On 12/11/2017 01:19 PM, Junk wrote:
I wonder what, in addition to what was recommended, I could add to increase the score.
I am browsing through the archives to learn more, but if you think of
something quick I could try.
Switching to postfix is my next goal, but this requires me to rebuild my
server as I want to stage the switch and Ubuntu server is not happy to
have both MTAs installed at the same time.
I am still hitting some spam every day that scores just below 5.
Here are a few message samples.
https://ufile.io/k3dzf
How are you integrating/calling Spamassassin? Run "spamassassin -D <
file" (where file is a single email from that mbox file) as the same
user that is calling SA to see if there are any major problems. Run
"sa-update -D -vvv" and make sure you are current.
Why aren't we seeing Spamhaus, MailSpike and other RBL rule hits? Have
you disabled those rules locally? These IPs shouldn't have had a chance
to make it through even SA's default ruleset:
http://multirbl.valli.org/lookup/204.188.255.50.html
Here's how one from IP 154.16.149.120 scored on my SA platform:
Content analysis details:   (54.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 8.2 URIBL_IVMURI           listed on ivmSIP/24 found at invaluement
                            [URIs: continuedfunds.win]
 3.2 RCVD_IN_IVM24BL        RBL: No description available.
                            [154.16.149.120 listed in sip24.invaluement.com]
 3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                            [154.16.149.120 listed in zen.spamhaus.org]
 4.2 RCVD_IN_LASHBACK_LASTEXT RBL: Last external is listed in Lashback ubl.unsubscore.com
                            [154.16.149.120 listed in ubl.unsubscore.com]
 2.2 RCVD_IN_LASHBACK       RBL: Received is listed in Lashback ubl.unsubscore.com
 4.2 RCVD_IN_IVMBL          RBL: No description available.
                            [154.16.149.120 listed in sip.invaluement.com]
 5.2 RCVD_IN_SENDERSCORE_0_29 RBL: Senderscore.org score of 0 to 29
                            [154.16.149.120 listed in score.senderscore.com]
 2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                            [154.16.149.120 listed in psbl.surriel.com]
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [154.16.149.120 listed in bb.barracudacentral.org]
 1.5 RCVD_IN_HOSTKARMA_BL   RBL: Sender listed in HOSTKARMA-BLACK
                            [154.16.149.120 listed in hostkarma.junkemailfilter.com]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 5.0 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                            [URIs: continuedfunds.win]
 2.2 ENA_BODY_CONTENT4      BODY: Inappropriate content in the message body.
 2.1 TO_MALFORMED           To: has a malformed address
 0.5 KAM_NUMSUBJECT         Subject ends in numbers
 4.2 BAYES_95               BODY: Bayes spam probability is 95 to 99%
                            [score: 0.9744]
 2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 1.4 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 KAM_ASCII_DIVIDERS     Spam that uses ascii formatting tricks
 0.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
 0.0 ENA_BAD_SPAM           Spam hitting really bad rules.

Are you seeing any DCC and PYZOR hits like above?
Upgrading to SA 3.4.1 with the new TLD recognition would help. There
are a lot of TLDs in that mbox file that I don't even allow at the MTA
like .loan and .win.
A well-tuned MTA in front of SA is key to blocking this type of trivial
spam that is listed on many RBLs.
There's a number of rulesets that I use - many are mentioned here in this
list and discussed so a look at the archives will probably be helpful.
KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
Hashcash
HashBL
SEM - spameatingmonkey.net
To mention just a few...
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357
-----Original Message-----
From: Junk [mailto:j...@lexoncom.com]
Sent: Friday, December 01, 2017 1:36 PM
To: Kevin Miller
Cc: users@spamassassin.apache.org
Subject: RE: FIlter
Do you know any additional lists that could be added in addition to:
- built ones
- http://wiki.junkemailfilter.com
- razors
I have the spam score set to above to be 100% spam as I noticed what is
below 5% sometimes falls into not a spam email.
--
David Jones
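
One way to answer the "Have you disabled those rules locally?" question in the reply above, as an added example that is not part of the original thread: scan SpamAssassin configuration text for settings that switch off the network tests (RBL/URIBL, Razor, Pyzor, DCC). The function names, the RCVD_IN_/URIBL_ prefix filter and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag SpamAssassin settings that turn off network tests.
# Reads config text on stdin; prints "<line number>: <setting>" per finding.
find_disabled_net_checks() {
    awk '
        { sub(/#.*/, "") }                                   # strip comments
        $1 == "skip_rbl_checks" && $2 == "1"  { print NR ": " $0 }
        $1 == "dns_available"   && $2 == "no" { print NR ": " $0 }
        $1 ~ /^use_(razor2|pyzor|dcc)$/ && $2 == "0" { print NR ": " $0 }
        # "score RULE 0" (or four zero scores) disables a rule entirely
        $1 == "score" && NF >= 3 && $2 ~ /^(RCVD_IN_|URIBL_)/ {
            for (i = 3; i <= NF; i++) if ($i + 0 != 0) next
            print NR ": " $0
        }
    '
}

# Constructed sample config, not taken from the thread.
sample_local_cf() {
cat <<'EOF'
# constructed sample, not the poster's configuration
required_score 5.0
skip_rbl_checks 1
use_pyzor 0
use_dcc 1
score RCVD_IN_SBL_CSS 0
score URIBL_DBL_SPAM 0 0 0 0
score RCVD_IN_PSBL 0 2.7 0 2.7
score KAM_NUMSUBJECT 0   # not a network rule
EOF
}

# Demo on the sample; on a real host, feed it the site config instead, e.g.
#   cat /etc/spamassassin/*.cf | find_disabled_net_checks   (path is an assumption)
sample_local_cf | find_disabled_net_checks
```

A clean result here does not rule out the caller: spamassassin or spamd started with -L (--local) skips every network test regardless of the config files.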