Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: rmoria on September 25, 2017, 08:30:55 AM

Title: Spamassissin not doing the work
Post by: rmoria on September 25, 2017, 08:30:55 AM

Hi,

I seem to be getting a lot of spam these days. WBL blocking is on, but i stil get a mails from 'user'@'randomname'.bid / trade / stream .
I do not think something like geoip is going to help since these are not country codes.

I tried setting *.bid etc in my blacklist in horde, but that does not seem to be working (https://forums.contribs.org/index.php?topic=41528.0)
Any other suggestions will be welcome

Title: Re: Spamassissin not doing the work
Post by: ReetP on September 25, 2017, 02:19:15 PM

Quote from: rmoria on September 25, 2017, 08:30:55 AM

Hi,

I seem to be getting a lot of spam these days. WBL blocking is on, but i stil get a mails from 'user'@'randomname'.bid / trade / stream .

Make sure you have the correct format for blacklists as per the Wiki

Quote

I do not think something like geoip is going to help since these are not country codes.

Geoip only checks on the sending host, not the 'from' address. What about your blocklists ?

Check:

Code: [Select]

config show qpsmtpd
Make sure you have some blocklists enabled which may help.

Quote

I tried setting *.bid etc in my blacklist in horde, but that does not seem to be working (https://forums.contribs.org/index.php?topic=41528.0)
Any other suggestions will be welcome

Adding it to Horde only filters for THAT account whilst you are logged in to Webmail.

The other option is using procmail filtering (or Sieve). Check the Wiki for more info.

Title: Re: Spamassissin not doing the work
Post by: Jáder on September 27, 2017, 01:28:36 AM

Hi

I feel you pain! I'm getting +10K e-mail attempting to get delivered on my server.
See this:

Code: [Select]

[root@andorinha new]# ~/SpamCount.sh
Days of logfiles to scan [1]:
1 smeoptimizer 0.004998%
6 dmarc 0.029988%
40 earlytalker 0.19992%
101 badmailfrom 0.504798%
130 naughty 0.64974%
361 spamassassin 1.80428%
547 check_goodrcptto 2.73391%
618 rhsbl 3.08876%
1093 tls 5.46281%
1288 queued 6.43743%
15823 resolvable_fromhost 79.0834%
20008 Total 100%

So last week I started to create CUSTOM RULES for SpamAssassin (SA).
I find out most of my spam was being delivered to GROUPS not users and SA was not efficient dealing with this.

After MUCH research I did two simple changes:
1) change score for some rules
2) created custom rules for SA

I'll post both of them here:

file /etc/mail/spamassassin/jader.cf
is where I created custom rules for SA.

Code: [Select]

header   JADER_BOUNCEA   Message-ID =~  /\@.bounce.\.com\.br/i
score    JADER_BOUNCEA   6.0
describe JADER_BOUNCEA   Header has ?bounce?.com.br

header   JADER_BOUNCE    Message-ID =~  /bounce/i
score    JADER_BOUNCE    6.0
describe JADER_BOUNCE    Header has bounce

header   EMPTY_SUBJECT   Subject =~ /^\s*$/
score    EMPTY_SUBJECT   20.0
describe EMPTY_SUBJECT   Empty Subject not allowed

header   __LISTAS2GRUPOS_UNSUB    List-Unsubscribe =~ /http\:|mailto\:/i
header   __LISTAS2GRUPOS_TO       To =~ /administrativo|antinsect\@|comercial|contratos|operacional|tecnico/i
meta     JADER_LISTAS2GRUPOS      ( __LISTAS2GRUPOS_UNSUB && __LISTAS2GRUPOS_TO )
score    JADER_LISTAS2GRUPOS      8.0
describe JADER_LISTAS2GRUPOS      Listas com opcao de cancelar via Unsubscribe enviadas para grupos internos

body     __IMAILING                /i M.a.i.l.i.n.g/
header   __LISTAS2GRUPOS_TO        To =~ /administrativo|antinsect|comercial|contratos|operacional|tecnico/i
meta     JADER_IMAILING            ( __IMAILING && __LISTAS2GRUPOS_TO )
score    JADER_IMAILING            8.0
describe JADER_IMAILING            Expressao iMailing com pontos e  enviadas para grupos internos


The above rules has comments (sorry in Portuguese, use Google Translator) and just apply to my server (I think!).
They block messages w/o subject or to groups of users and containing the expression List-Unsubscribe . This expression is used by most of "legal" spammers.
I don't care if my users sign in for lists/mailing, but must use their own e-mail! :)

And the second file:

Code: [Select]

