spamassassin-users mailing list archives

From David Jones <djo...@ena.com>
Subject Re: FIlter
Date Sat, 02 Dec 2017 18:33:02 GMT
On 12/02/2017 10:39 AM, Junk wrote:
> I implemented all of the filters you mentioned and the score went up from 3.5 to 3.9 on an example spam email I was testing.
> I will look further into more filters.
> I see lots of spam that is formatted as image and those are not being caught.
> 
> 

What is your MTA?  If you are using Postfix then definitely enable 
postscreen plus its weighted RBLs.  Then you can combine the power of 
multiple RBLs that would normally be too risky to reject on their own to 
make them more reliable.

Then you can start experimenting with RBLs at 
http://multirbl.valli.org/lookup/ with low weights and slowly bump them 
up as you find ones that are helpful for your particular mail flow. 
Here is my current list:

postscreen_dnsbl_sites =
   dnsbl.sorbs.net=127.0.0.[10;14]*9
   zen.spamhaus.org=127.0.0.[10;11]*8
   dnsbl.sorbs.net=127.0.0.5*7
   zen.spamhaus.org=127.0.0.[4..7]*7
   b.barracudacentral.org=127.0.0.2*7
   zen.spamhaus.org=127.0.0.3*7
   dnsbl.inps.de=127.0.0.2*7
   hostkarma.junkemailfilter.com=127.0.0.2*4
   dnsbl.sorbs.net=127.0.0.7*4
   bl.spamcop.net=127.0.0.2*4
   bl.spameatingmonkey.net=127.0.0.[2;3]*4
   dnsrbl.swinog.ch=127.0.0.3*4
   ix.dnsbl.manitu.net=127.0.0.2*4
   psbl.surriel.com=127.0.0.2*4
   bl.mailspike.net=127.0.0.[10;11;12]*4
   bl.mailspike.net=127.0.0.2*4
   ubl.unsubscore.com=127.0.0.2*4
   zen.spamhaus.org=127.0.0.2*3
   dnsbl-1.uceprotect.net=127.0.0.2*2
   dnsbl.sorbs.net=127.0.0.6*3
   dnsbl.sorbs.net=127.0.0.9*2
   dnsbl.sorbs.net=127.0.0.8*2
   score.senderscore.com=127.0.4.[0..29]*2
   hostkarma.junkemailfilter.com=127.0.0.4*2
   all.spamrats.com=127.0.0.38*2
   bl.nszones.com=127.0.0.[2;3]*1
   dnsbl-2.uceprotect.net=127.0.0.2*1
   dnsbl.sorbs.net=127.0.0.2*1
   dnsbl.sorbs.net=127.0.0.4*1
   score.senderscore.com=127.0.4.[30..69]*1
   all.spamrats.com=127.0.0.38*2
   bl.nszones.com=127.0.0.[2;3]*1
   dnsbl-2.uceprotect.net=127.0.0.2*1
   dnsbl.sorbs.net=127.0.0.2*1
   dnsbl.sorbs.net=127.0.0.4*1
   score.senderscore.com=127.0.4.[30..69]*1
   dnsbl.sorbs.net=127.0.0.3*1
   hostkarma.junkemailfilter.com=127.0.1.2*1
   dnsbl.sorbs.net=127.0.0.15*1
   ips.backscatterer.org=127.0.0.2*1
   bl.nszones.com=127.0.0.5*-1
   wl.mailspike.net=127.0.0.[18;19;20]*-2
   hostkarma.junkemailfilter.com=127.0.0.1*-2
   ips.whitelisted.org=127.0.0.2*-2
   safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
   list.dnswl.org=127.0.[0..255].0*-2
   dnswl.inps.de=127.0.[0;1].[2..10]*-2
   list.dnswl.org=127.0.[0..255].1*-3
   list.dnswl.org=127.0.[0..255].2*-4
   list.dnswl.org=127.0.[0..255].3*-5

- Set up postwhite with Postfix to bypass major/trusted senders so you 
don't reject too much with the above RBL lists.

- Enable basic DNS check in Postfix main.cf:

smtpd_recipient_restrictions =
   permit_mynetworks,
   ...,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   reject_unauth_destination,
   reject_unverified_recipient,
   reject_unknown_reverse_client_hostname,
   reject_unknown_sender_domain,
   reject_unlisted_sender,
   reject_unlisted_recipient,
   ...,


- Enable greylisting if you can.  It really does work, especially 
helpful with zero-hour spammers from compromised accounts that are very 
difficult to block.  It is possible to deploy it slowly so users don't 
notice a delay.

- Enable Postfix rate limiting.

- Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can 
use.  OpenDMARC with some custom rules can give Spamassassin basic DMARC 
support.

header		DMARC_PASS	Authentication-Results =~ /your-server-here; dmarc=pass/
describe	DMARC_PASS	DMARC check passed
score		DMARC_PASS	-0.01

header		DMARC_FAIL	Authentication-Results =~ /your-server-here; dmarc=fail/
describe	DMARC_FAIL	DMARC check failed
score		DMARC_FAIL	0.01

header		DMARC_NONE	Authentication-Results =~ /your-server-here; dmarc=none/
describe	DMARC_NONE	DMARC check neutral
score		DMARC_NONE	0.01

header		DMARC_FAIL_REJECT	Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
describe	DMARC_FAIL_REJECT	DMARC check failed and the sending domains says to reject this message
score		DMARC_FAIL_REJECT	8.2


- Consider slightly bumping up the scores on FREEMAIL* rules since these 
are often sources of abuse.

- Add DecodeShortURLs.pm and DecodeShortURLs.cf

- Enable Lashback RBL in SA /etc/mail/spamassassin/lashback.cf:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header		__RCVD_IN_LASHBACK	eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe	__RCVD_IN_LASHBACK	Received is listed in Lashback ubl.unsubscore.com
tflags		__RCVD_IN_LASHBACK	net

header		RCVD_IN_LASHBACK	eval:check_rbl_sub('lashback', '127.0.0.2')
describe	RCVD_IN_LASHBACK	Received is listed in Lashback ubl.unsubscore.com
score		RCVD_IN_LASHBACK	1.2
tflags		RCVD_IN_LASHBACK	net

header		RCVD_IN_LASHBACK_LASTEXT	eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe 	RCVD_IN_LASHBACK_LASTEXT	Last external is listed in Lashback ubl.unsubscore.com
score		RCVD_IN_LASHBACK_LASTEXT	2.2
tflags		RCVD_IN_LASHBACK_LASTEXT	net

endif

- Make sure that DCC, Razor, and Pyzor are installed and there are hits 
in your mail logs.

- Properly train your Bayesian DB with spam first then ham second.

- Have a huge list of whitelist_auth and whitelist_from_rcvd entries for 
trusted senders which allows me to bump up many scores without causing 
false positives on them.

>> On Dec 1, 2017, at 5:05 PM, Kevin Miller <kevin.miller@juneau.org> wrote:
>>
>> There's a number of rulesets that I use - many are mentioned here in this list and discussed so a look at the archives will probably be helpful.
>>
>> KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>> Hashcash
>> HashBL
>> SEM - spameatingmonkey.net
>>
>> To mention just a few...
>>
>>
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>>
>>
>> -----Original Message-----
>> From: Junk [mailto:junk@lexoncom.com]
>> Sent: Friday, December 01, 2017 1:36 PM
>> To: Kevin Miller
>> Cc: users@spamassassin.apache.org
>> Subject: RE: FIlter
>>
>> Do  you know any additional lists that could be added in addition to:
>> - built ones
>> - http://wiki.junkemailfilter.com
>> - razors
>>
>> I have the spam score set to above to be 100% spam as I noticed what is below 5% sometimes falls into not a spam email.
>>
> 

-- 
David Jones
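
The weighted-RBL scoring recommended in the message above, as an added example that is not part of the original post or of Postfix itself: it parses `domain=filter*weight` entries (a subset of the posted list) and sums the weights for a client's DNSBL replies. The threshold value and the sample replies are constructed assumptions.

```python
import re

# Subset of the postscreen_dnsbl_sites list from the message.
SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
bl.spamcop.net=127.0.0.2*4
score.senderscore.com=127.0.4.[0..29]*2
list.dnswl.org=127.0.[0..255].1*-3
""".split()
THRESHOLD = 8  # assumed postscreen_dnsbl_threshold; the message does not give one

def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, filter or None, weight)."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    domain, filt, weight = m.groups()
    return domain, filt, int(weight) if weight else 1

def octet_matches(pattern, value):
    """Match one octet against a plain number or a '[a;b;c..d]' pattern."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    if filt is None:  # no filter: any non-error reply counts
        return True
    pats = re.findall(r"\[[^\]]+\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octets))

def dnsbl_score(sites, replies):
    """replies: {domain: [A records]}; each entry's weight is applied at most once."""
    total = 0
    for domain, filt, weight in map(parse_entry, sites):
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            total += weight
    return total

def would_block(score, threshold=THRESHOLD):
    return score >= threshold  # the threshold is an inclusive lower bound

# Constructed replies: one client on two blocklists and one whitelist.
SAMPLE = {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"],
          "list.dnswl.org": ["127.0.5.1"]}
```

With the sample replies, neither blocklist hit reaches the assumed threshold alone, while their sum does even after the whitelist entry subtracts 3.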
