
Re: SpamAssassin now used to filter BTS Mail



On Wed, Oct 16, 2002 at 11:15:04AM -0500, Branden Robinson wrote:
> On Tue, Oct 15, 2002 at 11:18:31PM -0700, Ian Zimmerman wrote:
> > 
> > Sean> even the famous Nigerian spams did not get a yes.  I think they
> > Sean> rated 4.8 and the limit was set to 5.  I am not a spam assassin
> > Sean> guru so I did not quite grok the two headers.  How many
> > Sean> asterisks is too many?
> > 
> > 4 is the most you'll see, because 5 means a hit and the mail won't
> > show up.
> 
> Let us please lower the threshold for the mailing lists to 4.0 or even
> 3.0.

not a good idea.  it's easy for legitimate mail to get a score of 3 or
4.  or even 8 or 9.

it's better to maintain a list of additional checks for spamassassin
which result in the score being increased.

i have about 1800 lines worth of local spamassassin rules (generated
from thousands of spam phrases, porn phrases, nigerian scams, spammer
domains, ip addresses seen in URLs etc) which increase the score of many
spams to over 30.  i run spamassassin with a threshold of 10 (rather
than the default of 5) and it still blocks most spam.  i discard
anything that scores over 20, and quarantine everything between 10 & 20
- every few days i review the quarantined spam and update my rules.

e.g. rules like:

header  LOCAL_HEADER_CHECKS_110 ALL =~ /\n(?:Reply-To|CC|To|From|Sender|X-Envelope-Sender|Message-Id|Return-Path):.*@(?:.{0,30}\.)?(?:z-offer\.com|zebra\.hypa\.net|zendersex\.com|zenthen\.com|zeosinfotech\.com|zephers\.com|zero-debt\.net|zero-spc-mail\.com|zhoster\.com|ziagold\.net|zinamedia\.com|zingittravel\.com|ziptracker\.net|zj\.cn|zkk\.com|zoa\.to|zonehosts\.net|zoomerang\.com|zooph\.com|zpj\.it|zzimplus\.com|zzn\.com|zzptt\.fj\.cn)\b/i
describe    LOCAL_HEADER_CHECKS_110 LOCAL HEADER CHECKS 110
score   LOCAL_HEADER_CHECKS_110 5.0

and

rawbody LOCAL_BODY_DOMAINS_167 /\b(?:yourwebsite(?:\.|=2e)com|youwinit(?:\.|=2e)com|youwinit(?:\.|=2e)net|z-offer(?:\.|=2e)com|zebra(?:\.|=2e)hypa(?:\.|=2e)net|zendersex(?:\.|=2e)com|zenthen(?:\.|=2e)com|zeosinfotech(?:\.|=2e)com|zephers(?:\.|=2e)com|zero-debt(?:\.|=2e)net|zero-spc-mail(?:\.|=2e)com|zhoster(?:\.|=2e)com|ziagold(?:\.|=2e)net|zinamedia(?:\.|=2e)com|zingittravel(?:\.|=2e)com|ziptracker(?:\.|=2e)net|zj(?:\.|=2e)cn|zkk(?:\.|=2e)com|zoa(?:\.|=2e)to|zonehosts(?:\.|=2e)net|zoomerang(?:\.|=2e)com|zooph(?:\.|=2e)com|zpj(?:\.|=2e)it)/i
describe    LOCAL_BODY_DOMAINS_167  LOCAL BODY DOMAINS 167
score   LOCAL_BODY_DOMAINS_167  5.0




i used to be on the anti-spam team for murphy (many of the smartlist
procmail anti-spam rules on murphy were written by me), but stopped
working regularly on it ages ago when it became evident that there was
no will within debian to do anything about the spam problem.  if anyone
wants a copy of my rules (or the scripts and source files which generate
the rules) for use with debian lists, i'll make them available.



btw, it's also important to block spam at the SMTP level, when certain
domains or regexp patterns appear in the SMTP envelope (e.g. reject mail
when the client says "HELO knownspammerdomain.com").  qmail is
completely inadequate for doing this, but there's a reluctance for
replacing it with postfix because changing the list server is a
complicated job.  one short-term solution to this problem is to use a
postfix server as an MX relay in front of the qmail list server running
anti-spam rules and content-filters (such as amavis with spamassassin
and clamav).  this postfix relay shouldn't handle the lists itself, it
should just filter incoming mail for spam *before* it gets to the qmail
box - change the MX records for *.debian.org to point to the postfix box
and block direct incoming smtp to all other debian machines from
anywhere but other debian machines.

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
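
Added example, not part of the message above and not the author's own scripts: a small generator that turns a domain list into a header/rawbody rule pair shaped like the two rules quoted in the message. The sample domains, the chunk number and all function names are assumptions made for this illustration; list entries are validated so that a bad entry cannot inject regex syntax into the generated rule.

```python
import re

# Address headers checked by the LOCAL_HEADER_CHECKS rule quoted in the message.
HEADERS = ("Reply-To", "CC", "To", "From", "Sender",
           "X-Envelope-Sender", "Message-Id", "Return-Path")
# Accept plain host names only, so a list entry cannot inject regex syntax.
DOMAIN_OK = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def clean(domains):
    """Normalise, de-duplicate and validate the domain list."""
    out = sorted({d.strip().lower() for d in domains if d.strip()})
    bad = [d for d in out if not DOMAIN_OK.match(d)]
    if bad:
        raise ValueError("not a plain domain name: %r" % bad)
    return out


def header_pattern(domains):
    """Listed domain, or a subdomain of it, after '@' in an address header."""
    alts = "|".join(d.replace(".", r"\.") for d in clean(domains))
    return r"\n(?:%s):.*@(?:.{0,30}\.)?(?:%s)\b" % ("|".join(HEADERS), alts)


def body_pattern(domains):
    """Listed domain in the raw body; '=2e' is a quoted-printable dot."""
    alts = "|".join(d.replace(".", r"(?:\.|=2e)") for d in clean(domains))
    return r"\b(?:%s)" % alts


def emit_rules(domains, n, score=5.0):
    """Return the header and rawbody rule stanzas for chunk number n."""
    h, b = "LOCAL_HEADER_CHECKS_%d" % n, "LOCAL_BODY_DOMAINS_%d" % n
    return "\n".join([
        "header   %s ALL =~ /%s/i" % (h, header_pattern(domains)),
        "describe %s LOCAL HEADER CHECKS %d" % (h, n),
        "score    %s %.1f" % (h, score),
        "",
        "rawbody  %s /%s/i" % (b, body_pattern(domains)),
        "describe %s LOCAL BODY DOMAINS %d" % (b, n),
        "score    %s %.1f" % (b, score),
    ])


# Constructed sample list (reserved example names, not real spam sources).
SAMPLE = ["offers-example.invalid", "bulk.example.net"]

if __name__ == "__main__":
    print(emit_rules(SAMPLE, 1))
```

Running `spamassassin --lint` over the generated file before deploying it catches syntax errors in the rules.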


