how to adjust SpamAssassin local.cf file to block some particularly pernicious spam
Question asked by Eric Bourland - May 17, 2016 at 9:45 AM
Unanswered
System:
* SmarterMail 15
* SpamAssassin in a Box 2.2 (64-bit)
* Bruce Barnes's antispam recommendations

Question:
Hi friends. I am trying to adjust my SpamAssassin local.cf file to block some particularly pernicious spam -- really sneaky, yucky stuff that is going to affect all of my clients if I do not stop it. Thank you for your suggestions as always. Eric
 
Here is the header of a recent spam message:
Return-Path: <philip.fainer@manulifesecurities.ca>
Received: from mx0c-00199c02.pphosted.com (mx0c-00199c02.pphosted.com [67.231.158.178]) by tarsier.viviotech.net with SMTP;
   Tue, 17 May 2016 11:12:35 -0400
Received: from pps.filterd (m0096755.ppops.net [127.0.0.1])
	by mx0c-00199c02.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id u4HEka5x023288;
	Tue, 17 May 2016 10:48:06 -0400
Received: from caembxp01.crxpc001.com ([192.203.239.132])
	by mx0c-00199c02.pphosted.com with ESMTP id 22m40qecy4-1
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL);
	Tue, 17 May 2016 10:48:06 -0400
Received: from CAEMBXP02.crxpc001.com (10.77.203.35) by CAEMBXP01.crxpc001.com
 (10.77.203.32) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Tue, 17 May
 2016 10:48:04 -0400
Received: from CAEMBXP02.crxpc001.com ([10.77.203.35]) by
 CAEMBXP02.crxpc001.com ([10.77.203.35]) with mapi id 15.00.1156.000; Tue, 17
 May 2016 10:48:04 -0400
From: Philip Fainer <Philip.Fainer@manulifesecurities.ca>
Subject: Your Mailbox quota
Thread-Topic: Your Mailbox quota
Thread-Index: AdGwfPW0oaRXJU1ZQqiDUEQnXB2hLQ==
Date: Tue, 17 May 2016 14:48:03 +0000
Message-ID: <3d7a0d2b935247a3be915a890a05ae16@CAEMBXP02.crxpc001.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.77.203.50]
Content-Type: multipart/alternative;
	boundary="_000_3d7a0d2b935247a3be915a890a05ae16CAEMBXP02crxpc001com_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.96,1.0.3,0.0.0000
 definitions=2016-05-17_05:2016-05-17,2016-05-17,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=100 spamscore=100 suspectscore=0
 phishscore=100 adultscore=0 bulkscore=100 classifier=spam adjust=0
 reason=mlx scancount=1 engine=7.0.1-1603290000 definitions=main-1605170183
X-Rcpt-To: <eric@ebwebwork.com>
X-SmarterMail-Spam: SPF_None, ISpamAssassin 0 [raw: 0], SpamAssassin 2 [raw: 1], DK_None, DKIM_None
X-SmarterMail-SpamDetail: Content analysis details:   (1.0 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name              description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.0 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
X-SmarterMail-SpamDetail: 1.0 MISSING_HEADERS        Missing To: header
X-SmarterMail-SpamDetail: 0.0 T_SPF_TEMPERROR        SPF: test of record failed (temperror)
X-SmarterMail-SpamDetail: 0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE           BODY: HTML included in message
X-SmarterMail-TotalSpamWeight: 2

 
Here is my current local.cf file -- I welcome suggestions, edits, and so on.
 
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****

#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#   IMPORTANT: Do not enable report_safe when using JAM Software products!!!
report_safe 0

#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.

#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock

#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

#   Use Bayesian classifier (default: 1)
#
# use_bayes 1

#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 0
#    This is the directory and filename for Bayes databases. Several
#    databases will be created, with this as the base directory and
#    filename, with _toks, _seen, etc. appended to the base.
#
bayes_path C:\ProgramData\JAM Software\spamdService\sa-bayes\bayes
#    With "bayes_auto_learn_on_error" turned on, autolearning will be
#    performed only when a bayes classifier had a different opinion from
#    what the autolearner is now trying to teach it (i.e. it made an
#    error in judgement). This strategy may or may not produce better
#    future classifications, but usually works very well, while also
#    preventing unnecessary overlearning and slowing down database growth.
bayes_auto_learn_on_error 1

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
bayes_ignore_header x-spam-status
bayes_ignore_header x-spam-checker-version
bayes_ignore_header X-Spam-Status
bayes_ignore_header x-spam-report
bayes_ignore_header x-process
bayes_ignore_header x-backup
bayes_ignore_header X-MS-Exchange-Organization-PCL
bayes_ignore_header X-MS-Exchange-Organization-SCL
bayes_ignore_header x-ms-exchange-organization-AuthSource
bayes_ignore_header X-MS-Exchange-Organization-AuthAs
bayes_ignore_header X-MS-Exchange-Organization-OriginalArrivalTime
bayes_ignore_header X-MS-Exchange-Forest-ArrivalHubServer
bayes_ignore_header X-MS-Exchange-Organization-OriginalClientIPAddress
bayes_ignore_header X-MS-Exchange-Organization-OriginalServerIPAddress
bayes_ignore_header X-MS-Exchange-Organization-MessageDirectionality
bayes_ignore_header X-MS-Exchange-Organization-Cross-Premises-Headers-Processed
# If the score is smaller than this, email will be automatically
# learned as nonspam. The threshold can be negative.
bayes_auto_learn_threshold_nonspam 0.05
# If the score is larger than this, email will be automatically
# learned as spam.
bayes_auto_learn_threshold_spam 11.0
# TextCat - language guesser (also defined in v310.pre, but not activated)
# Note: You have to specify ok_languages in order to make Textcat score spam
#
loadplugin Mail::SpamAssassin::Plugin::TextCat
#    Shortcircuit - stop evaluation early if high-accuracy rules fire
#
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#   strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#
shortcircuit USER_IN_WHITELIST       on
shortcircuit USER_IN_DEF_WHITELIST   on
shortcircuit USER_IN_ALL_SPAM_TO     on
shortcircuit SUBJECT_IN_WHITELIST    on
#   the opposite; blacklisted mails can also save CPU
shortcircuit USER_IN_BLACKLIST       on
shortcircuit USER_IN_BLACKLIST_TO    on
shortcircuit SUBJECT_IN_BLACKLIST    on
#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
# shortcircuit ALL_TRUSTED             on
#   and a well-trained bayes DB can save running rules, too
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
#    Some JAM customized Shortcircuit configuration
#    
#    Set Bayes_99 priority higher so it hits more early ( => less RBL checks )
priority BAYES_99                   -850
#     
#     Allow rules to be defined in user_prefs
#
allow_user_rules 1
#    Replace default headers through more formatted output
#
clear_headers
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) * on _HOSTNAME_ * at _DATE_
add_header all Status _YESNO_, score=_SCORE_, hits=_HITS_, required=_REQD_, autolearn=_AUTOLEARN_, shortcircuit=_SC_
add_header spam Level _STARS(*)_
add_header all Report _REPORT_

#    Google uses DKIM so this should only whitelist real google mails
#
whitelist_auth adwords-noreply@google.com
whitelist_auth googlealerts-noreply@google.com
def_whitelist_from_spf *@jam-software.de
def_whitelist_from_spf *@jam-software.com

#    Rescore some rules
#
# score        HTML_IMAGE_ONLY_02          3.5
# score        FORGED_IMS_TAG              2.5
# Note: a later "score" line for the same rule replaces an earlier one,
# so each rule is listed only once here.
score    ALL_TRUSTED                -0.5
score    RCVD_IN_HOSTKARMA_WL       0 -0.5 0 -0.2
score    RCVD_IN_HOSTKARMA_NO       0.2
score    RCVD_IN_HOSTKARMA_BR       0.2
score    KHOP_SC_CIDR24             0.3
score    KHOP_SC_TOP_CIDR8          0.3
score    NORMAL_HTTP_TO_IP          0.5
score    LOTS_OF_MONEY              0.2
score    RCVD_IN_DNSWL_NONE         0
score    RCVD_IN_NIX_SPAM           0 1.5 0 1.5
score    RP_MATCHES_RCVD            0
score    BAYES_00                   0
score    RCVD_IN_MSPIKE_H3          0
score    BAYES_100                  2.8
score    BAYES_90                   2.5
score    BAYES_80                   2.3
score    BAYES_70                   2.0
score    BAYES_60                   1.8
score    BAYES_50                   1.5
score    BAYES_40                   1.3
score    BAYES_30                   1.0
score    BAYES_20                   0.8
score    BAYES_10                   0.3
score    JAM_PHARMACY_BD            3.0
score    JAM_DO_STH_HERE            0.5
score    MIME_HTML_ONLY             1.5
score    DIET_1                     2.5
score    RAZOR2_CHECK               2.0
score    T_LOTS_OF_MONEY            2.0
score    FROM_12LTRDOM              0.5
score    FRT_TODAY2                 1.0
score    JAM_SMALL_FONT_SIZE        1.0
score    RCVD_IN_DNSWL_LOW          0.0
score    JAM_REPLACED_I_BD          1.0
score    JAM_LONG_LINK              1.0
score    JAM_LOAN_BD                2.0
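
A set of local.cf rules aimed at the message quoted above, added here as an example and not part of Eric's posted configuration or of SpamAssassin in a Box. The LOCAL_* rule names and scores are chosen for this example; MISSING_HEADERS and NO_DNS_FOR_FROM are the stock rules already visible in the posted X-SmarterMail-SpamDetail report, and the phishscore regex keys on the X-Proofpoint-Spam-Details header that the sending side stamped on the message.

```conf
# ---- Example rules for the "Your Mailbox quota" account-phish lure ----
# (example additions, not from the posted local.cf)

# 1. The lure itself: subject talks about a mailbox quota.
header   LOCAL_SUBJ_MAILBOX_QUOTA  Subject =~ /\bmailbox\s+quota\b/i
describe LOCAL_SUBJ_MAILBOX_QUOTA  Subject mentions a mailbox quota
score    LOCAL_SUBJ_MAILBOX_QUOTA  1.5

# 2. The upstream filter's own verdict. The posted header carries
#    "phishscore=100" even though the sending side let it through.
#    SpamAssassin unfolds the header before matching, so the regex sees
#    the whole folded value. A forged copy of this header can only raise
#    a message's score, so spammers gain nothing by adding it.
header   LOCAL_PP_PHISHSCORE_HI    X-Proofpoint-Spam-Details =~ /\bphishscore=(?:[7-9]\d|100)\b/
describe LOCAL_PP_PHISHSCORE_HI    Upstream Proofpoint header reports high phishscore
score    LOCAL_PP_PHISHSCORE_HI    2.0

# 3. Combine the lure with one of the structural oddities the report
#    already shows (no To: header, sender domain with no MX or A record)
#    or the upstream phish verdict. The meta rule carries the real weight;
#    the subject rule alone stays low so a legitimate quota notice from
#    a well-formed sender does not get pushed over the threshold.
meta     LOCAL_QUOTA_PHISH         (LOCAL_SUBJ_MAILBOX_QUOTA && (MISSING_HEADERS || NO_DNS_FOR_FROM || LOCAL_PP_PHISHSCORE_HI))
describe LOCAL_QUOTA_PHISH         Quota lure plus missing To:, dead sender domain or phish verdict
score    LOCAL_QUOTA_PHISH         3.5
```

On the posted message these three rules add 1.5 + 2.0 + 3.5 to the 1.0 already scored by MISSING_HEADERS, for 8.0 against the 5.0 threshold. Run `spamassassin --lint` after editing so a syntax error in a rule is caught before the file goes into production.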
 

1 Reply

Hi Eric. Have you thought about trying Message Sniffer along with SA in a Box? I have a few customers who use a combo of Declude, Message Sniffer, SA in a Box and the SmarterMail antispam settings. That combo works really well together and my customers are happy with the configuration that I set in place for them.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller