Blog IndexPosts by TagHome

Extreme Spam Filtering

Posted <2017-05-03 Wed 17:41> by Aaron S. Jackson.

I have been spending some time to try and figure out why SpamAssassin has been doing a poor job for me. Perhaps I am being unfair. It correctly handles a lot of spam emails, but quite a few still managed to get through.

I spent a bit of time and studied the seemingly-ham-spam by passing it through SpamAssassin in test mode. There were a few cases where I felt some of the scores needed to be higher, just based on the type of spam email I have been receiving. I have since defined the following spam rules and scores:

header SUBJ_VIP Subject =~ /VIP/
header SUBJ_MORT Subject =~ /mortgage/i
header SUBJ_APR Subject =~ /APR/
header SUBJ_INCOME Subject =~ /income/i
header SUBJ_NOTICE Subject =~ /notice/i
header FROM_PMI From =~ /Faster PMI/
header SUBJ_PRIHE Subject =~ /private health/i

body BODY_GIRL /girl/i
body BODY_NIPPLE /nipple/i
body BODY_PROFILE /profile/i

skip_rbl_checks 0
rbl_timeout 3
score RCVD_IN_BL_SPAMCOP_NET 3
score RCVD_IN_URIBL_SBL 2.5
score RCVD_IN_BRBL_LASTEX 2.5
score RCVD_IN_SORBS_DUL 2.5
score URIBL_ABUSE_SURBL 2.5
score URIBL_MW_SURBL 3
score URIBL_JP_SURBL 2.5
score URIBL_PH_SURBL 3
score URIBL_WS_SURBL 2.5
score URIBL_RED 1
score XPRIO 2 # priority email flag
score BANG_GUAR 1.5 # typical spam phrase
score FREEMAIL_FORGED_REPLYTO 2.5 # freemale address, from not same as to
score FREEMAIL_REPLYTO_END_DIGIT 0.5 # someone342@aol.coms
score HTML_EXTRA_CLOSE 1 # bad html
score HTML_MESSAGE 0.2 # html email
score T_DKIM_INVALID 0.5 # invalid DKIM
score PP_MIME_FAKE_ASCII_TEXT 0.5 # fake ascii
score NO_DNS_FOR_FROM 1
score RDNS_DYNAMIC 1.4
score LOTS_OF_MONEY 0.75 # lots of money
score URI_PHISH 2.5 # usually 4.5
score SUBJ_VIP 0.3
score SUBJ_MORT 0.5
score SUBJ_APR 0.5
score SUBJ_INCOME 0.5
score SUBJ_NOTICE 0.4
score BODY_GIRL 0.2
score BODY_NIPPLE 0.2
score BODY_PROFILE 0.2
score FROM_PMI 1.5
score SUBJ_PRIHE 1.5

These rules are fairly aggressive, and it has really helped. However, some emails slip through. I found that when I tested manually, maybe an hour or so after the email had slipped through, they were classed as spam because the RBL and SORBS lists finally caught up. The only way I can think of solving this is by periodically scanning my maildir to see if any spam has gotten through unnoticed. Here is a little script which gets run every 30 minutes:

#!/usr/local/bin/bash

find ~/Maildir/new -type f -mmin -40 | while read -r file; do
    cat $file | spamassassin -e > /dev/null 2> /dev/null
    if [ $? -gt 0 ]; then
        mv $file ~/Maildir/.Junk/new/
    fi

done

It will find all new emails in the INBOX folder, which were received within the past 40 minutes, and move them to Junk if they are spam.

Wanting to leave a comment?

Comments and feedback are welcome by email (aaron@nospam-aaronsplace.co.uk).

Related posts:

Tags: linux

Blog IndexPosts by TagHome

Copyright 2007-2021 Aaron S. Jackson (compiled: Fri 1 Jan 10:51:33 GMT 2021)