SpamAssassin in a box local.cf customization
Idea shared by Steve Reid - 2/20/2015 at 8:18 AM
Here is my config:
#    Rescore some rules
# score        HTML_IMAGE_ONLY_02          3.5
# score        FORGED_IMS_TAG              2.5
score     ALL_TRUSTED             0
score     RCVD_IN_NIX_SPAM        0 1.5 0 1.5
score     RCVD_IN_HOSTKARMA_WL        0 0 0 0
score        RCVD_IN_HOSTKARMA_NO        0.2
score        RCVD_IN_HOSTKARMA_BR        0.2
score        KHOP_SC_CIDR24            0.3
score        KHOP_SC_TOP_CIDR8        0.3
score        NORMAL_HTTP_TO_IP        0.5
score        LOTS_OF_MONEY                0.2
score     RCVD_IN_DNSWL_NONE         0 0 0 0
score        RP_MATCHES_RCVD            0
score        BAYES_00                0
score        RCVD_IN_DNSWL_NONE        0
score        RCVD_IN_MSPIKE_H3        0
score        BAYES_100                2.8
score        BAYES_90                2.5
score        BAYES_80                2.3
score        BAYES_70                2.0
score        BAYES_60                1.8
score        BAYES_50                1.5
score        BAYES_40                1.3
score        BAYES_30                1.0
score        BAYES_20                0.8
score        BAYES_10                0.3
score        JAM_PHARMACY_BD                2.0
score        JAM_DO_STH_HERE                0.5
score        MIME_HTML_ONLY                1.5
score        DIET_1                    1.5
score        RAZOR2_CHECK                2.0
score        T_LOTS_OF_MONEY                1.0
score        FROM_12LTRDOM                0.5
score        FRT_TODAY2                1.0
score        JAM_SMALL_FONT_SIZE            1.0
score        RCVD_IN_DNSWL_LOW            0.0
score        JAM_REPLACED_I_BD            1.0
score        JAM_LONG_LINK                1.0
score        JAM_LOAN_BD                1.0
Not sure if anyone else has customizations they can share?

12 Replies

I disabled all RBL checks in SpamAssassinInABox because I want to manage them on a daily basis, but I do use it for URIBLs since it scores better than I could do manually. I think I increased the RAZOR2 score like you did. I find the JAM_SMALL_FONT_SIZE rule to be very inaccurate and I think I set it to a very low weight.
I was told that this file will get overwritten with an update of SpamAssassin in a box. Supposedly any file in the same folder with .cf will get loaded. I just make a backup.
If you upgrade the full program from Jam Software it will update the local.cf, but any of the normal SpamAssassin update channels will not update the local.cf.
SmarterMail 13.3
Hi, friends. I've been working with my local.cf file. I find that when I implement Steve Reid's configuration, SmarterMail refuses to start, and gives me a series of abstruse connection errors. The full local.cf file is below. What do you think I am doing wrong?
Is there a place where one can simply download an optimized local.cf file for SAIB?
Thank you as always for any advice.
# This is the right place to customize your installation of SpamAssassin.
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
# Only a small subset of options are listed below
#   Add *****SPAM***** to the Subject header of spam e-mails
# rewrite_header Subject *****SPAM*****

#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#   IMPORTANT: Do not enable report_safe when using JAM Software products!!!
report_safe 0

#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
# trusted_networks 212.17.35.

#   Set file-locking method (flock is not safe over NFS, but is faster)
# lock_method flock

#   Set the threshold at which a message is considered spam (default: 5.0)
# required_score 5.0

#   Use Bayesian classifier (default: 1)
# use_bayes 1

#   Bayesian classifier auto-learning (default: 1)
# bayes_auto_learn 0
#    This is the directory and filename for Bayes databases. Several
#    databases will be created, with this as the base directory and
#    filename, with _toks, _seen, etc. appended to the base.
bayes_path C:\ProgramData\JAM Software\spamdService\sa-bayes\bayes
#    With "bayes_auto_learn_on_error" turned on, autolearning will be
#    performed only when a bayes classifier had a different opinion from
#    what the autolearner is now trying to teach it (i.e. it made an
#    error in judgement). This strategy may or may not produce better
#    future classifications, but usually works very well, while also
#    preventing unnecessary overlearning and slows down database growth.
bayes_auto_learn_on_error 1

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
bayes_ignore_header x-spam-status
bayes_ignore_header x-spam-checker-version
bayes_ignore_header X-Spam-Status
bayes_ignore_header x-spam-report
bayes_ignore_header x-process
bayes_ignore_header x-backup
bayes_ignore_header X-MS-Exchange-Organization-PCL
bayes_ignore_header X-MS-Exchange-Organization-SCL
bayes_ignore_header x-ms-exchange-organization-AuthSource
bayes_ignore_header X-MS-Exchange-Organization-AuthAs
bayes_ignore_header X-MS-Exchange-Organization-OriginalArrivalTime
bayes_ignore_header X-MS-Exchange-Forest-ArrivalHubServer
bayes_ignore_header X-MS-Exchange-Organization-OriginalClientIPAddress
bayes_ignore_header X-MS-Exchange-Organization-OriginalServerIPAddress
bayes_ignore_header X-MS-Exchange-Organization-MessageDirectionality
bayes_ignore_header X-MS-Exchange-Organization-Cross-Premises-Headers-Processed
# If the score is smaller than this, email will be automatically
# learned as nonspam. The threshold can be negative.
bayes_auto_learn_threshold_nonspam 0.05
# If the score is larger than this, email will be automatically
# learned as spam.
bayes_auto_learn_threshold_spam 11.0
# TextCat - language guesser (also defined in v310.pre, but not activated)
# Note: You have to specify ok_languages in order to make Textcat score spam
loadplugin Mail::SpamAssassin::Plugin::TextCat
#    Shortcircuit - stop evaluation early if high-accuracy rules fire
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
#   strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
shortcircuit USER_IN_WHITELIST       on
shortcircuit USER_IN_DEF_WHITELIST   on
shortcircuit USER_IN_ALL_SPAM_TO     on
shortcircuit SUBJECT_IN_WHITELIST    on
#   the opposite; blacklisted mails can also save CPU
shortcircuit USER_IN_BLACKLIST       on
shortcircuit USER_IN_BLACKLIST_TO    on
shortcircuit SUBJECT_IN_BLACKLIST    on
#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
# shortcircuit ALL_TRUSTED             on
#   and a well-trained bayes DB can save running rules, too
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
#    Some JAM customized Shortcircuit configuration
#    Set Bayes_99 priority higher so it hits more early ( => less RBL checks )
priority BAYES_99                   -850
#     Allow rules to be defined in user_prefs
allow_user_rules 1
#    Replace default headers through more formatted output
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) * on _HOSTNAME_ * at _DATE_
add_header all Status _YESNO_, score=_SCORE_, hits=_HITS_, required=_REQD_, autolearn=_AUTOLEARN_, shortcircuit=_SC_
add_header spam Level _STARS(*)_
add_header all Report _REPORT_

#    Google uses DKIM so this should only whitelist real google mails
whitelist_auth adwords-noreply@google.com   
whitelist_auth googlealerts-noreply@google.com
def_whitelist_from_spf *@jam-software.de
def_whitelist_from_spf *@jam-software.com

# DNSBL of German publisher heise (http://www.heise.de/ix/nixspam/)
header NIX_SPAM  eval:check_rbl('nix-spam',
describe NIX_SPAM Listed in NIX_SPAM DNSBL (heise.de)
tflags NIX_SPAM  net
score NIX_SPAM  1.2

#    Rescore some rules
# score        HTML_IMAGE_ONLY_02          3.5
# score        FORGED_IMS_TAG              2.5
score     ALL_TRUSTED             0
score     RCVD_IN_NIX_SPAM        0 1.5 0 1.5
score     RCVD_IN_HOSTKARMA_WL        0 0 0 0
score        RCVD_IN_HOSTKARMA_NO        0.2
score        RCVD_IN_HOSTKARMA_BR        0.2
score        KHOP_SC_CIDR24            0.3
score        KHOP_SC_TOP_CIDR8        0.3
score        NORMAL_HTTP_TO_IP        0.5
score        LOTS_OF_MONEY                0.2
score     RCVD_IN_DNSWL_NONE         0 0 0 0
score        RP_MATCHES_RCVD            0
score        BAYES_00                0
score        RCVD_IN_DNSWL_NONE        0
score        RCVD_IN_MSPIKE_H3        0
score        BAYES_100                2.8
score        BAYES_90                2.5
score        BAYES_80                2.3
score        BAYES_70                2.0
score        BAYES_60                1.8
score        BAYES_50                1.5
score        BAYES_40                1.3
score        BAYES_30                1.0
score        BAYES_20                0.8
score        BAYES_10                0.3
score        JAM_PHARMACY_BD                2.0
score        JAM_DO_STH_HERE                0.5
score        MIME_HTML_ONLY                1.5
score        DIET_1                    1.5
score        RAZOR2_CHECK                2.0
score        T_LOTS_OF_MONEY                1.0
score        FROM_12LTRDOM                0.5
score        FRT_TODAY2                1.0
score        JAM_SMALL_FONT_SIZE            1.0
score        RCVD_IN_DNSWL_LOW            0.0
score        JAM_REPLACED_I_BD            1.0
score        JAM_LONG_LINK                1.0
score        JAM_LOAN_BD                1.0
Not really sure, but I would say to start over and be careful when making the changes.
Dear Steve,

I carefully used tabs between the columns, and now it works. The SAIB scores are now active in SAIB local.cf. Thank you very much, as always, for your kind help. I am curious to see how this SAIB optimization affects spam incursions.

Question -- are you aware of any other optimized SAIB scores? I'm looking on the JAM software site and I am not seeing any references to optimizing these SAIB scores -- and apparently it is essential to optimize local.cf with these SAIB scores.

I hope this finds you well.

best from Eric
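
A pre-flight check for hand-edited score lines like the ones in this thread, as an added example (not code from the thread, JAM Software or SpamAssassin). The function name `lint` and the sample excerpt are constructed for illustration; the rule that a `score` line takes one or four values follows the SpamAssassin configuration documentation.

```python
import re

# Constructed excerpt in the style of the score lines posted in the thread.
SAMPLE_CF = """\
#    Rescore some rules
score     RCVD_IN_NIX_SPAM        0 1.5 0 1.5
score     RCVD_IN_DNSWL_NONE      0 0 0 0
score     BAYES_00                0
score     RCVD_IN_DNSWL_NONE      0
score     RAZOR2_CHECK            2.0 1.0
score     JAM_LONG_LINK           l.0
header NIX_SPAM  eval:check_rbl('nix-spam',
"""

# A score value is a number, optionally in parentheses (relative adjustment).
NUM = re.compile(r"^\(?[-+]?(\d+\.?\d*|\.\d+)\)?$")

def lint(text):
    """Return (line_number, message) findings for a local.cf text."""
    findings = []
    seen = {}  # rule name -> line number of its previous score line
    for no, raw in enumerate(text.splitlines(), 1):
        # Simplification: treats every '#' as a comment start (ignores '\#').
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.count("(") != line.count(")"):
            findings.append((no, "unbalanced parentheses, line may be truncated"))
        fields = line.split()  # any mix of tabs and spaces separates columns
        if fields[0] != "score":
            continue
        if len(fields) < 3:
            findings.append((no, "score needs a rule name and a value"))
            continue
        name, values = fields[1], fields[2:]
        bad = [v for v in values if not NUM.match(v)]
        if bad:
            findings.append((no, f"{name}: non-numeric value {bad[0]!r}"))
        elif len(values) not in (1, 4):
            findings.append((no, f"{name}: {len(values)} values, expected 1 or 4"))
        if name in seen:
            findings.append((no, f"{name}: also scored on line {seen[name]}; the later line takes effect"))
        seen[name] = no
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE_CF):
        print(f"line {no}: {msg}")
```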
I'm not aware of any examples; however, these are the same customization options available to regular SpamAssassin, so there should be info out there.

I modified mine by checking headers for a while on incorrectly scored emails.
Got it!

So, this message just came through -- it is spam, and it appeared in the mailbox of a client who, these days, is really irritated at me for not controlling spam better. =) How can I analyze this message and then make an edit in SAIB local.cf?

Received: from sbe207.slyhidemyaffair.ninja (ptr1.sentris.net []) by tarsier.viviotech.net with SMTP;
Tue, 14 Apr 2015 13:21:56 -0400
Date: Tue, 14 Apr 2015 10:25:24 -0700
Mime-Version: 1.0
From: Your Secret Proposition
Content-Type: text/plain; charset="UTF-8"
Subject: Sleep with Someone Else's Wife Tonight Invitation expires 04/14/2015.
Hu-Xya: b1c46e4638ebebf9a92f2834a03ec32aefb1c46e4638ebebf9a92f2834a03ec32a-t10423121
X-SmarterMail-Spam: SPF_None, ISpamAssassin 0 [raw: 0], SpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-SpamDetail: Content analysis details: (0.0 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
X-SmarterMail-SpamDetail: See
X-SmarterMail-SpamDetail: http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
X-SmarterMail-SpamDetail: for more information.
X-SmarterMail-SpamDetail: [URIs: judybyron.com]
X-SmarterMail-TotalSpamWeight: 0
You should first off ensure you have implemented all aspects of Bruce's spam document. I use SpamAssassin only to supplement and pick up messages that squeeze through. Also it looks like you have a DNS issue that is not allowing URIBL lookups to work properly.
I was wondering about that DNS issue. Hmmm...

I have carefully implemented all of Bruce's document -- but I will double check.

What do you think is going on with the DNS issue? Sorry to bug you about all of this stuff. =) I really appreciate your time. Eric
We run a local instance of DNS on our SmarterMail server; this is to ensure RBL and URIBL requests come from our own public IP. The problem happens when you use a public DNS server, such as Google. The RBLs will begin rejecting requests if they receive too many from a single IP.
Makes sense! I am working on this. Thank you again. =)
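
The header review discussed above (checking which rules fired on a missed message, and spotting the blocked URIBL lookup), as an added example that is not part of the thread. The sample headers are constructed in the layout of the `X-SmarterMail-SpamDetail` lines quoted earlier; the function names and the `_BLOCKED` suffix match are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the X-SmarterMail-SpamDetail lines quoted in the thread.
SAMPLE = """\
X-SmarterMail-SpamDetail: Content analysis details: (1.5 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name description
X-SmarterMail-SpamDetail: ---- ---------------------- ------------------------------
X-SmarterMail-SpamDetail: 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
X-SmarterMail-SpamDetail: See
X-SmarterMail-SpamDetail: [URIs: example.invalid]
X-SmarterMail-SpamDetail: 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
X-SmarterMail-TotalSpamWeight: 1
"""

PREFIX = "X-SmarterMail-SpamDetail:"
TOTALS = re.compile(r"\((-?[\d.]+) points, (-?[\d.]+) required\)")
HIT = re.compile(r"^(-?\d+(?:\.\d+)?)\s+([A-Za-z_]\w*)\b")

def parse_report(raw):
    """Return score, threshold, rule hits and any blocked-lookup notices."""
    report = {"score": None, "required": None, "hits": [], "blocked": []}
    for line in raw.splitlines():
        if not line.startswith(PREFIX):
            continue
        body = line[len(PREFIX):].strip()
        totals = TOTALS.search(body)
        if totals:
            report["score"] = float(totals.group(1))
            report["required"] = float(totals.group(2))
            continue
        hit = HIT.match(body)
        if hit:
            rule, pts = hit.group(2), float(hit.group(1))
            report["hits"].append((rule, pts))
            # Assumption: a rule name ending in _BLOCKED is a refused-query
            # notice, as URIBL_BLOCKED is in the thread's headers.
            if rule.endswith("_BLOCKED"):
                report["blocked"].append(rule)
    return report

def rescore_candidates(report):
    """Rules that fired on a message that still scored below the threshold."""
    if report["score"] is None or report["score"] >= report["required"]:
        return []
    return [rule for rule, _ in report["hits"] if rule not in report["blocked"]]

if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print("blocked lookups:", r["blocked"])
    print("rules to review in local.cf:", rescore_candidates(r))
```

A non-empty `blocked` list means the score was computed without that blocklist's evidence, so the DNS resolver should be fixed before any rule is rescored.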
