how to adjust SpamAssassin local.cf file to block some particularly pernicious spam
Question asked by Eric Bourland - May 17, 2016 at 9:45 AM
Unanswered
System:
* SmarterMail 15
* SpamAssassin in a Box 2.2 (64-bit)
* Bruce Barnes's antispam recommendations

Question:
Hi friends. I am trying to adjust my SpamAssassin local.cf file to block some particularly pernicious spam -- really sneaky, yucky stuff that is going to affect all of my clients if I do not stop it. Thank you for your suggestions as always. Eric
 
Here is the header of a recent spam message:
Return-Path: <philip.fainer@manulifesecurities.ca>
Received: from mx0c-00199c02.pphosted.com (mx0c-00199c02.pphosted.com [67.231.158.178]) by tarsier.viviotech.net with SMTP;
   Tue, 17 May 2016 11:12:35 -0400
Received: from pps.filterd (m0096755.ppops.net [127.0.0.1])
	by mx0c-00199c02.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id u4HEka5x023288;
	Tue, 17 May 2016 10:48:06 -0400
Received: from caembxp01.crxpc001.com ([192.203.239.132])
	by mx0c-00199c02.pphosted.com with ESMTP id 22m40qecy4-1
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL);
	Tue, 17 May 2016 10:48:06 -0400
Received: from CAEMBXP02.crxpc001.com (10.77.203.35) by CAEMBXP01.crxpc001.com
 (10.77.203.32) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Tue, 17 May
 2016 10:48:04 -0400
Received: from CAEMBXP02.crxpc001.com ([10.77.203.35]) by
 CAEMBXP02.crxpc001.com ([10.77.203.35]) with mapi id 15.00.1156.000; Tue, 17
 May 2016 10:48:04 -0400
From: Philip Fainer <Philip.Fainer@manulifesecurities.ca>
Subject: Your Mailbox quota
Thread-Topic: Your Mailbox quota
Thread-Index: AdGwfPW0oaRXJU1ZQqiDUEQnXB2hLQ==
Date: Tue, 17 May 2016 14:48:03 +0000
Message-ID: <3d7a0d2b935247a3be915a890a05ae16@CAEMBXP02.crxpc001.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.77.203.50]
Content-Type: multipart/alternative;
	boundary="_000_3d7a0d2b935247a3be915a890a05ae16CAEMBXP02crxpc001com_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.96,1.0.3,0.0.0000
 definitions=2016-05-17_05:2016-05-17,2016-05-17,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=100 spamscore=100 suspectscore=0
 phishscore=100 adultscore=0 bulkscore=100 classifier=spam adjust=0
 reason=mlx scancount=1 engine=7.0.1-1603290000 definitions=main-1605170183
X-Rcpt-To: <eric@ebwebwork.com>
X-SmarterMail-Spam: SPF_None, ISpamAssassin 0 [raw: 0], SpamAssassin 2 [raw: 1], DK_None, DKIM_None
X-SmarterMail-SpamDetail: Content analysis details:   (1.0 points, 5.0 required)
X-SmarterMail-SpamDetail: pts rule name              description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.0 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
X-SmarterMail-SpamDetail: 1.0 MISSING_HEADERS        Missing To: header
X-SmarterMail-SpamDetail: 0.0 T_SPF_TEMPERROR        SPF: test of record failed (temperror)
X-SmarterMail-SpamDetail: 0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE           BODY: HTML included in message
X-SmarterMail-TotalSpamWeight: 2

 
Here is my current local.cf file -- I welcome suggestions, edits, and so on.
 
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****

#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#   IMPORTANT: Do not enable report_safe when using JAM Software products!!!
report_safe 0

#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.

#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock

#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

#   Use Bayesian classifier (default: 1)
#
# use_bayes 1

#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 0
#    This is the directory and filename for Bayes databases. Several
#    databases will be created, with this as the base directory and
#    filename, with _toks, _seen, etc. appended to the base.
#
bayes_path C:\ProgramData\JAM Software\spamdService\sa-bayes\bayes
#    With "bayes_auto_learn_on_error" turned on, autolearning will be
#    performed only when a bayes classifier had a different opinion from
#    what the autolearner is now trying to teach it (i.e. it made an
#    error in judgement). This strategy may or may not produce better
#    future classifications, but usually works very well, while also
#    preventing unnecessary overlearning and slows down database growth.
bayes_auto_learn_on_error 1

