(yea yea, I know, it’s been going on for a while 🙂
Okay, the Spam fight is back on. My spam filters have dropped down as spammers are taking screaming advantage of the problems inherent in Bayesian filters, so I’m starting to do some tuning.
Setup: ‘amavisd-new’ runs attached to Postfix on ‘seawall’, which is our firewall. All inbound mail to all our internal domains (and a bunch of relays) flows through this machine – traffic is 200-400 messages an hour.
First problem – I want to turn on the X-Spam-Status: line in -every- inbound message that amavisd/sa scans. In the amavisd.conf file, I have:
    $remove_existing_x_scanned_headers = 0;  # leave existing X-Virus-Scanned alone
    #$remove_existing_x_scanned_headers= 1;  # remove existing headers
                                             # (defaults to false)
    $remove_existing_spam_headers = 0;       # leave existing X-Spam* headers alone
    # $remove_existing_spam_headers = 1;     # remove existing spam headers if
                                             # spam scanning is enabled (default)
and
    # default values, can be overridden by more specific lookups, e.g. SQL
    $sa_tag_level_deflt  = -999; # add spam info headers if at, or above that level
    $sa_tag2_level_deflt = 5.0;  # add 'spam detected' headers at that level
    $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                                                 # at or above that level: bounce/reject/drop,
As far as I know, those should turn on the header in all inbound messages.
Second problem – how do I make the filters more effective? The number of domains / users here is pretty limited (perhaps 15-25 targets), so I’ve been considering putting in an SA rule that either whitelists or lowers the scoring if the mail is ‘well formed’ (To: dbs@homeport.org), a la Bcc’es don’t get boosted, Received lines that go through China get bumped down, all the normal tunings.
Any suggestions of where this can best be done? I’ve looked at a couple SA rules sites, such as:
http://www.rulesemporium.com/
I’m also thinking of implementing this ruleset:
http://www.exit0.us/index.php/BunchOfLetters
(specifically targeted at spam that has bayesian random text in it).
WDYallT?
Been fighting that fight myself. I added antidrug, sare adult, sare oem, FVGT_Tripwire, sare fraud, and bigevil recently and they had good effect. I use popcorn and chickenpox and a bunch of custom rules (based on expectations of a law firm so not entirely reasonable for personal mail… I mean you guys might actually expect to see the word penis in the subject line of a mail 🙂
I find that there are some very good RBLs out there… xbl.spamhaus.org for instance is pretty good.
I do find that the bayes stuff is limited. I am constantly feeding it to try to get better stuff, but I do see a lot of mail getting big bayes scores despite attempts to avoid it. You definitely have to supplement.
lleaf
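An added example (not code from the post or from the amavisd-new or SpamAssassin projects): a Python check for the first problem in the post. It lists messages that arrived without a usable X-Spam-Status header and counts which rules fired on mail that scored under the tag2 level of 5.0. Run over a folder of missed spam, the counts show whether low Bayes rules are what let it through. The sample messages and the header layouts they use are constructed assumptions.

```python
import email
import re
from collections import Counter
from email import policy

TAG2_LEVEL = 5.0  # same value as $sa_tag2_level_deflt in the post

# Constructed sample messages (not real mail). The first uses a bracketed
# tests=[NAME=score, ...] layout, the third a bare comma-separated list.
SAMPLES = [
    "Message-ID: <a1@example.test>\nTo: user@example.test\n"
    "X-Spam-Status: No, hits=1.2 tagged_above=-999.0 required=5.0\n"
    "\ttests=[BAYES_00=-2.6, HTML_MESSAGE=0.1, MIME_HTML_ONLY=3.7]\n\nbody\n",
    "Message-ID: <a2@example.test>\nTo: user@example.test\n\nbody\n",
    "Message-ID: <a3@example.test>\nTo: user@example.test\n"
    "X-Spam-Status: Yes, score=9.4 required=5.0 tests=BAYES_99,URIBL_SBL\n\nbody\n",
]

def parse_spam_status(value):
    """Return (score, [rule names]) from an X-Spam-Status value, or None."""
    flat = re.sub(r",\s+", ",", value)  # undo folding/spacing inside the rule list
    score = re.search(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)", flat)
    if not score:
        return None
    tests = re.search(r"\btests=\[?([^\]\s]*)", flat)
    raw = tests.group(1).split(",") if tests else []
    names = [t.split("=")[0] for t in raw if t]  # drop per-rule "=score" suffix
    return float(score.group(1)), names

def audit(raw_messages):
    """Return (Message-IDs with no usable header, rule hits on mail below tag2)."""
    untagged, below_tag2 = [], Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        status = msg["X-Spam-Status"]
        parsed = parse_spam_status(str(status)) if status else None
        if parsed is None:
            untagged.append(str(msg["Message-ID"]))
            continue
        score, names = parsed
        if score < TAG2_LEVEL:
            below_tag2.update(names)
    return untagged, below_tag2

if __name__ == "__main__":
    missing, hits = audit(SAMPLES)
    print("no X-Spam-Status:", missing)
    print("rules on mail under tag2:", hits.most_common())
```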