Extreme Spam Filtering
I have been spending some time to try and figure out why SpamAssassin has been doing a poor job for me. Perhaps I am being unfair. It correctly handles a lot of spam emails, but quite a few still managed to get through.
I spent a bit of time and studied the seemingly-ham-spam by passing it through SpamAssassin in test mode. There were a few cases where I felt some of the scores needed to be higher, just based on the type of spam email I have been receiving. I have since defined the following spam rules and scores:
header SUBJ_VIP Subject =~ /VIP/ header SUBJ_MORT Subject =~ /mortgage/i header SUBJ_APR Subject =~ /APR/ header SUBJ_INCOME Subject =~ /income/i header SUBJ_NOTICE Subject =~ /notice/i header FROM_PMI From =~ /Faster PMI/ header SUBJ_PRIHE Subject =~ /private health/i body BODY_GIRL /girl/i body BODY_NIPPLE /nipple/i body BODY_PROFILE /profile/i skip_rbl_checks 0 rbl_timeout 3 score RCVD_IN_BL_SPAMCOP_NET 3 score RCVD_IN_URIBL_SBL 2.5 score RCVD_IN_BRBL_LASTEX 2.5 score RCVD_IN_SORBS_DUL 2.5 score URIBL_ABUSE_SURBL 2.5 score URIBL_MW_SURBL 3 score URIBL_JP_SURBL 2.5 score URIBL_PH_SURBL 3 score URIBL_WS_SURBL 2.5 score URIBL_RED 1 score XPRIO 2 # priority email flag score BANG_GUAR 1.5 # typical spam phrase score FREEMAIL_FORGED_REPLYTO 2.5 # freemale address, from not same as to score FREEMAIL_REPLYTO_END_DIGIT 0.5 # firstname.lastname@example.org score HTML_EXTRA_CLOSE 1 # bad html score HTML_MESSAGE 0.2 # html email score T_DKIM_INVALID 0.5 # invalid DKIM score PP_MIME_FAKE_ASCII_TEXT 0.5 # fake ascii score NO_DNS_FOR_FROM 1 score RDNS_DYNAMIC 1.4 score LOTS_OF_MONEY 0.75 # lots of money score URI_PHISH 2.5 # usually 4.5 score SUBJ_VIP 0.3 score SUBJ_MORT 0.5 score SUBJ_APR 0.5 score SUBJ_INCOME 0.5 score SUBJ_NOTICE 0.4 score BODY_GIRL 0.2 score BODY_NIPPLE 0.2 score BODY_PROFILE 0.2 score FROM_PMI 1.5 score SUBJ_PRIHE 1.5
These rules are fairly aggressive, and it has really helped. However, some emails slip through. I found that when I tested manually, maybe an hour or so after the email had slipped through, they were classed as spam because the RBL and SORBS lists finally caught up. The only way I can think of solving this is by periodically scanning my maildir to see if any spam has gotten through unnoticed. Here is a little script which gets run every 30 minutes:
#!/usr/local/bin/bash find ~/Maildir/new -type f -mmin -40 | while read -r file; do cat $file | spamassassin -e > /dev/null 2> /dev/null if [ $? -gt 0 ]; then mv $file ~/Maildir/.Junk/new/ fi done
It will find all new emails in the INBOX folder, which were received within the past 40 minutes, and move them to Junk if they are spam.