Simonglm: Created page with "Our website uses '''postfix''' as it's MTA (mail transport agent), which also has the ability to forward incoming mails to so called ''MILTERS'' ("mail filters"). One of those..."

2023-02-12T18:49:59Z

Created page with "Our website uses '''postfix''' as it's MTA (mail transport agent), which also has the ability to forward incoming mails to so called ''MILTERS'' ("mail filters"). One of those..."

New page

Our website uses '''postfix''' as it's MTA (mail transport agent), which also has the ability to forward incoming mails to so called ''MILTERS'' ("mail filters").
One of those milters configured on our server is the spam filter '''Rspamd'''.

The WebUI of the service is located at [http://rspamd.muonpi.org rspamd.muonpi.org].
The rspamd service itself is running on <code>localhost:11332</code> with the UI running on <code>localhost:11334</code>.

===Terminology===
''Spam'' is unwanted mail, while ''Ham'' is referring to false positives.

From Wikipedia on [https://en.wikipedia.org/wiki/Spam_(food) Spam (food)]:
<blockquote>Spam has affected popular culture, including a Monty Python skit, which repeated the name many times, leading to its name being borrowed to describe unsolicited electronic messages, especially email.</blockquote>

== Setup ==
Setup and configuration was done according to [https://rspamd.com/doc/integration.html this guide].
Configuration for postfix is rather simple, just add <code>inet:localhost:11332</code> to the <code>smtpd_milters</code> field:

<code>smtpd_milters = unix:/opendkim/opendkim.sock,inet:localhost:11332</code>

== Training the filter==
Rspamd has the ability to learn to better filter spam. The training data is stored using a '''redis''' database.

Training can be done by two different methods: Via the WebUIs ''Scan/Learn'' Section of via the command line interface <code>rspamc</code>.

=== The WebUI===
After logging into the WebUI you can see the status of the filter. On the right hand side, a pie chart shows how many mails have been processed and the portions of rejected or annotated mails.
The Table named ''Bayesian statistics'' shows how many mails have been declared as 'Spam' or as 'Ham'.

Training is done in the '''Scan/Learn''' tab of the WebUI. Paste the raw message source into the text field and click '''Scan message'''.
Below you will see the result of the scan. The 'action' indicates what Rspamd would do if it where to receive that mail.
The symbols listed give the merits on which a message was evaluated.
They can either have a positive or negative value, indicating if their presence indicates if the given message is ''spam'' or ''ham''.

You can tell rspamd to learn from this message by choosing '''Upload Ham''' or '''Upload Spam'''.

=== The CLI ===
Similar to the WebUI, you can check if a given mail is spam or not by calling <code>rspamc suspicious.eml</code>.
After analysis, the found symbols and the collective score is shown.
To train the filter on this suspicious mail call <code>rspamc learn_spam suspicious.eml</code> and <code>rspamc learn_ham suspicious.eml</code> respectively.

== Dovecot CLI: 'doveadm' ==
Since most of the incomming mail is recieved by OSTicket via ''support@muonpi.org'' which does not provide the raw message source in the tickets, <code>doveadm</code> is used to get the message source.

'''NOTE''': This can only be done with superuser permissions and gives full read/write access to '''all''' users mails. So be careful!

Use <code>doveadm search [-u <user>|-A] [-S <socket_path>] <search query></code> to search for mails. See [https://wiki.dovecot.org/Tools/Doveadm/Search wiki.dovecot.org] for command reference and [https://wiki2.dovecot.org/Tools/Doveadm/SearchQuery this page] for ''search_query'' reference.

This one-liner will search and save mails from user <user> which were sent/recieved on the date <YYYY-MM-DD>:<br>
<code>doveadm search -u <user> ON <YYYY-MM-DD> | while read guid uid; do doveadm fetch -u <user> text mailbox-guid $guid uid $uid > $uid.eml; done</code>

Spam filtering - Revision history

Simonglm: Created page with "Our website uses '''postfix''' as it's MTA (mail transport agent), which also has the ability to forward incoming mails to so called ''MILTERS'' ("mail filters"). One of those..."