On 10/12/2017 09:32 AM, AJ Weber wrote:
On 10/12/2017 10:07 AM, Kevin A. McGrail wrote:
On 10/12/2017 9:25 AM, AJ Weber wrote:
I'm open to new rules, plug-ins, etc. Spam volume is only getting worse, and these spammers are getting more creative.

Hi AJ,

I have to say that 3.3.0 is pretty old.  I'd look to run a newer version, invest some time into researching a few RBLs and consider adding my KAM.cf file.
OK, I'll look into the update procs.  I don't see an updated package available via yum (CentOS), but maybe I'm not looking in the right place.

I do use an RBL or two, I think "bl.mailspike.net", but I haven't figured out how to test that they're working correctly.

Thanks for the quick reply.

I have found that looking at other good configs is very helpful. Check out the Postfix and SpamAssassin settings of these projects for ideas:

https://efa-project.org/
http://www.iredmail.org/

If you run an edge mail filter server, then put as much spam-blocking logic (RBLs, DNS checks, SMTP HELO checks, FCrDNS checks, domain existence checks) as possible in the MTA configs and let SpamAssassin handle a much smaller percentage of mostly clean messages.

If you run Postfix, enable Postscreen and its RBL weighting along with postwhite to bypass major mail providers. This will allow you to combine the power of many RBLs and increase the sensitivity of all RBLs. See this mailing list's archives for many discussions on postscreen and adding the senderscore.org RBL.

Make sure you are using a local recursive DNS server and not pointing to another DNS server. Again see the mailing list archives for a lengthy discussion on this topic related to URIBL_BLOCKED.

Definitely download the KAM.cf a couple of times a day into your /etc/mail/spamassassin directory. It's a must.

Set up ClamAV with the extra UNOFFICIAL signatures.

Try to implement greylisting if possible. It can be rolled out in a slow, phased approach so that your users don't even notice the delay it causes for new senders. The benefits far outweigh the occasional delay in email. Make sure to exclude Google's mail servers from greylisting.

Add Steve Freegard's DecodeShortURLs.cf plugin by dropping the .pm and .cf file in /etc/mail/spamassassin.

https://github.com/smfreegard/DecodeShortURLs/blob/master/DecodeShortURLs.cf

Purchase a subscription to the IVM RBL feed. If you are filtering mail for more than a few mailboxes, it's very valuable and well worth the price to save you and your users from dealing with a lot of spam. See https://www.invaluement.com

Add other RBLs to SA like senderscore.org, lashback, mailspike, etc. and enable the Shortcircuit plugin in v320.pre:

# cat /etc/mail/spamassassin/lashback.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header   __RCVD_IN_LASHBACK  eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe __RCVD_IN_LASHBACK  Received is listed in Lashback ubl.unsubscore.com
tflags   __RCVD_IN_LASHBACK  net

header   RCVD_IN_LASHBACK    eval:check_rbl_sub('lashback', '127.0.0.2')
describe RCVD_IN_LASHBACK    Received is listed in Lashback ubl.unsubscore.com
score    RCVD_IN_LASHBACK    0.8
tflags   RCVD_IN_LASHBACK    net

header   RCVD_IN_LASHBACK_LASTEXT  eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe RCVD_IN_LASHBACK_LASTEXT  Last external is listed in Lashback ubl.unsubscore.com
score    RCVD_IN_LASHBACK_LASTEXT  1.2
tflags   RCVD_IN_LASHBACK_LASTEXT  net

endif

# cat /etc/mail/spamassassin/senderscore.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header   __RCVD_IN_SENDERSCORE_90_100  eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta     RCVD_IN_SENDERSCORE_90_100    SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
describe RCVD_IN_SENDERSCORE_90_100    Senderscore.org score of 90 to 100
score    RCVD_IN_SENDERSCORE_90_100    -1.2
tflags   RCVD_IN_SENDERSCORE_90_100    net

header   __RCVD_IN_SENDERSCORE_80_89   eval:check_rbl('senderscore80-lastexternal','score.senderscore.com.','^127\.0\.4\.(8[0-9])$')
meta     RCVD_IN_SENDERSCORE_80_89     SPF_PASS && __RCVD_IN_SENDERSCORE_80_89
describe RCVD_IN_SENDERSCORE_80_89     Senderscore.org score of 80 to 89
score    RCVD_IN_SENDERSCORE_80_89     -0.2
tflags   RCVD_IN_SENDERSCORE_80_89     net

header   RCVD_IN_SENDERSCORE_70_79     eval:check_rbl('senderscore70-lastexternal','score.senderscore.com.','^127\.0\.4\.(7[0-9])$')
describe RCVD_IN_SENDERSCORE_70_79     Senderscore.org score of 70 to 79
score    RCVD_IN_SENDERSCORE_70_79     0.2
tflags   RCVD_IN_SENDERSCORE_70_79     net

header   RCVD_IN_SENDERSCORE_60_69     eval:check_rbl('senderscore60-lastexternal','score.senderscore.com.','^127\.0\.4\.(6[0-9])$')
describe RCVD_IN_SENDERSCORE_60_69     Senderscore.org score of 60 to 69
score    RCVD_IN_SENDERSCORE_60_69     1.2
tflags   RCVD_IN_SENDERSCORE_60_69     net

header   RCVD_IN_SENDERSCORE_50_59     eval:check_rbl('senderscore50-lastexternal','score.senderscore.com.','^127\.0\.4\.(5[0-9])$')
describe RCVD_IN_SENDERSCORE_50_59     Senderscore.org score of 50 to 59
score    RCVD_IN_SENDERSCORE_50_59     1.8
tflags   RCVD_IN_SENDERSCORE_50_59     net

header   RCVD_IN_SENDERSCORE_30_49     eval:check_rbl('senderscore30-lastexternal','score.senderscore.com.','^127\.0\.4\.([3-4][0-9])$')
describe RCVD_IN_SENDERSCORE_30_49     Senderscore.org score of 30 to 49
score    RCVD_IN_SENDERSCORE_30_49     2.2
tflags   RCVD_IN_SENDERSCORE_30_49     net

header   RCVD_IN_SENDERSCORE_0_29      eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe RCVD_IN_SENDERSCORE_0_29      Senderscore.org score of 0 to 29
score    RCVD_IN_SENDERSCORE_0_29      2.8
tflags   RCVD_IN_SENDERSCORE_0_29      net

endif


# cat /etc/mail/spamassassin/mailspike.cf
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -2.2
score RCVD_IN_MSPIKE_H3 -1.8
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 0.8
score RCVD_IN_MSPIKE_L4 1.2
score RCVD_IN_MSPIKE_L5 1.8


# cat /etc/mail/spamassassin/shortcircuit.cf
shortcircuit ALL_TRUSTED off

shortcircuit USER_IN_WHITELIST on
priority     USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on


# grep Shortcircuit /etc/mail/spamassassin/v320.pre
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

Hope this helps. Try out these suggestions slowly with low scores and ease them up to the highest score you can while maintaining accurate results.

--
David Jones
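Added example, not from this thread or from SpamAssassin itself: a small Python script that parses the check_rbl, meta and score lines of a file like the senderscore.cf quoted above, builds the reversed-octet query name SpamAssassin would send to the zone, and scores constructed DNS answers offline, which is one way to confirm that an RBL rule set's return-code regexes and scores do what you expect before trusting them on live mail. The rule excerpt inside is copied from the message; the address 203.0.113.45 and the 127.0.4.x A records are constructed test data, and only the header/meta/score subset of SA syntax is handled.

```python
import ipaddress
import re
# Three of the seven senderscore.cf bands quoted in the message, used as parser input.
CF = r"""
header __RCVD_IN_SENDERSCORE_90_100 eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta   RCVD_IN_SENDERSCORE_90_100 SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
score  RCVD_IN_SENDERSCORE_90_100 -1.2
header RCVD_IN_SENDERSCORE_50_59 eval:check_rbl('senderscore50-lastexternal','score.senderscore.com.','^127\.0\.4\.(5[0-9])$')
score  RCVD_IN_SENDERSCORE_50_59 1.8
header RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
score  RCVD_IN_SENDERSCORE_0_29 2.8
"""

# header NAME eval:check_rbl('set', 'zone.'[, 'regex tested against the returned A record'])
HEADER_RE = re.compile(r"^header\s+(\S+)\s+eval:check_rbl\(\s*'([^']*)'\s*,\s*'([^']*)'(?:\s*,\s*'([^']*)')?\s*\)")

def parse_cf(text):
    """Parse the header/meta/score subset of SA syntax used by the RBL files above."""
    rules, metas, scores = {}, {}, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            name, _set, zone, sub = m.groups()
            rules[name] = (zone.rstrip('.'), re.compile(sub) if sub else None)
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == 'meta':
            metas[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == 'score':
            scores[parts[1]] = float(parts[2])
    return rules, metas, scores

def query_name(ip, zone):
    """The name SA asks for: octets reversed under the zone, 203.0.113.45 -> 45.113.0.203.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split('.')
    return '.'.join(reversed(octets)) + '.' + zone

def evaluate(text, answers, spf_pass=False):
    """answers maps zone -> A records standing in for the DNS reply; returns (hits, total score)."""
    rules, metas, scores = parse_cf(text)
    hits = set()
    for name, (zone, sub) in rules.items():
        if any(sub is None or sub.search(a) for a in answers.get(zone, [])):
            hits.add(name)
    flags = {'SPF_PASS': spf_pass, **dict.fromkeys(hits, True)}
    for name, expr in metas.items():  # only the 'A && B' meta form used in the file
        if all(flags.get(tok.strip(), False) for tok in expr.split('&&')):
            hits.add(name)
    return hits, round(sum(scores.get(n, 0.0) for n in hits), 2)
```

Feeding it a constructed 127.0.4.95 answer shows why the meta matters: without SPF_PASS only the hidden __RCVD_IN_SENDERSCORE_90_100 fires and nothing is scored, so a forged sender cannot collect the negative score.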
