Friday, March 12, 2010

Everything about SpamAssassin and spam!

SkyHi @ Friday, March 12, 2010
Contrary to popular belief, spam is easy to combat. All it takes is a well configured SpamAssassin running on the server. Unfortunately, "well configured" is a loose term in this context, because the right configuration is completely different for every domain and server.

One such example is the average person who blocks emails that contain the word "viagra", but an actual medical doctor may use that word rather regularly.

So here is how to make SpamAssassin block 99% of spam:


STEP 1 - Raise score for Realtime Blackhole lists (RBL)

The default scores for RBLs are set too low. For example, if an email is listed by SORBS, there is no reason to give it a score of only 2. Based on my tests over a two-year period, RBLs are very safe to use. There are some issues with SpamCop, but those always resolve after a few days.

Edit your "/etc/mail/spamassassin/local.cf" and add:

Code:
# Raise RBL scores
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SBL 5
score RCVD_BY_IP 2
score DNS_FROM_AHBL_RHSBL 3
score URIBL_WS_SURBL 3
score RCVD_IN_SORBS_WEB 3
score RCVD_IN_SORBS_SMTP 3
score URIBL_OB_SURBL 5
score RCVD_IN_NJABL_DUL 4
score RCVD_IN_XBL 5
score RCVD_IN_SORBS_DUL 3
score URIBL_SBL 5
score URIBL_JP_SURBL 4

STEP 2 - Raise score for BAYES

The default scores for BAYES are set to the lowest possible. These scores are automatically generated by a special script used by the SpamAssassin developers, which derives each score from the behaviour of all the rules together. Unfortunately the scores for the high-probability buckets are too low: a 90% probability is definite spam, so there is no reason its score should be 2.

Edit your "/etc/mail/spamassassin/local.cf" and add:

Code:
# Raise bayes scores
score BAYES_80 3.5
score BAYES_95 4.5
score BAYES_99 5.0

STEP 3 - S.A. Rules Emporium (SARE)

There is a special team of commandos who track daily spam. These guys have sat down and written rules that target specific strings within spam. One such trick is to scan for the telephone numbers and addresses used in spam: they don't need to look for "viagra" in all its different variations, instead they look for the phone number or address of the guy selling it. As a result, their rules allow a doctor to receive emails with "viagra" in them while blocking spam at the same time.

These guys go even further, they have rules for:
- Rules to detect commonly abused redirectors and uri obfuscation techniques.
- Addresses and phone numbers harvested from spam
- Bayes poison using lists of words with equal length
- HTML coding rules that detect various spammer tricks applied through HTML coding within messages
- Header rules that are not found in other SARE rulesets.
- Rule set which flags specific spam and/or spam from specific spammers
- SARE Adult rules are designed to catch spam with "Adult" material.
- SARE "BML" rules are designed to catch "business, marketing and educational" spam.
- SARE Fraud rules are designed to catch "Nigerian 419", "International Lotto", etc. type scams.
- LOADS OF OTHERS...

Their website is at: http://www.rulesemporium.com/

Below are the safest rule sets, which can be used everywhere. Just go to your "/etc/mail/spamassassin/" directory and run the following commands from the shell. That's all you need to do; they are automatically included when SA scans that directory.

Code:
wget http://www.rulesemporium.com/rules/70_sare_evilnum0.cf
wget http://www.rulesemporium.com/rules/70_sare_evilnum1.cf
wget http://www.rulesemporium.com/rules/70_sare_header0.cf
wget http://www.rulesemporium.com/rules/70_sare_html0.cf
wget http://www.rulesemporium.com/rules/70_sare_oem.cf
wget http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf

STEP 4 - Final step

Finally, make sure your required score is still set to the default 5 because all the above rules expect that it hasn't been changed.

Code:
required_score 5.0

Once you've run your system with the above and you are comfortable with the results, you may automatically delete spam with a score of 8 or more. The safest way is to create a filter rule in cPanel (Mail -> Email Filtering):

Code:
Select "Any header" that "contains" the string "X-Spam-Level: ********" (without quotes)

The result is this:

$message_headers contains "X-Spam-Level: ********"
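To see how the score overrides from Steps 1 and 2 feed into the threshold and the cPanel filter of Step 4, here is an added Python example (not code from the original post) that parses `score` and `required_score` lines in the local.cf format, totals the rules a message hit, renders X-Spam-Level as one asterisk per whole point, and applies the "contains" rule. The stock scores used as the no-override baseline are assumed values for illustration, not SpamAssassin's real defaults.

```python
import re

# Constructed excerpt of the local.cf overrides from the steps above (values copied from the page).
LOCAL_CF = """\
# Raise RBL scores
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SORBS_WEB 3
# Raise bayes scores
score BAYES_99 5.0
required_score 5.0
"""

# Assumed stock scores for the same rules, used only to show the effect of the overrides.
STOCK_SCORES = {"RCVD_IN_BL_SPAMCOP_NET": 2.0, "RCVD_IN_SORBS_WEB": 2.0, "BAYES_99": 3.5}

SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")
REQUIRED_RE = re.compile(r"^required_score\s+(-?\d+(?:\.\d+)?)\s*$")


def parse_local_cf(text):
    """Return ({rule: score}, required_score) from 'score' and 'required_score' lines."""
    overrides, required = {}, 5.0              # 5.0 is SpamAssassin's default threshold
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and surrounding whitespace
        if m := SCORE_RE.match(line):
            overrides[m.group(1)] = float(m.group(2))
        elif m := REQUIRED_RE.match(line):
            required = float(m.group(1))
    return overrides, required


def spam_level_header(score):
    """Render X-Spam-Level the way SpamAssassin does: one '*' per whole point, capped at 50."""
    return "X-Spam-Level: " + "*" * min(50, max(0, int(score)))


def cpanel_filter_matches(headers, stars=8):
    """The 'Any header contains' rule from Step 4: eight stars also match nine, ten, and so on."""
    return ("X-Spam-Level: " + "*" * stars) in headers


def evaluate(hit_rules, local_cf=LOCAL_CF, stock=STOCK_SCORES):
    """Score a message that hit the given rules and report the threshold and filter outcomes."""
    overrides, required = parse_local_cf(local_cf)
    score = sum(overrides.get(r, stock.get(r, 0.0)) for r in hit_rules)
    header = spam_level_header(score)
    return {"score": score, "is_spam": score >= required,
            "header": header, "auto_delete": cpanel_filter_matches(header)}
```

Note that a score of 7.9 renders as seven asterisks, so the filter only fires from 8.0 upwards, which is exactly the "8 or more" the text describes.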
Top Server Tips by thisisit3



REFERENCE
http://www.jaguarpc.com/forums/showthread.php?t=17227