spamassassin-users mailing list archives

From David Jones <>
Subject Re: FIlter
Date Sat, 02 Dec 2017 18:33:02 GMT
On 12/02/2017 10:39 AM, Junk wrote:
> I implemented all of the filters you mentioned and the score went up from 3.5 to 3.9 on an example spam email I was testing.
> I will look further into more filters.
> I see lots of spam that is formatted as image and those are not being caught.

What is your MTA?  If you are using Postfix then definitely enable
postscreen plus its weighted RBLs.  Then you can combine the power of
multiple RBLs that would normally be too risky to reject on their own to 
make them more reliable.

Then you can start experimenting with RBLs at with low weights and slowly bump them 
up as you find ones that are helpful for your particular mail flow. 
Here is my current list:

postscreen_dnsbl_sites =[10;14]*9[10;11]*8*7[4..7]*7*7*7*7*4*4*4[2;3]*4*4*4*4[10;11;12]*4*4*4*3*2*3*2*2[0..29]*2*2*2[2;3]*1*1*1*1[30..69]*1*2[2;3]*1*1*1*1[30..69]*1*1*1*1*1*-1[18;19;20]*-2*-2*-2[0..255].0*-2[0..255].0*-2[0;1].[2..10]*-2[0..255].1*-3[0..255].2*-4[0..255].3*-5

- Set up postwhite with Postfix to bypass major/trusted senders so you
don't reject too much with the above RBL lists.

- Enable basic DNS check in Postfix

smtpd_recipient_restrictions =

- Enable greylisting if you can.  It really does work, especially 
helpful with zero-hour spammers from compromised accounts that are very 
difficult to block.  It is possible to deploy it slowly so users don't 
notice a delay.

- Enable Postfix rate limiting.

- Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can 
use.  OpenDMARC with some custom rules can give Spamassassin basic DMARC 

header		DMARC_PASS	Authentication-Results =~ /your-server-here; dmarc=pass/
describe	DMARC_PASS	DMARC check passed
score		DMARC_PASS	-0.01

header		DMARC_FAIL	Authentication-Results =~ /your-server-here; dmarc=fail/
describe	DMARC_FAIL	DMARC check failed
score		DMARC_FAIL	0.01

header		DMARC_NONE	Authentication-Results =~ /your-server-here; dmarc=none/
describe	DMARC_NONE	DMARC check neutral
score		DMARC_NONE	0.01

header		DMARC_FAIL_REJECT	Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
describe	DMARC_FAIL_REJECT	DMARC check failed and the sending domains says to reject this message

- Consider slightly bumping up the scores on FREEMAIL* rules since these
are often sources of abuse.

- Add and

- Enable Lashback RBL in SA /etc/mail/spamassassin/

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header		__RCVD_IN_LASHBACK	eval:check_rbl('lashback', '')
describe	__RCVD_IN_LASHBACK	Received is listed in Lashback
tflags		__RCVD_IN_LASHBACK	net

header		RCVD_IN_LASHBACK	eval:check_rbl_sub('lashback', '')
describe	RCVD_IN_LASHBACK	Received is listed in Lashback
tflags		RCVD_IN_LASHBACK	net

header		RCVD_IN_LASHBACK_LASTEXT	eval:check_rbl('lashback-lastexternal', 
describe 	RCVD_IN_LASHBACK_LASTEXT	Last external is listed in Lashback


- Make sure that DCC, Razor, and Pyzor are installed and there are hits 
in your mail logs.

- Properly train your Bayesian DB with spam first then ham second.

- Have a huge list of whitelist_auth and whitelist_from_rcvd entries for 
trusted senders which allows me to bump up many scores without causing 
false positives on them.

>> On Dec 1, 2017, at 5:05 PM, Kevin Miller <> wrote:
>> There's a number of rulesets that I use - many are mentioned here in this list and discussed so a look at the archives will probably be helpful.
>> KAM -
>> Hashcash
>> HashBL
>> SEM -
>> To mention just a few...
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>> -----Original Message-----
>> From: Junk []
>> Sent: Friday, December 01, 2017 1:36 PM
>> To: Kevin Miller
>> Cc:
>> Subject: RE: FIlter
>> Do you know any additional lists that could be added in addition to:
>> - built ones
>> -
>> - razors
>> I have the spam score set to above to be 100% spam as I noticed what is below 5% sometimes falls into not a spam email.

David Jones
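
Added example, not part of the original message: a small Python model of how postscreen combines weighted DNSBL entries (`zone=filter*weight`) into one score and compares it with the threshold, showing why several low-weight lists can block together while a negative-weight whitelist pulls the score back down. The zone names, weights, threshold and DNS answers are constructed placeholders, not the list from the message.

```python
import re

ENTRY = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")  # zone[=filter][*weight]

def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (zone, filter, weight) tuples."""
    sites = []
    for item in re.split(r"[,\s]+", value.strip()):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"bad entry: {item!r}")
        sites.append((m[1], m[2], int(m[3] or 1)))   # weight defaults to 1
    return sites

def octet_matches(pattern, octet):
    """One filter field: a number, or [...] holding ';'-separated numbers or a..b ranges."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    if filt is None:                       # no filter: any non-error reply counts
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(fields) == 4 and all(octet_matches(f, o) for f, o in zip(fields, octets))

def dnsbl_score(sites, replies):
    """replies maps zone -> list of A answers; an entry's weight is applied at most once."""
    return sum(w for zone, filt, w in sites
               if any(reply_matches(filt, r) for r in replies.get(zone, [])))

# Constructed sample: placeholder zones and weights, not the list from the message.
SITES = parse_sites("""
    bl-strong.example*4
    bl-a.example=127.0.0.[2;3]*2
    bl-b.example=127.0.0.[10..12]*2
    wl.example=127.0.[0..255].1*-3
""")
THRESHOLD = 4   # stands in for postscreen_dnsbl_threshold (inclusive lower bound)

def verdict(replies):
    score = dnsbl_score(SITES, replies)
    return score, ("block" if score >= THRESHOLD else "pass")
```

Feeding it the answers a candidate list returns for known-good and known-bad clients from your own logs is a quick way to choose a starting weight before raising it in production.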
