Re: clamav-unofficial-sigs not helping in a spam flood
On 26.03.2016 at 18:19, Yves Goergen wrote:
> Thank you, Bill, for the extensive reply. There are some points in it which I could try, like the greeting delay on port 25. It seems I should really invest in blocking certain attachment types (executables and useless files) and finding a way to teach Bayes from messages. I'm using Maildir so I might find a Junk folder and use that. But that requires that it's maintained properly. If messages are in the wrong category of Maildir folder they might mess it up again... I could do this for my own IMAP account, but other users often just delete spam into the Trash, together with everything else they don't need anymore.

hence set up a site-wide Bayes trained only by you

per-user Bayes most times makes no sense because it requires that *each user* properly trains a few hundred spam *and* ham to get it enabled at all, which won't happen, and when it happens it is most times in abused ways, like marking messages as spam instead of hitting unsubscribe

out of some hundred users here I would only trust 3 of them, and that not unconditionally, by experience of ham samples dragged into the spam folder and, after a phone call, "seriously?" -> "oh, it was a mistake"

however, a spam filter completely without Bayes is a joke
Re: clamav-unofficial-sigs not helping in a spam flood
Thank you, Bill, for the extensive reply. There are some points in it which I could try, like the greeting delay on port 25. It seems I should really invest in blocking certain attachment types (executables and useless files) and finding a way to teach Bayes from messages. I'm using Maildir so I might find a Junk folder and use that. But that requires that it's maintained properly. If messages are in the wrong category of Maildir folder they might mess it up again... I could do this for my own IMAP account, but other users often just delete spam into the Trash, together with everything else they don't need anymore.

Yves Goergen
http://unclassified.software

From: Bill Cole
Sent: Sat, 2016-03-26 05:56 +0100
Re: clamav-unofficial-sigs not helping in a spam flood
On 26.03.2016 at 05:56, Bill Cole wrote:
> That implies that you are probably underutilizing spam-control measures in your MTA. I manage a diverse set of mail systems running multiple MTAs and in all cases the most effective anti-spam measure against ALL spam is delaying the initial greeting banner, which is a mandatory option for a MTA to be fit for use exposed to the modern Internet. Later in the message you say you use Exim, which I believe has such a feature, but I am not sure of that. The ideal delay to use is a matter of debate because apparently the subtleties of how the delay is done matters, but 5 seconds is usually a reasonable delay to catch most spambots and you don't start to really impair valid mail due to delays until you go above 15s

5 is too short - for completely broken but non-spam clients it's anyway too long (there is an idiot company in Austria selling sender verification software to their customers which does pre-greeting after 0.3 seconds and then pretends the sender doesn't exist)

in January 2015 we had a week or so with 25 attempts per day, and by raising the value the RBL rejects dropped down by 80% and changed to "HANGUP"

[root@mail-gw:~]$ grep -c "HANGUP after" maillog
223033
[root@mail-gw:~]$ grep -c "HANGUP after 9" maillog
982
[root@mail-gw:~]$ grep -c "HANGUP after 10" maillog
13167
[root@mail-gw:~]$ grep -c "HANGUP after 11" maillog
54190
Re: clamav-unofficial-sigs not helping in a spam flood
On 24 Mar 2016, at 13:50, Yves Goergen wrote:
> Hello, I'm getting more and more spam every day and SpamAssassin can't handle it. Most of it looks very similar but it isn't filtered out.

Have you tried creating local rules for it? I can't share the rules I've created for *some* of these families of malware-connected spam, but because the worst of them (spreading ransomware) are produced programmatically in bulk, they have very strong similarities that make multiline 'rawbody' rules helpful as well as case-sensitive header checks looking for idiosyncratic combinations of uncommon minor details. That's vague on purpose because: spammers are known to change behavior based on posts here and on other, even notionally "private", anti-spam lists; these particular spam genera have morphed over time and so need to be treated as moving targets with regular rule adjustments and additions; and the specific best rulesets I've created for these were done in an environment where they are legally not mine to share, especially in a place where I know spammers look for ways to evade filters, making those rules obsolete faster.

I can't speak to the ClamAV issue because I don't use the extra sigs and have come to expect very little of ClamAV. Maybe ask on a ClamAV list?

> What other solutions are there to improve the detection rate of SpamAssassin? My current spam-to-useful ratio in some mailboxes is somewhere around 10:1.

That implies that you are probably underutilizing spam-control measures in your MTA. I manage a diverse set of mail systems running multiple MTAs and in all cases the most effective anti-spam measure against ALL spam is delaying the initial greeting banner, which is a mandatory option for an MTA to be fit for use exposed to the modern Internet. Later in the message you say you use Exim, which I believe has such a feature, but I am not sure of that. The ideal delay to use is a matter of debate because apparently the subtleties of how the delay is done matter, but 5 seconds is usually a reasonable delay to catch most spambots and you don't start to really impair valid mail due to delays until you go above 15s.

Close behind a greeting delay, the use of high-accuracy DNSBLs is indispensable: I use Spamhaus Zen (as well as their DROP+EDROP lists in the network layer to simply never see the listed nets), ix.dnsbl.manitu.net, and psbl.surriel.com. Note that you CANNOT safely use many of these in the same ways on outbound mail submitted by your own users and inbound mail for local delivery. The same is true of many of the following measures as well. If you are not strictly segregating initial submission to a suitably configured port 587 MSA for authenticated users so that port 25 SMTP is only inbound mail from relative strangers, your spam control will be harder to do safely or well. Your own authenticated users MIGHT send spam, but some of the tactics that work best before letting SpamAssassin see a message are essentially detection of machines that *should* only be sending mail through an authenticating MSA, not directly to a remote MTA unfamiliar with them.

I'm not entirely familiar with the other options Exim offers for rejecting spam, but right behind the banner delay and DNSBLs for me are refusing mail from hosts that HELO/EHLO badly. Systems differ in what they can do in that area, but where I use this most aggressively (Postfix systems) I reject mail from hosts that HELO in strictly invalid ways or that use idiosyncratically wrong or spammer-associated ways: remote systems claiming one of my names or IP addresses, using a .local name and most unqualified names (with a whitelist for special cases), IP literals, a variety of valid names whose owners have said no machine anywhere would ever HELO with the name (e.g. "mail.com"), and various "generic address" patterns where the hostname is derived from the client IP.

Behind that, rejecting mail from sending IPs with no PTR records is almost entirely safe on the modern net, and it is even getting safer (as more people use it) to require the PTR names to resolve back to the IP of the client machine. On systems where I can, I only check for an existing PTR, but on systems where only the stronger check is available, the rejections of valid mail have been declining over the last few years and the legit systems who keep that problem for more than a few days are quite rare.

As a result, the mail systems I run reject mail at RCPT time and in some cases at connect time from 50-90% of all of their SMTP connections. So only 10-50% of potential mail is even seen by SpamAssassin or any other message content filter. This makes it feasible to do more expensive filtering in SA (such as AWL or TxRep, Bayes, complex local rules, and URIBLs) because SA is spared from seeing the bulk of the worst stuff.

> That's close to the point of abandoning e-mail and reverting to telephone and snailmail.
Re: clamav-unofficial-sigs not helping in a spam flood
Yves,

> I'm getting more and more spam every day and SpamAssassin can't handle
> it. Most of it looks very similar but it isn't filtered out.

Is your version of SA recent enough?

> I've set up clamav-unofficial-sigs recently by installing the Ubuntu

Even if it may pick up some spam, clamav, official or not, primarily targets viruses, not spam. Don't blame it for not doing what it is not supposed to do.

> Does grey-listing still work today? Is there an easy way to enable it in
> either SpamAssassin or Exim? I don't want to fiddle around with
> databases and such for days in a running system.

Greylisting is definitely a very powerful tool if you (and your users) accept that a mail may take one hour to be delivered (which is nothing unexpected given the way the SMTP protocol is designed). Greylisting must be installed at the MTA (exim) level, to refuse the mail when the other end tries to connect first. But as I use postfix, I am not sure how it is being done with exim.

Best regards,

Olivier
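The greylisting mechanism Olivier refers to, as an added worked example (editor's illustration; not Olivier's code and not the implementation of any MTA or policy daemon). The triplet key, the 5-minute minimum retry delay, the 36-day pass lifetime and the /24 aggregation are assumptions chosen to resemble common greylisting daemons; the timestamps and addresses in `demo()` are constructed:

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Triplet = Tuple[str, str, str]  # (client /24, envelope sender, envelope recipient)


@dataclass
class Greylist:
    """Greylisting state for an MTA policy hook (constructed example, not any MTA's code).

    The first delivery attempt for an unknown triplet is answered with a temporary
    failure; a real MTA retries later and is then accepted, and the triplet is
    remembered so later mail from the same pair is not delayed again. Spambots
    that fire and forget never come back, so they never get in.
    """
    min_delay: float = 300.0            # seconds a retry must wait before it is accepted
    pending_ttl: float = 4 * 3600.0     # forget first attempts that were never retried
    pass_ttl: float = 36 * 24 * 3600.0  # how long an accepted triplet stays whitelisted
    pending: Dict[Triplet, float] = field(default_factory=dict)
    passed: Dict[Triplet, float] = field(default_factory=dict)

    @staticmethod
    def key(client_ip: str, sender: str, recipient: str) -> Triplet:
        # Key on the client's /24: large senders retry from a pool of outbound hosts.
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip: str, sender: str, recipient: str, now: Optional[float] = None) -> str:
        """Return the decision for one RCPT: 'accept' or 'defer' (an SMTP 450 4.7.1 reply)."""
        now = time.time() if now is None else now
        k = self.key(client_ip, sender, recipient)
        expires = self.passed.get(k)
        if expires is not None and expires > now:
            self.passed[k] = now + self.pass_ttl   # refresh on use
            return "accept"
        self.passed.pop(k, None)
        first_seen = self.pending.get(k)
        if first_seen is None or now - first_seen > self.pending_ttl:
            self.pending[k] = now                  # new (or stale) triplet: start the clock
            return "defer"
        if now - first_seen < self.min_delay:
            return "defer"                         # retried too eagerly; keep waiting
        del self.pending[k]
        self.passed[k] = now + self.pass_ttl
        return "accept"

    def expire(self, now: Optional[float] = None) -> None:
        """Housekeeping for a long-running daemon: drop stale entries from both tables."""
        now = time.time() if now is None else now
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.pending_ttl}
        self.passed = {k: e for k, e in self.passed.items() if e > now}


def demo() -> list:
    """A proper MX retrying after seven minutes versus a bot that never retries."""
    g = Greylist()
    t0 = 1_458_820_000.0  # arbitrary epoch timestamp, constructed
    return [
        g.check("203.0.113.10", "alice@sender.example", "bob@example.org", t0),        # defer
        g.check("203.0.113.10", "alice@sender.example", "bob@example.org", t0 + 60),   # too soon
        g.check("203.0.113.10", "alice@sender.example", "bob@example.org", t0 + 420),  # accept
        g.check("203.0.113.11", "alice@sender.example", "bob@example.org", t0 + 421),  # same /24
        g.check("198.51.100.7", "botnet@random.example", "bob@example.org", t0),       # never retries
    ]
```

The delay Olivier warns about comes from the sender's retry schedule, not from `min_delay`: a well-behaved MTA may wait anywhere from a few minutes to an hour before its second attempt, and the greylist cannot accept the message before that attempt arrives.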
Re: clamav-unofficial-sigs not helping in a spam flood
I've looked into the logs and they say /var/lib/clamav, and the downloaded files are also located there. Sanesecurity also shows up in the logs, so I guess it is really installed. clamd is set up just normally with the Ubuntu package, nothing unusual. Exim checks that daemon for incoming mail and rejects a message every now and then as a result. So Exim and clamav are connected. It's just that Sanesecurity doesn't seem to catch anything.

Yves Goergen
http://unclassified.software

From: Bowie Bailey
Sent: Thu, 2016-03-24 20:05 +0100
Re: clamav-unofficial-sigs not helping in a spam flood
Yves Goergen wrote:
> The Bayes filter has never worked for me, but I can't train it either.

Per-user Bayes is VERY good - stock SA 3.3.2 with a mostly-autolearn-based Bayes lets through maybe three or four spams a week on my personal server/account (out of several hundred per day). Systemwide Bayes can be nearly as good.

What do you mean by "I can't train it either"?

> This is a multi-user server and I can't put every single message I get
> manually into some script to teach it. It's not practical.

"Practical" is a matter of scripting regular operations and getting into a new routine.

If you can move messages from folder A to folder B on an IMAP server, you can feed those into Bayes as spam or nonspam. You can either run sa-learn on the server directly against the folder, or use an IMAP-based script like http://www.deepnet.cx/~kdeugau/spamtools/imap-learn. I have had this script running from cron to feed the Bayes DB based on two folders in a junk mail reporting account for a number of years; it works quite well.

Customers can use the "Report as spam" function in our Horde/IMP instance, or the addon "Report as junk" function in our Roundcube instance; those reports have the attached message stripped on delivery and filed in a "to-sort" folder. Anyone can also just forward a message as an attachment from any regular mail client. I sort those reported messages, and the script learns them. I don't autodelete the freshly learned mail; I've never seen the point since Bayes tracks which messages it's learned from.

I'll admit it's taken a while to reach the point where the process runs fairly smoothly. There's some additional followup I also do to extract relay IP and URI information from the spam to feed to a local DNSBL; the scripts I use are substantially as on https://secure.deepnet.cx/trac/dnsbl. (There are probably a couple of minor enhancements I've added to production I haven't committed to SVN yet.)

Aside from some of the details of the workflow, I've used much of the same process across several generations of mail systems, starting with a small system that peaked at about 450 users, using a Berkeley DB shared Bayes. A good initial training message set and early feedback is important in getting it going.

> I have the impression that the often-recommended sanesecurity data which
> is included in clamav-unofficial-sigs doesn't help at all. I can't see
> any difference between before and after its installation.

We've been catching between a third and half or so of the ".js-downloader-in-a-.zip" virusmail in SpamAssassin, mainly based on Bayes hits.

-kgd
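The "run sa-learn on the server directly against the folder" route Kris mentions, combined with Yves' Maildir setup and Reindl's point that only a few users' sorting can be trusted, as an added example (editor's illustration; not Kris's imap-learn script and not SpamAssassin code). It walks per-user Maildirs, takes spam only from a trusted user's Junk folder and ham only from a dedicated Ham folder, and builds the sa-learn command lines without executing them; the folder names, the Bayes db path and the sample mailboxes in `build_demo_maildirs()` are constructed:

```python
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

TrainingPair = Tuple[str, Path]  # ("spam" | "ham", message file)


def maildir_messages(folder: Path) -> List[Path]:
    """Messages in a Maildir folder live under cur/ (seen) and new/ (unseen); tmp/ holds partial writes."""
    return sorted(p for sub in ("cur", "new") for p in (folder / sub).glob("*") if p.is_file())


def collect_training_set(maildir_root: Path, trusted_users: Iterable[str],
                         spam_folder: str = ".Junk", ham_folder: str = ".Ham") -> List[TrainingPair]:
    """Gather (label, path) pairs for sa-learn from the Maildirs of trusted users only.

    Ham comes from a dedicated folder rather than the inbox, so junk that a user has not
    yet sorted is never learned as ham by accident. Folder names follow the Maildir++
    convention (leading dot) used by Dovecot and Courier; adjust for your layout.
    """
    pairs: List[TrainingPair] = []
    for user in sorted(trusted_users):
        base = maildir_root / user / "Maildir"
        for label, folder in (("spam", spam_folder), ("ham", ham_folder)):
            if (base / folder).is_dir():
                pairs.extend((label, p) for p in maildir_messages(base / folder))
    return pairs


def sa_learn_commands(pairs: List[TrainingPair], dbpath: str = "/var/lib/spamassassin/bayes") -> List[List[str]]:
    """Build argv lists for a site-wide Bayes: one batch per label with --no-sync, then one --sync."""
    cmds: List[List[str]] = []
    for label in ("spam", "ham"):
        files = [str(p) for lbl, p in pairs if lbl == label]
        if files:
            cmds.append(["sa-learn", f"--{label}", "--no-sync", "--dbpath", dbpath, *files])
    if cmds:
        cmds.append(["sa-learn", "--sync", "--dbpath", dbpath])
    return cmds


def build_demo_maildirs(root: Path) -> None:
    """Constructed sample tree: alice is trusted, bob is not; tmp/ contents must be ignored."""
    layout = {
        "alice/Maildir/.Junk/cur": 3, "alice/Maildir/.Junk/new": 1, "alice/Maildir/.Junk/tmp": 1,
        "alice/Maildir/.Ham/cur": 2,
        "bob/Maildir/.Junk/cur": 5,
    }
    for rel, count in layout.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        for i in range(count):
            (d / f"1458800000.{i}.mailhost").write_text("Subject: constructed sample\n\nbody\n")


def demo() -> Tuple[int, int, int]:
    """Return (spam files, ham files, sa-learn invocations) for the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_maildirs(root)
        pairs = collect_training_set(root, trusted_users=["alice"])
        cmds = sa_learn_commands(pairs)
        spam = sum(1 for lbl, _ in pairs if lbl == "spam")
        ham = sum(1 for lbl, _ in pairs if lbl == "ham")
        return spam, ham, len(cmds)


if __name__ == "__main__":
    print(demo())
```

Running the returned argv lists through `subprocess.run` from cron, as the user that owns the Bayes database, is the remaining step; `--no-sync` keeps each batch cheap and the final `--sync` folds the journal into the database once.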
Re: clamav-unofficial-sigs not helping in a spam flood
On 24.03.2016 at 20:05, Bowie Bailey wrote:
> It sounds like you may not have the Sanesecurity databases in the right spot. They should be catching a fair amount of junk. Check your clamd install by grepping the logfiles to see where clamd is reading the databases from.
>
> $ grep 'Reading databases' maillog
> Mar 24 14:56:28 mailserver clamd[7431]: Reading databases from /usr/local/share/clamav
>
> Then make sure your Sanesecurity databases are being put in that directory.

and make sure the config allows them:

OfficialDatabaseOnly no

however, that's a topic for the clamav list and has nothing to do with SA
Re: clamav-unofficial-sigs not helping in a spam flood
On 3/24/2016 2:45 PM, Yves Goergen wrote:
> The Bayes filter has never worked for me, but I can't train it either. This is a multi-user server and I can't put every single message I get manually into some script to teach it. It's not practical. And while Thunderbird has a Junk toolbar button it doesn't report back to the server. So that's not usable.
>
> Switching from Exim to Postfix with all the configuration that hangs at it is way too much work. It's probably easier to switch from Linux+Exim to Windows with a complete mail solution that includes a working spam filter out of the box.
>
> I have the impression that the often-recommended sanesecurity data which is included in clamav-unofficial-sigs doesn't help at all. I can't see any difference between before and after its installation.

It sounds like you may not have the Sanesecurity databases in the right spot. They should be catching a fair amount of junk. Check your clamd install by grepping the logfiles to see where clamd is reading the databases from.

$ grep 'Reading databases' maillog
Mar 24 14:56:28 mailserver clamd[7431]: Reading databases from /usr/local/share/clamav

Then make sure your Sanesecurity databases are being put in that directory.

If that doesn't work, you may need to give us more detail on exactly how you are calling Clam so we can figure out exactly what is going wrong.

-- 
Bowie
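Bowie's log check and Reindl's OfficialDatabaseOnly check, scripted together as an added example (editor's illustration; not code from either of them or from ClamAV). It takes the database directory from the last "Reading databases from" line, parses clamd.conf for OfficialDatabaseOnly, and reports which Sanesecurity files are missing from that directory. The log excerpt and clamd.conf snippets are constructed; the list of Sanesecurity file names is an assumption to adjust to what your clamav-unofficial-sigs configuration actually fetches, and `db_dir` exists only so the check can be pointed at a throwaway directory instead of the real one:

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed log excerpt in the shape of Bowie's grep hit.
SAMPLE_LOG = (
    "Mar 24 14:56:20 mailserver clamd[7431]: clamd daemon started\n"
    "Mar 24 14:56:28 mailserver clamd[7431]: Reading databases from /usr/local/share/clamav\n"
)

# Some of the Sanesecurity signature files clamav-unofficial-sigs downloads
# (assumed names; check the list against your own install).
SANESECURITY_DBS = ["junk.ndb", "jurlbl.ndb", "phish.ndb", "scam.ndb", "spamimg.hdb"]

_READ_RE = re.compile(r"clamd\[\d+\]: Reading databases from (\S+)")


def database_dir_from_log(log_text: str) -> Optional[str]:
    """clamd logs this line on every (re)load, so the last occurrence is the current directory."""
    found = _READ_RE.findall(log_text)
    return found[-1] if found else None


def official_database_only(clamd_conf: str) -> bool:
    """Parse the clamd.conf setting Reindl mentions; 'yes' makes clamd skip third-party files."""
    for raw in clamd_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "officialdatabaseonly":
            return parts[1].lower() in ("yes", "true", "1")
    return False  # clamd's default


def check_sanesecurity(log_text: str, clamd_conf: str, db_dir: Optional[Path] = None) -> Dict[str, object]:
    """Report whether clamd can actually see the Sanesecurity databases.

    `db_dir` overrides the directory parsed from the log so the check can run against a
    test tree; in production leave it None and let the log decide.
    """
    logged = database_dir_from_log(log_text)
    directory = db_dir if db_dir is not None else Path(logged or "")
    present = [n for n in SANESECURITY_DBS if (directory / n).is_file()]
    missing = [n for n in SANESECURITY_DBS if n not in present]
    problems: List[str] = []
    if logged is None:
        problems.append("no 'Reading databases from' line found in the log")
    if official_database_only(clamd_conf):
        problems.append("OfficialDatabaseOnly is 'yes': third-party signatures are ignored")
    if missing:
        problems.append(f"not found in {directory}: {', '.join(missing)}")
    return {"db_dir": str(directory), "present": present, "missing": missing, "problems": problems}


def demo(conf: str, have: List[str]) -> Dict[str, object]:
    """Build a throwaway database directory holding only `have` and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in have:
            (d / name).write_bytes(b"# constructed placeholder, not a real signature file\n")
        return check_sanesecurity(SAMPLE_LOG, conf, db_dir=d)


if __name__ == "__main__":
    print(demo("OfficialDatabaseOnly yes\n", ["junk.ndb", "phish.ndb"])["problems"])
    print(demo("OfficialDatabaseOnly no\n", SANESECURITY_DBS)["problems"])
```

An empty `problems` list means the files are where clamd looks and the config lets it load them; if the files are present but detections still do not appear, the remaining suspects are the MTA-to-clamd hookup Bowie asks about and the age of the downloaded databases.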
Re: clamav-unofficial-sigs not helping in a spam flood
On 24.03.2016 at 19:45, Yves Goergen wrote:
> The Bayes filter has never worked for me, but I can't train it either. This is a multi-user server and I can't put every single message I get manually into some script to teach it. It's not practical. And while Thunderbird has a Junk toolbar button it doesn't report back to the server. So that's not usable.

nonsense - site-wide Bayes for several servers, some hundred users and shared with another company with their own users here

nobody enforces a per-user Bayes, but if you complain about bad spam scanning and are not capable or willing to set up Bayes I can't take you seriously

how do you imagine having a filter working in time and properly without knowing your mailflow? your response sounds like "I don't want to invest any time but expect perfectly working things"

> Switching from Exim to Postfix with all the configuration that hangs at it is way too much work. It's probably easier to switch from Linux+Exim to Windows with a complete mail solution that includes a working spam filter out of the box.

so live with the results or search for something doing the same RBL scoring for exim

> I have the impression that the often-recommended sanesecurity data which is included in clamav-unofficial-sigs doesn't help at all. I can't see any difference between before and after its installation.

looks like nobody including you knows your setup; sanesecurity sigs surely block a large amount of spam even in our setup where postfix / spamassassin kill most crap long before the last resort SA
Re: clamav-unofficial-sigs not helping in a spam flood
The Bayes filter has never worked for me, but I can't train it either. This is a multi-user server and I can't put every single message I get manually into some script to teach it. It's not practical. And while Thunderbird has a Junk toolbar button it doesn't report back to the server. So that's not usable.

Switching from Exim to Postfix with all the configuration that hangs at it is way too much work. It's probably easier to switch from Linux+Exim to Windows with a complete mail solution that includes a working spam filter out of the box.

I have the impression that the often-recommended sanesecurity data which is included in clamav-unofficial-sigs doesn't help at all. I can't see any difference between before and after its installation.

Yves Goergen
http://unclassified.software

From: Reindl Harald
Sent: Thu, 2016-03-24 19:06 +0100
Re: clamav-unofficial-sigs not helping in a spam flood
On 24.03.2016 at 18:50, Yves Goergen wrote:
> I'm getting more and more spam every day and SpamAssassin can't handle it. Most of it looks very similar but it isn't filtered out. I've set up clamav-unofficial-sigs recently by installing the Ubuntu package. My MTA is configured so that anything detected by clamav is declared a virus and rejected immediately. I also get a report of virus-rejected mails. But it doesn't catch a single message. Maybe one out of a hundred in a week. How can I verify that the clamav-unofficial-sigs package is set up properly? Or is it not useful in these situations with today's spam?

a well-trained SA (Bayes) and custom body/subject rules kill most to all spam - in fact a proper setup is using many RBL blacklists with scoring and combined DNSWL also scored, and so most junk doesn't make it to the smtpd daemon

> What other solutions are there to improve the detection rate of SpamAssassin? My current spam-to-useful ratio in some mailboxes is somewhere around 10:1. That's close to the point of abandoning e-mail and reverting to telephone and snailmail. The rate of spam phone calls is a lot lower, and that's not considering the filter.

train your Bayes properly

> Examples of the subjects from the recent days:
>
> FW: Order RF#391032
> Document2
> FW: Payment Receipt
> Sixt Invoice: 6502444876 from 24.03.2016
> Attached document(s)
> FW: Payment Details - [223434]
> Image9876411149045.pdf
> Voicemail from 07730881627 <07730881627> 00:00:24
> FW: Order Status #022412
> FW: Payment #092161
> FW: Confirmation #388194

train your Bayes and write scored subject rules

> All of the messages have attachments, but I can't block all attachments completely. Does grey-listing still work today? Is there an easy way to enable it in either SpamAssassin or Exim? I don't want to fiddle around with databases and such for days in a running system

get rid of exim; with postfix and the config below 99% of all junk doesn't make it to a smtpd process at all, a large part hangs up after 10 seconds and is killed by "postscreen_greet_wait", and the rest hits enough dnsbls to get a score of 8 while backed with enough whitelists

postscreen_dnsbl_ttl = 90s
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:11}s
postscreen_dnsbl_sites =
    dnsbl.sorbs.net=127.0.0.10*9
    dnsbl.sorbs.net=127.0.0.14*9
    zen.spamhaus.org=127.0.0.[10;11]*8
    dnsbl.sorbs.net=127.0.0.5*7
    zen.spamhaus.org=127.0.0.[4..7]*7
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    zen.spamhaus.org=127.0.0.3*6
    dnsbl.sorbs.net=127.0.0.7*4
    hostkarma.junkemailfilter.com=127.0.0.2*4
    bl.spamcop.net=127.0.0.2*4
    bl.spameatingmonkey.net=127.0.0.[2;3]*4
    dnsrbl.swinog.ch=127.0.0.3*4
    ix.dnsbl.manitu.net=127.0.0.2*4
    psbl.surriel.com=127.0.0.2*4
    bl.mailspike.net=127.0.0.[10;11;12]*4
    bl.mailspike.net=127.0.0.2*4
    zen.spamhaus.org=127.0.0.2*3
    dnsbl.sorbs.net=127.0.0.6*3
    dnsbl.sorbs.net=127.0.0.8*2
    hostkarma.junkemailfilter.com=127.0.0.4*2
    score.senderscore.com=127.0.4.[0..20]*2
    dnsbl.sorbs.net=127.0.0.9*2
    bl.spamcannibal.org=127.0.0.2*2
    dnsbl-1.uceprotect.net=127.0.0.2*2
    score.senderscore.com=127.0.4.[0..69]*2
    all.spamrats.com=127.0.0.38*2
    dnsbl-2.uceprotect.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.4*1
    dnsbl.sorbs.net=127.0.0.3*1
    bl.nszones.com=127.0.0.[2;3]*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    ips.backscatterer.org=127.0.0.2*1
    bl.nszones.com=127.0.0.5*-1
    score.senderscore.com=127.0.4.[90..100]*-1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-2
    ips.whitelisted.org=127.0.0.2*-2
    list.dnswl.org=127.0.[0..255].0*-2
    dnswl.inps.de=127.0.[0;1].[2..10]*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
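How the weighted postscreen_dnsbl_sites list above (quoted again in the two later replies) turns into an accept-or-reject decision, as an added example (editor's illustration; not Reindl's code and not Postfix's postscreen implementation). It parses the `domain=d.d.d.d*weight` syntax including the `[a;b]` and `[a..b]` octet patterns, then scores a client from a set of DNSBL replies the way I read postconf(5): every entry whose pattern matches one of the replies from its domain adds its weight, and the client is blocked once the sum reaches postscreen_dnsbl_threshold. Only an excerpt of the list is embedded, and the reply sets for the two sample clients are constructed rather than looked up in DNS:

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# postscreen_dnsbl_threshold from the posted config: block when the summed score reaches it.
DNSBL_THRESHOLD = 8

# Excerpt of the posted postscreen_dnsbl_sites list (the complete list is in the message above).
DNSBL_SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.3*6
zen.spamhaus.org=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.2*4
hostkarma.junkemailfilter.com=127.0.0.1*-2
score.senderscore.com=127.0.4.[0..20]*2
score.senderscore.com=127.0.4.[0..69]*2
score.senderscore.com=127.0.4.[90..100]*-1
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].3*-5
"""

Entry = Tuple[str, Optional[List[Set[int]]], int]  # (domain, allowed values per octet, weight)
_OCTET_TOKEN = re.compile(r"\[[^\]]*\]|\d+")


def _expand_octet(token: str) -> Set[int]:
    """One octet of a reply pattern: '7', '[10;11]' (list) or '[4..7]' (range), mixable as '[2;4..7]'."""
    if not token.startswith("["):
        return {int(token)}
    values: Set[int] = set()
    for part in token[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    return values


def parse_dnsbl_sites(text: str) -> List[Entry]:
    """Parse 'domain[=d.d.d.d][*weight]' entries; a bare domain matches any reply with weight 1."""
    entries: List[Entry] = []
    for raw in text.split():
        weight = 1
        if "*" in raw:
            raw, w = raw.rsplit("*", 1)
            weight = int(w)
        domain, _, pattern = raw.partition("=")
        octets: Optional[List[Set[int]]] = None
        if pattern:
            tokens = _OCTET_TOKEN.findall(pattern)
            if len(tokens) != 4 or ".".join(tokens) != pattern:
                raise ValueError(f"malformed reply pattern: {pattern}")
            octets = [_expand_octet(t) for t in tokens]
        entries.append((domain, octets, weight))
    return entries


def _reply_matches(octets: Optional[List[Set[int]]], reply: str) -> bool:
    if octets is None:
        return True
    parts = [int(p) for p in reply.split(".")]
    return len(parts) == 4 and all(p in allowed for p, allowed in zip(parts, octets))


def dnsbl_score(entries: List[Entry], replies: Dict[str, List[str]]) -> int:
    """Sum the weight of every entry whose pattern matches one of that domain's A-record replies."""
    return sum(weight for domain, octets, weight in entries
               if any(_reply_matches(octets, r) for r in replies.get(domain, [])))


def verdict(entries: List[Entry], replies: Dict[str, List[str]], threshold: int = DNSBL_THRESHOLD) -> str:
    """'enforce' (client rejected, as postscreen_dnsbl_action = enforce does) or 'pass'."""
    return "enforce" if dnsbl_score(entries, replies) >= threshold else "pass"


# Constructed lookup results for two sample clients (nothing is queried in DNS here).
BOT_REPLIES = {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
               "hostkarma.junkemailfilter.com": ["127.0.0.2"]}
MIXED_REPLIES = {"hostkarma.junkemailfilter.com": ["127.0.0.2"],
                 "list.dnswl.org": ["127.0.5.1"]}

if __name__ == "__main__":
    sites = parse_dnsbl_sites(DNSBL_SITES)
    for name, replies in (("bot", BOT_REPLIES), ("mixed", MIXED_REPLIES)):
        print(name, dnsbl_score(sites, replies), verdict(sites, replies))
```

The second client is the interesting one: a single hostkarma listing worth 4 is offset by a dnswl entry worth -3, so it stays below the threshold of 8 and reaches smtpd, which is the "backed with enough whitelists" behaviour Reindl describes. Negative weights are what make an aggressive threshold safe, so any change to the blacklist weights should be re-checked against the whitelist entries with a few known-good clients.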
clamav-unofficial-sigs not helping in a spam flood
Hello,

I'm getting more and more spam every day and SpamAssassin can't handle it. Most of it looks very similar but it isn't filtered out.

I've set up clamav-unofficial-sigs recently by installing the Ubuntu package. My MTA is configured so that anything detected by clamav is declared a virus and rejected immediately. I also get a report of virus-rejected mails. But it doesn't catch a single message. Maybe one out of a hundred in a week. How can I verify that the clamav-unofficial-sigs package is set up properly? Or is it not useful in these situations with today's spam?

What other solutions are there to improve the detection rate of SpamAssassin? My current spam-to-useful ratio in some mailboxes is somewhere around 10:1. That's close to the point of abandoning e-mail and reverting to telephone and snailmail. The rate of spam phone calls is a lot lower, and that's not considering the filter.

Examples of the subjects from the recent days:

FW: Order RF#391032
Document2
FW: Payment Receipt
Sixt Invoice: 6502444876 from 24.03.2016
Attached document(s)
FW: Payment Details - [223434]
Image9876411149045.pdf
Voicemail from 07730881627 <07730881627> 00:00:24
FW: Order Status #022412
FW: Payment #092161
FW: Confirmation #388194

All of the messages have attachments, but I can't block all attachments completely.

Does grey-listing still work today? Is there an easy way to enable it in either SpamAssassin or Exim? I don't want to fiddle around with databases and such for days in a running system.

Yves Goergen
http://unclassified.software