Re: clamav-unofficial-sigs not helping in a spam flood

Thu, 24 Mar 2016 11:52:34 -0700 


Am 24.03.2016 um 19:45 schrieb Yves Goergen:

The Bayes filter has never worked for me, but I can't train it either.
This is a multi-user server and I can't put every single message I get
manually into some script to teach it. It's not practical. And while
Thunderbird has a Junk toolbar button it doesn't report back to the
server. So that's not usable.



nonsense - site-wide bayes for several servers, some hundret users and 
shared with another company with their own users here



nobody enforces a per-user bayes, but if you complain about bad spam 
scanning and not capable or willing to setup bayes i can't take you serious



how do you imagine to have a filter working in time and proper without 
knowing your mailflow



your response sounds like "i don't want to invest any time but expect 
perfect working things"



Switching from Exim to Postfix with all the configuration that hangs at
it is way too much work. It's probably easier to switch from Linux+Exim
to Windows with a complete mail solution that includes a working spam
filter out of the box.



so live with the results or search something doing the ame RBL scoring 
for exim



I have the impression that the often-recommended sanesecurity data which
is included in clamav-unofficial-sigs doesn't help at all. I can't see
any difference between before and after its installation.



looks like nobody including you knows your setup, sanesceurity sigs 
surely blocks a large amount of spam even in our setup where postfix / 
spamassassin kill most crap long before the last ressort SA



Am 24.03.2016 um 18:50 schrieb Yves Goergen:

I'm getting more and more spam every day and SpamAssassin can't handle
it. Most of it looks very similar but it isn't filtered out.

I've set up clamav-unofficial-sigs recently by installing the Ubuntu
package. My MTA is configured so that anything detected by clamav is
declared a virus and rejected immediately. I also get a report of
virus-rejected mails. But it doesn't catch a single message. Maybe one
out of a hundred in a week.

How can I verify that the clamav-unofficial-sigs package is set up
properly? Or is it not useful in these situations with today's spam?


a well trained SA (bayes) and custom body/subject rules kill most to all
spam - in fact a proper setup is using many RBL balcklists with scoring
and combined DNSWL also socred and so most unk don't make it to the
smtpd daemin


What other solutions are there to improve the detection rate of
SpamAssassin? My current spam-to-useful ratio in some mailboxes is
somewhere around 10:1. That's close to the point of abandoning e-mail
and reverting to telephone and snailmail. The rate of spam phone calls
is a lot lower, and that's not considering the filter.


train your bayes proper


Examples of the subjects from the recent days:

     FW: Order RF#391032
     Document2
     FW: Payment Receipt
     Sixt Invoice: 6502444876 from 24.03.2016
     Attached document(s)
     FW: Payment Details - [223434]
     Image9876411149045.pdf
     Voicemail from 07730881627 <07730881627> 00:00:24
     FW: Order Status #022412
     FW: Payment #092161
     FW: Confirmation #388194


train your bayes and write scored subject rules


All of the messages have attachments, but I can't block all attachments
completely.

Does grey-listing still work today? Is there an easy way to enable it in
either SpamAssassin or Exim? I don't want to fiddle around with
databases and such for days in a running system


get rid auf exim, with postfix and the config below 99% of all junk
don't make it to a smtpd process at all, a large part hangs up after 10
seconds and is killed by "postscreen_greet_wait" and the rest hits
enough dnsbl to get a score of 8 while backed with enough whitelists

postscreen_dnsbl_ttl = 90s
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:11}s
postscreen_dnsbl_sites =
    dnsbl.sorbs.net=127.0.0.10*9
    dnsbl.sorbs.net=127.0.0.14*9
    zen.spamhaus.org=127.0.0.[10;11]*8
    dnsbl.sorbs.net=127.0.0.5*7
    zen.spamhaus.org=127.0.0.[4..7]*7
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    zen.spamhaus.org=127.0.0.3*6
    dnsbl.sorbs.net=127.0.0.7*4
    hostkarma.junkemailfilter.com=127.0.0.2*4
    bl.spamcop.net=127.0.0.2*4
    bl.spameatingmonkey.net=127.0.0.[2;3]*4
    dnsrbl.swinog.ch=127.0.0.3*4
    ix.dnsbl.manitu.net=127.0.0.2*4
    psbl.surriel.com=127.0.0.2*4
    bl.mailspike.net=127.0.0.[10;11;12]*4
    bl.mailspike.net=127.0.0.2*4
    zen.spamhaus.org=127.0.0.2*3
    dnsbl.sorbs.net=127.0.0.6*3
    dnsbl.sorbs.net=127.0.0.8*2
    hostkarma.junkemailfilter.com=127.0.0.4*2
    score.senderscore.com=127.0.4.[0..20]*2
    dnsbl.sorbs.net=127.0.0.9*2
    bl.spamcannibal.org=127.0.0.2*2
    dnsbl-1.uceprotect.net=127.0.0.2*2
    score.senderscore.com=127.0.4.[0..69]*2
    all.spamrats.com=127.0.0.38*2
    dnsbl-2.uceprotect.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.2*1
    dnsbl.sorbs.net=127.0.0.4*1
    dnsbl.sorbs.net=127.0.0.3*1
    bl.nszones.com=127.0.0.[2;3]*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    ips.backscatterer.org=127.0.0.2*1
    bl.nszones.com=127.0.0.5*-1
    score.senderscore.com=127.0.4.[90..100]*-1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-2
    ips.whitelisted.org=127.0.0.2*-2
    list.dnswl.org=127.0.[0..255].0*-2
    dnswl.inps.de=127.0.[0;1].[2..10]*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5





Attachment:
signature.asc

Description: OpenPGP digital signature






















					Reply via email to