
anti-spam pointers please
Hi

It's some years since I've spent time tweaking my exim setup to receive
spam. I've forgotten any skills I might once have had in this area.

I've gotten sick of getting 30+ spam emails a day and need to do something
about it! I'd be grateful for some pointers to the state-of-the-art setup.

Right now relay blocks, cram_md5 rejects and Spamhaus blocks account for about
500-1000 rejections a day (no wonder everyone has gone to Google mail!).

I'm running Exim 4.89-2+deb9u3 under Debian, with spamassassin/spamc 3.4.2.1

Spamd is reporting along the following lines.

spamd: result: . 0 - BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,FORGED_MUA_MOZILLA,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED scantime=0.5,size=5448,user=mail,uid=8,required_score=3.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=59670,mid=<example.mail.com>,bayes=0.000000,autolearn=disabled

Pointers much appreciated.

Rory



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: anti-spam pointers please
On 04/01/2019 2:01 pm, Rory Campbell-Lange via Exim-users wrote:
> Hi
>
> It's some years since I've spent time tweaking my exim setup to receive
> spam. I've forgotten any skills I might once have had in this area.
>
> I've gotten sick of getting 30+ spam emails a day and need to do
> something
> about it! I'd be grateful for some pointers to the state-of-the-art
> setup.
>
> right now relay blocks, cram_md5 rejects and spamhaus blocks account
> for about
> 500-1000 rejections a day (no wonder everyone has gone to Google
> mail!).
>
> I'm running Exim 4.89-2+deb9u3 under Debian, with spamassassin/spamc
> 3.4.2.1
>
> Spamd is reporting along the following lines.
>
> spamd: result: . 0 - BAYES_00,
> DKIMWL_WL_HIGH,
> DKIM_SIGNED,
> DKIM_VALID,
> DKIM_VALID_EF,
> FORGED_MUA_MOZILLA,
> HEADER_FROM_DIFFERENT_DOMAINS,
> MAILING_LIST_MULTI,
> SPF_PASS,
> URIBL_BLOCKED scantime=0.5,
> size=5448,
> user=mail,
> uid=8,
> required_score=3.0,
> rhost=127.0.0.1,
> raddr=127.0.0.1,
> rport=59670,
> mid=<example.mail.com>,
> bayes=0.000000,
> autolearn=disabled
>
> Pointers much appreciated.
>
> Rory

I use the following in my content check ACL:

  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        ! authenticated = *
        spam = smmsp:true

  warn  message = X-LERCTR-Spam-Score: $spam_score ($spam_bar)
        ! authenticated = *
        spam = smmsp:true

  warn  message = X-Spam-Report: $spam_report
        ! authenticated = *
        spam = smmsp:true

  warn  message = X-LERCTR-Spam-Report: $spam_report
        ! authenticated = *
        spam = smmsp:true

  # Add X-Spam-Flag if spam is over system-wide threshold
  warn  message = X-Spam-Flag: YES
        ! authenticated = *
        spam = smmsp:true
        condition = ${if >={$spam_score_int}{50}{1}{0}}

  warn  message = X-LERCTR-Spam-Flag: YES
        ! authenticated = *
        spam = smmsp:true
        condition = ${if >={$spam_score_int}{50}{1}{0}}

  #warn message = DomainKey-Status: $dkim_status
  #      !condition = ${if eq{$dkim_status}{}{1}{0}}

  # Reject spam messages with score over 7, using an extra condition.
  deny  message = This message scored $spam_score points. Congratulations!
        ! authenticated = *
        spam = smmsp:true
        condition = ${if >{$spam_score_int}{70}{1}{0}}

This is with spamd_address set to 127.0.0.1 783 in the first section.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: anti-spam pointers please
On 01/04/19, Larry Rosenman (ler@lerctr.org) wrote:
> On 04/01/2019 2:01 pm, Rory Campbell-Lange via Exim-users wrote:
> > It's some years since I've spent time tweaking my exim setup to receive
> > spam. I've forgotten any skills I might once have had in this area.
> >
> > I've gotten sick of getting 30+ spam emails a day and need to do
> > something about it! I'd be grateful for some pointers to the
> > state-of-the-art setup.
...
> > Pointers much appreciated.
>
> I use the following in my content check ACL:
>
> warn message = X-Spam-Score: $spam_score ($spam_bar)
> ! authenticated = *
> spam = smmsp:true
> warn message = X-LERCTR-Spam-Score: $spam_score ($spam_bar)
> ! authenticated = *
> spam = smmsp:true
> warn message = X-Spam-Report: $spam_report
> ! authenticated = *
> spam = smmsp:true
> warn message = X-LERCTR-Spam-Report: $spam_report
> ! authenticated = *
> spam = smmsp:true
> # Add X-Spam-Flag if spam is over system-wide threshold
> warn message = X-Spam-Flag: YES
> ! authenticated = *
> spam = smmsp:true
> condition = ${if >={$spam_score_int}{50}{1}{0}}
> warn message = X-LERCTR-Spam-Flag: YES
> ! authenticated = *
> spam = smmsp:true
> condition = ${if >={$spam_score_int}{50}{1}{0}}
>
> #warn message = DomainKey-Status: $dkim_status
> # !condition = ${if eq{$dkim_status}{}{1}{0}}
> # Reject spam messages with score over 7, using an extra condition.
> deny message = This message scored $spam_score points. Congratulations!
> ! authenticated = *
> spam = smmsp:true
> condition = ${if >{$spam_score_int}{70}{1}{0}}
>
> With having spamd_address set to 127.0.0.1 783 in the first section.

Hi Larry

Thanks very much for the suggestions.

Glancing at the docs under chapter 35, I guess my local users are
"authenticated" due to our use of cram_md5. I'm giving your rules a go!

I wonder also if my /etc/spamassassin/local.cf is right

required_score 3.0
score RP_MATCHES_RCVD -0.01
bayes_auto_learn 0
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit

Required score seems quite a bit lower than 70 in Exim.

Thanks again
Rory



Re: anti-spam pointers please
On Tuesday, 2 April 2019, 09:20:26 CEST, Rory Campbell-Lange via
Exim-users wrote:
> required_score 3.0
this is very low from my experience (if you work with a "default" SA setup,
especially if you enabled most of the available extensions). This typically
leads to a lot of false positives if you have a typical SA setup. If you have
most extensions disabled, then 3.0 may be "fitting", but then SA could not
recognize spam well, because it has not many facts to decide / value an email.

SA default is 5.0, which is a good value for "typical" personal usage. 2.5-3.0
is more typical for greylisting or similar, more "soft" limits.

Typical values in multi-user environments are around 5.0-7.0, while every 0.1
is important. If you go under 5.0 you (very) probably will lose some ham. On
a machine with around 200,000 SMTP sessions per day I tweaked the score over
months in a range of 0.4 to find working results.

With further own extensions (or score "additions" in Exim) the score could
rise further, so even a bit higher values may be required.


hth a bit,
best regards,


niels.


--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---

Re: anti-spam pointers please
On 2 Apr 2019, at 10:18, Niels Dettenbach via Exim-users <exim-users@exim.org> wrote:
>
> Typical values in multi-user environments are around 5.0-7.0, while every 0.1
> is important. If you go under 5.0 you (very) probably will lose some ham. On
> a machine with around 200,000 SMTP sessions per day I tweaked the score over
> months in a range of 0.4 to find working results.

If you look at Rory’s exim config in his original post, reject score is set to 7. The required_score in SA is not really relevant.

Graeme

Re: anti-spam pointers please
On Apr 01, Rory Campbell-Lange via Exim-users wrote
> Hi
>
> It's some years since I've spent time tweaking my exim setup to receive
> spam. I've forgotten any skills I might once have had in this area.

I've had much more success with other techniques, greylisting,
zen.spamhaus.org, delayed HELO, and fail2ban.

Very little then gets through the spamassassin, and it deals with the
rest.

Happy to share my config, but most of it is just setting Debian macros.

Thanks,

Richard

--
junix.systems/privacy


Re: anti-spam pointers please
Hi Rory

Are you including Sanesecurity signatures in your setup?
If not, just install the Debian package clamav-unofficial-sigs.
Then ensure Exim or SpamAssassin is configured to scan mail via ClamAV.

HTH
Regards
Brent

On 2019/04/01 21:01, Rory Campbell-Lange via Exim-users wrote:
> Hi
>
> It's some years since I've spent time tweaking my exim setup to receive
> spam. I've forgotten any skills I might once have had in this area.
>
> I've gotten sick of getting 30+ spam emails a day and need to do something
> about it! I'd be grateful for some pointers to the state-of-the-art setup.
>
> right now relay blocks, cram_md5 rejects and spamhaus blocks account for about
> 500-1000 rejections a day (no wonder everyone has gone to Google mail!).
>
> I'm running Exim 4.89-2+deb9u3 under Debian, with spamassassin/spamc 3.4.2.1
>
> Spamd is reporting along the following lines.
>
> spamd: result: . 0 - BAYES_00,
> DKIMWL_WL_HIGH,
> DKIM_SIGNED,
> DKIM_VALID,
> DKIM_VALID_EF,
> FORGED_MUA_MOZILLA,
> HEADER_FROM_DIFFERENT_DOMAINS,
> MAILING_LIST_MULTI,
> SPF_PASS,
> URIBL_BLOCKED scantime=0.5,
> size=5448,
> user=mail,
> uid=8,
> required_score=3.0,
> rhost=127.0.0.1,
> raddr=127.0.0.1,
> rport=59670,
> mid=<example.mail.com>,
> bayes=0.000000,
> autolearn=disabled
>
> Pointers much appreciated.
>
> Rory
>
>
>


Re: anti-spam pointers please
Just to add

Include Kevin McGrail's KAM rules in your SpamAssassin:
http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf

You just need to make sure your ham corpus is good, else rescore the values.

HTH
Brent


On 2019/04/02 13:15, Brent Clark wrote:
> Hi Rory
>
> Are you including Sanesecurity signatures in your setup?
> If not, just install the Debian package clamav-unofficial-sigs.
> Then ensure Exim or SpamAssassin is configured to scan mail via ClamAV.
>
> HTH
> Regards
> Brent
>
> On 2019/04/01 21:01, Rory Campbell-Lange via Exim-users wrote:
>> Hi
>>
>> It's some years since I've spent time tweaking my exim setup to receive
>> spam. I've forgotten any skills I might once have had in this area.
>>
>> I've gotten sick of getting 30+ spam emails a day and need to do
>> something
>> about it! I'd be grateful for some pointers to the state-of-the-art
>> setup.
>>
>> right now relay blocks, cram_md5 rejects and spamhaus blocks account
>> for about
>> 500-1000 rejections a day (no wonder everyone has gone to Google mail!).
>>
>> I'm running Exim 4.89-2+deb9u3 under Debian, with spamassassin/spamc
>> 3.4.2.1
>>
>> Spamd is reporting along the following lines.
>>
>>     spamd: result: . 0 - BAYES_00,
>>                 DKIMWL_WL_HIGH,
>>                 DKIM_SIGNED,
>>                 DKIM_VALID,
>>                 DKIM_VALID_EF,
>>                 FORGED_MUA_MOZILLA,
>>                 HEADER_FROM_DIFFERENT_DOMAINS,
>>                 MAILING_LIST_MULTI,
>>                 SPF_PASS,
>>                 URIBL_BLOCKED scantime=0.5,
>>                 size=5448,
>>                 user=mail,
>>                 uid=8,
>>                 required_score=3.0,
>>                 rhost=127.0.0.1,
>>                 raddr=127.0.0.1,
>>                 rport=59670,
>>                 mid=<example.mail.com>,
>>                 bayes=0.000000,
>>                 autolearn=disabled
>>
>> Pointers much appreciated.
>>
>> Rory
>>
>>
>>


Re: anti-spam pointers please
On Mon, 1 Apr 2019 at 22:12, Rory Campbell-Lange via Exim-users <
exim-users@exim.org> wrote:

> Hi
>
> It's some years since I've spent time tweaking my exim setup to receive
> spam. I've forgotten any skills I might once have had in this area.
>
> I've gotten sick of getting 30+ spam emails a day and need to do something
> about it! I'd be grateful for some pointers to the state-of-the-art setup.
>
> right now relay blocks, cram_md5 rejects and spamhaus blocks account for
> about
> 500-1000 rejections a day (no wonder everyone has gone to Google mail!).
>
> I'm running Exim 4.89-2+deb9u3 under Debian, with spamassassin/spamc
> 3.4.2.1
>
> Spamd is reporting along the following lines.
>
> spamd: result: . 0 - BAYES_00,
> DKIMWL_WL_HIGH,
> DKIM_SIGNED,
> DKIM_VALID,
> DKIM_VALID_EF,
> FORGED_MUA_MOZILLA,
> HEADER_FROM_DIFFERENT_DOMAINS,
> MAILING_LIST_MULTI,
> SPF_PASS,
> URIBL_BLOCKED scantime=0.5,
> size=5448,
> user=mail,
> uid=8,
> required_score=3.0,
> rhost=127.0.0.1,
> raddr=127.0.0.1,
> rport=59670,
> mid=<example.mail.com>,
> bayes=0.000000,
> autolearn=disabled
>
> Pointers much appreciated.
>
> Rory



Hello Rory,

Long time!

Lately, you can also substitute rspamd for SpamAssassin.
I hope you are also doing rDNS checks. They help me block many spammers too.



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

Re: anti-spam pointers please
On 02/04/19, Graeme Fowler via Exim-users (exim-users@exim.org) wrote:
> On 2 Apr 2019, at 10:18, Niels Dettenbach via Exim-users <exim-users@exim.org> wrote:
> >
> > Typical values in multi-user environments are around 5.0-7.0, while every 0.1
> > is important. If you go under 5.0 you (very) probably will lose some ham. On
> > a machine with around 200,000 SMTP sessions per day I tweaked the score over
> > months in a range of 0.4 to find working results.

Thanks for the comments, Graeme

I think the issue is that the Bayes score seems unreasonably low (see extract
below).

Perhaps one of my local.cf spamassassin settings needs to be altered?
'man spamassassin' and 'man spamc' aren't very helpful on these configuration
items.

required_score 3.0
score RP_MATCHES_RCVD -0.01
# I changed this to 1 earlier today from 0
bayes_auto_learn 1
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit

X-LERCTR-Spam-Score: 0.9 (/)
X-Spam-Report: Spam detection software, running on the system "clwnew",
  has NOT identified this incoming email as spam.  The original
  message has been attached to this so you can view it or label
  similar future email.  If you have any questions, see
  the administrator of that system for details.

  Content preview:  http://www.carautorepaires.trade/l/lt17AA14786WC837W/1386TU4650I6977L282OQ16700329D1334124886
    http://www.carautorepaires.trade/l/lc10UN14786DF837E/1386EH4650B6977Q282AT16700329Y1334124886
    Have you tried everything to shed that excess fat off your tummy?

  Content analysis details:   (0.9 points, 3.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL
                              blocklist
                              [URIs: carautorepaires.trade]
   0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                              blocked.  See
                              http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                              [URIs: carautorepaires.trade]
   0.0 RCVD_IN_DNSWL_BLOCKED  RBL: ADMINISTRATOR NOTICE: The query to
                              DNSWL was blocked.  See
                              http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                              [79.133.33.86 listed in list.dnswl.org]
  -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                              [score: 0.0000]
   0.0 DIET_1                 BODY: Lose Weight Spam
   0.0 HTML_MESSAGE           BODY: HTML included in message
   0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
   0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
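To see how much the BAYES_00 hit is pulling the total down, and what Larry's Exim thresholds would do with the same message, here is an added example (it is not from the thread and not SpamAssassin or Exim code) that parses the "Content analysis details" table of an X-Spam-Report. The sample report is constructed to mirror the one above with placeholder names; the 50/70 thresholds on $spam_score_int (the score times ten) are the ones from Larry's ACL, and the function and parameter names (parse_report, summarise, flag_at, deny_over) are my own.

```python
import re

# Constructed sample, shaped like the "Content analysis details" section that
# SpamAssassin writes into X-Spam-Report (modelled on the report quoted in the
# thread; the URI name here is a placeholder).
SAMPLE_REPORT = """\
Content analysis details:   (0.9 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL
                            blocklist
                            [URIs: spam-example.invalid]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                            blocked.
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.0 DIET_1                 BODY: Lose Weight Spam
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
"""

# A scoring line starts with the points (signed decimal) followed by the rule
# name; continuation lines of a description start with whitespace and no number,
# so they never match.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")


def parse_report(text):
    """Return [(rule, points), ...] in the order SpamAssassin listed them."""
    hits = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1))))
    return hits


def summarise(hits, required=3.0, flag_at=50, deny_over=70):
    """Split the score into its Bayes and non-Bayes parts and map it onto the
    Exim-side decisions. $spam_score_int is the score times ten, so Larry's
    ACL adds X-Spam-Flag at spam_score_int >= 50 and denies at > 70."""
    total = round(sum(p for _, p in hits), 1)
    bayes = [(r, p) for r, p in hits if r.startswith("BAYES_")]
    bayes_pts = round(sum(p for _, p in bayes), 1)
    score_int = int(round(total * 10))
    return {
        "total": total,
        "bayes_rule": bayes[0][0] if bayes else None,
        "bayes_points": bayes_pts,
        "without_bayes": round(total - bayes_pts, 1),
        "spam_score_int": score_int,
        "sa_says_spam": total >= required,
        "exim_flag": score_int >= flag_at,
        "exim_deny": score_int > deny_over,
    }


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key:>15}: {value}")
```

Run on the sample, the message sits at 2.8 points before Bayes and 0.9 after it, so the -1.9 from BAYES_00 is what keeps it under the 3.0 required_score, and it is nowhere near the 50/70 thresholds Exim is looking at.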


Re: anti-spam pointers please
On 04/02/2019 2:20 am, Rory Campbell-Lange via Exim-users wrote:
> On 01/04/19, Larry Rosenman (ler@lerctr.org) wrote:
>> On 04/01/2019 2:01 pm, Rory Campbell-Lange via Exim-users wrote:
>> > It's some years since I've spent time tweaking my exim setup to receive
>> > spam. I've forgotten any skills I might once have had in this area.
>> >
>> > I've gotten sick of getting 30+ spam emails a day and need to do
>> > something about it! I'd be grateful for some pointers to the
>> > state-of-the-art setup.
> ...
>> > Pointers much appreciated.
>>
>> I use the following in my content check ACL:
>>
>> warn message = X-Spam-Score: $spam_score ($spam_bar)
>> ! authenticated = *
>> spam = smmsp:true
>> warn message = X-LERCTR-Spam-Score: $spam_score ($spam_bar)
>> ! authenticated = *
>> spam = smmsp:true
>> warn message = X-Spam-Report: $spam_report
>> ! authenticated = *
>> spam = smmsp:true
>> warn message = X-LERCTR-Spam-Report: $spam_report
>> ! authenticated = *
>> spam = smmsp:true
>> # Add X-Spam-Flag if spam is over system-wide threshold
>> warn message = X-Spam-Flag: YES
>> ! authenticated = *
>> spam = smmsp:true
>> condition = ${if >={$spam_score_int}{50}{1}{0}}
>> warn message = X-LERCTR-Spam-Flag: YES
>> ! authenticated = *
>> spam = smmsp:true
>> condition = ${if >={$spam_score_int}{50}{1}{0}}
>>
>> #warn message = DomainKey-Status: $dkim_status
>> # !condition = ${if eq{$dkim_status}{}{1}{0}}
>> # Reject spam messages with score over 7, using an extra condition.
>> deny message = This message scored $spam_score points.
>> Congratulations!
>> ! authenticated = *
>> spam = smmsp:true
>> condition = ${if >{$spam_score_int}{70}{1}{0}}
>>
>> With having spamd_address set to 127.0.0.1 783 in the first section.
>
> Hi Larry
>
> Thanks very much for the suggestions.
>
> Glancing at the docs under chapter 35, I guess my local users are
> "authenticated" due to our use of cram_md5. I'm giving your rules a go!
>
> I wonder also if my /etc/spamassassin/local.cf is right
>
> required_score 3.0
> score RP_MATCHES_RCVD -0.01
> bayes_auto_learn 0
> ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
> endif # Mail::SpamAssassin::Plugin::Shortcircuit
>
> Required score seems quite a bit lower than 70 in Exim.
>
> Thanks again
> Rory
Please do *NOT* use the X-LERCTR header (that's my domain)....

Also, to get a nice compact report, I have smmsp's user_prefs set to:

  ?68% [root@thebighonker.lerctr.org:~] # cat user_prefs
  clear_report_template
  report SpamScore (_SCORE_/_REQD_) _TESTSSCORES(,)_
  ?68% [root@thebighonker.lerctr.org:~] #

(smmsp is the user Exim calls spamd as).

Note also that $spam_score_int is the score * 10.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: anti-spam pointers please
On 02/04/19, Odhiambo Washington via Exim-users (exim-users@exim.org) wrote:
> On Mon, 1 Apr 2019 at 22:12, Rory Campbell-Lange via Exim-users <
> exim-users@exim.org> wrote:
>
> > It's some years since I've spent time tweaking my exim setup to receive
> > spam. I've forgotten any skills I might once have had in this area.

> Hello Rory,
>
> Long time!
>
> Lately, you can also substitute rspamd for SpamAssassin.
> I hope you are also doing rDNS checks. They help me block many spammers too.

Hi Odhiambo. Lovely to receive an email from you after all these years!

I've spent some time looking at the rspamd website following your
mention of it. I'll turn to that if I can't improve my spamassassin
performance!

For RDNS do you recommend something along the lines of

  drop  message = REJECTED - Sender Verify Failed and no RDNS
        log_message = REJECTED - Sender Verify Failed and no RDNS
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition = ${if eq{$sender_verify_failure}{}}

(reference https://github.com/Exim/exim/wiki/Verification)

Kind regards
Rory



Re: anti-spam pointers please
On 02/04/19, Larry Rosenman via Exim-users (exim-users@exim.org) wrote:
> On 04/02/2019 2:20 am, Rory Campbell-Lange via Exim-users wrote:
> > On 01/04/19, Larry Rosenman (ler@lerctr.org) wrote:
> > > On 04/01/2019 2:01 pm, Rory Campbell-Lange via Exim-users wrote:
> > > > It's some years since I've spent time tweaking my exim setup to receive
> > > > spam. I've forgotten any skills I might once have had in this area.
> > > >
> > > > I've gotten sick of getting 30+ spam emails a day and need to do
> > > > something about it! I'd be grateful for some pointers to the
> > > > state-of-the-art setup.
> >
> > Glancing at the docs under chapter 35, I guess my local users are
> > "authenticated" due to our use of cram_md5. I'm giving your rules a go!
> >
> > I wonder also if my /etc/spamassassin/local.cf is right
> >
> > required_score 3.0
> > score RP_MATCHES_RCVD -0.01
> > bayes_auto_learn 0
> > ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
> > endif # Mail::SpamAssassin::Plugin::Shortcircuit
> >
> > Required score seems quite a bit lower than 70 in Exim.
> >
> > Thanks again
> > Rory

> Please do *NOT* use the X-LERCTR header (that's my domain)....

Sorry about that Larry -- that was a test using your rules.

> Also, to get a nice compact report, I have smmsp's user_prefs set to:
> ?68% [root@thebighonker.lerctr.org:~] # cat user_prefs
> clear_report_template
> report SpamScore (_SCORE_/_REQD_) _TESTSSCORES(,)_
> ?68% [root@thebighonker.lerctr.org:~] #
>
> (smmsp is the user exim calls spamd as).
>
> note also that $spam_score_int is the score * 10.

Thank you. My scores are improving.

However I'm still getting all BAYES_00 scores as -1.9. I assume this is
because I've not yet trained sa-learn with enough spam. (I've trained it
with several thousand spam messages).


Re: anti-spam pointers please
On Wed, 3 Apr 2019 at 11:27, Rory Campbell-Lange <rory@campbell-lange.net>
wrote:

> On 02/04/19, Odhiambo Washington via Exim-users (exim-users@exim.org)
> wrote:
> > On Mon, 1 Apr 2019 at 22:12, Rory Campbell-Lange via Exim-users <
> > exim-users@exim.org> wrote:
> >
> > > It's some years since I've spent time tweaking my exim setup to receive
> > > spam. I've forgotten any skills I might once have had in this area.
>
> > Hello Rory,
> >
> > Long time!
> >
> > Lately, you can also substitute rspamd for SpamAssassin.
> > I hope you are also doing rDNS checks. They help me block many spammers
> too.
>
> Hi Odhiambo. Lovely to receive an email from you after all these years!
>
> I've spent some time looking at the rspamd website following your
> mention of it. I'll turn to that if I can't improve my spamassassin
> performance!
>
> For RDNS do you recommend something along the lines of
>
> drop message = REJECTED - Sender Verify Failed and no RDNS
> log_message = REJECTED - Sender Verify Failed and
> no RDNS
> !verify = reverse_host_lookup
> !verify = sender/callout=2m,defer_ok
> !condition = ${if eq{$sender_verify_failure}{}}
>
> (reference https://github.com/Exim/exim/wiki/Verification)
>
> Kind regards
> Rory
>

Hi Rory,

Yes, you can do that, but I would actually split the test into two for
clarity in logging.

  deny  message = REJECTED - rDNS Verify Failed
        log_message = rDNS fail for $sender_host_address
        # check only port 25, not users submitting on port 587
        condition = ${if eq{$interface_port}{25}}
        !verify = reverse_host_lookup

I would do the sender verification check separately:

  deny  message = REJECTED - Sender Verify Failed
        log_message = REJECTED - Sender Verify Failed for $sender_address
        !verify = sender/callout=2m,defer_ok
        !condition = ${if eq{$sender_verify_failure}{}}

YMMV.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
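What verify = reverse_host_lookup actually checks is forward-confirmed reverse DNS: the name found in the client's PTR record must itself resolve back to the connecting address, otherwise anyone who controls a reverse zone could put a respectable-looking name in it. The following is an added example, not Exim code and not from the thread, that implements that check in Python with an injectable resolver so it runs offline. The addresses and names are constructed, the fake_*/live_* lookup helpers and the rdns_acl function are my own, and rdns_acl mirrors the port-25-only logic of the deny statement above.

```python
import socket

# Constructed resolver tables standing in for DNS, so the example runs offline.
# 192.0.2.10 has a PTR whose A record points back to it (forward-confirmed);
# 192.0.2.20 has a PTR naming the same host, but that name does not resolve to
# .20, so the PTR is not confirmed; 198.51.100.5 has no PTR at all.
FAKE_PTR = {
    "192.0.2.10": ["mx.sender-example.invalid"],
    "192.0.2.20": ["mx.sender-example.invalid"],
    "198.51.100.5": [],
}
FAKE_ADDR = {
    "mx.sender-example.invalid": ["192.0.2.10"],
}


def fake_ptr_lookup(ip):
    return FAKE_PTR.get(ip, [])


def fake_addr_lookup(name):
    return FAKE_ADDR.get(name, [])


def live_ptr_lookup(ip):
    """Real reverse lookup via the system resolver (not used offline)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_addr_lookup(name):
    """Real forward lookup of every address for a name (not used offline)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns_verify(ip, ptr_lookup=fake_ptr_lookup, addr_lookup=fake_addr_lookup):
    """Forward-confirmed reverse DNS: succeed only if some PTR name for the
    address resolves back to that same address."""
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in addr_lookup(name):
            return True, f"{name} resolves back to {ip}"
    return False, f"PTR name(s) do not resolve back to {ip}"


def rdns_acl(ip, interface_port, **resolvers):
    """Mirror of the rDNS deny statement: enforce only on port 25 so that
    authenticated submission clients on 587 (often on residential addresses
    without usable rDNS) are left alone; deny when confirmation fails."""
    if interface_port != 25:
        return "accept", "not port 25, rDNS check skipped"
    ok, reason = fcrdns_verify(ip, **resolvers)
    if ok:
        return "accept", reason
    return "deny", f"REJECTED - rDNS Verify Failed: rDNS fail for {ip} ({reason})"


if __name__ == "__main__":
    for addr, port in [("192.0.2.10", 25), ("192.0.2.20", 25),
                       ("198.51.100.5", 25), ("192.0.2.20", 587)]:
        verdict, why = rdns_acl(addr, port)
        print(f"{addr}:{port} -> {verdict} ({why})")
```

To run it against real DNS, pass ptr_lookup=live_ptr_lookup and addr_lookup=live_addr_lookup to rdns_acl; the decision logic is the same either way.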

Re: anti-spam pointers please
On Wed, 3 Apr 2019 at 11:55, Odhiambo Washington <odhiambo@gmail.com> wrote:

>
>
> On Wed, 3 Apr 2019 at 11:27, Rory Campbell-Lange <rory@campbell-lange.net>
> wrote:
>
>> On 02/04/19, Odhiambo Washington via Exim-users (exim-users@exim.org)
>> wrote:
>> > On Mon, 1 Apr 2019 at 22:12, Rory Campbell-Lange via Exim-users <
>> > exim-users@exim.org> wrote:
>> >
>> > > It's some years since I've spent time tweaking my exim setup to
>> receive
>> > > spam. I've forgotten any skills I might once have had in this area.
>>
>> > Hello Rory,
>> >
>> > Long time!
>> >
>> > Lately, you can also substitute rspamd for SpamAssassin.
>> > I hope you are also doing rDNS checks. They help me block many spammers
>> too.
>>
>> Hi Odhiambo. Lovely to receive an email from you after all these years!
>>
>> I've spent some time looking at the rspamd website following your
>> mention of it. I'll turn to that if I can't improve my spamassassin
>> performance!
>>
>> For RDNS do you recommend something along the lines of
>>
>> drop message = REJECTED - Sender Verify Failed and no RDNS
>> log_message = REJECTED - Sender Verify Failed and
>> no RDNS
>> !verify = reverse_host_lookup
>> !verify = sender/callout=2m,defer_ok
>> !condition = ${if eq{$sender_verify_failure}{}}
>>
>> (reference https://github.com/Exim/exim/wiki/Verification)
>>
>> Kind regards
>> Rory
>>
>
> Hi Rory,
>
> Yes, you can do that, but I would actually split the test into two for
> clarity in logging.
>
>
> deny message = REJECTED - rDNS Verify Failed
> log_message = rDNS fail for $sender_host_address
> # check only port 25, not users submitting on port 587
> condition = ${if eq{$interface_port}{25}}
> !verify = reverse_host_lookup
>
>
> I would do the sender verification check separately:
>
> deny message = REJECTED - Sender Verify Failed
> log_message = REJECTED - Sender Verify Failed for $sender_address
> !verify = sender/callout=2m,defer_ok,
> !condition = ${if eq{$sender_verify_failure}{}}
>
> YMMV.
>
>
I hasten to add that I prefer to do sender verification in acl_smtp_rcpt.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

Re: anti-spam pointers please
On 04/03/2019 3:33 am, Rory Campbell-Lange wrote:
> On 02/04/19, Larry Rosenman via Exim-users (exim-users@exim.org) wrote:
>> On 04/02/2019 2:20 am, Rory Campbell-Lange via Exim-users wrote:
>> > On 01/04/19, Larry Rosenman (ler@lerctr.org) wrote:
>> > > On 04/01/2019 2:01 pm, Rory Campbell-Lange via Exim-users wrote:
>> > > > It's some years since I've spent time tweaking my exim setup to receive
>> > > > spam. I've forgotten any skills I might once have had in this area.
>> > > >
>> > > > I've gotten sick of getting 30+ spam emails a day and need to do
>> > > > something about it! I'd be grateful for some pointers to the
>> > > > state-of-the-art setup.
>> >
>> > Glancing at the docs under chapter 35, I guess my local users are
>> > "authenticated" due to our use of cram_md5. I'm giving your rules a go!
>> >
>> > I wonder also if my /etc/spamassassin/local.cf is right
>> >
>> > required_score 3.0
>> > score RP_MATCHES_RCVD -0.01
>> > bayes_auto_learn 0
>> > ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
>> > endif # Mail::SpamAssassin::Plugin::Shortcircuit
>> >
>> > Required score seems quite a bit lower than 70 in Exim.
>> >
>> > Thanks again
>> > Rory
>
>> Please do *NOT* use the X-LERCTR header (that's my domain)....
>
> Sorry about that Larry -- that was a test using your rules.
Thanks!
>
>> Also, to get a nice compact report, I have smmsp's user_prefs set to:
>> ?68% [root@thebighonker.lerctr.org:~] # cat user_prefs
>> clear_report_template
>> report SpamScore (_SCORE_/_REQD_) _TESTSSCORES(,)_
>> ?68% [root@thebighonker.lerctr.org:~] #
>>
>> (smmsp is the user exim calls spamd as).
>>
>> note also that $spam_score_int is the score * 10.
>
> Thank you. My scores are improving
>
> However I'm still getting all BAYES_00 scores as -1.9. I assume this is
> because I've not yet trained sa-learn with enough spam. (I've trained
> it with several thousand spam messages).
BAYES_00 means it's HAM, you want to see if you are getting any BAYES_9*
hits for SPAM.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
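Larry's point is that BAYES_00 on a message is Bayes saying "ham", so the thing to check is which BAYES_* bucket fires on the messages that are actually spam. The script below is an added example (not from the thread, not SpamAssassin or Exim code) that parses spamd's one-line "result:" log entries, tallies the Bayes bucket per verdict, and lists messages where the bayes= probability disagrees with the final verdict. The log lines, host name and message-ids are constructed; parse_results, bayes_buckets and bayes_disagreements are my own names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of spamd "result:" log lines, one per message
# (host name, message-ids, scores and rule lists are made up).
SAMPLE_LOG = """\
Apr  3 08:01:10 mx spamd[911]: spamd: result: . 0 - BAYES_00,DKIM_VALID,SPF_PASS scantime=0.4,size=5100,user=mail,uid=8,required_score=3.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=50001,mid=<a1@example.invalid>,bayes=0.000000,autolearn=disabled
Apr  3 08:02:15 mx spamd[911]: spamd: result: . 1 - BAYES_00,HTML_MESSAGE,RDNS_NONE scantime=0.5,size=7300,user=mail,uid=8,required_score=3.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=50002,mid=<a2@example.invalid>,bayes=0.000000,autolearn=disabled
Apr  3 08:03:40 mx spamd[911]: spamd: result: Y 12 - BAYES_99,BAYES_999,URIBL_ABUSE_SURBL,DIET_1 scantime=0.6,size=4200,user=mail,uid=8,required_score=3.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=50003,mid=<a3@example.invalid>,bayes=0.999900,autolearn=disabled
Apr  3 08:04:02 mx spamd[911]: spamd: result: Y 4 - BAYES_00,URIBL_ABUSE_SURBL,MPART_ALT_DIFF,RDNS_NONE scantime=0.5,size=5448,user=mail,uid=8,required_score=3.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=50004,mid=<a4@example.invalid>,bayes=0.000000,autolearn=disabled
Apr  3 08:05:30 mx spamd[911]: spamd: result: . 2 - BAYES_50,HTML_MESSAGE scantime=0.3,size=3000,user=mail,uid=8,required_score=3.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=50005,mid=<a5@example.invalid>,bayes=0.500000,autolearn=disabled
"""

# "result: <Y|.> <rounded score> - <comma-separated rules> <key=value,...>"
RESULT = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+)"
    r".*?\bmid=(?P<mid>[^,]+),.*?\bbayes=(?P<bayes>[\d.]+)"
)


def parse_results(text):
    """One dict per result line: verdict, rounded score, rules, message-id, Bayes probability."""
    results = []
    for line in text.splitlines():
        m = RESULT.search(line)
        if not m:
            continue
        results.append({
            "verdict": "spam" if m["verdict"] == "Y" else "ham",
            "score": int(m["score"]),
            "rules": m["rules"].split(","),
            "mid": m["mid"],
            "bayes": float(m["bayes"]),
        })
    return results


def bayes_buckets(results):
    """Count the first BAYES_* rule that fired, split by spamd's own verdict.
    Healthy training shows BAYES_9x under "spam" and BAYES_0x under "ham"."""
    buckets = defaultdict(Counter)
    for r in results:
        hit = next((x for x in r["rules"] if x.startswith("BAYES_")), "BAYES_none")
        buckets[r["verdict"]][hit] += 1
    return {verdict: dict(counts) for verdict, counts in buckets.items()}


def bayes_disagreements(results):
    """Message-ids where the Bayes probability points the opposite way from
    the verdict. Many spam messages with bayes near 0 are the signature of an
    untrained or wrongly trained Bayes database."""
    return [
        r["mid"] for r in results
        if (r["verdict"] == "spam" and r["bayes"] < 0.5)
        or (r["verdict"] == "ham" and r["bayes"] > 0.5)
    ]


if __name__ == "__main__":
    results = parse_results(SAMPLE_LOG)
    print(bayes_buckets(results))
    print("bayes disagrees with verdict:", bayes_disagreements(results))
```

Feed it the real mail log (for example by reading /var/log/mail.log and filtering on "spamd: result:") and the second list is the set of messages worth checking against what sa-learn was trained on.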


Re: anti-spam pointers please
On Apr 02, Richard Jones via Exim-users wrote
> I've had much more success with other techniques, greylisting,
> zen.spamhaus.org, delayed HELO, and fail2ban.
>
> Very little then gets through the spamassassin, and it deals with the
> rest.

Here are some metrics for you, logs run from the start of the year:

  # Number of successful connections
  grep "H=" /var/log/exim4/mainlog | wc -l
  26046

  # Spam messages as scored over 2.0 by SA
  grep "Spam message" /var/log/exim4/mainlog | wc -l
  38

  # Messages blocked by Spamhaus
  grep "zen.spamhaus.org" /var/log/exim4/mainlog | wc -l
  710

  # Connection attempts blocked by Fail2Ban
  IMAP:  52361
  Exim:  24395
  Exim+: 7545

The last one is my own Exim rules and catches honey-pot addresses,
previous spam hosts, previous Spamhaus catches, and SPF hard fails.
Its purpose is mostly to keep my logs cleaner.

Thanks,

R

--
junix.systems/privacy


Re: anti-spam pointers please
On Wed, 3 Apr 2019 at 18:59, Richard Jones via Exim-users <
exim-users@exim.org> wrote:

> On Apr 02, Richard Jones via Exim-users wrote
> > I've had much more success with other techniques, greylisting,
> > zen.spamhaus.org, delayed HELO, and fail2ban.
> >
> > Very little then gets through the spamassassin, and it deals with the
> > rest.
>
> Here are some metrics for you, logs run from the start of the year:
>
> # Number of successful connections
> grep "H=" /var/log/exim4/mainlog | wc -l
> 26046
>
> # Spam messages as scored over 2.0 by SA
> grep "Spam message" /var/log/exim4/mainlog | wc -l
> 38
>
> # Messages blocked by Spamhaus
> grep "zen.spamhaus.org" /var/log/exim4/mainlog | wc -l
> 710
>
> Connection attempts blocked by Fail2Ban
> IMAP: 52361
> Exim: 24395
> Exim+: 7545
>
> The last one is my own exim rules and catches honey-pot addresses,
> previous spam hosts, previous spamhaus catches, and SPF hard fails.
> Its purpose is mostly to keep my logs cleaner.
>
> Thanks,
>
> R
>
>
Hi Richard,

Would you be willing to share your fail2ban config bits?
I have never used fail2ban, so would like to install and try, starting from
a vantage point.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)