Help please blocking spam #1566

Closed
ghost opened this issue Jul 11, 2020 · 5 comments

ghost commented Jul 11, 2020

Hello, I'm new to using rspamd and want to know if anyone knows how to block some domain.

There is a domain (let it be "spamdomain.com") that is spamming constantly, and I don't know how to stop it.

I'm using WebUI, and I was reading in your docs https://rspamd.com/doc/modules/multimap.html that multimap and prefilters would help with this, but I'm super noob and don't know where to put it, nor the syntax (I tried to understand the docs, but it was confusing to me). I suspect that the filter that I need is "email:domain", right?

Can anyone give me a hand with this?

Many thanks in advance

Member

Diman0 commented Jul 15, 2020

This can be achieved by adding additional symbols to the multimap filter. In this symbol you could indeed reject email using a prefilter.

Step 1 is creating the config file to add the symbol to the multimap filter.
Create the file /mailu/overrides/rspamd/multimap.conf with contents:

#override.d/multimap.conf
local_bl_domain {
  type = "from";
  filter = "email:domain";
  map = "/etc/rspamd/override.d/blacklist.inc";
  score = 14;
  description = "Senders domain part is on the local blacklist";
  group = "local_bl";
  action = "reject";
}

Note that the prefilter "action = "reject";" instructs rspamd to reject the email. The sender will receive a failed delivery notification email that this email was rejected. Another option is to use discard (accept the email and discard it). If you remove "action = "reject";", then the email will get score 14 and will be moved to the spam folder depending on the spam score threshold setting of the user.

Step 2 is to create the blacklist file that will contain the domains to be blocked. You don't have to add the domains yet. This can also be done via the webgui.
Create the file /mailu/overrides/rspamd/blacklist.inc with contents

 #blacklisted domains. ALL emails from these domains are blacklisted!!
 #this file is LIVE reloaded by rspamd. Any changes are EFFECTIVE IMMEDIATELY.
spamdomain.com


Step 3 is to restart rspamd to pick up the new multimap.conf file. If you use docker-compose:

docker-compose scale antispam=0
docker-compose scale antispam=1

Step 4 is to access the webui of rspamd and go to configuration. You should see listed here:
"/etc/rspamd/override.d/blacklist.inc Senders domain part is on the local blacklist".
You can click this file to add new domains. Changes are persistent and effective immediately. When you edit the inc files in the overrides folder, the changes will also be effective immediately.

I hope this helps. I plan to create a PR to add this to the FAQ section
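
A pre-edit check for the blacklist.inc file from Steps 2 and 4, as an added example that is not part of the original comment or of Mailu/rspamd: because edits are live and every listed domain is rejected, it flags entries that are not bare domains and shows which sender addresses a listed domain covers. The function names and all sample entries other than spamdomain.com are made up, and the exact, case-insensitive lookup on the domain part is a modeling assumption (the rule above sets no glob or regexp option).

```python
import re

# Constructed sample map; only spamdomain.com (the thread's placeholder) is from the page.
SAMPLE_MAP = """\
#blacklisted domains. ALL emails from these domains are blacklisted!!
spamdomain.com
SpamDomain.com
user@other-spam.example
*.wild.example
https://link.example/path
ok-domain.example   # trailing comment
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")

def lint_map(text):
    """Return (domains, problems) for a one-entry-per-line domain map."""
    domains, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        key = entry.split()[0].lower()  # first token is the lookup key
        if not DOMAIN_RE.match(key):
            problems.append((lineno, key, "not a bare domain"))
        elif key in domains:
            problems.append((lineno, key, "duplicate entry"))
        else:
            domains.add(key)
    return domains, problems

def sender_domain(address):
    """Lower-cased domain part of a sender address (assumed lookup key)."""
    return address.strip().strip("<>").rpartition("@")[2].lower()

def would_match(address, domains):
    """Exact lookup (assumption: no glob/regexp); subdomains are not covered."""
    return sender_domain(address) in domains

if __name__ == "__main__":
    doms, probs = lint_map(SAMPLE_MAP)
    for lineno, key, why in probs:
        print(f"line {lineno}: {key!r}: {why}")
    for addr in ("bob@spamdomain.com", "bob@mail.spamdomain.com"):
        print(addr, "->", "listed" if would_match(addr, doms) else "not listed")
```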

Author

ghost commented Jul 18, 2020

It worked like a charm!

Many thanks for your help

@ghost ghost closed this as completed Jul 18, 2020
bors bot added a commit that referenced this issue Aug 11, 2020
1586: Add documentation in regard to the spam filter in Mailu. Added all su… r=mergify[bot] a=Diman0

…ggestions from Liquidat and Nebukadneza..

I have added the suggestions mentioned in pull request #1575 

## What type of PR?

Adds FAQ section 'Spam filtering' that describes how spam filtering works. It also describes how you can create your own local black list. This enables the user to set up a map that can be live-updated via Rspamd webgui for blocking emails from listed sender domains.

## What does this PR do?

### Related issue(s)
    #1167
    #1566
    Closes issue #1167


## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

    [ N/A] In case of feature or enhancement: documentation updated accordingly
    [ Done] Unless it's docs or a minor change: add changelog entry file.



Co-authored-by: Dimitri Huisman <diman@huisman.xyz>

Eloque commented Apr 17, 2021

Apologies if this is not the right spot to ask, but it's the only place I could find sort of about the same topic;
I want to flag mail containing certain words, if the mail contains that word, add 10 to the score of the mail. But I can't get it to work. I based it off your instructions;

Made a multimap.conf

#override.d/multimap.conf
CONTENT_BLACKLISTED {
  type = "content";
  filter = "full";
  map = "/etc/rspamd/override.d/badwords.map";
  score = 10;
  description = "Mail contains badwords";
}

and a badwords.map

# This file is live reloaded
trialwordforspam

I restart;

docker-compose up -d --scale antispam=0
docker-compose up -d --scale antispam=1

And check if the config is there;

image

I then send a mail, containing "trialwordforspam" and the filter goes straight through:

image

As if the rule isn't triggered at all. What am I missing here?

@fiskhest

Hi @Eloque, I had the same use case except I wanted to look for a string instead of a word. I couldn't get your example working and I have some different settings for my map, but I'm sharing what is working for me hoping it can be adapted for what you need.

# override.d/multimap.conf
# example: if a mail is received where the string 'unacceptable string'(specified as a regex in the file 'known_spam.map') is present in the body, mail is rejected
KNOWN_SPAM_STRING {
    type = "content";
    filter = "body";
    map = "/etc/rspamd/override.d/known_spam.map";
    prefilter = true;
    action = "reject";
    regexp = true;
}

# override.d/known_spam.map
/unacceptable string/gi

Background/more info described in this blogpost

@FosterG4

hi, I tried using this method but the menu on the list doesn't appear
