Spamassassin rules
It seems more and more spam is getting through my SpamAssassin settings, so I've been re-evaluating my rules, looking at what others are using and seeing what comes through and what doesn't. I came up with a little set of rules which appears to be helping quite a bit. I have yet to come up with a false positive with these, but your mileage may vary depending on who emails you and how (I never get HTML email, for instance, so that can be scored high).
RCVD_IN_SORBS is downgraded to zero, since I just discovered it's giving a positive match to mail.dslr.net, which is not listed; hence the blacklist is not reliable.
Note: I use a required_hits setting of 5
HABEAS_SWE=2
HTML_FONT_BIG=2
HTML_FONT_COLOR_RED=2
HTML_IMAGE_ONLY=4
HTML_MESSAGE=2
MIME_HTML_MOSTLY=2
MIME_HTML_ONLY=3
RCVD_IN_BL_SPAMCOP_NET=2
RCVD_IN_DSBL=2
RCVD_IN_DYNABLOCK=2
RCVD_IN_NJABL=2
RCVD_IN_NJABL_PROXY=2
RCVD_IN_SBL=2
RCVD_IN_SORBS=0
UPPERCASE_20_50=2
Comments
Hi Kasia -- it would probably be better to set RCVD_IN_SORBS to something just above 0, like 0.001. Why? Because, while the basic lookup itself is pretty useless, it provides info for other, much more accurate rules -- like RCVD_IN_SORBS_HTTP, which hit 44% of spam with a 99.5% accuracy rating during the 2.6x rescoring run.
--j.
Posted by: Justin Mason | March 21, 2004 04:45 PM
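The following is an added example, not code from the post or from SpamAssassin itself. It puts the post's score list into local.cf `score RULE value` syntax with the post's required_hits of 5, sums the scores for a constructed set of rule hits, and illustrates the point Justin raises: SpamAssassin does not run a rule whose score is exactly 0, so such a rule can never feed a rule that depends on it, whereas a score of 0.001 keeps it running at negligible cost. The meta rule DEMO_SORBS_AND_HTML and its score are hypothetical, standing in for a real dependent rule such as RCVD_IN_SORBS_HTTP.

```python
"""Toy SpamAssassin-style scorer (added example; not SpamAssassin's code).
Shows 'score RULE value' lines combined against required_hits, and why a
score of exactly 0 behaves differently from a tiny positive score when
another rule depends on the zero-scored one."""
import re

# The post's scores, rewritten in SpamAssassin's local.cf syntax.
LOCAL_CF = """
required_hits 5
score HABEAS_SWE 2
score HTML_FONT_BIG 2
score HTML_FONT_COLOR_RED 2
score HTML_IMAGE_ONLY 4
score HTML_MESSAGE 2
score MIME_HTML_MOSTLY 2
score MIME_HTML_ONLY 3
score RCVD_IN_BL_SPAMCOP_NET 2
score RCVD_IN_DSBL 2
score RCVD_IN_DYNABLOCK 2
score RCVD_IN_NJABL 2
score RCVD_IN_NJABL_PROXY 2
score RCVD_IN_SBL 2
score RCVD_IN_SORBS 0
score UPPERCASE_20_50 2
"""

# Hypothetical dependent rule: fires only when both sub-rules fire.
META_RULES = {"DEMO_SORBS_AND_HTML": (["RCVD_IN_SORBS", "HTML_MESSAGE"], 3.0)}


def parse_local_cf(text):
    """Return (required_hits, {rule: score}) from a local.cf-style text."""
    scores, required = {}, 5.0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$", line)
        if m:
            scores[m.group(1)] = float(m.group(2))
        elif line.startswith("required_hits"):
            required = float(line.split()[1])
    return required, scores


def set_score(config_text, rule, value):
    """Return config_text with the 'score <rule> ...' line rewritten."""
    pat = re.compile(r"^score\s+%s\s+\S+$" % re.escape(rule), re.M)
    return pat.sub("score %s %s" % (rule, value), config_text)


def score_message(hits, scores, meta_rules=META_RULES):
    """Sum the scores of rules that hit. A rule whose score is exactly 0
    (or that has no score) is never run, so it is dropped from the hit
    list and cannot satisfy a dependent rule."""
    active = [r for r in hits if scores.get(r, 0.0) != 0.0]
    total = sum(scores[r] for r in active)
    fired = list(active)
    for name, (deps, s) in meta_rules.items():
        if all(d in active for d in deps):
            total += s
            fired.append(name)
    return round(total, 3), fired


def is_spam(hits, config_text=LOCAL_CF):
    """Return (verdict, total score, rules that fired) for one message."""
    required, scores = parse_local_cf(config_text)
    total, fired = score_message(hits, scores)
    return total >= required, total, fired


if __name__ == "__main__":
    # Constructed hit lists for three imaginary messages.
    print(is_spam(["HTML_MESSAGE", "MIME_HTML_ONLY"]))
    print(is_spam(["RCVD_IN_SORBS", "HTML_MESSAGE"]))
    kept = set_score(LOCAL_CF, "RCVD_IN_SORBS", "0.001")
    print(is_spam(["RCVD_IN_SORBS", "HTML_MESSAGE", "MIME_HTML_ONLY"], kept))
```

With the post's config the second message scores only 2 because RCVD_IN_SORBS is switched off entirely; with the 0.001 score it stays in play and the dependent rule can contribute. The same idea applies to any rule you want to silence: lower its score rather than zeroing it if other rules reference it.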
You _do_ train your SA, do you? It seems most people I talk to that spend time writing new rules do not bother learning their filters about the spam they receive. For me, the stock rules work almost perfectly (it's a bit slow on learning that most Habeas-marked mail I receive is spam, but except for that, it does exactly what I want).
My biggest irritation is all those bounces I get because of masks where I'm in the address book of somebody and the mask sends mail with me as sender (number two is stupid virus scanners sending mail to the "sender", not the intended recipient).
Posted by: Pontus | March 22, 2004 03:08 AM
I don't know if they've changed their policies in the meantime maybe, but last I heard a lot of people were pissed about Spamcop as well — they will blacklist domains used as spoofed sender addresses. They've even blacklisted amazon.com at some point.
To add insult to injury, they will only correspond with abuse@$REVERSE_LOOKUP_DOMAIN, which would be abuse@your-isp.net if you're surfing from an ISP connection at home. You would have to SSH into your webserver and bring up their contact form using lynx or something, I guess. Very funny, really.
Posted by: Aristotle Pagaltzis | March 22, 2004 04:10 AM
Pontus, yes, of course. For the longest time I've seen no spam, then it slowly started trickling in, and recently it's been 5+ a day coming through. Hence the new rules; so far, no spam and no false positives.
Posted by: kasia | March 22, 2004 08:15 AM
Look into greylisting in front of SA. Works a charm so far, and takes a helluva load off SA.
http://projects.puremagic.com/greylisting/
Posted by: Scott Delinger | March 30, 2004 03:20 PM
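An added example of the greylisting idea Scott points to, written for this page and not taken from the puremagic project. It keys on the usual triplet of client IP, envelope sender and envelope recipient: the first delivery attempt gets a temporary SMTP reject, a retry after the delay window is accepted and the triplet is remembered, and an attempt that never retries never reaches SpamAssassin at all. The delay and expiry values and the attempt timestamps are constructed for illustration.

```python
"""Minimal greylisting policy (added example; not the puremagic code).
Triplet = (client IP, envelope sender, envelope recipient).
First sight -> temporary reject; patient retry -> accept and whitelist."""
from dataclasses import dataclass, field

TEMPFAIL = "450 4.7.1 greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300            # seconds a retry must wait (constructed)
    max_wait: int = 4 * 3600        # forget unconfirmed triplets after this
    first_seen: dict = field(default_factory=dict)   # triplet -> first time
    whitelist: dict = field(default_factory=dict)    # triplet -> last accept

    def check(self, client_ip, sender, recipient, now):
        """Decide one delivery attempt; `now` is a timestamp in seconds."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.whitelist:
            self.whitelist[key] = now          # refresh, already trusted
            return ACCEPT
        t0 = self.first_seen.get(key)
        if t0 is None or now - t0 > self.max_wait:
            # First contact, or a stale attempt that expired: record, defer.
            self.first_seen[key] = now
            return TEMPFAIL
        if now - t0 < self.min_delay:
            # Retried too soon: keep deferring; real MTAs back off and retry.
            return TEMPFAIL
        # Patient retry: promote the triplet so later mail passes at once.
        del self.first_seen[key]
        self.whitelist[key] = now
        return ACCEPT


def simulate(attempts, **kw):
    """Run (time, ip, sender, recipient) attempts; return the SMTP replies."""
    gl = Greylist(**kw)
    return [gl.check(ip, s, r, t) for (t, ip, s, r) in attempts]


if __name__ == "__main__":
    # Constructed trace: a real MTA that retries after 60 s and again at 600 s.
    real = [(0, "192.0.2.10", "a@example.org", "me@example.net"),
            (60, "192.0.2.10", "a@example.org", "me@example.net"),
            (600, "192.0.2.10", "a@example.org", "me@example.net")]
    print(simulate(real))
    # Constructed trace: a fire-and-forget sender that never retries.
    print(simulate([(0, "198.51.100.7", "x@example.com", "me@example.net")]))
```

Two practical caveats follow from the logic above: senders that retry from a different host (large mail farms) will not match the same triplet unless you key on a network prefix instead of the exact IP, and the whitelist needs a much longer expiry than `first_seen` so regular correspondents are not delayed again.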