Spamassassin tricks
tickticker
tickticker at cox.net
Thu Sep 7 16:50:49 MST 2006
buncha things...
add a dnsbl.cf in your /etc/mail/spamassassin directory
paste the following (which may or may not be updated, but hits a lot):
----------------------snip-----------------------------
#dnsbl.cf - Place this file in /etc/mail/spamassassin/dnsbl.cf
#Note that files are loaded in alphabetical order, any entries in local.cf
#will override the entries in this configuration file.
# EASYNET_NL is the Easynet.nl List: http://blackholes.easynet.nl .
header RCVD_IN_EASY rbleval:check_rbl('relay', 'blackholes.easynet.nl.')
describe RCVD_IN_EASY Received via EASYed relay
tflags RCVD_IN_EASY net
# use *.blackholes.us DNSBL's
# $Id: blackholes.cf,v 1.2 2002/08/07 06:23:58 pancrace Exp $
header RCVD_IN_ARGENTINA eval:check_rbl('country', 'argentina.blackholes.us.')
describe RCVD_IN_ARGENTINA Received from Argentina
header RCVD_IN_BRAZIL eval:check_rbl('country', 'brazil.blackholes.us.')
describe RCVD_IN_BRAZIL Received from Brazil
header RCVD_IN_CHINA eval:check_rbl('country', 'china.blackholes.us.')
describe RCVD_IN_CHINA Received from China
header RCVD_IN_JAPAN eval:check_rbl('country', 'japan.blackholes.us.')
describe RCVD_IN_JAPAN Received from Japan
header RCVD_IN_KOREA eval:check_rbl('country', 'korea.blackholes.us.')
describe RCVD_IN_KOREA Received from Korea
header RCVD_IN_NIGERIA eval:check_rbl('country', 'nigeria.blackholes.us.')
describe RCVD_IN_NIGERIA Received from Nigeria
header RCVD_IN_RUSSIA eval:check_rbl('country', 'russia.blackholes.us.')
describe RCVD_IN_RUSSIA Received from Russia
header RCVD_IN_SINGAPORE eval:check_rbl('country', 'singapore.blackholes.us.')
describe RCVD_IN_SINGAPORE Received from Singapore
header RCVD_IN_TAIWAN eval:check_rbl('country', 'taiwan.blackholes.us.')
describe RCVD_IN_TAIWAN Received from Taiwan
header RCVD_IN_THAILAND eval:check_rbl('country', 'thailand.blackholes.us.')
describe RCVD_IN_THAILAND Received from Thailand
score RCVD_IN_ARGENTINA 3.0
score RCVD_IN_BRAZIL 3.0
score RCVD_IN_CHINA 3.0
score RCVD_IN_JAPAN 3.0
score RCVD_IN_KOREA 3.0
score RCVD_IN_NIGERIA 3.0
score RCVD_IN_RUSSIA 3.0
score RCVD_IN_SINGAPORE 3.0
score RCVD_IN_TAIWAN 3.0
score RCVD_IN_THAILAND 3.0
header RCVD_IN_BROADWING eval:check_rbl('isp', 'broadwing.blackholes.us.')
describe RCVD_IN_BROADWING Received from Broadwing network space
header RCVD_IN_CIBERLYNX eval:check_rbl('isp', 'ciberlynx.blackholes.us.')
describe RCVD_IN_CIBERLYNX Received from Ciberlynx network space
header RCVD_IN_CW eval:check_rbl('isp', 'cw.blackholes.us.')
describe RCVD_IN_CW Received from Cable and Wireless network space
header RCVD_IN_ELI eval:check_rbl('isp', 'eli.blackholes.us.')
describe RCVD_IN_ELI Received from ELI network space
header RCVD_IN_EPOCH eval:check_rbl('isp', 'epoch.blackholes.us.')
describe RCVD_IN_EPOCH Received from Epoch network space
header RCVD_IN_HE eval:check_rbl('isp', 'he.blackholes.us.')
describe RCVD_IN_HE Received from Hurricane Electric network space
header RCVD_IN_INFLOW eval:check_rbl('isp', 'inflow.blackholes.us.')
describe RCVD_IN_INFLOW Received from Inflow network space
header RCVD_IN_INTERNAP eval:check_rbl('isp', 'internap.blackholes.us.')
describe RCVD_IN_INTERNAP Received from Internap network space
header RCVD_IN_LEVEL3 eval:check_rbl('isp', 'level3.blackholes.us.')
describe RCVD_IN_LEVEL3 Received from Level 3 network space
header RCVD_IN_RACKSPACE eval:check_rbl('isp', 'rackspace.blackholes.us.')
describe RCVD_IN_RACKSPACE Received from Rackspace network space
header RCVD_IN_RR eval:check_rbl('isp', 'rr.blackholes.us.')
describe RCVD_IN_RR Received from Road Runner network space
header RCVD_IN_SKYNETWEB eval:check_rbl('isp', 'skynetweb.blackholes.us.')
describe RCVD_IN_SKYNETWEB Received from SkynetWeb network space
header RCVD_IN_VALUEWEB eval:check_rbl('isp', 'valueweb.blackholes.us.')
describe RCVD_IN_VALUEWEB Received from Valueweb/Cybergate network space
header RCVD_IN_VERIO eval:check_rbl('isp', 'verio.blackholes.us.')
describe RCVD_IN_VERIO Received from Verio network space
#header RCVD_IN_WANADOOFR eval:check_rbl('isp', 'wanadoo-fr.blackholes.us.')
#describe RCVD_IN_WANADOOFR Received from Wanadoo.fr network space
header RCVD_IN_XO eval:check_rbl('isp', 'xo.blackholes.us.')
describe RCVD_IN_XO Received from XO/Concentric network space
header RCVD_IN_SORBS eval:check_rbl('isp', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS Received from IP in dnsbl.sorbs.net
header RCVD_IN_SPEWS eval:check_rbl('isp', 'l1.spews.dnsbl.sorbs.net.')
describe RCVD_IN_SPEWS Received from IP in Spews.sorbs.net
header RCVD_IN_ROGERS eval:check_rbl('isp', 'rogers.blackholes.us.')
describe RCVD_IN_ROGERS Received from rogers network space
score RCVD_IN_BROADWING 0.5
score RCVD_IN_CIBERLYNX 0.5
score RCVD_IN_CW 0.5
score RCVD_IN_ELI 0.5
score RCVD_IN_EPOCH 0.5
score RCVD_IN_HE 0.5
score RCVD_IN_INFLOW 0.5
score RCVD_IN_INTERNAP 0.5
score RCVD_IN_LEVEL3 0.5
score RCVD_IN_RACKSPACE 0.5
score RCVD_IN_RR 0.5
score RCVD_IN_SKYNETWEB 0.5
score RCVD_IN_VALUEWEB 0.5
score RCVD_IN_VERIO 0.5
#score RCVD_IN_WANADOOFR 0.5
score RCVD_IN_XO 0.5
score RCVD_IN_SORBS 0.5
score RCVD_IN_ROGERS 0.5
score RCVD_IN_CBL 0.5
score RCVD_IN_SBL 0.5
score RCVD_IN_BL_SPAMCOP_NET 1.5
score RCVD_IN_EASY 2.0
score RCVD_IN_SPEWS 2.0
score RCVD_IN_DSBL 2.0
#Single Zone BL's first
#CBL.ABUSEAT.ORG is a DNSBL of senders who have sent to spamtrap addresses.
#This one is pretty good at hitting crap spammers not caught by some others,
#especially clueless cable modem spammers.
header RCVD_IN_CBL rbleval:check_rbl('relay', 'cbl.abuseat.org')
describe RCVD_IN_CBL DNSBL: sender has sent spam to spamtraps
tflags RCVD_IN_CBL net
# Multizone / Multi meaning BLs next
# SORBS, like MAPS RBL+ is a multi-meaning BL, so it is treated separately
header RCVD_IN_SORBS rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS Received via a relay in dnsbl.sorbs.net
tflags RCVD_IN_SORBS net
# X prefix was used to insure that it was run at the end, but it's not needed
# anymore since we run the rule with rblreseval -- Marc
header X_SORBS_OPEN_HTTP rbleval:check_rbl_results_for('sorbs', '127.0.0.2')
describe X_SORBS_OPEN_HTTP DNSBL: sender is Confirmed Open Proxy
tflags X_SORBS_OPEN_HTTP net
header X_SORBS_SOCKS rbleval:check_rbl_results_for('sorbs', '127.0.0.3')
describe X_SORBS_SOCKS DNSBL: send ip addy Confirmed Open Socks Proxy
tflags X_SORBS_SOCKS net
header X_SORBS_MISC rbleval:check_rbl_results_for('sorbs', '127.0.0.4')
describe X_SORBS_MISC DNSBL: sender is Confirmed Open Misc Proxy
tflags X_SORBS_MISC net
header X_SORBS_SMTP rbleval:check_rbl_results_for('sorbs', '127.0.0.5')
describe X_SORBS_SMTP DNSBL: sender is a Confirmed Open Relay
tflags X_SORBS_SMTP net
header X_SORBS_SPAM rbleval:check_rbl_results_for('sorbs', '127.0.0.6')
describe X_SORBS_SPAM DNSBL: sender is a Confirmed spam Source
tflags X_SORBS_SPAM net
header X_SORBS_WEB rbleval:check_rbl_results_for('sorbs', '127.0.0.7')
describe X_SORBS_WEB DNSBL: sender is Confirmed Spam Support Web Server
tflags X_SORBS_WEB net
header X_SORBS_ZOMBIE rbleval:check_rbl_results_for('sorbs', '127.0.0.9')
describe X_SORBS_ZOMBIE DNSBL: sender is a Zombie Domain
tflags X_SORBS_ZOMBIE net
header X_SORBS_NOMAIL rbleval:check_rbl_results_for('sorbs', '127.0.0.12')
describe X_SORBS_NOMAIL DNSBL: sender is a Confirmed No Mail Ever zone
tflags X_SORBS_NOMAIL net
---------------------------snip--------------------------------
this in your local.cf, note some are probably not necessary to you, such
as language, are your other rbls in place, and install dcc and razor
that you can see noted
-------------------------snip----------------------------
lock_method flock
use_bayes 1
use_pyzor 0
#auto_learn 1
#rewrite_subject 1
required_hits 5.0
ok_languages en es
#report_safe 1
ok_locales en
rbl_timeout 5
razor_config /var/spool/filter/.razor/razor-agent.conf
use_razor2 1
razor_timeout 5
#dns_available no
bayes_auto_learn_threshold_spam 6.00
dcc_home /var/dcc
############################################################################
score NO_REAL_NAME 1.1
score USER_IN_WHITELIST -15.000
score DRUGS_ERECTILE 3.160 1.100 3.372 1.493
score DRUGS_ERECTILE_OBFU 2.833 3.046 2.816 3.408
---------------snip--------------------------
check your init.pre for
------------snip--------------------
# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash
# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF
#loadplugin Mail::SpamAssassin::Plugin::Razor2
------------snip------------------
just a few things, I've tweaked so much over time, it's too much to put
in an email but this should get you started. I cannot stress teaching
via sa-learn, installing DCC and Razor2
Regards,
tickticker
Nathan England wrote:
>Anyone have any good spamassassin tricks while I'm on the topic?
>I have mine set to change the header of anything over a 4.0 but it is very
>rare that anything is given over a 4.0. Even spam will only get a few points
>over a 4.0
>
>What are people doing to get a 20.0 as some tutorials say to set it at?
>
>
--
Transforming Intelligent Construct Keen on Thorough Infiltration,
Ceaseless Killing and Efficient Repair <http://cyborg.namedecoder.com>
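
What the dnsbl.cf rules in the message above amount to on the wire, as an added example that is not part of the original post and not SpamAssassin's own code: the relay IP is reversed and looked up under the list's zone, and the returned 127.0.0.x address selects the X_SORBS_* sub-rule. The resolver is injected so the block runs offline; the sample IPs and answers are constructed, and answers outside 127.0.0.0/8 are treated as "not a listing", following the usual DNSBL convention.

```python
import ipaddress

# Return codes copied from the X_SORBS_* rules in the dnsbl.cf above.
SORBS_CODES = {
    "127.0.0.2": "X_SORBS_OPEN_HTTP",
    "127.0.0.3": "X_SORBS_SOCKS",
    "127.0.0.4": "X_SORBS_MISC",
    "127.0.0.5": "X_SORBS_SMTP",
    "127.0.0.6": "X_SORBS_SPAM",
    "127.0.0.7": "X_SORBS_WEB",
    "127.0.0.9": "X_SORBS_ZOMBIE",
    "127.0.0.12": "X_SORBS_NOMAIL",
}
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (raises ValueError on bad IP)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."

def check_relay(ip, zone, resolver):
    """resolver(name) returns a list of A-record strings; [] means not listed."""
    name = dnsbl_query_name(ip, zone)
    rules, ignored, listed = [], [], False
    for answer in resolver(name):
        try:
            valid = ipaddress.IPv4Address(answer) in LISTING_NET
        except ValueError:
            valid = False
        if not valid:
            # e.g. a parked or hijacked zone answering every query
            ignored.append(answer)
            continue
        listed = True  # corresponds to the parent RCVD_IN_SORBS rule
        if answer in SORBS_CODES:
            rules.append(SORBS_CODES[answer])
    return {"query": name, "listed": listed, "rules": rules, "ignored": ignored}

# Constructed sample data (documentation IP ranges), standing in for real DNS.
SAMPLE_DNS = {
    "25.2.0.192.dnsbl.sorbs.net.": ["127.0.0.6", "127.0.0.9"],
    "77.2.0.192.dnsbl.sorbs.net.": ["203.0.113.7"],
}

def fake_resolver(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for relay in ("192.0.2.25", "192.0.2.77", "192.0.2.1"):
        print(check_relay(relay, "dnsbl.sorbs.net.", fake_resolver))
```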