I am using sendmail.
> On Dec 2, 2017, at 12:33 PM, David Jones <[email protected]> wrote:
>
>> On 12/02/2017 10:39 AM, Junk wrote:
>> I implemented all of the filters you mentioned and the score went up from
>> 3.5 to 3.9 on an example spam email I was testing.
>> I will look further into more filters.
>> I see lots of spam that is formatted as image and those are not being caught.
>
> What is your MTA? If you are using Postfix then definitely enable postscreen
> plus its weighted RBLs. Then you can combine the power of multiple RBLs
> that would normally be too risky to reject on their own to make them more
> reliable.
>
> Then you can start experimenting with RBLs at
> http://multirbl.valli.org/lookup/ with low weights and slowly bump them up as
> you find ones that are helpful for your particular mail flow. Here is my
> current list:
>
> postscreen_dnsbl_sites =
>     dnsbl.sorbs.net=127.0.0.[10;14]*9
>     zen.spamhaus.org=127.0.0.[10;11]*8
>     dnsbl.sorbs.net=127.0.0.5*7
>     zen.spamhaus.org=127.0.0.[4..7]*7
>     b.barracudacentral.org=127.0.0.2*7
>     zen.spamhaus.org=127.0.0.3*7
>     dnsbl.inps.de=127.0.0.2*7
>     hostkarma.junkemailfilter.com=127.0.0.2*4
>     dnsbl.sorbs.net=127.0.0.7*4
>     bl.spamcop.net=127.0.0.2*4
>     bl.spameatingmonkey.net=127.0.0.[2;3]*4
>     dnsrbl.swinog.ch=127.0.0.3*4
>     ix.dnsbl.manitu.net=127.0.0.2*4
>     psbl.surriel.com=127.0.0.2*4
>     bl.mailspike.net=127.0.0.[10;11;12]*4
>     bl.mailspike.net=127.0.0.2*4
>     ubl.unsubscore.com=127.0.0.2*4
>     zen.spamhaus.org=127.0.0.2*3
>     dnsbl-1.uceprotect.net=127.0.0.2*2
>     dnsbl.sorbs.net=127.0.0.6*3
>     dnsbl.sorbs.net=127.0.0.9*2
>     dnsbl.sorbs.net=127.0.0.8*2
>     score.senderscore.com=127.0.4.[0..29]*2
>     hostkarma.junkemailfilter.com=127.0.0.4*2
>     all.spamrats.com=127.0.0.38*2
>     bl.nszones.com=127.0.0.[2;3]*1
>     dnsbl-2.uceprotect.net=127.0.0.2*1
>     dnsbl.sorbs.net=127.0.0.2*1
>     dnsbl.sorbs.net=127.0.0.4*1
>     score.senderscore.com=127.0.4.[30..69]*1
>     all.spamrats.com=127.0.0.38*2
>     bl.nszones.com=127.0.0.[2;3]*1
>     dnsbl-2.uceprotect.net=127.0.0.2*1
>     dnsbl.sorbs.net=127.0.0.2*1
>     dnsbl.sorbs.net=127.0.0.4*1
>     score.senderscore.com=127.0.4.[30..69]*1
>     dnsbl.sorbs.net=127.0.0.3*1
>     hostkarma.junkemailfilter.com=127.0.1.2*1
>     dnsbl.sorbs.net=127.0.0.15*1
>     ips.backscatterer.org=127.0.0.2*1
>     bl.nszones.com=127.0.0.5*-1
>     wl.mailspike.net=127.0.0.[18;19;20]*-2
>     hostkarma.junkemailfilter.com=127.0.0.1*-2
>     ips.whitelisted.org=127.0.0.2*-2
>     safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
>     list.dnswl.org=127.0.[0..255].0*-2
>     dnswl.inps.de=127.0.[0;1].[2..10]*-2
>     list.dnswl.org=127.0.[0..255].1*-3
>     list.dnswl.org=127.0.[0..255].2*-4
>     list.dnswl.org=127.0.[0..255].3*-5
>
> - Set up postwhite with Postfix to bypass major/trusted senders so you don't
> reject too much with the above RBL lists.
>
> - Enable basic DNS check in Postfix main.cf:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     ...,
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     reject_unauth_destination,
>     reject_unverified_recipient,
>     reject_unknown_reverse_client_hostname,
>     reject_unknown_sender_domain,
>     reject_unlisted_sender,
>     reject_unlisted_recipient,
>     ...,
>
> - Enable greylisting if you can. It really does work, especially helpful
> with zero-hour spammers from compromised accounts that are very difficult to
> block. It is possible to deploy it slowly so users don't notice a delay.
>
> - Enable Postfix rate limiting.
>
> - Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can use.
> OpenDMARC with some custom rules can give Spamassassin basic DMARC support.
>
> header DMARC_PASS Authentication-Results =~ /your-server-here; dmarc=pass/
> describe DMARC_PASS DMARC check passed
> score DMARC_PASS -0.01
>
> header DMARC_FAIL Authentication-Results =~ /your-server-here; dmarc=fail/
> describe DMARC_FAIL DMARC check failed
> score DMARC_FAIL 0.01
>
> header DMARC_NONE Authentication-Results =~ /your-server-here; dmarc=none/
> describe DMARC_NONE DMARC check neutral
> score DMARC_NONE 0.01
>
> header DMARC_FAIL_REJECT Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
> describe DMARC_FAIL_REJECT DMARC check failed and the sending domains says to reject this message
> score DMARC_FAIL_REJECT 8.2
>
> - Consider slightly bumping up the scores on FREEMAIL* rules since these are
> often sources of abuse.
>
> - Add DecodeShortURLs.pm and DecodeShortURLs.cf
>
> - Enable Lashback RBL in SA /etc/mail/spamassassin/lashback.cf:
>
> ifplugin Mail::SpamAssassin::Plugin::DNSEval
>
> header __RCVD_IN_LASHBACK eval:check_rbl('lashback', 'ubl.unsubscore.com.')
> describe __RCVD_IN_LASHBACK Received is listed in Lashback ubl.unsubscore.com
> tflags __RCVD_IN_LASHBACK net
>
> header RCVD_IN_LASHBACK eval:check_rbl_sub('lashback', '127.0.0.2')
> describe RCVD_IN_LASHBACK Received is listed in Lashback ubl.unsubscore.com
> score RCVD_IN_LASHBACK 1.2
> tflags RCVD_IN_LASHBACK net
>
> header RCVD_IN_LASHBACK_LASTEXT eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
> describe RCVD_IN_LASHBACK_LASTEXT Last external is listed in Lashback ubl.unsubscore.com
> score RCVD_IN_LASHBACK_LASTEXT 2.2
> tflags RCVD_IN_LASHBACK_LASTEXT net
>
> endif
>
> - Make sure that DCC, Razor, and Pyzor are installed and there are hits in
> your mail logs.
>
> - Properly train your Bayesian DB with spam first then ham second.
>
> - Have a huge list of whitelist_auth and whitelist_from_rcvd entries for
> trusted senders which allows me to bump up many scores without causing false
> positives on them.
>
>>> On Dec 1, 2017, at 5:05 PM, Kevin Miller <[email protected]> wrote:
>>>
>>> There's a number of rulesets that I use - many are mentioned here in this
>>> list and discussed so a look at the archives will probably be helpful.
>>>
>>> KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>>> Hashcash
>>> HashBL
>>> SEM - spameatingmonkey.net
>>>
>>> To mention just a few...
>>>
>>>
>>> ...Kevin
>>> --
>>> Kevin Miller
>>> Network/email Administrator, CBJ MIS Dept.
>>> 155 South Seward Street
>>> Juneau, Alaska 99801
>>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>>>
>>>
>>> -----Original Message-----
>>> From: Junk [mailto:[email protected]]
>>> Sent: Friday, December 01, 2017 1:36 PM
>>> To: Kevin Miller
>>> Cc: [email protected]
>>> Subject: RE: FIlter
>>>
>>> Do you know any additional lists that could be added in addition to:
>>> - built ones
>>> - http://wiki.junkemailfilter.com
>>> - razors
>>>
>>> I have the spam score set to above to be 100% spam as I noticed what is
>>> below 5% sometimes falls into not a spam email.
>>>
>
> --
> David Jones
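
How the weighted postscreen_dnsbl_sites entries quoted above combine into one per-client score, as an added example that is not part of any poster's message: it parses the `domain=filter*weight` syntax (including `[a;b]` and `[a..b]` octet patterns), counts each entry's weight at most once, and compares the sum with a threshold. The threshold of 8, the six-entry subset and the DNS answers passed in are assumptions constructed for illustration.

```python
import re

# Constructed subset of the postscreen_dnsbl_sites list quoted in the thread.
SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*7
b.barracudacentral.org=127.0.0.2*7 bl.spamcop.net=127.0.0.2*4
dnsbl.sorbs.net=127.0.0.6*3 list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8  # assumed postscreen_dnsbl_threshold; the thread does not give one

def parse_octet(tok):
    """'2' -> {2}; '[10;11]' -> {10, 11}; '[4..7]' -> {4, 5, 6, 7}."""
    allowed = set()
    for part in tok.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def parse_sites(text):
    """Return a list of (domain, octet_filters or None, weight)."""
    entries = []
    for item in text.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        if not m:
            raise ValueError(f"malformed entry: {item}")
        domain, pattern, weight = m.groups()
        filters = None
        if pattern:
            # Split on dots outside brackets so '[4..7]' stays one token.
            toks = re.findall(r"\[[^\]]*\]|\d+", pattern)
            if len(toks) != 4:
                raise ValueError(f"bad reply filter: {item}")
            filters = [parse_octet(t) for t in toks]
        entries.append((domain, filters, int(weight or 1)))
    return entries

def score(entries, answers):
    """Sum weights of entries matched by the DNSBL replies for one client."""
    total = 0
    for domain, filters, weight in entries:
        for ip in answers.get(domain, []):
            octets = [int(o) for o in ip.split(".")]
            if filters is None or all(o in f for o, f in zip(octets, filters)):
                total += weight
                break  # an entry's weight applies at most once
    return total

def verdict(answers, sites=SITES, threshold=THRESHOLD):
    total = score(parse_sites(sites), answers)
    return total, "reject" if total >= threshold else "pass"
```

Two low-weight listings (SpamCop 4 plus SORBS 3) stay under the assumed threshold, while a DNSWL hit subtracts enough to let a single Barracuda listing through; this is the behaviour that makes individually risky lists usable in combination.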
