Posted to users@spamassassin.apache.org by AJ Weber <aw...@comcast.net> on 2017/10/12 13:25:19 UTC

improving detection to cloudmark-like levels?

OK, please, this is meant with all good intentions...

I have been running SA 3.3.0 on my server for years.  Using the standard 
rule updates channel and "sought.rules.yerp.org".  (I don't see those 
updated too often, maybe I need to check on that update process.)  Also 
enabled:  DCC, Pyzor and Razor2.

This does a very good job as currently configured.  However, I also have 
Cloudmark's "DesktopOne" client-product installed for years.  They are 
discontinuing that product on Dec 1.  I certainly would see the 
cloudmark-product catch _additional_ spam on a daily basis (very 
accurately).

So I'm sure they have some "secret sauce" and I'm not asking for that to 
be revealed, but since pyzor is supposedly using their database, I'm 
just trying to figure out if there's a way to get my SA filter to 
improve even further and close the gap?

So it's a very open-ended ask, but I thought maybe I could start a 
conversation and see if there are any ideas out there.  I'm open to new 
rules, plug-ins, etc.  Spam volume is only getting worse, and these 
spammers are getting more creative.

Thanks in advance,

AJ


Re: improving detection to cloudmark-like levels?

Posted by David Jones <dj...@ena.com>.
On 10/12/2017 09:32 AM, AJ Weber wrote:
> On 10/12/2017 10:07 AM, Kevin A. McGrail wrote:
>> On 10/12/2017 9:25 AM, AJ Weber wrote:
>>> I'm open to new rules, plug-ins, etc. Spam volume is only getting 
>>> worse, and these spammers are getting more creative. 
>>
>> Hi AJ,
>>
>> I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
>> version, invest some time into researching a few RBLs and consider 
>> adding my KAM.cf file.
> OK, I'll look into the update procs.  I don't see an updated package 
> available via yum (CentOS), but maybe I'm not looking in the right place.
> 
> I do use an RBL or two, I think "bl.mailspike.net", but I haven't 
> figured out how to test that they're working correctly.
> 
> Thanks for the quick reply.

I have found that looking at other good configs is very helpful.  Check 
out the Postfix and SpamAssassin settings of these projects for ideas:

https://efa-project.org/
http://www.iredmail.org/

If you run an edge mail filter server, then put as much spam-blocking 
logic (RBLs, DNS checks, SMTP HELO checks, FCrDNS checks, domain 
existence checks) as possible in the MTA configs and let SpamAssassin 
handle a much smaller percentage of mostly clean messages.

If you run Postfix, enable Postscreen and its RBL weighting along with 
postwhite to bypass major mail providers.  This will allow you to 
combine the power of many RBLs and increase the sensitivity of all RBLs. 
See this mailing list's archives for many discussions on postscreen 
and adding the senderscore.org RBL.

Make sure you are using a local recursive DNS server and not pointing to 
another DNS server.  Again see the mailing list archives for a lengthy 
discussion on this topic related to URIBL_BLOCKED.

Definitely download the KAM.cf a couple of times a day into your 
/etc/mail/spamassassin directory.  It's a must.

Setup ClamAV with the extra UNOFFICIAL signatures.

Try to implement greylisting if possible.  It can be rolled out in a 
slow, phased approach so that your users don't even notice the delay it 
causes for new senders.  The benefits far outweigh the occasional delay 
in email.  Make sure to exclude Google's mail servers from greylisting.

Add Steve Freegard's DecodeShortURLs.cf plugin by dropping the .pm and 
.cf file in /etc/mail/spamassassin.

https://github.com/smfreegard/DecodeShortURLs/blob/master/DecodeShortURLs.cf

Purchase a subscription to the IVM RBL feed.  If you are filtering mail 
for more than a few mailboxes, it's very valuable and well worth the 
price to save you and your users from dealing with a lot of spam.  See 
https://www.invaluement.com

Add other RBLs to SA like senderscore.org, lashback, mailspike, etc. and 
enable the Shortcircuit plugin in v320.pre:

# cat /etc/mail/spamassassin/lashback.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

# Any untrusted Received: IP listed in ubl.unsubscore.com
header		__RCVD_IN_LASHBACK	eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe	__RCVD_IN_LASHBACK	Received is listed in Lashback ubl.unsubscore.com
tflags		__RCVD_IN_LASHBACK	net

header		RCVD_IN_LASHBACK	eval:check_rbl_sub('lashback', '127.0.0.2')
describe	RCVD_IN_LASHBACK	Received is listed in Lashback ubl.unsubscore.com
score		RCVD_IN_LASHBACK	0.8
tflags		RCVD_IN_LASHBACK	net

# Same zone, but only the last external (handover) relay; scored higher
header		RCVD_IN_LASHBACK_LASTEXT	eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe	RCVD_IN_LASHBACK_LASTEXT	Last external is listed in Lashback ubl.unsubscore.com
score		RCVD_IN_LASHBACK_LASTEXT	1.2
tflags		RCVD_IN_LASHBACK_LASTEXT	net

endif

# cat /etc/mail/spamassassin/senderscore.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

# score.senderscore.com answers 127.0.4.<score> (0-100) for the last
# external relay; the subtest regex buckets that score into a rule.
header		__RCVD_IN_SENDERSCORE_90_100	eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta		RCVD_IN_SENDERSCORE_90_100	SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
describe	RCVD_IN_SENDERSCORE_90_100	Senderscore.org score of 90 to 100
score		RCVD_IN_SENDERSCORE_90_100	-1.2
tflags		RCVD_IN_SENDERSCORE_90_100	net

header		__RCVD_IN_SENDERSCORE_80_89	eval:check_rbl('senderscore80-lastexternal','score.senderscore.com.','^127\.0\.4\.(8[0-9])$')
meta		RCVD_IN_SENDERSCORE_80_89	SPF_PASS && __RCVD_IN_SENDERSCORE_80_89
describe	RCVD_IN_SENDERSCORE_80_89	Senderscore.org score of 80 to 89
score		RCVD_IN_SENDERSCORE_80_89	-0.2
tflags		RCVD_IN_SENDERSCORE_80_89	net

header		RCVD_IN_SENDERSCORE_70_79	eval:check_rbl('senderscore70-lastexternal','score.senderscore.com.','^127\.0\.4\.(7[0-9])$')
describe	RCVD_IN_SENDERSCORE_70_79	Senderscore.org score of 70 to 79
score		RCVD_IN_SENDERSCORE_70_79	0.2
tflags		RCVD_IN_SENDERSCORE_70_79	net

header		RCVD_IN_SENDERSCORE_60_69	eval:check_rbl('senderscore60-lastexternal','score.senderscore.com.','^127\.0\.4\.(6[0-9])$')
describe	RCVD_IN_SENDERSCORE_60_69	Senderscore.org score of 60 to 69
score		RCVD_IN_SENDERSCORE_60_69	1.2
tflags		RCVD_IN_SENDERSCORE_60_69	net

header		RCVD_IN_SENDERSCORE_50_59	eval:check_rbl('senderscore50-lastexternal','score.senderscore.com.','^127\.0\.4\.(5[0-9])$')
describe	RCVD_IN_SENDERSCORE_50_59	Senderscore.org score of 50 to 59
score		RCVD_IN_SENDERSCORE_50_59	1.8
tflags		RCVD_IN_SENDERSCORE_50_59	net

header		RCVD_IN_SENDERSCORE_30_49	eval:check_rbl('senderscore30-lastexternal','score.senderscore.com.','^127\.0\.4\.([3-4][0-9])$')
describe	RCVD_IN_SENDERSCORE_30_49	Senderscore.org score of 30 to 49
score		RCVD_IN_SENDERSCORE_30_49	2.2
tflags		RCVD_IN_SENDERSCORE_30_49	net

header		RCVD_IN_SENDERSCORE_0_29	eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe	RCVD_IN_SENDERSCORE_0_29	Senderscore.org score of 0 to 29
score		RCVD_IN_SENDERSCORE_0_29	2.8
tflags		RCVD_IN_SENDERSCORE_0_29	net

endif


# cat /etc/mail/spamassassin/mailspike.cf
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -2.2
score RCVD_IN_MSPIKE_H3 -1.8
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 0.8
score RCVD_IN_MSPIKE_L4 1.2
score RCVD_IN_MSPIKE_L5 1.8


# cat /etc/mail/spamassassin/shortcircuit.cf
shortcircuit ALL_TRUSTED off

shortcircuit USER_IN_WHITELIST on
priority     USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on


# grep Shortcircuit /etc/mail/spamassassin/v320.pre
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

Hope this helps.  Try out these suggestions slowly with low scores and 
ease them up to the highest score you can while maintaining accurate 
results.

-- 
David Jones
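As an added worked example (not code from David's post, from KAM.cf, or from SpamAssassin itself), the script below shows what the RBL rules above actually do under the hood and gives a way to sanity-check them offline. It builds the reversed-octet query name that check_rbl sends to the resolver, decodes the 127.0.4.<score> answer convention that the senderscore.cf subtest regexes rely on, checks that those seven regexes partition 0..100 with no gaps or overlaps, and rejects answers outside 127.0.0.0/8 (the range RFC 5782 reserves for DNSBL listings), which is what a hijacking ISP resolver hands back and why the "local recursive DNS" advice matters. It uses only the Python standard library; the relay address 192.0.2.25 and the DNS answers are constructed test values, not real lookups.

```python
from __future__ import annotations

import ipaddress
import re

# Subtest regexes copied from the senderscore.cf rules posted above, keyed by
# the rule that fires on them.  The DNSBL answers a score S as 127.0.4.S.
SENDERSCORE_RULES = {
    "RCVD_IN_SENDERSCORE_90_100": r"^127\.0\.4\.(9[0-9]|100)$",
    "RCVD_IN_SENDERSCORE_80_89": r"^127\.0\.4\.(8[0-9])$",
    "RCVD_IN_SENDERSCORE_70_79": r"^127\.0\.4\.(7[0-9])$",
    "RCVD_IN_SENDERSCORE_60_69": r"^127\.0\.4\.(6[0-9])$",
    "RCVD_IN_SENDERSCORE_50_59": r"^127\.0\.4\.(5[0-9])$",
    "RCVD_IN_SENDERSCORE_30_49": r"^127\.0\.4\.([3-4][0-9])$",
    "RCVD_IN_SENDERSCORE_0_29": r"^127\.0\.4\.([1-2]?[0-9])$",
}

# RFC 5782: DNSBL listings are A records inside 127.0.0.0/8.
DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name that check_rbl asks the resolver for."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 literal
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def answer_is_plausible(answer: str) -> bool:
    """True only for an answer in 127.0.0.0/8.

    A resolver that rewrites NXDOMAIN into a search-page address, or a
    filtered DNS path, returns something outside that range; treat it as a
    broken lookup rather than as a listing.
    """
    try:
        return ipaddress.IPv4Address(answer) in DNSBL_ANSWER_RANGE
    except ValueError:
        return False


def match_senderscore_rules(answer: str) -> list[str]:
    """Return every rule whose subtest regex matches the A record text."""
    return [name for name, rx in SENDERSCORE_RULES.items() if re.search(rx, answer)]


def decode_senderscore(answer: str) -> int | None:
    """Pull the 0..100 reputation out of a 127.0.4.S answer, or None."""
    if not answer_is_plausible(answer):
        return None
    first, second, third, last = answer.split(".")
    if (first, second, third) != ("127", "0", "4"):
        return None
    score = int(last)
    return score if 0 <= score <= 100 else None


def check_rules_partition_scores() -> dict[str, list]:
    """Confirm the seven regexes cover 0..100 exactly once each.

    A gap means some scores would fire no rule; an overlap means two score
    adjustments would stack on one message.
    """
    gaps: list[int] = []
    overlaps: list[tuple[int, list[str]]] = []
    for score in range(0, 101):
        hits = match_senderscore_rules(f"127.0.4.{score}")
        if not hits:
            gaps.append(score)
        elif len(hits) > 1:
            overlaps.append((score, hits))
    return {"gaps": gaps, "overlaps": overlaps}


if __name__ == "__main__":
    # Constructed sample: a last-external relay at the documentation address
    # 192.0.2.25 and a made-up answer of 127.0.4.85 for it.
    relay_ip, constructed_answer = "192.0.2.25", "127.0.4.85"
    print(dnsbl_query_name(relay_ip, "score.senderscore.com."))
    print(decode_senderscore(constructed_answer), match_senderscore_rules(constructed_answer))
    print(check_rules_partition_scores())
    # RFC 5782 test entry: zones that follow it list 127.0.0.2 and must not
    # list 127.0.0.1, which gives a quick reachability check for a blocklist.
    print(dnsbl_query_name("127.0.0.2", "ubl.unsubscore.com"))
```

To confirm from the filter host that a blocklist zone is really answering, resolve the name this builds for 127.0.0.2 (RFC 5782 test entry, for zones that honour it) and the one for 127.0.0.1; a listing for the first and none for the second, both inside 127.0.0.0/8, means the resolver path is clean. Anything outside that range is the URIBL_BLOCKED-style failure David refers to above and should be fixed before tuning scores.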

Re: improving detection to cloudmark-like levels?

Posted by AJ Weber <aw...@comcast.net>.
On 10/12/2017 10:07 AM, Kevin A. McGrail wrote:
> On 10/12/2017 9:25 AM, AJ Weber wrote:
>> I'm open to new rules, plug-ins, etc. Spam volume is only getting 
>> worse, and these spammers are getting more creative. 
>
> Hi AJ,
>
> I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
> version, invest some time into researching a few RBLs and consider 
> adding my KAM.cf file.
OK, I'll look into the update procs.  I don't see an updated package 
available via yum (CentOS), but maybe I'm not looking in the right place.

I do use an RBL or two, I think "bl.mailspike.net", but I haven't 
figured out how to test that they're working correctly.

Thanks for the quick reply.

Re: improving detection to cloudmark-like levels?

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 10/19/2017 5:18 AM, Jari Fredriksson wrote:
> The mail is ham from sourceforge.net. I'm able to deliver the post to 
> KAM if he is willing to look at it. 

It's a rule likely to FP but yes, there are instructions in KAM.cf about 
FP reports.  I've lowered the score on that rule.

Regards,

KAM


Re: improving detection to cloudmark-like levels?

Posted by Jari Fredriksson <ja...@iki.fi>.
Auto report on spam with 10+ AS points. All other spam is manually 
reported.

br. jarif


Jari Fredriksson wrote on 19.10.2017 12:18:
> David Jones wrote on 13.10.2017 14:16:
>> On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
>>> I don't use Kam.cf as it is very prone to false 
>>> positives and way too aggressively scored by default. I'm pretty happy 
>>> with my current setup with 3.4.1 though.
>>> 
>> 
>> If you are happy with your SA accuracy, don't change a thing.  :)
>> Have you tried the KAM.cf lately?
> 
> Indeed I have. This just came today:
> 
> X-Spam-Report:
>     * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
>     * [mail99.sea21.rsgsv.net TXT:v=spf1]
>     [ip4:148.105.12.99 include:spf.mandrillapp.com]
>     [?all]
>     * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
>     * [URIs: forward-to-friend.com]
>     * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
>     * [148.105.12.99 listed in iadb.isipp.com]
>     * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
>     * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
>     * -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
>     * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
>     * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
>     * trust
>     * [148.105.12.99 listed in list.dnswl.org]
>     * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>     * domains are different
>     * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>     * 1.0 HTML_MESSAGE BODY: HTML included in message
>     * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>     * [score: 0.0000]
>     * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>     * background
>     * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
>     * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>     * valid
>     * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid &
>     * .link TLD Abuse
>     * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
>     * 0.0 KAM_SHORT Use of a URL Shortener for very short URL
> 
> The mail is ham from sourceforge.net. I'm able to deliver the post 
> to KAM if he is willing to look at it.
> 
> Hit points like 10 points for this issue BAD_TLD are just killing my 
> system, which will report to spamcop, razor and pyzor without manual 
> intervention :(
> 
> False positives are usually nonexistent with my setup, and this can 
> not be taken into production.
> 
> br. jarif
> 
> 
>> 
>> KAM.cf does have high scores when you first look at it but if you have
>> other SA add-ons that subtract points for being "good", then the high
>> KAM.cf scores complement things well.  Also, I am using MailScanner
>> and the default block score is 6.0 which helps a bit too.  My custom
>> rule scores tend to be high on both ends.
>> 
>>> On 12 October 2017 at 17.07.41 GMT+03:00, "Kevin A. McGrail" 
>>> <ke...@mcgrail.com> wrote:
>>>  >On 10/12/2017 9:25 AM, AJ Weber wrote:
>>>  >> I'm open to new rules, plug-ins, etc.  Spam volume is only 
>>>  >> getting worse, and these spammers are getting more creative.
>>>  >
>>>  >Hi AJ,
>>>  >
>>>  >I have to say that 3.3.0 is pretty old.  I'd look to run a 
>>>  >newer version, invest some time into researching a few RBLs and consider
>>>  >adding my KAM.cf file.
>>>  >
>>>  >Regards,
>>>  >KAM
> 
> -- 
> jarif@iki.fi

-- 
jarif@iki.fi

Re: improving detection to cloudmark-like levels?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 19 Oct 2017, at 5:18 (-0400), Jari Fredriksson wrote:

> Hit points like 10 points for this issue BAD_TLD are just killing my 
> system, which will report to spamcop, razor and pyzor without manual 
> intervention :(

I don't really know the Razor or Pyzor policy, as I believe they are designed for auto-reporting that may be occasionally wrong, but you should NOT report anything to SpamCop without certainty that what you're reporting is spam. See the last section of https://www.spamcop.net/fom-serve/cache/125.html for details.

Explication of that policy I've seen from SpamCop Deputies has included the direct statement that it is NOT appropriate to automatically trust a SpamAssassin score of any severity on its own as a basis for reporting but it is acceptable to use SA as a confirmation tool (i.e. a safety net preventing bad reports) when reporting mail that targets spamtraps (most of which can in theory get small amounts of entirely innocently misdirected email.)

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Paying Work: https://linkedin.com/in/billcole

Re: improving detection to cloudmark-like levels?

Posted by David Jones <dj...@ena.com>.
On 10/19/2017 04:18 AM, Jari Fredriksson wrote:
> David Jones wrote on 13.10.2017 14:16:
>> On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
>>> I don't use Kam.cf as it is very prone to false 
>>> positives and way too aggressively scored by default. I'm pretty happy 
>>> with my current setup with 3.4.1 though.
>>> 
>> 
>> If you are happy with your SA accuracy, don't change a thing.  :)
>> Have you tried the KAM.cf lately?
> 
> Indeed I have. This just came today:
> 
> X-Spam-Report:
>      * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
>      * [mail99.sea21.rsgsv.net TXT:v=spf1]
>      [ip4:148.105.12.99 include:spf.mandrillapp.com]
>      [?all]
>      * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
>      * [URIs: forward-to-friend.com]
>      * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
>      * [148.105.12.99 listed in iadb.isipp.com]
>      * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
>      * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
>      * -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
>      * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
>      * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
>      * trust
>      * [148.105.12.99 listed in list.dnswl.org]
>      * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>      * domains are different
>      * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>      * 1.0 HTML_MESSAGE BODY: HTML included in message
>      * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>      * [score: 0.0000]
>      * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>      * background
>      * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
>      * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>      * valid
>      * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid &
>      * .link TLD Abuse
>      * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
>      * 0.0 KAM_SHORT Use of a URL Shortener for very short URL
> 
> The mail is ham from sourceforge.net. I'm able to deliver the post to 
> KAM if he is willing to look at it.

You should consider changing the default scores of RCVD_IN_IADB_RDNS, 
RCVD_IN_IADB_DK, and RCVD_IN_IADB_LISTED to -2.0 or lower.  I have the 
shortcircuit plugin enabled with this config:

shortcircuit ALL_TRUSTED off

shortcircuit USER_IN_WHITELIST on
priority     USER_IN_WHITELIST -400
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on

shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

score RCVD_IN_RP_CERTIFIED -100
score RCVD_IN_RP_SAFE -10
score RCVD_IN_DNSWL_HI -10
score RCVD_IN_IADB_LISTED -100
score RCVD_IN_IADB_SPF -10
score RCVD_IN_IADB_DK -10
score RCVD_IN_IADB_RDNS -10
score RCVD_IN_IADB_SENDERID -10
score RCVD_IN_IADB_OPTIN -10

This eliminates content-based rules like KAM.cf firing for trusted 
senders.  You don't have to go as far as I did with shortcircuit'ing 
them but even setting a -2.0  or -4.0 score for those RCVD_IN_* rules 
above could help with trusted senders and save a lot of your time.

> 
> Hit points like 10 points for this issue BAD_TLD are just killing my 
> system, which will report to spamcop, razor and pyzor without manual 
> intervention :(
> 
> False positives are usually nonexistent with my setup, and this can not 
> be taken into production.
> 
> br. jarif
> 
> 
>> 
>> KAM.cf does have high scores when you first look at it but if you have
>> other SA add-ons that subtract points for being "good", then the high
>> KAM.cf scores complement things well.  Also, I am using MailScanner
>> and the default block score is 6.0 which helps a bit too.  My custom
>> rule scores tend to be high on both ends.
>> 
>>> On 12 October 2017 at 17.07.41 GMT+03:00, "Kevin A. McGrail" 
>>> <ke...@mcgrail.com> wrote:
>>>  >On 10/12/2017 9:25 AM, AJ Weber wrote:
>>>  >> I'm open to new rules, plug-ins, etc.  Spam volume is only 
>>>  >> getting worse, and these spammers are getting more creative.
>>>  >
>>>  >Hi AJ,
>>>  >
>>>  >I have to say that 3.3.0 is pretty old.  I'd look to run a newer
>>>  >version, invest some time into researching a few RBLs and consider
>>>  >adding my KAM.cf file.
>>>  >
>>>  >Regards,
>>>  >KAM
> 
> -- 
> jarif@iki.fi


-- 
David Jones

Re: improving detection to cloudmark-like levels?

Posted by Jari Fredriksson <ja...@iki.fi>.
David Jones wrote on 13.10.2017 14:16:
> On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
>> I don't use Kam.cf as it is very prone to false 
>> positives and way too aggressively scored by default. I'm pretty happy 
>> with my current setup with 3.4.1 though.
>> 
> 
> If you are happy with your SA accuracy, don't change a thing.  :)
> Have you tried the KAM.cf lately?

Indeed I have. This just came today:

X-Spam-Report:
     * 0.5 JMQ_SPF_NEUTRAL_ALL ASKDNS: SPF set to ?all!
     * [mail99.sea21.rsgsv.net TXT:v=spf1]
     [ip4:148.105.12.99 include:spf.mandrillapp.com]
     [?all]
     * 0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
     * [URIs: forward-to-friend.com]
     * -0.2 RCVD_IN_IADB_RDNS RBL: IADB: Sender has reverse DNS record
     * [148.105.12.99 listed in iadb.isipp.com]
     * -0.0 RCVD_IN_IADB_LISTED RBL: Participates in the IADB system
     * -0.1 RCVD_IN_IADB_SPF RBL: IADB: Sender publishes SPF record
     * -0.0 RCVD_IN_IADB_SENDERID RBL: IADB: Sender publishes Sender ID record
     * -0.1 RCVD_IN_IADB_DK RBL: IADB: Sender publishes Domain Keys record
     * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
     * trust
     * [148.105.12.99 listed in list.dnswl.org]
     * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
     * domains are different
     * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
     * 1.0 HTML_MESSAGE BODY: HTML included in message
     * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
     * [score: 0.0000]
     * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
     * background
     * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
     * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
     * valid
     * 10 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid &
     * .link TLD Abuse
     * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
     * 0.0 KAM_SHORT Use of a URL Shortener for very short URL

The mail is ham from sourceforge.net. I'm able to deliver the post to 
KAM if he is willing to look at it.

Hit points like 10 points for this issue BAD_TLD are just killing my 
system, which will report to spamcop, razor and pyzor without manual 
intervention :(

False positives are usually nonexistent with my setup, and this can not 
be taken into production.

br. jarif


> 
> KAM.cf does have high scores when you first look at it but if you have
> other SA add-ons that subtract points for being "good", then the high
> KAM.cf scores complement things well.  Also, I am using MailScanner
> and the default block score is 6.0 which helps a bit too.  My custom
> rule scores tend to be high on both ends.
> 
>> On 12 October 2017 at 17.07.41 GMT+03:00, "Kevin A. McGrail" 
>> <ke...@mcgrail.com> wrote:
>>  >On 10/12/2017 9:25 AM, AJ Weber wrote:
>>  >> I'm open to new rules, plug-ins, etc.  Spam volume is only getting
>>  >> worse, and these spammers are getting more creative.
>>  >
>>  >Hi AJ,
>>  >
>>  >I have to say that 3.3.0 is pretty old.  I'd look to run a newer
>>  >version, invest some time into researching a few RBLs and consider
>>  >adding my KAM.cf file.
>>  >
>>  >Regards,
>>  >KAM

-- 
jarif@iki.fi

Re: improving detection to cloudmark-like levels?

Posted by David Jones <dj...@ena.com>.
On 10/13/2017 04:45 AM, Jari Fredriksson wrote:
> I don't use Kam.cf as it is very prone to false 
> positives and way too aggressively scored by default. I'm pretty happy 
> with my current setup with 3.4.1 though.
> 

If you are happy with your SA accuracy, don't change a thing.  :)  Have 
you tried the KAM.cf lately?

KAM.cf does have high scores when you first look at it but if you have 
other SA add-ons that subtract points for being "good", then the high 
KAM.cf scores complement things well.  Also, I am using MailScanner and 
the default block score is 6.0 which helps a bit too.  My custom rule 
scores tend to be high on both ends.

> On 12 October 2017 at 17.07.41 GMT+03:00, "Kevin A. McGrail" 
> <ke...@mcgrail.com> wrote:
>  >On 10/12/2017 9:25 AM, AJ Weber wrote:
>  >> I'm open to new rules, plug-ins, etc.  Spam volume is only getting
>  >> worse, and these spammers are getting more creative.
>  >
>  >Hi AJ,
>  >
>  >I have to say that 3.3.0 is pretty old.  I'd look to run a newer
>  >version, invest some time into researching a few RBLs and consider
>  >adding my KAM.cf file.
>  >
>  >Regards,
>  >KAM

-- 
David Jones

Re: improving detection to cloudmark-like levels?

Posted by Jari Fredriksson <ja...@iki.fi>.
I don't use Kam.cf as it is very prone to false positives and way too aggressively scored by default. I'm pretty happy with my current setup with 3.4.1 though. 

On 12 October 2017 at 17.07.41 GMT+03:00, "Kevin A. McGrail" <ke...@mcgrail.com> wrote:
>On 10/12/2017 9:25 AM, AJ Weber wrote:
>> I'm open to new rules, plug-ins, etc.  Spam volume is only getting 
>> worse, and these spammers are getting more creative. 
>
>Hi AJ,
>
>I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
>version, invest some time into researching a few RBLs and consider 
>adding my KAM.cf file.
>
>Regards,
>KAM

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: improving detection to cloudmark-like levels?

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 10/12/2017 9:25 AM, AJ Weber wrote:
> I'm open to new rules, plug-ins, etc.  Spam volume is only getting 
> worse, and these spammers are getting more creative. 

Hi AJ,

I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
version, invest some time into researching a few RBLs and consider 
adding my KAM.cf file.

Regards,
KAM


Re: improving detection to cloudmark-like levels?

Posted by John Hardin <jh...@impsec.org>.
On Thu, 12 Oct 2017, AJ Weber wrote:

> Using the standard rule updates channel and "sought.rules.yerp.org". 
> (I don't see those updated too often, maybe I need to check on that 
> update process.)

As far as I know, the Sought rules aren't being generated any more, and 
haven't been for a few years now. They may still be useful, but they are 
increasingly stale.

The standard rules are blocked by score generation issues in the masscheck 
system that are resisting analysis... :)


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Vista is at best mildly annoying and at worst makes you want to
   rush to Redmond, Wash. and rip somebody's liver out.      -- Forbes
-----------------------------------------------------------------------
  196 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: improving detection to cloudmark-like levels?

Posted by AJ Weber <aw...@comcast.net>.
On 10/12/2017 11:33 AM, Ian Zimmerman wrote:
> I don't know how you got the supposition about pyzor.
>
> pyzor is completely independent of Cloudmark (unlike razor) and AFAIK
> pyzor scores are  based on participating users' reports and nothing
> else.
Sorry.  It is razor2 that is (or was - according to the website) 
supported by Cloudmark.

Re: improving detection to cloudmark-like levels?

Posted by Ian Zimmerman <it...@very.loosely.org>.
On 2017-10-12 09:25, AJ Weber wrote:

> So I'm sure they have some "secret sauce" and I'm not asking for that
> to be revealed, but since pyzor is supposedly using their database,
> I'm just trying to figure out if there's a way to get my SA filter to
> improve even further and close the gap?

I don't know how you got the supposition about pyzor.

pyzor is completely independent of Cloudmark (unlike razor) and AFAIK
pyzor scores are based on participating users' reports and nothing
else.

pyzor is also libre software, including the server (unlike razor).  That
means anyone can run their own server.  I started doing so a couple of
weeks ago, see [1].  You're welcome to join :-)

[1]
https://lists.gt.net/spamassassin/users/205264

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.