On 12/02/2017 09:03 PM, Junk wrote:
I am using sendmail.


It's pretty easy to switch from sendmail to Postfix so I highly recommend it. Once you see how powerful Postfix is with all of its built-in features and flexibility, you will be very glad you switched.

Basic/high-level steps (Google for specific details on your particular OS version):

1. /etc/postfix/main.cf - relay_domains
2. /etc/postfix/transport
3. Integrate Spamassassin into Postfix
4. Run 'postmap /etc/postfix/transport' to make transport.db
5. Switch the MTA from sendmail to Postfix in the OS.
6. Stop sendmail
7. Start postfix
8. Watch your maillog
9. Start tuning Postfix by enabling postscreen in the master.cf then the postscreen_dnsbl_sites in the main.cf. Don't forget to restart postfix.
10. Watch your maillog for spam being rejected and smile


On Dec 2, 2017, at 12:33 PM, David Jones <[email protected]> wrote:

On 12/02/2017 10:39 AM, Junk wrote:
I implemented all of the filters you mentioned and the score went up from 3.5 to 3.9 on an example spam email I was testing.
I will look further into more filters.
I see lots of spam that is formatted as image and those are not being caught.

What is your MTA?  If you are using Postfix then definitely enable postscreen 
plus its weighted RBLs.  Then you can combine the power of multiple RBLs that 
would normally be too risky to reject on their own to make them more reliable.

Then you can start experimenting with RBLs at http://multirbl.valli.org/lookup/ 
with low weights and slowly bump them up as you find ones that are helpful for 
your particular mail flow. Here is my current list:

postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.[10;14]*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*7
  dnsbl.inps.de=127.0.0.2*7
  hostkarma.junkemailfilter.com=127.0.0.2*4
  dnsbl.sorbs.net=127.0.0.7*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  ubl.unsubscore.com=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl-1.uceprotect.net=127.0.0.2*2
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl.sorbs.net=127.0.0.8*2
  score.senderscore.com=127.0.4.[0..29]*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  all.spamrats.com=127.0.0.38*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[30..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5

- Setup postwhite with Postfix to bypass major/trusted senders so you don't 
reject too much with the above RBL lists.

- Enable basic DNS check in Postfix main.cf:

smtpd_recipient_restrictions =
  permit_mynetworks,
  ...,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  reject_unauth_destination,
  reject_unverified_recipient,
  reject_unknown_reverse_client_hostname,
  reject_unknown_sender_domain,
  reject_unlisted_sender,
  reject_unlisted_recipient,
  ...,


- Enable greylisting if you can.  It really does work, especially helpful with 
zero-hour spammers from compromised accounts that are very difficult to block.  
It is possible to deploy it slowly so users don't notice a delay.

- Enable Postfix rate limiting.

- Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can use.  
OpenDMARC with some custom rules can give Spamassassin basic DMARC support.

header        DMARC_PASS    Authentication-Results =~ /your-server-here; dmarc=pass/
describe    DMARC_PASS    DMARC check passed
score        DMARC_PASS    -0.01

header        DMARC_FAIL    Authentication-Results =~ /your-server-here; dmarc=fail/
describe    DMARC_FAIL    DMARC check failed
score        DMARC_FAIL    0.01

header        DMARC_NONE    Authentication-Results =~ /your-server-here; dmarc=none/
describe    DMARC_NONE    DMARC check neutral
score        DMARC_NONE    0.01

header        DMARC_FAIL_REJECT    Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
describe    DMARC_FAIL_REJECT    DMARC check failed and the sending domain says to reject this message
score        DMARC_FAIL_REJECT    8.2


- Consider slightly bumping up the scores on FREEMAIL* rules since these are 
often sources of abuse.

- Add DecodeShortURLs.pm and DecodeShortURLs.cf

- Enable Lashback RBL in SA /etc/mail/spamassassin/lashback.cf:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header        __RCVD_IN_LASHBACK    eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe    __RCVD_IN_LASHBACK    Received is listed in Lashback ubl.unsubscore.com
tflags        __RCVD_IN_LASHBACK    net

header        RCVD_IN_LASHBACK    eval:check_rbl_sub('lashback', '127.0.0.2')
describe    RCVD_IN_LASHBACK    Received is listed in Lashback ubl.unsubscore.com
score        RCVD_IN_LASHBACK    1.2
tflags        RCVD_IN_LASHBACK    net

header        RCVD_IN_LASHBACK_LASTEXT    eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe    RCVD_IN_LASHBACK_LASTEXT    Last external is listed in Lashback ubl.unsubscore.com
score        RCVD_IN_LASHBACK_LASTEXT    2.2
tflags        RCVD_IN_LASHBACK_LASTEXT    net

endif

- Make sure that DCC, Razor, and Pyzor are installed and there are hits in your 
mail logs.

- Properly train your Bayesian DB with spam first then ham second.

- Have a huge list of whitelist_auth and whitelist_from_rcvd entries for 
trusted senders which allows me to bump up many scores without causing false 
positives on them.

On Dec 1, 2017, at 5:05 PM, Kevin Miller <[email protected]> wrote:

There's a number of rulesets that I use - many are mentioned here in this list 
and discussed so a look at the archives will probably be helpful.

KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
Hashcash
HashBL
SEM - spameatingmonkey.net

To mention just a few...


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: Junk [mailto:[email protected]]
Sent: Friday, December 01, 2017 1:36 PM
To: Kevin Miller
Cc: [email protected]
Subject: RE: Filter

Do you know any additional lists that could be added in addition to:
- built ones
- http://wiki.junkemailfilter.com
- razors

I have the spam score set to above to be 100% spam as I noticed what is below 
5% sometimes falls into not a spam email.


--
David Jones
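As an added illustration of how postscreen combines a weighted list like the one above (example code, not from the thread and not Postfix's own implementation): a small Python model that parses postscreen_dnsbl_sites entries, including the [a;b] and [a..b] octet patterns, and sums the weights of matching replies against postscreen_dnsbl_threshold. The sample entries, DNS replies and threshold are constructed, and the rule that each entry counts at most once per client is an assumption of this model, not a statement about Postfix internals.

```python
import re

# Constructed excerpt written in the same syntax as the postscreen_dnsbl_sites list above.
SAMPLE_SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.2*3
bl.spamcop.net=127.0.0.2*4
list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8  # constructed postscreen_dnsbl_threshold: one weight-8 hit rejects, a lone weight-4 hit does not


def _octet_matches(pattern: str, value: int) -> bool:
    """One filter octet: a plain number, or [a;b] / [a..b] alternatives inside brackets."""
    m = re.fullmatch(r"\[(.*)\]", pattern)
    if m is None:
        return int(pattern) == value
    for part in m.group(1).split(";"):
        lo, _, hi = part.partition("..")  # "a..b" is a range, "a" alone is a single value
        if int(lo) <= value <= int(hi or lo):
            return True
    return False


def parse_sites(text: str) -> list:
    """Return (site, octet_patterns_or_None, weight) per entry; weight defaults to 1."""
    entries = []
    for token in text.split():
        site, _, rest = token.partition("=")
        pattern, _, weight = rest.partition("*")
        # Split on dots that are not inside [...] so [0..255] survives as one octet pattern.
        octets = re.findall(r"\[[^\]]*\]|[^.]+", pattern) if pattern else None
        if octets is not None and len(octets) != 4:
            raise ValueError(f"bad filter in {token!r}")
        entries.append((site, octets, int(weight) if weight else 1))
    return entries


def dnsbl_score(entries, replies: dict) -> int:
    """Sum weights of entries whose site returned at least one matching A record.
    Model assumption: an entry counts once even if several replies match it."""
    total = 0
    for site, octets, weight in entries:
        for addr in replies.get(site, ()):
            vals = [int(o) for o in addr.split(".")]
            if octets is None or all(_octet_matches(p, v) for p, v in zip(octets, vals)):
                total += weight
                break
    return total


def verdict(entries, replies: dict, threshold: int = THRESHOLD) -> str:
    """postscreen rejects the client once its score reaches the threshold."""
    return "reject" if dnsbl_score(entries, replies) >= threshold else "allow"
```

Feed it a dict of constructed DNSBL replies keyed by zone to see why a single low-weight listing is harmless while a Spamhaus 127.0.0.11 answer alone crosses the line, and how a DNSWL entry with a negative weight pulls the total back down.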
