Blocking SPAM faster!!!

Blocking SPAM via RSPAMD

Hosting multiple websites means dealing with a steady stream of SPAM sent from valid-looking addresses, often with correct SPF and DKIM records, which makes it harder to detect. These messages target each hosted domain in turn, follow up repeatedly, and slip through because they have not yet been widely reported as SPAM. Many of the sending addresses appear to be disposable, which adds to the challenge. The constant influx hampers productivity and security, especially when unsolicited pitches keep following up despite no reply, creating an endless cycle.

This ongoing barrage not only disrupts workflow but also poses a security risk, since SPAM can carry malicious links or malware. Overall, SPAM is a major headache for website hosts, which highlights the importance of effective email filtering. Personally, I believe SPAM should be blocked at the mail server, not just within the mail client, to streamline the filtering process.

Previously, I’ve written about how easy it is to set up a fully working email service, including SPAM filtering with RSPAMD. You can read the details under: https://kennethbspringer.au/2023/12/21/linux-email-services/

Introducing RSPAMD

RSPAMD is an open-source, high-performance SPAM filtering system designed to protect email servers from unwanted messages, including SPAM, phishing, and malware.

It was created by Vsevolod Stakhov and is developed with the broader open-source community as a fast, flexible, and efficient alternative to traditional SPAM filters. Over the years, it has gained popularity for its modular architecture, statistical and neural-network classifiers, and reputation-based analysis, making it highly effective at identifying malicious or unwanted emails while minimising false positives.

And the best bit is that RSPAMD is freely available under the Apache License 2.0, allowing users to deploy, modify, and distribute the software without cost. Its open-source nature makes it suitable for both personal and commercial use, enabling organisations of all sizes to enhance their email security infrastructure without licensing fees. Overall, RSPAMD helps organisations maintain a secure, reliable email environment, protecting users and sensitive information from email-based threats.

How RSPAMD blocks SPAM

RSPAMD detects spam by combining several independent checks, each of which contributes to a per-message score. It basically utilises:

  1. Reputation Checks: RSPAMD evaluates the reputation of sender IP addresses, domains and URLs using reputation data, including fuzzy hashes of messages already seen as spam. A poor reputation raises the score.
  2. Header and Body Analysis: It examines headers and content for typical spam indicators, such as suspicious keywords, unusual formatting, missing or malformed standard headers, or known spam patterns.
  3. Machine Learning: RSPAMD’s Bayesian classifier (and optional neural network module) learn from the spam and ham you feed them, so detection improves over time for your own mail flow rather than relying on a fixed, pre-trained model.
  4. DNS-based Blacklists (DNSBL): It checks whether the sender’s IP address appears on known blocklists, and whether URLs in the body appear on URL blocklists such as SURBL.
  5. Heuristic Rules: RSPAMD applies customisable rules based on common spam characteristics, like excessive links, specific phrases, or malformed messages.
  6. Authentication Checks: It verifies SPF, DKIM and DMARC to distinguish spoofed mail from mail that really came from the claimed domain. Note that a clean pass here only proves the sender controls that domain; it says nothing about whether the content is wanted, which is exactly why the SEO-style spam described above sails through.
  7. Scoring and Actions: each check that fires adds its weight to the total; the total is compared against the configured action thresholds (greylist, add header, rewrite subject, reject), and the resulting action is handed back to the MTA.

By combining these methods, RSPAMD provides a highly effective and adaptable spam detection system, reducing false positives and ensuring legitimate emails are delivered while unwanted messages are filtered out.

What about “Straight to Blacklist”!!!???

While RSPAMD is fantastic at reducing SPAM, it does have limitations. One notable drawback is that it does not offer a simple, built-in way to blacklist a specific email address or domain outright.

Administrators can set custom rules and scores, but a quick, user-friendly method to permanently block a sender or domain requires manual configuration (the multimap module) or additional integration, which makes it less convenient for dealing with persistent senders on the spot. Let’s show how to easily add some customised multimap rules to RSPAMD to block emails or domains permanently.

Configuring RSPAMD

I am assuming that you have RSPAMD fully operational and functioning well. In my case RSPAMD is running within Docker, and if you’re not using Docker you can tweak the scripts etc. as needed.

Setting up the Regex Mapping Rules

You will need to create an entry for the custom rule in the multimap module configuration. On a standard install this lives under /etc/rspamd/local.d/multimap.conf; in a Docker setup it is the same path inside the container (or a bind-mounted directory). Use local.d rather than override.d unless you mean it: local.d merges your rule with the module’s defaults, whereas override.d replaces the entire multimap section. The file should have an entry such as:

CUSTOM_REGEX_FROM {
    type = "from";
    map = "/var/lib/rspamd/custom_regex_from.map";
    regexp = true;
}
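The rule above only defines the map; on its own it raises a symbol, and what happens next depends on the score or map value you attach to it. As an added example (not the post’s own configuration), here is a complete version of the rule that forces an outright reject, plus a second rule that matches the displayed From: header in case the address you want to block only appears there and not in the sender address. The `prefilter`, `action`, `description`, `header` and `filter` keys are from the multimap module documentation; the map path is the one from the post.

```ucl
# Added example, not the post's configuration: /etc/rspamd/local.d/multimap.conf
# The rule name doubles as the symbol rspamd reports when the map matches.
CUSTOM_REGEX_FROM {
    type = "from";                                  # match the sender address
    map = "/var/lib/rspamd/custom_regex_from.map";  # file map, one regexp per line
    regexp = true;                                  # entries are regular expressions
    prefilter = true;                               # evaluate before the other modules
    action = "reject";                              # force the reject action on a match
    description = "Sender or domain on the local blacklist";
}

# Same map, but applied to the displayed From: header rather than the sender address
CUSTOM_REGEX_HDR_FROM {
    type = "header";
    header = "From";
    filter = "email:addr";                          # compare the bare address only
    map = "/var/lib/rspamd/custom_regex_from.map";
    regexp = true;
    prefilter = true;
    action = "reject";
    description = "From: header on the local blacklist";
}
```

A map line for the examples later in this post would be `^seo@example_seo_services\.com$` (note the escaped dot; an unescaped `.` matches any character), or `/^seo@example_seo_services\.com$/i` if you want the match to be case-insensitive. To confirm the rule fires, feed a saved message to rspamd inside the container with `docker exec -i YOUR_DOCKER_CONTAINER rspamc < message.eml` and check that the output lists the symbol and reports `Action: reject`.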

Rejecting Email or Domain for RSPAMD

You can set up rejecting an email address or domain in RSPAMD via a script along the lines of block_email_or_domain.sh:

#!/bin/bash

# Usage: ./block_email_or_domain.sh email@example.com or domain.com
#
# Appends a regexp entry for the sender to the rspamd multimap map file
# inside the Docker container and asks rspamd to reload.

ENTRY="$1"
CONTAINER="YOUR_DOCKER_CONTAINER"                  # name of the rspamd container
MAP_FILE="YOUR_RSPAMD_MAP_FILE"                    # map path inside the container, as set in multimap.conf
BLOCKING_RULES="YOUR_RULES_TO_WHAT_SHOULD_HAPPEN"  # per-entry map value written after the pattern

if [ -z "$ENTRY" ]; then
  echo "Usage: $0 email@example.com or domain.com"
  exit 1
fi

# Check if the script is running as root (needed for docker exec)
if [ "$EUID" -ne 0 ]; then
  echo "Error: Please run this script with sudo or as root."
  exit 1
fi

# Escape regexp metacharacters in the input so that a '.' in a domain only
# matches a literal dot (example.com must not also match examplexcom).
ESCAPED=$(printf '%s' "$ENTRY" | sed 's/[][\.*^$+?(){}|]/\\&/g')

# Determine pattern based on input: an exact address if it contains '@',
# otherwise treat it as a domain and block every address at that domain.
if [[ "$ENTRY" == *"@"* ]]; then
  PATTERN="^${ESCAPED}$"
else
  PATTERN="^[^@]+@${ESCAPED}$"
fi

NEW_ENTRY="${PATTERN} ${BLOCKING_RULES}"

# Append the entry if it is not already present. grep -F compares the whole
# line as a fixed string (the original -x check used the pattern as a regexp
# against lines that also carry the rule suffix, so it never matched).
if ! docker exec -i "$CONTAINER" grep -qxF -- "$NEW_ENTRY" "$MAP_FILE"; then
  # Pipe the new line in on stdin so quoting inside the container is not an issue
  printf '%s\n' "$NEW_ENTRY" | docker exec -i "$CONTAINER" sh -c "cat >> '$MAP_FILE'"
  # Reload rspamd: SIGHUP to the main process makes it re-read its configuration
  # (assumes pidof resolves the rspamd process inside the container)
  docker exec "$CONTAINER" sh -c 'kill -HUP "$(pidof rspamd)"'
  echo "Added pattern '$NEW_ENTRY' to $MAP_FILE and reloaded rspamd."
else
  echo "Pattern '$PATTERN' already exists in $MAP_FILE."
fi

Note that the script detects whether you’re blocking an individual address or a whole domain and builds the matching anchored regex for it: an address becomes an exact match, a domain becomes “anything at that domain”. BLOCKING_RULES is the map value written after the pattern on each line, and for our case I’ve set it up so that a match rejects the email outright. Two things to keep in mind: a domain pattern of this shape does not cover subdomains (seo@mail.example.com is not caught by a block on example.com), and rspamd regexp map entries can also be written as /pattern/i if you want case-insensitive matching.
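As an added example (not the post’s script), here is the pattern-building logic on its own, runnable without Docker or rspamd, with constructed sender addresses to show what each pattern does and does not match. It goes one step beyond the script above: it escapes regexp metacharacters so a dot in a domain is a literal dot, and the domain pattern also covers subdomains, which is an assumption about what you want rather than something the post asks for.

```shell
#!/bin/bash
# Added example: build multimap regexp entries and check them offline.
# The sample addresses below are constructed for the demo, not real senders.

# Escape regexp metacharacters in an address or domain (the '.' in
# example.com must not match any character).
escape_regex() {
  printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# Build the anchored pattern rspamd will compare against the sender.
# An entry containing '@' is an exact address; anything else is a domain
# and, as an extension of the post's script, also matches its subdomains.
build_pattern() {
  local entry="$1" escaped
  escaped=$(escape_regex "$entry")
  if [[ "$entry" == *"@"* ]]; then
    printf '^%s$' "$escaped"
  else
    printf '^[^@]+@(.*\\.)?%s$' "$escaped"
  fi
}

# Does a sender address match a pattern? grep -E uses POSIX ERE; rspamd
# compiles map entries with PCRE, which agrees for this simple subset.
# Matching is case-insensitive, as mail domains are in practice.
matches() {
  printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Print which of the given addresses a pattern would block.
show_matches() {
  local pattern="$1" addr
  shift
  for addr in "$@"; do
    if matches "$pattern" "$addr"; then
      echo "BLOCK  $addr"
    else
      echo "allow  $addr"
    fi
  done
}

# Constructed inputs: a domain block and four candidate senders.
show_matches "$(build_pattern example_seo_services.com)" \
  seo@example_seo_services.com \
  Seo@MAIL.example_seo_services.com \
  seo@example_seo_servicesXcom \
  seo@example_seo_services.com.evil.test
```

The last two addresses are the ones worth looking at: the unescaped pattern from a naive script would have blocked the “X” variant (because `.` matches any character), and the `.evil.test` variant shows why the trailing `$` anchor matters. If you adopt the subdomain form, remember that it also catches mail from any host under the domain, which is usually what you want for an SEO spammer but not for a large provider.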

Considering we’re using Docker, the script finishes by signalling the rspamd process inside the container so the new configuration is picked up. Unfortunately, I could not find a way to force RSPAMD to reload its configuration from outside the container, and opted to signal the process directly. For what it’s worth, SIGHUP is rspamd’s documented reload signal (the main process re-reads its configuration and restarts its workers), so this is a reload rather than a kill. Also worth knowing: rspamd polls file-backed maps for changes and re-reads them on its own, so the HUP is only strictly necessary when multimap.conf itself changes; for plain map edits it does no harm.

Instantly blacklisted — No questions asked!

Now if you receive SPAM and do not wish to wait for RSPAMD’s scoring, Bayes training or DNSBL listings to catch up with the sender, you can instantly blacklist the email address or domain.

To block an email from seo@example_seo_services.com you can simply run:

sudo ./block_email_or_domain.sh seo@example_seo_services.com

Or to completely block the entire domain you can simply run:

sudo ./block_email_or_domain.sh example_seo_services.com

Undoing blacklisting

If you wish to undo a blacklisting, simply delete the entry from your map file (MAP_FILE) and hand the reins back to RSPAMD to decide what to do with that sender’s emails. Rspamd re-reads file maps when they change, so no restart is needed; sending the same HUP the script uses is harmless if you want to be sure.