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
bayes_ignore_header x-spam-status
bayes_ignore_header x-spam-checker-version
bayes_ignore_header X-Spam-Status
bayes_ignore_header x-spam-report
bayes_ignore_header x-process
bayes_ignore_header x-backup
bayes_ignore_header X-MS-Exchange-Organization-PCL
bayes_ignore_header X-MS-Exchange-Organization-SCL
bayes_ignore_header x-ms-exchange-organization-AuthSource
bayes_ignore_header X-MS-Exchange-Organization-AuthAs
bayes_ignore_header X-MS-Exchange-Organization-OriginalArrivalTime
bayes_ignore_header X-MS-Exchange-Forest-ArrivalHubServer
bayes_ignore_header X-MS-Exchange-Organization-OriginalClientIPAddress
bayes_ignore_header X-MS-Exchange-Organization-OriginalServerIPAddress
bayes_ignore_header X-MS-Exchange-Organization-MessageDirectionality
bayes_ignore_header X-MS-Exchange-Organization-Cross-Premises-Headers-Processed
# If the score is smaller that this, email will be automatically
# learned as nonspam. The threshold can be negative.
bayes_auto_learn_threshold_nonspam 0.05
# If the score is larger than this, email will be automatically
# learned as spam.
bayes_auto_learn_threshold_spam 11.0
# TextCat - language guesser (also defined in v310.pre, but not activated)
# Note: You have to specify ok_languages in order to make Textcat score spam
#
loadplugin Mail::SpamAssassin::Plugin::TextCat
#    Shortcircuit - stop evaluation early if high-accuracy rules fire
#
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#   strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#
shortcircuit USER_IN_WHITELIST       on
shortcircuit USER_IN_DEF_WHITELIST   on
shortcircuit USER_IN_ALL_SPAM_TO     on
shortcircuit SUBJECT_IN_WHITELIST    on
#   the opposite; blacklisted mails can also save CPU
shortcircuit USER_IN_BLACKLIST       on
shortcircuit USER_IN_BLACKLIST_TO    on
shortcircuit SUBJECT_IN_BLACKLIST    on
#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
# shortcircuit ALL_TRUSTED             on
#   and a well-trained bayes DB can save running rules, too
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
#    Some JAM customized Shortcircuit configuration
#    
#    Set Bayes_99 priority higher so it hits more early ( => less RBL checks )
priority BAYES_99                   -850
#     
#     Allow rules to be defined in user_prefs
#
allow_user_rules 1
#    Replace default headers through more formatted output
#
clear_headers
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) * on _HOSTNAME_ * at _DATE_
add_header all Status _YESNO_, score=_SCORE_, hits=_HITS_, required=_REQD_, autolearn=_AUTOLEARN_, shortcircuit=_SC_
add_header spam Level _STARS(*)_
add_header all Report _REPORT_

#    Google uses DKIM so this should only whitelist real google mails
#
whitelist_auth adwords-noreply@google.com   
whitelist_auth googlealerts-noreply@google.com
def_whitelist_from_spf *@jam-software.de
def_whitelist_from_spf *@jam-software.com

#    Rescore some rules
#
# score        HTML_IMAGE_ONLY_02          3.5
# score        FORGED_IMS_TAG              2.5
score     ALL_TRUSTED            -0.5
score     RCVD_IN_HOSTKARMA_WL            0 -0.5 0 -0.2
score    RCVD_IN_HOSTKARMA_NO            0.2
score    RCVD_IN_HOSTKARMA_BR            0.2
score    KHOP_SC_CIDR24            0.3
score    KHOP_SC_TOP_CIDR8            0.3
score    NORMAL_HTTP_TO_IP            0.5
score   LOTS_OF_MONEY            0.2
score     RCVD_IN_DNSWL_NONE            0  -0.1  0    -0.1
score    RCVD_IN_DNSWL_NONE            0
score    RCVD_IN_NIX_SPAM            0 1.5 0 1.5
score    NORMAL_HTTP_TO_IP            0.5
score    RP_MATCHES_RCVD            0
score    BAYES_00            0
score    RCVD_IN_MSPIKE_H3            0
score    BAYES_100            2.8
score    BAYES_90            2.5
score    BAYES_80            2.3
score    BAYES_70            2.0
score    BAYES_60            1.8
score    BAYES_50            1.5
score      BAYES_40            1.3
score    BAYES_30            1.0
score    BAYES_20            0.8
score    BAYES_10            0.3
score    JAM_PHARMACY_BD            3.0
score    JAM_DO_STH_HERE            0.5
score    MIME_HTML_ONLY            1.5
score    DIET_1            2.5
score    RAZOR2_CHECK            2.0
score    T_LOTS_OF_MONEY            2.0
score    FROM_12LTRDOM            0.5
score    FRT_TODAY2            1.0
score    JAM_SMALL_FONT_SIZE            1.0
score    RCVD_IN_DNSWL_LOW            0.0
score    JAM_REPLACED_I_BD            1.0
score    JAM_LONG_LINK            1.0
score    JAM_LOAN_BD            2.0
 

