Re: Spamassasin not as effective anymore

2014-09-30 Thread Reindl Harald

Am 30.09.2014 um 02:40 schrieb Lorenzo Thurman:
> I looked at those emails again and tried to resolve the sender’s addresses 
> (dig -x z.z.z.z). They don’t resolve to
> valid hostnames, which means they should even reach SA. Postfix should reject 
> them outright. I’ve changed a couple
> of postfix’s reject_rbl_client settings, put a tail on its log and now I see 
> many emails being rejected outright.
> So I’ll take this to the postfix lists. These are the changes I made:
> 
> old
> sbl.spamhaus.org
> sbl-xbl.spamhaus.org
> 
> new
> reject_rbl_client zen.spamhaus.ord
> reject_rbl_client dns.sorbd.net

reject_unknown_sender_domain
reject_unknown_reverse_client_hostname

BTW:
you should not use "reject_rbl_client" - postscreen
supports weights with different RBLs, so you can add
more without letting a single one block on its own, because
each time you add an unconditional RBL you multiply the
possibility of false positives

http://www.postfix.org/POSTSCREEN_README.html

postscreen_cache_retention_time = 7d
postscreen_bare_newline_ttl     = 7d
postscreen_greet_ttl            = 7d
postscreen_non_smtp_command_ttl = 7d
postscreen_pipelining_ttl       = 7d
postscreen_dnsbl_ttl            = 10m
postscreen_dnsbl_threshold      = 8
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
postscreen_greet_wait           = ${stress?2}${stress:10}s
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*8
 zen.spamhaus.org=127.0.0.[10;11]*8
 b.barracudacentral.org*7
 dnsbl.inps.de*7
 dnsbl.sorbs.net=127.0.0.5*6
 zen.spamhaus.org=127.0.0.[4..7]*6
 bl.mailspike.net*4
 bl.spamcop.net*4
 bl.spameatingmonkey.net*4
 zen.spamhaus.org=127.0.0.3*4
 dnsrbl.swinog.ch*4
 zen.spamhaus.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.7*3
 dnsbl.sorbs.net=127.0.0.8*2
 dnsbl.sorbs.net=127.0.0.6*2
 dnsbl.sorbs.net=127.0.0.9*2
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5






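Added example, not part of the message above and not Postfix code: a simplified model of how the posted weights combine. It assumes an entry adds its weight once when any DNSBL reply matches its filter, and that a client is blocked when the sum reaches postscreen_dnsbl_threshold; the reply addresses are constructed.

```python
import re
# postscreen_dnsbl_threshold and postscreen_dnsbl_sites as posted above.
THRESHOLD = 8
SITES = """
dnsbl.sorbs.net=127.0.0.10*8
zen.spamhaus.org=127.0.0.[10;11]*8
b.barracudacentral.org*7
dnsbl.inps.de*7
dnsbl.sorbs.net=127.0.0.5*6
zen.spamhaus.org=127.0.0.[4..7]*6
bl.mailspike.net*4
bl.spamcop.net*4
bl.spameatingmonkey.net*4
zen.spamhaus.org=127.0.0.3*4
dnsrbl.swinog.ch*4
zen.spamhaus.org=127.0.0.2*3
dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
"""

def parse_octet(tok):
    # "5" -> {5}; "[10;11]" -> {10, 11}; "[4..7]" -> {4, 5, 6, 7}
    spans = [p.partition("..") for p in tok.strip("[]").split(";")]
    return {n for lo, _, hi in spans for n in range(int(lo), int(hi or lo) + 1)}

def parse_sites(text):
    # Each entry is domain[=filter][*weight]; no filter means any reply matches.
    entries = []
    for item in text.split():
        domain, filt, weight = re.fullmatch(
            r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item).groups()
        octets = filt and [parse_octet(t)
                           for t in re.findall(r"\[[^\]]*\]|\d+", filt)]
        entries.append((domain, octets, int(weight or 1)))
    return entries

def dnsbl_score(entries, replies):
    # Assumed model: an entry adds its weight once if any reply matches it.
    total = 0
    for domain, octets, weight in entries:
        for addr in replies.get(domain, ()):
            parts = [int(p) for p in addr.split(".")]
            if not octets or all(p in ok for p, ok in zip(parts, octets)):
                total += weight
                break
    return total

def verdict(replies):
    score = dnsbl_score(parse_sites(SITES), replies)
    return score, "block" if score >= THRESHOLD else "pass"

if __name__ == "__main__":
    # Constructed reply: one spamcop listing alone stays under the threshold.
    print(verdict({"bl.spamcop.net": ["127.0.0.2"]}))
```

With these weights a single weight-4 list never rejects on its own, two of them together reach the threshold, and a list.dnswl.org entry can pull the total back under it.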


Re: Spamassasin not as effective anymore

2014-09-29 Thread Lorenzo Thurman

On Sep 29, 2014, at 4:58 PM, Mark London  wrote:

> On 9/29/2014 12:58 PM, Mark London wrote:
>> On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
>>> 
>>> From: Lorenzo Thurman 
>>> Date: 9/26/2014 10:59 PM
>>> I’ve been using spamassassin for a number of years with excellent results. 
>>> But, now over the last month or so, it has been scoring spam very low. It 
>>> still catches most spam, but whereas only about a dozen or so might get 
>>> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I 
>>> run sa-update via cron every day and I have a special mail folder where I 
>>> place missed spam and run sa-learn against it weekly. I know it’s an arms 
>>> race out there fighting spam, but here are some sample subject lines with SA's 
>>> scores that I think should be caught. I know spamassassin looks at a lot 
>>> more than subject lines, but does anyone know what I can do to increase 
>>> spamassassin’s ability to detect spam? My threshold is set to 4.6.
>>> 
>>> "Complete Our Survey, qualify for free-samples" 4.1
>>> "Re: Your Score-Changes on: 09/26/2014*" 2.9
>>> "Weird 30 second trick cURES Diabetes..” 4.1
>>> "Quality Window Replacement Deals” 4.4
>>> "Find a PhD degree online in the specialty field” 2.8
>>> "Your background check is Available online” 2.4
>>> "Perfect vision with one weird trick” 0.0
>> 
>> What are the From: addresses in those spam emails?  We have been recently 
>> inundated from spam using domains such as .eu and .co. The IP names that 
>> the spammers are using, are constantly changing, so that the URIBLs are not 
>> able to keep up with them. you've had to add customized rules that increase 
>> the spam scores, for emails from these and other domains, that are now 
>> popular with spammers. 
> 
> I meant to say "I've had to add...", not "you've had to add..."
> 
> - Mark 
> 

I looked at those emails again and tried to resolve the sender’s addresses (dig 
-x z.z.z.z). They don’t resolve to valid hostnames, which means they should 
even reach SA. Postfix should reject them outright. I’ve changed a couple of 
postfix’s reject_rbl_client settings, put a tail on its log and now I see many 
emails being rejected outright. So I’ll take this to the postfix lists. These 
are the changes I made:

old
sbl.spamhaus.org
sbl-xbl.spamhaus.org

new
reject_rbl_client zen.spamhaus.ord
reject_rbl_client dns.sorbd.net

Thanks all.

RE: Spamassasin not as effective anymore

2014-09-29 Thread Gary Smith


From: Mark London [mailto:m...@psfc.mit.edu]
Sent: Monday, September 29, 2014 2:59 PM
To: users@spamassassin.apache.org
Subject: Re: Spamassasin not as effective anymore

On 9/29/2014 12:58 PM, Mark London wrote:
On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
From: Lorenzo Thurman <lore...@thethurmans.com>
Date: 9/26/2014 10:59 PM


I've been using spamassassin for a number of years with excellent results. But, 
now over the last month or so, it has been scoring spam very low. It still 
catches most spam, but whereas only about a dozen or so might get through to my 
inbox in a week, I'm suddenly getting a dozen or so a day. I run sa-update via 
cron every day and I have a special mail folder where I place missed spam and 
run sa-learn against it weekly. I know it's an arms race out there fighting 
spam, but here are some sample subject lines with SA's scores that I think should 
be caught. I know spamassassin looks at a lot more than subject lines, but does 
anyone know what I can do to increase spamassassin's ability to detect spam? My 
threshold is set to 4.6.



"Complete Our Survey, qualify for free-samples" 4.1
"Re: Your Score-Changes on: 09/26/2014*" 2.9
"Weird 30 second trick cURES Diabetes.." 4.1
"Quality Window Replacement Deals" 4.4
"Find a PhD degree online in the specialty field" 2.8
"Your background check is Available online" 2.4
"Perfect vision with one weird trick" 0.0

What are the From: addresses in those spam emails?  We have been recently 
inundated from spam using domains such as .eu and .co. The IP names that the 
spammers are using, are constantly changing, so that the URIBLs are not able to 
keep up with them. you've had to add customized rules that increase the spam 
scores, for emails from these and other domains, that are now popular with 
spammers.

I meant to say "I've had to add...", not "you've had to add..."

- Mark

We have also seen an increase in unmarked spam (from 95% to maybe 20%).  Last 
night I did a dump of my bayes DB, which was 10 months since we reset it and 
started the training process again with 3k known spams and 1k known hams and 
we're hitting 95% again.
It seems that enough hammy looking ones got trained automagically and the 
snowball effect happened.
YMMV

Gary


Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London

On 9/29/2014 12:58 PM, Mark London wrote:
> On 9/29/2014 4:21 AM, users-digest-help@spamassassin.apache.org wrote:
>> From: Lorenzo Thurman
>> Date: 9/26/2014 10:59 PM
>>
>> I’ve been using spamassassin for a number of years with excellent results.
>> But, now over the last month or so, it has been scoring spam very low. It
>> still catches most spam, but whereas only about a dozen or so might get
>> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I
>> run sa-update via cron every day and I have a special mail folder where I
>> place missed spam and run sa-learn against it weekly. I know it’s an arms
>> race out there fighting spam, but here are some sample subject lines with
>> SA's scores that I think should be caught. I know spamassassin looks at a
>> lot more than subject lines, but does anyone know what I can do to increase
>> spamassassin’s ability to detect spam? My threshold is set to 4.6.
>>
>> "Complete Our Survey, qualify for free-samples" 4.1
>> "Re: Your Score-Changes on: 09/26/2014*" 2.9
>> "Weird 30 second trick cURES Diabetes..” 4.1
>> "Quality Window Replacement Deals” 4.4
>> "Find a PhD degree online in the specialty field” 2.8
>> "Your background check is Available online” 2.4
>> "Perfect vision with one weird trick” 0.0
>
> What are the From: addresses in those spam emails?  We have been recently
> inundated from spam using domains such as .eu and .co. The IP names that
> the spammers are using, are constantly changing, so that the URIBLs are not
> able to keep up with them. you've had to add customized rules that increase
> the spam scores, for emails from these and other domains, that are now
> popular with spammers.

I meant to say "I've had to add...", not "you've had to add..."

- Mark



Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London

On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
> From: Lorenzo Thurman
> Date: 9/26/2014 10:59 PM
>
> I’ve been using spamassassin for a number of years with excellent results.
> But, now over the last month or so, it has been scoring spam very low. It
> still catches most spam, but whereas only about a dozen or so might get
> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I
> run sa-update via cron every day and I have a special mail folder where I
> place missed spam and run sa-learn against it weekly. I know it’s an arms
> race out there fighting spam, but here are some sample subject lines with
> SA's scores that I think should be caught. I know spamassassin looks at a
> lot more than subject lines, but does anyone know what I can do to increase
> spamassassin’s ability to detect spam? My threshold is set to 4.6.
>
> "Complete Our Survey, qualify for free-samples" 4.1
> "Re: Your Score-Changes on: 09/26/2014*" 2.9
> "Weird 30 second trick cURES Diabetes..” 4.1
> "Quality Window Replacement Deals” 4.4
> "Find a PhD degree online in the specialty field” 2.8
> "Your background check is Available online” 2.4
> "Perfect vision with one weird trick” 0.0

What are the From: addresses in those spam emails?  We have been recently
inundated from spam using domains such as .eu and .co. The IP names that the
spammers are using, are constantly changing, so that the URIBLs are not able to
keep up with them. you've had to add customized rules that increase the spam
scores, for emails from these and other domains, that are now popular with
spammers.


Mark London



Re: Spamassasin not as effective anymore

2014-09-29 Thread Axb

On 09/29/2014 05:27 PM, Lorenzo Thurman wrote:
> I’ve created a paste bin with a couple of sample emails here:
> http://pastebin.com/KfYrGMm8

>    reject_rbl_client sbl-xbl.spamhaus.org,

replace this with zen.spamhaus.org

>    reject_rbl_client cbl.abuseat.org,

This is included in ZEN - remove.

>    reject_rbl_client multi.uribl.com,

URIBL doesn't list sender IPs - remove this.

>    reject_rbl_client dsn.rfc-ignorant.org,

OBSOLETE - DEAD - REMOVE

>    reject_rbl_client list.dsbl.org,

OBSOLETE - DEAD - REMOVE

> My DNS forwards queries. I hope this is enough.

You should let your DNS do the resolving without forwarding to a third 
party outside your control

SA reports show no SURBL/DBL/URIBL hits - do you see any hits in your 
maillogs?





> On Sep 27, 2014, at 7:02 AM, Axb wrote:
>
>> On 09/27/2014 04:59 AM, Lorenzo Thurman wrote:
>>> I’ve been using spamassassin for a number of years with excellent results.
>>> But, now over the last month or so, it has been scoring spam very low. It
>>> still catches most spam, but whereas only about a dozen or so might get
>>> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I
>>> run sa-update via cron every day and I have a special mail folder where I
>>> place missed spam and run sa-learn against it weekly. I know it’s an arms
>>> race out there fighting spam, but here are some sample subject lines with
>>> SA's scores that I think should be caught. I know spamassassin looks at a
>>> lot more than subject lines, but does anyone know what I can do to increase
>>> spamassassin’s ability to detect spam? My threshold is set to 4.6.
>>>
>>> "Complete Our Survey, qualify for free-samples" 4.1
>>> "Re: Your Score-Changes on: 09/26/2014*" 2.9
>>> "Weird 30 second trick cURES Diabetes..” 4.1
>>> "Quality Window Replacement Deals” 4.4
>>> "Find a PhD degree online in the specialty field” 2.8
>>> "Your background check is Available online” 2.4
>>> "Perfect vision with one weird trick” 0.0
>>
>> Please try to reply to the questions below so others get a better picture
>> of your setup/issue.
>>
>> - Please post missed spam samples in pastebin.com - do not post samples to
>> mailing list
>>
>> - What SA version are you using
>>
>> - How are you using SA?
>> (amavis, milter, Mailscanner, procmail, Fuglu, etc, etc)
>>
>> - Are you using SA in a PC/notebook? or on a server?
>>
>> - What plugins are you using?
>> (Razor, Pyzor, DCC, etc)
>>
>> - Are you using a local, non forwarding, DNS resolver/caching server ?
>>
>> Axb









Re: Spamassasin not as effective anymore

2014-09-29 Thread Lorenzo Thurman
I’ve created a paste bin with a couple of sample emails here:
http://pastebin.com/KfYrGMm8

I’m running spamassassin on my mail server, Ubuntu 14.04. I use postfix as my 
MTA. Spamassassin is at 3.4.0, with razor and I have these recipient 
restrictions set in postfix:
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_non_fqdn_sender,
   reject_unknown_recipient_domain,
   reject_unknown_sender_domain,
   reject_unauth_destination,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client multi.uribl.com,
   reject_rbl_client dsn.rfc-ignorant.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client ix.dnsbl.manitu.net,
   reject_rbl_client combined.rbl.msrbl.net,
   reject_rbl_client rabl.nuclearelephant.com,
   permit

My DNS forwards queries. I hope this is enough.
Thanks

On Sep 27, 2014, at 7:02 AM, Axb  wrote:

> On 09/27/2014 04:59 AM, Lorenzo Thurman wrote:
>> I’ve been using spamassassin for a number of years with excellent results. But, 
>> now over the last month or so, it has been scoring spam very low. It still 
>> catches most spam, but whereas only about a dozen or so might get through to 
>> my inbox in a week, I’m suddenly getting a dozen or so a day. I run 
>> sa-update via cron every day and I have a special mail folder where I place 
>> missed spam and run sa-learn against it weekly. I know it’s an arms race out 
>> there fighting spam, but here are some sample subject lines with SA's scores 
>> that I think should be caught. I know spamassassin looks at a lot more than 
>> subject lines, but does anyone know what I can do to increase spamassassin’s 
>> ability to detect spam? My threshold is set to 4.6.
>> 
>> "Complete Our Survey, qualify for free-samples" 4.1
>> "Re: Your Score-Changes on: 09/26/2014*" 2.9
>> "Weird 30 second trick cURES Diabetes..” 4.1
>> "Quality Window Replacement Deals” 4.4
>> "Find a PhD degree online in the specialty field” 2.8
>> "Your background check is Available online” 2.4
>> "Perfect vision with one weird trick” 0.0
>> 
> 
> Please try to reply to the questions below so others get a better picture of 
> your setup/issue.
> 
> - Please post missed spam samples in pastebin.com - do not post samples to 
> mailing list
> 
> - What SA version are you using
> 
> - How are you using SA?
> (amavis, milter, Mailscanner, procmail, Fuglu, etc, etc)
> 
> - Are you using SA in a PC/notebook? or on a server?
> 
> - What plugins are you using?
> (Razor, Pyzor, DCC, etc)
> 
> - Are you using a local, non forwarding, DNS resolver/caching server ?
> 
> Axb
> 



Re: Spamassasin not as effective anymore

2014-09-29 Thread Anthony Cartmell

>> I’ve been using spamassassin for a number of years with excellent results.

> I recently updated my SA version to 3.4.0_13 and found that it caught
> much more than it had been. It’s not enough to run sa-update, you need
> to keep the install version up to date as well.


Just updated SA to 3.4.0 on CentOS 6 using:

http://copr.fedoraproject.org/coprs/kevin/spamassassin-el/

which seems to be a neat re-package of FC21's spamassassin for EL5 and  
EL6. Kevin is a Fedora project person responsible for spamassassin, so he  
should know what he's doing :)


Anthony
--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex,  
BN11 1QR


Re: Spamassasin not as effective anymore

2014-09-28 Thread LuKreme
On 28 Sep 2014, at 12:41 , Jason Haar  wrote:
> On 29/09/14 04:11, LuKreme wrote:
>> I recently updated my SA version to 3.4.0_13 and found that it caught
>> much more than it had been. It’s not enough to run sa-update, you need
>> to keep the install version up to date as well. 
> 
> What is 3.4.0_13?

That’s the version reported by ports. Normally that means something like 
“Version 3.4.0 patch 13.”

-- 
A good friend will come and bail you out of jail but a true friend will
be sitting next to you saying, "Dang, that was fun."



Re: Spamassasin not as effective anymore

2014-09-28 Thread RW
On Mon, 29 Sep 2014 07:41:57 +1300
Jason Haar wrote:

> On 29/09/14 04:11, LuKreme wrote:
> > I recently updated my SA version to 3.4.0_13 and found that it
> > caught much more than it had been. It's not enough to run
> > sa-update, you need to keep the install version up to date as well. 
> 
> What is 3.4.0_13? The version on the home website is still 3.4.0? Is
> it true there were some bugfixes fixed since that corrected some
> scoring issues? Pretty sure we'd all like to be running the "current"
> release

The _13 is the FreeBSD port revision number


Re: Spamassasin not as effective anymore

2014-09-28 Thread Jason Haar
On 29/09/14 04:11, LuKreme wrote:
> I recently updated my SA version to 3.4.0_13 and found that it caught
> much more than it had been. It’s not enough to run sa-update, you need
> to keep the install version up to date as well. 

What is 3.4.0_13? The version on the home website is still 3.4.0? Is it
true there were some bugfixes fixed since that corrected some scoring
issues? Pretty sure we'd all like to be running the "current" release

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Spamassasin not as effective anymore

2014-09-28 Thread LuKreme
On 26 Sep 2014, at 20:59 , Lorenzo Thurman  wrote:
> I’ve been using spamassassin for a number of years with excellent results.

I recently updated my SA version to 3.4.0_13 and found that it caught much more 
than it had been. It’s not enough to run sa-update, you need to keep the 
install version up to date as well.

-- 
Hard work pays off in the future. Laziness pays off now.



Re: Spamassasin not as effective anymore

2014-09-27 Thread Axb

On 09/27/2014 04:59 AM, Lorenzo Thurman wrote:
> I’ve been using spamassassin for a number of years with excellent results.
> But, now over the last month or so, it has been scoring spam very low. It
> still catches most spam, but whereas only about a dozen or so might get
> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I
> run sa-update via cron every day and I have a special mail folder where I
> place missed spam and run sa-learn against it weekly. I know it’s an arms
> race out there fighting spam, but here are some sample subject lines with
> SA's scores that I think should be caught. I know spamassassin looks at a
> lot more than subject lines, but does anyone know what I can do to increase
> spamassassin’s ability to detect spam? My threshold is set to 4.6.
>
> "Complete Our Survey, qualify for free-samples" 4.1
> "Re: Your Score-Changes on: 09/26/2014*" 2.9
> "Weird 30 second trick cURES Diabetes..” 4.1
> "Quality Window Replacement Deals” 4.4
> "Find a PhD degree online in the specialty field” 2.8
> "Your background check is Available online” 2.4
> "Perfect vision with one weird trick” 0.0



Please try to reply to the questions below so others get a better picture 
of your setup/issue.


- Please post missed spam samples in pastebin.com - do not post samples 
to mailing list


- What SA version are you using

- How are you using SA?
(amavis, milter, Mailscanner, procmail, Fuglu, etc, etc)

- Are you using SA in a PC/notebook? or on a server?

- What plugins are you using?
(Razor, Pyzor, DCC, etc)

- Are you using a local, non forwarding, DNS resolver/caching server ?

Axb