Welcome to the JaguarPC Community

This is a discussion on I've been struggling with SPAM in the You've got Mail forum

  1. #1
    Ron
    Ron is offline
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312

    I've been struggling with SPAM

    I've been struggling with SPAM on one account, about 200 messages a day.

    At one point CPanel was able to delete SPAM with SA scores above a certain amount. Then that went away. Then it came back.

    At one point CPanel was unable to bounce messages based on any user requirement. Now it can.

    I was getting almost 200 SPAMs a day on this one account. Last night I went to CPanel and saw that it had both account level filtering and user level filtering available. I also saw the rules I had put into place at some point in the past that didn't show up in CP's X3 skin. Now they do.

    Looking at the rules, there was a converted rule that had been designed in the past to delete SPAMs with an SA score > 20. It used the Spam-Bar header and if it contained 20 consecutive asterisks ("*") it deleted the mail. At some point however, the spam bar was changed from asterisks to plus signs ("+") (to differentiate positive SA scores from negative SA scores, which are represented by minus signs ("-")).

    Some time ago, I had attempted to add a rule for 20 plus signs and it was now there. I decided to lower the requirement to 10. This eliminated about 1/2 of the SPAM, give or take. Looking at the remaining SPAMs, many had the following line:
    Code:
    -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, high trust
    It appears that dnswl is fairly compromised at this point, at least from looking at my account.

    So I added the following line into my
    /home/(account)/.spamassassin/user_prefs file:
    Code:
    score RCVD_IN_DNSWL_HI -0.0
    I also noticed that yet again very many of the SPAMs still slipping through had negative AWL scores. That AWL just never seems to work really well. Maybe they should have named the thing "Auto averaging and totally confusing ineffective List"

    Anyway, while I was in the .spamassassin directory, I took the opportunity to delete the AWL (auto-whitelist) file. It will be automagically recreated as needed.

    We shall see.
    Good luck

  2. #2
    Ron
    I was getting about 200 spams a day, I made changes Wednesday afternoon. I get the majority of the spams during business hours, Eastern Time, on weekends I see fewer.

    Thursday I got 67.

    Friday I got 61.

    31 so far today.

    I guess this means that by changing/adding a filter to discard mails with an SA score >=10 and making the change to disregard DNSWL high trust, I reduced spam received by 2/3. Not bad! Still getting 67 a day, but it's a start. It looks like I'll catch a bunch more if I lower the score to 9, but I'll wait until next week to fully inspect the remaining headers for patterns, especially since I also deleted the old AWL file.

    Changed my mind. Decided to run sa-learn today so I can see the results from that on Monday.

    I had created a "Spamm" folder using Squirrel mail to hold all the spam that got through since Thursday, so I ran sa-learn like this:

    Code:
    bash$ /usr/bin/sa-learn --spam /home/(JPCaccountName)/mail/(domain)/(mailbox)/.Spamm/cur
    netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
    netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
    netset: cannot include 69.73.128.0/18 as it has already been included
    Learned tokens from 155 message(s) (155 message(s) examined)
    bash$
    We'll see!
    Last edited by JPC-Zachary; 03-21-2012 at 12:34 PM.
    Good luck

  3. #3
    Ron
    Here's an update. I've received 58 spams today, just about on pace with what I received on the last weekday.

    Out of the 58 spams reaching my inbox:
    18 scored between 9 and 9.9.
    8 between 8.0 and 8.9
    12 between 7.0 and 7.9
    12 between 5.0 and 6.9
    8 were between 0.3 and 4.9

    Hams received were ALL negative, ranging in scores from -2.7 to -10.6.
    Not a single SPAM received was negative, with the lowest scores being 0.3, 1.3, 1.5, 1.8, 2.6, 3.5, 4.0, 4.0.
    All others were above 5.0.

    During my analysis, about halfway through I started tracking some Bayes scores along with the total score. I discovered that many SPAMs with scores in the 7 to 9.9 range were tagged with bayes probability scores of 80% and up.

    I've made the following additional changes. I have raised the SA scores for Bayes probability > 80% by 2 points each, and lowered the filter's required score for deletion to 9. I continue to move the SPAMs to the Spamm folder I created and then run the sa-learn function against them.

    I've reduced the score necessary for the filter to discard spams from 10 to 9 through CPanel.

    I've changed the scores for Bayes as follows:
    Code:
    score BAYES_80  5.5
    score BAYES_95  6.5
    score BAYES_99  7.0
    In addition I already had the previous custom Bayes scores:
    Code:
    score BAYES_00 -5.0
    score BAYES_05 -3.0
    score BAYES_20 -2.0
    Analysis shows this should lower the number of spams reaching my account to 30 to 40 per day from the original 200.

    We'll see!

    PS Thanks to Vin DSL for suggesting the sa-learn route a couple of years ago. I searched for that to see what he was doing when I started this approach last week.
    Good luck
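
The tuning steps in posts #1 and #3 (zeroing `RCVD_IN_DNSWL_HI`, raising the three high Bayes rules, discarding at a Spam-Bar of 9) can be checked against saved report lines before they go live. This is an added example, not code from the thread; the `SAMPLE_RULE_*` names, the sample reports and the one-character-per-point bar format are assumptions.

```python
import re

# One report line: "<points> <RULE_NAME> <description>", as quoted in the thread.
REPORT_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

# Score overrides from the user_prefs lines quoted in the thread.
OVERRIDES = {"RCVD_IN_DNSWL_HI": 0.0,
             "BAYES_80": 5.5, "BAYES_95": 6.5, "BAYES_99": 7.0}

def parse_report(report):
    """Return {rule_name: points} for every rule line in a report body."""
    hits = {}
    for line in report.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def total(hits, overrides=None):
    """Sum rule points, substituting overridden scores where given."""
    overrides = overrides or {}
    return round(sum(overrides.get(r, p) for r, p in hits.items()), 1)

def spam_bar(score):
    """Assumed bar format: one '+' (or '-') per whole point of score."""
    return ("+" if score >= 0 else "-") * int(abs(score))

def discarded(score, threshold):
    """Mimic a filter that discards when the bar holds `threshold` '+' signs."""
    return "+" * threshold in spam_bar(score)

def what_if(reports, threshold):
    """Per message: (old score, new score, discarded before, discarded after)."""
    rows = []
    for report in reports:
        hits = parse_report(report)
        old, new = total(hits), total(hits, OVERRIDES)
        rows.append((old, new, discarded(old, threshold), discarded(new, threshold)))
    return rows

# Constructed sample reports; SAMPLE_RULE_* names and their points are made up.
SAMPLES = [
    "-5.0 RCVD_IN_DNSWL_HI RBL: high trust\n 5.0 BAYES_99 BODY: bayes\n 6.4 SAMPLE_RULE_A x",
    " 3.5 BAYES_80 BODY: bayes\n 4.1 SAMPLE_RULE_B x",
    "-5.0 BAYES_00 BODY: bayes\n-5.0 RCVD_IN_DNSWL_HI RBL: high trust\n 1.2 SAMPLE_RULE_C x",
]

if __name__ == "__main__":
    for row in what_if(SAMPLES, threshold=9):
        print(row)
```

The third sample is a constructed ham message: its score rises from -8.8 to -3.8 once the whitelist rule is zeroed, so the same replay is worth running over known-good mail to see how much margin remains below the discard threshold.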

  4. #4
    Ron
    SPAM totals so far:

    67 on Thursday
    61 on Friday
    40 on Saturday
    36 on Sunday
    63 on Monday
    Last edited by Ron; 12-06-2011 at 02:02 AM.
    Good luck

  5. #5
    Ron
    39 SPAMs on Tuesday.
    Good luck

  6. #6
    JPC Member nayan007's Avatar
    Join Date
    Nov 2011
    Location
    India
    Posts
    25
    1. First thing you need to do is remove the catch-all email for your domain. Please create proper email accounts and forwarders only, instead of using a catch-all default address, and set the Default Address to ":fail:" (without quotes). You can do this from your control panel.

    Otherwise you will receive a very large amount of junk, worms and viruses and are open to a dictionary attack on your domain. What is a dictionary attack? Spammers send millions of emails to your domain by generating random usernames@yourdomain.com. By setting up a catch-all you are opening the door to the attack. Catch-all is a bad idea these days as it opens your domain to dictionary attack. You should create email accounts or email forwarders (aliases) only for the required addresses. Secondly, computer worms/viruses also use dictionary attacks to propagate.

    2. Activate SpamAssassin from your control panel. Also if you activate SpamBox, regularly check it and clear it.

    3. You will need to customize spamassassin for your usage and this will be an ongoing struggle.

    Please visit SpamAssassin: Welcome to SpamAssassin and learn how you can tweak spamassassin configuration files.

    Some discussion with how other users are fighting spam is here: Spam

  7. #7
    Ron
    SPAM totals so far:

    67 on Thursday
    61 on Friday
    40 on Saturday
    36 on Sunday
    63 on Monday
    39 on Tuesday
    27 on Wednesday

    27!!

    Just a couple of changes:

    A few tweaked settings; in addition to a couple others, the main changes were deleting spams >= 9, getting rid of the corrupted DNSWL, adding a few points to the three highest BAYES categories.

    Training SA's Bayes function using sa-learn for a week.

    I'm done!

    For now.
    Good luck

  8. #8
    Ron
    SPAM totals so far:

    67 on Thursday
    61 on Friday
    40 on Saturday
    36 on Sunday
    63 on Monday
    39 on Tuesday
    27 on Wednesday
    37 on Thursday
    29 on Friday
    15 on Saturday
    Last edited by Ron; 12-11-2011 at 09:59 PM.
    Good luck

  9. #9
    Ron
    SPAM totals so far:

    67 on Thursday
    61 on Friday
    40 on Saturday
    36 on Sunday
    63 on Monday
    39 on Tuesday
    27 on Wednesday
    37 on Thursday
    29 on Friday
    15 on Saturday
    9 on Sunday. Woo hoo!
    Good luck

  10. #10
    JPC Member nayan007's Avatar
    Hi, this is a serious issue. Please open a ticket for this and submit to the technical support team

  11. #11
    Ron
    Quote Originally Posted by nayan007 View Post
    Hi, this is a serious issue. Please open a ticket for this and submit to the technical support team
    Why? I'm using the proper supported tool, making changes that are appropriate for my domain. I don't understand your suggestion.

    SPAM totals so far:

    67 on Thursday
    61 on Friday
    40 on Saturday
    36 on Sunday

    63 on Monday
    39 on Tuesday
    27 on Wednesday
    37 on Thursday
    29 on Friday
    15 on Saturday
    9 on Sunday.

    33 on Monday.
    Good luck

  12. #12
    Ron
    SPAM totals so far:

    67 on Thursday
    61 on Friday
    40 on Saturday
    36 on Sunday

    63 on Monday
    39 on Tuesday
    27 on Wednesday
    37 on Thursday
    29 on Friday
    15 on Saturday
    9 on Sunday

    33 on Monday
    35 on Tuesday
    39 on Wednesday
    33 on Thursday -- 15 of them have an SA score of 8.0 to 8.9. Hmmmmm.....
    50 on Friday
    21 on Saturday
    23 on Sunday

    29 on Monday
    50 on Tuesday
    37 on Wednesday
    33 on Thursday
    Somehow I missed Friday...
    10 on Saturday
    17 on Sunday (Christmas (Actual))

    22 on Monday (Christmas (Observed))
    Last edited by Ron; 12-27-2011 at 06:18 AM.
    Good luck
