block spam getting through

ressel
Posts: 27
Joined: 28 Nov 2014 11:59

block spam getting through

Post by ressel »

Hello,

I have some users that get some spam mails that are filtered as clean. How can I stop emails like this one:

X-Greylist: delayed 00:05:04 by SQLgrey-1.8.0
Received: from mail-smail-vm19.hanmail.net (mail-smail-vm19.daum.net [175.126.189.237])
     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
     (No client certificate requested)
     by rogue.bornhosting.dk (Postfix) with ESMTPS id C0D35A14D4
     for <sib***@bd****.dk>; Wed, 17 May 2017 20:39:33 +0200 (CEST)
Received: from wwl1543.hanmail.net ([114.108.152.210])
by mail-smail-vm19.hanmail.net (8.13.8/8.9.1) with ESMTP id v4HIWsZD010991;
Thu, 18 May 2017 03:32:54 +0900
Received: (from hanadmin@localhost)
by wwl1543.hanmail.net (8.12.9/8.9.1) id v4HIWqWJ008469
for <sib***@bd****.dk>; Thu, 18 May 2017 03:32:52 +0900
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
X-Originating-IP: [41.66.12.105]
From: "Ange Paul" <angepaul98@gmail.com>
Sender: angepaul7326@daum.net
Organization: 
To: <angepaul98@gmail.com>
Subject: Goddag kære,
X-Mailer: Daum Web Mailer 1.2
Date: Thu, 18 May 2017 03:32:48 +0900 (KST)
Message-Id: <20170518033248.HM.0000000000004fq@angepaul7326.wwl1543.hanmail.net>
Errors-To: <angepaul7326@daum.net>
X-HM-UT: tc8x4qFaBnoJAT1dePYTXImbzdWpJCX5YotzI9JDB1Q=
X-HM-FIGURE: tc8x4qFaBnrwvlxkzMBz5NbCxBMZaNOP
MIME-Version: 1.0
X-Hanmail-Attr: fc=1

SpamAssassin Score:	1.65
Spam Report:	
Score	Matching Rule	Description
0.80	BAYES_50	Bayes spam probability is 40 to 60%
1.10	DCC_CHECK	Detected as bulk mail by DCC (dcc-servers.net)
0.00	DKIM_ADSP_CUSTOM_MED	No valid author signature, adsp_override is CUSTOM_MED
0.25	FREEMAIL_ENVFROM_END_DIGIT	Envelope-from freemail username ends in digit
0.00	FREEMAIL_FROM	Sender email is commonly abused enduser mail provider
0.00	HTML_MESSAGE	HTML included in message
0.00	LOTS_OF_MONEY	Huge... sums of money
0.72	MIME_HTML_ONLY	Message only has text/html MIME parts
0.90	NML_ADSP_CUSTOM_MED	ADSP custom_med hit, and not from a mailing list
-0.00	RCVD_IN_DNSWL_NONE	Sender listed at http://www.dnswl.org/, no trust
-2.80	RCVD_IN_MSPIKE_H2	Average reputation (+2)
0.67	SPF_SOFTFAIL	SPF: sender does not match SPF record (softfail)
0.01	T_KAM_HTML_FONT_INVALID	Test for Invalidly Named or Formatted Colors in HTML
0.00	WEIRD_PORT	Uses non-standard port number for HTTP

Best regards
Søren Ressel
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: block spam getting through

Post by pdwalker »

You have to train the system to recognize spam through the Bayesian filter.
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: block spam getting through

Post by stusmith »

You can also roll the dice by increasing the score for the default rules in
/etc/mail/spamassassin/local.cf

score LOTS_OF_MONEY 2.3

I've used that to ramp up some of the default SPF, DKIM, DMARC, and ADSP scores and to write custom rules for domains that we exchange mail with that are broken (bad SPF, weird sending patterns, match other default rules, etc.).

All-in-all I've got around fifty to sixty custom rules, but the payoff in the end is definitely worth it. Things we want zip through and things we don't want are filtered.
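
A what-if check for the score override suggested above, added here as an example and not code from eFa, SpamAssassin or any poster: it re-totals the rule hits from the report in the first post under a set of local.cf `score` lines. The 5.0 threshold is SpamAssassin's stock required_score and is an assumption about this server; the function names are hypothetical.

```python
# Rule hits copied from the SpamAssassin report in the first post (score, rule).
REPORT = """\
0.80 BAYES_50
1.10 DCC_CHECK
0.00 DKIM_ADSP_CUSTOM_MED
0.25 FREEMAIL_ENVFROM_END_DIGIT
0.00 FREEMAIL_FROM
0.00 HTML_MESSAGE
0.00 LOTS_OF_MONEY
0.72 MIME_HTML_ONLY
0.90 NML_ADSP_CUSTOM_MED
-0.00 RCVD_IN_DNSWL_NONE
-2.80 RCVD_IN_MSPIKE_H2
0.67 SPF_SOFTFAIL
0.01 T_KAM_HTML_FONT_INVALID
0.00 WEIRD_PORT
"""
REQUIRED_SCORE = 5.0  # assumption: stock required_score, the site's may differ

def parse_report(text):
    """Return {rule: score} from 'score RULE' report lines."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            hits[parts[1]] = float(parts[0])
    return hits

def parse_overrides(local_cf):
    """Read 'score RULE n [n n n]' lines; with four values use the last
    (the Bayes + network-tests score set, which this report reflects)."""
    out = {}
    for line in local_cf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) in (3, 6) and parts[0] == "score":
            out[parts[1]] = float(parts[-1])
    return out

def what_if(local_cf):
    """Return (new_total, is_spam); only rules that actually hit are rescored."""
    hits = parse_report(REPORT)
    overrides = parse_overrides(local_cf)
    total = round(sum(overrides.get(r, s) for r, s in hits.items()), 2)
    return total, total >= REQUIRED_SCORE

if __name__ == "__main__":
    print(what_if(""))                         # as delivered
    print(what_if("score LOTS_OF_MONEY 2.3"))  # the override from the thread
```

With only LOTS_OF_MONEY raised to 2.3 the message totals 3.95, because the -2.80 from RCVD_IN_MSPIKE_H2 still offsets the other hits.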
ressel
Posts: 27
Joined: 28 Nov 2014 11:59

Re: block spam getting through

Post by ressel »

pdwalker wrote: 23 May 2017 16:36 You have to train the system to recognize spam through the bayesian filter.
I have been running this server for some years now, and keep pressing "report as spam" on most unwanted emails I find, but it feels like it's not working anymore.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: block spam getting through

Post by pdwalker »

0.80 BAYES_50 Bayes spam probability is 40 to 60%

The spammers are constantly changing their methods to get past the filters, and our heuristic programs are still not good enough to do what we do instantly: recognize spam.

That said, I think the SpamAssassin project had stalled for a while, but there are now signs of activity and them getting their act together.

In the meantime, keep training your bayes filter, and adjust your rules as necessary.