Spamassasin pointless?

Hi there,

are you guys using Spam Assassin successfully? I enabled it and installed “Mark As Spam 2” plug-in for Roundcube. I click on every spam message to report it as spam. I still get spam messages and spam messages are not recognized as spam (I set virtualmin to add “[SPAM]” in front of the title). I even made the following script to let SA learn about spam messages.

#!/bin/bash
sa-learn --spam /home/[user]/Maildir/.Junk/cur

I am executing it from time to time, just to make sure that SA learns something. The output of that script is like follows.

Learned tokens from 146 message(s) (440 message(s) examined

How do I debug what is happening? Is there a GUI for SA so I can see graphically what is happening?

Kind regards
Keanu

Have you looked in Webmin / Servers / SpamAssassin Mail Filter?

There are other GUIs, but they’re all pretty much the same. Actually, I think the one in Webmin is probably better than most.

As for whether SpamAssassin is pointless… All I can say is that it catches the great bulk of my spam using the default settings. The only changes I make to local.cf are to address the endless peniphernalia spam I get from “USA PHARMACY” and “PHARMACY USA.” Whoever composes those messages manages to keep the score just under the 4.0 that many folks use (5 is the SA default), so SA needs a bit of help with them.

Other than that, very little spam makes it through. I think I had two or three pieces today out of about 400 messages.

Yes, I looked over the available options but there is no options you can use to actually optimize spam removal significantly. I was reading more about Pyzor, Razor and DCC today and I am wondering why those are not enabled in Virtualmin. I installed Pyzor and will see if it’s enough to get rid of the spam I get everyday.

Nevertheless I still think the current anti spam system in Virtualmin is just not enough.

You can also handle some more emailsettings yourself. (Dovecot postfix)

For tls version and cypher the weak old parts not using anymore helps a lot to.
Most modern enough do support newer, if not warn your custommers to use better modern and secure versions only., is very important for their own security also.

If not using weak parts tls 1.0 en perhaps tls 1.1 then even a tls no fallback problem is no more problem.

For other then emailports and services definitly get rid of tls 1.0 and tls 1.1 and old Cypher and to less bits so use 3072 and or 4096.

Email ports your custommers but take in mind PCI compliant and LAW rules in some EU country’s have forbidden using tls 1.0 and tls 1.1 already
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_BSI_TLS_Version_2_0.pdf?__blob=publicationFile&v=2

A lot of abusive servers for spam and co are using very to older parts and then mails from them …

I dunno… About 70 to 80 percent of my incoming that makes it as far as the MTA is spam, and very little of it gets past Spamassassin. I recently added some more peniphernalia-related entries in local.cf because I somehow got on every online pharmacy mailing list in the Interwebs-connected world, but other than that, I’m running a stock Spamassassin installation.

Perhaps part of the reason is because of a side thing I do as an RBL maintainer. Long story short, a while ago I got this brainstorm to plant honeypots on about a bazillion sites, with all of the reports going to one particular server, which would then compile blocklists and share them with the other servers. From there, it kind of morphed into collecting and sharing data about all sorts of malicious acts using CSF’s BLOCK_REPORT function, which allows execution of an external script every time an IP is blocked.

I also share my reports with AbuseIPDB in real-time, and I also download blocklists from them every hour and import them into CSF. I use a few other blocklists, as well, but I forget what they are offhand. I’ll check tomorrow if you want. Finally, I make two of my own blocklists, updated daily, available for free to anyone who wants them. Search on “recently misbehaving IP addresses” if you want to find them.

In a nutshell, all of my servers block malicious attackers in real time, plus contribute to a database on one of the servers that generates an updated blocklist every hour, plus use the AbuseIPDB lists and a few other blocklists. Hence, it’s very likely that a lot of spam isn’t even making it past the firewall. But almost all of it that does gets stopped by Spamassassin.

If you’re running CSF, you may want to look into using some blocklists. Blocking miscreants at the firewall is, in my opinion, better and more resource-friendly than filtering spam, anyway. Just look in /etc/csf/csf.blocklists and you’ll find some decent ones all ready to use (but commented out). Or use mine if you want. That’s what they’re there for.

Hi Richard,

very interesting approach using the firewall. You have some in detail walk-through is some kind of blog? Would be nice to read. Things like https://www.abuseipdb.com/csf/html are probably a good starting point :slight_smile:

I can just tell that since I enabled Pyzor and Razor2 for Spamassassin all my spam is detected and moved to a Junk folder like it should. Razor2 in particular is making a large difference and logs everything it does like I would expect it to do (makes everything super easy to debug). I am very happy currently but it would be even better to block spammer IPs.

It’s not really a blog, but I do have a site that provides more detailed instructions, as well as links to the lists themselves.

The site, which I own and which is ad-monetized (so I don’t want to directly link to it here), was built in a few hours as an afterthought once I had all the blocklist generators in place. I figured since I was generating all these bad IP lists, I might as well share them (and maybe make some money from the ads, as well). Two of the lists are free and are updated daily. Two others are subscription-based and are updated hourly. There’s a great deal of overlap between them; so for most people, the free lists are fine.

You can find the site by using Google (or probably most other search engines) to search on “recently misbehaving IP addresses”. If you’re using CSF Firewall or some other firewall capable of importing plain text files, feel free to use my free lists if you like. No registration or authentication is required. Only update them once a day (86400 seconds), however. The lists are only updated once a day anyway, and too-frequent update requests will get a requesting server tempblocked (only from my site, not added to the lists).

Just as an aside, ephemerality and automatic rehabilitation are core to my thinking as a maintainer. As someone who has had to clean up many, many inherited IPs’ reputations, few things bother me more than blocklists that don’t rehabilitate IP addresses once they’ve stopped misbehaving. All IP’s are automatically removed from my lists within a few days after they stop acting maliciously.

This probably common knowledge to every good sys admin but adding following options (RBL = Real-time Blackhole) to Postfix removed all of my spam. It’s not even reaching Spamassassin now.

/etc/postfix/main.cf smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

Be careful with Spamhaus. I’ve had lots of false positives with them.

YUP while:
Spamhaus Zen Reports Dynamic Ip Addresses by default

on the contrary, we’re very pleased with zen spamhaus, but disabled spamcop as the false positives were almost 50% of incoming !!!

That’s interesting. I always had the opposite experience.