Vesta Control Panel - Forum


SpamAssassin Rules We All NEED

Questions regarding the Mail Server
Dovecot, Exim, RoundCube
Post by Sanity » Thu May 12, 2016 9:03 pm

thank you!! :)
Post by SS88 » Fri May 13, 2016 12:13 pm

As of today I have REMOVED the following:

This code was automatically placing emails with embedded images and Amazon's e-mails into the spam folder. Embedded images in e-mails are something very common these days.

Code: Select all

#
# Do a check for odd letter combinations
#
# The following rules were borrowed from an older version of SA.
rawbody  __PGP_BEGIN            /^-----BEGIN PGP SIGNATURE-----$/
rawbody  __PGP_MIDDLE           /^[0-9A-Za-z+\/]{64}$/
rawbody  __PGP_END              /^-----END PGP SIGNATURE-----$/
meta     __PGP_SIGNATURE        (__PGP_BEGIN && __PGP_MIDDLE && __PGP_END)

# Prevent hits with Double forwards, or messages with attachments not parsed out.
rawbody  __FVGT_rb_ATTACHMENT   /Content-Disposition: attachment/i

# Core obfu rules, these are generated from multiple US dictionary files.
body  __FVGT_b_OBFU_J           /j[bcfgw]/i
body  __FVGT_b_OBFU_OTHER       /(vj|vk|xj|xk|yy|zf|zj)/i
body  __FVGT_b_OBFU_Q0          /[jkpqtvwz]q/i
body  __FVGT_b_OBFU_Q1          /q[afhjkmnsy]/i
body  __FVGT_b_OBFU_V           /[fgqw]v/i
body  __FVGT_b_OBFU_X           /[cgjkqsvz]x/i
body  __FVGT_b_OBFU_Z           /[fjkpqx]z/i

meta  __FVGT_m_MULTI_ODD2 ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
meta  __FVGT_m_MULTI_ODD3 ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 2)
meta  __FVGT_m_MULTI_ODD4 ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 3)
meta  __FVGT_m_MULTI_ODD5 ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 4)

# Core meta rules, these combine multiple variations of above rules.
meta       FVGT_m_MULTI_ODD2   (__FVGT_m_MULTI_ODD2 && !__FVGT_rb_ATTACHMENT && !__PGP_SIGNATURE)
describe   FVGT_m_MULTI_ODD2   Contains multiple odd letter combinations
meta       FVGT_m_MULTI_ODD3   (__FVGT_m_MULTI_ODD3 && !__FVGT_rb_ATTACHMENT && !__PGP_SIGNATURE)
describe   FVGT_m_MULTI_ODD3   Contains multiple odd letter combinations
meta       FVGT_m_MULTI_ODD4   (__FVGT_m_MULTI_ODD4 && !__FVGT_rb_ATTACHMENT && !__PGP_SIGNATURE)
describe   FVGT_m_MULTI_ODD4   Contains multiple odd letter combinations
meta       FVGT_m_MULTI_ODD5   (__FVGT_m_MULTI_ODD5 && !__FVGT_rb_ATTACHMENT && !__PGP_SIGNATURE)
describe   FVGT_m_MULTI_ODD5   Contains multiple odd letter combinations

score  FVGT_m_MULTI_ODD2 1.1
score  FVGT_m_MULTI_ODD3 1.3
score  FVGT_m_MULTI_ODD4 1.3
score  FVGT_m_MULTI_ODD5 1.4
Top
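Added example (not from SS88's post or the original ruleset): a Python re-implementation of the removed FVGT_m_MULTI_ODD* logic, showing how a body of base64-style text trips every sub-rule while ordinary prose trips none. That undecoded image data reaching the body rules caused the false positives is an assumption; the post only reports the symptom, and the sample strings are constructed.

```python
import re

# Sub-rule patterns copied from the removed ruleset in the post above.
OBFU = {
    "J": r"j[bcfgw]", "OTHER": r"(vj|vk|xj|xk|yy|zf|zj)",
    "Q0": r"[jkpqtvwz]q", "Q1": r"q[afhjkmnsy]",
    "V": r"[fgqw]v", "X": r"[cgjkqsvz]x", "Z": r"[fjkpqx]z",
}
# Exemptions: __FVGT_rb_ATTACHMENT and the three-part __PGP_SIGNATURE.
ATTACHMENT = re.compile(r"Content-Disposition: attachment", re.I)
PGP_PARTS = [re.compile(p, re.M) for p in (
    r"^-----BEGIN PGP SIGNATURE-----$",
    r"^[0-9A-Za-z+/]{64}$",
    r"^-----END PGP SIGNATURE-----$")]
# FVGT_m_MULTI_ODDn fires when at least n sub-rules hit; scores from the post.
SCORES = {2: 1.1, 3: 1.3, 4: 1.3, 5: 1.4}


def subrule_hits(text):
    """Names of the odd-letter sub-rules that match anywhere in text."""
    return [n for n, p in OBFU.items() if re.search(p, text, re.I)]


def evaluate(text):
    """Return (fired meta rules, total score) for one message body.

    Simplification: SpamAssassin runs body rules on rendered text and
    rawbody rules on decoded lines; here both see the same string.
    """
    exempt = bool(ATTACHMENT.search(text)) or all(p.search(text) for p in PGP_PARTS)
    hits = len(subrule_hits(text))
    fired = [] if exempt else [n for n in SCORES if hits >= n]
    return ([f"FVGT_m_MULTI_ODD{n}" for n in fired],
            round(sum(SCORES[n] for n in fired), 1))


# Constructed samples (not taken from real mail).
PROSE = "Your order has shipped and will arrive on Monday. Thank you for shopping with us."
BASE64_LIKE = "iVBORw0KGgoAAAANSUhEUgAAAAUAqvJc9XjT2kzfR7wQy1pZxkgWv5"
WITH_HEADER = "Content-Disposition: attachment\n" + BASE64_LIKE

if __name__ == "__main__":
    for name, body in [("prose", PROSE), ("base64-like", BASE64_LIKE),
                       ("with attachment header", WITH_HEADER)]:
        print(name, subrule_hits(body), evaluate(body))
```

The four meta rules stack, so a body that hits five or more sub-rules collects 5.1 points from this rule family alone, which is above SpamAssassin's default `required_score` of 5.0.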

Post by bgg » Fri Jul 15, 2016 11:57 am

Hello

Can any experienced one please check the suggested cPanel policy by someone: http://toao.net/566-improving-spamassas ... statistics

Perhaps VestaCP will improve in spam tackling. Thanks a lot

Bg

Code: Select all

score BAYES_40 1
score BAYES_50 2
score BAYES_60 3
score BAYES_80 4
score BAYES_95 5
score BAYES_99 6
score SPF_FAIL 5
score SPF_PASS 0
score SPF_NEUTRAL 0
score URIBL_BLACK 10
describe URIBL_BLACK Contains a URL listed in black.uribl.com
score RCVD_IN_SBL 10
describe RCVD_IN_SBL Rcvd via a relay in Spamhaus SBL (Direct UBE)
score RCVD_IN_XBL 10
describe RCVD_IN_XBL Last ext relay in Spamhaus XBL (exploits)
score RCVD_IN_PBL 10
describe RCVD_IN_PBL Last ext relay in Spamhaus PBL (Non-MTA IPs)
score URIBL_DBL_SPAM 10
describe URIBL_DBL_SPAM Contains a URL listed in the Spamhaus DBL
score RCVD_IN_BRBL_LASTEXT 10
describe RCVD_IN_BRBL_LASTEXT Last external relay in Barracuda RBL
score RCVD_IN_BL_SPAMCOP_NET 0 1.246 0 1.347 # false positives - occasionally blocks Hotmail.  Default was 15.
Post by mike08 » Thu Oct 13, 2016 8:14 am

So, I have faced a new problem regarding spam, and that is related to forwarding emails.

These rules listed in this thread work perfectly to filter all those incoming emails as spam if they are so, however what happens if some customers have set up email forwarding to their accounts under vestacp?

As an example I have customers who have set their emails on vesta to forward emails to gmail, yahoo, hotmail, etc. Some of them receive many spam emails which are categorized in the Junk folder within vestacp thanks to this config, however these emails are being forwarded to other email providers causing them to block our IPs because of the forwarding.

I found some config settings within exim that are preventing emails from being forwarded if they are categorized as spam by spam assassin under directadmin, but not sure how I can implement this to vestacp instance: https://help.directadmin.com/item.php?id=156
http://forum.directadmin.com/showthread.php?t=42111

Is there someone with a better knowledge on this scenario?

Running on Debian 7 64 bits and vestacp 16
Post by SS88 » Thu Oct 13, 2016 11:29 am

I think in exim.conf you have to put the router before everything else (I could be wrong - you can test). This is for Debian 7.

So

Code: Select all

localuser_spam:
  driver = accept
  transport = local_spam_delivery
  condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{yes}{no_such_user}}}}

Would go before this part:

Code: Select all

userforward:

That means spam messages are dealt with first before any forwarding, etc.
Post by mike08 » Thu Oct 13, 2016 12:26 pm

SS88 wrote:I think in exim.conf you have to put the router before everything else (I could be wrong - you can test). This is for Debian 7.

So

Code: Select all

localuser_spam:
  driver = accept
  transport = local_spam_delivery
  condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{yes}{no_such_user}}}}

Would go before this part:

Code: Select all

userforward:

That means spam messages are dealt with first before any forwarding, etc.

Will test it within the next couple of days and post here if it works!
Post by mike08 » Fri Oct 21, 2016 9:36 am

Yep, this actually solved the situation, changing the order of the routers is all I needed, now mails only in the inbox are being forwarded :)
Post by SS88 » Fri Oct 21, 2016 12:12 pm

mike08 wrote: Yep, this actually solved the situation, changing the order of the routers is all I needed, now mails only in the inbox are being forwarded :)

Fantastic!

I'm going to update all my exim.conf files as well. Might be an idea to have this as a feature.
Post by fedekrum » Fri Dec 16, 2016 4:36 pm

Sorry to be such a pain!!! I am a complete newbie on SA, but regarding the last post, can you provide a

1-cut this from file :xxxxx
2 Place the cursor after yyyyyy
3-Paste xxxxx

Why I am asking for this?
Because I think that moving the wrong paragraph to the wrong place can result in some other problem.

Thanks !! (and If I missed something, please be nice with me !! :)
Post by SS88 » Fri Dec 16, 2016 4:53 pm

fedekrum wrote:Sorry to be such a pain!!! I am a complete newbie on SA, but regarding the last post, can you provide a

1-cut this from file :xxxxx
2 Place the cursor after yyyyyy
3-Paste xxxxx

Why I am asking for this?
Because I think that moving the wrong paragraph to the wrong place can result in some other problem.

Thanks !! (and If I missed something, please be nice with me !! :)

Cut this from exim.conf

Code: Select all

localuser_spam:
  driver = accept
  transport = local_spam_delivery
  condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{yes}{no_such_user}}}}

and paste it BEFORE (in exim.conf):

Code: Select all

userforward:

so your exim.conf looks like (this is only PART of your exim.conf):

Code: Select all

dnslookup:
  driver = dnslookup
  domains = !+local_domains
  transport = remote_smtp
  no_more

localuser_spam:
  driver = accept
  transport = local_spam_delivery
  condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{yes}{no_such_user}}}}

userforward:
  driver = redirect
  check_local_user
  file = $home/.forward
  allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
Top
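Added example (not part of SS88's post or of VestaCP): a Python check that reads the `begin routers` section of an exim.conf and lists every `driver = redirect` router that Exim tries before `localuser_spam`. It goes beyond the thread's single `userforward` case by flagging any earlier redirect router; the two sample configurations are constructed, abbreviated versions of the ordering discussed above.

```python
import re


def parse_routers(conf_text):
    """Return [(name, {option: value})] for the 'begin routers' section, in order."""
    routers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"begin\s+(\w+)", line)
        if m:
            section = m.group(1)
        elif section == "routers":
            if re.fullmatch(r"\w+:", line):       # "name:" starts a new router
                routers.append((line[:-1], {}))
            elif routers:                         # option line of current router
                key, _, value = line.partition("=")
                routers[-1][1][key.strip()] = value.strip()
    return routers


def redirects_before_spam(conf_text, spam_router="localuser_spam"):
    """Redirect routers ordered ahead of the spam router (None if it is missing)."""
    routers = parse_routers(conf_text)
    names = [name for name, _ in routers]
    if spam_router not in names:
        return None
    idx = names.index(spam_router)
    return [n for n, opts in routers[:idx] if opts.get("driver") == "redirect"]


# Constructed, abbreviated configs: router order before and after the move.
HEAD = "begin routers\ndnslookup:\n  driver = dnslookup\n  no_more\n"
SPAM = "localuser_spam:\n  driver = accept\n  transport = local_spam_delivery\n"
FWD = "userforward:\n  driver = redirect\n  check_local_user\n  file = $home/.forward\n"
BEFORE = HEAD + FWD + SPAM + "begin transports\n"
AFTER = HEAD + SPAM + FWD + "begin transports\n"

if __name__ == "__main__":
    print("before move:", redirects_before_spam(BEFORE))
    print("after move: ", redirects_before_spam(AFTER))
```

A non-empty result means a message can be redirected before the `X-Spam-Status` condition on `localuser_spam` is ever evaluated.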

