We are running SpamAssassin 3.3.1 with Postfix. So I have added some rules to mark as spam yolasite, wix, etc., as we have been getting besieged by them. My thing is these rules seem not to be loading. When I do a spamassassin --lint I don't get any errors. When I do spamassassin --lint -D I get pages of output that I have a hard time sifting through, but nothing more than a warning. Here are the config file contents etc. Any help would be HUGELY appreciated.
New Rules for our local.cf:

#
# yolasite.com BAH BYE!!!!
body NWU_YOLASITE /yolasite\.com/i
describe NWU_YOLASITE yolasite.com hosts LOTS of phishing attacks
score NWU_YOLASITE 12
#
# jimdo.com BAH BYE!!!!
body NWU_JIMDO /jimdo\.com/i
describe NWU_JIMDO jimdo.com hosts LOTS of phishing attacks
score NWU_JIMDO 12
#
# wix.com BAH BYE!!!!
body NWU_WIX /wix\.com/i
describe NWU_WIX wix.com hosts LOTS of phishing attacks
score NWU_WIX 12
#
# .ru/ links in the body, pump to a 4
body NWU_RUDOMAIN /\.ru\//i
describe NWU_RUDOMAIN ru links in the body are most likely phishing attacks
score NWU_RUDOMAIN 3.5
#
# Yolasite URI rule
uri NWU_URI_YOLASITE /\.yolasite\.com\//
describe NWU_URI_YOLASITE yolasite.com hosts LOTS of phishing attacks
score NWU_URI_YOLASITE 12

/etc/postfix/master.cf

  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# see recipient_access for spam scanning rules
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -u spamd -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from clamSMTP
127.0.0.1:10026 inet n  -       n       -       16      smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

Existing /etc/mail/spamassassin/local.cf

# use bayesian filtering
use_bayes 1
# train bayes
bayes_auto_learn 1
bayes_auto_expire 1
# Bayesian database location.  Store it in SQL so we can share it between
# the two machines, and do per-user bayes
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:spamassassin:db
bayes_sql_username $username
bayes_sql_password $password
# autowhitelist database location.
auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn DBI:mysql:spamassassin:db
user_awl_sql_username $username
user_awl_sql_password $password
user_awl_sql_table awl
# Use Razor2 (newly free!) and Pyzor (always free!).  Don't use DCC because it sucks
#use_razor2 1
#razor_config /etc/razor/razor-agent.conf
use_pyzor 1
pyzor_options --homedir /var/lib/pyzord
# don't block apparent backscatter from ourselves
# If you are sure you have DNS access set it to "yes".
dns_available yes
required_hits 5
report_safe 0
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Level _STARS(*)_
add_header all Status _YESNO_, bayes=_BAYES_ score=_SCORE_ required=_REQD_ tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_
rewrite_header Subject [SPAM:_STARS(*)_]
internal_networks 10.0.0.0/8
# Yahoo! lists tend to get blocked because they put spam, er, ads in them
whitelist_from_rcvd *.mail.mud.yahoo.com *.bullet.scd.yahoo.com
# BigPulse for SAS online voting
whitelist_from_rcvd *@bigpulse.com *.bigpulse.com

####################### SCORE ADJUSTMENTS ######################
# For default scores have a look at /usr/local/share/spamassassin/50_scores.cf
# file.
score HTML_IMAGE_RATIO_02 2.5
score HTML_IMAGE_ONLY_04 3.5
score HTML_IMAGE_ONLY_08 3
score DEAR_FRIEND 2
score DEAR_WINNER 2.5
score FORGED_HOTMAIL_RCVD2 2
score UNPARSEABLE_RELAY 0.5
score MPART_ALT_DIFF 0.5
score BAD_CREDIT 2.5
score NORMAL_HTTP_TO_IP 0.75
score SUBJ_ALL_CAPS 2
score EXTRA_MPART_TYPE 1.5
score SARE_EN_A_1XX_1 2.5
score SARE_EN_A_1XX_2 2.5
score MICROSOFT_EXECUTABLE 2
score US_DOLLARS_3 1.5
# this rule is broken
score FH_DATE_PAST_20XX 0.1
# these tests are good, but be careful about turning up the scores
# for the lower ones
score ADVANCE_FEE_2 1.75
score ADVANCE_FEE_3 3.75
score ADVANCE_FEE_4 4.25
# these catch a lot of animated-GIF stock spam
score SARE_GIF_ATTACH 2
score SARE_GIF_STOX 2.5
# crank up checksum systems -- that's been manually verified as spam
score PYZOR_CHECK 5
score RAZOR2_CHECK 6
score DIGEST_MULTIPLE 2    # hit > 1 checksum system
# bayesian scores
score BAYES_00 -1.5
score BAYES_05 -0.5
score BAYES_20 0.25
score BAYES_40 0.75
score BAYES_50 1
score BAYES_60 1.5
score BAYES_80 2
score BAYES_95 3
score BAYES_99 3.5
# these are hitting *a lot* on spam.  If your message contains a blacklisted
# URL, you're toast.
score URIBL_BLACK 12
score URIBL_SBL 12
score URIBL_JP_SURBL 12
score URIBL_OB_SURBL 12
score URIBL_WS_SURBL 12
score URIBL_SC_SURBL 12
score URIBL_AB_SURBL 12
# false positives on messages in Chinese, Japanese, and other languages
# that don't delineate words with spaces
score TVD_SPACE_RATIO 0.1
# lots of FPs recently -- no idea why.
score EMPTY_MESSAGE 0.1

################################################
#                 CUSTOM RULES                 #
################################################
# DEAR_FRIEND is good, but some people send to "Dear good friend", etc.
body NWU_DEAR_X_FRIEND /^\s*Dear \w+ Friend\b/i
describe NWU_DEAR_X_FRIEND Dear *** Friend -- catches adjectives in between
score NWU_DEAR_X_FRIEND 1.5

# replace the normal "big money" rule with several that are more sensitive
score BILLION_DOLLARS 0

# big money with more than just a space between
body NWU_BILLION_DOLLARS_OBFU_SPACE /[bm]illion.{0,5}dollar/i
describe NWU_BILLION_DOLLARS_OBFU_SPACE Talks about lots of money
score NWU_BILLION_DOLLARS_OBFU_SPACE 1

# big money match with country name
body NWU_BILLION_US_DOLLARS /[bm]illion.?(U\.S\.|US|United States).?dollar/i
describe NWU_BILLION_US_DOLLARS Talks about lots of American money
score NWU_BILLION_US_DOLLARS 1

# british big money match
body NWU_BILLION_POUNDS /[bm]illion.pound/i
describe NWU_BILLION_POUNDS Talks about lots of British money
score NWU_BILLION_POUNDS 0.5

# british big money match
body NWU_BILLION_GB_POUNDS /([bm]illion|thousand).?(british|great.britain).?pound/i
describe NWU_BILLION_GB_POUNDS Talks about lots of British money
score NWU_BILLION_GB_POUNDS 1

# canadian medication
body NWU_CANADIAN_MEDS /canadian (med|medication)s?/i
describe NWU_CANADIAN_MEDS Canadian medication, meds, etc.
score NWU_CANADIAN_MEDS 1.5

# mentions the CAN-SPAM act, a pretty good sign that they ARE-SPAM
body NWU_CAN_SPAM /can.spam act/i
describe NWU_CAN_SPAM Mentions the CAN-SPAM Act
score NWU_CAN_SPAM 2

# sending server has no PTR record
header NWU_RCVD_INVALID_PTR2 Received =~ /from \S+ \(unknown /
describe NWU_RCVD_INVALID_PTR2 Server in "Received" header has no PTR
score NWU_RCVD_INVALID_PTR2 1.5

# sender isn't sure if you're male or female -- used a lot in 419s
body NWU_SIR_MADAM /sir.{0,4}madam/i
describe NWU_SIR_MADAM Sender addresses letter to "Sir/Madam", "Sir or Madam", or other with obfuscated separator
score NWU_SIR_MADAM 1

# from yahoo.com.blah (i.e., foreign Yahoo! account)
header NWU_FOREIGN_YAHOO From =~ /\@yahoo(?:\.com?)?\.\w\w$/i
describe NWU_FOREIGN_YAHOO Sender address is from foreign Yahoo! account
score NWU_FOREIGN_YAHOO 1.5

# claims you have no financial obligation
body NWU_NO_OBLIGATION /no (financial)? obligation/i
describe NWU_NO_OBLIGATION Claims you have no (financial) obligation
score NWU_NO_OBLIGATION 1.5

# if a message hits FORGED_OUTLOOK_HTML, it's pretty much guaranteed to hit
# FORGED_MUA_OUTLOOK.  That means that one rule (basically) is worth 7 points,
# which is way too much.  Don't punish these messages that badly.
meta NWU_FORGED_OUTLOOK FORGED_OUTLOOK_HTML && FORGED_MUA_OUTLOOK
describe NWU_FORGED_OUTLOOK Message hit 2 redundant Outlook rules
score NWU_FORGED_OUTLOOK -3

# a lot of image spam is sent as multipart/related instead of multipart/mixed
header NWU_MULTIPART_RELATED Content-Type =~ /multipart\/related;/
describe NWU_MULTIPART_RELATED Stock messages with image attachments
score NWU_MULTIPART_RELATED 0.5

# mentions Lincoln, Omaha, or Nebraska
body NWU_LOCAL_PLACES /Lincoln|Omaha|Nebraska/i
describe NWU_LOCAL_PLACES Mentions Lincoln, Omaha, or Nebraska
score NWU_LOCAL_PLACES -5

# lets you know that you're a winner
body NWU_WINNER_NOTIFY /winner notification/i
describe NWU_WINNER_NOTIFY Lets you know that you are a winner
score NWU_WINNER_NOTIFY 0.75

# French lottery (thank you, French colonialism in Africa)
body NWU_FRENCH_LOTTERY /tombola|loterie/i
describe NWU_FRENCH_LOTTERY Message about a lottery in French
score NWU_FRENCH_LOTTERY 0.5

# "add .com after the dot"
body NWU_OBFU_DOMAIN1 /\bwww[^a-z].{0,30}(?:Replace.{1,4}\bwith\b|\badd\b(?:com|net|org)\b|\bafter dot\b)/i
describe NWU_OBFU_DOMAIN1 Obfuscated domain and request to fix it
score NWU_OBFU_DOMAIN1 1.5

# block nasty phishing attempt
body NWU_REFUSES_TO_UPDATE /Account (user|owner)s? that refuses? to update (their|his.{0,4}her) account/
describe NWU_REFUSES_TO_UPDATE Common text from many phishing attempts
score NWU_REFUSES_TO_UPDATE 5

# broken outlook forgery
header _NWU_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
score _NWU_MSGID_OUTLOOK_888 0.1
header _NWU_OUTLOOK_MUA X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/
score _NWU_OUTLOOK_MUA 0.1
meta NWU_RATWARE_MSGID _NWU_MSGID_OUTLOOK_888 && _NWU_OUTLOOK_MUA
describe NWU_RATWARE_MSGID Ratware Message-Id
score NWU_RATWARE_MSGID 3

header NWU_FREE_REPLY_TO Reply-To =~ /\@(gmail\.com|hotmail\.co[\.m]|yahoo\.co[\.m]|live\.com|mcom\.com)/i
describe NWU_FREE_REPLY_TO Message has a Reply-To at a popular free mail host
score NWU_FREE_REPLY_TO 3

header NWU_DOMAIN_FORGERY X-Domain-Forgery =~ /Yes/
describe NWU_DOMAIN_FORGERY Sender forged our domain in the envelope sender
score NWU_DOMAIN_FORGERY 3

# phishers often use "surport" instead of "support" in their email addresses
header NWU_FROM_SURPORT From =~ /surport/i
describe NWU_FROM_SURPORT Message has From: including "surport"
score NWU_FROM_SURPORT 1
header NWU_REPLY_TO_SURPORT Reply-To =~ /surport/i
describe NWU_REPLY_TO_SURPORT Message has Reply-To: including "surport"
score NWU_REPLY_TO_SURPORT 2

# sender / domain karma headers.  Every rule needs a name of its own: a later
# definition with the same name replaces the earlier one (describe and score
# included), so reusing NWU_DOMAIN_FORGERY here would leave only the last
# definition in effect and wipe out the X-Domain-Forgery rule above.
header NWU_SENDER_KARMA_HI X-NWU-Sender-Karma =~ /hi/
describe NWU_SENDER_KARMA_HI Sender is on many whitelists/address books
score NWU_SENDER_KARMA_HI -3
header NWU_SENDER_KARMA_MED X-NWU-Sender-Karma =~ /med/
describe NWU_SENDER_KARMA_MED Sender is on some whitelists/address books
score NWU_SENDER_KARMA_MED -1
header NWU_SENDER_KARMA_LOW X-NWU-Sender-Karma =~ /low/
describe NWU_SENDER_KARMA_LOW Sender is on a mix of whitelists/blacklists
score NWU_SENDER_KARMA_LOW 0.1
header NWU_SENDER_KARMA_NONE X-NWU-Sender-Karma =~ /none/
describe NWU_SENDER_KARMA_NONE Sender is on many blacklists
score NWU_SENDER_KARMA_NONE 1
header NWU_DOMAIN_KARMA_HI X-NWU-Domain-Karma =~ /hi/
describe NWU_DOMAIN_KARMA_HI Domain is on many whitelists/address books
score NWU_DOMAIN_KARMA_HI -1
header NWU_DOMAIN_KARMA_MED X-NWU-Domain-Karma =~ /med/
describe NWU_DOMAIN_KARMA_MED Domain is on some whitelists/address books
score NWU_DOMAIN_KARMA_MED -0.5
header NWU_DOMAIN_KARMA_LOW X-NWU-Domain-Karma =~ /low/
describe NWU_DOMAIN_KARMA_LOW Domain is on a mix of whitelists/blacklists
score NWU_DOMAIN_KARMA_LOW 0.1
header NWU_DOMAIN_KARMA_NONE X-NWU-Domain-Karma =~ /none/
describe NWU_DOMAIN_KARMA_NONE Domain is on many blacklists
score NWU_DOMAIN_KARMA_NONE 0.5

Chris Brandstetter
System Administrator
Nebraska Wesleyan University
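Added example, not code from the post above or from SpamAssassin: an offline pre-check for a local.cf rule set of the kind posted. It parses body/rawbody/uri/header rules in the same "/pattern/flags" form, flags a describe or score whose name matches no rule (a typo like NWU_REFUSES_TO_UDPATE) and a rule name defined twice (SpamAssassin keeps only the last definition and its score, without a lint error), then runs the compiled patterns over a constructed message so you can see which rules would fire before going through pages of -D output. The rule excerpt and the message are constructed for the example; matching is an approximation (Python re instead of Perl, no HTML rendering or header decoding, meta rules ignored), so a hit here still has to be confirmed with spamassassin -t on the real box.

```python
"""Offline sanity check for SpamAssassin-style local.cf rules (illustrative only)."""
import re

# Constructed excerpt in the style of the post's local.cf (rule names/texts assumed).
SAMPLE_CF = r"""
body NWU_YOLASITE /yolasite\.com/i
describe NWU_YOLASITE yolasite.com hosts LOTS of phishing attacks
score NWU_YOLASITE 12
uri NWU_URI_YOLASITE /\.yolasite\.com\//
score NWU_URI_YOLASITE 12
body NWU_REFUSES_TO_UPDATE /Account (user|owner)s? that refuses? to update (their|his.{0,4}her) account/
describe NWU_REFUSES_TO_UDPATE Common text from many phishing attempts
score NWU_REFUSES_TO_UPDATE 5
header NWU_DOMAIN_FORGERY X-Domain-Forgery =~ /Yes/
score NWU_DOMAIN_FORGERY 3
header NWU_DOMAIN_FORGERY X-NWU-Sender-Karma =~ /hi/
score NWU_DOMAIN_FORGERY -3
"""

# Constructed test message, not a real sample.
SAMPLE_MSG = """From: Account Team <surport@example.invalid>
X-Domain-Forgery: Yes
Subject: Please update your account

Account owners that refuse to update their account will be closed.
Visit http://login.yolasite.com/verify now.
"""

RULE_RE = re.compile(r"^(body|rawbody|uri|header)\s+(\S+)\s+(.*)$")
PATTERN_RE = re.compile(r"^/(.*)/([a-z]*)$")   # SA writes patterns as /.../flags


def parse_rules(text):
    """Return ({name: (kind, header, regex)}, {name: score}, [problem strings])."""
    rules, scores, described, problems = {}, {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "describe" and len(words) > 1:
            described.add(words[1])
            continue
        if words[0] == "score" and len(words) > 2:
            scores[words[1]] = float(words[2])
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                      # other directives (use_bayes, add_header, meta ...) ignored
        kind, name, spec = m.groups()
        header = None
        if kind == "header":              # "Header-Name =~ /pattern/flags"
            header, _, spec = spec.partition("=~")
            header, spec = header.strip().lower(), spec.strip()
        pm = PATTERN_RE.match(spec)
        if not pm:
            problems.append(f"line {lineno}: {name}: pattern is not of the form /.../")
            continue
        try:
            regex = re.compile(pm.group(1), re.I if "i" in pm.group(2) else 0)
        except re.error as exc:
            problems.append(f"line {lineno}: {name}: bad regex ({exc})")
            continue
        if name in rules:
            problems.append(f"line {lineno}: {name} redefined; SpamAssassin keeps only the last definition")
        rules[name] = (kind, header, regex)
    for name in sorted(described - rules.keys()):
        problems.append(f"describe {name} matches no rule (typo in the name?)")
    for name in sorted(scores.keys() - rules.keys()):
        problems.append(f"score {name} matches no rule (typo in the name?)")
    return rules, scores, problems


def evaluate(message, rules, scores):
    """Apply parsed rules to an RFC 822-style message; return ({hit_name: score}, total)."""
    head, _, body = message.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    uris = re.findall(r"https?://\S+", body)   # crude stand-in for SA's URI extraction
    hits = {}
    for name, (kind, header, regex) in rules.items():
        if kind in ("body", "rawbody"):
            hit = regex.search(body) is not None
        elif kind == "uri":
            hit = any(regex.search(u) for u in uris)
        else:
            hit = any(regex.search(v) for v in headers.get(header, []))
        if hit:
            hits[name] = scores.get(name, 1.0)  # an unscored normal rule defaults to 1.0
    return hits, sum(hits.values())


def check(cf_text=SAMPLE_CF, message=SAMPLE_MSG):
    """Parse the rules, report problems, and score the message."""
    rules, scores, problems = parse_rules(cf_text)
    hits, total = evaluate(message, rules, scores)
    return problems, hits, total


if __name__ == "__main__":
    problems, hits, total = check()
    for p in problems:
        print("PROBLEM:", p)
    for name, score in sorted(hits.items()):
        print(f"HIT {name} {score:+.1f}")
    print(f"total score: {total:.1f}")
```

On the constructed input the two yolasite rules and NWU_REFUSES_TO_UPDATE fire for a total of 29, the misspelled describe is reported, and NWU_DOMAIN_FORGERY does not fire even though the message carries X-Domain-Forgery: Yes, because its second definition (the karma header) silently replaced the first. To run it against the real file, pass open("/etc/mail/spamassassin/local.cf").read() and a saved message to check().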