Extreme Spam Filtering

Posted <2017-05-03 Wed 17:41> by Aaron S. Jackson.

I have been spending some time trying to figure out why SpamAssassin has been doing such a poor job for me. Perhaps I am being unfair. It correctly handles a lot of spam, but quite a few messages still manage to get through.

I studied the spam that had been classed as ham by passing it through SpamAssassin in test mode. There were a few cases where I felt some of the scores needed to be higher, based on the kind of spam I have been receiving. I have since defined the following rules and scores:

header SUBJ_VIP Subject =~ /VIP/
header SUBJ_MORT Subject =~ /mortgage/i
header SUBJ_APR Subject =~ /APR/
header SUBJ_INCOME Subject =~ /income/i
header SUBJ_NOTICE Subject =~ /notice/i
header FROM_PMI From =~ /Faster PMI/
header SUBJ_PRIHE Subject =~ /private health/i

body BODY_GIRL /girl/i
body BODY_NIPPLE /nipple/i
body BODY_PROFILE /profile/i

skip_rbl_checks 0
rbl_timeout 3
score RCVD_IN_BL_SPAMCOP_NET 3
score RCVD_IN_URIBL_SBL 2.5
score RCVD_IN_BRBL_LASTEX 2.5
score RCVD_IN_SORBS_DUL 2.5
score URIBL_ABUSE_SURBL 2.5
score URIBL_MW_SURBL 3
score URIBL_JP_SURBL 2.5
score URIBL_PH_SURBL 3
score URIBL_WS_SURBL 2.5
score URIBL_RED 1
score XPRIO 2 # priority email flag
score BANG_GUAR 1.5 # typical spam phrase
score FREEMAIL_FORGED_REPLYTO 2.5 # freemail Reply-To address that does not match the From address
score FREEMAIL_REPLYTO_END_DIGIT 0.5 # e.g. someone342@aol.com
score HTML_EXTRA_CLOSE 1 # bad html
score HTML_MESSAGE 0.2 # html email
score T_DKIM_INVALID 0.5 # invalid DKIM
score PP_MIME_FAKE_ASCII_TEXT 0.5 # fake ascii
score NO_DNS_FOR_FROM 1
score RDNS_DYNAMIC 1.4
score LOTS_OF_MONEY 0.75 # lots of money
score URI_PHISH 2.5 # usually 4.5
score SUBJ_VIP 0.3
score SUBJ_MORT 0.5
score SUBJ_APR 0.5
score SUBJ_INCOME 0.5
score SUBJ_NOTICE 0.4
score BODY_GIRL 0.2
score BODY_NIPPLE 0.2
score BODY_PROFILE 0.2
score FROM_PMI 1.5
score SUBJ_PRIHE 1.5

These rules are fairly aggressive, and they have really helped. However, some emails still slip through. When I tested those manually, maybe an hour or so after they had arrived, they were classed as spam, because by then the RBL and SORBS lists had caught up with the sender. The only solution I can think of is to periodically re-scan my maildir for spam that got through unnoticed. Here is a little script which runs every 30 minutes:

#!/usr/local/bin/bash

# Re-scan messages that arrived in the INBOX (Maildir/new) during the last 40
# minutes; by now the RBL/URIBL lookups may have caught up with the sender.
# -print0 / read -d '' keeps unusual filenames intact; paths are quoted.
find ~/Maildir/new -type f -mmin -40 -print0 | while IFS= read -r -d '' file; do
    # spamassassin -e exits non-zero when the message is classed as spam
    if ! spamassassin -e < "$file" > /dev/null 2>&1; then
        mv -- "$file" ~/Maildir/.Junk/new/
    fi
done

It finds all new emails in the INBOX folder that were received within the past 40 minutes, re-scans them, and moves to Junk any that are now classed as spam. The 40-minute window is wider than the 30-minute cron interval, so every message is checked at least once.
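As an added example (not SpamAssassin's own code, and not from the original post), here is a small Python checker for the subset of rule syntax used above: it parses the header, body and score lines and totals the custom-rule contribution for a message, which makes it easy to sanity-check a new rule against a saved spam sample before reloading SpamAssassin. The rule excerpt and the message are constructed; it supports only the i modifier and plain-text bodies, and the sender address is a placeholder.

```python
import re
from email import message_from_string
# Constructed excerpt in the post's rule syntax, not the full local.cf.
RULES_CF = """
header SUBJ_MORT Subject =~ /mortgage/i
header SUBJ_APR Subject =~ /APR/
header FROM_PMI From =~ /Faster PMI/
body BODY_PROFILE /profile/i
score SUBJ_MORT 0.5
score SUBJ_APR 0.5
score FROM_PMI 1.5
score BODY_PROFILE 0.2
"""
HEADER_RE = re.compile(r'^header\s+(\w+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$')
BODY_RE = re.compile(r'^body\s+(\w+)\s+/(.*)/([a-z]*)$')
SCORE_RE = re.compile(r'^score\s+(\w+)\s+(-?[\d.]+)')

def parse_rules(text):
    """Parse header/body/score lines into {name: (kind, header, regex)} and {name: score}."""
    rules, scores = {}, {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop trailing comments; no '#' inside patterns here
        if m := HEADER_RE.match(line):
            name, hdr, pat, fl = m.groups()
            rules[name] = ('header', hdr, re.compile(pat, re.I if 'i' in fl else 0))
        elif m := BODY_RE.match(line):
            name, pat, fl = m.groups()
            rules[name] = ('body', None, re.compile(pat, re.I if 'i' in fl else 0))
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return rules, scores

def score_message(raw, rules, scores):
    """Return (total, hit names) contributed by the local rules only, not SA's full rule set."""
    msg = message_from_string(raw)
    # Only text/plain parts are searched; SpamAssassin itself also renders HTML bodies.
    body = '\n'.join(p.get_payload(decode=True).decode('utf-8', 'replace')
                     for p in msg.walk() if p.get_content_type() == 'text/plain')
    hits = [name for name, (kind, hdr, rx) in rules.items()
            if rx.search(msg.get(hdr, '') if kind == 'header' else body)]
    return round(sum(scores.get(h, 0.0) for h in hits), 2), sorted(hits)

# Constructed sample message; the sender address is a placeholder.
SAMPLE = """From: Faster PMI <offers@example.invalid>
Subject: Low APR mortgage for you

Update your profile to claim the offer.
"""
if __name__ == '__main__':
    print(score_message(SAMPLE, *parse_rules(RULES_CF)))
```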

Tags: linux

Copyright 2007-2017 Aaron S. Jackson (modified: Sun 23 Jul 14:30:45 BST 2017)