Hi
I feel your pain! I'm getting +10K e-mails attempting to get delivered on my server.
See this:
[root@andorinha new]# ~/SpamCount.sh
Days of logfiles to scan [1]:
1 smeoptimizer 0.004998%
6 dmarc 0.029988%
40 earlytalker 0.19992%
101 badmailfrom 0.504798%
130 naughty 0.64974%
361 spamassassin 1.80428%
547 check_goodrcptto 2.73391%
618 rhsbl 3.08876%
1093 tls 5.46281%
1288 queued 6.43743%
15823 resolvable_fromhost 79.0834%
20008 Total 100%
So last week I started to create CUSTOM RULES for SpamAssassin (SA).
I found out most of my spam was being delivered to GROUPS, not users, and SA was not efficient at dealing with this.
After MUCH research I made two simple changes:
1) changed the score for some rules
2) created custom rules for SA
I'll post both of them here:
The file /etc/mail/spamassassin/jader.cf is where I created custom rules for SA.
header JADER_BOUNCEA Message-ID =~ /\@.bounce.\.com\.br/i
score JADER_BOUNCEA 6.0
describe JADER_BOUNCEA Header has ?bounce?.com.br
header JADER_BOUNCE Message-ID =~ /bounce/i
score JADER_BOUNCE 6.0
describe JADER_BOUNCE Header has bounce
header EMPTY_SUBJECT Subject =~ /^\s*$/
score EMPTY_SUBJECT 20.0
describe EMPTY_SUBJECT Empty Subject not allowed
header __LISTAS2GRUPOS_UNSUB List-Unsubscribe =~ /http\:|mailto\:/i
header __LISTAS2GRUPOS_TO To =~ /administrativo|antinsect\@|comercial|contratos|operacional|tecnico/i
meta JADER_LISTAS2GRUPOS ( __LISTAS2GRUPOS_UNSUB && __LISTAS2GRUPOS_TO )
score JADER_LISTAS2GRUPOS 8.0
describe JADER_LISTAS2GRUPOS Listas com opcao de cancelar via Unsubscribe enviadas para grupos internos
body __IMAILING /i M.a.i.l.i.n.g/
header __LISTAS2GRUPOS_TO To =~ /administrativo|antinsect|comercial|contratos|operacional|tecnico/i
meta JADER_IMAILING ( __IMAILING && __LISTAS2GRUPOS_TO )
score JADER_IMAILING 8.0
describe JADER_IMAILING Expressao iMailing com pontos e enviadas para grupos internos
The above rules have comments (sorry, in Portuguese, use Google Translator) and just apply to my server (I think!).
They block messages w/o subject or to groups of users and containing the expression List-Unsubscribe. This expression is used by most "legal" spammers.
I don't care if my users sign in for lists/mailing, but must use their own e-mail!

And the second file:
[root@andorinha new]# cat /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
# Even a SOFT FAIL on SPF marks as SPAM, one HARD FAIL reject message
score SPF_SOFTFAIL 6.000
score SPF_FAIL 14.000
# recommended Score Increases
score RATWARE_MS_HASH 0.000
score RATWARE_OUTLOOK_NONAME 0.000
score BAYES_999 3.800 3.800 3.800 3.800
score BAYES_99 1.000 1.000 1.000 1.000
score SUBJ_ILLEGAL_CHARS 1.000 1.000 1.000 1.000
score FREEMAIL_FORGED_REPLYTO 3.800 3.800 3.800 3.800
score HEADER_FROM_DIFFERENT_DOMAINS 1.000 1.000 1.000 1.000
# Score to reduce the effect of ISIPP/IADB SuretyMail whitelisting
score RCVD_IN_IADB_VOUCHED 0 -0.2 0 -0.2
score RCVD_IN_IADB_DOPTIN 0 -0.2 0 -0.2
score RCVD_IN_IADB_ML_DOPTIN 0 -0.2 0 -0.2
score RCVD_IN_IADB_DK 0 -0.2 0 -0.2
score RCVD_IN_IADB_LISTED 0 -0.2 0 -0.2
score RCVD_IN_IADB_RDNS 0 -0.2 0 -0.2
score RCVD_IN_IADB_SENDERID 0 -0.2 0 -0.2
score RCVD_IN_IADB_SPF 0 -0.2 0 -0.2
# Score to reduce the effect of DNSWL whitelisting
score RCVD_IN_DNSWL_LOW 0 -0.1 0 -0.1
score RCVD_IN_DNSWL_MED 0 -0.1 0 -0.1
score RCVD_IN_DNSWL_HI 0 -0.1 0 -0.1
score RCVD_IN_DNSWL_NONE 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H2 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H3 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H4 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H5 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_WL 0 -0.1 0 -0.1
This changes the weight of several lists in SA.
If a domain publishes an SPF record and verification FAILs, even SOFT FAIL, I add +6 to the score, and my spam filter is on 4... so it's SPAM!
Other lists that guarantee to have only opted-in mail users get a lower score (RCVD_IN*), so they do not affect my filtering.
These TWO modifications changed my problem from 100 non-identified SPAM a day to just below 10!!! A 10-fold reduction!!! WOW!!!
I hope you fix your problem.
Good luck!
Jáder
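
The matching logic of the custom rules in jader.cf above, replayed in Python over constructed sample messages so the regexes and meta combinations can be checked before a rule file is deployed. This is an added example, not part of the original post: the `evaluate` helper and the sample messages are constructed here, and it models only header/body regex matching and meta rules, not SpamAssassin itself.

```python
import re
from email import message_from_string

# Patterns and scores copied from jader.cf above; the To pattern is the second definition on the page.
HEADER = {
    "JADER_BOUNCEA": ("Message-ID", r"\@.bounce.\.com\.br", re.I),
    "JADER_BOUNCE": ("Message-ID", r"bounce", re.I),
    "EMPTY_SUBJECT": ("Subject", r"^\s*$", 0),
    "__LISTAS2GRUPOS_UNSUB": ("List-Unsubscribe", r"http\:|mailto\:", re.I),
    "__LISTAS2GRUPOS_TO": ("To", r"administrativo|antinsect|comercial|contratos|operacional|tecnico", re.I),
}
BODY = {"__IMAILING": r"i M.a.i.l.i.n.g"}
META = {
    "JADER_LISTAS2GRUPOS": ("__LISTAS2GRUPOS_UNSUB", "__LISTAS2GRUPOS_TO"),
    "JADER_IMAILING": ("__IMAILING", "__LISTAS2GRUPOS_TO"),
}
SCORES = {"JADER_BOUNCEA": 6.0, "JADER_BOUNCE": 6.0, "EMPTY_SUBJECT": 20.0,
          "JADER_LISTAS2GRUPOS": 8.0, "JADER_IMAILING": 8.0}
THRESHOLD = 4.0  # the post says the spam filter is set to 4

def evaluate(raw):
    """Return (scored rule names, total, is_spam); an absent header never matches (sketch assumption)."""
    msg = message_from_string(raw)
    hits = set()
    for name, (header, pattern, flags) in HEADER.items():
        values = msg.get_all(header)
        if values and re.search(pattern, "\n".join(values), flags):
            hits.add(name)
    body = msg.get_payload()
    hits |= {n for n, p in BODY.items() if re.search(p, body)}
    hits |= {n for n, parts in META.items() if all(p in hits for p in parts)}
    scored = sorted(h for h in hits if h in SCORES)  # "__" sub-rules carry no score
    return scored, sum(SCORES[h] for h in scored), sum(SCORES[h] for h in scored) >= THRESHOLD

# Constructed sample messages (not real mail).
NEWSLETTER = """\
From: news@sender.example
To: comercial@company.example
Subject: Weekly offers
Message-ID: <123@mail.sender.example>
List-Unsubscribe: <mailto:leave@sender.example>

Hello
"""
PERSONAL = NEWSLETTER.replace("comercial@", "maria@")
NO_SUBJECT = PERSONAL.replace("Subject: Weekly offers", "Subject: ")

if __name__ == "__main__":
    for label, raw in [("group", NEWSLETTER), ("user", PERSONAL), ("empty", NO_SUBJECT)]:
        print(label, *evaluate(raw))
```

The same list mail scores 8.0 when addressed to a group alias and 0 when addressed to an individual user, which is the behaviour the post describes. On the server itself, `spamassassin --lint` checks the syntax of the real rule files.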