mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Rspam 0 score #5820

Closed aronmal closed 6 months ago

aronmal commented 6 months ago

Contribution guidelines

I've found a bug and checked that ...

Description

I have gotten an email in my mailbox which I suspect has a virus in it. I got quarantine@localhost notifications 2 before and 1 after. So I suspect they are all pretty much the same. When I checked rspamd, I noticed the mail that got through has a score of 0 which makes me wonder how.

Logs:

Mail that got through:

mailcow-rspamd  | 2024-04-04 01:26:34 #48(normal) <3f36e4>; task; rspamd_task_write_log: id: <8424eb3eca0e242f0ca27bd024e06a60464fe3f4@baldur-garten.de>, qid: <CAEDB26283D5>, ip: 89.113.158.36, from: <info1@baldur-garten.de>, (default: F (no action): [0.00/15.00] []), len: 36844, time: 3.211ms, dns req: 0, digest: <3fecd00b293839d42303acbe8a2a8d7d>, rcpts: <postmaster@<domain-censored>>, mime_rcpts: <postmaster@<domain-censored>>, forced: no action "whitelisting postmaster smtp rcpt"; score=nan (set by Unknown lua)

Mail that was caught:

mailcow-rspamd  | 2024-04-04 04:11:04 #48(normal) <adfbbd>; task; fuzzy_insert_result: found fuzzy hash(txt) 26adfb24823a82ec8c46fbfb51e5ab9063f99b03abf154bc1d21838af127dd8b73885cdb493bf6947fbe5f5bfd8994e57c5672c7e8002bf8f4356a90dd9d4d6b (5a9608dab973f53e3505ce9e493ca7d35c0b5f722c54be014ebf9f8f90407f61be1bf4c32f6d33d6f965dd3249cefb3ad4d30bc689dfcc143a1349a92953af86 requested) with weight: 0.72, probability 0.68, in list: FUZZY_DENIED:1; added on 02.04.2024 01:54:37 GMT
mailcow-rspamd  | 2024-04-04 04:11:08 #48(normal) <adfbbd>; lua; once_received.lua:52: error looking up 57.149.113.89.in-addr.arpa: server fail
mailcow-rspamd  | 2024-04-04 04:11:08 #48(normal) <adfbbd>; task; rspamd_task_write_log: id: <aac28b20d4103a35862c65ce9a5f7097c9bd@baldur-garten.de>, qid: <B752F2628FDC>, ip: 89.113.149.57, from: <info1@baldur-garten.de>, (default: T (reject): [2031.90/15.00] [VIRUS_FOUND(2000.00){},FUZZY_DENIED(8.71){1:26adfb2482:0.68:txt;},HFILTER_HOSTNAME_UNKNOWN(8.50){},LEAKED_PASSWORD_SCAM(7.00){},BAYES_SPAM(4.50){100.00%;},RBL_SPAMHAUS_PBL(2.00){89.113.149.57:from;},RDNS_NONE(1.00){},BAD_WORDS(0.20){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ONCE_RECEIVED(0.10){},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){<domain-censored>:s=dkim:i=1;},ASN(0.00){asn:16345, ipnet:89.113.144.0/21, country:RU;},BCC(0.00){},BITCOIN_ADDR(0.00){35envEaG4HdZpTB73xbkYYrsqKk5mCDJXC;},DBL_FAIL(0.00){baldur-garten.de:server fail;},DMARC_NA(0.00){baldur-garten.de;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_REPLYTO(0.00){info1@baldur-garten.de;},LEAKED_PASSWORD_SCAM_RE(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},MISSING_XM_UA(0.00){},RBL_SORBS_FAIL(0.00){89.113.149.57:server fail;},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){<domain-censored>;},RCVD_COUNT_ZERO(0.00){0;},RDNS_DNSFAIL(0.00){},REPLYTO_EQ_FROM(0.00){},R_DKIM_NA(0.00){},R_SPF_NEUTRAL(0.00){?all;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 36841, time: 5167.773ms, dns req: 33, digest: <4f8d07213d2950296ddc40d108a9ba0c>, rcpts: <team@<domain-censored>>, mime_rcpts: <team@<domain-censored>>

Steps to reproduce:

I just got these spam mails.

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Unraid 1.12.9

Server/VM specifications:

enough

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

no

Docker version:

24.0.9

docker-compose version or docker compose version:

v2.21.0

mailcow version:

2024-02

Reverse proxy:

Nginx

Logs of git diff:

-

Logs of iptables -L -vn:

-

Logs of ip6tables -L -vn:

-

Logs of iptables -L -vn -t nat:

-

Logs of ip6tables -L -vn -t nat:

a

DNS check:

-
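
The log line for the delivered message ends in `forced: no action "whitelisting postmaster smtp rcpt"; score=nan`, i.e. rspamd skipped scoring because of a recipient whitelist, not because the mail was clean, which is why the UI shows a 0 score with no symbols. The following is an added example (not mailcow's or rspamd's own code) that parses rspamd `rspamd_task_write_log` lines and lists the messages that were delivered only through such a forced override; the two sample lines are constructed in the format shown above, with placeholder addresses and IPs.

```python
import re

# Two rspamd task log lines constructed for this example in the format shown in
# the report (symbol lists shortened, addresses and IPs replaced by placeholders).
SAMPLE_LOG = """\
mailcow-rspamd  | 2024-04-04 01:26:34 #48(normal) <3f36e4>; task; rspamd_task_write_log: id: <msg1@example.invalid>, qid: <CAEDB26283D5>, ip: 192.0.2.10, from: <sender@example.invalid>, (default: F (no action): [0.00/15.00] []), len: 36844, time: 3.211ms, dns req: 0, digest: <3fecd00b293839d42303acbe8a2a8d7d>, rcpts: <postmaster@example.invalid>, mime_rcpts: <postmaster@example.invalid>, forced: no action "whitelisting postmaster smtp rcpt"; score=nan (set by Unknown lua)
mailcow-rspamd  | 2024-04-04 04:11:08 #48(normal) <adfbbd>; task; rspamd_task_write_log: id: <msg2@example.invalid>, qid: <B752F2628FDC>, ip: 192.0.2.11, from: <sender@example.invalid>, (default: T (reject): [2031.90/15.00] [VIRUS_FOUND(2000.00){},FUZZY_DENIED(8.71){1:26adfb2482:0.68:txt;},BAYES_SPAM(4.50){100.00%;}]), len: 36841, time: 5167.773ms, dns req: 33, digest: <4f8d07213d2950296ddc40d108a9ba0c>, rcpts: <team@example.invalid>, mime_rcpts: <team@example.invalid>
"""

# Fields of a task summary line; the trailing 'forced: <action> "<reason>"' part is optional.
TASK_RE = re.compile(
    r'rspamd_task_write_log: id: <(?P<id>[^>]*)>, qid: <(?P<qid>[^>]*)>, '
    r'ip: (?P<ip>[^,]+), from: <(?P<from>[^>]*)>, '
    r'\(default: (?P<flag>\w) \((?P<action>[^)]*)\): '
    r'\[(?P<score>[^/]+)/(?P<required>[^\]]+)\] \[(?P<symbols>[^\]]*)\]\)'
    r'.*?rcpts: <(?P<rcpts>[^>]*)>'
    r'(?:.*?forced: (?P<forced_action>[^"]+?) "(?P<forced_reason>[^"]*)")?'
)
SYMBOL_RE = re.compile(r'(\w+)\(([-\d.]+)\)')


def parse_task_line(line):
    """Return a dict with the message's verdict, score and per-symbol scores,
    or None if the line is not a task summary."""
    m = TASK_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["score"] = float(rec["score"])
    rec["required"] = float(rec["required"])
    rec["symbols"] = {name: float(val) for name, val in SYMBOL_RE.findall(rec["symbols"])}
    return rec


def find_forced_deliveries(log_text):
    """List (qid, recipients, reason) for messages rspamd delivered only because a
    forced 'no action' override applied, e.g. the postmaster recipient whitelist.
    Such messages carry no symbols and a 0.00 score, so the score alone is misleading."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_task_line(line)
        if rec and rec["forced_action"] == "no action":
            findings.append((rec["qid"], rec["rcpts"], rec["forced_reason"]))
    return findings


if __name__ == "__main__":
    for qid, rcpts, reason in find_forced_deliveries(SAMPLE_LOG):
        print(f"{qid}: delivered to {rcpts} without scoring ({reason})")
```

Running this over `docker compose logs rspamd-mailcow` output gives an audit trail of mail that bypassed scoring, which is the thing to watch when a whitelisted address such as postmaster@ receives suspicious mail.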
aronmal commented 6 months ago

Here a screenshot:

Screenshot 2024-04-04 at 08-36-05 mailcow UI

I know this can't be reproduced, and I don't think there will be any action taken on this report. But I still wanted to inform you about this incident, in case others may also be affected by this rspamd 'outage'.

Feel free to close this issue if the given information is likely insufficient to find a root cause.

mstilkerich commented 6 months ago

Hi, my guess: Mails to postmaster are not filtered as the postmaster address should be contactable in case of delivery issues, including being filtered by the spam filter. At least this is common practice.

aronmal commented 6 months ago

Hey, thanks for the response. I guess the approach makes sense. But on the other hand, by that I suspect the 'postmaster@' is more vulnerable to such an attack?

Is there a way to further protect against such an attack, besides the mail clients preventing images from being displayed?

rspamd is showing a hash for the virus, is there a way to look it up to find out what kind of virus was sent?