best practise or best configuration

keysteal
Posts: 20
Joined: 10 Nov 2018 07:25

best practise or best configuration

Post by keysteal »

Hello to all,

I have been using Efa Project for almost 3 years. I am still satisfied, but I have noticed that many
dangerous phishing emails (from banks in general) are filtered as clean. Is there, here in the forum,
a simple guide on how to do the best configuration of Efa Project and avoid most of the emails that
Efa does not recognize as spam?

Thanks to all.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: best practise or best configuration

Post by shawniverson »

eFa really provides a default set of rules (spamassassin, clamav-unofficial-sigs) that gets you started.

The two biggest ways to combat spam are to add RBLs to your configuration (either with postfix/postscreen or in MailScanner, depending on whether you want the performance benefit of blocking at the MTA level) and to create custom rules for SpamAssassin.

If you are able to share a Report from one or more of these emails I could help you get going in the right direction.
keysteal
Posts: 20
Joined: 10 Nov 2018 07:25

Re: best practise or best configuration

Post by keysteal »

This is a recent example:
[Attached screenshot: Schermata 2021-11-02 alle 21.42.04.png]
keysteal
Posts: 20
Joined: 10 Nov 2018 07:25

Re: best practise or best configuration

Post by keysteal »

Another one:
[Attached screenshots: Schermata 2021-11-02 alle 21.49.01.png, Schermata 2021-11-02 alle 21.50.36.png]
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: best practise or best configuration

Post by shawniverson »

The first thing I spot is a DKIM_INVALID. So, you could assign a higher score to incoming emails that have a DKIM_INVALID.

I'll look at these in greater detail later and give you some suggestions and steps to take.
keysteal
Posts: 20
Joined: 10 Nov 2018 07:25

Re: best practise or best configuration

Post by keysteal »

Hi @shawniverson,

I can't find a guide on how to set DKIM scores inside Efa; do you have one?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: best practise or best configuration

Post by shawniverson »

Any score in SpamAssassin can be overridden or used in what is known as a meta rule.

https://cwiki.apache.org/confluence/dis ... itingrules

You can place your rules in local.cf or a custom file under /etc/mail/spamassassin of your choosing.

So, you could do this, for example:

Code:

score DKIM_INVALID 5.0

Or this:

Code:

meta            MY_CUSTOM_RULE DKIM_INVALID && PHP_SCRIPT
describe        MY_CUSTOM_RULE sending a PHP script and having bad DKIM is bad
score           MY_CUSTOM_RULE 5.0
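
Added example (not part of the post above or of the eFa project): a small Python what-if that re-scores MailScanner SpamCheck report strings under the two changes suggested above, the `score DKIM_INVALID 5.0` override and the `MY_CUSTOM_RULE` meta, so their effect on already-received mail can be checked before editing local.cf. The sample reports, their scores and the function names are constructed for illustration, and the report layout is assumed to be MailScanner's `score=…, required …, RULE n.nn` form.

```python
import re

# Constructed MailScanner SpamCheck reports (not taken from the thread's
# screenshots); the per-rule scores are made up for illustration.
PHISH = ("not spam, SpamAssassin (not cached, score=2.5, required 5, autolearn=disabled, "
         "DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_MESSAGE 0.00, PHP_SCRIPT 2.30)")
LEGIT = ("not spam, SpamAssassin (not cached, score=0.92, required 5, autolearn=disabled, "
         "DKIM_INVALID 0.10, DKIM_SIGNED 0.10, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.72)")

def parse_report(report):
    """Return (total, required, {rule: score}) from a SpamCheck report string."""
    m = re.search(r"score=(-?[\d.]+), required (-?[\d.]+)", report)
    if not m:
        raise ValueError("not a MailScanner SpamAssassin report")
    # Rule hits look like "RULE_NAME 0.10"; lowercase fields are skipped.
    hits = {name: float(val)
            for name, val in re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", report)}
    return float(m.group(1)), float(m.group(2)), hits

def what_if(report, overrides=None, metas=None):
    """Re-score a report under proposed local.cf changes.

    overrides: {rule: new_score}, as in `score DKIM_INVALID 5.0`
    metas: {name: (expression, score)}; only `A && B` conjunctions are handled
    Returns (new_total, would_be_tagged_spam).
    """
    total, required, hits = parse_report(report)
    for rule, new_score in (overrides or {}).items():
        if rule in hits:                      # swap the old score for the new one
            total += new_score - hits[rule]
    for expr, score in (metas or {}).values():
        if all(part.strip() in hits for part in expr.split("&&")):
            total += score                    # a meta adds to its parts' scores
    total = round(total, 3)
    return total, total >= required

if __name__ == "__main__":
    meta = {"MY_CUSTOM_RULE": ("DKIM_INVALID && PHP_SCRIPT", 5.0)}
    for label, rep in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "override:", what_if(rep, overrides={"DKIM_INVALID": 5.0}),
              "meta:", what_if(rep, metas=meta))
```

In these constructed samples the blanket override also pushes the legitimate message with a broken signature over the threshold, while the meta rule only changes the message that hits both rules.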
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: best practise or best configuration

Post by shawniverson »

I also think you would benefit from using good RBLs, which can be done in a variety of ways:

Postscreen is the preferred method these days but takes some configuration and care:

http://www.postfix.org/POSTSCREEN_README.html

http://rob0.nodns4.us/postscreen.html

Or you can do it simply using Postfix, just not as powerfully as Postscreen:

https://docs.rackspace.com/support/how- ... n-postfix/

/etc/MailScanner/MailScanner.conf can also use RBLs; this is more CPU intensive but is a good start to see what is getting caught in the RBLs.

Also, SpamAssassin can use RBLs too, and you can assign scores based on RBL lookups.
keysteal
Posts: 20
Joined: 10 Nov 2018 07:25

Re: best practise or best configuration

Post by keysteal »

Thx @shawniverson, I'll give them a look.