On 10/19/2017 04:18 AM, Jari Fredriksson wrote:
David Jones wrote on 13.10.2017 14:16:
On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
I don't use Kam.cf <http://Kam.cf> as it is very prone to false
positives and way too aggressively scored by default. I'm pretty happy
with my current setup with 3.4.1 though.

If you are happy with your SA accuracy, don't change a thing.  :)
Have you tried the KAM.cf lately?

Indeed I have. This just came today:

X-Spam-Report:
     * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
     * [mail99.sea21.rsgsv.net TXT:v=spf1]
     [ip4:148.105.12.99 include:spf.mandrillapp.com]
     [?all]
     * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
     * [URIs: forward-to-friend.com]
     * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
     * [148.105.12.99 listed in iadb.isipp.com]
     * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
     * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
     * -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
     * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
     * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
     * trust
     * [148.105.12.99 listed in list.dnswl.org]
     * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
     * domains are different
     * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
     * 1.0 HTML_MESSAGE BODY: HTML included in message
     * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
     * [score: 0.0000]
     * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
     * background
     * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
     * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
     * valid
     * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid &
     * .link TLD Abuse
     * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
     * 0.0 KAM_SHORT Use of a URL Shortener for very short URL

The mail is ham from sourceforge.net. I'm able to deliver the post to
KAM if he is willing to look at it.

You should consider changing the default scores of RCVD_IN_IADB_RDNS, RCVD_IN_IADB_DK, and RCVD_IN_IADB_LISTED to -2.0 or lower. I have the shortcircuit plugin enabled with this config:

shortcircuit ALL_TRUSTED off

shortcircuit USER_IN_WHITELIST on
priority     USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

score RCVD_IN_RP_CERTIFIED -100
score RCVD_IN_RP_SAFE -10
score RCVD_IN_DNSWL_HI -10
score RCVD_IN_IADB_LISTED -100
score RCVD_IN_IADB_SPF -10
score RCVD_IN_IADB_DK -10
score RCVD_IN_IADB_RDNS -10
score RCVD_IN_IADB_SENDERID -10
score RCVD_IN_IADB_OPTIN -10

This eliminates content-based rules like KAM.cf firing for trusted senders. You don't have to go as far as I did with shortcircuit'ing them but even setting a -2.0 or -4.0 score for those RCVD_IN_* rules above could help with trusted senders and save a lot of your time.


Hit points like 10 points for this issue BAD_TLD are just killing my
system, which will report to spamcop, razor and pyzor without manual
intervention :(

False positives are usually nonexistent with my setup, and this can not
be taken into production.

br. jarif


KAM.cf does have high scores when you first look at it but if you have
other SA add-ons that subtract points for being "good", then the high
KAM.cf scores complement things well.  Also, I am using MailScanner
and the default block score is 6.0 which helps a bit too.  My custom
rule scores tend to be high on both ends.

On 12 October 2017 at 17.07.41 GMT+03:00, "Kevin A. McGrail"
<kevin.mcgr...@mcgrail.com> wrote:
 >On 10/12/2017 9:25 AM, AJ Weber wrote:
 >> I'm open to new rules, plug-ins, etc. Spam volume is only getting
 >> worse, and these spammers are getting more creative.
 >
 >Hi AJ,
 >
 >I have to say that 3.3.0 is pretty old. I'd look to run a newer
 >version, invest some time into researching a few RBLs and consider
 >adding my KAM.cf <http://KAM.cf> file.
 >
 >Regards,
 >KAM

-- 
ja...@iki.fi


--
David Jones
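
An added example, not part of the original thread or of SpamAssassin: a small what-if tool that parses an X-Spam-Report body and recomputes the total with local `score` overrides, here the milder -2.0 suggestion for three IADB rules. The names `parse_hits`, `total` and `MILD` are hypothetical, and the embedded report is a constructed sample taken from the report quoted above.

```python
import re

# Constructed sample: the non-zero rule lines from the X-Spam-Report quoted in
# the thread (QP-decoded), plus RCVD_IN_IADB_LISTED. Omitted lines score 0.0.
REPORT = """\
 * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
 * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
 * [URIs: forward-to-friend.com]
 * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
 * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
 * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
 * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
 * 1.0 HTML_MESSAGE BODY: HTML included in message
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 * valid
 * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid &
 * .link TLD Abuse
"""

# A hit line is "* <score> <RULE_NAME> ..."; anything else is a continuation.
HIT = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

def parse_hits(report):
    """Return {rule_name: score} for each rule line in a report body."""
    hits = {}
    for line in report.splitlines():
        m = HIT.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def total(hits, overrides=None):
    """Sum the hits, letting local 'score' overrides replace reported scores."""
    overrides = overrides or {}
    return round(sum(overrides.get(rule, s) for rule, s in hits.items()), 1)

# The milder suggestion from the reply: three IADB rules at -2.0.
MILD = {"RCVD_IN_IADB_RDNS": -2.0, "RCVD_IN_IADB_DK": -2.0,
        "RCVD_IN_IADB_LISTED": -2.0}

if __name__ == "__main__":
    hits = parse_hits(REPORT)
    for label, ov in (("as reported", None), ("IADB at -2.0", MILD)):
        score = total(hits, ov)
        # 6.0 is the MailScanner block score mentioned in the thread.
        print(f"{label}: {score:+.1f} blocked_at_6.0={score >= 6.0}")
```

This models score overrides only; it does not model the shortcircuit plugin, which stops rule evaluation rather than changing scores.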
