Using Amavisd and Spamassassin to Block Spam

August 15, 2009 Spam Control

There will be times when you have your Postfix mail server set up and Spam is under control, and then all of a sudden a new wave of Spam hits your site.  This article shows how a few small adjustments can cut down on new waves of Spam.  Here is an example of the new wave of Spam I started getting.  I will take you through a few steps I used to eliminate this new wave.

Prospector specializes in delivering results for brokers, lenders as well as mortgage products and services
companies nationwide. If you need to jump-start your company’s sales or originations, we can help.

We understand the industry from the inside out and are the only B2B marketer that can GUARANTEE results
with every campaign. An industry leader for almost a decade, Prospector has the largest active network of loan
producers in the nation who are actively seeking help with their businesses.

We specialize in the following areas;

*    FHA, Commercial, Hard Money, Reverse, Conventional Programs
*    Loan Modification Networks and Affiliates
*    MTG Training and Education
*    Lead Generators
*    Loan Processing and Compliance

Step #1: Check Your Logs

When you check your logs you are looking for several things.  One important thing is the score Spamassassin gave this particular email: in the log entry below, Hits is 6.353.  Because my setup uses Amavisd-new, the hit levels and the actions they trigger are listed in the /etc/amavisd.conf file.  The other thing I pick up from the logs is the IP address of the mail server that is sending the Spam.

Aug 14 12:23:48 ns amavis[30026]: (30026-11) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <20090814122346.F1ABF27DF53440BF@hyperbiz1.com>, mail_id: OhHzJmCU7qmf, Hits: 6.353, size: 2637, queued_as: A710E207B83, 5129 ms
Aug 14 12:23:54 ns postfix/smtpd[7279]: < unknown[64.235.53.98]: EHLO hyperbiz1.com
Aug 14 12:23:54 ns postfix/smtpd[7279]: < unknown[64.235.53.98]: MAIL FROM:<noreply@hyperbiz1.com>
Aug 14 12:23:54 ns postfix/smtpd[7279]: extract_addr: input: <noreply@hyperbiz1.

Step #2: Drop Hit Levels

Here are the hit levels from the amavisd.conf file.  The hit level above was 6.3 and the trigger to block the email is at 6.8, so the message got through.  An easy solution when you start seeing new Spam is to slowly reduce the hit levels.  So I reduced the 6.8 down to 6.0 and then reduced the "spam detected" level from 6.2 to 5.8.  This is a small adjustment but it made a big difference.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.8;  # triggers spam evasive actions (e.g. blocks mail)

Be sure to reload amavisd when you are done making changes.  Remember, amavisd is what controls Spamassassin in this set up.

./amavisd reload
Daemon [28054] terminated by SIGTERM, waiting for dust to settle…
becoming a new daemon…
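
Before lowering the levels, the scores already in the mail log can be replayed against the old and new thresholds to see which messages would be handled differently. This is an added example, not part of the original article: the function names and every sample log line except the first are constructed, and it assumes a score equal to a level triggers that level.

```python
import re

# Thresholds from the article: before and after the Step #2 adjustment.
OLD = {"tag2": 6.2, "kill": 6.8}
NEW = {"tag2": 5.8, "kill": 6.0}

# First line is the log entry quoted in the article; the other lines are
# constructed samples in the same format (documentation IPs and domains).
SAMPLE_LOG = """\
Aug 14 12:23:48 ns amavis[30026]: (30026-11) Passed SPAMMY, [64.235.53.98] [64.235.53.98] <noreply@hyperbiz1.com> -> <person@example.com>, Message-ID: <20090814122346.F1ABF27DF53440BF@hyperbiz1.com>, mail_id: OhHzJmCU7qmf, Hits: 6.353, size: 2637, queued_as: A710E207B83, 5129 ms
Aug 14 12:25:10 ns amavis[30026]: (30026-12) Passed CLEAN, [192.0.2.10] [192.0.2.10] <alice@example.org> -> <person@example.com>, Message-ID: <constructed-1@example.org>, mail_id: AAAAAAAAAAAA, Hits: 0.412, size: 1800, queued_as: B000000001, 900 ms
Aug 14 12:27:31 ns amavis[30026]: (30026-13) Passed CLEAN, [198.51.100.7] [198.51.100.7] <offers@example.net> -> <person@example.com>, Message-ID: <constructed-2@example.net>, mail_id: BBBBBBBBBBBB, Hits: 5.9, size: 2210, queued_as: B000000002, 3100 ms
Aug 14 12:31:02 ns amavis[30026]: (30026-14) Blocked SPAM, [203.0.113.5] [203.0.113.5] <promo@example.net> -> <person@example.com>, Message-ID: <constructed-3@example.net>, mail_id: CCCCCCCCCCCC, Hits: 12.7, size: 3011, 4100 ms
Aug 14 12:33:40 ns amavis[30026]: (30026-15) Passed CLEAN, [192.0.2.44] [192.0.2.44] <bob@example.org> -> <person@example.com>, Message-ID: <constructed-4@example.org>, mail_id: DDDDDDDDDDDD, Hits: -, size: 950, queued_as: B000000004, 300 ms
"""

LINE_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?<(?P<sender>[^>]*)> ->"
    r".*?Hits: (?P<hits>-?\d+(?:\.\d+)?|-)"
)

def outcome(hits, levels):
    """Map a score to an action; levels are treated as inclusive (assumption)."""
    if hits >= levels["kill"]:
        return "kill"
    return "tag2" if hits >= levels["tag2"] else "pass"

def parse(log_text):
    """Yield (ip, sender, hits) for each amavis line that carries a score."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["hits"] != "-":  # "-" = no numeric score on the line
            yield m["ip"], m["sender"], float(m["hits"])

def changed_outcomes(log_text, old=OLD, new=NEW):
    """Return the messages whose handling differs between two threshold sets."""
    rows = []
    for ip, sender, hits in parse(log_text):
        before, after = outcome(hits, old), outcome(hits, new)
        if before != after:
            rows.append((ip, sender, hits, before, after))
    return rows

if __name__ == "__main__":
    for ip, sender, hits, before, after in changed_outcomes(SAMPLE_LOG):
        print(f"{hits:6.3f}  {before:>4} -> {after:<4}  [{ip}]  <{sender}>")
```

Check the senders in the changed rows for legitimate mail before committing to the lower levels, since each small reduction also moves borderline legitimate messages closer to being blocked.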

Now one question you may ask is why not write a header check or some other regular-expression check.  The answer is that the last thing you want to do is write a lot of special rules.  Try to control Spam with general principles, because if one wave of Spam is getting through, another is on the way from someone else.
