I set up spamdyke to block .top and many other TLDs where mostly spam came from. 
Unfortunately, I had to remove them, and now have to rely on content analysis 
with the use of *BL's. 

When setting up pattern matching, in an effort to future-proof blocking, it will 
catch legit email that uses characters to form tables (happens occasionally). 

The only thing I could think of was to set individual scores lower, but high 
meta scores.  I appreciate the options for postfix, but I do not run that on 
incoming mail servers.


                Infinite Systems
                Charles Amstutz | Systems Administrator
                charl...@infinitesys.com 402.477.2474
                134 S 13th Street, Suite 302 | Lincoln, NE 68508
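The "low individual scores, high meta score" approach mentioned above, written out as a SpamAssassin local rule fragment. This is an added, constructed example and not a rule set from the poster or the SpamAssassin project; the rule names (LOCAL_*), the regexes, the scores and the .top TLD are assumptions chosen for illustration. The idea is that neither a .top sender nor an ASCII-art table is damning on its own (legitimate mail does occasionally contain tables), so each contributes only a small score, while the combination, which is far more characteristic of the spam runs described, is what carries the weight:

```conf
# local.cf fragment -- constructed example, not part of the original post.
# Rule names, patterns and scores are assumptions; adjust to local traffic.

# Sender TLD check: low score on its own, since some legitimate senders use
# cheap TLDs. Extend the alternation (e.g. /\.(?:top|other)$/i) as needed.
header   LOCAL_FROM_TLD_TOP   From:addr =~ /\.top$/i
describe LOCAL_FROM_TLD_TOP   Sender address is under the .top TLD
score    LOCAL_FROM_TLD_TOP   0.5

# Text "drawn" with table/rule characters: several long runs of -, =, +, |
# or _. Scored low on its own so that a legitimate ASCII table alone does
# not tip a message over the spam threshold.
body     LOCAL_ASCII_TABLE    /(?:[-=+|_]{10,}\s*){2,}/
describe LOCAL_ASCII_TABLE    Body contains runs of table-drawing characters
score    LOCAL_ASCII_TABLE    0.5

# The meta rule fires only when both weak signals are present and carries
# the real weight. With a default 5.0 threshold this combination alone
# contributes 0.5 + 0.5 + 4.0 = 5.0, while either signal by itself adds
# just 0.5 on top of whatever the *BL and Bayes checks score.
meta     LOCAL_TLD_TABLE_COMBO  (LOCAL_FROM_TLD_TOP && LOCAL_ASCII_TABLE)
describe LOCAL_TLD_TABLE_COMBO  Cheap-TLD sender combined with table-drawing text
score    LOCAL_TLD_TABLE_COMBO  4.0
```

After adding the fragment, run `spamassassin --lint` to catch syntax errors, then check scoring against a saved sample with `spamassassin -t < sample.eml` and confirm that a message matching only one of the two sub-rules stays well under the threshold.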
 


-----Original Message-----
From: David Jones [mailto:djo...@ena.com] 
Sent: Friday, July 7, 2017 11:15 AM
To: Charles Amstutz <charl...@infinitesys.com>; 'users@spamassassin.apache.org' 
<users@spamassassin.apache.org>
Subject: Re: Random word spams and wiki spams

On 07/07/2017 11:04 AM, Charles Amstutz wrote:
> Thank you everyone for the suggestions, I will look into it. One thing 
> I've noticed is that sometimes it takes a day for any *BL's to pick up 
> some of the spam, and by that time, the run could be done. Greylisting 
> isn't an option. It sometimes feels like always reactive vs pro-active 
> in filtering.  For example, I try to block the old runs of "Ford 
> Warranties", write a few rules, then never receive them again :)
> 
> This is a slight over exaggeration, but close.
> 

No. I completely understand.  A couple of years ago I was doing the same thing 
always reacting to new spam campaigns.  It took a lot of my time and I never 
felt like I was winning those one-day battles.

Now I have tuned my MTA (Postfix with postscreen) to reject the majority of 
junk before it ever reaches SA.  See the archives for these Postscreen weighted 
RBLs if you are running Postfix.  With about 24 RBLs including invaluement, I 
am able to be aggressive with many RBLs adding up to a block threshold of 8 in 
postscreen.

On the other side of this, you have to set up postwhite to whitelist major mail 
providers like comcast.net, aol, google, yahoo.com, etc. and let SA score them.

Now I rarely get any reports of spam getting through unless it's from a 
compromised account.  These will always be difficult to block for zero-hour 
spam campaigns from botnets.

Also, set up the KAM.cf rules and extra signatures for ClamAV from Sanesecurity. 
These often help with new spam campaigns.  I can post which signature DBs I am 
using if that would be helpful.

--
Dave
