Posted to users@spamassassin.apache.org by "Fettke, Dirk" <Di...@its-technidata.de> on 2005/08/15 14:19:29 UTC

filter for subjects

Hi,

I am becoming desperate... I want any mail with a specific subject (like:
viagra postbank, Adobe...) marked as spam. The Mail should be dropped and
not delivered to Mailbox.
Our Mailserver is only for relaying and filtering for spam and viruses.
So there are no local mailboxes.
Is there a possibility to do this with spamassassin?
It can't be so difficult, or?

Thanks
Dirk

RE: filter for subjects

Posted by Herb Martin <He...@learnquick.com>.
> -----Original Message-----
> From: jdow [mailto:jdow@earthlink.net] 
> Sent: Monday, August 15, 2005 8:55 AM
> To: users@spamassassin.apache.org
> Subject: Re: filter for subjects
> 
> 1) You can use SARE rules to increase scores for words like viagra.
> 2) You cannot under any circumstance have SpamAssassin not pass mail
>    on to the next delivery step. It is possible to have the next
>    delivery step drop the mail into /dev/null.
> 3) It is not wise to get too frantic and drop things just because they
>    say "Adobe". Some might be legitimate. (That is not a usual spam word
>    here, at least.)

Agreeing and elaborating on this and some of the
other suggestions...

SA drops NOTHING -- SA scores the spam or ham so
that THE ADMINISTRATOR or USER can decide what to do with
it.  Such decisions belong to the administrator and
the recipient of the email.

Some admins send the mail through leaving the entire 
decision to the User/recipient and some use various
criteria to reject, bounce (generally bad these days),
or save (some) of the likely spam for review.

We bounce nothing, but we do reject using SpamAssassin
this way using Exim MTA (other MTA can do something 
similar):

	1) All "spam" is held for review (we have spam
		down to such a small amount this is easy)
		if it passes the next step.

	2) If the score meets a "superspam" threshold
		we use an Exim ACL (during Data time before
		the email is accepted) to check subjects and
		a few other such criteria (sender etc.)

		Since SA has already marked the email as
		seriously likely to be spam these checks
		can be a bit looser than they would be if
		the message were random.

Using the Adobe-subject example above:  If the message
contains 2 of:  Microsoft Adobe Macromedia Corel AND
is SuperSpam it is droppable but this wouldn't be
possible if a legitimate news message subject had
something like "Adobe sues Microsoft" or "Corel partners
with Macromedia".  (This is just an example and a more
conservative filter could say, "three of" these words
but that is up to the admin etc.)

Our spam went down to almost nothing by using Greylisting
in a reduced manner:  We avoid almost all of the problems 
associated with Greylisting by only using it for messages
that are already 'suspicious' (i.e., things many people
will use to REFUSE mail, are used by our Exim ACLs to drive
the message through Greylisting).  93% of these messages
are never re-tried.  So far no good mail has been identified
as being dropped and practically no real mail is even delayed.

['Suspicion' Checks include: Header checks, valid reverse, 
valid Helo vs. reverse host name, SPF, dynamic host name
or certain country code patterns, and membership on blacklists, 
including some very aggressive lists since no list can actually
block the email.]

SpamAssassin never sees mail unless the other checks including
greylisting of suspicious messages pass them through.

If a message passes to SpamAssassin and is checked against
the "simple subject etc. filters" and not dropped it is STILL
driven through Greylisting if that has not already been done for
this message's Helo/From/To triplet.

This defense in depth is knocking spam down to a trickle
AT THE SERVER, and practically nothing* is getting through
to users with no complaints of missing mail or evidence of
such in the logs.

We are still manually reviewing the Spam trapped at the
server.

Nothing bounces.  Very little spam is ever accepted.

And 95% of the Spam we trap scores above 25 points.
Almost none is scored below 15 points.

We have practically none in the "trough" between Spam
and Ham -- it is all classifying cleanly which really
lets SpamAssassin shine.


--
Herb Martin
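
Added example (not part of the original posts, and not Herb Martin's Exim configuration): a sketch of the "next delivery step" that acts on SpamAssassin's verdict, combining the score with the two-of-four subject check described above. It assumes the step reads the X-Spam-Status header SpamAssassin adds; the thresholds, word matching and function names are hypothetical, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Assumed values: the thread gives no thresholds or exact matching rules.
SPAM_THRESHOLD = 5.0        # SpamAssassin's default required score
SUPERSPAM_THRESHOLD = 15.0  # hypothetical "superspam" cut-off
VENDOR_WORDS = ("microsoft", "adobe", "macromedia", "corel")
MIN_WORD_HITS = 2

# X-Spam-Status carries "score=" (SA 3.1+) or "hits=" (older releases).
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")


def spam_score(msg):
    """Return the score SpamAssassin recorded, or None if the mail is untagged."""
    match = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    return float(match.group(1)) if match else None


def subject_hits(msg):
    """Count how many distinct vendor words appear in the Subject."""
    words = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    return sum(1 for w in VENDOR_WORDS if w in words)


def decide(raw_message):
    """Map a scored message to 'accept', 'hold' or 'reject'."""
    msg = message_from_string(raw_message)
    score = spam_score(msg)
    if score is None or score < SPAM_THRESHOLD:
        return "accept"   # assumption: unscanned mail is never dropped blind
    if score >= SUPERSPAM_THRESHOLD and subject_hits(msg) >= MIN_WORD_HITS:
        return "reject"   # refused at SMTP time, so nothing is bounced later
    return "hold"         # ordinary spam is kept for manual review


def sample(subject, status):
    """Build a constructed test message (not real traffic)."""
    return f"Subject: {subject}\nX-Spam-Status: {status}\n\nbody\n"


NEWS = sample("Adobe sues Microsoft", "No, score=0.4 required=5.0 tests=none")
SUPERSPAM = sample("Cheap Adobe Corel OEM", "Yes, score=27.3 required=5.0 tests=X")
SPAM = sample("Cheap Adobe OEM", "Yes, hits=9.1 required=5.0 tests=X")

if __name__ == "__main__":
    for raw in (NEWS, SUPERSPAM, SPAM):
        print(decide(raw))
```

The legitimate news subject is accepted because its score is low, even though it contains two of the listed words; the subject check only applies once the score has already crossed the superspam threshold.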


Re: filter for subjects

Posted by jdow <jd...@earthlink.net>.
1) You can use SARE rules to increase scores for words like viagra.
2) You cannot under any circumstance have SpamAssassin not pass mail
   on to the next delivery step. It is possible to have the next
   delivery step drop the mail into /dev/null.
3) It is not wise to get too frantic and drop things just because they
   say "Adobe". Some might be legitimate. (That is not a usual spam word
   here, at least.)

{^_^}
----- Original Message ----- 
From: "Fettke, Dirk" <Di...@its-technidata.de>


Hi,

I am becoming desperate... I want any mail with a specific subject (like:
viagra postbank, Adobe...) marked as spam. The Mail should be dropped and
not delivered to Mailbox.
Our Mailserver is only for relaying and filtering for spam and viruses.
So there are no local mailboxes.
Is there a possibility to do this with spamassassin?
It can't be so difficult, or?

Thanks
Dirk



Re: filter for subjects

Posted by Matt Kettler <mk...@comcast.net>.
At 08:19 AM 8/15/2005, Fettke, Dirk wrote:
>I am becoming desperate... I want any mail with a specific subject (like: viagra 
>postbank, Adobe...) marked as spam.

Ok, SA can be made to do that.. it's a little less straightforward than 
just saying "block subject xyz" but it's not hard.

A short rule with a high score will do the trick:

# Match the Subject header (case-insensitive); a score of 100 is far above any spam threshold
header BANNED_SUB1      Subject =~ /Banned subject text 1/i
score BANNED_SUB1               100


>The Mail should be dropped and not delivered to Mailbox.

That is a trick SA itself can't do. It can't delete mail. HOWEVER, most of 
the tools that call SA can do this.

>Our Mailserver is only for relaying and filtering for spam and viruses. So 
>there are no local mailboxes.

Ok, so you want to do this at the MTA layer.. amavis or mailscanner would 
be good choices. Both can be told to delete spam mail over a certain score 
level.

>Is there a possibility to do this with spamassassin?


When combined with other tools, yes, although something as simple as just 
blocking a specific subject is a job that spamassassin is overkill for.

If you only need subject blocking, and you don't need robust spam scanning, 
you might want to look at something less powerful like milter-regex instead.