Posted to users@spamassassin.apache.org by Brent Clark <br...@gmail.com> on 2019/04/18 06:55:25 UTC
SA shortcircuit
Good day Guys
Would anyone be willing to share their shortcircuiting list?
Currently I am just shortcircuiting CLAMAV; I'm looking to improve SA.
Many thanks.
Regards
Brent
Re: SA shortcircuit
Posted by David Jones <dj...@ena.com>.
On 4/23/19 12:57 AM, Brent Clark wrote:
> Good day David
>
> Looking at what you got going, I'm glad I asked this request.
> Thanks very much for sharing.
>
> Kind Regards
> Brent Clark
>
This was just an example based on my mail flow and very customized/tuned
SA rules for my mail filters. I am sure that others on this list may
not agree with my settings below based on different philosophies /
strategies of spam filtering.
I try to find patterns to group mail into major categories then handle
each category differently. For example, system-generated emails using a
subdomain that aren't real human / user accounts with passwords that can
be compromised are a category. By the time this category makes it past
the MTA checks (postscreen, RBLs, DNS checks, TLD checks, HELO checks,
etc.) then the majority of them can be safely added to whitelist_auth
entries and SA doesn't need to evaluate them for content filtering.
Content filtering is the hardest to do as the spammers are constantly
changing the strategies / campaigns to get around content filtering.
The best way to filter for content is with very good Bayes training but
this usually doesn't help with zero day / hour spam from compromised
accounts.
Another major category of email is certain sources of emails from large
MSPs that generally do not get listed on RBLs because there are good
email senders mixed in with the spammers / compromised accounts.
\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|registeredsite\.com|reflexion\.net|sparkpostmail\.com|siteground\.us|dreamhost\.com|yourhostingaccount\.com|maropost\.com|myregisteredsite\.com)
That is my current regex for "notrust" known sources of spam with legit
emails mixed in. Here I maintain a private DWL of senders to trust
(subtract a few points) while a set of meta rules amplify anything
suspicious sent from those untrusted above. In the end, I am able to
query a MySQL database to find historical scores to add to the DWL using
a script, so this is mostly automated.
Office 365 is another category of email that is tough to filter properly
because it's so large of an MSP and regularly / frequently has
compromised accounts that send spam for 30 minutes or so before
Microsoft seems to shut them down. Here I wanted to set up something
like greylisting to handle new senders with a delay. I am using
traditional greylisting but it has to be disabled for
outbound.protection.microsoft.com and google.com email servers for
technical reasons. Recently I started another private DWL to handle
o365 senders similarly to the "notrust" list above and so far it seems
to be working out.
Hope this helps,
Dave
> On 2019/04/18 15:52, David Jones wrote:
>> On 4/18/19 1:55 AM, Brent Clark wrote:
>>> Good day Guys
>>>
>>> Would anyone be willing to share their shortcircuiting list?
>>>
>>> Currently I am just shortcircuiting CLAMAV; I'm looking to improve SA.
>>>
>>> Many thanks.
>>>
>>> Regards
>>> Brent
>>
>> shortcircuit ALL_TRUSTED off
>> shortcircuit USER_IN_WHITELIST on
>> shortcircuit USER_IN_DEF_WHITELIST on
>> shortcircuit USER_IN_BLACKLIST on
>> shortcircuit USER_IN_DKIM_WHITELIST on
>> shortcircuit USER_IN_SPF_WHITELIST on
>> shortcircuit USER_IN_DEF_DKIM_WL off
>> shortcircuit USER_IN_DEF_SPF_WL off
>> shortcircuit RCVD_IN_RP_CERTIFIED off
>> shortcircuit RCVD_IN_RP_SAFE off
>>
>> You will need to set the priority lower than the default to hit before
>> some of the entries above. Run some messages manually with
>> "spamassassin -D < email.msg" to see the priority if your shortcircuit
>> rule isn't getting hit because a lower priority shortcircuit hit first.
>>
>> I also have some outbound rules that shortcircuit unique emails like
>> those from scanner/copiers that often have missing headers like no
>> Message-ID, bad HELO, etc.
>>
>> Here's an example of a useful one that we all have problems with if we
>> are filtering outbound email:
>>
>> meta ENA_COPIER ALL_TRUSTED && (__SUBJ_COPIER ||
>> __MAILER_COPIER || __MSGID_COPIER || __MIME_COPIER || __FROM_COPIER ||
>> __RCVD_COPIER)
>> priority ENA_COPIER -500
>> describe ENA_COPIER Sent from a copier on network.
>> score ENA_COPIER -0.001
>> priority ENA_COPIER -500
>> shortcircuit ENA_COPIER ham
>> tflags ENA_COPIER noautolearn nice
>>
>> I am not publishing the details of those header rules in the meta above
>> on purpose so this rule could be exploited by a compromised account from
>> our network through our mail relays. These should be fairly obvious
>> based on their names as to what they do.
>>
>> Hope this helps,
>>
--
David Jones
Re: SA shortcircuit
Posted by Brent Clark <br...@gmail.com>.
Good day David
Looking at what you got going, I'm glad I asked this request.
Thanks very much for sharing.
Kind Regards
Brent Clark
On 2019/04/18 15:52, David Jones wrote:
> On 4/18/19 1:55 AM, Brent Clark wrote:
>> Good day Guys
>>
>> Would anyone be willing to share their shortcircuiting list?
>>
>> Currently I am just shortcircuiting CLAMAV; I'm looking to improve SA.
>>
>> Many thanks.
>>
>> Regards
>> Brent
>
> shortcircuit ALL_TRUSTED off
> shortcircuit USER_IN_WHITELIST on
> shortcircuit USER_IN_DEF_WHITELIST on
> shortcircuit USER_IN_BLACKLIST on
> shortcircuit USER_IN_DKIM_WHITELIST on
> shortcircuit USER_IN_SPF_WHITELIST on
> shortcircuit USER_IN_DEF_DKIM_WL off
> shortcircuit USER_IN_DEF_SPF_WL off
> shortcircuit RCVD_IN_RP_CERTIFIED off
> shortcircuit RCVD_IN_RP_SAFE off
>
> You will need to set the priority lower than the default to hit before
> some of the entries above. Run some messages manually with
> "spamassassin -D < email.msg" to see the priority if your shortcircuit
> rule isn't getting hit because a lower priority shortcircuit hit first.
>
> I also have some outbound rules that shortcircuit unique emails like
> those from scanner/copiers that often have missing headers like no
> Message-ID, bad HELO, etc.
>
> Here's an example of a useful one that we all have problems with if we
> are filtering outbound email:
>
> meta ENA_COPIER ALL_TRUSTED && (__SUBJ_COPIER ||
> __MAILER_COPIER || __MSGID_COPIER || __MIME_COPIER || __FROM_COPIER ||
> __RCVD_COPIER)
> priority ENA_COPIER -500
> describe ENA_COPIER Sent from a copier on network.
> score ENA_COPIER -0.001
> priority ENA_COPIER -500
> shortcircuit ENA_COPIER ham
> tflags ENA_COPIER noautolearn nice
>
> I am not publishing the details of those header rules in the meta above
> on purpose so this rule could be exploited by a compromised account from
> our network through our mail relays. These should be fairly obvious
> based on their names as to what they do.
>
> Hope this helps,
>
Re: SA shortcircuit
Posted by David Jones <dj...@ena.com>.
On 4/18/19 1:55 AM, Brent Clark wrote:
> Good day Guys
>
> Would anyone be willing to share their shortcircuiting list?
>
> Currently I am just shortcircuiting CLAMAV; I'm looking to improve SA.
>
> Many thanks.
>
> Regards
> Brent
shortcircuit ALL_TRUSTED off
shortcircuit USER_IN_WHITELIST on
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL off
shortcircuit USER_IN_DEF_SPF_WL off
shortcircuit RCVD_IN_RP_CERTIFIED off
shortcircuit RCVD_IN_RP_SAFE off
You will need to set the priority lower than the default to hit before
some of the entries above. Run some messages manually with
"spamassassin -D < email.msg" to see the priority if your shortcircuit
rule isn't getting hit because a lower priority shortcircuit hit first.
I also have some outbound rules that shortcircuit unique emails like
those from scanner/copiers that often have missing headers like no
Message-ID, bad HELO, etc.
Here's an example of a useful one that we all have problems with if we
are filtering outbound email:
meta ENA_COPIER ALL_TRUSTED && (__SUBJ_COPIER ||
__MAILER_COPIER || __MSGID_COPIER || __MIME_COPIER || __FROM_COPIER ||
__RCVD_COPIER)
priority ENA_COPIER -500
describe ENA_COPIER Sent from a copier on network.
score ENA_COPIER -0.001
priority ENA_COPIER -500
shortcircuit ENA_COPIER ham
tflags ENA_COPIER noautolearn nice
I am not publishing the details of those header rules in the meta above
on purpose so this rule could be exploited by a compromised account from
our network through our mail relays. These should be fairly obvious
based on their names as to what they do.
Hope this helps,
--
David Jones
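To tie the pieces of this thread together, here is an added local.cf fragment. It is not David's or Brent's configuration: it combines the shortcircuit settings quoted in this post with the "notrust" shared-hosting category and the private DWL that David describes in his later reply. Every rule name starting with LOCAL_ or __LOCAL_, the alerts.example.com subdomain and the example.net/example.org addresses are placeholders; MISSING_MID, MIME_HTML_ONLY, FREEMAIL_FROM and ALL_TRUSTED are stock SpamAssassin rules, and the rDNS alternation is David's list from the reply above.

```spamassassin
# Added example, not from the thread. LOCAL_* / __LOCAL_* rule names and the
# example.* addresses are placeholders. Needs the Shortcircuit plugin, which
# is loaded by "loadplugin Mail::SpamAssassin::Plugin::Shortcircuit" in v320.pre.

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit

# 1. Shortcircuit settings quoted in this post: explicit user whitelist and
#    blacklist hits stop scanning; the broad default lists and ALL_TRUSTED
#    keep scanning, so one forged or compromised "trusted" sender still gets
#    content-checked.
shortcircuit ALL_TRUSTED            off
shortcircuit USER_IN_WHITELIST      on
shortcircuit USER_IN_DEF_WHITELIST  on
shortcircuit USER_IN_BLACKLIST      on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_SPF_WHITELIST  on
shortcircuit USER_IN_DEF_DKIM_WL    off
shortcircuit USER_IN_DEF_SPF_WL     off
shortcircuit RCVD_IN_RP_CERTIFIED   off
shortcircuit RCVD_IN_RP_SAFE        off

# 2. Category "system-generated mail from our own subdomain" (no human
#    accounts with passwords behind it). whitelist_auth only fires when SPF
#    or DKIM verifies for that address, so a bare forged From: is not enough.
whitelist_auth *@alerts.example.com

# 3. Category "notrust": hosting / MSP space with good and bad senders mixed.
#    Match the reverse DNS of the last external relay via the
#    X-Spam-Relays-External pseudo-header rather than any Received: line, so
#    a forged earlier hop cannot put itself into this category.
header   __LOCAL_NOTRUST_RDNS  X-Spam-Relays-External =~ /^\[ ip=\S+ rdns=\S*?\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|registeredsite\.com|reflexion\.net|sparkpostmail\.com|siteground\.us|dreamhost\.com|yourhostingaccount\.com|maropost\.com|myregisteredsite\.com)\s/i

# Amplify signals that are weak on their own but telling from that space.
meta     LOCAL_NOTRUST_SUSPECT  __LOCAL_NOTRUST_RDNS && (MISSING_MID || MIME_HTML_ONLY || FREEMAIL_FROM)
describe LOCAL_NOTRUST_SUSPECT  Suspicious traits in mail from shared-hosting relays
score    LOCAL_NOTRUST_SUSPECT  2.5

# Private DWL for the same category: a few points off, not a shortcircuit,
# and only when the address arrives from the relay it normally uses. The
# From: check alone is forgeable; the rDNS condition is what limits the bonus.
header   __LOCAL_NOTRUST_DWL  From:addr =~ /^(?:billing\@example\.net|invoices\@example\.org)$/i
meta     LOCAL_NOTRUST_DWL  __LOCAL_NOTRUST_RDNS && __LOCAL_NOTRUST_DWL && !LOCAL_NOTRUST_SUSPECT
describe LOCAL_NOTRUST_DWL  Known-good sender on a shared-hosting relay
score    LOCAL_NOTRUST_DWL  -3.0
tflags   LOCAL_NOTRUST_DWL  nice noautolearn

# 4. A local ham shortcircuit for machine-generated internal mail, in the
#    shape of the ENA_COPIER rule above. ALL_TRUSTED limits it to mail that
#    entered through our own relays. Lower priority numbers run earlier:
#    -500 runs before the content rules at the default priority 0, so a
#    shortcircuited message never reaches them; compare against the
#    priorities in 60_shortcircuit.cf if it must fire before a stock one.
header       __LOCAL_MONITOR_FROM  From:addr =~ /^nagios\@alerts\.example\.com$/i
header       __LOCAL_MONITOR_SUBJ  Subject =~ /^\*\* (?:PROBLEM|RECOVERY) Service Alert:/
meta         LOCAL_MONITOR_HAM  ALL_TRUSTED && __LOCAL_MONITOR_FROM && __LOCAL_MONITOR_SUBJ
describe     LOCAL_MONITOR_HAM  Internal monitoring alert relayed through our own servers
score        LOCAL_MONITOR_HAM  -0.001
priority     LOCAL_MONITOR_HAM  -500
shortcircuit LOCAL_MONITOR_HAM  ham
tflags       LOCAL_MONITOR_HAM  noautolearn nice

endif
```

Check the syntax with "spamassassin --lint" after adding it, then run a captured message through "spamassassin -D shortcircuit < email.msg 2>&1 | grep -i shortcircuit" to see which rule short-circuited and at what priority; if a stock rule with a lower priority number fires first, that is the line to compare against the priorities in your installed 60_shortcircuit.cf.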