On 4/23/19 12:57 AM, Brent Clark wrote:
> Good day David
>
> Looking at what you got going, I'm glad I asked this request.
> Thanks very much for sharing.
>
> Kind Regards
> Brent Clark
>
This was just an example based on my mail flow and very customized/tuned SA rules for my mail filters. I am sure that others on this list may not agree with my settings below based on different philosophies / strategies of spam filtering.

I try to find patterns to group mail into major categories then handle each category differently. For example, system-generated emails using a subdomain that aren't real human / user accounts with passwords that can be compromised are a category. By the time this category makes it past the MTA checks (postscreen, RBLs, DNS checks, TLD checks, HELO checks, etc.) then the majority of them can be safely added to whitelist_auth entries and SA doesn't need to evaluate them for content filtering. Content filtering is the hardest to do as the spammers are constantly changing the strategies / campaigns to get around content filtering. The best way to filter for content is with very good Bayes training but this usually doesn't help with zero day / hour spam from compromised accounts.

Another major category of email is certain sources of emails from large MSPs that generally do not get listed on RBLs because there are good email senders mixed in with the spammers / compromised accounts.

\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|registeredsite\.com|reflexion\.net|sparkpostmail\.com|siteground\.us|dreamhost\.com|yourhostingaccount\.com|maropost\.com|myregisteredsite\.com)

That is my current regex for "notrust" known sources of spam with legit emails mixed in. Here I maintain a private DWL of senders to trust (subtract a few points) while a set of meta rules amplify anything suspicious sent from those untrusted above. In the end, I am able to query a MySQL database to find historical scores to add to the DWL using a script so this is mostly automated.
Office 365 is another category of email that is tough to filter properly because it's so large of an MSP and regularly / frequently has compromised accounts that send spam for 30 minutes or so before Microsoft seems to shut them down. Here I wanted to set up something like greylisting to handle new senders with a delay. I am using traditional greylisting but it has to be disabled for outbound.protection.microsoft.com and google.com email servers for technical reasons. Recently I started another private DWL to handle o365 senders similarly to the "notrust" list above and so far it seems to be working out.

Hope this helps,
Dave

> On 2019/04/18 15:52, David Jones wrote:
>> On 4/18/19 1:55 AM, Brent Clark wrote:
>>> Good day Guys
>>>
>>> Would anyone be willing to share their shortcircuiting list.
>>>
>>> Currently I am just shortcircuiting CLAMAV, I'm looking to improve SA.
>>>
>>> Many thanks.
>>>
>>> Regards
>>> Brent
>>
>> shortcircuit ALL_TRUSTED off
>> shortcircuit USER_IN_WHITELIST on
>> shortcircuit USER_IN_DEF_WHITELIST on
>> shortcircuit USER_IN_BLACKLIST on
>> shortcircuit USER_IN_DKIM_WHITELIST on
>> shortcircuit USER_IN_SPF_WHITELIST on
>> shortcircuit USER_IN_DEF_DKIM_WL off
>> shortcircuit USER_IN_DEF_SPF_WL off
>> shortcircuit RCVD_IN_RP_CERTIFIED off
>> shortcircuit RCVD_IN_RP_SAFE off
>>
>> You will need to set the priority lower than the default to hit before
>> some of the entries above. Run some messages manually with
>> "spamassassin -D < email.msg" to see the priority if your shortcircuit
>> rule isn't getting hit because a lower priority shortcircuit hit first.
>>
>> I also have some outbound rules that shortcircuit unique emails like
>> those from scanner/copiers that often have missing headers like no
>> Message-ID, bad HELO, etc.
>>
>> Here's an example of a useful one that we all have problems with if we
>> are filtering outbound email:
>>
>> meta ENA_COPIER ALL_TRUSTED && (__SUBJ_COPIER || __MAILER_COPIER || __MSGID_COPIER || __MIME_COPIER || __FROM_COPIER || __RCVD_COPIER)
>> priority ENA_COPIER -500
>> describe ENA_COPIER Sent from a copier on network.
>> score ENA_COPIER -0.001
>> priority ENA_COPIER -500
>> shortcircuit ENA_COPIER ham
>> tflags ENA_COPIER noautolearn nice
>>
>> I am not publishing the details of those header rules in the meta above
>> on purpose so this rule could be exploited by a compromised account from
>> our network through our mail relays. These should be fairly obvious
>> based on their names as to what they do.
>>
>> Hope this helps,
>> --
>> David Jones
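The "notrust" source list plus private DWL plus amplifying meta rules that David describes, written out as an added example in Python rather than in SpamAssassin rule syntax. This is not part of the thread and not David's actual rules: the domain regex is the one quoted above, but the relay hostnames, sender addresses, DWL entries, rule names, score values and the two suspicion checks (which stand in for the private header rules he deliberately did not publish) are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Regex from the thread: MSP / bulk-hosting relays where legitimate senders share
# infrastructure with spammers and compromised accounts ("notrust" sources).
# The thread's pattern is unanchored; here it is anchored to the end of the rDNS
# name so that "secureserver.net.attacker.example" would not match.
NOTRUST_RE = re.compile(
    r"\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|"
    r"unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|"
    r"privateemail\.com|registrar-servers\.com|registeredsite\.com|reflexion\.net|"
    r"sparkpostmail\.com|siteground\.us|dreamhost\.com|yourhostingaccount\.com|"
    r"maropost\.com|myregisteredsite\.com)$",
    re.IGNORECASE,
)

# "from <helo> (<rdns> [<ip>])" as written by the receiving MTA.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[^\]]+)\]\)", re.I)

# Hypothetical private DWL: senders seen from notrust sources that history shows are
# clean; each entry subtracts a few points (David fills his from MySQL score history).
DWL = {"billing@trusted-customer.example": -2.0}

# Hypothetical stand-ins for the unpublished __*_ header rules.
SUSPICION_CHECKS = {
    "MISSING_MID": lambda m: m.get("Message-ID") is None,
    "URGENT_SUBJ": lambda m: re.search(r"\b(urgent|verify your account)\b",
                                       m.get("Subject", ""), re.I) is not None,
}
SCORE_NOTRUST_SOURCE = 0.5   # small nudge on its own
SCORE_SUSPICIOUS = 1.0       # each suspicious signal
SCORE_NOTRUST_AMPLIFY = 2.0  # meta-rule amplification: suspicious AND notrust


def last_external_relay(msg: Message):
    """rDNS name of the hop that handed the message to us. Only the topmost Received
    header was written by our own MTA, so it is the only one the sender cannot forge."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(received[0])
    return m.group("rdns").lower() if m else None


def score_message(raw: str):
    """Return (score, list_of_rule_hits) for one RFC 822 message string."""
    msg = message_from_string(raw)
    hits, score = [], 0.0
    relay = last_external_relay(msg)
    notrust = relay is not None and NOTRUST_RE.search(relay) is not None
    if notrust:
        hits.append("NOTRUST_SOURCE"); score += SCORE_NOTRUST_SOURCE
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in DWL:
        hits.append("DWL_SENDER"); score += DWL[sender]
    for name, check in SUSPICION_CHECKS.items():
        if not check(msg):
            continue
        hits.append(name); score += SCORE_SUSPICIOUS
        if notrust:  # the "meta" rule: suspicious signal from an untrusted source
            hits.append(f"NOTRUST_{name}"); score += SCORE_NOTRUST_AMPLIFY
    return score, hits


# Constructed sample messages (not real traffic); hostnames and addresses are made up.
MSG_NOTRUST_SUSPICIOUS = """\
Received: from mail-out.secureserver.net (mail-out.secureserver.net [192.0.2.10]) by mx.example.net with ESMTPS; Tue, 23 Apr 2019 12:00:00 +0000
From: "Accounts Team" <accounts@customer-site.example>
To: user@example.net
Subject: URGENT: verify your account now

Please click the link below.
"""
MSG_NOTRUST_DWL = """\
Received: from mail-out.secureserver.net (mail-out.secureserver.net [192.0.2.10]) by mx.example.net with ESMTPS; Tue, 23 Apr 2019 12:05:00 +0000
From: "Billing" <billing@trusted-customer.example>
To: user@example.net
Message-ID: <20190423120500.1234@trusted-customer.example>
Subject: Your April invoice

Invoice attached.
"""
MSG_OTHER_SOURCE = """\
Received: from smtp.example.org (smtp.example.org [198.51.100.5]) by mx.example.net with ESMTPS; Tue, 23 Apr 2019 12:10:00 +0000
From: "Pat" <pat@example.org>
To: user@example.net
Subject: Hello

Just checking in.
"""

if __name__ == "__main__":
    for raw in (MSG_NOTRUST_SUSPICIOUS, MSG_NOTRUST_DWL, MSG_OTHER_SOURCE):
        print(score_message(raw))
```

The point of the structure is that a suspicious signal alone is a modest hit, while the same signal from a notrust relay is amplified and a DWL entry pulls a known-good sender back down, which is what David's meta rules do in SA. Note that the name tested against the regex is the rDNS your own MTA recorded in the topmost Received header, not the HELO string, since only that header is outside the sender's control.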