Old 04-17-2007, 01:28 AM   #1
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
Everything about SpamAssassin and spam!

Contrary to popular belief, spam is easy to combat. All it takes is a well configured SpamAssassin running on the server. Unfortunately the definition of "well configured" is very loosely defined in this context, as it's completely different for every domain/server.

One such example is the average person who blocks emails that contain the word "viagra", but an actual medical doctor may use that word rather regularly.

So here is how to make SpamAssassin block 99% of spam:


STEP 1 - Raise score for Realtime Blackhole lists (RBL)

The default scores for RBLs are set too low. For example, if an email is marked as spam by SORBS then there is no reason giving it a score of 2. Based on my tests over a two year period RBLs are very safe to use. There are some issues with SpamCop but those always resolve after a few days.

Edit your "/etc/mail/spamassassin/local.cf" and add:

Code:
# Raise RBL scores
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SBL 5
score RCVD_BY_IP 2
score DNS_FROM_AHBL_RHSBL 3
score URIBL_WS_SURBL 3
score RCVD_IN_SORBS_WEB 3
score RCVD_IN_SORBS_SMTP 3
score URIBL_OB_SURBL 5
score RCVD_IN_NJABL_DUL 4
score RCVD_IN_XBL 5
score RCVD_IN_SORBS_DUL 3
score URIBL_SBL 5
score URIBL_JP_SURBL 4

STEP 2 - Raise score for BAYES

The default scores for BAYES are set to the lowest possible. These scores are automatically generated by a special script used by the developers of SpamAssassin, and it generates the score based on all the rules. Unfortunately the high probability scores are too low; for example, a 90% probability is a definite spam, so there is no reason why its score should be 2.

Edit your "/etc/mail/spamassassin/local.cf" and add:

Code:
# Raise bayes scores
score BAYES_80 3.5
score BAYES_95 4.5
score BAYES_99 5.0

STEP 3 - S.A. Rules Emporium (SARE)

There is a special team of commandos who track daily spam. These guys have sat down and written rules that target specific strings within spam. One such trick is to scan for telephones and addresses used in spam, thus they don't need to look for "viagra" in all its different variations; instead they look for the phone or address of the guy selling them. As a result, their rules allow a doctor to get emails with "viagra" in them, while blocking spam at the same time.

These guys go even further, they have rules for:
- Rules to detect commonly abused redirectors and uri obfuscation techniques.
- Addresses and phone numbers harvested from spam
- Bayes poison using lists of words with equal length
- HTML coding rules that detect various spammer tricks applied through HTML coding within messages
- Header rules that are not found in other SARE rulesets.
- Rule set which flags specific spam and/or spam from specific spammers
- SARE Adult rules are designed to catch spam with "Adult" material.
- SARE "BML" rules are designed to catch "business, marketing and educational" spam.
- SARE Fraud rules are designed to catch "Nigerian 419", "International Lotto", etc. type scams.
- LOADS OF OTHERS...

Their website is at: http://www.rulesemporium.com/

Below are the safest rule sets which can be used everywhere. Just go to your "/etc/mail/spamassassin/" directory and run the following commands from the shell; that's all you need to do, they are automatically included when SA scans that directory.

Code:
wget http://www.rulesemporium.com/rules/70_sare_evilnum0.cf
wget http://www.rulesemporium.com/rules/70_sare_evilnum1.cf
wget http://www.rulesemporium.com/rules/70_sare_header0.cf
wget http://www.rulesemporium.com/rules/70_sare_html0.cf
wget http://www.rulesemporium.com/rules/70_sare_oem.cf
wget http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf

STEP 4 - Final step

Finally, make sure your required score is still set to the default 5 because all the above rules expect that it hasn't been changed.

Code:
required_score 5.0

Once you've run your system with the above and you are comfortable with the results, you may automatically delete spam with a score of 8 or more. The safest way is to create a filter rule in cPanel (Mail -> Email Filtering):

Code:
Select "Any header" that "contains" the string "X-Spam-Level: ********" (without quotes)

The result is this:

$message_headers contains "X-Spam-Level: ********"
Old 04-17-2007, 06:50 AM   #2
R45
JPC Senior Member
Join Date: Mar 2002
Location: Trinidad and Tobago
Posts: 75
Those settings are going to lead to a lot of false matches. The RBL settings aren't bad (though still quite high), but your BAYES settings are going to lead to a ton of wrong catches over time. BAYES is not dependable and should never be able to make a complete match. The beauty of the score system is making sure positive matches aren't arbitrarily done by making sure a combination of tests must be matched. High settings like that just aren't practical for a production setup.
__________________
Adam Alkins
[website]

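A worked illustration of the scoring in post #1 and of R45's single-rule concern in post #2, added here and not part of the thread: it parses the local.cf override lines, flags rules that reach required_score on their own, rescores a constructed X-Spam-Status header under the overrides, and checks the eight-star X-Spam-Level filter. The DEFAULTS table and the STATUS header are constructed for the example and are not real SpamAssassin values.

```python
import re

# Constructed local.cf fragment (overrides taken from post #1 of the thread).
LOCAL_CF = """required_score 5.0
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_XBL 5
score URIBL_SBL 5
score BAYES_80 3.5
score BAYES_95 4.5
score BAYES_99 5.0
"""

# Assumed stock scores for the same rules: illustrative numbers, not real SA defaults.
DEFAULTS = {"RCVD_IN_BL_SPAMCOP_NET": 1.3, "RCVD_IN_XBL": 2.5, "URIBL_SBL": 1.5,
            "BAYES_80": 2.0, "BAYES_95": 3.0, "BAYES_99": 3.5, "HTML_MESSAGE": 0.001}

# Constructed X-Spam-Status header as SA would write it with the stock scores.
STATUS = "No, score=3.5 required=5.0 tests=BAYES_99,HTML_MESSAGE autolearn=no"

def parse_local_cf(text):
    """Return (required_score, {rule: score}) from 'score RULE N' / 'required_score N' lines."""
    required, scores = 5.0, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and whitespace
        if m := re.match(r"score\s+(\S+)\s+(-?[\d.]+)$", line):
            scores[m.group(1)] = float(m.group(2))
        elif m := re.match(r"required_score\s+(-?[\d.]+)$", line):
            required = float(m.group(1))
    return required, scores

def single_rule_hits(required, scores):
    """Rules that reach required_score alone: the false-positive risk R45 points at."""
    return sorted(r for r, s in scores.items() if s >= required)

def hit_tests(spam_status):
    """Rule names from the tests= field of an X-Spam-Status header."""
    m = re.search(r"tests=([A-Z0-9_,]+)", spam_status)
    return m.group(1).split(",") if m else []

def rescore(tests, overrides):
    """Total score for the hit rules, using overrides where present, else DEFAULTS."""
    return sum(overrides.get(t, DEFAULTS.get(t, 0.0)) for t in tests)

def spam_level(score):
    """X-Spam-Level: one '*' per whole point of score (SA caps the header at 50)."""
    return "*" * min(50, max(0, int(score)))

def matches_delete_filter(headers, stars=8):
    """cPanel 'contains' filter: eight stars match any level of 8 or more."""
    return ("X-Spam-Level: " + "*" * stars) in headers
```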
Old 04-17-2007, 06:54 AM   #3
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
I disagree. The default BAYES settings are useless, they raise the score by a few points which doesn't really do anything in practice.

All my servers rely on BAYES to make complete matches (BAYES_99 is 5 points) and it works perfectly. I've monitored emails for 6 months and found 0 (zero!) false positives.

Based on discussions in the SA mailing list, many developers agree with me, that the default is set too low, but they require that defaults are low.
Old 04-17-2007, 07:00 AM   #4
R45
JPC Senior Member
Join Date: Mar 2002
Location: Trinidad and Tobago
Posts: 75
BAYES is not foolproof. You'll have to manually maintain the database to get absolutely accurate matches. It's AI, and by its nature it will get dirty over time. The thing is, it's much better to start with lower settings and adjust upwards when you detect how spam is evading SA, besides the fact that you'll be missing countless numbers of real emails.

I'm sorry but I can't believe you get 0 false positives over 6 months with those settings, unless you don't use much email.
__________________
Adam Alkins
[website]
Old 04-17-2007, 07:42 AM   #5
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
The BAYES database here works 100% perfectly. I've let it collect spam on its own (auto learn, which is enabled by default) and then set all the above settings. I then tracked for 6 months all emails marked with BAYES_80 or above (without deleting anything).

During that time, I never got a single false positive; all highly marked BAYES emails were real spam.

It doesn't get "dirty" over time, even when spammers use poison words, because SA automatically cleans the learned data over time.

I've got a high volume of emails and some of my domains are very weird, from newspapers to law offices. Their emails are very important and their business depends on them. I've been very careful while doing the above operation and that's why it took me 6 months to complete.

My findings show that SA version 3.x has a much better bayes engine than 2.x versions. In addition, the default auto learn feature works rather well and never had any problems with it learning false positives. Even with the above scores, there are a few (but very few) spam emails that get through, some of those are the new kind that use a JPEG image as their content.
Old 04-27-2007, 08:20 PM   #6
Connie
Old Hillbilly
Join Date: Sep 2001
Location: Hills of Missouri
Posts: 2,639
I don't have
Quote:
/etc/mail/spamassassin/local.cf
I have /etc/mail/ "cdl-s.com" and "yourdomain.com".

This site is on a shared server and I don't have the spam box enabled if that makes a difference.

Not sure how to proceed based on your instructions?
__________________

Forum Moderators - Jag Staff

Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
Organize your Kitchen or purchase Kitchen Accessories at Condells
Ihelpyou Forum - Dedicated to "Best Practices" SEO
Old 04-27-2007, 09:05 PM   #7
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
The above steps are for VPS or Dedicated systems, not for shared servers (where you don't have root access to modify files under /etc/).

For a shared server you can follow all the above steps EXCEPT step 3. Just ignore the file "/etc/mail/spamassassin/local.cf" mentioned above and instead follow the steps by editing the file "/home/<yourusernamehere>/.spamassassin/user_prefs".

For example, if your ssh login name is "connie" then edit: /home/connie/.spamassassin/user_prefs

Everything else is pretty much the same. In case you are wondering why you can't follow STEP 3, that's because shared "spamd" won't load custom rule sets from users' home dirs for security reasons. For example, if one such rule is a bad regular expression, it could take down the server.
Old 04-28-2007, 04:07 AM   #8
Connie
Old Hillbilly
Join Date: Sep 2001
Location: Hills of Missouri
Posts: 2,639
OK, found it. Thanks. Being the dummy that I am, I proceed with caution. Are you saying to just copy and paste the above rules (except #3 on a shared server) into the user_prefs file?

I already have SA set to a score of 4, and to automatically delete spam. Will that make a difference in regard to the rules you posted?
Old 04-28-2007, 08:04 AM   #9
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
Yes, just copy/paste them in your user_prefs file.

You mean you have "required_score" set to 4? I'd suggest you reset it back to 5, since the above rules are already "hard" enough. You can just run it as 5 for a test period and see.
Old 04-28-2007, 12:52 PM   #10
Connie
Old Hillbilly
Join Date: Sep 2001
Location: Hills of Missouri
Posts: 2,639
OK, I'll give it a try.
Old 04-28-2007, 07:12 PM   #11
Vin DSL
Yeah, I know a LOT!
Join Date: Mar 2003
Location: Arizona Uplands Intelligence Quotient: 138+
Posts: 10,384
Heh!

This should be good!
__________________
DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

No Guts, No Story! VinDSL © 2010
Old 05-21-2007, 12:01 PM   #12
Connie
Old Hillbilly
Join Date: Sep 2001
Location: Hills of Missouri
Posts: 2,639
Everything is working great, thisisit3. Thanks!
Old 05-21-2007, 12:19 PM   #13
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
No problem, I'm glad it works.
Old 10-10-2009, 12:26 AM   #14
thetar
JPC Member
Join Date: Sep 2009
Posts: 6
I have been using these settings for a little bit now and there has been some spam that gets through unmarked that Gmail (my server email POP3s into my Gmail account) was able to tell was spam and moved to the spam folder, but the server never marked it.

Are there any changes that you have made since your post, or any other rules out there that could help reduce spam even more?

Not complaining, as these work well, but they could always be tweaked...
Old 10-13-2009, 07:16 AM   #15
thisisit3
Jag Veteran
Join Date: Mar 2007
Posts: 602
It's possible that Exim or SA will not mark an email because of one or more of several reasons, for example:

1) email is bigger (in KB) than X amount, as set from your cPanel settings

2) email comes from a trusted source as set from your cPanel settings

3) Exim is set so that when the spamd daemons are either full or dead, it passes/forwards emails unscanned.

I solved (3) by editing my /etc/exim.conf and changed the "warn" to "deny" in the spamassassin condition.

Also, if your SA daemons (spamd) die or are full, then that also requires investigation, for example: not enough memory, etc.