Paul Matthews wrote:
> Hi there,
>
> I've just installed spam assassin and it's working okay, but some spam is
> still getting in, I only have like 3 rules at the moment that I added in,
Care to specify which ones?
> is there a list of pretty safe rules out there that I could just copy into
> my local.cf SA file?
Well, I usually don't copy rules into my local.cf, I copy whole rulefiles at a
time. (SA will parse all the .cf files in /etc/mail/spamassassin, not just
local.cf. So all you need to do is download the .cf files).
In general, I would suggest not adding on ANY rules to start with. Only use the
default set for a little bit, to get a feel for what works for you,
Also, make sure you've got Net::DNS installed. The SA default ruleset has a LOT
of very powerful rules that depend on DNS.
As for add-ons' I get good results from the following rulesets from SARE. After
running a bit with the default set, these would be good add-ons to start with.
70_sare_adult.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_html0.cf
70_sare_obfu0.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_stocks.cf
70_sare_uri0.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf
I strongly suggest not using sa-blacklist.cf or sa-blacklist-uri.cf unless you
have a LOT (more than 4GB) of ram. Both of these are SEVERE memory hogs.
I also make use of a modified version of the rules for uribl.com's add-on uribl:
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 1.5
# note: grey is an informational rule. It OFTEN matches nonspam.
# in fact, it tends to match more nonspam than spam. (S/O's are
# in the 0.55-0.30 range)
urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 0.001
>
>
