spamassassin-users mailing list archives

From David Jones <djo...@ena.com>
Subject Re: improving detection to cloudmark-like levels?
Date Thu, 19 Oct 2017 12:06:09 GMT
On 10/19/2017 04:18 AM, Jari Fredriksson wrote:
> David Jones wrote on 13.10.2017 14:16:
>> On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
>>> I don't use Kam.cf <http://Kam.cf> as it is very prone to false
>>> positives and way too aggressively scored by default. I'm pretty happy
>>> with my current setup with 3.4.1 though.
>>>
>>
>> If you are happy with your SA accuracy, don't change a thing.  :)
>> Have you tried the KAM.cf lately?
> 
> Indeed I have. This just came today:
> 
> X-Spam-Report:
>      * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
>      * [mail99.sea21.rsgsv.net TXT:v=spf1]
>      [ip4:148.105.12.99 include:spf.mandrillapp.com]
>      [?all]
>      * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
>      * [URIs: forward-to-friend.com]
>      * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
>      * [148.105.12.99 listed in iadb.isipp.com]
>      * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
>      * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
>      * -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
>      * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
>      * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
>      * trust
>      * [148.105.12.99 listed in list.dnswl.org]
>      * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>      * domains are different
>      * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>      * 1.0 HTML_MESSAGE BODY: HTML included in message
>      * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>      * [score: 0.0000]
>      * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>      * background
>      * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
>      * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>      * valid
>      * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid &
>      * .link TLD Abuse
>      * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
>      * 0.0 KAM_SHORT Use of a URL Shortener for very short URL
> 
> The mail is ham from sourceforge.net. I'm able to deliver the post to
> KAM if he is willing to look at it.

You should consider changing the default scores of RCVD_IN_IADB_RDNS, 
RCVD_IN_IADB_DK, and RCVD_IN_IADB_LISTED to -2.0 or lower.  I have the 
shortcircuit plugin enabled with this config:

shortcircuit ALL_TRUSTED off

shortcircuit USER_IN_WHITELIST on
priority     USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

score RCVD_IN_RP_CERTIFIED -100
score RCVD_IN_RP_SAFE -10
score RCVD_IN_DNSWL_HI -10
score RCVD_IN_IADB_LISTED -100
score RCVD_IN_IADB_SPF -10
score RCVD_IN_IADB_DK -10
score RCVD_IN_IADB_RDNS -10
score RCVD_IN_IADB_SENDERID -10
score RCVD_IN_IADB_OPTIN -10

This eliminates content-based rules like KAM.cf firing for trusted 
senders.  You don't have to go as far as I did with shortcircuit'ing 
them but even setting a -2.0 or -4.0 score for those RCVD_IN_* rules 
above could help with trusted senders and save a lot of your time.

> 
> Hit points like 10 points for this issue BAD_TLD are just killing my
> system, which will report to spamcop, razor and pyzor without manual
> intervention :(
> 
> False positives are usually nonexistent with my setup, and this can not
> be taken into production.
> 
> br. jarif
> 
> 
>>
>> KAM.cf does have high scores when you first look at it but if you have
>> other SA add-ons that subtract points for being "good", then the high
>> KAM.cf scores complement things well.  Also, I am using MailScanner
>> and the default block score is 6.0 which helps a bit too.  My custom
>> rule scores tend to be high on both ends.
>>
>>> On 12 October 2017 17:07:41 GMT+03:00 "Kevin A. McGrail"
>>> <kevin.mcgrail@mcgrail.com> wrote:
>>>  >On 10/12/2017 9:25 AM, AJ Weber wrote:
>>>  >> I'm open to new rules, plug-ins, etc.  Spam volume is only getting
>>>  >> worse, and these spammers are getting more creative.
>>>  >
>>>  >Hi AJ,
>>>  >
>>>  >I have to say that 3.3.0 is pretty old.  I'd look to run a newer
>>>  >version, invest some time into researching a few RBLs and consider
>>>  >adding my KAM.cf <http://KAM.cf> file.
>>>  >
>>>  >Regards,
>>>  >KAM
> 
> -- 
> jarif@iki.fi


-- 
David Jones
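As an added illustration (not part of the thread, and not SpamAssassin's own code), the following Python script parses an X-Spam-Report of the shape quoted above and shows what the reply is arguing: how the total changes when RCVD_IN_IADB_RDNS, RCVD_IN_IADB_DK and RCVD_IN_IADB_LISTED are rescored to -2.0, and which rule would end the scan under the shortcircuit configuration in the reply. The sample report is reassembled from the one quoted in the thread. The shortcircuit model is a simplification (it walks hits in report order, whereas SpamAssassin walks rules in priority order) and assumes the plugin's default shortcircuit_ham_score of -100, shortcircuit_spam_score of 100, and a required_score of 5.0.

```python
import re

# Sample input: the X-Spam-Report quoted in the thread, reassembled one hit per
# line. Bracketed detail lines carry no score and are kept to show the parser
# skips them.
SAMPLE_REPORT = """\
 * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
 * [mail99.sea21.rsgsv.net TXT:v=spf1]
 * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
 * [URIs: forward-to-friend.com]
 * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
 * [148.105.12.99 listed in iadb.isipp.com]
 * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
 * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
 * -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
 * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
 * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 * 1.0 HTML_MESSAGE BODY: HTML included in message
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 * [score: 0.0000]
 * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
 * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
 * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
 * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid & .link TLD Abuse
 * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
 * 0.0 KAM_SHORT Use of a URL Shortener for very short URL
"""

# Rules the reply marks "shortcircuit ... on", with the scores it assigns them.
SHORTCIRCUIT_RULES = {
    "RCVD_IN_RP_CERTIFIED", "RCVD_IN_RP_SAFE", "RCVD_IN_DNSWL_HI",
    "RCVD_IN_IADB_LISTED", "RCVD_IN_IADB_SPF", "RCVD_IN_IADB_DK",
    "RCVD_IN_IADB_RDNS", "RCVD_IN_IADB_SENDERID", "RCVD_IN_IADB_OPTIN",
}
SHORTCIRCUIT_SCORES = {
    "RCVD_IN_RP_CERTIFIED": -100, "RCVD_IN_RP_SAFE": -10, "RCVD_IN_DNSWL_HI": -10,
    "RCVD_IN_IADB_LISTED": -100, "RCVD_IN_IADB_SPF": -10, "RCVD_IN_IADB_DK": -10,
    "RCVD_IN_IADB_RDNS": -10, "RCVD_IN_IADB_SENDERID": -10, "RCVD_IN_IADB_OPTIN": -10,
}

# The milder alternative the reply suggests: -2.0 on three of the IADB rules.
MILD_RESCORE = {"RCVD_IN_IADB_RDNS": -2.0, "RCVD_IN_IADB_DK": -2.0,
                "RCVD_IN_IADB_LISTED": -2.0}

# A hit line looks like "* <score> <RULE_NAME> <description>"; bracketed
# detail lines have no numeric score and therefore don't match.
HIT_RE = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s*(.*)$")


def parse_spam_report(text):
    """Return a list of (rule, score, description) tuples from an X-Spam-Report."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3)))
    return hits


def total_score(hits, overrides=None):
    """Sum the hit scores, substituting per-rule overrides (local 'score' lines)."""
    overrides = overrides or {}
    return round(sum(overrides.get(rule, score) for rule, score, _ in hits), 1)


def is_spam(score, required_score=5.0):
    """Compare against required_score; 5.0 is SpamAssassin's stock default (assumed here)."""
    return score >= required_score


def shortcircuit_verdict(hits, sc_rules, sc_scores, ham_score=-100.0, spam_score=100.0):
    """Simplified model of the Shortcircuit plugin: the first hit on a rule marked
    'on' ends the scan, and the sign of that rule's configured score decides ham
    or spam, yielding the plugin's default shortcircuit_ham_score / _spam_score.
    Real SpamAssassin walks rules in priority order, not report order."""
    for rule, score, _ in hits:
        if rule in sc_rules:
            final = ham_score if sc_scores.get(rule, score) < 0 else spam_score
            return rule, final
    return None, total_score(hits, sc_scores)


if __name__ == "__main__":
    hits = parse_spam_report(SAMPLE_REPORT)
    stock = total_score(hits)
    mild = total_score(hits, MILD_RESCORE)
    rule, final = shortcircuit_verdict(hits, SHORTCIRCUIT_RULES, SHORTCIRCUIT_SCORES)
    print(f"stock scores:       {stock:5.1f}  spam={is_spam(stock)}")
    print(f"IADB rules at -2.0: {mild:5.1f}  spam={is_spam(mild)}")
    print(f"shortcircuit on {rule}: final score {final}")
```

With the stock scores the quoted message totals 9.7, well past a 5.0 threshold, almost entirely from the 10-point KAM_SOMETLD_ARE_BAD_TLD hit. Rescoring the three IADB rules to -2.0 brings the same message to 4.0, and under the shortcircuit configuration the first IADB hit ends the scan as ham before any content rule is consulted.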
