OS is an old Debian 3.1/Sarge
SpamAssassin version 3.2.3
running on Perl version 5.8.4
MTA is qmail, from qmailrocks
qmail-scanner 2.01 tweaked with q-s-2.01st-20070204.patch
Also using ClamAV
Qmail, qmail-scanner, clamav and Spamassassin are all running, mail is being filtered, all
is good. SA is running as a daemon and Q-S is calling SA in fast mode. I have SA set to
flag anything over 4.0 as spam. Q-S is set to silently delete anything 5.5 and above on
sight.
I'm using sa-update to pull rulesets weekly. My set list is:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_obfu.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
I only wanted really solid rules that don't misfire. sa-update seems to run fine, and I
have files in /var/lib/spamassassin that seem to indicate I have all those rules.
spamassassin --lint reports no problems. I _do_ get a lot less spam than before.
And yet, sometimes the spam that makes it through is startlingly obvious. Lots of
expletives about male anatomy and the like, in plaintext mails. I turned on the
X-Spam-Report header to see how things were going. A typical flagged "anatomical
enlargement" spam might show:
X-Spam-Status: Yes, hits=4.4 required=4.0
X-Spam-Level: ++++
X-Spam-Report: SA TESTS
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
[cf: 100]
0.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[201.240.244.254 listed in dnsbl.sorbs.net]
1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?201.240.244.254>]
0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: ecamn.com]
Another spam (variant of the exact same body text) that didn't get flagged
shows:
X-Spam-Status: No, hits=2.5 required=4.0
X-Spam-Level: ++
X-Spam-Report: SA TESTS
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
[cf: 100]
0.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: ecamn.com]
0.1 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary
Neither one is picking up on any of the content of the message body; they're just firing
on the headers and transmission info.
I could post the body text here, but I don't want THIS message to trip spam filters. In
any case, I think I have something misconfigured, because it seems like these spams ought
to be caught. Am I not using the proper rulesets for this sort of thing, or do I have
something hosed up?
Are the rulesets here:
http://www.koders.com/noncode/fidBB2367C919EFE21595CF39216741049B8CF03958.aspx
http://www.koders.com/noncode/fid2FDA2298EF0A572237595868731E4FA234A59A55.aspx
production rulesets? If so, how would one "subscribe" to them? They seemed to have some
good ideas in them.
Thanks in advance for any advice.
--
Chris 'Xenon' Hanson, omo sanza lettere Xenon AlphaPixel.com
PixelSense Landsat processing now available! http://www.alphapixel.com/demos/
"There is no Truth. There is only Perception. To Perceive is to Exist." - Xen
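Added example, not code from the post or from the SpamAssassin project: a small Python parser for the two X-Spam-Report blocks quoted above. It checks the displayed per-rule scores against the hits= value (they are rounded to one decimal, so the sum can be off slightly), separates points from rules SpamAssassin tags as BODY: from header/RBL/URI points, and lists the rules that differ between the flagged and missed copies. The sample text is the post's own reports embedded inline as constructed input.

```python
import re
# Constructed inline sample: the two X-Spam-Report blocks quoted in the post
FLAGGED = """X-Spam-Status: Yes, hits=4.4 required=4.0
X-Spam-Report: SA TESTS
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
[cf: 100]
0.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.1 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
0.6 URIBL_SBL Contains an URL listed in the SBL blocklist"""
MISSED = """X-Spam-Status: No, hits=2.5 required=4.0
X-Spam-Report: SA TESTS
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
0.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
0.1 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary"""
STATUS_RE = re.compile(r"hits=(-?\d+\.\d+)\s+required=(-?\d+\.\d+)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return (hits, required, {rule: (score, description)}) for one report."""
    hits, required, rules = None, None, {}
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            hits, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:  # "[cf: 100]"-style continuation lines do not match and are skipped
            rules[m.group(2)] = (float(m.group(1)), m.group(3))
    return hits, required, rules

def score_summary(text):
    """Sum of displayed (one-decimal, rounded) scores and the BODY: share;
    rounding means the sum can differ from hits= by up to ~0.05 per rule."""
    hits, required, rules = parse_report(text)
    body = round(sum(s for s, d in rules.values() if d.startswith("BODY:")), 1)
    total = round(sum(s for s, _ in rules.values()), 1)
    return {"hits": hits, "required": required, "total": total, "body": body,
            "rounding_ok": abs(total - hits) <= 0.05 * len(rules) + 1e-9}

def rules_only_in(first, second):
    """Rules (with score) that fired in the first report but not the second."""
    a, b = parse_report(first)[2], parse_report(second)[2]
    return {r: a[r][0] for r in a if r not in b}
```

For the flagged copy the displayed scores add up to 4.3 against hits=4.4, which is rounding rather than a missing rule; the 1.9 points that decided the verdict came entirely from the two RBL rules that did not fire on the missed copy.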