On 12/02/2017 10:39 AM, Junk wrote:
I implemented all of the filters you mentioned and the score went up from 3.5 to 3.9 on an example spam email I was testing.
I will look further into more filters.
I see lots of spam that is formatted as an image and those are not being caught.


What is your MTA? If you are using Postfix then definitely enable postscreen plus its weighted RBLs. Then you can combine the power of multiple RBLs that would normally be too risky to reject on their own to make them more reliable.

Then you can start experimenting with RBLs at http://multirbl.valli.org/lookup/ with low weights and slowly bump them up as you find ones that are helpful for your particular mail flow. Here is my current list:

postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.[10;14]*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*7
  dnsbl.inps.de=127.0.0.2*7
  hostkarma.junkemailfilter.com=127.0.0.2*4
  dnsbl.sorbs.net=127.0.0.7*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  ubl.unsubscore.com=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl-1.uceprotect.net=127.0.0.2*2
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl.sorbs.net=127.0.0.8*2
  score.senderscore.com=127.0.4.[0..29]*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  all.spamrats.com=127.0.0.38*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[30..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5

- Set up postwhite with Postfix to bypass major/trusted senders so you don't reject too much with the above RBL lists.

- Enable basic DNS checks in Postfix main.cf:

smtpd_recipient_restrictions =
  permit_mynetworks,
  ...,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  reject_unauth_destination,
  reject_unverified_recipient,
  reject_unknown_reverse_client_hostname,
  reject_unknown_sender_domain,
  reject_unlisted_sender,
  reject_unlisted_recipient,
  ...,


- Enable greylisting if you can. It really does work, especially helpful with zero-hour spammers from compromised accounts that are very difficult to block. It is possible to deploy it slowly so users don't notice a delay.

- Enable Postfix rate limiting.

- Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can use. OpenDMARC with some custom rules can give SpamAssassin basic DMARC support.

header          DMARC_PASS      Authentication-Results =~ /your-server-here; dmarc=pass/
describe        DMARC_PASS      DMARC check passed
score           DMARC_PASS      -0.01

header          DMARC_FAIL      Authentication-Results =~ /your-server-here; dmarc=fail/
describe        DMARC_FAIL      DMARC check failed
score           DMARC_FAIL      0.01

header          DMARC_NONE      Authentication-Results =~ /your-server-here; dmarc=none/
describe        DMARC_NONE      DMARC check neutral
score           DMARC_NONE      0.01

header          DMARC_FAIL_REJECT       Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
describe        DMARC_FAIL_REJECT       DMARC check failed and the sending domain says to reject this message
score           DMARC_FAIL_REJECT       8.2


- Consider slightly bumping up the scores on FREEMAIL* rules as these are often sources of abuse.

- Add DecodeShortURLs.pm and DecodeShortURLs.cf

- Enable Lashback RBL in SA /etc/mail/spamassassin/lashback.cf:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header          __RCVD_IN_LASHBACK      eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe        __RCVD_IN_LASHBACK      Received is listed in Lashback ubl.unsubscore.com
tflags          __RCVD_IN_LASHBACK      net

header          RCVD_IN_LASHBACK        eval:check_rbl_sub('lashback', '127.0.0.2')
describe        RCVD_IN_LASHBACK        Received is listed in Lashback ubl.unsubscore.com
score           RCVD_IN_LASHBACK        1.2
tflags          RCVD_IN_LASHBACK        net

header          RCVD_IN_LASHBACK_LASTEXT        eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe        RCVD_IN_LASHBACK_LASTEXT        Last external is listed in Lashback ubl.unsubscore.com
score           RCVD_IN_LASHBACK_LASTEXT        2.2
tflags          RCVD_IN_LASHBACK_LASTEXT        net

endif

- Make sure that DCC, Razor, and Pyzor are installed and there are hits in your mail logs.

- Properly train your Bayesian DB with spam first then ham second.

- Have a huge list of whitelist_auth and whitelist_from_rcvd entries for trusted senders which allows me to bump up many scores without causing false positives on them.

On Dec 1, 2017, at 5:05 PM, Kevin Miller <[email protected]> wrote:

There's a number of rulesets that I use - many are mentioned here in this list and discussed so a look at the archives will probably be helpful.

KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
Hashcash
HashBL
SEM - spameatingmonkey.net

To mention just a few...


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: Junk [mailto:[email protected]]
Sent: Friday, December 01, 2017 1:36 PM
To: Kevin Miller
Cc: [email protected]
Subject: RE: FIlter

Do you know any additional lists that could be added in addition to:
- built-in ones
- http://wiki.junkemailfilter.com
- razors

I have the spam score set to above to be 100% spam as I noticed what is below 5% sometimes falls into not a spam email.



--
David Jones
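An added example (mine, not code from the thread or from Postfix) that models how postscreen turns a weighted postscreen_dnsbl_sites list like the one above into a per-client score: it parses the domain=filter*weight syntax including the [a;b] and [a..b] octet forms, adds the weight of every filter that a returned A record matches (negative for the DNSWL entries), and compares the total with postscreen_dnsbl_threshold. The DNSBL answers and the threshold used in the test are constructed; the subset of list entries is copied from the post.

```python
import re

# Constructed subset of the postscreen_dnsbl_sites list quoted in the thread above.
SITES_TEXT = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.2*3
dnsbl.sorbs.net=127.0.0.6*3
bl.nszones.com=127.0.0.5*-1
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].2*-4
"""

def octet_set(token):
    """One filter octet ('6', '[4..7]' or '[10;14]') as the set of values it accepts."""
    if token.startswith("["):
        inner = token[1:-1]
        if ".." in inner:
            lo, hi = inner.split("..")
            return set(range(int(lo), int(hi) + 1))
        return {int(v) for v in inner.split(";")}
    return {int(token)}

def parse_sites(text):
    """Parse domain=filter*weight entries; a missing weight means 1, as in postscreen."""
    sites = []
    for entry in re.split(r"[\s,]+", text.strip()):
        m = re.fullmatch(r"([^=*]+)=([0-9.\[\];]+)(?:\*(-?\d+))?", entry)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: " + entry)
        domain, pattern, weight = m.groups()
        octets = [octet_set(t) for t in re.findall(r"\[[^\]]*\]|\d+", pattern)]
        sites.append((domain, octets, int(weight) if weight else 1))
    return sites

def matches(octets, address):
    """True when every octet of the returned A record is accepted by the filter."""
    parts = [int(p) for p in address.split(".")]
    return len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets))

def dnsbl_score(sites, answers):
    """answers maps DNSBL domain -> A records returned for the client's reversed IP.
    Every filter matched by a returned record adds its weight (negative for DNSWLs)."""
    return sum(weight for domain, octets, weight in sites
               for addr in answers.get(domain, []) if matches(octets, addr))

def postscreen_verdict(sites, answers, threshold=1):
    """postscreen rejects once the total reaches postscreen_dnsbl_threshold (default 1)."""
    score = dnsbl_score(sites, answers)
    return score, score >= threshold
```

With the listed weights a client hit by both the SBL (127.0.0.2) and XBL (127.0.0.4) codes at zen plus one sorbs code scores 13, while a single zen hit offset by a dnswl listing nets -1, which is the "combine several weak signals" effect described above.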
