Rspamd is the best solution we have for managing spam, and that’s… kind of terrifying.
Consider the first symbol, URI_COUNT_ODD. The description reads “Odd number of URIs in multipart/alternative message.” The message has an odd number of pieces. Why is that important, though? Rspamd does not say. You must derive the deeper meaning from your understanding of the protocols and tools. In this case, this is an HTML message. HTML messages should have one MIME part for the text version, and another part for the HTML version. This particular message also has an attachment, so that’s a third part. A virus might also send a message with a plain version, an HTML version, and an executable attachment. The URI_COUNT_ODD test can’t tell the difference between my message and a virus payload. This is only mildly suspicious, and is worth one point.
I’m still pushing to get a first draft of Run Your Own Mail Server done in the next couple weeks. You sponsoring the book will not make me finish it any more quickly, but it will get your name in the back of the book.