Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Hi Dianne,

Good to hear from you.

I need the dkim/spf lookup features of SpamAssassin.  procmail will
filter and dump into folders but AFAIK does not do any kind of spf or
dkim verification.  There are stand-alone scripts that can do that but
using those are above my pay grade unless someone wants to pipe in (as
in *pipe* the email via procmail somewhere where a dkim/spf script can
run against it and depending on the result, send it to a certain folder.)


On 01/19/2018 10:05 AM, Dianne Skoll wrote:
> On Thu, 18 Jan 2018 16:01:13 -0500
> Chip  wrote:
>
>> I'm tied to a Cpanel/WHM VPS which can't be changed.
> That's a problem.  It's like having someone require you to play
> Hungarian Rhapsody while wearing mittens.  I mean sure... maybe it's
> possible, but why would you try?
>
> Is there no possibility of a filtering machine in front of that box?
> Or as others have said, use procmail which AFAIK works fine with Exim.
>
> Regards,
>
> Dianne.
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Dianne Skoll
On Thu, 18 Jan 2018 16:01:13 -0500
Chip  wrote:

> I'm tied to a Cpanel/WHM VPS which can't be changed.

That's a problem.  It's like having someone require you to play
Hungarian Rhapsody while wearing mittens.  I mean sure... maybe it's
possible, but why would you try?

Is there no possibility of a filtering machine in front of that box?
Or as others have said, use procmail which AFAIK works fine with Exim.

Regards,

Dianne.


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
yes, everything you say is accurate and correct.

We are not looking for perfection in the gathering of statistics, only
ballpark.

No one will ever open the bogus, phishing emails because the emails are
not attached to a living person.  Once the statistic is collected the
email is automatically deleted.

Think honey pot/greylisting pot that looks at the amount of emails a
never before used email address with a highly unique local-part that is
not attached to a real person and has never been used to send mail on a
domain that is also very unique that only accepts email for a select
whitelist of addresses.

What is the guess that it will be flooded with spam?

That is what we are setting out to ascertain.




On 01/19/2018 09:43 AM, David Jones wrote:
> On 01/19/2018 08:30 AM, Chip wrote:
>> Good question.
>>
>> Saying why I care about spf and dkim but not spam sounds contradictory,
>> I know.
>>
>> The reason is because this project doesn't care if spam arrives, only if
>> the spam or email (even authenticated properly email) is spoofed.
>>
>
> How are you going to determine that?  You need to factor in the
> spamminess to determine if something spoofed or else you will need to
> manually check every email and its headers.
>
> Spammers can spoof Paypal or Bank Of America using their own domain
> with perfect SPF and DKIM and your system would put it in the pass
> folder.
>
> Also, compromised accounts from normally good domains will have
> passing SPF and DKIM and end up in your pass folder but could be a
> dangerous phishing email.
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones

On 01/19/2018 08:30 AM, Chip wrote:
> Good question.
>
> Saying why I care about spf and dkim but not spam sounds contradictory,
> I know.
>
> The reason is because this project doesn't care if spam arrives, only if
> the spam or email (even authenticated properly email) is spoofed.

How are you going to determine that?  You need to factor in the
spamminess to determine if something spoofed or else you will need to
manually check every email and its headers.


Spammers can spoof Paypal or Bank Of America using their own domain with 
perfect SPF and DKIM and your system would put it in the pass folder.


Also, compromised accounts from normally good domains will have passing 
SPF and DKIM and end up in your pass folder but could be a dangerous 
phishing email.


--
David Jones


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Thank you!  I see that shortcircuit is already enabled in 320!

I think you really hit on something.

Thanks again!

I knew there was a simple answer.

On 01/19/2018 09:35 AM, David Jones wrote:
> On 01/19/2018 08:24 AM, Chip wrote:
>> Ok point taken - I should have mentioned earlier that *part* of the
>> reason to stick with SA is because it does spf and dkim checks.  My
>> mistake.
>>
>> Moving on now, David, good suggestions!  Enlighten me about the
>> Shortcircuit plugin please.  How does one activate it or use it?
>>
>
> 1. Enable the Shortcircuit plugin simply by uncommenting it in the
> v320.pre like I said below.  This file will be in the same directory
> as your local.cf usually /etc/mail/spamassassin.
>
> 2. I gave the exact 4 lines to put in your local.cf below.
>
> Try this and check your mail logs for a bit.  Play around with SA
> settings in your local.cf and see what happens.  This is how you learn
> SA.  It's taken me years of doing this almost daily to understand how
> SA works and I am not an SA guru like some on this list.
>
>> The manual gives an example as follows, so is it correct to simply
>> put this into my local.cf and let it run?  It looks like it simply
>> activates by adding the line: shortcircuit TEST on.
>>
>>     =over 4
>>
>>    body TEST /test/
>>    describe TEST test rule that scores barely over spam threshold
>>    score TEST 5.5
>>    priority TEST -100
>>    shortcircuit TEST on
>>
>>
>>
>> On 01/19/2018 08:38 AM, David Jones wrote:
>>> On 01/18/2018 05:49 PM, Chip wrote:
>>>> Very well stated.  Bravo!
>>>>
>>>> The end point here is to examine the email headers that specifically
>>>> refer to dkim and spf signatures.  Based on fail or pass, or some
>>>> combination in concert with the sender's email address, they get moved
>>>> into fail or pass folders.
>>>>
>>>> That's it!
>>>>
>>>
>>> Finally we get some details!  :)  This is very simple then:
>>>
>>> 1. Enable the Shortcircuit plugin in v320.pre
>>>
>>> 2. Enable these SPF and DKIM rules to be shortcircuit'd in your
>>> local.cf:
>>>
>>> shortcircuit SPF_PASS on
>>> shortcircuit DKIM_VALID_AU on
>>> score SPF_PASS -100
>>> score DKIM_VALID_AU -100
>>>
>>> 3. Now you should see the SHORTCIRCUIT rule hit in your logs. Setup
>>> a sieve rule to look for those 2 rules above to move them to the
>>> pass folder.  They will always be ham (score very low) and never be
>>> blocked by the "glue" even with the default required_score.
>>>
>>> P.S. Technically, you could just set the 2 scores and not enable the
>>> shortcircuit plugin.  The 2 score lines in the local.cf should do
>>> what you want to do.
>>>
>>
>
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones

On 01/19/2018 08:24 AM, Chip wrote:
> Ok point taken - I should have mentioned earlier that *part* of the
> reason to stick with SA is because it does spf and dkim checks.  My mistake.
>
> Moving on now, David, good suggestions!  Enlighten me about the
> Shortcircuit plugin please.  How does one activate it or use it?

1. Enable the Shortcircuit plugin simply by uncommenting it in the
v320.pre like I said below.  This file will be in the same directory as
your local.cf usually /etc/mail/spamassassin.

2. I gave the exact 4 lines to put in your local.cf below.

Try this and check your mail logs for a bit.  Play around with SA
settings in your local.cf and see what happens.  This is how you learn
SA.  It's taken me years of doing this almost daily to understand how SA
works and I am not an SA guru like some on this list.

> The manual gives an example as follows, so is it correct to simply put
> this into my local.cf and let it run?  It looks like it simply activates
> by adding the line: shortcircuit TEST on.
>
> =over 4
>
>    body TEST /test/
>    describe TEST test rule that scores barely over spam threshold
>    score TEST 5.5
>    priority TEST -100
>    shortcircuit TEST on
>
> On 01/19/2018 08:38 AM, David Jones wrote:
>> On 01/18/2018 05:49 PM, Chip wrote:
>>> Very well stated.  Bravo!
>>>
>>> The end point here is to examine the email headers that specifically
>>> refer to dkim and spf signatures.  Based on fail or pass, or some
>>> combination in concert with the sender's email address, they get moved
>>> into fail or pass folders.
>>>
>>> That's it!
>>>
>>
>> Finally we get some details!  :)  This is very simple then:
>>
>> 1. Enable the Shortcircuit plugin in v320.pre
>>
>> 2. Enable these SPF and DKIM rules to be shortcircuit'd in your local.cf:
>>
>> shortcircuit SPF_PASS on
>> shortcircuit DKIM_VALID_AU on
>> score SPF_PASS -100
>> score DKIM_VALID_AU -100
>>
>> 3. Now you should see the SHORTCIRCUIT rule hit in your logs. Setup a
>> sieve rule to look for those 2 rules above to move them to the pass
>> folder.  They will always be ham (score very low) and never be blocked
>> by the "glue" even with the default required_score.
>>
>> P.S. Technically, you could just set the 2 scores and not enable the
>> shortcircuit plugin.  The 2 score lines in the local.cf should do what
>> you want to do.







--
David Jones
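
Added example, not part of the original thread and not SpamAssassin's own code: a sorter for step 3 of the recipe above, which reads the X-Spam-Status header and files each message under pass or fail by exact match on SPF_PASS and DKIM_VALID_AU, keeping a tally for statistics. The any/all switch, the handling of a missing or repeated header, and the sample messages are assumptions made for the illustration.

```python
import email
import re
from collections import Counter

# Rule names come from the thread; everything else here is an assumption.
AUTH_RULES = ("SPF_PASS", "DKIM_VALID_AU")


def rule_hits(raw):
    """Return the set of rule names in X-Spam-Status, or None if unusable.

    None means the header is absent or appears more than once, in which
    case the sorter cannot tell which copy the local scanner wrote.
    """
    msg = email.message_from_bytes(raw)
    statuses = msg.get_all("X-Spam-Status") or []
    if len(statuses) != 1:
        return None
    # The tests= list is folded across lines after commas; undo the folding.
    status = re.sub(r",\s+", ",", str(statuses[0]))
    match = re.search(r"\btests=(\S*)", status)
    if not match or match.group(1) in ("", "none"):
        return set()
    # Exact tokens matter: DKIM_VALID is not DKIM_VALID_AU.
    return {name for name in match.group(1).split(",") if name}


def classify(raw, require="any"):
    """Return 'pass' or 'fail'. require='all' demands both rules."""
    hits = rule_hits(raw)
    if hits is None:
        return "fail"
    matched = [rule for rule in AUTH_RULES if rule in hits]
    if require == "all":
        return "pass" if len(matched) == len(AUTH_RULES) else "fail"
    return "pass" if matched else "fail"


def tally(messages, require="any"):
    """Count folder decisions and per-rule hits over an iterable of messages."""
    counts = Counter()
    for raw in messages:
        counts[classify(raw, require)] += 1
        hits = rule_hits(raw) or set()
        for rule in AUTH_RULES:
            if rule in hits:
                counts[rule] += 1
    return counts


def sample(status_lines):
    """Build a constructed test message with the given status header lines."""
    head = ["From: someone@example.org", "To: trap@example.net",
            "Subject: constructed sample"] + list(status_lines)
    return ("\r\n".join(head) + "\r\n\r\nbody\r\n").encode()


STATUS = "X-Spam-Status: No, score=%s required=5.0 tests=%s"
TAIL = " autolearn=disabled version=3.4.1"

# Constructed messages, not captured traffic.
SAMPLES = {
    "both": sample([STATUS % ("-200.0", "DKIM_SIGNED,DKIM_VALID,"),
                    "\tDKIM_VALID_AU,SPF_PASS" + TAIL]),
    "spf_only": sample([STATUS % ("-100.0", "SPF_PASS") + TAIL]),
    "third_party_sig": sample([STATUS % ("0.0", "DKIM_SIGNED,DKIM_VALID") + TAIL]),
    "neither": sample([STATUS % ("0.9", "SPF_FAIL") + TAIL]),
    "no_hits": sample([STATUS % ("0.0", "none") + TAIL]),
    "untagged": sample([]),
    "duplicate": sample([STATUS % ("-100.0", "SPF_PASS") + TAIL,
                         STATUS % ("-100.0", "DKIM_VALID_AU") + TAIL]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} any={classify(raw)} all={classify(raw, 'all')}")
    print(dict(tally(SAMPLES.values())))
```

The two David Jones caveats quoted earlier in the thread still apply: a pass here says the sending domain authenticated, not that the message is safe to trust.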


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Good question.

Saying why I care about spf and dkim but not spam sounds contradictory,
I know.

The reason is because this project doesn't care if spam arrives, only if
the spam or email (even authenticated properly email) is spoofed. 

We are doing checks on senders and the likelihood of a spoofed from
email address/domain together with an authentic spf and/or dkim is
*less* likely than a spoofed from email address without any spf/dkim. 
Collecting statistics, I guess you could say.



On 01/19/2018 09:07 AM, RW wrote:
> On Thu, 18 Jan 2018 18:49:52 -0500
> Chip wrote:
>
>> Very well stated.  Bravo!
>>
>> The end point here is to examine the email headers that specifically
>> refer to dkim and spf signatures.  Based on fail or pass, or some
>> combination in concert with the sender's email address, they get moved
>> into fail or pass folders.
> ...
>> But that is with spamassassin still identifying spam, which is
>> unnecessary in this case as this project will never attract spam - I
>> know that is hard to believe in, but it won't.
>
> Then why do you care about spf and dkim? 
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Chip
Ok point taken - I should have mentioned earlier that *part* of the
reason to stick with SA is because it does spf and dkim checks.  My mistake.

Moving on now, David, good suggestions!  Enlighten me about the
Shortcircuit plugin please.  How does one activate it or use it?

The manual gives an example as follows, so is it correct to simply put
this into my local.cf and let it run?  It looks like it simply activates
by adding the line: shortcircuit TEST on.

=over 4

  body TEST /test/
  describe TEST test rule that scores barely over spam threshold
  score TEST 5.5
  priority TEST -100
  shortcircuit TEST on



On 01/19/2018 08:38 AM, David Jones wrote:
> On 01/18/2018 05:49 PM, Chip wrote:
>> Very well stated.  Bravo!
>>
>> The end point here is to examine the email headers that specifically
>> refer to dkim and spf signatures.  Based on fail or pass, or some
>> combination in concert with the sender's email address, they get moved
>> into fail or pass folders.
>>
>> That's it!
>>
>
> Finally we get some details!  :)  This is very simple then:
>
> 1. Enable the Shortcircuit plugin in v320.pre
>
> 2. Enable these SPF and DKIM rules to be shortcircuit'd in your local.cf:
>
> shortcircuit SPF_PASS on
> shortcircuit DKIM_VALID_AU on
> score SPF_PASS -100
> score DKIM_VALID_AU -100
>
> 3. Now you should see the SHORTCIRCUIT rule hit in your logs.  Setup a
> sieve rule to look for those 2 rules above to move them to the pass
> folder.  They will always be ham (score very low) and never be blocked
> by the "glue" even with the default required_score.
>
> P.S. Technically, you could just set the 2 scores and not enable the
> shortcircuit plugin.  The 2 score lines in the local.cf should do what
> you want to do.
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones

On 01/19/2018 08:07 AM, RW wrote:
> On Thu, 18 Jan 2018 18:49:52 -0500
> Chip wrote:
>
>> Very well stated.  Bravo!
>>
>> The end point here is to examine the email headers that specifically
>> refer to dkim and spf signatures.  Based on fail or pass, or some
>> combination in concert with the sender's email address, they get moved
>> into fail or pass folders.
> ...
>> But that is with spamassassin still identifying spam, which is
>> unnecessary in this case as this project will never attract spam - I
>> know that is hard to believe in, but it won't.
>
> Then why do you care about spf and dkim?

Never say never.  If you have some email addresses out there that have
been around for a few years, then they will get on spammers' lists in
various ways.

Also, these emails being delivered to your cpanel VPS need to be direct
deliveries, not forwards or bcc's in order to correctly identify SPF and
DKIM.  This means you must have a test domain or two in your control to
point the MX records directly to this VPS.  This on its own could
attract spam.  Trust me.  The spammers have ways of finding mail server
IPs and which domains are accepted by them so they can start dictionary
spam attacks.  If you have a catchall mailbox setup, it will definitely
get spam.  Even regular/single mailboxes will get spam if the VPS is
open on port 25 to the Internet.


--
David Jones


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread RW
On Thu, 18 Jan 2018 18:49:52 -0500
Chip wrote:

> Very well stated.  Bravo!
> 
> The end point here is to examine the email headers that specifically
> refer to dkim and spf signatures.  Based on fail or pass, or some
> combination in concert with the sender's email address, they get moved
> into fail or pass folders.
...
> But that is with spamassassin still identifying spam, which is
> unnecessary in this case as this project will never attract spam - I
> know that is hard to believe in, but it won't.


Then why do you care about spf and dkim? 


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread David Jones

On 01/18/2018 05:49 PM, Chip wrote:
> Very well stated.  Bravo!
>
> The end point here is to examine the email headers that specifically
> refer to dkim and spf signatures.  Based on fail or pass, or some
> combination in concert with the sender's email address, they get moved
> into fail or pass folders.
>
> That's it!



Finally we get some details!  :)  This is very simple then:

1. Enable the Shortcircuit plugin in v320.pre

2. Enable these SPF and DKIM rules to be shortcircuit'd in your local.cf:

shortcircuit SPF_PASS on
shortcircuit DKIM_VALID_AU on
score SPF_PASS -100
score DKIM_VALID_AU -100

3. Now you should see the SHORTCIRCUIT rule hit in your logs.  Setup a 
sieve rule to look for those 2 rules above to move them to the pass 
folder.  They will always be ham (score very low) and never be blocked 
by the "glue" even with the default required_score.


P.S. Technically, you could just set the 2 scores and not enable the 
shortcircuit plugin.  The 2 score lines in the local.cf should do what 
you want to do.


--
David Jones


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-19 Thread Alex Woick

Chip wrote on 19.01.2018 at 00:49:
> The end point here is to examine the email headers that specifically
> refer to dkim and spf signatures.  Based on fail or pass, or some
> combination in concert with the sender's email address, they get moved
> into fail or pass folders.

The right thing to do this is not SpamAssassin. Dkim and spf are 
designed to reject mail at mta level that does not pass validation. 
SpamAssassin is meant to only process mail that has not been rejected at 
mta level. Usually, you are able to reject 80 percent and more spam 
right at mta level by using block lists, smtp validation rules, dkim, 
spf and others. You never even accept them, so you don't need to 
classify them, so you don't have to move them to some spam folder, so 
you don't need to manually verify and delete them. It simply doesn't 
reach your system.


If you only want to handle the dkim and spf aspect of mail delivery, 
install a spf policy daemon into your mail server and install a dkim 
milter into your mail server. I can only tell about CentOS with postfix, 
and here I do this:


For spf:
install spf policy daemon:
$ yum install pypolicyd-spf (from epel repository)

called from postfix main.cf (the last line does the spf check)
smtpd_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_recipient_access hash:/etc/postfix/recipient_access,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client b.barracudacentral.org,
  check_policy_service unix:private/policyd-spf

For dkim:
Install opendkim milter:
$ yum install opendkim (from epel repository)

called from postfix main.cf:
smtpd_milters =
  unix:/var/run/opendkim-postfix/sock

I skipped the actual configurations of pypolicyd-spf and opendkim, but I 
can provide it if you are interested.


This is light-weight in comparison to SpamAssassin and they are "install 
and configure once and it works forever" pieces of software, while 
SpamAssassin is something you have to actively maintain to keep it in 
good working shape.


I cannot tell how this could work together with your cpanel, because I 
never used some administration panel. Such panels limit you to do only 
what is provided by the panel. To get more into the system the panel 
supports is painful or not possible - exactly the problem you are 
currently fighting.




Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Exactly!

That is why I want to stick with SA because it does know how to do spf
and dkim checks whereas other systems don't unless we install software
to do that. 

On 01/18/2018 07:31 PM, Alan Hodgson wrote:
> On Thu, 2018-01-18 at 18:49 -0500, Chip wrote:
>> Very well stated.  Bravo!
>>
>> The end point here is to examine the email headers that specifically
>> refer to dkim and spf signatures.  Based on fail or pass, or some
>> combination in concert with the sender's email address, they get moved
>> into fail or pass folders.
>>
>> That's it!
>>
>
> If that's literally all you want to do, then have SpamAssassin score
> every message at +50 with a generic local rule, and whitelist_from_spf
> or whitelist_from_dkim the ones you want to keep. SA knows how to do
> SPF and DKIM.
>
> Then dump anything that passes SA into the pass folder, everything
> else into fail.



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Alan Hodgson
On Thu, 2018-01-18 at 18:49 -0500, Chip wrote:
> Very well stated.  Bravo!
> 
> The end point here is to examine the email headers that specifically
> refer to dkim and spf signatures.  Based on fail or pass, or some
> combination in concert with the sender's email address, they get moved
> into fail or pass folders.
> 
> That's it!
> 

If that's literally all you want to do, then have SpamAssassin score
every message at +50 with a generic local rule, and whitelist_from_spf
or whitelist_from_dkim the ones you want to keep. SA knows how to do
SPF and DKIM.

Then dump anything that passes SA into the pass folder, everything else
into fail.

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Very well stated.  Bravo!

The end point here is to examine the email headers that specifically
refer to dkim and spf signatures.  Based on fail or pass, or some
combination in concert with the sender's email address, they get moved
into fail or pass folders.

That's it!

I know there are other methods for doing this - procmail, mimedefang,
sieve, etc. etc. etc., but I'm somewhat limited in using those because
although they might be intrinsically better for this, they do not play
well with the cpanel/WHM VPS I use and to which I am married because
there are other features of the cpanel/WHM which come into play with
this project, that are attractive and not available in a home-grown smtp
server box.

So using what I have rather than jumping ship and starting from scratch
is preferable.

I have played a bit with the local.cf and see that I can move into
folders depending on the outcome of the examination of the headers.  But
that is with spamassassin still identifying spam, which is unnecessary
in this case as this project will never attract spam - I know that is
hard to believe in, but it won't.

So the method of using SpamAssassin's built-in regex procedures for
examining emails is attractive.




On 01/18/2018 06:24 PM, Alex Woick wrote:
> Chip wrote on 18.01.2018 at 23:43:
>> yes I'm starting to see that.  I may need to build a box specifically
>> suited for this using procmail.  I had hoped that I could stay with
>> the VPS.
>>
>> Nevertheless, I've heard two contradictory pieces of advice here and
>> would like to know which is correct or most-near correct.
>>
>> I'm sure there are instances where both pieces of advice work.
>>
>> someone said change the local.cf to a score of 999 which (I think) means
>> that it will override all other spam detection rules.
>>
>> And then another person suggested to remove all the bundled rules.
> I think it isn't clear what your final goal is. What is the goal you
> want to achieve, what should the result look like?
>
> SpamAssassin is something that is inserted into the flow of mail,
> usually on a mailserver, and does nothing else than read each mail
> that is piped through it and add some headers to each mail. That's it.
> It adds headers that tell how that mail was classified by
> SpamAssassin: spam or not spam.
>
> Then, some process that comes after SpamAssassin is able to read these
> headers and perform some action upon the mail: for example, it could
> move mails to a "junk" folder that were classified as spam and can
> leave other mail alone. If you don't implement such process, no action
> will be done.
>
> How SpamAssassin does the classification is determined by the rules
> that come with it. It will do analysis of headers, analysis of text
> and may consult remote services like spamcop.
>
> Each rule returns a score. A positive score means the rule says this
> is an indication for spam, and a negative score means the rule says
> this is an indication for non-spam (ham). All scores are added, and if
> the value is above 5, SpamAssassin classifies this mail as spam. If it
> is below 5, it classifies the mail not as spam. If you raise this
> threshold to 999, SpamAssassin will simply declare no mail as spam any
> more, because there are probably never enough matching spam rules that
> add up above 999. So doing this is somewhat pointless, and so I get
> back to my initial question: what is the result for your users that
> you want to produce after your project is finished?
>
> If you want SpamAssassin to classify and mark mail but take no action,
> simply fold SpamAssassin into your mail server and let it do the
> classification. Each mail will get the SpamAssassin headers but will
> be delivered as before. But you can examine the classification by
> examining the headers of the mails in your mail reader. If you and
> your users find the classification is fine, you can do the next step
> and implement actions on the classification.
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Alex Woick

Chip wrote on 18.01.2018 at 23:43:
> yes I'm starting to see that.  I may need to build a box specifically
> suited for this using procmail.  I had hoped that I could stay with the VPS.
>
> Nevertheless, I've heard two contradictory pieces of advice here and
> would like to know which is correct or most-near correct.
>
> I'm sure there are instances where both pieces of advice work.
>
> someone said change the local.cf to a score of 999 which (I think) means
> that it will override all other spam detection rules.
>
> And then another person suggested to remove all the bundled rules.

I think it isn't clear what your final goal is. What is the goal you
want to achieve, what should the result look like?


SpamAssassin is something that is inserted into the flow of mail, 
usually on a mailserver, and does nothing else than read each mail that 
is piped through it and add some headers to each mail. That's it. It 
adds headers that tell how that mail was classified by SpamAssassin: 
spam or not spam.


Then, some process that comes after SpamAssassin is able to read these 
headers and perform some action upon the mail: for example, it could 
move mails to a "junk" folder that were classified as spam and can leave 
other mail alone. If you don't implement such process, no action will be 
done.


How SpamAssassin does the classification is determined by the rules that 
come with it. It will do analysis of headers, analysis of text and may 
consult remote services like spamcop.


Each rule returns a score. A positive score means the rule says this is 
an indication for spam, and a negative score means the rule says this is 
an indication for non-spam (ham). All scores are added, and if the value 
is above 5, SpamAssassin classifies this mail as spam. If it is below 5, 
it classifies the mail not as spam. If you raise this threshold to 999, 
SpamAssassin will simply declare no mail as spam any more, because there 
are probably never enough matching spam rules that add up above 999. So 
doing this is somewhat pointless, and so I get back to my initial 
question: what is the result for your users that you want to produce 
after your project is finished?


If you want SpamAssassin to classify and mark mail but take no action,
simply fold SpamAssassin into your mail server and let it do the 
classification. Each mail will get the SpamAssassin headers but will be 
delivered as before. But you can examine the classification by examining 
the headers of the mails in your mail reader. If you and your users find 
the classification is fine, you can do the next step and implement 
actions on the classification.


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Thanks for pointing out Sieve.  I'll look into that.

It's nice in that it acts on the last procedure - or right before
delivery to the mail folder after all the other dirty work has been done.

thanks.

On 01/18/2018 05:55 PM, Larry Rosenman wrote:
> On Thu, Jan 18, 2018 at 05:43:04PM -0500, Chip wrote:
>> yes I'm starting to see that.  I may need to build a box specifically
>> suited for this using procmail.  I had hoped that I could stay with the VPS.
>>
> I'd look at using sieve instead.  Procmail has had some issues and is not
> well maintained.
>
> (My opinion FWIW)



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Larry Rosenman
On Thu, Jan 18, 2018 at 05:43:04PM -0500, Chip wrote:
> yes I'm starting to see that.  I may need to build a box specifically
> suited for this using procmail.  I had hoped that I could stay with the VPS.
> 

I'd look at using sieve instead.  Procmail has had some issues and is not
well maintained.

(My opinion FWIW)
-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
yes I'm starting to see that.  I may need to build a box specifically
suited for this using procmail.  I had hoped that I could stay with the VPS.

Nevertheless, I've heard two contradictory pieces of advice here and
would like to know which is correct or most-near correct.

I'm sure there are instances where both pieces of advice work.

someone said change the local.cf to a score of 999 which (I think) means
that it will override all other spam detection rules.

And then another person suggested to remove all the bundled rules.

This difference of opinion could be attributed to my lack of clarity,
inexperience and what I need.

I don't want detection of spam however, when I look at the rules in
SpamAssassin (regex expressions, for example) for acting on header
information, they are easier to write than procmail or other methods, so
I wanted to stick with spamassassin since I have some basic knowledge of
regex.

If, setting local.cf spam detection to 999 stops the detection of, and
acting on, spam, that would work.

I would simply write some rules for modifying the subject and deal with
the sorting elsewhere.

I will try that unless someone sees this as not working.








On 01/18/2018 05:34 PM, Noel wrote:
> On 1/18/2018 2:09 PM, Chip wrote:
>> Newbie excited to use the features of SpamAssassin for a new project
>> that needs to flag inbound email for sorting into folders  (this can be
>> done via cpanel-level filtering) based on keywords in headers (header
>> search by SA).
>>
>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>
>> I would like to TURN OFF any and all Spam Identification features and
>> only leave behind SpamAssassin's examination of headers and subsequent
>> Subject modification based on keywords in headers (such as keywords in
>> DKIM or SPF, etc)
> Basically all the rules included with SpamAssassin are for spam
> identification, and header modification is based on detecting mail
> as spam.
>
> I think SA is poorly suited for your stated purpose of sorting mail
> by header keywords.
>
> If you really really wanted to use SA for this project, you would
> need to *remove* all the bundled rules and then add your own header
> parsing rules in local.cf, and then SA only knows how to modify the
> subject with a spam tag or not at all.
>
> This seems like more trouble than it's worth for an end product that
> doesn't suit your needs very well.  There are other established ways
> to sort mail with userland imap filters, procmail, sieve, etc.
>
>
> Good luck.
>
>
>
>
>   -- Noel Jones
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Noel
On 1/18/2018 2:09 PM, Chip wrote:
> Newbie excited to use the features of SpamAssassin for a new project
> that needs to flag inbound email for sorting into folders  (this can be
> done via cpanel-level filtering) based on keywords in headers (header
> search by SA).
>
> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>
> I would like to TURN OFF any and all Spam Identification features and
> only leave behind SpamAssassin's examination of headers and subsequent
> Subject modification based on keywords in headers (such as keywords in
> DKIM or SPF, etc)

Basically all the rules included with SpamAssassin are for spam
identification, and header modification is based on detecting mail
as spam.

I think SA is poorly suited for your stated purpose of sorting mail
by header keywords.

If you really really wanted to use SA for this project, you would
need to *remove* all the bundled rules and then add your own header
parsing rules in local.cf, and then SA only knows how to modify the
subject with a spam tag or not at all.

This seems like more trouble than it's worth for an end product that
doesn't suit your needs very well.  There are other established ways
to sort mail with userland imap filters, procmail, sieve, etc.


Good luck.




  -- Noel Jones


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Yes I read the basic configuration.

Did you read my initial request in which I said I was a newbie?

Reading the "basic configuration" has no bearing on the other parts of
my inquiry.  Perhaps you didn't read that as well?

Where I said this was a VPS with several domains?  And that there were
many, many files contributing to the SpamAssassin rules functions and
operation?

Did you read that?

The basic configuration is just that - basic.  I have no idea based on
the numerous rules set discovered if the basic configuration will play
nicely with a VPS with many domains and user preferences.

I would prefer that you do not respond to my inquiries any longer as I
consider you to be somewhat of a harasser.

Please just exit the virtual door and stay away from my inbox.

Thank you.


On 01/18/2018 05:20 PM, Reindl Harald wrote:
>
>
> Am 18.01.2018 um 23:17 schrieb Chip:
>> Thank you, Sir.
>>
>> So in my local.cf there is a commented-out rule as follows:
>>
>> #   Set the threshold at which a message is considered spam (default:
>> 5.0)
>> #
>> # required_score 5.0
>>
>> setting that required to 999 will override the standard rules system
>> wide?
>
> it will set the value "required_score" from 5 to 999
>
> did you even read that:
> https://wiki.apache.org/spamassassin/BasicConfiguration
>
>> On 01/18/2018 05:11 PM, David Jones wrote:
>>> On 01/18/2018 04:00 PM, Chip wrote:
>>>> Find this tidbit of information how to find the rules that are loaded
>>>> with spam assassin:
>>>>
>>>> spamassassin --lint -D 2>&1 | grep 'config: read file'
>>>>
>>>> I see many, many lines of files.
>>>>
>>>> I don't see myself going into all those files and replacing a score of
>>>> whatever with a 999 or 0.
>>>>
>>>> There must be a simpler solution to turning off rules than
>>>> individually
>>>> editing each ruleset.
>>>>
>>>
>>> You can easily grep and sed the output of the lint command above to
>>> generate "score RULE 0.0" and append it to the local.cf.  But I am
>>> pretty sure this is not what you are wanting to do as it wouldn't be
>>> very useful.
>>>
>>>> And in the local.cf there are NO rules.
>>>>
>>>> So I'm back to zero here.
>>>
>>> What specifically are you trying to do? You may want to leave all
>>> rules active and simply add some new custom rules to local.cf for your
>>> custom needs.
>>>
>>> If you don't want to block anything and just want to collect as much
>>> spam and ham as possible, then set the "required_score 999" in your
>>> local.cf
>
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Thank you, Sir.

So in my local.cf there is a commented-out rule as follows:

#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

setting that required to 999 will override the standard rules system wide?

On 01/18/2018 05:11 PM, David Jones wrote:
> On 01/18/2018 04:00 PM, Chip wrote:
>> Find this tidbit of information how to find the rules that are loaded
>> with spam assassin:
>>
>> spamassassin --lint -D 2>&1 | grep 'config: read file'
>>
>> I see many, many lines of files.
>>
>> I don't see myself going into all those files and replacing a score of
>> whatever with a 999 or 0.
>>
>> There must be a simpler solution to turning off rules than individually
>> editing each ruleset.
>>
>
> You can easily grep and sed the output of the lint command above to
> generate "score RULE 0.0" and append it to the local.cf.  But I am
> pretty sure this is not what you are wanting to do as it wouldn't be
> very useful.
>
>> And in the local.cf there are NO rules.
>>
>> So I'm back to zero here.
>
> What specifically are you trying to do? You may want to leave all
> rules active and simply add some new custom rules to local.cf for your
> custom needs.
>
> If you don't want to block anything and just want to collect as much
> spam and ham as possible, then set the "required_score 999" in your
> local.cf.
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
How better to figure other than asking here?

Ummm.  Isn't that what this mailing list is about?

People helping others?

I guess I'm at the wrong place.

I'm not asking someone to do my work for me.

I'm asking for some advice from people who know more than me without
them getting sarcastic or insinuating that I'm lazy.

I'm pretty sure there are a number of people on this list who CAN answer
a simple question about turning off filtering and perhaps give some
cogent advice.

How would you suggest I "need to figure out basically how spamassassin
works?"

Go out and read books?  Hire someone?  Search the internet?  Google?

I thought I came to the place where people with more experience than
myself could offer up some sage advice without being sarcastic or
insinuating that I am lazy.

I don't need "experts" to lead me down a dark road and abandon me and
then tell me I'm lost.

So if you can't simply offer some honest, good, informative advice then
please buzz off.

On 01/18/2018 05:07 PM, Reindl Harald wrote:
>
>
> Am 18.01.2018 um 23:00 schrieb Chip:
>> Find this tidbit of information how to find the rules that are loaded
>> with spam assassin:
>>
>> spamassassin --lint -D 2>&1 | grep 'config: read file'
>>
>> I see many, many lines of files.
>>
>> I don't see myself going into all those files and replacing a score of
>> whatever with a 999 or 0.
>>
>> There must be a simpler solution to turning off rules than individually
>> editing each ruleset.
>>
>> And in the local.cf there are NO rules.
>>
>> So I'm back to zero here
>
> "local.cf" is not supposed to contain anything - it's *your* local
> configuration for overrides - you really need to figure out basically
> how spamassassin works not just "i am at zero, do the work of reading
> manpages and google around how i set it up" outsourced to a mailing list
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread David Jones

On 01/18/2018 04:00 PM, Chip wrote:
> Find this tidbit of information how to find the rules that are loaded
> with spam assassin:
>
> spamassassin --lint -D 2>&1 | grep 'config: read file'
>
> I see many, many lines of files.
>
> I don't see myself going into all those files and replacing a score of
> whatever with a 999 or 0.
>
> There must be a simpler solution to turning off rules than individually
> editing each ruleset.

You can easily grep and sed the output of the lint command above to
generate "score RULE 0.0" and append it to the local.cf.  But I am
pretty sure this is not what you are wanting to do as it wouldn't be
very useful.

> And in the local.cf there are NO rules.
>
> So I'm back to zero here.

What specifically are you trying to do? You may want to leave all rules
active and simply add some new custom rules to local.cf for your custom
needs.

If you don't want to block anything and just want to collect as much
spam and ham as possible, then set the "required_score 999" in your
local.cf.


--
David Jones
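
The grep-and-sed approach suggested above, sketched as an added example (not part of the original post): it turns the rule files reported by `spamassassin --lint -D` into `score RULE 0` lines. The function names and all sample data are constructed; only the `config: read file` marker comes from the thread, and the rest of the debug line layout is an assumption.

```shell
#!/bin/sh
# Added example: build "score RULE 0" overrides from SpamAssassin rule files.
# All sample data below is constructed for illustration.

# Extract file paths from `spamassassin --lint -D 2>&1` debug output (stdin).
config_files() {
  sed -n 's/^.*config: read file //p'
}

# Read rule-file text on stdin and print one "score NAME 0" line per rule.
# Only the common rule-defining keywords are matched, so describe/score
# lines are ignored, and rule types defined by plugins are not covered.
# Names starting with "__" are unscored sub-rules; they are skipped because
# the name pattern requires a leading letter.
gen_zero_scores() {
  awk '
    $1 ~ /^(header|body|rawbody|uri|full|meta)$/ &&
    $2 ~ /^[A-Za-z][A-Za-z0-9_]*$/ {
      if (!seen[$2]++) print "score " $2 " 0"
    }'
}

# Constructed debug output; the timestamp/pid layout is an assumption.
sample_debug_output() {
cat <<'EOF'
Jan 18 17:00:01.101 [4321] dbg: config: read file /etc/mail/spamassassin/local.cf
Jan 18 17:00:01.102 [4321] dbg: config: using "/etc/mail/spamassassin" for site rules dir
Jan 18 17:00:01.140 [4321] dbg: config: read file /var/lib/spamassassin/example/20_head_tests.cf
EOF
}

# Constructed rule-file excerpt, including a duplicate and a sub-rule.
sample_rules() {
cat <<'EOF'
# constructed rule-file excerpt
header   MISSING_DATE    Date =~ /^UNSET$/ [if-unset: UNSET]
describe MISSING_DATE    Missing Date: header
score    MISSING_DATE    1.4
body     __HAS_HTML_TAG  /<html>/i
meta     HTML_ONLY       __HAS_HTML_TAG && !MISSING_DATE
ifplugin Mail::SpamAssassin::Plugin::SPF
  header SPF_PASS        eval:check_for_spf_pass()
endif
header   MISSING_DATE    Date =~ /^UNSET$/ [if-unset: UNSET]
EOF
}

# On a real host the pieces chain like this (review the result before
# appending it to local.cf):
#   spamassassin --lint -D 2>&1 | config_files | xargs cat | gen_zero_scores
sample_debug_output | config_files
sample_rules | gen_zero_scores
```

Note that the generated list zeroes SPF_PASS along with everything else, so a blanket override also switches off the SPF and DKIM rule hits the original question wanted to keep.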


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Find this tidbit of information how to find the rules that are loaded
with spam assassin:

spamassassin --lint -D 2>&1 | grep 'config: read file'

I see many, many lines of files.

I don't see myself going into all those files and replacing a score of
whatever with a 999 or 0.

There must be a simpler solution to turning off rules than individually
editing each ruleset.

And in the local.cf there are NO rules.

So I'm back to zero here.

On 01/18/2018 04:08 PM, David Jones wrote:
> On 01/18/2018 03:01 PM, Chip wrote:
>> Thank you Shanew for the suggestion.
>>
>> I'm tied to a Cpanel/WHM VPS which can't be changed.  Given that there
>> are some restrictions such as the use of Exim.  Exim apparently does not
>> play nice with mimedefang and only partially nice with procmail - at
>> least as I've tested it.  I would actually prefer to use procmail, but
>> it is a bit of heavy lifting to learn.
>>
>> The good part of Cpanel/WHM is that it has filters easily employed on a
>> per email account basis that triggers off the subject line for
>> allocating the email to specific folders.  I just need a way to change
>> the subject via SA based on what SA finds in the headers.
>>
>> SA does change the subject (I know, I know, changing the content of an
>> email is considered a no-no but in this case we are not talking about
>> legalities).  In this specific use it's just for internal sorting of
>> email into specific folders as appropriate based on a subject line that
>> SA will create based on its examination of the headers, and the sorting
>> happens on a per account basis by /etc/vfilters created by Cpanel/WHM in
>> an easy-to-use gui interface.
>>
>>
>
> Keep in mind that changing the Subject will break DKIM checks on any
> downstream mail filters but if your SA instance is the "last stop"
> then it won't be a problem.
>
>>
>> On 01/18/2018 03:51 PM, sha...@shanew.net wrote:
>>> I can't help but think that you'd be better off using something like
>>> procmail, maildrop (part of Courier), or sieve if what you want is
>>> sorting without all the overhead of checking for spam.
>>>
>>> But maybe I'm not understanding what you want to accomplish...
>>>
>>> On Thu, 18 Jan 2018, Chip wrote:
>>>
>>>> Newbie excited to use the features of SpamAssassin for a new project
>>>> that needs to flag inbound email for sorting into folders  (this
>>>> can be
>>>> done via cpanel-level filtering) based on keywords in headers (header
>>>> search by SA).
>>>>
>>>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>>>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>>>
>>>> I would like to TURN OFF any and all Spam Identification features and
>>>> only leave behind SpamAssassin's examination of headers and subsequent
>>>> Subject modification based on keywords in headers (such as keywords in
>>>> DKIM or SPF, etc)
>>>>
>>>> 1) Can this be done, and;
>>>>
>>>> 2) What tweaks need to be made to SA in its configuration files to
>>>> make
>>>> it happen, and;
>>>>
>>>> 3) what else is recommended here.
>>>>
>>>> Thank you.
>>>>
>>>
>>
>
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Looking in my setup I see local.cf attached to many virtfs as in:

/home/virtfs/domain-name/etc/mail/spamassassin/local.cf

as well as in:

/etc/mail/spamassassin/local.cf

When I open these files there are very few rules so can't really see
what I must change here?

This is a VPS with about 10 domains.



On 01/18/2018 04:08 PM, David Jones wrote:
> On 01/18/2018 03:01 PM, Chip wrote:
>> Thank you Shanew for the suggestion.
>>
>> I'm tied to a Cpanel/WHM VPS which can't be changed.  Given that there
>> are some restrictions such as the use of Exim.  Exim apparently does not
>> play nice with mimedefang and only partially nice with procmail - at
>> least as I've tested it.  I would actually prefer to use procmail, but
>> it is a bit of heavy lifting to learn.
>>
>> The good part of Cpanel/WHM is that it has filters easily employed on a
>> per email account basis that triggers off the subject line for
>> allocating the email to specific folders.  I just need a way to change
>> the subject via SA based on what SA finds in the headers.
>>
>> SA does change the subject (I know, I know, changing the content of an
>> email is considered a no-no but in this case we are not talking about
>> legalities).  In this specific use it's just for internal sorting of
>> email into specific folders as appropriate based on a subject line that
>> SA will create based on its examination of the headers, and the sorting
>> happens on a per account basis by /etc/vfilters created by Cpanel/WHM in
>> an easy-to-use gui interface.
>>
>>
>
> Keep in mind that changing the Subject will break DKIM checks on any
> downstream mail filters but if your SA instance is the "last stop"
> then it won't be a problem.
>
>>
>> On 01/18/2018 03:51 PM, sha...@shanew.net wrote:
>>> I can't help but think that you'd be better off using something like
>>> procmail, maildrop (part of Courier), or sieve if what you want is
>>> sorting without all the overhead of checking for spam.
>>>
>>> But maybe I'm not understanding what you want to accomplish...
>>>
>>> On Thu, 18 Jan 2018, Chip wrote:
>>>
>>>> Newbie excited to use the features of SpamAssassin for a new project
>>>> that needs to flag inbound email for sorting into folders  (this
>>>> can be
>>>> done via cpanel-level filtering) based on keywords in headers (header
>>>> search by SA).
>>>>
>>>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>>>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>>>
>>>> I would like to TURN OFF any and all Spam Identification features and
>>>> only leave behind SpamAssassin's examination of headers and subsequent
>>>> Subject modification based on keywords in headers (such as keywords in
>>>> DKIM or SPF, etc)
>>>>
>>>> 1) Can this be done, and;
>>>>
>>>> 2) What tweaks need to be made to SA in its configuration files to
>>>> make
>>>> it happen, and;
>>>>
>>>> 3) what else is recommended here.
>>>>
>>>> Thank you.
>>>>
>>>
>>
>
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread David Jones

On 01/18/2018 03:01 PM, Chip wrote:
> Thank you Shanew for the suggestion.
>
> I'm tied to a Cpanel/WHM VPS which can't be changed.  Given that there
> are some restrictions such as the use of Exim.  Exim apparently does not
> play nice with mimedefang and only partially nice with procmail - at
> least as I've tested it.  I would actually prefer to use procmail, but
> it is a bit of heavy lifting to learn.
>
> The good part of Cpanel/WHM is that it has filters easily employed on a
> per email account basis that triggers off the subject line for
> allocating the email to specific folders.  I just need a way to change
> the subject via SA based on what SA finds in the headers.
>
> SA does change the subject (I know, I know, changing the content of an
> email is considered a no-no but in this case we are not talking about
> legalities).  In this specific use it's just for internal sorting of
> email into specific folders as appropriate based on a subject line that
> SA will create based on its examination of the headers, and the sorting
> happens on a per account basis by /etc/vfilters created by Cpanel/WHM in
> an easy-to-use gui interface.

Keep in mind that changing the Subject will break DKIM checks on any
downstream mail filters but if your SA instance is the "last stop" then
it won't be a problem.

> On 01/18/2018 03:51 PM, sha...@shanew.net wrote:
>> I can't help but think that you'd be better off using something like
>> procmail, maildrop (part of Courier), or sieve if what you want is
>> sorting without all the overhead of checking for spam.
>>
>> But maybe I'm not understanding what you want to accomplish...
>>
>> On Thu, 18 Jan 2018, Chip wrote:
>>
>>> Newbie excited to use the features of SpamAssassin for a new project
>>> that needs to flag inbound email for sorting into folders  (this can be
>>> done via cpanel-level filtering) based on keywords in headers (header
>>> search by SA).
>>>
>>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>>
>>> I would like to TURN OFF any and all Spam Identification features and
>>> only leave behind SpamAssassin's examination of headers and subsequent
>>> Subject modification based on keywords in headers (such as keywords in
>>> DKIM or SPF, etc)
>>>
>>> 1) Can this be done, and;
>>>
>>> 2) What tweaks need to be made to SA in its configuration files to make
>>> it happen, and;
>>>
>>> 3) what else is recommended here.
>>>
>>> Thank you.








--
David Jones


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
Thank you Shanew for the suggestion.

I'm tied to a Cpanel/WHM VPS which can't be changed.  Given that there
are some restrictions such as the use of Exim.  Exim apparently does not
play nice with mimedefang and only partially nice with procmail - at
least as I've tested it.  I would actually prefer to use procmail, but
it is a bit of heavy lifting to learn.

The good part of Cpanel/WHM is that it has filters easily employed on a
per email account basis that triggers off the subject line for
allocating the email to specific folders.  I just need a way to change
the subject via SA based on what SA finds in the headers. 

SA does change the subject (I know, I know, changing the content of an
email is considered a no-no but in this case we are not talking about
legalities).  In this specific use it's just for internal sorting of
email into specific folders as appropriate based on a subject line that
SA will create based on its examination of the headers, and the sorting
happens on a per account basis by /etc/vfilters created by Cpanel/WHM in
an easy-to-use gui interface.



On 01/18/2018 03:51 PM, sha...@shanew.net wrote:
> I can't help but think that you'd be better off using something like
> procmail, maildrop (part of Courier), or sieve if what you want is
> sorting without all the overhead of checking for spam.
>
> But maybe I'm not understanding what you want to accomplish...
>
> On Thu, 18 Jan 2018, Chip wrote:
>
>> Newbie excited to use the features of SpamAssassin for a new project
>> that needs to flag inbound email for sorting into folders  (this can be
>> done via cpanel-level filtering) based on keywords in headers (header
>> search by SA).
>>
>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>
>> I would like to TURN OFF any and all Spam Identification features and
>> only leave behind SpamAssassin's examination of headers and subsequent
>> Subject modification based on keywords in headers (such as keywords in
>> DKIM or SPF, etc)
>>
>> 1) Can this be done, and;
>>
>> 2) What tweaks need to be made to SA in its configuration files to make
>> it happen, and;
>>
>> 3) what else is recommended here.
>>
>> Thank you.
>>
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread shanew

I can't help but think that you'd be better off using something like
procmail, maildrop (part of Courier), or sieve if what you want is
sorting without all the overhead of checking for spam.

But maybe I'm not understanding what you want to accomplish...

On Thu, 18 Jan 2018, Chip wrote:


> Newbie excited to use the features of SpamAssassin for a new project
> that needs to flag inbound email for sorting into folders  (this can be
> done via cpanel-level filtering) based on keywords in headers (header
> search by SA).
>
> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>
> I would like to TURN OFF any and all Spam Identification features and
> only leave behind SpamAssassin's examination of headers and subsequent
> Subject modification based on keywords in headers (such as keywords in
> DKIM or SPF, etc)
>
> 1) Can this be done, and;
>
> 2) What tweaks need to be made to SA in its configuration files to make
> it happen, and;
>
> 3) what else is recommended here.
>
> Thank you.



--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread David Jones

On 01/18/2018 02:33 PM, Chip wrote:
> That sounds doable.  If I score everything 0 or 999 will things be
> overwritten in local.cf on update or elsewhere?

The local.cf is yours to update and does not get touched by upgrades or
ruleset updates.

> What you are suggesting sounds like a reasonable course of action.

Sounds like you need to play with SA for a bit to understand how it
works then setup MDA rules to sort into folders.

Keep in mind, SA doesn't actually block anything.  It just creates a
score and whatever calls SA (known as the glue often on this mailing
list) is responsible for taking action based on that score or rule hits.

What is your glue?  amavisd?  That's where you need to start and then do
some reading on the documentation for that glue.  All of them will have
a score required for blocking that usually takes the SA default of 5.0
or maybe 6.0 like MailScanner.  If you set that required score to 999
then nothing will be blocked by the glue to let everything in for sorting.

> On 01/18/2018 03:29 PM, David Jones wrote:
>> On 01/18/2018 02:09 PM, Chip wrote:
>>> Newbie excited to use the features of SpamAssassin for a new project
>>> that needs to flag inbound email for sorting into folders  (this can be
>>> done via cpanel-level filtering) based on keywords in headers (header
>>> search by SA).
>>>
>>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>>
>>> I would like to TURN OFF any and all Spam Identification features and
>>> only leave behind SpamAssassin's examination of headers and subsequent
>>> Subject modification based on keywords in headers (such as keywords in
>>> DKIM or SPF, etc)
>>>
>>> 1) Can this be done, and;
>>>
>>> 2) What tweaks need to be made to SA in its configuration files to make
>>> it happen, and;
>>>
>>> 3) what else is recommended here.
>>>
>>> Thank you.
>>
>> Not exactly sure what you want to disable but setting a score of 0
>> will disable a rule.  You may need to gather up a list of all rules
>> and score most of them 0 in your local.cf.
>>
>> You might just set the required score to 999 in whatever is launching
>> spamassassin so it doesn't block anything.  Then have MDA (Dovecot
>> sieve) rules to sort into folders based on hits in the X-Spam-Status
>> header.
>>
>> I do something similar for my spamassassin masscheck box where I
>> intentionally let down my defenses at the MTA not using any RBLs and
>> then sort messages into a Ham or Spam folder based on score and rule
>> hits.





--
David Jones


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Chip
That sounds doable.  If I score everything 0 or 999 will things be
overwritten in local.cf on update or elsewhere?

What you are suggesting sounds like a reasonable course of action.

On 01/18/2018 03:29 PM, David Jones wrote:
> On 01/18/2018 02:09 PM, Chip wrote:
>> Newbie excited to use the features of SpamAssassin for a new project
>> that needs to flag inbound email for sorting into folders  (this can be
>> done via cpanel-level filtering) based on keywords in headers (header
>> search by SA).
>>
>> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
>> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>>
>> I would like to TURN OFF any and all Spam Identification features and
>> only leave behind SpamAssassin's examination of headers and subsequent
>> Subject modification based on keywords in headers (such as keywords in
>> DKIM or SPF, etc)
>>
>> 1) Can this be done, and;
>>
>> 2) What tweaks need to be made to SA in its configuration files to make
>> it happen, and;
>>
>> 3) what else is recommended here.
>>
>> Thank you.
>>
>
> Not exactly sure what you want to disable but setting a score of 0
> will disable a rule.  You may need to gather up a list of all rules
> and score most of them 0 in your local.cf.
>
> You might just set the required score to 999 in whatever is launching
> spamassassin so it doesn't block anything.  Then have MDA (Dovecot
> sieve) rules to sort into folders based on hits in the X-Spam-Status
> header.
>
> I do something similar for my spamassassin masscheck box where I
> intentionally let down my defenses at the MTA not using any RBLs and
> then sort messages into a Ham or Spam folder based on score and rule
> hits.
>



Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread David Jones

On 01/18/2018 02:09 PM, Chip wrote:
> Newbie excited to use the features of SpamAssassin for a new project
> that needs to flag inbound email for sorting into folders  (this can be
> done via cpanel-level filtering) based on keywords in headers (header
> search by SA).
>
> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and
> SpamAssassin version 3.4.1 running on Perl version 5.10.1.
>
> I would like to TURN OFF any and all Spam Identification features and
> only leave behind SpamAssassin's examination of headers and subsequent
> Subject modification based on keywords in headers (such as keywords in
> DKIM or SPF, etc)
>
> 1) Can this be done, and;
>
> 2) What tweaks need to be made to SA in its configuration files to make
> it happen, and;
>
> 3) what else is recommended here.
>
> Thank you.



Not exactly sure what you want to disable but setting a score of 0 will 
disable a rule.  You may need to gather up a list of all rules and score 
most of them 0 in your local.cf.


You might just set the required score to 999 in whatever is launching 
spamassassin so it doesn't block anything.  Then have MDA (Dovecot 
sieve) rules to sort into folders based on hits in the X-Spam-Status header.


I do something similar for my spamassassin masscheck box where I 
intentionally let down my defenses at the MTA not using any RBLs and 
then sort messages into a Ham or Spam folder based on score and rule hits.


--
David Jones
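
Sorting on rule hits in X-Spam-Status, as suggested above, sketched as an added example (not part of the original post). It uses plain shell and awk in place of the Dovecot sieve rules the post mentions; the folder names, the pass/fail policy and the sample messages are constructed, while DKIM_SIGNED, DKIM_VALID, SPF_PASS and SPF_FAIL are SpamAssassin's stock rule names.

```shell
#!/bin/sh
# Added example: choose a folder from the rule hits in X-Spam-Status.
# Folder names and the pass/fail policy are hypothetical.

# Print the tests= list from the X-Spam-Status header of a message on stdin.
# Only the header block is read; if the header repeats, the last one wins.
spam_status_tests() {
  awk '
    /^\r?$/ { exit }                            # blank line ends the headers
    /^[ \t]/ { if (inhdr) val = val $0; next }  # folded continuation line
    { inhdr = 0 }
    tolower($0) ~ /^x-spam-status:/ { inhdr = 1; val = $0 }
    END {
      gsub(/\r/, "", val)
      gsub(/,[ \t]+/, ",", val)                 # rejoin a list folded after a comma
      if (match(val, /tests=[^ \t]*/))
        print substr(val, RSTART + 6, RLENGTH - 6)
    }'
}

# has_test LIST NAME: succeed if NAME is an exact member of the comma list.
has_test() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# Read a message on stdin and print the folder it should be filed in.
folder_for() {
  tests=$(spam_status_tests)
  if [ -z "$tests" ]; then echo "unscanned"; return; fi
  if has_test "$tests" SPF_FAIL; then echo "auth-fail"; return; fi
  # A signature that is present but did not verify counts as a failure.
  if has_test "$tests" DKIM_SIGNED && ! has_test "$tests" DKIM_VALID; then
    echo "auth-fail"; return
  fi
  if has_test "$tests" DKIM_VALID || has_test "$tests" SPF_PASS; then
    echo "auth-pass"; return
  fi
  echo "auth-none"
}

# Constructed sample messages (required=999.0 as discussed in the thread).
sample_pass() {
cat <<'EOF'
From: alice@example.org
Subject: constructed test message
X-Spam-Status: No, score=-0.2 required=999.0 tests=DKIM_SIGNED,DKIM_VALID,
 SPF_PASS autolearn=no version=3.4.1

body text
EOF
}
sample_spf_fail() {
cat <<'EOF'
From: mallory@example.com
X-Spam-Status: No, score=3.1 required=999.0 tests=SPF_FAIL autolearn=no

body text
EOF
}
sample_bad_dkim() {
cat <<'EOF'
From: carol@example.org
X-Spam-Status: No, score=0.1 required=999.0 tests=DKIM_SIGNED,SPF_PASS

body text
EOF
}
sample_unscanned() {
cat <<'EOF'
From: bob@example.net
Subject: constructed, never scanned

X-Spam-Status: No, tests=DKIM_VALID (this line is body text, not a header)
EOF
}

for m in sample_pass sample_spf_fail sample_bad_dkim sample_unscanned; do
  printf '%s -> %s\n' "$m" "$("$m" | folder_for)"
done
```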