Thx, I will look at it. I started with sendmail and got used to it, so I would have to read more about Postfix etc.

> On Dec 3, 2017, at 7:42 AM, David Jones <[email protected]> wrote:
>
>> On 12/02/2017 09:03 PM, Junk wrote:
>> I am using sendmail.
>
> It's pretty easy to switch from sendmail to Postfix so I highly recommend it.
> Once you see how powerful Postfix is with all of its built-in features and
> flexibility, you will be very glad you switched.
>
> Basic/high-level steps (Google for specific details on your particular OS
> version):
>
> 1. /etc/postfix/main.cf - relay_domains
> 2. /etc/postfix/transport
> 3. Integrate Spamassassin into Postfix
> 4. Run 'postmap /etc/postfix/transport' to make transport.db
> 5. Switch the MTA from sendmail to Postfix in the OS.
> 6. Stop sendmail
> 7. Start postfix
> 8. Watch your maillog
> 9. Start tuning Postfix by enabling postscreen in the master.cf then the
>    postscreen_dnsbl_sites in the main.cf. Don't forget to restart postfix.
> 10. Watch your maillog for spam being rejected and smile
>
>>>> On Dec 2, 2017, at 12:33 PM, David Jones <[email protected]> wrote:
>>>>
>>>> On 12/02/2017 10:39 AM, Junk wrote:
>>>> I implemented all of the filters you mentioned and the score went up from
>>>> 3.5 to 3.9 on an example spam email I was testing.
>>>> I will look further into more filters.
>>>> I see lots of spam that is formatted as image and those are not being
>>>> caught.
>>>
>>> What is your MTA? If you are using Postfix then definitely enable
>>> postscreen plus its weighted RBLs. Then you can combine the power of
>>> multiple RBLs that would normally be too risky to reject on their own to
>>> make them more reliable.
>>>
>>> Then you can start experimenting with RBLs at
>>> http://multirbl.valli.org/lookup/ with low weights and slowly bump them up
>>> as you find ones that are helpful for your particular mail flow. Here is my
>>> current list:
>>>
>>> postscreen_dnsbl_sites =
>>>     dnsbl.sorbs.net=127.0.0.[10;14]*9
>>>     zen.spamhaus.org=127.0.0.[10;11]*8
>>>     dnsbl.sorbs.net=127.0.0.5*7
>>>     zen.spamhaus.org=127.0.0.[4..7]*7
>>>     b.barracudacentral.org=127.0.0.2*7
>>>     zen.spamhaus.org=127.0.0.3*7
>>>     dnsbl.inps.de=127.0.0.2*7
>>>     hostkarma.junkemailfilter.com=127.0.0.2*4
>>>     dnsbl.sorbs.net=127.0.0.7*4
>>>     bl.spamcop.net=127.0.0.2*4
>>>     bl.spameatingmonkey.net=127.0.0.[2;3]*4
>>>     dnsrbl.swinog.ch=127.0.0.3*4
>>>     ix.dnsbl.manitu.net=127.0.0.2*4
>>>     psbl.surriel.com=127.0.0.2*4
>>>     bl.mailspike.net=127.0.0.[10;11;12]*4
>>>     bl.mailspike.net=127.0.0.2*4
>>>     ubl.unsubscore.com=127.0.0.2*4
>>>     zen.spamhaus.org=127.0.0.2*3
>>>     dnsbl-1.uceprotect.net=127.0.0.2*2
>>>     dnsbl.sorbs.net=127.0.0.6*3
>>>     dnsbl.sorbs.net=127.0.0.9*2
>>>     dnsbl.sorbs.net=127.0.0.8*2
>>>     score.senderscore.com=127.0.4.[0..29]*2
>>>     hostkarma.junkemailfilter.com=127.0.0.4*2
>>>     all.spamrats.com=127.0.0.38*2
>>>     bl.nszones.com=127.0.0.[2;3]*1
>>>     dnsbl-2.uceprotect.net=127.0.0.2*1
>>>     dnsbl.sorbs.net=127.0.0.2*1
>>>     dnsbl.sorbs.net=127.0.0.4*1
>>>     score.senderscore.com=127.0.4.[30..69]*1
>>>     all.spamrats.com=127.0.0.38*2
>>>     bl.nszones.com=127.0.0.[2;3]*1
>>>     dnsbl-2.uceprotect.net=127.0.0.2*1
>>>     dnsbl.sorbs.net=127.0.0.2*1
>>>     dnsbl.sorbs.net=127.0.0.4*1
>>>     score.senderscore.com=127.0.4.[30..69]*1
>>>     dnsbl.sorbs.net=127.0.0.3*1
>>>     hostkarma.junkemailfilter.com=127.0.1.2*1
>>>     dnsbl.sorbs.net=127.0.0.15*1
>>>     ips.backscatterer.org=127.0.0.2*1
>>>     bl.nszones.com=127.0.0.5*-1
>>>     wl.mailspike.net=127.0.0.[18;19;20]*-2
>>>     hostkarma.junkemailfilter.com=127.0.0.1*-2
>>>     ips.whitelisted.org=127.0.0.2*-2
>>>     safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
>>>     list.dnswl.org=127.0.[0..255].0*-2
>>>     dnswl.inps.de=127.0.[0;1].[2..10]*-2
>>>     list.dnswl.org=127.0.[0..255].1*-3
>>>     list.dnswl.org=127.0.[0..255].2*-4
>>>     list.dnswl.org=127.0.[0..255].3*-5
>>>
>>> - Set up postwhite with Postfix to bypass major/trusted senders so you don't
>>> reject too much with the above RBL lists.
>>>
>>> - Enable basic DNS check in Postfix main.cf:
>>>
>>> smtpd_recipient_restrictions =
>>>     permit_mynetworks,
>>>     ...,
>>>     permit_sasl_authenticated,
>>>     reject_non_fqdn_sender,
>>>     reject_non_fqdn_recipient,
>>>     reject_non_fqdn_hostname,
>>>     reject_invalid_hostname,
>>>     reject_unauth_destination,
>>>     reject_unverified_recipient,
>>>     reject_unknown_reverse_client_hostname,
>>>     reject_unknown_sender_domain,
>>>     reject_unlisted_sender,
>>>     reject_unlisted_recipient,
>>>     ...,
>>>
>>>
>>> - Enable greylisting if you can. It really does work, especially helpful
>>> with zero-hour spammers from compromised accounts that are very difficult
>>> to block. It is possible to deploy it slowly so users don't notice a delay.
>>>
>>> - Enable Postfix rate limiting.
>>>
>>> - Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can
>>> use. OpenDMARC with some custom rules can give Spamassassin basic DMARC
>>> support.
>>>
>>> header   DMARC_PASS Authentication-Results =~ /your-server-here; dmarc=pass/
>>> describe DMARC_PASS DMARC check passed
>>> score    DMARC_PASS -0.01
>>>
>>> header   DMARC_FAIL Authentication-Results =~ /your-server-here; dmarc=fail/
>>> describe DMARC_FAIL DMARC check failed
>>> score    DMARC_FAIL 0.01
>>>
>>> header   DMARC_NONE Authentication-Results =~ /your-server-here; dmarc=none/
>>> describe DMARC_NONE DMARC check neutral
>>> score    DMARC_NONE 0.01
>>>
>>> header   DMARC_FAIL_REJECT Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
>>> describe DMARC_FAIL_REJECT DMARC check failed and the sending domains says to reject this message
>>> score    DMARC_FAIL_REJECT 8.2
>>>
>>>
>>> - Consider slightly bumping up the scores on FREEMAIL* rules since these are
>>> often sources of abuse.
>>>
>>> - Add DecodeShortURLs.pm and DecodeShortURLs.cf
>>>
>>> - Enable Lashback RBL in SA /etc/mail/spamassassin/lashback.cf:
>>>
>>> ifplugin Mail::SpamAssassin::Plugin::DNSEval
>>>
>>> header   __RCVD_IN_LASHBACK eval:check_rbl('lashback', 'ubl.unsubscore.com.')
>>> describe __RCVD_IN_LASHBACK Received is listed in Lashback ubl.unsubscore.com
>>> tflags   __RCVD_IN_LASHBACK net
>>>
>>> header   RCVD_IN_LASHBACK eval:check_rbl_sub('lashback', '127.0.0.2')
>>> describe RCVD_IN_LASHBACK Received is listed in Lashback ubl.unsubscore.com
>>> score    RCVD_IN_LASHBACK 1.2
>>> tflags   RCVD_IN_LASHBACK net
>>>
>>> header   RCVD_IN_LASHBACK_LASTEXT eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
>>> describe RCVD_IN_LASHBACK_LASTEXT Last external is listed in Lashback ubl.unsubscore.com
>>> score    RCVD_IN_LASHBACK_LASTEXT 2.2
>>> tflags   RCVD_IN_LASHBACK_LASTEXT net
>>>
>>> endif
>>>
>>> - Make sure that DCC, Razor, and Pyzor are installed and there are hits in
>>> your mail logs.
>>>
>>> - Properly train your Bayesian DB with spam first then ham second.
>>>
>>> - Have a huge list of whitelist_auth and whitelist_from_rcvd entries for
>>> trusted senders which allows me to bump up many scores without causing
>>> false positives on them.
>>>
>>>>> On Dec 1, 2017, at 5:05 PM, Kevin Miller <[email protected]> wrote:
>>>>>
>>>>> There's a number of rulesets that I use - many are mentioned here in this
>>>>> list and discussed so a look at the archives will probably be helpful.
>>>>>
>>>>> KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>>>>> Hashcash
>>>>> HashBL
>>>>> SEM - spameatingmonkey.net
>>>>>
>>>>> To mention just a few...
>>>>>
>>>>>
>>>>> ...Kevin
>>>>> --
>>>>> Kevin Miller
>>>>> Network/email Administrator, CBJ MIS Dept.
>>>>> 155 South Seward Street
>>>>> Juneau, Alaska 99801
>>>>> Phone: (907) 586-0242, Fax: (907) 586-4588
>>>>> Registered Linux User No: 307357
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Junk [mailto:[email protected]]
>>>>> Sent: Friday, December 01, 2017 1:36 PM
>>>>> To: Kevin Miller
>>>>> Cc: [email protected]
>>>>> Subject: RE: FIlter
>>>>>
>>>>> Do you know any additional lists that could be added in addition to:
>>>>> - built ones
>>>>> - http://wiki.junkemailfilter.com
>>>>> - razors
>>>>>
>>>>> I have the spam score set to above to be 100% spam as I noticed what is
>>>>> below 5% sometimes falls into not a spam email.
>>>>>
>>>
>>> --
>>> David Jones
>
>
> --
> David Jones
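
How postscreen adds up weighted entries like those in the postscreen_dnsbl_sites list quoted above, as an added example that is not part of the original thread. It follows Postfix's documented domain=filter*weight syntax; the threshold of 8 (for postscreen_dnsbl_threshold) and the DNSBL replies for both clients are constructed assumptions.

```python
import re

# domain[=filter][*weight], the entry syntax used in postscreen_dnsbl_sites
ENTRY = re.compile(r"^(?P<site>[^=*\s]+)(?:=(?P<filt>[^*\s]+))?(?:\*(?P<w>-?\d+))?$")

def parse_entry(entry):
    """Split one entry into (site, four filter fields or None, weight)."""
    m = ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    fields = None
    if m["filt"]:
        # A field is a number or a [..] pattern; ranges contain dots, so never split on "."
        fields = re.findall(r"\[[^\]]+\]|\d+", m["filt"])
        if len(fields) != 4:
            raise ValueError(f"bad filter: {entry!r}")
    return m["site"], fields, int(m["w"] or 1)  # weight defaults to 1

def field_matches(pattern, octet):
    """Match one reply octet against a number or ';'-separated numbers/ranges."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def dnsbl_score(entries, replies):
    """Sum the weights of entries matched by replies ({site: [A records]})."""
    total = 0
    for entry in entries:
        site, fields, weight = parse_entry(entry)
        for addr in replies.get(site, []):
            octets = [int(o) for o in addr.split(".")]
            if fields is None or all(map(field_matches, fields, octets)):
                total += weight
                break  # one entry contributes its weight at most once
    return total

SITES = [  # a few entries copied from the quoted list
    "zen.spamhaus.org=127.0.0.[10;11]*8", "zen.spamhaus.org=127.0.0.[4..7]*7",
    "b.barracudacentral.org=127.0.0.2*7", "bl.spamcop.net=127.0.0.2*4",
    "list.dnswl.org=127.0.[0..255].1*-3", "list.dnswl.org=127.0.[0..255].2*-4",
]
THRESHOLD = 8  # assumed postscreen_dnsbl_threshold, not stated in the thread
# Constructed DNSBL replies for two hypothetical clients
CLIENT_A = {"zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"], "bl.spamcop.net": ["127.0.0.2"]}
CLIENT_B = {"b.barracudacentral.org": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.2"]}

if __name__ == "__main__":
    for name, replies in (("A", CLIENT_A), ("B", CLIENT_B)):
        s = dnsbl_score(SITES, replies)
        print(name, s, "reject" if s >= THRESHOLD else "pass")
```

Client B shows why the negative-weight whitelist entries matter: a single weight-7 listing is offset by the DNSWL hit and stays below the assumed threshold.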
