Rspamd

Rspamd is an advanced spam filtering system that evaluates messages against a number of rules, including regular expressions, statistical analysis and custom services such as URL blacklists. Each message is analysed by Rspamd and given a spam score.

Based on that spam score and the configured action thresholds, Rspamd recommends an action for the MTA to apply to the message, for example to pass it, reject it or add a header. Rspamd is designed to process hundreds of messages per second and provides a number of useful features.

Policy check features

There are many resources that define policies for the different objects involved in email transfer: the sender's IP address, the URLs in a message and even the message itself. For example, a message can be signed by the sender using DKIM. Another example is URL filtering: phishing checks or URL DNS blacklists (SURBL). Rspamd supports the following policy checks:

  • SPF checks validate a message's sender against the policy published in the DNS record of the sender's domain. Many large mail systems, such as Gmail or Yahoo Mail, publish and check SPF.
  • DKIM validation checks a message's cryptographic signature against the public key published in the DNS record of the signing domain. A valid signature shows that the message was sent from the specified domain and has not been altered in transit. Rspamd also supports DKIM signing.
  • DMARC combines DKIM and SPF to let a domain publish a more or less restrictive policy for mail claiming to come from it. Rspamd can also store data for DMARC reports in a Redis database.
  • ARC (Authenticated Received Chain) is a relatively new extension of DKIM signing that lets signed messages be forwarded over a chain of trusted relays without losing their authentication status.
  • Whitelists avoid false positives for trusted domains that pass other checks, such as DKIM, SPF or DMARC. For example, messages from PayPal should not be filtered if they are correctly signed with the PayPal domain signature. On the other hand, if they are not signed and the domain's DMARC policy requires DKIM, the message should be marked as spam because it is probably phishing. The whitelist module provides different modes for matching policies and whitelisting or blacklisting particular combinations of verification results.
  • DNS lists estimate the reputation of the sender's IP address or network. Rspamd queries a number of DNS lists, including SORBS and Spamhaus. However, Rspamd does not fully trust any single DNS list and does not reject mail based on this factor alone. Rspamd also uses DNS whitelists and greylists to avoid false positive spam hits.
  • URL lists are similar to DNS blacklists but look up the URLs found in a message to fight spam and phishing. Rspamd has built-in support for the most popular lists of this kind, such as URIBL, SURBL and the Spamhaus DBL.
  • Phishing checks filter phishing messages and protect users from attacks. Rspamd uses sophisticated algorithms to find phished URLs and understands popular URL redirectors (for example, http://t.co) to avoid false positive hits. Popular phishing databases, such as OpenPhish and PhishTank, are also supported.
  • Rate limits prevent mass mailings from your own compromised accounts. This is an extremely useful feature for protecting both inbound and outbound mail flows.
  • The IP reputation plugin adjusts reputation for specific IP addresses, networks, autonomous systems (ASN) and even countries.
  • Greylisting is a common method of delaying suspicious messages, since many spammers do not use fully functional SMTP servers that queue and retry delayed messages. Rspamd implements greylisting internally and can delay messages whose score is above a configurable threshold.
  • The replies module whitelists messages that are replies to your own outgoing messages, since such messages are likely important to users and false positives on them are highly undesirable.
  • The maps module is a Swiss Army knife for filtering messages by different attributes: headers, envelope data, the sender's IP and so on. It is very useful for building custom rules.

Statistical tools

The statistical approach includes many useful spam recognition techniques that learn dynamically from the messages being scanned. Rspamd provides several such tools, which can be trained either manually or automatically and adapt to the actual mail flow.

  • The Bayes classifier classifies messages as spam or ham. Rspamd uses an advanced statistical token generation algorithm that can achieve better results than the commonly used naive Bayes method.
  • The neural network module learns from scan results and improves the final score by finding combinations of rules that are typical of either spam or ham messages. This module is especially useful for large email systems, since it learns from your own rules and adapts quickly to spam mass mailings.

Debian and Ubuntu Linux

Rspamd supports the following .deb based distributions:

  • Debian bullseye
  • Debian buster
  • Ubuntu bionic
  • Ubuntu focal (since 2.5)
  • Ubuntu jammy (since 3.3)

To install the rspamd stable apt repository, use the following commands (the first one, which installs lsb-release and wget, is optional if you already have them):

sudo apt-get install -y lsb-release wget
CODENAME=$(lsb_release -c -s)
sudo mkdir -p /etc/apt/keyrings
wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/rspamd.gpg > /dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt-get update
sudo apt-get --no-install-recommends install rspamd

The signed-by option ties this repository to the key stored in /etc/apt/keyrings/rspamd.gpg, so apt rejects packages that are not signed with it (this replaces the deprecated apt-key approach). Before running apt-get update, inspect the imported key with gpg --show-keys /etc/apt/keyrings/rspamd.gpg and make sure it is the Rspamd project key you expect.

Using Rspamd with Postfix MTA

Starting with version 1.6, the recommended way to integrate Rspamd with Postfix is the Rspamd proxy worker in milter mode (see the rspamd proxy worker documentation). The stock configuration shipped with the packages binds this worker to port 11332 in milter mode, so no change on the Rspamd side is needed for the setup below.

Configuring Postfix

Configuring Postfix to scan messages through the Rspamd milter is straightforward; add the following to main.cf:

smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
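A fuller main.cf fragment for the milter hookup, added here as an example rather than taken from the page: the two smtpd/non_smtpd lines are the ones above, and the remaining parameters are standard Postfix milter settings (the same ones Rspamd's own Postfix integration notes use).

```ini
# /etc/postfix/main.cf: Postfix side of the Rspamd milter hookup
# (added example; the two smtpd/non_smtpd lines are the ones shown on this
# page, the rest are standard Postfix milter parameters)

# Hand inbound SMTP mail and locally submitted or forwarded mail to the
# Rspamd proxy worker listening on localhost:11332
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332

# Milter protocol version 6 (the Postfix default since 2.6)
milter_protocol = 6

# Macros Rspamd reads from Postfix: queue id, envelope sender, client
# address and name, and the SASL-authenticated user (this is how Rspamd
# tells your own users' outbound mail from inbound mail)
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# What to do when Rspamd is unreachable: "accept" fails open (mail passes
# unscanned); "tempfail" defers mail until the filter is back
milter_default_action = accept
```

Apply the change with postfix reload and check it with postconf -n | grep milter. Fail-open is the usual choice on an inbound MX, where a filter outage should not bounce legitimate mail; on a submission-only host tempfail is the safer setting, because it stops a compromised account's mail from leaving unscanned while Rspamd is down.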

Adding headers

As you may know, an email consists of a header and a body. Your users normally see only header fields such as the subject, the sender, the recipient and the date and time the email was sent. But there is much more information, such as the route the email travelled or extended headers added by the various mail servers on the way to its destination. Such extended headers begin with "X-". Rspamd can add such headers to help you filter out spam. For that purpose create a new configuration file at /etc/rspamd/override.d/milter_headers.conf with this content (a file in local.d merges with the module's defaults, whereas override.d replaces them; for a single option like this either works):

sudo vim /etc/rspamd/override.d/milter_headers.conf
extended_spam_headers = true;

As documented, it will add headers like these. Two fields are easy to misread: the True/False flag in X-Spamd-Result only says whether the reject action was triggered (here 11.55 is below the 15.00 reject threshold shown after the slash), while X-Spam: Yes shows that the lower add-header threshold was crossed. Each following line is one rule that matched, with its score contribution in parentheses and its options in square brackets:

X-Rspamd-Server: mail
Authentication-Results: dmarc=fail reason="No valid SPF, No valid DKIM" …
X-Rspamd-Queue-Id: C22E55A005B3
X-Spamd-Result: default: False [11.55 / 15.00]
	R_PARTS_DIFFER(0.27)[63.4%]
	FROM_NO_DN(0.00)[]
	RCVD_COUNT_ZERO(0.00)[0]
	R_DKIM_NA(0.00)[]
	FUZZY_DENIED(12.00)[1:19305c7fdd:1.00:bin,1:35699594fd:0.91:txt]
	RBL_SENDERSCORE(2.00)[55.181.23.94.bl.score.senderscore.com]
	ARC_NA(0.00)[]
	RCPT_COUNT_ONE(0.00)[1]
	RCVD_TLS_ALL(0.00)[]
	FROM_EQ_ENVFROM(0.00)[]
	R_SPF_SOFTFAIL(0.00)[~all]
	BAYES_HAM(-2.71)[98.75%]
	TO_MATCH_ENVRCPT_ALL(0.00)[]
	MIME_GOOD(-0.10)[multipart/related,multipart/alternative,text/plain]
	MID_RHS_MATCH_FROM(0.00)[]
	ASN(0.00)[asn:16276, ipnet:94.23.0.0/16, country:FR]
	TO_DN_NONE(0.00)[]
	DMARC_POLICY_SOFTFAIL(0.10)[Chronopost.fr : No valid SPF, No valid DKIM,none]
	SUBJECT_ENDS_EXCLAIM(0.00)[]
X-Spam: Yes
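Downstream tools (a Sieve script, a mailbox triage job, a SIEM parser) usually consume these headers rather than the raw Rspamd API, and the header format has a few traps: it is folded over many lines, the True/False flag is not "is spam", and the per-symbol scores are rounded so they do not add up exactly to the total. The following added example, which is not Rspamd's own code, parses X-Spamd-Result, maps the score back to an action and cross-checks the headers against each other. It also illustrates the score-to-action mapping described at the top of this page. The sample message is constructed from the headers quoted above (the truncated Authentication-Results line is left out); the action thresholds (greylist 4, add header 6, reject 15) are Rspamd's stock defaults, which the page does not state, so treat them as an assumption to compare with your own actions.conf.

```python
"""Parse Rspamd's X-Spamd-Result header and cross-check the verdict it encodes.

Added example for this wiki page, not Rspamd's own code. Thresholds are the
assumed stock defaults from actions.conf; the sample message is constructed
from the headers quoted on the page.
"""
import email
import math
import re
from dataclasses import dataclass

# Constructed sample: the headers shown on this page, folded with tabs the way
# the milter emits them (the truncated Authentication-Results line is omitted).
SAMPLE_MESSAGE = (
    "X-Rspamd-Server: mail\n"
    "X-Rspamd-Queue-Id: C22E55A005B3\n"
    "X-Spamd-Result: default: False [11.55 / 15.00]\n"
    "\tR_PARTS_DIFFER(0.27)[63.4%]\n"
    "\tFROM_NO_DN(0.00)[]\n"
    "\tRCVD_COUNT_ZERO(0.00)[0]\n"
    "\tR_DKIM_NA(0.00)[]\n"
    "\tFUZZY_DENIED(12.00)[1:19305c7fdd:1.00:bin,1:35699594fd:0.91:txt]\n"
    "\tRBL_SENDERSCORE(2.00)[55.181.23.94.bl.score.senderscore.com]\n"
    "\tARC_NA(0.00)[]\n"
    "\tRCPT_COUNT_ONE(0.00)[1]\n"
    "\tRCVD_TLS_ALL(0.00)[]\n"
    "\tFROM_EQ_ENVFROM(0.00)[]\n"
    "\tR_SPF_SOFTFAIL(0.00)[~all]\n"
    "\tBAYES_HAM(-2.71)[98.75%]\n"
    "\tTO_MATCH_ENVRCPT_ALL(0.00)[]\n"
    "\tMIME_GOOD(-0.10)[multipart/related,multipart/alternative,text/plain]\n"
    "\tMID_RHS_MATCH_FROM(0.00)[]\n"
    "\tASN(0.00)[asn:16276, ipnet:94.23.0.0/16, country:FR]\n"
    "\tTO_DN_NONE(0.00)[]\n"
    "\tDMARC_POLICY_SOFTFAIL(0.10)[Chronopost.fr : No valid SPF, No valid DKIM,none]\n"
    "\tSUBJECT_ENDS_EXCLAIM(0.00)[]\n"
    "X-Spam: Yes\n"
)

# Assumed stock thresholds from actions.conf; adjust to your site's values.
DEFAULT_THRESHOLDS = {"greylist": 4.0, "add header": 6.0, "reject": 15.0}

SUMMARY_RE = re.compile(r"^(?P<metric>\w+): (?P<reject>True|False) "
                        r"\[(?P<score>-?\d+\.\d+) / (?P<required>-?\d+\.\d+)\]")
SYMBOL_RE = re.compile(r"(?P<name>[A-Za-z0-9_]+)\((?P<score>-?\d+\.\d+)\)\[(?P<opts>[^\]]*)\]")


@dataclass
class SpamdResult:
    metric: str
    is_reject: bool   # the True/False field: True only when the action was "reject"
    score: float
    required: float   # the reject threshold, not the add-header one
    symbols: dict     # symbol name -> (score, [options])


def unfold(value):
    """Join folded continuation lines (newline plus whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_spamd_result(value):
    """Parse a (possibly folded) X-Spamd-Result value into a SpamdResult."""
    text = unfold(value)
    m = SUMMARY_RE.match(text)
    if not m:
        raise ValueError("not an X-Spamd-Result header: %r" % text[:40])
    symbols = {}
    for s in SYMBOL_RE.finditer(text, m.end()):  # skip the "[score / required]" part
        opts = [o.strip() for o in s["opts"].split(",") if o.strip()]
        symbols[s["name"]] = (float(s["score"]), opts)
    return SpamdResult(m["metric"], m["reject"] == "True",
                       float(m["score"]), float(m["required"]), symbols)


def symbol_total(result):
    """Sum the per-symbol scores (fsum avoids accumulated float error)."""
    return math.fsum(score for score, _ in result.symbols.values())


def total_is_consistent(result):
    """Symbol scores are printed rounded to 0.01, so the sum may legitimately differ
    from the reported total by up to 0.005 per symbol (0.01 in the sample)."""
    return abs(symbol_total(result) - result.score) <= 0.005 * len(result.symbols) + 1e-9


def action_for(score, thresholds=DEFAULT_THRESHOLDS):
    """Highest action whose threshold the score reaches, else "no action"."""
    reached = [(thr, act) for act, thr in thresholds.items() if score >= thr]
    return max(reached)[1] if reached else "no action"


def top_symbols(result, n=3):
    """Symbols that moved the score most (by absolute value), for triage."""
    return sorted(result.symbols.items(), key=lambda kv: -abs(kv[1][0]))[:n]


def verdict(raw_message, thresholds=DEFAULT_THRESHOLDS):
    """Parse a message's Rspamd headers and check them against the thresholds."""
    msg = email.message_from_string(raw_message)
    result = parse_spamd_result(msg["X-Spamd-Result"])
    action = action_for(result.score, thresholds)
    checks = {
        "symbols_sum_to_total": total_is_consistent(result),
        "reject_flag_matches_action": result.is_reject == (action == "reject"),
        "required_is_reject_threshold": result.required == thresholds["reject"],
        # Simplified: X-Spam: Yes once the add-header threshold is reached
        # (rewrite subject / soft reject actions are not modelled here).
        "x_spam_flag_matches": (msg.get("X-Spam") == "Yes")
                               == (result.score >= thresholds["add header"]),
    }
    return result, action, checks


if __name__ == "__main__":
    res, act, chk = verdict(SAMPLE_MESSAGE)
    print(f"{res.metric}: {res.score} / {res.required} -> {act}")
    for name, (score, opts) in top_symbols(res):
        print(f"  {name:22} {score:+6.2f} {opts}")
    print({k: ("OK" if v else "MISMATCH") for k, v in chk.items()})
```

Run as a script it reports the sample as "add header" with FUZZY_DENIED, BAYES_HAM and RBL_SENDERSCORE as the deciding symbols, and all four cross-checks pass; a mismatch in the live mail flow usually means the thresholds in the script differ from actions.conf, or that a header was added by a different Rspamd instance than the one you expect. The per-symbol tolerance in total_is_consistent is deliberate: asserting exact equality would reject perfectly normal headers, as the sample's 11.56 versus 11.55 shows.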

Disable greylisting on rspamd

Just a quick FYI on disabling rspamd's greylisting module. This is something you will want to do if you run OpenBSD's spamd because it is still the king of first line of defense against spam. Putting the setting in local.d keeps it across package upgrades.

sudo vim /etc/rspamd/local.d/greylist.conf
enabled = false;

Then restart rspamd.

sudo systemctl restart rspamd