[root@andorinha new]# cat /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
#  Even a SOFT FAIL on SPF marks as SPAM, one HARD FAIL reject message
score SPF_SOFTFAIL 6.000
score SPF_FAIL 14.000

# recomended Score Increases
score RATWARE_MS_HASH 0.000
score RATWARE_OUTLOOK_NONAME 0.000

score BAYES_999 3.800 3.800 3.800 3.800
score BAYES_99 1.000 1.000 1.000 1.000

score SUBJ_ILLEGAL_CHARS 1.000 1.000 1.000 1.000

score FREEMAIL_FORGED_REPLYTO 3.800 3.800 3.800 3.800

score HEADER_FROM_DIFFERENT_DOMAINS 1.000 1.000 1.000 1.000

# Score to reduce the effect of ISIPP/IADB SuretyMail whitelisting
score RCVD_IN_IADB_VOUCHED   0 -0.2 0 -0.2
score RCVD_IN_IADB_DOPTIN    0 -0.2 0 -0.2
score RCVD_IN_IADB_ML_DOPTIN 0 -0.2 0 -0.2
score RCVD_IN_IADB_DK        0 -0.2 0 -0.2
score RCVD_IN_IADB_LISTED    0 -0.2 0 -0.2
score RCVD_IN_IADB_RDNS      0 -0.2 0 -0.2
score RCVD_IN_IADB_SENDERID  0 -0.2 0 -0.2
score RCVD_IN_IADB_SPF       0 -0.2 0 -0.2

# Score to reduce the effect of DNSWL whitelisting
score RCVD_IN_DNSWL_LOW  0 -0.1 0 -0.1
score RCVD_IN_DNSWL_MED  0 -0.1 0 -0.1
score RCVD_IN_DNSWL_HI   0 -0.1 0 -0.1
score RCVD_IN_DNSWL_NONE 0 -0.1 0 -0.1

score RCVD_IN_MSPIKE_H2 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H3 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H4 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_H5 0 -0.1 0 -0.1
score RCVD_IN_MSPIKE_WL 0 -0.1 0 -0.1

This change weight for several lists in SA.
IF a domain publish a SPF record and  verify FAIL, even SOFT FAIL, I add +6 on score, and my spam filter is on 4... so it's a SPAM!
Other lists who garanteed to just have opted-in mail users get a lower score (RCVD_IN*), so that do not affect my filtering.

These TWO modifications changed my problem from 100 non-identified SPAM a day to just below 10!!! A 10 fold reduction!!! WOW!!!

I hope you fix you problem.
Good luck!

Jáder

Title: Re: Spamassissin not doing the work
Post by: gwag on September 27, 2017, 04:33:37 PM

Try "*@*.bid"  it works. and if joe.biden@gmail sends you mail it wont block it.

Title: Re: Spamassissin not doing the work
Post by: gwag on September 27, 2017, 04:35:15 PM

Quote from: gwag on September 27, 2017, 04:33:37 PM

Try "*@*.bid"  it works. and if joe.biden@gmail sends you mail it wont block it.

Code: [Select]

*@*.bid
*@*.club
*@*.download
*@*.faith

Title: Re: Spamassissin not doing the work
Post by: ReetP on September 27, 2017, 06:39:28 PM

Quote from: gwag on September 27, 2017, 04:35:15 PM

Code: [Select]

*@*.bid
*@*.club
*@*.download
*@*.faith

Can you confirm that is in the blacklist panel ?

Title: Re: Spamassissin not doing the work
Post by: Stefano on September 27, 2017, 07:09:16 PM

Can you confirm also that you're using the last version?
Is your SME up to date?

Title: Re: Spamassissin not doing the work
Post by: devtay on September 27, 2017, 07:27:09 PM

I change the default scores too and it goes in cycles. It's a constant work in progress for me to beat back the spam emails. I get lazy sometimes until the users start complaining. Nice job by the way. I'm going to "borrow" some of your changes and see how they go. Thanks for sharing.

What's the chances of getting a copy of your SpamCount.sh file?

I don't like horde or the WBL that is built in so I use spamassassin to kill bad TLD's with:

Code: [Select]

db spamassassin setprop wbl.global *.bid Black
expand-template /etc/mail/spamassassin/local.cf
signal-event email-update

Quote from: Jáder on September 27, 2017, 01:28:36 AM

Code: [Select]

[root@andorinha new]# ~/SpamCount.sh
Days of logfiles to scan [1]:
1 smeoptimizer 0.004998%
6 dmarc 0.029988%
40 earlytalker 0.19992%
101 badmailfrom 0.504798%
130 naughty 0.64974%
361 spamassassin 1.80428%
547 check_goodrcptto 2.73391%
618 rhsbl 3.08876%
1093 tls 5.46281%
1288 queued 6.43743%
15823 resolvable_fromhost 79.0834%
20008 Total 100%


Title: Re: Spamassissin not doing the work
Post by: gwag on September 27, 2017, 08:28:33 PM

Quote from: ReetP on September 27, 2017, 06:39:28 PM

Can you confirm that is in the blacklist panel ?

