>> On 08.06.15 23:03, Michael B Allen wrote:
>> So I have had SA running for about 2 days on a very small site with a
>> handful of users. I've been running the default config just to see how
>> well it would do by itself. Unfortunately quite a lot of spam is
>> getting through. So far 40 of 142 spams have passed.
>>
>> So my question is, what is the best way to improve things? Are there
>> any particular must-have plugins? What is the one thing I can do to a
>> default install that is going to give me the biggest return on
>> invested effort?
> network checks like razor/pyzor/dcc (they all require third-party programs)
> TextCat (if you and your users are able to set up ok_languages)

+1 on the razor/pyzor/dcc, but they can be challenging to get working. TextCat is good and easy to enable.

Some of the best and easiest things you can enable to block spam are outside of SpamAssassin, at your MTA (sendmail, postfix, etc.).

- Enable RBLs and DBLs. zen.spamhaus.org is the best way to block the majority of junk before it reaches SA. Just make sure you are below their free threshold limit. One important way to do this is to make sure your SA server isn't pointed to an Internet caching DNS server that would join your queries with others. Install a local caching DNS server that does not forward to another caching DNS server and change /etc/resolv.conf to use 127.0.0.1.

  Look in this list's archives for other RBLs and DBLs that have been recently recommended. My most effective RBL is sip.invaluement.com based on my logs. This is a subscription-based RBL that is reasonably priced and worth every penny.

  My top hit counts from last week from the dnsblcount.pl script (using postscreen, so the numbers are most likely skewed based on ordering and thresholds being met with multiple RBL hits):

    sip.invaluement.com     1323365
    b.barracudacentral.org   464976
    zen.spamhaus.org         243244
    sip24.invaluement.com    238086
    dbl.spamhaus.org          72507

- Enable DNS checks:
  Make sure the sending mail server's SMTP HELO is a valid domain.
  Make sure the sender address (MAIL FROM) is a valid domain.
  Make sure the sending mail server has a PTR record. Some can go farther with this one and require the PTR to match the SMTP HELO for FCrDNS, but there are many legit mail servers out there that don't have this set up properly, so I can only check to make sure a PTR record exists. Later in SA I add points for rule RDNS_NONE, which penalizes for incorrect FCrDNS.

- Enable greylisting. This is just about the only way you can block zero-hour spam from compromised accounts that come from legit mail servers before they get listed in RBLs. I use SQLgrey with Postfix and was able to ease it in slowly with its feature called discrimination mode.

- Block the newer TLDs until you need to allow them. Spammers are registering the new TLDs like ".link" and ".click" and then sending spam from them. There was a recent thread in this mailing list talking about how to get a list of them.

- Block TLDs that often contain nothing but spam. Not everyone can do this, but in my environment I am able to block .br, .hu, .ro, .ru, .tw, .vn, etc. I have a small whitelist built over time that I allow trusted IPs to bypass this check, but most of the time this is email from infected PCs that are members of a botnet sending from all over the world with these country codes.

Inside SA, add the KAM.cf rules (Google for it) and update them a couple of times each day. These rules are a must!

I also have added the CRM114 and BOGOFILTER plugins, which are similar to BAYES but don't require the manual training. These are fairly difficult to install but provide a good complement to BAYES scoring and actually help automatically train my BAYES database.

Set up ClamAV and add the UNOFFICIAL SIGS.
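Added example, not part of the original thread: a Postfix main.cf excerpt that wires up the MTA-side checks recommended above (postscreen DNSBLs, HELO/MAIL FROM/PTR checks, DBL lookups, sender-TLD blocking with a trusted-client bypass, SQLgrey greylisting). The map file paths, the DNSBL weights and threshold, the SQLgrey listener address and the access-map contents are assumptions; the invaluement name is the public one quoted in the post, not a subscriber zone.

```conf
# /etc/postfix/main.cf (constructed excerpt; paths, weights and the
# SQLgrey address below are assumptions, not values from the post)

# Prerequisite outside Postfix: /etc/resolv.conf points at a local,
# non-forwarding caching resolver (127.0.0.1) so DNSBL queries are not
# pooled with other users' queries at a shared cache.

# postscreen: score DNSBL hits at connect time, reject at the threshold.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    sip.invaluement.com*3
    b.barracudacentral.org*2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

# smtpd: HELO / sender / reverse-DNS sanity, DBL, TLD policy, greylisting.
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    # HELO must be a syntactically valid fully qualified domain
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    # MAIL FROM domain must be an FQDN that resolves (A or MX)
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    # client IP must have a PTR record; FCrDNS is left to SA's RDNS_NONE
    reject_unknown_reverse_client_hostname
    # domain blocklist on sender and HELO (return-code filter avoids
    # false hits when an IP literal is looked up in the DBL)
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
    # trusted client IPs (OK in the map) skip the TLD policy and greylisting
    check_client_access hash:/etc/postfix/client_whitelist
    # sender-domain TLD policy
    check_sender_access hash:/etc/postfix/sender_tld_access
    # greylisting via SQLgrey's policy daemon (default listener assumed)
    check_policy_service inet:127.0.0.1:2501
    permit

# /etc/postfix/sender_tld_access (then: postmap /etc/postfix/sender_tld_access)
# With the default parent_domain_matches_subdomains (which includes
# smtpd_access_maps) a bare TLD key matches every domain under it.
#   ru      REJECT Sender TLD not accepted here
#   click   REJECT Sender TLD not accepted here
#   link    REJECT Sender TLD not accepted here
```

Order matters: the whitelist entry is deliberately placed after the HELO/PTR checks so that trusted clients still have to pass those, and any reject before the policy service keeps greylisting from delaying mail that would be refused anyway.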