On 3/15/12 10:44 PM, Eric Shubert wrote:
On 03/15/2012 03:23 PM, Casey Price wrote:

SPAMDYKE -- Gateway1:
#dns-blacklist-entry=zombie.dnsbl.sorbs.net
#dns-blacklist-entry=dul.dnsbl.sorbs.net
#dns-blacklist-entry=bogons.cymru.com
#dns-blacklist-entry=zen.spamhaus.org

I have zen.spamhaus.org enabled. That's the best RBL in my experience.
I just enabled this one on my primary gateway, so we'll see how it does. I have immediately begun to notice a lot of RBL entries in the logs after turning this on, so I'll see if anyone starts complaining.
dns-blacklist-entry=bl.spamcop.net
#Graylist settings
graylist-dir=/var/spamdyke/graylist
graylist-level=always-create-dir
graylist-max-secs=2678400
graylist-min-secs=120
greeting-delay-secs=5
idle-timeout-secs=60
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
local-domains-file=/var/qmail/control/rcpthosts
log-level=info
log-target=stderr
max-recipients=50
#policy-url=http://my.policy.explanation.url/
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns
#reject-ip-in-cc-rdns

You should enable reject-ip-in-cc-rdns unless you have a lot of email outside of the US. I use the setting, and don't seem to have any problem receiving from legit senders in other countries.
I do have several customers in Europe, and a few in South America - so I need to ensure that they won't have any issues. Do you think it would still be safe to enable this one?
reject-missing-sender-mx
#reject-unresolvable-rdns

This is a big one to enable. This stops a lot of spam, and you'll rarely find a legit domain with unconfigured rDNS. When that happens, you can whitelist the domain as an interim measure, while you contact the mail admin for the domain and the problem is resolved. A legit sender who is blocked as a result of this rule won't get through to gmail and many others either. They'll be glad to get it fixed.
I'll enable this one after a day or two of testing with zen.spamhaus.org enabled and see how things go. I know you'll be right about this one...several months back when I briefly enabled this option it was helping to block 90% of all mail, but I received complaints, and now that I've gotten a bit more experience under my belt, I'll just whitelist the domains in question and contact their admins like you suggested.
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem
---------------------------------------------------------------------------

SPAMASSASSIN -- vCluster1:
ok_locales all
skip_rbl_checks 1

required_score 5

I use 3.7, which seems to rarely get a false positive.

report_safe 0
rewrite_header Subject ***SPAM***

use_pyzor 1
use_razor2 1
use_dcc 1

use_auto_whitelist 1

bayes_path /home/vpopmail/.spamassassin/bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 6.5

I use 5.5.

bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_expire 1

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

score FH_DATE_PAST_20XX 0.0
score DATE_IN_FUTURE_96_XX 3.9

score UNWANTED_LANGUAGE_BODY 6.0
score SORTED_RECIPS 2.0
score RCVD_ILLEGAL_IP 1.3
score NO_DNS_FOR_FROM 1.0

score RAZOR2_CHECK 3.0
score RAZOR2_CF_RANGE_51_100 3.5
score RAZOR2_CF_RANGE_E4_51_100 3.5
score RAZOR2_CF_RANGE_E8_51_100 3.5

score PYZOR_CHECK 2.0

score DCC_CHECK 3.5

score RCVD_IN_SBL 2.6
score RCVD_IN_DSBL 2.6
score RCVD_IN_NJABL_PROXY 1.000
score RCVD_IN_SORBS_HTTP 2.6
score RCVD_IN_SORBS_MISC 2.6
score RCVD_IN_BL_SPAMCOP_NET 0
score RCVD_IN_MAPS_RBL 0
score RCVD_IN_MAPS_DUL 0
score RCVD_IN_MAPS_RSS 0
score RCVD_IN_MAPS_NML 0

score URIBL_AB_SURBL 3.3
score URIBL_JP_SURBL 3.3
score URIBL_OB_SURBL 3.6
score URIBL_PH_SURBL 3.2
score URIBL_SBL 2.0
score URIBL_SC_SURBL 3.6
score URIBL_WS_SURBL 2.5

#######################################################
#################### Custom Rules ##################
#######################################################

header LOCAL_DEMONSTRATION_FROM From =~ /rolex\.com/i
score LOCAL_DEMONSTRATION_FROM 1.1

------------------------------------------------------------------------------

My dad is using Outlook 2010 with IMAP, so it created a ".Junk E-mail"
folder, and I symlinked this to ".Junk". I ran the qtp-clean-spam
script, and modified the cron job to use .Junk instead of .Spam, but I'm
not so sure that it is actually doing anything.

Here is the output from sa-stats:
[root@vcluster1 spamassassin]# sa-stats


Email: 1048 Autolearn: 302 AvgScore: 4.50 AvgScanTime: 6.41 sec
Spam: 404 Autolearn: 302 AvgScore: 8.27 AvgScanTime: 6.15 sec
Ham: 644 Autolearn: 0 AvgScore: 2.13 AvgScanTime: 6.58 sec

Time Spent Running SA: 1.87 hours
Time Spent Processing Spam: 0.69 hours
Time Spent Processing Ham: 1.18 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM
----------------------------------------------------------------------
1 RDNS_NONE 399 98.66 98.76 98.60

This shows that having spamdyke block unresolvable rDNS will give you much better results.

2 HTML_MESSAGE 366 91.60 90.59 92.24
3 URIBL_BLACK 356 59.26 88.12 41.15
4 MIME_HTML_ONLY 295 54.77 73.02 43.32
5 URIBL_JP_SURBL 186 18.32 46.04 0.93
6 DK_SIGNED 166 41.41 41.09 41.61
7 URIBL_WS_SURBL 110 12.02 27.23 2.48
8 DK_VERIFIED 103 28.05 25.50 29.66
9 AWL 77 16.22 19.06 14.44
10 URIBL_SBL 67 6.39 16.58 0.00
11 DATE_IN_FUTURE_12_24 47 4.48 11.63 0.00
12 URIBL_RHS_DOB 47 8.40 11.63 6.37
13 HTML_FONT_LOW_CONTRAST 46 9.26 11.39 7.92
14 SARE_UNSUB38 42 6.30 10.40 3.73
15 HTML_IMAGE_ONLY_28 39 5.63 9.65 3.11
16 SARE_URI_LET_DIG_PIC 39 4.01 9.65 0.47
17 MISSING_MID 38 4.58 9.41 1.55
18 HTML_IMAGE_RATIO_02 34 8.02 8.42 7.76
19 URIBL_AB_SURBL 33 3.15 8.17 0.00
20 HTML_MIME_NO_HTML_TAG 32 3.53 7.92 0.78
----------------------------------------------------------------------

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM
----------------------------------------------------------------------
1 RDNS_NONE 635 98.66 98.76 98.60
2 HTML_MESSAGE 594 91.60 90.59 92.24
3 MIME_HTML_ONLY 279 54.77 73.02 43.32
4 DK_SIGNED 268 41.41 41.09 41.61
5 URIBL_BLACK 265 59.26 88.12 41.15
6 DK_VERIFIED 191 28.05 25.50 29.66
7 AWL 93 16.22 19.06 14.44
8 DK_POLICY_TESTING 57 8.11 6.93 8.85
9 SARE_UNI 55 7.25 5.20 8.54
10 HTML_FONT_LOW_CONTRAST 51 9.26 11.39 7.92
11 MPART_ALT_DIFF 51 5.73 2.23 7.92
12 HTML_IMAGE_RATIO_02 50 8.02 8.42 7.76
13 MIME_HTML_MOSTLY 45 5.25 2.48 6.99
14 URIBL_RHS_DOB 41 8.40 11.63 6.37
15 HTML_IMAGE_RATIO_04 40 4.58 1.98 6.21
16 HTML_IMAGE_RATIO_06 34 3.63 0.99 5.28
17 SARE_UNSUB38 24 6.30 10.40 3.73
18 SARE_UN7 23 4.58 6.19 3.57
19 URIBL_GREY 23 2.29 0.25 3.57
20 HTML_EXTRA_CLOSE 22 2.77 1.73 3.42
----------------------------------------------------------------------

Also, I'm running Dovecot 2.0.11, and the latest version of the
qmail-toaster packages.

Thanks!


I think the little tweaks of spamdyke will help immensely. I also expect that the changes to rule scoring that you've made probably aren't doing much for you. I typically don't spend much time trying to tweak SA scoring, as I don't think it's productive.

Thanks Eric! I appreciate it! Anyone else that has any recommendations for SA & spamdyke tuning, please chime in.

Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com <http://www.smileglobal.com>

Follow us on Twitter <https://twitter.com/#%21/SmileInternet>
Find us on Facebook <https://www.facebook.com/smileglobal>
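Eric's remark that RDNS_NONE firing on 98.6% of ham makes it useless as a spam signal, and that hand-tweaking SA scores rarely pays off, can be checked directly against the sa-stats table quoted above. The following is an added example (not code from the thread or from SpamAssassin) that parses "TOP RULES FIRED" rows and ranks each rule by how much more often it fires on spam than on ham; the sample rows are copied from the output in this thread.

```python
"""Rank SpamAssassin rules from sa-stats 'TOP RULES FIRED' rows by how well
they separate spam from ham. Added example, not part of the original thread."""
import re
from typing import Dict, List, NamedTuple


class RuleStat(NamedTuple):
    name: str
    count: int
    pct_mail: float
    pct_spam: float
    pct_ham: float


# sa-stats row layout: RANK RULE_NAME COUNT %OFMAIL %OFSPAM %OFHAM
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_sa_stats(text: str) -> Dict[str, RuleStat]:
    """Extract rule rows; header, ruler and blank lines do not match and are skipped."""
    rules: Dict[str, RuleStat] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, name, count, pmail, pspam, pham = m.groups()
            rules[name] = RuleStat(name, int(count), float(pmail), float(pspam), float(pham))
    return rules


def spam_lift(stat: RuleStat, floor: float = 0.05) -> float:
    """Spam-hit rate divided by ham-hit rate. A lift near 1.0 means the rule fires
    equally on both classes and carries no signal; the floor (an assumed value) keeps
    a reported 0.00% ham rate from dividing by zero."""
    return stat.pct_spam / max(stat.pct_ham, floor)


def rank_rules(rules: Dict[str, RuleStat]) -> List[RuleStat]:
    """Most discriminating rule first."""
    return sorted(rules.values(), key=spam_lift, reverse=True)


def non_discriminating(rules: Dict[str, RuleStat], tol: float = 0.25) -> List[str]:
    """Rules whose lift is within tol of 1.0, i.e. rescoring them cannot help."""
    return sorted(n for n, s in rules.items() if abs(spam_lift(s) - 1.0) <= tol)


# Rows copied from the sa-stats output quoted earlier in this thread.
SAMPLE = """RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM
----------------------------------------------------------------------
1 RDNS_NONE 399 98.66 98.76 98.60
2 HTML_MESSAGE 366 91.60 90.59 92.24
3 URIBL_BLACK 356 59.26 88.12 41.15
5 URIBL_JP_SURBL 186 18.32 46.04 0.93
6 DK_SIGNED 166 41.41 41.09 41.61
10 URIBL_SBL 67 6.39 16.58 0.00
"""

if __name__ == "__main__":
    for s in rank_rules(parse_sa_stats(SAMPLE)):
        print(f"{s.name:18} spam={s.pct_spam:6.2f}% ham={s.pct_ham:6.2f}% lift={spam_lift(s):7.2f}")
```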
