assigned by Outbreak Protection by going to Security / Outbreak Protection?
You may also be able to adjust the spamassassin rules to be more granular, I'd need to see an X-MDOP header from a message with the issue to know for sure. If you are interested please post the header.
-
@Arron
X-MDOP-RefID: str=0001.0A682F1A.6731DB1C.0050,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0 (_st=1 _vt=0 _iwf=0)
other X-MDOP headers are missing
-
Arron Staff
I would need to see the X-MDOP header for a message that was incorrectly flagged. The message that this MDOP header came from was not flagged by Outbreak Protection.
-
I have attached an example md50000006736.eml in File Request from Arron Caruth at MDaemon Technologies, Ltd
-
Arron Staff
I have not been able to find the file that you uploaded. Can you upload it using this link?
https://mdaemon.sharefile.com/r-rc3922c1eed334d4dbf5e34f0bd04ccd6
If that is the same link you used before, something didn't work right as I don't see the file being uploaded.
-
@Arron, I uploaded it again, the first time I didn't press the button "Upload"(
-
Arron Staff
By default, when MDaemon scores messages based on the results of Outbreak Protection it scores messages that classify as "bulk" spam the same as spam. In most cases this does not cause issues. In this case, the message in question is being classified as "bulk" spam so to work around the issue, we can customize the SpamAssassin rules. To do this, edit the MDaemon\SpamAssassin\Rules\Local.cf file using something like NotePad++. Do not use notepad.exe.
Add the following 2 rules to your local.cf file:
header MDAEMON_OP_SPAM_BULK X-MDOP-RefID =~ /\b_st=[3]/i
describe MDAEMON_OP_SPAM_BULK MDaemon: spam/phish
score MDAEMON_OP_SPAM_BULK 3.0
header MDAEMON_OP_SPAM_HIGH X-MDOP-RefID =~ /\b_st=[4]/i
describe MDAEMON_OP_SPAM_HIGH MDaemon: spam/phish
score MDAEMON_OP_SPAM_HIGH 7.0
You can set the scores to any value you like in the local.cf file. However, once you make this change, editing the score in the MDaemon UI by going to Security / Outbreak Protection will no longer work.
Once you are done editing the local.cf file, save the file and restart MDSpamd.exe.
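To see what the two local.cf rules above would do to the total of the X-Spam-Report posted earlier in the thread, here is an added what-if calculation (not MDaemon's or SpamAssassin's own code). It assumes the affected message carries `_st=3` in X-MDOP-RefID; that header value is constructed, and the helper names are hypothetical.

```python
import re
from decimal import Decimal

# The two header rules and scores from the answer above (local.cf).
OP_RULES = [
    ("MDAEMON_OP_SPAM_BULK", re.compile(r"\b_st=[3]", re.I), Decimal("3.0")),
    ("MDAEMON_OP_SPAM_HIGH", re.compile(r"\b_st=[4]", re.I), Decimal("7.0")),
]
# "* <score> <RULE_NAME>" entries; continuation lines such as "* [score: ...]" are skipped.
REPORT_ENTRY = re.compile(r"\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def op_hits(refid):
    """Rules from OP_RULES that fire on an X-MDOP-RefID value, as {name: score}."""
    return {name: score for name, rx, score in OP_RULES if rx.search(refid)}

def parse_report(report):
    """Turn a flattened X-Spam-Report value into {rule name: score}."""
    return {name: Decimal(score) for score, name in REPORT_ENTRY.findall(report)}

def rescore(scores, refid, overrides=None):
    """Total once the old Outbreak Protection hit is replaced by the new rules."""
    kept = {k: v for k, v in scores.items() if not k.startswith("MDAEMON_OP_")}
    kept.update(op_hits(refid))
    for name, value in (overrides or {}).items():
        if name in kept:
            kept[name] = Decimal(value)
    return sum(kept.values(), Decimal("0"))

# Entries of the X-Spam-Report posted earlier in the thread (descriptions dropped).
REPORT = (
    "* -0.0 SPF_PASS * 1.6 BAYES_50 * [score: 0.5160] * 7.0 MDAEMON_OP_SPAM_HIGH "
    "* 0.0 URIBL_BLOCKED * [URI: cdek.ru] * 0.0 HTML_MESSAGE * 0.1 MIME_HTML_ONLY "
    "* 0.4 HTML_MIME_NO_HTML_TAG * 0.0 T_KAM_HTML_FONT_INVALID * in HTML "
    "* 3.0 LONG_HEX_URI"
)
# X-MDOP-RefID value posted in the thread (_st=1, not flagged).
POSTED_REFID = ("str=0001.0A682F1A.6731DB1C.0050,ss=1,re=0.000,recu=0.000,"
                "reip=0.000,cl=1,cld=1,fgs=0 (_st=1 _vt=0 _iwf=0)")
BULK_REFID = "(_st=3 _vt=0 _iwf=0)"  # constructed: only _st matters to the rules

if __name__ == "__main__":
    scores = parse_report(REPORT)
    print("as posted:", sum(scores.values(), Decimal("0")))
    print("bulk rule:", rescore(scores, BULK_REFID))
    print("bulk + LONG_HEX_URI 2.0:", rescore(scores, BULK_REFID, {"LONG_HEX_URI": "2.0"}))
```

Compare the resulting totals with the spam threshold that applies to the recipient domain before settling on the scores in local.cf.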