Posts Tagged spam

Scan Spam for Legitimate Mail

Posted by Filed Under Spam Control with Comments Off

Checking for Legitimate Mail in the Spam Folder
One of the major issues for a mail administrator is determining whether legitimate mail was sent to the spam folder.  One way to verify that is to scan the spam contents for terms that legitimate mail would contain.  The first problem you will run into is that the spam may be compressed, so you will need to uncompress it before you scan.  DO NOT access anything in the spam folder with root access.  Move the spam to a different location and perform all tasks as an unprivileged user.

spam-9B6i8B9rD+id.gz  spam-EeFAaMeaMx1G.gz  spam-ihuIgFpirfUo.gz  spam-NXXzcRNixkii.gz  spam-tf65NhbFJcEu.gz  spam-ZmogC5vZyJlk.gz
spam-9EfOeKyIb6sf.gz  spam-eip3gM+DilfI.gz  spam-IQpbO2KMp8l5.gz  spam-ObJ1xedNLU26.gz  spam-TfpV+yyYsjAB.gz  spam-ZmteJrzYUCBY.gz
spam-9GHo7x7DmOW6.gz  spam-ekJaDB7htlKH.gz  spam-IRC5D5UIEjMk.gz  spam-ocKT1ji46idY.gz  spam-Tg8mub5yGGwn.gz  spam-Zpi4JatgssEL.gz
spam-9HX9P6ajL6Gq.gz  spam-el1WVuh47t9B.gz  spam-IUEwPi8iYgfJ.gz  spam-ODyC3cxIVbZx.gz  spam-Th0SgW4269qG.gz  spam-zQcDemaSYlRj

The spam can all be uncompressed with this command:

gunzip spam*

spam-8AbERQ2zlWnW  spam-CVTlacjyZDm8  spam-gVVz+mQE3IUP  spam-LizqVOW-U8cS  spam-Qk2jzhSjXnQh  spam-TQVW1CzGrPT8  spam-ZmogC5vZyJlk
spam-8BVfclh+5uVl  spam-CxYWRK3g4kwg  spam-G-wjm7cpVWs3  spam-lJwHwY48bCzL  spam-qLWKQzvEFWwp  spam-tSY7hIK5O5Sc  spam-ZmteJrzYUCBY
spam-8EvgnhDx-VNk  spam-cxZbQ8Uw88q6  spam-gWqLRYA3QxAN  spam-loZE8MzZ0SVZ  spam-qM+-EWOF95aP  spam-Tui6Dq-2vnc7  spam-Zpi4JatgssEL
spam-8vINTJLzfwlB  spam-d2eRqmy-4pRL  spam-H1qp0lVdM8dK  spam-LqmKtErj2CvA  spam-qowVrXuhXp-5  spam-TyH60Cn1kMZw  spam-zQcDemaSYlRj
spam-8VZvPZ2aJlAi  spam-DIzzAzS7BXIa  spam-h2fuyznd3PTC  spam-lQmRHTcThADD  spam-Qqq5tl2Stsqe  spam-TyvpEZteK5nw

Now scan for text strings that may indicate legitimate mail.  The example below shows mail that you do not want and that was correctly placed in the spam folder.

grep betting *
spam-2AEQl8mQ9rag:X-Envelope-From: <Bake.Pops.Treats@onlinesportbettingsystemsreviews.com>
spam-2AEQl8mQ9rag:      header.i=@onlinesportbettingsystemsreviews.com
spam-2AEQl8mQ9rag:      header.from=Bake.Pops.Treats@onlinesportbettingsystemsreviews.com
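The scan described above as a script, an added example that is not code from the original post: it reads a copy of the quarantine, handles the .gz files without a separate gunzip step, searches headers and text bodies for the given terms, and refuses to run as root. The file names and messages in demo() are constructed.

```python
"""Scan a copy of the amavisd spam quarantine for mail that may be legitimate.

Added example, not code from the original post. It reads every file in a
directory to which the quarantine has been copied, transparently handles the
.gz files amavisd writes, and reports messages whose From, Subject or text
body contains one of the search terms. Run it as an unprivileged user on a
copy of the quarantine, never as root on /var/virusmails itself.
"""
import gzip
import os
import sys
import tempfile
from email import message_from_bytes, policy
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"


def read_message(path):
    """Return the raw RFC 5322 bytes, decompressing gzip quarantine files."""
    with open(path, "rb") as fh:
        compressed = fh.read(2) == GZIP_MAGIC
    if compressed:
        with gzip.open(path, "rb") as fh:
            return fh.read()
    return Path(path).read_bytes()


def text_of(raw):
    """Collect the headers of interest plus every text/* body part."""
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = [str(msg.get(name, "")) for name in ("From", "Subject", "X-Envelope-From")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except (LookupError, UnicodeDecodeError):
            # unknown or bogus charset: fall back to a lossless 1:1 decode
            chunks.append((part.get_payload(decode=True) or b"").decode("latin-1"))
    return "\n".join(chunks)


def scan_message(raw, terms):
    """Return the search terms (case-insensitive) found in one message."""
    haystack = text_of(raw).lower()
    return sorted(t for t in terms if t.lower() in haystack)


def scan_quarantine(directory, terms):
    """Return {filename: [matched terms]} for every quarantine file that hits."""
    hits = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        found = scan_message(read_message(path), terms)
        if found:
            hits[path.name] = found
    return hits


def require_unprivileged():
    """The post's rule: never touch quarantined mail as root."""
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        sys.exit("refusing to run as root; copy the quarantine and rerun as a normal user")


def demo():
    """Build a constructed two-message quarantine copy in a temp dir and scan it."""
    invoice = (b"From: accounts@example.com\r\nSubject: Invoice 1234 attached\r\n"
               b"Content-Type: text/plain\r\n\r\nPlease find the invoice for March.\r\n")
    betting = (b"From: Bake.Pops.Treats@onlinesportbettingsystemsreviews.com\r\n"
               b"Subject: SALE 89% OFF\r\nContent-Type: text/html\r\n\r\n"
               b"<p>online betting systems</p>\r\n")
    with tempfile.TemporaryDirectory() as tmp:
        with gzip.open(Path(tmp) / "spam-AAAA0000.gz", "wb") as fh:
            fh.write(invoice)                    # quarantine files are usually gzipped
        (Path(tmp) / "spam-BBBB1111").write_bytes(betting)   # one already gunzipped
        return scan_quarantine(tmp, ["invoice", "betting"])


if __name__ == "__main__":
    require_unprivileged()
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} QUARANTINE_COPY_DIR TERM [TERM ...]")
    for name, found in scan_quarantine(sys.argv[1], sys.argv[2:]).items():
        print(f"{name}: {', '.join(found)}")
```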

Using Amavisd and Spamassassin to Block Spam


There will be times when you have your Postfix mail server set up and Spam is under control, and all of a sudden a new wave of Spam hits your site.  This article shows how a few small adjustments can cut down on new waves of Spam.  Here is an example of the new wave of Spam I started getting, followed by the steps I used to eliminate it.

Prospector specializes in delivering results for brokers, lenders as well as mortgage products and services
companies nationwide. If you need to jump-start your company’s sales or originations, we can help.

We understand the industry from the inside out and are the only B2B marketer that can GUARANTEE results
with every campaign. An industry leader for almost a decade, Prospector has the largest active network of loan
producers in the nation who are actively seeking help with their businesses.

We specialize in the following areas;

*    FHA, Commercial, Hard Money, Reverse, Conventional Programs
*    Loan Modification Networks and Affiliates
*    MTG Training and Education
*    Lead Generators
*    Loan Processing and Compliance

Step #1: Check Your Logs

When you check your logs you are looking for several things.  One important thing is the score Spamassassin gave this particular email: you can see the Hits at 6.353.  Because my set up uses Amavisd-new, the hit levels and what happens at each level are set in the /etc/amavisd.conf file.  The other thing I pick up from the logs is the IP address of the mail server that is sending the Spam.

Aug 14 12:23:48 ns amavis[30026]: (30026-11) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <20090814122346.F1ABF27DF53440BF@hyperbiz1.com>, mail_id: OhHzJmCU7qmf, Hits: 6.353, size: 2637, queued_as: A710E207B83, 5129 ms
Aug 14 12:23:54 ns postfix/smtpd[7279]: < unknown[64.235.53.98]: EHLO hyperbiz1.com
Aug 14 12:23:54 ns postfix/smtpd[7279]: < unknown[64.235.53.98]: MAIL FROM:<noreply@hyperbiz1.com>
Aug 14 12:23:54 ns postfix/smtpd[7279]: extract_addr: input: <noreply@hyperbiz1.

Step #2: Drop Hit Levels

Here are the hit levels from the amavisd.conf file.  You can see that the hit level above was 6.3 and the trigger to block the email is at 6.8.  An easy solution when you start seeing new Spam is to slowly reduce the hit level.  So what I did was reduce the 6.8 down to 6.0 and then reduce the “spam detected” level from 6.2 to 5.8.  This is a small adjustment but it made a big difference.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.8;  # triggers spam evasive actions (e.g. blocks mail)

Be sure to reload amavisd when you are done making changes.  Remember, amavisd is what controls Spamassassin in this set up.
./amavisd reload
Daemon [28054] terminated by SIGTERM, waiting for dust to settle...
becoming a new daemon...

Now one question you may ask is why not write a header check or some other regular expression check.  The answer is that the last thing you want to do is write a lot of special rules.  Try to control Spam using general principles that reduce Spam overall, because if one wave of Spam is getting through, another is on the way from someone else.
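To check what Step #2 does before reloading amavisd, here is an added example (not code from the original post) that parses amavisd "Passed/Blocked" log lines like the one in Step #1 and classifies each message under the old and the new levels. The first log line is the post's; the other two are constructed.

```python
"""Work out what a change to the amavisd tag/tag2/kill levels would do.

Added example, not code from the original post. It parses amavisd-new
"Passed/Blocked" log lines like the one in Step #1, pulls out the source IP,
sender and Spamassassin Hits, and classifies each message under the old and
the new levels from Step #2, so the effect of the change can be checked
against real log data before reloading amavisd.
"""
import re
from dataclasses import dataclass

# First line is the post's own log entry; the other two are constructed samples.
SAMPLE_LOG = """\
Aug 14 12:23:48 ns amavis[30026]: (30026-11) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <20090814122346.F1ABF27DF53440BF@hyperbiz1.com>, mail_id: OhHzJmCU7qmf, Hits: 6.353, size: 2637, queued_as: A710E207B83, 5129 ms
Aug 14 12:31:02 ns amavis[30026]: (30026-12) Passed CLEAN, [192.0.2.10] [192.0.2.10] <alice@example.net> -> <person@example.com>, Message-ID: <a1@example.net>, mail_id: ConstructedA, Hits: 1.2, size: 1800, queued_as: B000000001, 900 ms
Aug 14 12:35:41 ns amavis[30026]: (30026-13) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <b2@hyperbiz1.com>, mail_id: ConstructedB, Hits: 5.9, size: 2601, queued_as: B000000002, 1100 ms
"""

LOG_RE = re.compile(
    r"amavis\[\d+\]: \([\d-]+\) (?P<action>Passed|Blocked) (?P<ccat>[A-Z-]+),"
    r" \[(?P<ip>[^\]]+)\].*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?Hits: (?P<hits>-?\d+(?:\.\d+)?)"
)


@dataclass(frozen=True)
class Levels:
    """The three $sa_*_level_deflt settings from amavisd.conf."""
    tag: float
    tag2: float
    kill: float


OLD = Levels(tag=2.0, tag2=6.2, kill=6.8)   # before Step #2
NEW = Levels(tag=2.0, tag2=5.8, kill=6.0)   # after Step #2


def parse_line(line):
    """Return the fields of one amavisd log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = float(rec["hits"])
    return rec


def classify(hits, levels):
    """Highest level the score reaches: 'kill' > 'tag2' > 'tag' > 'clean'."""
    if hits >= levels.kill:
        return "kill"
    if hits >= levels.tag2:
        return "tag2"
    if hits >= levels.tag:
        return "tag"
    return "clean"


def compare(log_text, old=OLD, new=NEW):
    """List (ip, sender, hits, verdict_old, verdict_new) for each parsed line."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            rows.append((rec["ip"], rec["sender"], rec["hits"],
                         classify(rec["hits"], old), classify(rec["hits"], new)))
    return rows


def newly_blocked_by_ip(log_text, old=OLD, new=NEW):
    """Count, per sending IP, messages that pass today but would be blocked."""
    counts = {}
    for ip, _sender, _hits, before, after in compare(log_text, old, new):
        if before != "kill" and after == "kill":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for row in compare(SAMPLE_LOG):
        print("%-15s %-28s hits=%6.3f  old=%-5s new=%s" % row)
    print("newly blocked per IP:", newly_blocked_by_ip(SAMPLE_LOG))
```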

Quarantine Spam with Amavisd


Amavisd-new acts as the connecting point between Spamassassin, Clamav and Postfix.  This is important to remember because much of the configuration that would seem to belong to Spamassassin directly actually occurs in the amavisd-new configuration file.

When amavisd detects spam using Spamassassin it logs it to the log file, and it can also perform several other actions.  One is to send the message to a quarantine.  The quarantine is wherever you configured it, but typically it will be /var/virusmails.  Here is a sample of the spam messages that get collected there.

spam-bKry7jNBnpNH.gz
spam-FHXfz6-3XiuU.gz
spam-JGlrlfOV5Nwg.gz

The quarantine directory is set in /etc/amavisd.conf

$QUARANTINEDIR = '/var/virusmails';  # -Q

You can see from above that when mail is placed in the quarantine directory it is tagged and compressed.  So to view it, run gunzip -d and then review the email.

This example shows Spamassassin tagged this email with a score of 17.454.  It also shows that the email was delivered to the spam-quarantine.  Notice that the X-Spam-Status header shows you exactly why it was tagged with such a high score.

# gunzip -d /home/spam-FY4ONy4piwUl.gz
# cat /home/spam-FY4ONy4piwUl
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <boldindianwife@rediffmail.com>
X-Envelope-To: <user@example.com>
X-Quarantine-ID: <FY4ONy4piwUl>
X-Spam-Flag: YES
X-Spam-Score: 17.454
X-Spam-Level: *****************
X-Spam-Status: Yes, score=17.454 tag=2 tag2=6.2 kill=6.9
    tests=[DNS_FROM_RFC_ABUSE=0.479, DNS_FROM_RFC_WHOIS=0.879,
    HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.512, MIME_HTML_ONLY=0.001,
    SUBJ_ALL_CAPS=1.166, URIBL_AB_SURBL=3.306, URIBL_JP_SURBL=3.36,
    URIBL_OB_SURBL=2.617, URIBL_SC_SURBL=3.6, URIBL_WS_SURBL=1.533]
Received: from ns.example.com([127.0.0.1])
    by localhost (ns.example.com[127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id FY4ONy4piwUl for <user@example.com>;
    Tue, 23 Sep 2008 01:18:23 -0700 (PDT)
Received: from cardservice22.fiberop.matgnet.com (unknown [82.117.207.22])
    by ns.example.com(Postfix) with SMTP id 08584207D90
    for <user@example.com>; Tue, 23 Sep 2008 01:18:21 -0700 (PDT)
Message-Id: <20080923114546.8474.qmail@cardservice22.fiberop.matgnet.com>
To: <user@example.com>
Subject: RE: SALE 89% OFF
From: VIAGRA INC <user@example.com>
MIME-Version: 1.0
Content-Type: text/html
Date: Tue, 23 Sep 2008 01:18:21 -0700 (PDT)

Here are the settings for Spamassassin found in /etc/amavisd.conf.  You can see that with a score of 6.9 or more an email is sent to the quarantine and blocked from the user.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)

$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

Delivery Status Notification (DSN) Messages
A Delivery Status Notification is the message sent back to a sender when their OUTBOUND email could not be delivered.  You can see that at or above level 10 no such notification is sent back to the sender.

# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off

If users are complaining about mail marked as Spam in their mailboxes, you can lower the numbers.  For example, if users are getting email that is marked as Spam with a score of 5, you could change to this configuration to put those emails in quarantine instead of the user’s mailbox.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.8;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0;  # triggers spam evasive actions (e.g. blocks mail)

Of course, any time you adjust these you need to verify that you are not losing mail that is not Spam; if you are, it should be in your quarantine.
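An added example (not code from the original post) that reads the X-Spam-Status header shown above: it checks that the listed tests add up to the reported score, says which of tag/tag2/kill the message reached, ranks the tests by points, and tries the tighter levels from the last configuration against a score of 5. The sample header is the post's, with its continuation lines indented as they are in the real file.

```python
"""Explain an X-Spam-Status header from a quarantined message.

Added example, not code from the original post. It parses the folded
X-Spam-Status header that amavisd-new writes, checks that the listed tests
add up to the reported score, tells you which level (tag, tag2 or kill) the
message reached, and ranks the tests by the points they contributed. The
sample is the post's own header with its continuation lines indented again
as they are in the real file.
"""
import re
from email import message_from_string

SAMPLE_HEADERS = """\
X-Spam-Flag: YES
X-Spam-Score: 17.454
X-Spam-Status: Yes, score=17.454 tag=2 tag2=6.2 kill=6.9
  tests=[DNS_FROM_RFC_ABUSE=0.479, DNS_FROM_RFC_WHOIS=0.879,
  HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.512, MIME_HTML_ONLY=0.001,
  SUBJ_ALL_CAPS=1.166, URIBL_AB_SURBL=3.306, URIBL_JP_SURBL=3.36,
  URIBL_OB_SURBL=2.617, URIBL_SC_SURBL=3.6, URIBL_WS_SURBL=1.533]
Subject: RE: SALE 89% OFF

"""

# The tighter levels the post suggests when spam scoring around 5 reaches users
TIGHTER_LEVELS = {"tag": 2.0, "tag2": 4.8, "kill": 5.0}

LEVEL_RE = re.compile(r"\b(score|tag|tag2|kill)=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"tests=\[(.*?)\]")
TEST_RE = re.compile(r"([A-Za-z0-9_]+)=(-?\d+(?:\.\d+)?)")


def parse_spam_status(raw_headers):
    """Return flag, score, tag/tag2/kill and {test: points} from the header."""
    msg = message_from_string(raw_headers)
    status = msg.get("X-Spam-Status")
    if status is None:
        raise ValueError("no X-Spam-Status header")
    status = " ".join(status.split())          # unfold the continuation lines
    info = {"flag": status.split(",", 1)[0].strip()}
    info.update((k, float(v)) for k, v in LEVEL_RE.findall(status))
    m = TESTS_RE.search(status)
    info["tests"] = {n: float(p) for n, p in TEST_RE.findall(m.group(1))} if m else {}
    return info


def level_reached(score, levels):
    """Highest amavisd level the score reaches; 'clean' if below tag."""
    for name in ("kill", "tag2", "tag"):
        if score >= levels[name]:
            return name
    return "clean"


def explain(raw_headers):
    """Summarise why the message got its score and what amavisd did with it."""
    info = parse_spam_status(raw_headers)
    tests = info["tests"]
    total = round(sum(tests.values()), 3)
    ranked = sorted(tests.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "score": info["score"],
        "sum_of_tests": total,
        "consistent": abs(total - info["score"]) < 0.0005,
        "level": level_reached(info["score"], info),
        "top_tests": ranked[:3],
        # the URIBL_* hits are the URL blacklists, usually the bulk of the score
        "uribl_points": round(sum(p for t, p in tests.items() if t.startswith("URIBL_")), 3),
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
    print("score 5 under tighter levels:", level_reached(5.0, TIGHTER_LEVELS))
```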

Blackholes for Spam – Finding a Balance


Having tried a number of RBLs, you will find that some are going out of existence, and some are either too aggressive or do not cover all of the areas you need protection in.  Here is a list that makes a good combination of protection without getting too crazy.  Be sure to try one at a time so you can determine if one is not right for you.  Use at your own risk: you could lose email.

zen.spamhaus.org
This list contains three separate lists.
“The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.”

bl.spamcop.net

SpamCop Block List
This list contains IP addresses which have sent Spam as reported by users themselves.  This has the advantage of a list that is finely tuned and very up to date, as users respond by adding IPs to this list.  However, it is an aggressive list, as they state.

“The SCBL is aggressive and often errs on the side of blocking mail.”

The other disadvantage is that any user can add an IP to the list thus creating a serious problem for an organization whether it is justified or not.  Your enemies or competitors could use this list against you.

cbl.abuseat.org
The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) and dedicated Spam BOTs which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.

dnsbl-1.uceprotect.net

This list is unique in that it returns only spammers listed within the last 7 days.

Set Up Virus and Spam Scanning on Ubuntu 8.10

Posted by Filed Under Virus Control with Comments Off

Install of Amavisd-New on Ubuntu 8.10

One of the most frustrating problems with setting up any mail server is the configuration required for anti-virus protection and Spam checking.  Amavisd-new provides an excellent tool to help set that up.  This is a step-by-step process for giving your mail server, Ubuntu 8.10 in this example, the ability to scan all incoming mail for viruses and Spam.

apt-get install amavisd-new

Starting Amavisd-New
To get amavisd-new running, execute the command below to start it in debug mode so you can see what it is doing.  One thing you will notice is that by default no virus scanner is attached and scanning for Spam is disabled.  The points to note here are the modules it is using, the ports, and the general look and feel of the program.

/etc/init.d/amavis debug
Trying to run amavisd-new in debug mode...

Jan  9 12:46:47.927 nag.example.com /usr/sbin/amavisd-new[4384]: starting.  /usr/sbin/amavisd-new at nag.example.com amavisd-new-2.6.1 (20080629), Unicode aware, LANG="en_US.UTF-8"
Jan  9 12:46:47.928 nag.example.com /usr/sbin/amavisd-new[4384]: user=, EUID: 112 (112);  group=, EGID: 123 123 (123 123)
Jan  9 12:46:47.928 nag.example.com /usr/sbin/amavisd-new[4384]: Perl version               5.010000
Jan  9 12:46:47.980 nag.example.com /usr/sbin/amavisd-new[4384]: INFO: no optional modules: IO::Socket::INET6
Jan  9 12:46:47.982 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: 2009/01/09-12:46:47 Amavis (type Net::Server::PreForkSimple) starting! pid(4384)
Jan  9 12:46:47.987 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Binding to UNIX socket file /var/lib/amavis/amavisd.sock using SOCK_STREAM
Jan  9 12:46:47.988 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Jan  9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Group Not Defined.  Defaulting to EGID '123 123'
Jan  9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: User Not Defined.  Defaulting to EUID '112'
Jan  9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Setting up serialization via flock
Jan  9 12:46:47.990 nag.example.com /usr/sbin/amavisd-new[4384]: after_chroot_init: EUID: 112 (112);  EGID: 123 123 (123 123)
Jan  9 12:46:47.990 nag.example.com /usr/sbin/amavisd-new[4384]: config files read: /usr/share/amavis/conf.d/10-debian_scripts, /usr/share/amavis/conf.d/20-package, /etc/amavis/conf.d/01-debian, /etc/amavis/conf.d/05-domain_id,  for       .tar  tried: pax
Jan  9 12:46:48.037 nag.example.com /usr/sbin/amavisd-new[4384]: Found decoder for    .tar  at /bin/cpio
Jan  9 12:46:48.038 nag.example.com /usr/sbin/amavisd-new[4384]: Found decoder for    .deb  at /usr/bin/ar
—cut—

Enable Virus Checks and Spam Checks

Verify that clamav is running.

sudo /etc/init.d/clamav-daemon start

Modify this line in /etc/default/spamassassin

ENABLED=1

It is 0 by default, so you must enable Spamassassin before it will run; now start it.

sudo /etc/init.d/spamassassin start

To enable amavisd-new to work with Spamassassin and clamav you need to modify /etc/amavis/conf.d/15-content_filter_mode.  Uncomment the lines as the root user so they look like the example below, then restart amavisd-new in debug mode to view the activity.  You will now see that clamav and Spamassassin are working with amavisd-new.

15-content_filter_mode

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Jan  9 12:54:47.978 nag.example.com /usr/sbin/amavisd-new[4563]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jan  9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: FRISK F-Prot Antivirus
Jan  9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: Trend Micro FileScanner
Jan  9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: drweb – DrWeb Antivirus
Jan  9 12:54:47.980 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: KasperskyLab kavscanner

Jan  9 12:54:48.003 nag.example.com /usr/sbin/amavisd-new[4563]: SpamControl: initializing Mail::SpamAssassin
Jan  9 12:54:48.004 nag.example.com /usr/sbin/amavisd-new[4563]: SpamAssassin debug facilities: info
Jan  9 12:54:49.559 nag.example.com /usr/sbin/amavisd-new[4563]: SpamControl: init_pre_fork on SpamAssassin done

Jan  9 12:54:49.576 nag.example.com /usr/sbin/amavisd-new[4573]: SpamControl: init_child on SpamAssassin done

Finish the Amavisd-New Configuration

Create the necessary user and folders as root.
# useradd vscan

# mkdir /var/vscan
# mkdir /var/vscan/tmp
# mkdir /var/vscan/var
# mkdir /var/vscan/db
# mkdir /var/vscan/home
# chown -R vscan:vscan /var/vscan
# chmod -R 750 /var/vscan

Creating a Reinjection Port
The process described here shows how mail arrives at the server and is handed to the content_filter on port 10024, on to the qmgr and then to amavisd-new, which runs the scanning with both Spamassassin and clamav.  When the scanning is complete you do not want to send the scanned mail back to port 10024, because that would create a loop.  So you need a reinjection port on which mail that has already been scanned is recognized as complete.  The reinjection port used here is port 10025.  This section shows how to set up those two ports and activate Spamassassin and clamav.

Edit main.cf and Add Content Filter

#Amavisd SetUp
content_filter=amavisd-new:[127.0.0.1]:10024

Edit  master.cf and Add Reinjection

amavisd-new  unix  -    -       n       -       2       smtp
    -o smtp_data_done_timeout=1200s
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes

Add clamav to the group amavis

amavis:x:123:clamav

Send an email and watch the system as it runs in debug mode.

sendmail -f mike@example.com tom@example.com </etc/postfix/main.cf
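Before sending the test mail, it is worth checking master.cf for the loop described above. Here is an added example (not code from the original post or from Postfix) that parses master.cf the way Postfix does, finds the 127.0.0.1:10025 listener and the amavisd-new transport named in this post, and reports a missing `content_filter=` override or a mynetworks that reaches beyond loopback; both master.cf fragments are constructed from the post's configuration.

```python
"""Check a Postfix master.cf reinjection listener for the loop the post warns about.

Added example, not code from the original post. It parses master.cf the way
Postfix does (a service line followed by indented "-o" override lines), finds
the listener amavisd-new hands mail back to (127.0.0.1:10025 in the post) and
reports anything that would let scanned mail go round again or let other
hosts use the port. Both master.cf fragments below are constructed from the post.
"""

GOOD_MASTER_CF = """\
# Amavisd SetUp: hand-off to amavisd-new and the reinjection listener
amavisd-new  unix  -    -       n       -       2       smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
"""

# Constructed mistake: content_filter not cleared and the port open to a LAN range.
LOOPING_MASTER_CF = """\
amavisd-new  unix  -    -       n       -       2       smtp
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,192.0.2.0/24
"""


def parse_master_cf(text):
    """Return [{name, type, command, options}] for each service in master.cf."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation: "-o name=value"
            if not services:
                raise ValueError("continuation line before any service")
            line = raw.strip()
            if line.startswith("-o"):
                key, _, value = line[2:].strip().partition("=")
                services[-1]["options"][key] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "options": {}})
    return services


def check_reinjection(text, listener="127.0.0.1:10025", transport="amavisd-new"):
    """Return a list of problems; an empty list means the reinjection path looks sane."""
    problems = []
    by_name = {s["name"]: s for s in parse_master_cf(text)}
    if transport not in by_name or by_name[transport]["command"] != "smtp":
        problems.append(f"no '{transport}' smtp transport to hand mail to amavisd")
    svc = by_name.get(listener)
    if svc is None:
        return problems + [f"no listener on {listener} for mail coming back from amavisd"]
    opts = svc["options"]
    if svc["type"] != "inet" or svc["command"] != "smtpd":
        problems.append(f"{listener} must be an inet smtpd service")
    if opts.get("content_filter") != "":
        problems.append(f"{listener} does not set content_filter= to empty: "
                        "scanned mail would be sent to amavisd again (loop)")
    restr = opts.get("smtpd_recipient_restrictions", "")
    if "permit_mynetworks" not in restr or not restr.rstrip(",").endswith("reject"):
        problems.append(f"{listener} should use smtpd_recipient_restrictions=permit_mynetworks,reject")
    nets = [n.strip() for n in opts.get("mynetworks", "").split(",") if n.strip()]
    if not nets or any(not n.startswith("127.") for n in nets):
        problems.append(f"{listener} mynetworks should contain only loopback, got {nets}")
    return problems


if __name__ == "__main__":
    for label, cf in (("good", GOOD_MASTER_CF), ("looping", LOOPING_MASTER_CF)):
        print(label, "->", check_reinjection(cf) or "OK")
```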

Review File Contents for Amavisd-New
cd /etc/amavis/conf.d

Once you have installed amavisd-new you will find a number of files that make up the configuration for amavisd-new and how it interacts with Spamassassin and clamav.  These files, at least the important parts, are listed here with a brief description.

01-debian
These are the various compression tools amavisd uses to unpack files.  Do not modify.

# SETTINGS RARELY MODIFIED BY THE LOCAL ADMIN

$ENV{PATH} = $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file   = 'file';
$gzip   = 'gzip';
$bzip2  = 'bzip2';
$lzop   = 'lzop';
$rpm2cpio   = ['rpm2cpio.pl','rpm2cpio'];
$cabextract = 'cabextract';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
#$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat']; #disabled (non-free, no security support)
$unfreeze = undef;
$arc        = ['nomarch', 'arc'];
$unarj      = ['arj', 'unarj'];
#$unrar      = ['rar', 'unrar']; #disabled (non-free, no security support)
$unrar  = ['unrar-free'];
$zoo    = 'zoo';
#$lha    = 'lha'; #disabled (non-free, no security support)
$lha    = undef;
$pax    = 'pax';
$cpio   = 'cpio';
$ar     = 'ar';
$ripole = 'ripole';
$dspam  = 'dspam';

1;  # ensure a defined return

05-domain_id
# amavisd-new needs to know which email domains are to be considered local
# to the administrative domain.  Only emails to “local” domains are subject
# to certain functionality, such as the addition of spam tags.
#
# Default local domains to $mydomain and all subdomains.  Remember to
# override or redefine this if $mydomain is changed later in the config
# sequence.

@local_domains_acl = ( ".$mydomain" );

1;  # ensure a defined return

05-node_id
If you have problems with your FQDN you can alter that manually here.

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = `hostname --fqdn`);

15-av_scanners
This file holds the information required for amavisd to locate the virus scanners you may have installed on your box.

15-content_filter_mode
This file turns off by default the ability of amavisd-new to scan for virus activity or check for spam.

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

#@bypass_virus_checks_maps = (
#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

#@bypass_spam_checks_maps = (
#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

21-ubuntu_defaults
There are settings here that you can modify to determine the action your machine should take when it discovers either a virus email or spam.

use strict;

#
# These are Ubuntu specific defaults for amavisd-new configuration
#
# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
$enable_dkim_verification = 1;
# Don't be verbose about sending mail:
@whitelist_sender_acl = qw( .$mydomain );
$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

$warnbannedsender = 1;
$warnbadhsender = 1;
$virus_admin = undef;
$spam_admin = undef;

25-amavis_helpers
Functionality required for amavis helpers like  amavis-release.

30-template_localization
read_l10n_templates('en_US', '/etc/amavis');

40-policy_banks

# DKIM signing domain whitelist. The domain to use is the domain after
# d= in the DKIM header.

@author_to_policy_bank_maps = ( {
# 'friends.example.net'     => 'WHITELIST,NOBANNEDCHECK',
# 'user1@cust.example.net'  => 'WHITELIST,NOBANNEDCHECK',
'.ebay.com'               => 'WHITELIST',
'.ebay.co.uk'             => 'WHITELIST',
'ebay.at'                 => 'WHITELIST',
'ebay.ca'                 => 'WHITELIST',
'ebay.de'                 => 'WHITELIST',
'ebay.fr'                 => 'WHITELIST',
'.paypal.co.uk'           => 'WHITELIST',
'.paypal.com'             => 'WHITELIST',  # author signatures
'./@paypal.com'           => 'WHITELIST',  # 3rd-party sign. by paypal.com
'alert.bankofamerica.com' => 'WHITELIST',
'amazon.com'              => 'WHITELIST',
'cisco.com'               => 'WHITELIST',
'.cnn.com'                => 'WHITELIST',
'skype.net'               => 'WHITELIST',
'welcome.skype.com'       => 'WHITELIST',
'cc.yahoo-inc.com'        => 'WHITELIST',
'cc.yahoo-inc.com/@yahoo-inc.com' => 'WHITELIST',
# 'google.com'              => 'MILD_WHITELIST',
# 'googlemail.com'          => 'MILD_WHITELIST',
# './@googlegroups.com'     => 'MILD_WHITELIST',
# './@yahoogroups.com'      => 'MILD_WHITELIST',
# './@yahoogroups.co.uk'    => 'MILD_WHITELIST',
# './@yahoogroupes.fr'      => 'MILD_WHITELIST',
# 'yousendit.com'           => 'MILD_WHITELIST',
# 'meetup.com'              => 'MILD_WHITELIST',
# 'dailyhoroscope@astrology.com' => 'MILD_WHITELIST',
} );

50-user
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

Stopping Non-English Spam


One way you may choose to manage the mail that comes to the Postfix server is to use the locales feature that is part of Spamassassin.  If you cannot read other languages there is really no need to run them through your mail system.  So, for example, if you wanted to limit email to English you would edit:

/etc/mail/spamassassin/local.cf

ok_locales             en

This will treat any mail in character sets other than Western as spam.  Here are the options that you have:

en   – Western character sets in general
ja   – Japanese character sets
ko   – Korean character sets
ru   – Cyrillic character sets
th   – Thai character sets
zh   – Chinese (both simplified and traditional) character sets
all  – Allow all character sets

This is an easy setting to help clean up mail that you cannot read anyway.

Header Checks: Examples of What Not to Do

Posted by Filed Under Filters with Comments Off

Listed here are a number of header checks that do work but are ineffective for the most part.  Here is the problem.  When you look at these examples, each one searches for a specific Subject.  As a result you will be writing header checks until the day you die, which is not good.  My thinking is that you should discard this methodology in favour of header checks that are more general and throw a wider net over the problem.  There are two reasons for this: first, you have SpamAssassin or some other program to do the actual Spam testing later; second, you need to preserve resources on your Postfix mail server.  Actually the most important aspect of what you are doing is saving yourself money and time by reducing the load on your server.  If you place too many header checks in Postfix you will begin to see a loss of speed and resources.

So review your header checks and make sure you are using each line wisely.

/^Subject: Get Viagra Online Now !!!/                REJECT
/^Subject: ENLARGE YOUR PACAKGE GUARANTEED/            REJECT
/^Subject: Add REAL Inches To Your Package! GUARANTEED/    REJECT
/^Subject: At Last, Herbal V, the All Natural Alternative!/    REJECT
/^Subject: Have Hair Loss? We Can Help You!\.\.Read on\.\./    REJECT
/^Subject: Pill to Increase Your Ejaculation by \d{3}%/        REJECT
/^Subject: free trial herbal viagra good for men and women/    REJECT
/^Subject: STAYING POWER/                    REJECT
/^Subject: Isn\'t It Time You Solved Your \"little\" Problem\?\s*\d{2,6}/    REJECT
/^Subject: Non Prescription Alternative to Viagra/        REJECT

# financial / money

/^Subject: INSTANT Daily PAY!/                    REJECT
/^Subject: INSTANT Pay to \$\d{2,3} A Day!/            REJECT
/^Subject: The easiest way to make money on the internet!/    REJECT
/^Subject: INTEREST RATES HAVE DROPPED/                REJECT
/^Subject: Make Money In Your Sleep! /                REJECT
/^Subject: Lowest Rates In Years! /                REJECT
/^Subject: make money now!!!!!/                    REJECT
/^Subject: HOME-BASED BUSINESSES /                REJECT
/^Subject: Sick of paying and paying and staying in debt? /    REJECT
/^Subject: Recession Hurts!/                    REJECT
/^Subject: Got Debt\?\s*Cut Your Bills in HALF!/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Make \d{2}% Yearly Fully Secured!/            REJECT
/^Subject: Have tax problems?\s*\[\w{4,6}\]/            REJECT
/^Subject: Got a Mortgage\?\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Rates Have Fallen Again!\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Take Advantage of Falling Interest Rates!/        REJECT
/^Subject: Double Your Life Insurance at NO EXTRA COST!/    REJECT
/^Subject: Got Debt\?.*\[\w{4,6}\]/                REJECT
/^Subject: Are you in debt\?\s*\[\w{4,6}\]/            REJECT
/^Subject: Refinance rates as low as \d.\d{2}%/            REJECT
/^Subject: Hot Casino Action - \d{2,3}% Bonus/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Need More Life Insurance\? Double it for No Extra Cost/    REJECT
/^Subject: Did you get your money\?/                REJECT
/^Subject: Tired of dropping stock prices\?\d{1,6}/        REJECT
/^Subject: \d{2,6}\s*Work From Home /                REJECT
/^Subject: Debt Consolidation.\s*\[\w{4,6}\]/            REJECT
/^Subject: Mortgage interest rates are lowered AGAIN/        REJECT
/^Subject: Re:  Easy money!  Muy dinero! \(/            REJECT
/^Subject: Feel the Excitement of CyberXCasino/            REJECT
/^Subject: Free Loan Quotations\.\.\.\.\.Lower your Rate!/        REJECT
/^Subject: Free Vacation$/                    REJECT
/^Subject: GUARANTEED MONTHLY INCOME- Join FREE NOW!/        REJECT
/^Subject: Is your mortgage APR as low as \d.\d{2}/        REJECT
/^Subject: Tired of the 40 X 40.*\?/                REJECT
/^Subject: NEVER REPAY, FREE CASH GRANTS\.*\s*\d{2,7}$/        REJECT
/^Subject: Are You Making \$\w{2,}\+ A Month Online\?\s*\d{2,7}$/    REJECT
/^Subject: Secure Your Financial Future!$/            REJECT
/^Subject: \d{2,3}% OFF Your Life Insurance/            REJECT

# piracy

/^Subject: Copy Your Favorite DVD Movies !!!/            REJECT
/^Subject: EASILY COPY ANY DVD MOVIE FOR FREE!/            REJECT
/^Subject: Favorite Movie not on DVD?/                REJECT

# random

/^Subject: Try this, it really works! /                REJECT
/^Subject: Increased Emotional Stability /            REJECT
/^Subject: Free Travel/                        REJECT
/^Subject: Chart Returns - Charles Taylor /            REJECT
/^Subject: You could search for a year and\.\.\.\.\./        REJECT
/^Subject: Escape the Ordinary\.\.\.\.\.\.New Opportunity for you\.\./    REJECT
/^Subject: This Is What You've Been Waiting For\..*\d{2,6}/    REJECT
/^Subject: Get Rid of those Paper Piles!\s*\d{2,6}/        REJECT
/^Subject: Imaging Software for the Home.*\d{2,6}/        REJECT
/^Subject: End static on the cell/                REJECT
/^Subject: Free Trials & HBC Updates!/                REJECT
/^Subject: Free Trials from Home Business Connection/        REJECT
/^Subject: Fw: Marketing your product or service just got easier!/    REJECT
/^Subject: Re: I did not hear back from you$/            REJECT
/^Subject: Safe, Easy Snoring Solution!\s*\w{2,7}/        REJECT

# search engines

/^Subject: Search Engine Bids Are Now Half Price!/        REJECT
/^Subject: Guaranteed Top Ten Search Engine Placement!!\s*\d{2,7}/    REJECT

# spamware / email addresses

/^Subject: \d{2,3} Million Fresh Email Addresses/        REJECT
/^Subject: \d{2,3} Million Email Addresses - \$\d{2,3}/        REJECT
/^Subject: Internet Marketing Works! -\w{48}/            REJECT
/^Subject: Lets Learn How to market successfully!\s*\d{2,7}/    REJECT

# spyware

/^Subject: Investigate Anyone or Anything now!/            REJECT
/^Subject: NEW!! Find out ANYTHING about ANYONE w\/ your PC!/    REJECT

# paranoia

/^Subject: Protect yourself from Small pox and Anthrax Naturally\s*\w{2,7}/    REJECT

# just plain unrealistic

/^Subject: Boost Your Windows Reliability/            REJECT
/^Subject: Give Windows Operating System A Boost In Reliability!/    REJECT
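A way to review a table like this before it goes into production, as an added example that is not code from the original post or from Postfix: a linter that checks each rule parses and compiles, that its action is one Postfix accepts, and that flags literal one-subject rules of the kind argued against above. The sample table is constructed from lines in the post, including the two that were defective as originally published (a misspelt action and a stray "!" after REJECT).

```python
"""Lint a Postfix pcre header_checks table before it goes live.

Added example, not code from the original post. It parses each
"/pattern/flags ACTION [text]" line of a header_checks table, verifies that
the pattern compiles and that the action is one Postfix accepts, and warns
about Subject rules that are a fixed string matching one exact subject, the
kind of rule the post argues against. Python's re is close enough to PCRE
for these checks. The sample table is constructed from lines in the post.
"""
import re

# Actions Postfix accepts in header_checks/body_checks lookup tables
KNOWN_ACTIONS = {"REJECT", "DISCARD", "IGNORE", "HOLD", "WARN", "FILTER",
                 "REDIRECT", "PREPEND", "REPLACE", "DUNNO", "OK", "INFO", "BCC"}

RULE_RE = re.compile(
    r"^(?P<neg>!?)/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[a-zA-Z]*)"
    r"\s+(?P<action>\S+)(?:\s+(?P<text>.*\S))?\s*$"
)
META = set(".*+?[](){}|")        # characters that make a pattern more than a literal

SAMPLE_TABLE = r"""# constructed from the post's examples
/^Subject: Get Viagra Online Now !!!/                REJECT
/^Subject: INTEREST RATES HAVE DROPPED/              REJECT !
/^Subject: Refinance rates as low as \d.\d{2}%/      REJECT
/^Subject: Free Trials from Home Business Connection/ REJEC
/^Subject: .*\b(?:refinance|mortgage) rates\b/i      REJECT
"""


def parse_table(text):
    """Yield one dict per non-comment line: the RULE_RE fields or an error."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        yield {"line": lineno, **(m.groupdict() if m else {}),
               "error": None if m else "cannot parse as /pattern/flags ACTION"}


def is_literal_subject(pattern):
    """True for '^Subject: fixed text' rules, which match one exact subject only."""
    if not pattern.startswith("^Subject:"):
        return False
    body = re.sub(r"\\.", "", pattern[len("^Subject:"):])   # drop escaped chars
    return not (set(body) & META)


def lint(text):
    """Return (errors, warnings) as lists of 'line N: ...' strings."""
    errors, warnings = [], []
    for rule in parse_table(text):
        n = rule["line"]
        if rule["error"]:
            errors.append(f"line {n}: {rule['error']}")
            continue
        try:
            re.compile(rule["pat"], re.I if "i" in rule["flags"] else 0)
        except re.error as exc:
            errors.append(f"line {n}: pattern does not compile: {exc}")
            continue
        if rule["action"].upper() not in KNOWN_ACTIONS:
            errors.append(f"line {n}: unknown action {rule['action']!r} (typo for REJECT?)")
            continue
        if rule["text"] and not any(c.isalnum() for c in rule["text"]):
            warnings.append(f"line {n}: reject text {rule['text']!r} tells the sender nothing")
        if is_literal_subject(rule["pat"]):
            warnings.append(f"line {n}: literal Subject rule, matches one exact subject only")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = lint(SAMPLE_TABLE)
    print("\n".join(["ERRORS:"] + errs + ["WARNINGS:"] + warns))
```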