Amavis / SpamAssassin

SpamAssassin

Some random bits and pieces related to SpamAssassin and Amavis

I’ve been looking for additional rulesets to add to SpamAssassin but haven’t found many; the SARE project appears to be offline, for example. Eventually I found the SOUGHT SpamAssassin ruleset, which despite its age (published in 2007) seems to still be maintained.

See http://taint.org/2007/08/15/004348a.html

To enable this on Debian Wheezy, I added a cron job (/etc/cron.d/sa-update-sought) like :

10 */3 * * * debian-spamd /usr/local/sbin/sa-update-sought

And then created /usr/local/sbin/sa-update-sought which looks a bit like :

#!/bin/bash
# Re-exec as debian-spamd (the user Debian runs sa-update as) if started as
# anyone else, e.g. root; look the UID up rather than hard-coding it.
SA_USER=debian-spamd
if [ "$(id -u)" != "$(id -u "$SA_USER")" ]; then
    exec su - "$SA_USER" -c "/usr/local/sbin/sa-update-sought"
fi

# See http://taint.org/2007/08/15/004348a.html (6C6191E3 is the SOUGHT channel's signing key)
/usr/bin/sa-update -v --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org
rc=$?
# sa-update exits 0 only when new rules were installed; 1 means nothing new, anything higher is a failure.
[ "$rc" -gt 1 ] && { echo "sa-update failed (exit $rc)" >&2; exit "$rc"; }
# so wow, so speed.  (Needs re2c/gcc and the Rule2XSBody plugin enabled in v320.pre.)
/usr/bin/sa-compile
# amavisd-new only reads the rules at startup, so reload/restart it once this has run.

(Don’t forget to chmod 755 the script. To trace it, run it with bash -x or add set -x near the top. Be careful with set -e: sa-update exits 1 when there is nothing new to fetch, which would abort the script before sa-compile runs. Also remember that amavisd-new loads the SpamAssassin rules when it starts, so it needs a reload/restart before freshly fetched or compiled rules take effect.)

Amavis – deal with duplicate headers

Firstly, Amavis was complaining about duplicated headers in some emails (and treating them as BAD-HEADER). Typically the duplicate was something harmless like a second MIME-Version line, which I don’t care about. To stop Amavis moaning about duplicated headers, add the following to your config under /etc/amavis/conf.d/50-user (on Debian). Be aware that this turns the test off for every header, not just MIME-Version: a message carrying two From: or Subject: lines, a trick used to show different values to filters and to mail clients, will no longer be flagged on that basis either.

$allowed_header_tests{'multiple'} = 0;

Amavis – log SpamAssassin rulesets and generally more

The default Amavis log file will look something like :

Mar 23 06:48:18 my.server /usr/sbin/amavisd-new[13368]: (13368-03) Passed CLEAN {RelayedInbound}, [client.ip.addr]:37490 [client.ip.addr]  -> <someone@local>, Queue-ID: 3FDEC181A06, Message-ID: <c72c5e1d26a048c0af4be75044e1e80e@bazarchic-invitations.com>, mail_id: d-dsS6ecM4vR, Hits: -9.49, size: 34124, queued_as: 80D4118089F, dkim_sd=20132014:bazarchic-invitations.com, 3203 ms

Which isn’t all that useful, especially if you need to know WHY SpamAssassin scored it the way it did (i.e. why it came out at -9.49).

So, to make Amavis more verbose in logging – so you can see which SpamAssassin tests triggered etc – add to /etc/amavis/conf.d/50-user (debian) -

$log_templ = $log_verbose_templ;

Now you’ll see something more like :

Mar 28 14:33:49 my.server /usr/sbin/amavisd-new[9149]: (09149-05) Passed SPAMMY {RelayedTaggedInbound}, [client.ip.addr]:62696 [client.ip.addr] <some.user@whatever> -> <someone@else.example.com>, Queue-ID: EF4F4180E71, Message-ID: <C46A064E2A2B52469C092EE761AD74602BFCCC@xxxxxx-Exch.xxxxxxx.xxxx>, mail_id: dzG4JS_4jH29, Hits: 6.314, size: 46717, queued_as: BBEB71819B4, Subject: "hello world this is a subject", From: Test_Person_<test@my.domain>, helo=whatever.server, Tests: [HTML_MESSAGE=0.001,LOCAL_SEX=5,URI_HEX=1.313], shortcircuit=no, autolearn=disabled, autolearnscore=6.314, asn=AS57307_188.227.240.0/21, 4714 ms

Now you can clearly see why it scored 6.314, without needing to find the mail and read its headers.
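Once the verbose template is on, the log becomes something you can mine: which local rules fire most, what they contribute, and whether the listed tests actually account for the Hits value. The Python below is an added example, not part of this post or of amavisd-new; it parses constructed log lines of the same shape as the one above (the hosts, addresses and mail_ids are placeholders), including a BANNED line where SpamAssassin was skipped and Hits is "-".

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of amavisd-new's $log_verbose_templ output.
# Hosts, addresses and IDs are placeholders, not copied from any real server.
SAMPLE_LOG = """\
Mar 28 14:33:49 mx amavisd-new[9149]: (09149-05) Passed SPAMMY {RelayedTaggedInbound}, [192.0.2.10]:62696 [192.0.2.10] <a@example.org> -> <b@example.com>, Queue-ID: EF4F4180E71, Message-ID: <1@example.org>, mail_id: dzG4JS_4jH29, Hits: 6.314, size: 46717, queued_as: BBEB71819B4, Subject: "hello", From: a@example.org, helo=mail.example.org, Tests: [HTML_MESSAGE=0.001,LOCAL_SEX=5,URI_HEX=1.313], shortcircuit=no, autolearn=disabled, autolearnscore=6.314, 4714 ms
Mar 28 14:35:02 mx amavisd-new[9150]: (09150-01) Passed CLEAN {RelayedInbound}, [198.51.100.7]:40001 [198.51.100.7] <c@example.net> -> <b@example.com>, Queue-ID: 0123456789A, Message-ID: <2@example.net>, mail_id: abcDEF123456, Hits: -1.899, size: 2048, queued_as: 1122334455A, Subject: "re: lunch", From: c@example.net, helo=mail.example.net, Tests: [BAYES_00=-1.9,HTML_MESSAGE=0.001], shortcircuit=no, autolearn=ham, autolearnscore=-1.899, 310 ms
Mar 28 14:36:10 mx amavisd-new[9151]: (09151-02) Blocked SPAM {DiscardedInbound}, [203.0.113.9]:51234 [203.0.113.9] <x@bad.example> -> <b@example.com>, Queue-ID: 0A0A0A0A0A0, Message-ID: <3@bad.example>, mail_id: zzzzzzzzzzzz, Hits: 14.2, size: 9000, Subject: "cheap meds", From: x@bad.example, helo=bad.example, Tests: [PHP_EVAL=8,LOCAL_SEX=5,URI_HEX=1.2], shortcircuit=no, autolearn=spam, autolearnscore=14.2, 900 ms
Mar 28 14:37:00 mx amavisd-new[9152]: (09152-01) Blocked BANNED (application/x-msdownload,.exe,invoice.exe) {DiscardedInbound}, [203.0.113.9]:51300 [203.0.113.9] <y@bad.example> -> <b@example.com>, Queue-ID: 0B0B0B0B0B0, Message-ID: <4@bad.example>, mail_id: yyyyyyyyyyyy, Hits: -, size: 150000, Subject: "invoice", From: y@bad.example, helo=bad.example, 120 ms
"""

# Verdict, mail_id and Hits are always present; "Tests: [...]" only when SpamAssassin ran.
LINE_RE = re.compile(
    r"\((?P<task>[\d-]+)\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r".*? mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-?[\d.]+|-)"
    r"(?:.*? Tests: \[(?P<tests>[^\]]*)\])?"
)


def parse_line(line):
    """Pull verdict, score and per-rule hits out of one verbose log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tests = {}
    for item in filter(None, (m.group("tests") or "").split(",")):
        name, _, score = item.partition("=")
        tests[name] = float(score)
    hits = None if m.group("hits") == "-" else float(m.group("hits"))
    return {"task": m.group("task"), "action": m.group("action"), "verdict": m.group("verdict"),
            "mail_id": m.group("mail_id"), "hits": hits, "tests": tests}


def summarize(log_text):
    """Parsed rows plus, per rule, how often it fired and its total contribution."""
    rows = [r for r in map(parse_line, log_text.splitlines()) if r]
    fired = Counter()
    contributed = defaultdict(float)
    for r in rows:
        for name, score in r["tests"].items():
            fired[name] += 1
            contributed[name] += score
    return rows, fired, contributed


def scores_add_up(row, tol=0.01):
    """True when the listed test scores account for Hits (or SA was skipped and no tests are listed)."""
    if row["hits"] is None:
        return not row["tests"]
    return abs(sum(row["tests"].values()) - row["hits"]) < tol


if __name__ == "__main__":
    rows, fired, contributed = summarize(SAMPLE_LOG)
    for r in rows:
        print(f'{r["mail_id"]:>14} {r["action"]:7} {r["verdict"]:10} hits={r["hits"]} {r["tests"]}')
    print("\nrule            fired   total")
    for name, n in fired.most_common():
        print(f"{name:14} {n:5d}  {contributed[name]:7.3f}")
```

Run it over the real log instead of SAMPLE_LOG (for example `summarize(open("/var/log/mail.log").read())`) and the per-rule table tells you at a glance whether a local rule like LOCAL_SEX is carrying more weight than you intended.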

SpamAssassin – some random rules

Add the rules below to a file under /etc/spamassassin named something like ‘local_rules.cf’ (SpamAssassin reads every *.cf file in that directory; run spamassassin --lint afterwards to catch syntax errors).

WhatCounts – spammy mailer?

# X-Mailer: WhatCounts - seems spammy.
header LOCAL_WHATCOUNTS X-Mailer =~ /WhatCounts/
describe LOCAL_WHATCOUNTS Spammy mailer (WhatCounts)
score LOCAL_WHATCOUNTS 3.0

Sex

Often slipped into spammy email; presumably serious email (well, for a business at least) won’t contain such stuff. Note the score: 5.0 is also SpamAssassin’s default required_score, so this one rule on its own pushes a message over the spam threshold, and legitimate mail that happens to use the word (an HR form with a “Sex:” field, say) will be tagged as spam on the strength of it alone.

body LOCAL_SEX /\b(sex)\b/i
describe LOCAL_SEX Email contains the word sex.
score LOCAL_SEX 5.0

PHP Eval’ed code

I saw quite a few spammy emails which contained a specific header, so this penalises such mail. It’s crude. (PHP adds X-PHP-Originating-Script when mail.add_x_header is enabled, naming the script that called mail(); “eval()'d code” is the pseudo-filename PHP uses for code run through eval(), which is what injected mailer scripts on compromised web servers tend to look like.)

# Saw email headers like : X-PHP-Originating-Script: 10000:sendme.php(3) : eval()'d code
header PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/i
describe PHP_EVAL Eval()'ed PHP code as source
score PHP_EVAL 8.0
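To see how these three rules behave before putting them live, here is an added Python example (not part of the post and not SpamAssassin’s own code) that reads the header/body/describe/score subset of the .cf syntax above and scores constructed messages against it with SpamAssassin’s default required_score of 5.0. The body rendering is a rough stand-in for SpamAssassin’s (tags stripped, whitespace collapsed) and the messages are made up; it shows the false positive the LOCAL_SEX score invites and that the \b anchors keep “Sussex” and “Essex” out.

```python
import re
from email import message_from_string

# Constructed rules file using the same syntax as the local_rules.cf entries above.
RULES_CF = r"""
header LOCAL_WHATCOUNTS X-Mailer =~ /WhatCounts/
describe LOCAL_WHATCOUNTS Spammy mailer (WhatCounts)
score LOCAL_WHATCOUNTS 3.0
body LOCAL_SEX /\b(sex)\b/i
describe LOCAL_SEX Email contains the word sex.
score LOCAL_SEX 5.0
header PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/i
describe PHP_EVAL Eval()'ed PHP code as source
score PHP_EVAL 8.0
"""

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# "header NAME Header-Name =~ /regex/flags"  or  "body NAME /regex/flags"
RULE_RE = re.compile(r"^(header|body)\s+(\S+)\s+(?:(\S+)\s+=~\s+)?/(.*)/([a-z]*)$")


def parse_rules(text):
    """Parse the header/body/describe/score subset of SpamAssassin's .cf syntax."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("describe "):
            continue
        if line.startswith("score "):
            _, name, value = line.split()
            scores[name] = float(value)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule line: " + line)
        kind, name, header, pattern, flags = m.groups()
        # The Perl constructs used here (\b, groups, \(, \', /i) mean the same in Python's re.
        patterns[name] = (kind, header, re.compile(pattern, re.I if "i" in flags else 0))
    # A rule without a score line is worth 1.0 in SpamAssassin.
    return [(name, kind, header, rx, scores.get(name, 1.0))
            for name, (kind, header, rx) in patterns.items()]


def body_text(msg):
    """Rough stand-in for SpamAssassin's rendered body: text parts, tags stripped, spaces collapsed."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)
        chunks.append(text)
    return re.sub(r"\s+", " ", " ".join(chunks))


def evaluate(raw_message, rules, required=REQUIRED_SCORE):
    """Return (total, {rule: score}, is_spam) for one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    hits = {}
    for name, kind, header, rx, score in rules:
        # SpamAssassin runs a header rule over every instance of the named header.
        target = "\n".join(msg.get_all(header, [])) if kind == "header" else body
        if rx.search(target):
            hits[name] = score
    total = round(sum(hits.values()), 3)
    return total, hits, total >= required


# Constructed test messages.
SPAM = """\
From: promo@example.org
To: victim@example.com
Subject: special offer
X-Mailer: WhatCounts 3.1
X-PHP-Originating-Script: 10000:sendme.php(3) : eval()'d code
Content-Type: text/plain; charset=utf-8

Hot sex pills, cheap!
"""
HR_FORM = """\
From: hr@example.com
To: staff@example.com
Subject: census form

Please fill in: Name, Date of birth, Sex (M/F), Department.
"""
PLACE_NAMES = """\
From: friend@example.net
To: me@example.com
Subject: weekend

Driving through Sussex and Essex on Saturday, want to come?
"""

if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    for label, raw in (("spam", SPAM), ("hr form", HR_FORM), ("place names", PLACE_NAMES)):
        print(label, evaluate(raw, rules))
```

The HR form scores exactly 5.0 from LOCAL_SEX alone and is classed as spam, which is the argument for scoring crude word rules below required_score and letting them add up with other signals.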

SpamAssassin – decode short urls

https://github.com/smfreegard/DecodeShortURLs is a useful plugin to install. It decodes shortened URLs so the real destination can be scored and looked up in URIBLs/RBLs instead of the shortener’s domain (which is never going to be listed).

i.e. expanding http://t.co/BLAH to http://blahblah.server.com/something/blah.html
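The expansion step itself, as an added example that is not the plugin’s code: follow the shortener’s redirects one hop at a time, keep every host in the chain for blocklist lookup (an intermediate hop can be the listed one), and stop on loops, non-HTTP targets or too many hops, since a shortener can point anywhere at all. The redirect table, the sho.example domain and the blocklist are constructed so the code runs offline; http_location shows how the real single HEAD request would be made but is not exercised here.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for the shortener's HTTP responses (no network).
REDIRECTS = {
    "http://t.co/BLAH": "http://blahblah.server.com/something/blah.html",
    "http://sho.example/a": "http://sho.example/b",     # a -> b -> a: a loop
    "http://sho.example/b": "http://sho.example/a",
    "http://sho.example/ftp": "ftp://files.example/x",  # redirects out of HTTP
}
for i in range(10):                                     # /hop0 -> /hop1 -> ... past the cap
    REDIRECTS[f"http://sho.example/hop{i}"] = f"http://sho.example/hop{i + 1}"

# Constructed blocklist standing in for a URIBL/RBL lookup.
BLOCKLIST = {"blahblah.server.com"}


def table_location(url):
    """Fetcher backed by the constructed table: the Location header, or None if no redirect."""
    return REDIRECTS.get(url)


def http_location(url, timeout=5):
    """Real fetcher: one HEAD request with redirects disabled (needs network; not used below)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make the redirect surface as an HTTPError instead of being followed
    try:
        urllib.request.build_opener(NoRedirect).open(
            urllib.request.Request(url, method="HEAD"), timeout=timeout)
    except urllib.error.HTTPError as e:
        if e.code in (301, 302, 303, 307, 308):
            return e.headers.get("Location")
    return None


def expand_short_url(url, fetch_location=table_location, max_hops=5):
    """Follow redirects one hop at a time.

    Returns (final_url, chain, reason); chain holds every URL visited so each
    host can be looked up, not just the last one.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return chain[-1], chain, "non-http"
        location = fetch_location(chain[-1])
        if location is None:
            return chain[-1], chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
    return chain[-1], chain, "too-many-hops"


def listed_hosts(chain, blocklist=BLOCKLIST):
    """Hosts anywhere in the redirect chain that appear on the blocklist."""
    return sorted({urlsplit(u).hostname for u in chain if urlsplit(u).hostname in blocklist})


if __name__ == "__main__":
    for start in ("http://t.co/BLAH", "http://sho.example/a", "http://sho.example/ftp", "http://sho.example/hop0"):
        final, chain, reason = expand_short_url(start)
        print(f"{start} -> {final} [{reason}] listed={listed_hosts(chain)}")
```

Swap `fetch_location=http_location` in to resolve real links; keep the hop cap and the timeout, because a mail filter that follows redirects is making outbound requests on behalf of whatever a spammer chose to put in the message.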