Actually in the E-mail WBL panel
in the qmail badmailfrom I have this according to qsmtp logs i believe this is stopping it.  "uiwbi.bid         badmailfrom   901   Your envelope sender is in my badmailfrom list   msg denied before queue"

Code: [Select]

@.*\.bid$
@.*\.club$
@.*\.cricket$
@.*\.download$
@.*\.faith$
I do have this in WBL panel but I'm sure its redundant.

Code: [Select]

*@*.bid
*@*.club
*@*.download
etc...

Title: Re: Spamassissin not doing the work
Post by: rmoria on September 28, 2017, 02:25:45 PM

I made a file customspamrules.cf in /etc/mail/spamassassin

Code: [Select]

header CHECK_FROM_ADRES_FOR_BID         From =~ /\.bid/i
describe CHECK_FROM_ADRES_FOR_BID       No trust for \.bid top domain
score CHECK_FROM_ADRES_FOR_BID          10.0

header CHECK_FROM_ADRES_FOR_TRADE       From =~ /\.trade/i
describe CHECK_FROM_ADRES_FOR_TRADE     No trust for \.trade top domain
score CHECK_FROM_ADRES_FOR_TRADE        10.0

header CHECK_FROM_ADRES_FOR_STREAM      From =~ /\.stream/i
describe CHECK_FROM_ADRES_FOR_STREAM    No trust fot \.stream top domain
score CHECK_FROM_ADRES_FOR_STREAM       10.0
Mail from these domains is now tagged as spam and gets sorted in junkmail folder

Title: Re: Spamassissin not doing the work
Post by: Stefano on September 28, 2017, 02:27:15 PM

Please, take some time to answer to my question, thank you

Title: Re: Spamassissin not doing the work
Post by: rmoria on September 28, 2017, 02:29:06 PM

If it was directed at me: SME 9.2 up-to-date

Title: Re: Spamassissin not doing the work
Post by: Stefano on September 28, 2017, 02:29:59 PM

and what about smeserver-wbl?

Title: Re: Spamassissin not doing the work
Post by: rmoria on September 28, 2017, 02:35:46 PM

e-mail rbl:

dnsbl : active
DNSBL Zones (qpsmtpd RBLList)	bl.spamcop.net dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net psbl.surriel.com zen.spamhaus.org
RHSBL status: acitve
RHSBL (qpsmtpd SBLList)	multi.surbl.org black.uribl.com rhsbl.sorbs.net

Title: Re: Spamassissin not doing the work
Post by: Stefano on September 28, 2017, 02:36:50 PM

so, aren't you using smeserver-wbl contrib?

Code: [Select]

rpm -qa | grep smeserver-wbl


Title: Re: Spamassissin not doing the work
Post by: rmoria on September 28, 2017, 02:38:06 PM

smeserver-wbl-0.3.0-17.el6.sme.noarch

Title: Re: Spamassissin not doing the work
Post by: Stefano on September 28, 2017, 02:43:11 PM

ok.. you'd really use the wbl panel to block domains since the first email transaction.. using SpamAssassin will discard your email after you downloaded the email itself.

Title: Re: Spamassissin not doing the work
Post by: rmoria on September 28, 2017, 02:50:51 PM

I now have both (wbl panel and customspamrule).

Title: Re: Spamassissin not doing the work
Post by: Jáder on September 29, 2017, 01:17:25 AM

Quote from: devtay on September 27, 2017, 07:27:09 PM

What's the chances of getting a copy of your SpamCount.sh file?

I got it from wiki page and create a shell. It´s here:

[root@andorinha ~]# cat SpamCount.sh
if [ -z $DAYS ]; then DAYS=1; fi; echo -n "Days of logfiles to scan [$DAYS]: "; read NEWDAYS; if [ $NEWDAYS ]; then DAYS=$NEWDAYS; fi; awk -F"[\t]" ' /logterse/ { svc=$6; count[svc]++; count["Total"]++; }  END  { for (j in count) print count[j] "\t" j "\t" expr count[j]/count["Total"]*100"%" ; }' $(find /var/log/qpsmtpd /var/log/sqpsmtpd -ctime -$DAYS -type f) |sort -n