how to teach spamassassin that a message is spam without blacklisting it.

curibe
Posts: 74
Joined: 26 Feb 2014 22:38

how to teach spamassassin that a message is spam without blacklisting it.

Post by curibe »

How can I teach SpamAssassin to learn from a message that is spam? Is this even possible?

By just looking at the subject, I am surprised it did not flag it as spam.

Subject: Hi, review your 50% off Andersen replacement window pricing

And there are other things in the body that should have flagged it. Here is the spam score.


SpamAssassin Score: 2.56

Score   Matching Rule            Description
-1.90   BAYES_00                 Bayes spam probability is 0 to 1%
 1.10   DCC_CHECK                Detected as bulk mail by DCC (dcc-servers.net)
 1.10   FSL_BULK_SIG
 0.00   HTML_FONT_LOW_CONTRAST   HTML font color similar or identical to background
 0.00   HTML_MESSAGE             HTML included in message
 1.45   RCVD_IN_BRBL_LASTEXT
 0.79   RDNS_NONE                Delivered to internal network by a host with no rDNS
-0.00   SPF_HELO_PASS            SPF: HELO matches SPF record
-0.00   SPF_PASS                 SPF: sender matches SPF record
 0.01   T_REMOTE_IMAGE
 0.00   URIBL_BLOCKED            ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.

*********************************************************************
How can I tell SpamAssassin to learn from the message to give it a higher score? Is this even possible?
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: how to teach spamassassin that a message is spam without blacklisting it.

Post by zohman »

curibe wrote: How can I teach SpamAssassin to learn from a message that is spam? Is this even possible?
How can I tell SpamAssassin to learn from the message to give it a higher score? Is this even possible?

Hi curibe,

You must be aware of what is spam and what could be mail subscriptions by users.
This message passes SPF IP and SPF HELO, and you have BAYES_00 there also.

BAYES_00 description:
The Bayesian algorithm will assign a high score to it based on previous experience.
Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flag the message as spam), the Bayesian algorithm will assign a lower score to it.

But there is also RCVD_IN_BRBL_LASTEXT, hmm.. a little suspicious.
Those kinds of messages probably have an Unsubscribe URL link.

Regarding your question, yes, it is possible;
this is why we have /etc/MailScanner/spam.assassin.prefs.conf.
You can change scores for custom rules,
create your own rules, and so on.

For example, RDNS_NONE has a 0.79 score; let's change it to 1.25.
In spam.assassin.prefs.conf, at the "Change SpamAssassin Rules scores" section, you insert:

Code:

# =============== Change SpamAssassin Rules scores ===============
score RDNS_NONE 1.25

Want to add a new rule?

Code:

# =============== Adding SpamAssassin Rules ===============

header   FRIEND_GREETINGS     Subject =~ /you have an E-Card from/i
describe FRIEND_GREETINGS     Nasty E-card from FriendGreetings.com
score    FRIEND_GREETINGS     100.0

header   HAM_UNTRUSTED_RELAY  From =~ /\@example.com/i
describe HAM_UNTRUSTED_RELAY  Not exactly trusted
score    HAM_UNTRUSTED_RELAY  2.10

You can also make a rule from rules that trigger the score.
For example, let's make:

Code:

meta     MY_COUSTOM1  (RCVD_IN_BRBL_LASTEXT + RDNS_NONE)
header   MY_COUSTOM1  From =~ /\@example.com/i
describe MY_COUSTOM1  Not exactly trusted
score    MY_COUSTOM1  5.0

We learn here that if the message hits RCVD_IN_BRBL_LASTEXT+RDNS_NONE on the score
and the "From" header contains @example.com, this rule also kicks in on the final spam score,
and the message will with high probability be marked as spam.

*You can get rule ideas from: /etc/mail/spamassassin/KAM.cf

Regards,
Zohman.
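
Added example, not part of the original post: in SpamAssassin a rule name holds one definition, so a `header MY_COUSTOM1` line placed after `meta MY_COUSTOM1` replaces it, and a meta written as `(A + B)` is true when either rule hits. The fragment below keeps the From test in a separate sub-rule and requires every part with `&&`; the names `__MY_FROM_EXAMPLE` and `MY_BRBL_NO_RDNS`, the describe texts and the 2.0 score are assumptions for illustration.

```conf
# /etc/MailScanner/spam.assassin.prefs.conf (file named in the post above)

# Sub-rule: a name starting with "__" is evaluated but never scored on its
# own, so it can be referenced from meta rules without adding points itself.
header   __MY_FROM_EXAMPLE  From:addr =~ /\@example\.com$/i

# Fires only when all three conditions hit. "&&" is a logical AND;
# "(A + B)" would be non-zero, and therefore true, if either rule hit.
meta     MY_COUSTOM1        (RCVD_IN_BRBL_LASTEXT && RDNS_NONE && __MY_FROM_EXAMPLE)
describe MY_COUSTOM1        BRBL-listed relay, no rDNS, From example.com
score    MY_COUSTOM1        5.0

# Variant without the From test: the sender domain does not matter.
# Equivalent arithmetic form: (RCVD_IN_BRBL_LASTEXT + RDNS_NONE > 1)
meta     MY_BRBL_NO_RDNS    (RCVD_IN_BRBL_LASTEXT && RDNS_NONE)
describe MY_BRBL_NO_RDNS    BRBL-listed relay with no rDNS
score    MY_BRBL_NO_RDNS    2.0

# A meta score is added on top of the scores of the rules it combines:
# with the report above, 1.45 + 0.79 + 2.0 = 4.24 from these three rules.

# Syntax check after editing:  spamassassin --lint
```
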
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: how to teach spamassassin that a message is spam without blacklisting it.

Post by curibe »

Can I do

meta MY_COUSTOM1 (RCVD_IN_BRBL_LASTEXT + RDNS_NONE)
describe MY_COUSTOM1 Not exactly trusted
score MY_COUSTOM1 5.0

without the "header MY_COUSTOM1 From =~ /\@example.com/i"?

The reason I ask is that I'm noticing it is not coming from the same @sample.com
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: how to teach spamassassin that a message is spam without blacklisting it.

Post by curibe »

Should I just set RCVD_IN_BRBL_LASTEXT to maybe 2 or 3 instead of 1.45?
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: how to teach spamassassin that a message is spam without blacklisting it.

Post by zohman »

curibe wrote: Can I do

meta MY_COUSTOM1 (RCVD_IN_BRBL_LASTEXT + RDNS_NONE)
describe MY_COUSTOM1 Not exactly trusted
score MY_COUSTOM1 5.0

without the "header MY_COUSTOM1 From =~ /\@example.com/i"?

The reason I ask is that I'm noticing it is not coming from the same @sample.com

Yes.

curibe wrote: Should I just set RCVD_IN_BRBL_LASTEXT to maybe 2 or 3 instead of 1.45?

You can also do that,
just keep track that all mail flows like you expected.