On 10/12/2017 09:32 AM, AJ Weber wrote:
On 10/12/2017 10:07 AM, Kevin A. McGrail wrote:
On 10/12/2017 9:25 AM, AJ Weber wrote:
I'm open to new rules, plug-ins, etc. Spam volume is only getting
worse, and these spammers are getting more creative.
Hi AJ,
I have to say that 3.3.0 is pretty old. I'd look to run a newer
version, invest some time into researching a few RBLs and consider
adding my KAM.cf file.
OK, I'll look into the update procs. I don't see an updated package
available via yum (CentOS), but maybe I'm not looking in the right place.
I do use an RBL or two, I think "bl.mailspike.net", but I haven't
figured out how to test that they're working correctly.
Thanks for the quick reply.
I have found that looking at other good configs is very helpful. Check
out the Postfix and SpamAssassin settings of these projects for ideas:
https://efa-project.org/
http://www.iredmail.org/
If you run an edge mail filter server, then put as much spam-blocking
logic (RBLs, DNS checks, SMTP HELO checks, FCrDNS checks, domain
existence checks) as possible in the MTA configs and let SpamAssassin
handle a much smaller percentage of mostly clean messages.
If you run Postfix, enable Postscreen and its RBL weighting along with
postwhite to bypass major mail providers. This will allow you to
combine the power of many RBLs and increase the sensitivity of all RBLs.
See this mailing list's archives for many discussions on postscreen
and adding the senderscore.org RBL.
Make sure you are using a local recursive DNS server and not pointing to
another DNS server. Again see the mailing list archives for a lengthy
discussion on this topic related to URIBL_BLOCKED.
Definitely download the KAM.cf a couple of times a day into your
/etc/mail/spamassassin directory. It's a must.
Set up ClamAV with the extra UNOFFICIAL signatures.
Try to implement greylisting if possible. It can be rolled out in a
slow, phased approach so that your users don't even notice the delay it
causes for new senders. The benefits far outweigh the occasional delay
in email. Make sure to exclude Google's mail servers from greylisting.
Add Steve Freegard's DecodeShortURLs.cf plugin by dropping the .pm and
.cf file in /etc/mail/spamassassin.
https://github.com/smfreegard/DecodeShortURLs/blob/master/DecodeShortURLs.cf
Purchase a subscription to the IVM RBL feed. If you are filtering mail
for more than a few mailboxes, it's very valuable and well worth the
price to save you and your users from dealing with a lot of spam. See
https://www.invaluement.com
Add other RBLs to SA like senderscore.org, lashback, mailspike, etc. and
enable the Shortcircuit plugin in v320.pre:
# cat /etc/mail/spamassassin/lashback.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header __RCVD_IN_LASHBACK eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe __RCVD_IN_LASHBACK Received is listed in Lashback ubl.unsubscore.com
tflags __RCVD_IN_LASHBACK net
header RCVD_IN_LASHBACK eval:check_rbl_sub('lashback', '127.0.0.2')
describe RCVD_IN_LASHBACK Received is listed in Lashback ubl.unsubscore.com
score RCVD_IN_LASHBACK 0.8
tflags RCVD_IN_LASHBACK net
header RCVD_IN_LASHBACK_LASTEXT eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe RCVD_IN_LASHBACK_LASTEXT Last external is listed in Lashback ubl.unsubscore.com
score RCVD_IN_LASHBACK_LASTEXT 1.2
tflags RCVD_IN_LASHBACK_LASTEXT net
endif
# cat /etc/mail/spamassassin/senderscore.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header __RCVD_IN_SENDERSCORE_90_100 eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta RCVD_IN_SENDERSCORE_90_100 SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
describe RCVD_IN_SENDERSCORE_90_100 Senderscore.org score of 90 to 100
score RCVD_IN_SENDERSCORE_90_100 -1.2
tflags RCVD_IN_SENDERSCORE_90_100 net
header __RCVD_IN_SENDERSCORE_80_89 eval:check_rbl('senderscore80-lastexternal','score.senderscore.com.','^127\.0\.4\.(8[0-9])$')
meta RCVD_IN_SENDERSCORE_80_89 SPF_PASS && __RCVD_IN_SENDERSCORE_80_89
describe RCVD_IN_SENDERSCORE_80_89 Senderscore.org score of 80 to 89
score RCVD_IN_SENDERSCORE_80_89 -0.2
tflags RCVD_IN_SENDERSCORE_80_89 net
header RCVD_IN_SENDERSCORE_70_79 eval:check_rbl('senderscore70-lastexternal','score.senderscore.com.','^127\.0\.4\.(7[0-9])$')
describe RCVD_IN_SENDERSCORE_70_79 Senderscore.org score of 70 to 79
score RCVD_IN_SENDERSCORE_70_79 0.2
tflags RCVD_IN_SENDERSCORE_70_79 net
header RCVD_IN_SENDERSCORE_60_69 eval:check_rbl('senderscore60-lastexternal','score.senderscore.com.','^127\.0\.4\.(6[0-9])$')
describe RCVD_IN_SENDERSCORE_60_69 Senderscore.org score of 60 to 69
score RCVD_IN_SENDERSCORE_60_69 1.2
tflags RCVD_IN_SENDERSCORE_60_69 net
header RCVD_IN_SENDERSCORE_50_59 eval:check_rbl('senderscore50-lastexternal','score.senderscore.com.','^127\.0\.4\.(5[0-9])$')
describe RCVD_IN_SENDERSCORE_50_59 Senderscore.org score of 50 to 59
score RCVD_IN_SENDERSCORE_50_59 1.8
tflags RCVD_IN_SENDERSCORE_50_59 net
header RCVD_IN_SENDERSCORE_30_49 eval:check_rbl('senderscore30-lastexternal','score.senderscore.com.','^127\.0\.4\.([3-4][0-9])$')
describe RCVD_IN_SENDERSCORE_30_49 Senderscore.org score of 30 to 49
score RCVD_IN_SENDERSCORE_30_49 2.2
tflags RCVD_IN_SENDERSCORE_30_49 net
header RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe RCVD_IN_SENDERSCORE_0_29 Senderscore.org score of 0 to 29
score RCVD_IN_SENDERSCORE_0_29 2.8
tflags RCVD_IN_SENDERSCORE_0_29 net
endif
# cat /etc/mail/spamassassin/mailspike.cf
shortcircuit RCVD_IN_MSPIKE_H5 on
score RCVD_IN_MSPIKE_H4 -2.2
score RCVD_IN_MSPIKE_H3 -1.8
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 0.8
score RCVD_IN_MSPIKE_L4 1.2
score RCVD_IN_MSPIKE_L5 1.8
# cat /etc/mail/spamassassin/shortcircuit.cf
shortcircuit ALL_TRUSTED off
shortcircuit USER_IN_WHITELIST on
priority USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on
shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on
# grep Shortcircuit /etc/mail/spamassassin/v320.pre
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
Hope this helps. Try out these suggestions slowly with low scores and
ease them up to the highest score you can while maintaining accurate
results.
--
David Jones
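An added example (not from the thread or from SpamAssassin itself) that models what the lashback.cf and senderscore.cf rules above do, so the regex buckets and the SPF_PASS gating can be checked offline before the rules go live: it builds the reversed-octet DNSBL query name the way check_rbl does and scores a last-external IP against a constructed, fake resolver. The IPs and the DNS replies are made up (TEST-NET ranges), and the zone names and scores are the ones from the posted config.

```python
import re
import ipaddress

# SenderScore sub-tests as in senderscore.cf above: the A-record reply encodes
# the 0-100 reputation in the last octet of 127.0.4.N.
# Entries: (regex over the reply, rule name, score, requires SPF_PASS)
SENDERSCORE_RULES = [
    (r'^127\.0\.4\.(9[0-9]|100)$',  'RCVD_IN_SENDERSCORE_90_100', -1.2, True),
    (r'^127\.0\.4\.(8[0-9])$',      'RCVD_IN_SENDERSCORE_80_89',  -0.2, True),
    (r'^127\.0\.4\.(7[0-9])$',      'RCVD_IN_SENDERSCORE_70_79',   0.2, False),
    (r'^127\.0\.4\.(6[0-9])$',      'RCVD_IN_SENDERSCORE_60_69',   1.2, False),
    (r'^127\.0\.4\.(5[0-9])$',      'RCVD_IN_SENDERSCORE_50_59',   1.8, False),
    (r'^127\.0\.4\.([3-4][0-9])$',  'RCVD_IN_SENDERSCORE_30_49',   2.2, False),
    (r'^127\.0\.4\.([1-2]?[0-9])$', 'RCVD_IN_SENDERSCORE_0_29',    2.8, False),
]

def rbl_query_name(ip, zone):
    """Build the DNSBL name check_rbl queries: reversed octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split('.')  # raises on bad input
    return '.'.join(reversed(octets)) + '.' + zone.rstrip('.')

def senderscore_hit(reply):
    """First SenderScore bucket whose regex matches the reply, or None."""
    for pattern, rule, score, needs_spf in SENDERSCORE_RULES:
        if re.match(pattern, reply):
            return rule, score, needs_spf
    return None

# Constructed, offline stand-in for DNS: name -> A record; missing = NXDOMAIN.
FAKE_DNS = {
    '7.100.51.198.score.senderscore.com': '127.0.4.93',   # good reputation
    '9.113.0.203.ubl.unsubscore.com':     '127.0.0.2',    # listed in Lashback
    '9.113.0.203.score.senderscore.com':  '127.0.4.12',   # poor reputation
}

def score_last_external(ip, spf_pass, resolve=FAKE_DNS.get):
    """Apply the lashback.cf and senderscore.cf rules to one last-external IP."""
    hits, total = [], 0.0
    # lashback: check_rbl_sub('lashback','127.0.0.2') plus the -lastexternal rule
    if resolve(rbl_query_name(ip, 'ubl.unsubscore.com.')) == '127.0.0.2':
        hits += ['RCVD_IN_LASHBACK', 'RCVD_IN_LASHBACK_LASTEXT']
        total += 0.8 + 1.2
    reply = resolve(rbl_query_name(ip, 'score.senderscore.com.'))
    hit = senderscore_hit(reply) if reply else None
    # the two negative-score buckets are metas gated on SPF_PASS in the config
    if hit and (spf_pass or not hit[2]):
        hits.append(hit[0])
        total += hit[1]
    return hits, round(total, 2)
```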