Spamassassin and Spam prevention improvement

Unread post by coolemail »

I have Plesk 9.2.3 with Linux 2.6.32.16-2.art.x86_64 and CentOS5. I'm running qmail scanner with clamav and trying to get the Spam protection better than it is at present.

In my /etc/mail/spamassassin/local.cf file I have a line:

Code:

blacklist_from *static.theplanet.com

because we have been receiving so many Spam emails from IPs owned by them.

I thought that a lot of those had stopped, but noticed an entry in the maillog for an email that was delivered which had:

Sep 27 13:09:42 plesk2 /var/qmail/bin/relaylock[14993]: /var/qmail/bin/relaylock: mail from 74.53.125.45:36802 (2d.7d.354a.static.theplanet.com)

Should that email therefore not have been rejected?

I've also added 74.53.125.32/27 to the ASL blacklist which I think should prevent anything from those IPs getting through.

I would like to improve the success rate of Spamassassin and do not think I have it quite right. On a related note, I received an email from Spamhaus compliance to say that we are querying the Spamhaus servers and basically have too many emails going through it. Under Plesk Home>Server-wide mail preferences we have under "DNS zones for DNSBL service":

Code:

bl.spamcop.net;dyna.spamrats.com;dnsbl-1.uceprotect.net;b.barracudacentral.org

I cannot remember where we put in the various config details for Spamassassin now that it is not running on Plesk CP - can someone help on that? And can anyone suggest how to improve Spamassassin in the light of the email we have received from them - wish to avoid paying a lot for their blacklist querying if possible.

Thinking of installing Spamdyke, even though this has, in previous experience, led to us getting some false positives etc.

I hope many people will be able to offer help to answer the questions above and improve our Spam protection.

Many thanks, as ever, in advance.
Unread post by scott »

The blacklist feature in spamassassin increases the score, rather than rejecting at the SMTP layer. Which isn't a bad thing, since it trains the bayes system on those messages as spam. You also might want to run:

yum install razor-agents dcc pyzor

and restart spamd.
Unread post by coolemail »

Thanks for the quick response Scott. I have pyzor, but could not restart spamd:

[plesk2.mydomain.co.uk ~]# yum install razor-agents dcc pyzor
Loaded plugins: allowdowngrade, changelog, fastestmirror, merge-conf, security
Loading mirror speeds from cached hostfile
* addons: mirror.as29550.net
* atomic: www6.atomicorp.com
* base: mirror.as29550.net
* extras: mirror.as29550.net
* updates: mirror.as29550.net
Setting up Install Process
Package razor-agents-2.84-1.el5.art.x86_64 already installed and latest version
Package dcc-1.3.120-1.el5.art.x86_64 already installed and latest version
Package pyzor-0.5.0-4.el5.art.noarch already installed and latest version
Nothing to do
[plesk2.mydomain.co.uk ~]# service spamd restart
spamd: unrecognized service
[plesk2.mydomain.co.uk ~]# locate spamd
/etc/spamdyke-statistics.pl
/etc/spamdyke.conf.rpmnew
/etc/spamdyke.conf.rpmsave
/etc/spamdyke_stats.pl
/usr/bin/spamd
/usr/local/psa/admin/bin/spamd
/usr/local/psa/admin/sbin/spamd
/usr/local/psa/var/cgitory/SupportPRO SupportDesk-3.0-1/htdocs/admin/spamdetails.php
/usr/local/psa/var/cgitory/SupportPRO SupportDesk-3.0-1/htdocs/admin/includes/spamdetails.php
/usr/local/psa/var/cgitory/SupportPRO SupportDesk-3.0-1/htdocs/admin/languages/en/spamdetails.php
/usr/local/psa/var/cgitory/SupportPRO SupportDesk-3.0-1/htdocs/staff/spamdetails.php
/usr/local/psa/var/cgitory/SupportPRO SupportDesk-3.0-1/htdocs/staff/includes/spamdetails.php
/usr/local/psa/var/cgitory/SupportPRO SupportDesk-3.0-1/htdocs/staff/languages/en/spamdetails.php
/usr/local/psa/var/cgitory/iScripts EasyBiller-1.0-1/htdocs/helpdesk/admin/spamdetails.php
/usr/local/psa/var/cgitory/iScripts EasyBiller-1.0-1/htdocs/helpdesk/admin/includes/spamdetails.php
/usr/local/psa/var/cgitory/iScripts EasyBiller-1.0-1/htdocs/helpdesk/admin/languages/en/spamdetails.php
/usr/local/psa/var/cgitory/iScripts EasyBiller-1.0-1/htdocs/helpdesk/staff/spamdetails.php
/usr/local/psa/var/cgitory/iScripts EasyBiller-1.0-1/htdocs/helpdesk/staff/includes/spamdetails.php
/usr/local/psa/var/cgitory/iScripts EasyBiller-1.0-1/htdocs/helpdesk/staff/languages/en/spamdetails.php
/usr/share/spamdyke
/usr/share/doc/spamdyke-4.0.10
/usr/share/man/man1/spamd.1.gz
/usr/share/setroubleshoot/plugins/spamd_enable_home_dirs.py
/usr/share/setroubleshoot/plugins/spamd_enable_home_dirs.pyc
/usr/share/setroubleshoot/plugins/spamd_enable_home_dirs.pyo
/var/ossec/rules/spamd_rules.xml
/var/qmail/spamdyke
/var/qmail/spamdyke/blacklist_ip.rpmsave
/var/qmail/spamdyke/blacklist_keywords.rpmsave
/var/qmail/spamdyke/blacklist_rdns
/var/qmail/spamdyke/blacklist_senders.rpmsave
/var/qmail/spamdyke/whitelist_ip.rpmsave
/var/qmail/spamdyke/whitelist_recipients
/var/qmail/spamdyke/whitelist_senders.rpmsave
/var/run/spamd
/var/run/spamd.pid
[plesk2.mydomain.co.uk ~]#
Unread post by spaceout »

Try

Code:

service spamassassin restart
Unread post by coolemail »

spaceout wrote: Try

Code:

service spamassassin restart

Thank you, that worked. But I'm not sure if it will make any difference as I had pyzor anyway.
I'd love any "best practice" suggestions on how to reduce the Spam and what others do with the Spamhaus issue of not being able to use their blocklists.
Unread post by faris »

Install spamdyke if you have not done so already. That's right at the top of Best Practice for qmail.

If you do so you'll need to move your blacklists from the plesk side of things to the spamdyke config.
Be warned that pop-before-relay will also stop working. You'll get lots of wonderful log entries (if you want) telling you what is being rejected and why.

Read the documentation. Experiment on a different port. www.spamdyke.org (but Scott has an rpm in the Atomic repo).

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Unread post by spaceout »

I would also highly recommend Spamdyke.

On my server I get a crazy amount of spam from .info domains and I have a wildcard block on that entire top level domain (*@*.info). Obviously, this is a little extreme and won't work for everyone, but it prevents a huge amount of spam for some of my clients.
Unread post by biggles »

+1 for spamdyke. And you can also install a wonderful plugin from haggybear (I think there is a port in the atomic repo, but out of old habit I install it myself), which gives your clients control over their own spamdyke settings/greylisting.
Unread post by BruceLee »

We use spamdyke too (also from haggybear with mysql support). The latest mysql version also supports the new spamdyke version 4.1.0 which has some nice new features.
Unread post by coolemail »

Thanks for that resounding support for Spamdyke. I used to have it operational on our servers and there are the main files there still

[plesk2.expat-email.co.uk ~]# locate spamdyke
/etc/spamdyke-statistics.pl
/etc/spamdyke.conf.rpmnew
/etc/spamdyke.conf.rpmsave
/etc/spamdyke_stats.pl
/usr/share/spamdyke
/usr/share/doc/spamdyke-4.0.10
/var/qmail/spamdyke
/var/qmail/spamdyke/blacklist_ip.rpmsave
/var/qmail/spamdyke/blacklist_keywords.rpmsave
/var/qmail/spamdyke/blacklist_rdns
/var/qmail/spamdyke/blacklist_senders.rpmsave
/var/qmail/spamdyke/whitelist_ip.rpmsave
/var/qmail/spamdyke/whitelist_recipients
/var/qmail/spamdyke/whitelist_senders.rpmsave
[plesk2.expat-email.co.uk ~]#

So is there something easy I can do to just make it work again within the whole qmail? A line added to a qmail config file, perhaps? Because some of the files still have the various changes that we had put in like whitelist and blacklist entries.
Unread post by BruceLee »

Follow the tut from here:
http://atomicorp.com/forums/viewtopic.p ... +haggybear
or install from atomic repo. After installation you can update manually.
Unread post by faris »

This is the problem when you use an RPM - it puts things in various places and you don't necessarily know where.

Look at your /etc/xinet.d/smtp_psa to see where the configuration file has been put.

In the configuration file you'll see links to some of the files and folders that you mentioned. Basically spamdyke is flexible, so you can have everything in your config file, or you can point to other files containing lists of things, or you can point to directories containing various bits and bobs, usually domain-specific.

Their purpose is all explained in the spamdyke documentation.

For example, a spamdyke.conf might look a bit like this:

Code:

#basics:
#use log-level=verbose to see which dnsrbls triggered. use info for normal level. use debug for loads of stuff.
log-level=verbose
local-domains-file=/var/qmail/control/rcpthosts
local-domains-file=/var/qmail/control/morercpthosts

#general options:
max-recipients=50
idle-timeout-secs=60
greeting-delay-secs=5
policy-url=http://www.redacted.net/terms/emailterms.php
#graylist options
graylist-dir=/var/qmail/graylist
graylist-level=always-create-dir
graylist-min-secs=300
graylist-max-secs=1814400
#general blacklists
ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient
#whitelisting
ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
sender-whitelist-file=/etc/spamdyke.d/whitelist_sender
#dnsbls
dns-blacklist-entry=email.dnsbl.redacted.org
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=dnsbl.sorbs.net
dns-blacklist-entry=b.barracudacentral.org
#general settings
reject-empty-rdns
reject-unresolvable-rdns
reject-missing-sender-mx

Unread post by coolemail »

Thank you faris. I will do all that.

While posting, can anyone give me the easy way in Spamassassin to blacklist "LinkedIn Communication" if found in the subject? We are seeing a lot of Spam purporting to come from them and it would seem sensible in the rules to give more points to that phrase. I have had a look at the various Spamassassin links but could not find anything very clear about all that. I'd be grateful for the hint if people can help.

The genuine LinkedIn emails are signed and come from a single IP. The Spam ones are not signed, come from various IPs, but there is always one line that makes it look like it is from LinkedIn and the true LinkedIn emails have this.

Received: (qmail 3158 invoked by uid 10113); 30 Sep 2010 16:40:08 +0100
Received: from 115.242.66.92 by plesk2.mydomain.co.uk (envelope-from <extinguishd819@real-sense.com>, uid 2020) with qmail-scanner-2.08st
 (clamdscan: 0.96.2/12051. spamassassin: 3.2.5. perlscan: 2.08st.
 Clear:RC:0(115.242.66.92):SA:0(-0.9/3.0):.
 Processed in 4.515238 secs); 30 Sep 2010 15:40:08 -0000
X-Spam-Status: No, hits=-0.9 required=3.0
Received: from unknown (HELO NMGBLXIP) (115.242.66.92)
 by plesk2.mydomain.co.uk with SMTP; 30 Sep 2010 16:40:03 +0100
Received: from mail14-a-ab.linkedin.com (mail14-a-ab.linkedin.com [64.74.98.136])
 by mx.last.plus.net (8.13.8/8.13.8) with ESMTP id 0WLHWVF084260

That makes me think that I will have to blacklist by various common words in the subject. Or otherwise, I will do it from various phrases that I may find in the body of the email if that is possible (can you tell me how I would do that?).
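
The point in the post above about the copied LinkedIn Received line, as an added example that is not part of the original thread: only the Received header stamped by your own server records who actually connected, and everything beneath it is supplied by the sender. The function name, the regular expression for the qmail-smtpd stamp and the Subject line in the sample are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Headers quoted in the post above (continuation lines re-indented).
# The Subject line is constructed from the phrase the post mentions.
SAMPLE = """\
Received: from unknown (HELO NMGBLXIP) (115.242.66.92)
  by plesk2.mydomain.co.uk with SMTP; 30 Sep 2010 16:40:03 +0100
Received: from mail14-a-ab.linkedin.com (mail14-a-ab.linkedin.com [64.74.98.136])
  by mx.last.plus.net (8.13.8/8.13.8) with ESMTP id 0WLHWVF084260
Subject: LinkedIn Communication

(body omitted)
"""

# qmail-smtpd stamp: from <rdns|unknown> (HELO <helo>) (<ip>) by <host> with SMTP
QMAIL_HOP = re.compile(r"from (\S+) \(HELO (\S+)\) \(([\d.]+)\)\s+by (\S+) with")


def check_claimed_origin(raw, our_host, brand_domain):
    """Compare the hop our own server recorded with what older headers claim.

    Returns None when no Received line stamped by our_host is found.
    """
    hops = message_from_string(raw).get_all("Received", [])
    for i, hop in enumerate(hops):
        m = QMAIL_HOP.search(hop)
        if m and m.group(4).lower() == our_host.lower():
            rdns, ip = m.group(1).lower(), m.group(3)
            break
    else:
        return None
    # Everything below our own stamp was supplied by the sender and can be
    # copied from a genuine message, so it is only a claim.
    claims = any(brand_domain in h.lower() for h in hops[i + 1:])
    rdns_ok = rdns == brand_domain or rdns.endswith("." + brand_domain)
    return {
        "client_ip": ip,
        "client_rdns": rdns,
        "claims_brand": claims,
        # Mail forwarded through a third party also lands here, so treat
        # this as a scoring signal rather than grounds for rejection.
        "suspicious": claims and not rdns_ok,
    }
```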
Unread post by coolemail »

Can anyone tell me how to get SpamAssassin to show the breakdown of the scores (WITH VALUES) when emails come in?

Email headers show:

X-Spam-Status: Yes, hits=3.3 required=3.0
X-Spam-Level: +++
Received: from lmmoss.com (130.94.180.117)

and the maillog shows the SA rule only, without the score:

Oct 5 11:08:40 plesk2 spamd[9252]: spamd: result: . 1 - BAYES_00,HTML_MESSAGE,MPART_ALT_DIFF_COUNT,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=0.5,size=6114,user=qscand,uid=10113,required_score=3.0,rhost=localhost,raddr=127.0.0.1,rport=59694,mid=<20101005030505.blycv$vdrzczkzj.tfd@japovy.buckhou.com>,bayes=0.000852,autolearn=no

And at server level, are we able to tell SA that particular emails are Spam for it to use in the Bayes testing when it has allowed some through which are Spam but not tagged as such? I have the feeling that it is not learning what it should at present.
Unread post by faris »

There's an option in the qmail-scanner configuration file but Scott recommends against it as it slows performance quite a bit.

You can see the breakdown in the maillog though, so if you just want to see what's happening out of curiosity then you can use that.

Faris.
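
One way to get the per-rule values asked about above, as an added example that is not from the thread or from SpamAssassin itself: join the rule names in the spamd result line with the values from SpamAssassin `score` lines. The function names and the score values are constructed for the example; on a live system the scores come from the installed rule files and local.cf.

```python
import re

# Constructed excerpt in SpamAssassin "score" syntax; the numbers are
# placeholders, not the defaults shipped with any release.
SAMPLE_SCORES = """\
score BAYES_00 0 0 -2.0 -2.5
score HTML_MESSAGE 0.001
score RAZOR2_CHECK 0 0.5 0 0.5   # one value per score set
score RAZOR2_CF_RANGE_51_100 0 0.5 0 0.5
"""

# spamd result line from the post above, with some key=value fields trimmed.
SAMPLE_LOG = (
    "Oct 5 11:08:40 plesk2 spamd[9252]: spamd: result: . 1 - BAYES_00,"
    "HTML_MESSAGE,MPART_ALT_DIFF_COUNT,RAZOR2_CF_RANGE_51_100,"
    "RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=0.5,size=6114,"
    "user=qscand,required_score=3.0,bayes=0.000852,autolearn=no"
)

RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) +(?P<hits>-?\d+) - (?P<rules>\S*) (?P<kv>.*)$"
)

def load_scores(text, score_set=3):
    """Parse 'score NAME v' or 'score NAME v0 v1 v2 v3' lines."""
    # Sets: 0 = no Bayes, no network; 1 = network; 2 = Bayes; 3 = both.
    scores = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) in (3, 6) and parts[0] == "score":
            vals = [float(v) for v in parts[2:]]
            scores[parts[1]] = vals[score_set] if len(vals) == 4 else vals[0]
    return scores

def breakdown(log_line, scores):
    """Return spamd's verdict plus (rule, score) pairs; None if no match."""
    m = RESULT_RE.search(log_line)
    if m is None:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split(",") if "=" in p)
    rules = [r for r in m.group("rules").split(",") if r]
    return {
        "spam": m.group("flag") == "Y",
        "hits": int(m.group("hits")),
        "required": float(kv["required_score"]),
        "autolearn": kv.get("autolearn"),
        "rules": [(r, scores.get(r)) for r in rules],  # None: score not found
    }
```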