Koozali.org: home of the SME Server

block spam by subject?

Offline compdoc

block spam by subject?
« on: May 27, 2012, 06:23:42 PM »
I'm getting emails with the following subject lines. Surely, there is a way to block these based on the drug names?


Subject:   Brand*Xanax%make}

Subject:   Brand*Valium$get}

Subject:   Like(Xanax$fine}

Subject:   Brand^Hydrocodone+get}


Offline compdoc

Re: block spam by subject?
« Reply #1 on: May 30, 2012, 02:58:42 AM »
Figured it out. I can block by words in the subject line, or in both the subject line and body of the email. Upper and lower case is ignored.

Create a file:

/etc/mail/spamassassin/drug-subjects.cf

In the file, use the following rules to match words in both subject line and email body:

body MY_CIALIS_RULE /cialis/i
body MY_HYDROCODONE_RULE /hydrocodone/i

score MY_CIALIS_RULE 10
score MY_HYDROCODONE_RULE 10


Then type the command:

signal-event email-update


After a few hours, you can check that your rules are being used with the command:

cat /var/log/spamd/current | grep MY_


You can adjust the score up or down to suit. Scores can range from 0.1 to 50 or more, however anything higher than 20 makes little sense.

If you want to check only the subject line (and ignore words in the body), use the following rules instead:

header MY_CIALIS_RULE  Subject =~ /cialis/i
header MY_HYDROCODONE_RULE  Subject =~ /hydrocodone/i

score MY_CIALIS_RULE 10
score MY_HYDROCODONE_RULE 10
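
A substring pattern such as /cialis/i also matches inside ordinary words ("specialist"), which matters at a score of 10. The following added example (not part of the original post; gen_rules and subject_hits are hypothetical helper names) generates Subject-only rules with \b word boundaries and dry-runs both matching styles with grep against two subjects from the thread and two constructed benign ones.

```shell
#!/bin/sh
# Added example: Subject-only rules with word boundaries, plus a dry run of
# the same words against sample subjects before deploying them.
# gen_rules and subject_hits are hypothetical helper names.

WORDS="xanax valium hydrocodone cialis"

# Emit a header rule and a score line per word. \b keeps "cialis" from
# matching inside ordinary words such as "specialist".
gen_rules() {
    score=$1; shift
    for w in "$@"; do
        name="MY_$(printf '%s' "$w" | tr '[:lower:]' '[:upper:]')_RULE"
        printf 'header %s  Subject =~ /\\b%s\\b/i\n' "$name" "$w"
        printf 'score %s %s\n' "$name" "$score"
    done
}

# Print the words that hit a subject. Mode "substring" behaves like /word/i,
# mode "word" like /\bword\b/i (grep -w matches whole words only).
subject_hits() {
    mode=$1; subject=$2; shift 2
    hits=""
    for w in "$@"; do
        if [ "$mode" = word ]; then opt=-qiwF; else opt=-qiF; fi
        if printf '%s\n' "$subject" | grep "$opt" -- "$w"; then
            hits="$hits$w "
        fi
    done
    printf '%s\n' "${hits% }"
}

# First two subjects are from the thread; the last two are constructed.
for s in 'Brand*Xanax%make}' 'Brand^Hydrocodone+get}' \
         'Ask a specialist today' 'Socialism reading group'; do
    printf '%-26s substring=[%s] word=[%s]\n' "$s" \
        "$(subject_hits substring "$s" $WORDS)" "$(subject_hits word "$s" $WORDS)"
done

gen_rules 10 $WORDS   # paste into drug-subjects.cf once the dry run looks right
```

Running spamassassin --lint on the server reports syntax errors in the rule files before signal-event email-update is issued.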


Offline Stefano

Re: block spam by subject?
« Reply #2 on: May 30, 2012, 10:13:34 AM »
you are trying to empty an ocean with a teaspoon..

please, post the output of

Code:
config show qpsmtpd

and give us more info about your setup (server and gateway, etc.)

Thank you

Offline compdoc

Re: block spam by subject?
« Reply #3 on: May 30, 2012, 02:26:36 PM »
No, it's all good. The existing rules do not seem to search for words embedded in a string. Or at least they are not scoring the words high enough.

DNSBL and RHSBL are not helpful with these few annoying emails. But I've got them blocked now.
« Last Edit: May 30, 2012, 02:29:24 PM by compdoc »

Offline Stefano

Re: block spam by subject?
« Reply #4 on: May 30, 2012, 02:29:44 PM »
Quote:
DNSBL and RHSBL aren't helpful with these few annoying emails.

I disagree, but if you are comfortable with your setup..

"ubi maior, minor cessat"

Offline compdoc

Re: block spam by subject?
« Reply #5 on: June 08, 2013, 09:29:29 PM »
Quote:
you are trying to empty an ocean with a teaspoon..

You were sure right about that. The amount of spam that was making it through spamassassin for both myself and a customer has been an ongoing problem. But lately, it was getting out of hand. There is no way to screen enough words or phrases to block it all.

I enable Bayes to store a local database of scores, and once it learns enough ham/spam scores it does a pretty good job of judging spam. The problem is, SME's spamassassin seems to be ignoring Bayes. The highest Bayes score of BAYES_99 (meaning near 100% certainty) was having no effect on the total score.  But not only Bayes hits were being ignored...

I decided to take the last 30 spam messages that made it to my mailbox, and see what hits spamassassin assigned to them. These were the most common:

Code:
BAYES_40
BAYES_50
BAYES_60
BAYES_80
BAYES_95
BAYES_99
DCC_CHECK
DEAR_SOMETHING
DIET_1
DIGEST_MULTIPLE
DKIM_ADSP_NXDOMAIN
DKIM_SIGNED
FB_GET_MEDS
FREEMAIL_FROM
HTML_EXTRA_CLOSE
HTML_IMAGE_ONLY_08
HTML_IMAGE_RATIO_04
HTML_IMAGE_RATIO_06
HTML_MESSAGE
HTML_SHORT_LINK_IMG_1
LOTS_OF_MONEY
MIME_HTML_ONLY
MIME_HTML_ONLY_MULTI
MPART_ALT_DIFF
PYZOR_CHECK
RAZOR2_CF_RANGE_51_100
RAZOR2_CF_RANGE_E8_51_100
RAZOR2_CHECK
RCVD_ILLEGAL_IP
RCVD_IN_BL_SPAMCOP_NET
RCVD_IN_SORBS_WEB
SPF_FAIL
SPF_NEUTRAL
SPF_PASS
SPF_SOFTFAIL
SUBJ_YOUR_FAMILY
SUBJECT_NEEDS_ENCODING
T_DKIM_INVALID
T_FRT_CONTACT
URIBL_BLOCKED
URIBL_DBL_REDIR
URIBL_DBL_SPAM
URIBL_JP_SURBL

All the spam had multiple hits from the list above and yet still made it to my inbox. Then a few days ago I found a discussion online that mentioned adjusting the scores for some of these hits, which led me to the solution. Spamassassin wasn't scoring these hits high enough so I needed to score them higher. I created a file named:

/etc/e-smith/templates-custom/etc/mail/spamassassin/minimum.cf

Not all of the hits in the list above are clear indicators of spam, so after researching I only placed the following in the file minimum.cf:

Code:
# minimum.cf

score BAYES_99 5
score BAYES_95 4
score BAYES_80 3
score BAYES_60 2

score DIET_1 2
score DCC_CHECK 3
score PYZOR_CHECK 3
score RAZOR2_CHECK 3
score RAZOR2_CF_RANGE_51_100 2
score RAZOR2_CF_RANGE_E8_51_100 2

score RCVD_IN_BL_SPAMCOP_NET 5
score RCVD_IN_SORBS_WEB 5
score URIBL_BLOCKED 5
score URIBL_BLACK 5
score URIBL_DBL_SPAM 5
score URIBL_WS_SURBL 5
score URIBL_JP_SURBL 5

Then the following commands:

Code:

$ expand-template /etc/mail/spamassassin/minimum.cf
$ signal-event email-update


And presto chango! - no more spam in my inbox.

Of course, if you don't enable Bayes or DCC as I have done, then setting their scores higher won't be useful to you. However, if you examine the spamassassin hits in your own received spam, you can customize minimum.cf to suit your own needs.
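
One way to examine the hits across a folder of saved spam, as an added example that is not part of the original post: it assumes each file is a single message carrying SpamAssassin's standard X-Spam-Status header with its tests= list, and tally_tests and make_samples are hypothetical helper names. The sample messages are constructed.

```shell
#!/bin/sh
# Added example: count how often each SpamAssassin test fired across saved spam.
# Assumes every file is one message carrying the standard X-Spam-Status header.
# tally_tests and make_samples are hypothetical helper names.

tally_tests() {
    awk '
        FNR == 1          { inhdr = 1; grab = 0 }        # new message file
        inhdr && /^$/     { inhdr = 0 }                  # blank line ends headers
        !inhdr            { next }                       # never read the body
        /^X-Spam-Status:/ { grab = 1; hdr[FILENAME] = $0; next }
        grab && /^[ \t]/  { hdr[FILENAME] = hdr[FILENAME] $0; next }  # folded line
                          { grab = 0 }
        END {
            for (f in hdr) {
                s = hdr[f]
                gsub(/,[ \t]+/, ",", s)                  # undo folds inside the list
                if (!match(s, /tests=[^ \t]+/)) continue
                n = split(substr(s, RSTART + 6, RLENGTH - 6), t, ",")
                for (i = 1; i <= n; i++)
                    if (t[i] != "" && t[i] != "none") hits[t[i]]++
            }
            for (r in hits) print hits[r], r
        }' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample messages (not taken from the thread).
make_samples() {
    printf 'Subject: a\nX-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n\tRAZOR2_CHECK autolearn=no\n\nbody tests=FAKE_RULE\n' > "$1/1.eml"
    printf 'X-Spam-Status: No, score=2.4 required=5.0 tests=BAYES_99,PYZOR_CHECK\nSubject: b\n\nhi\n' > "$1/2.eml"
    printf 'Subject: c\nX-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no\n\nhi\n' > "$1/3.eml"
}

dir=$(mktemp -d)
make_samples "$dir"
tally_tests "$dir"/*.eml      # one "count RULE_NAME" line per test, most frequent first
rm -rf "$dir"
```

Rules that appear on most missed spam but rarely on legitimate mail are the candidates for a score override; running the same tally over a folder of ham shows which ones to leave alone.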