SpamAssassin
Some random bits and pieces related to SpamAssassin and Amavis
I’ve been looking for additional rulesets to add to SpamAssassin but haven’t found many – the SARE project appears offline (for example). Eventually I found the SOUGHT SpamAssassin ruleset, which despite its age (published in 2007) seems to still be maintained.
See http://taint.org/2007/08/15/004348a.html
To enable this on Debian Wheezy, I added a cron job (/etc/cron.d/sa-update-sought) like :
10 */3 * * * debian-spamd /usr/local/sbin/sa-update-sought
And then created /usr/local/sbin/sa-update-sought which looks a bit like :
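#!/bin/bash
# Re-run as debian-spamd (UID 119 on this box) if started by anyone else.
if [ "$UID" != 119 ]; then
    su - debian-spamd -c "/usr/local/sbin/sa-update-sought"
    exit 0
fi
# See http://taint.org/2007/08/15/004348a.html
# Fetch the SOUGHT channel (verified against GPG key 6C6191E3) and the stock rules.
/usr/bin/sa-update -v --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org
# so wow, so speed.
/usr/bin/sa-compile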
(Don’t forget to chmod 755 the script, and perhaps run it once with ‘set -x’ and/or ‘set -e’ added to it)
Amavis – deal with duplicate headers
Firstly, Amavis was complaining about duplicated headers for some emails. Typically this would be something useless like MIME-Version, which I don’t care about. So to stop Amavis moaning about duplicated headers, add this to your config under /etc/amavis/conf.d/50-user (on Debian):
$allowed_header_tests{'multiple'} = 0;
Amavis – log SpamAssassin rulesets and generally more
The default Amavis log file will look something like :
Mar 23 06:48:18 my.server /usr/sbin/amavisd-new[13368]: (13368-03) Passed CLEAN {RelayedInbound}, [client.ip.addr]:37490 [client.ip.addr] -> <someone@local>, Queue-ID: 3FDEC181A06, Message-ID: <c72c5e1d26a048c0af4be75044e1e80e@bazarchic-invitations.com> , mail_id: d-dsS6ecM4vR, Hits: -9.49, size: 34124, queued_as: 80D4118089F, dkim_sd=20132014:bazarchic-invitations.com, 3203 ms
Which isn’t all that useful – especially if you need to know WHY it did (or didn’t) score against SpamAssassin (i.e. WHY was it -9.49).
So, to make Amavis more verbose in logging, so you can see which SpamAssassin tests triggered etc., add this to /etc/amavis/conf.d/50-user (Debian):
$log_templ = $log_verbose_templ;
Now you’ll see something more like :
Mar 28 14:33:49 my.server /usr/sbin/amavisd-new[9149]: (09149-05) Passed SPAMMY {RelayedTaggedInbound}, [client.ip.addr]:62696 [client.ip.addr] <some.user@whatever> -> <someone@else.example.com>, Queue-ID: EF4F4180E71, Message-ID: <C46A064E2A2B52469C092EE761AD74602BFCCC@xxxxxx-Exch.xxxxxxx.xxxx>, mail_id: dzG4JS_4jH29, Hits: 6.314, size: 46717, queued_as: BBEB71819B4, Subject: "hello world this is a subject", From: Test_Person_<test@my.domain>, helo=whatever.server, Tests: [HTML_MESSAGE=0.001,LOCAL_SEX=5,URI_HEX=1.313], shortcircuit=no, autolearn=disabled, autolearnscore=6.314, asn=AS57307_188.227.240.0/21, 4714 ms
Now you can clearly see why it scored 6.314, without needing to find the mail and read its headers.
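With the verbose template on, the Tests: field can be tallied across the log to see which rules actually carry the scores. The following is an added example, not part of the original post; the sample lines are constructed (the first is the verbose entry above with fields trimmed) and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: line 0 is the verbose entry shown above with some fields
# trimmed, line 1 is invented, line 2 is the default (non-verbose) format.
SAMPLE_LOG = [
    'Mar 28 14:33:49 my.server /usr/sbin/amavisd-new[9149]: (09149-05) Passed SPAMMY {RelayedTaggedInbound}, mail_id: dzG4JS_4jH29, Hits: 6.314, size: 46717, Subject: "hello world this is a subject", Tests: [HTML_MESSAGE=0.001,LOCAL_SEX=5,URI_HEX=1.313], shortcircuit=no, 4714 ms',
    'Mar 28 14:40:02 my.server /usr/sbin/amavisd-new[9150]: (09150-01) Blocked SPAM {DiscardedInbound}, mail_id: CONSTRUCTED01, Hits: 11.001, size: 2100, Subject: "Tests: [FAKE=-100]", Tests: [HTML_MESSAGE=0.001,LOCAL_WHATCOUNTS=3,PHP_EVAL=8], 1200 ms',
    'Mar 23 06:48:18 my.server /usr/sbin/amavisd-new[13368]: (13368-03) Passed CLEAN {RelayedInbound}, mail_id: d-dsS6ecM4vR, Hits: -9.49, size: 34124, 3203 ms',
]

HEAD_RE = re.compile(r"\) (Passed|Blocked) ([A-Z-]+) .*?, Hits: ([^,]+),")
# Subject and From are sender-supplied and are logged before Tests, so the
# greedy ".*" makes the last "Tests: [...]" in the line the one that is parsed.
TESTS_RE = re.compile(r".*Tests: \[([^\]]*)\]")


def parse_line(line):
    """Return action, verdict, hits and per-rule scores; None if not verbose."""
    head, tests = HEAD_RE.search(line), TESTS_RE.search(line)
    if not head or not tests:
        return None
    scores = {}
    for item in filter(None, tests.group(1).split(",")):
        name, _, value = item.partition("=")
        scores[name] = float(value or 0)
    try:
        hits = float(head.group(3))
    except ValueError:  # non-numeric Hits field
        hits = None
    return {"action": head.group(1), "verdict": head.group(2),
            "hits": hits, "tests": scores}


def rule_stats(lines):
    """Map rule name -> (times fired, total score contributed)."""
    fired, total = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        for name, score in rec["tests"].items():
            fired[name] += 1
            total[name] += score
    return {name: (fired[name], round(total[name], 3)) for name in fired}


if __name__ == "__main__":
    stats = rule_stats(SAMPLE_LOG)
    for name, (count, score) in sorted(stats.items(), key=lambda kv: -kv[1][1]):
        print(f"{name:20} fired {count}x, contributed {score:+.3f}")
```

Lines written with the default template have no Tests: field and are skipped, so only mail logged after the $log_templ change is counted.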
SpamAssassin – some random rules
Add these to a file in /etc/spamassassin named something like ‘local_rules.cf’
WhatCounts – spammy mailer?
# X-Mailer: WhatCounts - seems spammy.
header LOCAL_WHATCOUNTS X-Mailer =~ /WhatCounts/
describe LOCAL_WHATCOUNTS Spammy mailer (WhatCounts)
score LOCAL_WHATCOUNTS 3.0
Sex
Often slipped into spammy email; presumably serious email (well, for a business at least) won’t contain such stuff.
body LOCAL_SEX /\b(sex)\b/i
describe LOCAL_SEX Email contains the word sex.
score LOCAL_SEX 5.0
PHP Eval’ed code
I saw quite a few spammy emails which contained a specific header – so this penalises such mail. It’s crude.
# Saw email headers like : X-PHP-Originating-Script: 10000:sendme.php(3) : eval()'d code
header PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/i
describe PHP_EVAL Eval()'ed PHP code as source
score PHP_EVAL 8.0
SpamAssassin – decode short urls
https://github.com/smfreegard/DecodeShortURLs is a useful plugin to install – allowing you to decode shortened URLs – and hopefully then score/find them in RBLs etc.
i.e. expanding http://t.co/BLAH to http://blahblah.server.com/something/blah.html