13 Replies

Reply to Thread
0
Linda Pagillo Replied
Hi Eric. Have you thought about trying Message Sniffer along with SA in a Box? I have a few customers who use a combo of Declude, Message Sniffer, SA in a Box and the smartermail antispam settings. That combo works really well together and my customers are happy with the configuration that I set in place for them.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Eric Bourland Replied
Ms. Pagillo,

Good evening. My question, specifically, concerned configuration of the SpamAssassion local.cf file. I assure you I have considered Message Sniffer, but, for now, my question was focused on SpamAssassin and local.cf.

Since the company you represent, "Mail's Best Friend", is the company that vends Message Sniffer, I am now concerned that you have replied to my question with an uninvited marketing overture -- that is, spam. Unwanted marketing material.

It seems to me that you have introduced spam into this professional forum. This disinclines me to ever consider using Message Sniffer or any product sold by your business, "Mail's Best Friend".

I spend a good portion of my professional career fighting spam, and discouraging aggressive marketers. I did not expect to encounter either in this professional forum.

I welcome the chance to be proved wrong in my assessment of your message. Until then I remain sincerely yours.

Eric
0
Linda Pagillo Replied
I apologize if I sounded like I was trying to sell you something. That was not my intention at all and I'm sorry that it appeared that way. I was simply asking a question based on what I have experienced with my customers and how it has helped them thinking it could possibly help you as well. As for your question about your local.cf file, I will be happy to assist if I can. What you are more than likely seeing is "pre-tested" spam. By definition, the spammer pre-tests their campaign against all available tests by sending samples to themselves on protected systems. When they have a version that gets past all of the tests they fire it off in huge volumes with their bot-net. As you are probably seeing, most of these messages are bypassing all spam defenses including SA in a Box. I believe the best way to combat this without adding any additional spam filtering software to your configuration, is adding some additional, custom rules to your SpamAssassin set up. I have a pre-tested filter that we have built based on certain characteristics of this type of spam. The filter is free of charge. Perhaps you can look at it and write a few rules based off of it to add to your setup. Also, if you would like to email me with headers from 4 or 5 of these spam messages, I will be happy to take a closer look, free of charge, to see what else I can do for you. Also, I can email you the pre-tested filter if you like. I don't see a way to upload it here in the forums. I'm hoping to hear from you so I can help with the issue. We are all on the same team here. We want to combat spam just as much as you do. Thanks!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Eric Bourland Replied
Dear Ms. Pagillo,

Thank you for this thoughtful and very helpful reply. I respect your intentions and your technical knowledge. =)

>>> When they have a version that gets past all of the tests they fire it off in huge volumes with their bot-net.

I believe it.

>>> As you are probably seeing, most of these messages are bypassing all spam defenses including SA in a Box

Yes, indeed. =(

I would be very grateful to see your pretested SpamAssassin filter, if you have time to send it. My email is: eric@ebwebwork.com

Thank you again for your time and help. Wishing you the best. =)

Eric
0
Linda Pagillo Replied
Thank you for your kind words Eric. I just sent you an email with the filter and some additional, helpful information. If you have any questions, I will be happy to help.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Sterling Kendrick Replied
Last December we added Message Sniffer to our SA in a Box and the results have been awesome.
0
Linda Pagillo Replied
Yes, Message Sniffer works really well to stay on top of the newest types of spam that are constantly popping up. I have a few customers who use the combo I described in my first post and they feel the same way that you do. I use Message Sniffer on my own personal Smartermail server with Declude and another free program we offer called The Gauntlet and it has worked really well for me. I'm glad to hear that you have had great results as well.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Devang Shah Replied
Hello Ms Linda,

if u can share local.cf file & other step which will help is fighting ongoing Spam & steps which can help here, my mail ID is devang@yaajman.com

Devang
0
Linda Pagillo Replied
Hi Devang. Are you currently using Message Sniffer and/or Declude? The reason I'm asking is because if you use Message Sniffer directly with Smartermail, I wanted to include the proper Message Sniffer lines for the local.cf as well. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Devang Shah Replied
Hi Linda,
i have setup Declude & Bruce's setting as of now but still getting loads of spam & viruses

0
Linda Pagillo Replied
My suggestion would be to use Declude, Message Sniffer and the antispam settings in SM. However, everything needs to be configured correctly in order for it to work in the most effective way. Please contact me directly so I can help you work on this. Thanks.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
Dear Linda, thank you as always for your thoughtful, expert help in stopping spam. Eric
0
My pleasure Eric!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 

Reply to Thread