1

Topic: Improve Spam Filtering?

I recently switched from a homebrew mail server cobbled together from various tutorials to iRedMail.  Simply love how easy it was to get everything set up the way I like it.

However, one negative change is that my users are seeing a LOT more spam get through with iRedMail.  One user went from receiving 1-2 messages / day to more than 100.

I have not done much of anything to mess with the spamassassin settings, other than to turn down the threshold where it will add the spam headers to his spammy mail so that I can see what scores he is getting.  They are surprising.  Here are a few headers from some messages he received today:

X-Spam-Flag: NO
X-Spam-Score: -6.611
X-Spam-Status: No, score=-6.611 tagged_above=-100 required=6.31 tests=[BAYES_00=-1.9, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_PASS=-10, URIBL_DBL_SPAM=1.7] autolearn=no
X-Original-Helo: mx2.naptowncon.com (iRedMail: http://www.iredmail.org/)
X-Spam-Flag: NO
X-Spam-Score: -1.64
X-Spam-Status: No, score=-1.64 tagged_above=-100 required=6.31 tests=[BAYES_40=-0.001, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7, RCVD_IN_RP_RNBL=1.31, RDNS_NONE=0.793, SPF_PASS=-10, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=0.4087] autolearn=no
X-Original-Helo: nullmx.liquidfaresucks.com (iRedMail: http://www.iredmail.org/)
X-Spam-Flag: NO
X-Spam-Score: -2.335
X-Spam-Status: No, score=-2.335 tagged_above=-100 required=6.31 tests=[BAYES_00=-1.9, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RCVD_IN_PSBL=2.7, RDNS_NONE=0.793, SPF_PASS=-10, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=0.4087, URIBL_RHS_DOB=1.514] autolearn=no
X-Original-Helo: webmail.uae-real-estate.net (iRedMail: http://www.iredmail.org/)

There are a few things that jump out at me:
1) All these have a spam score of < 1.
2) They all appear to be being sent from spammers who are using iredmail to configure their servers (unless I'm reading the X-Original-Helo incorrectly).

So, I have 2 questions: 
a) Is there a setting somewhere that mucks around with the spam filters if the sending server is an iredmail setup?
b) How can I set up a way to train spamassassin for my endusers w/out using webmail?  i.e., can I set up a special mailbox they forward their spam to in order to help train the filters?  If so, how do I set that up?

Thanks in advance for any advice you can offer.


==== Provide required information ====
- iRedMail version and backend (LDAP/MySQL/PGSQL):
iRedMail 0.8.0
MySQL backend

- Linux/BSD distribution name and version:
Ubuntu Linux 12.04

- Any related log? Log is helpful for troubleshooting.
====


2

Re: Improve Spam Filtering?

As you can see, a valid SPF DNS setting decreases the spam score:

SPF_PASS=-10

You can try to remove the SPF-related score setting in /etc/mail/spamassassin/local.cf by commenting out the line below:

score SPF_PASS -10.000

Restarting Amavisd service is required.

3

Re: Improve Spam Filtering?

ZhangHuangbin wrote:

As you can see, a valid SPF DNS setting decreases the spam score:

SPF_PASS=-10

You can try to remove the SPF-related score setting in /etc/mail/spamassassin/local.cf by commenting out the line below:

score SPF_PASS -10.000

Restarting Amavisd service is required.


Thanks for this suggestion!  This single change has cut down the spam load by around 70%.  That's great! 

Now I'd like to see what else I can do to improve the performance of spamassassin.  What is the best way to set up spamassassin to train it on spam vs ham in an iredmail install?

Thanks!

4

Re: Improve Spam Filtering?

kimball wrote:

Now I'd like to see what else I can do to improve the performance of spamassassin.  What is the best way to set up spamassassin to train it on spam vs ham in an iredmail install?

Try this:

- Store SpamAssassin Bayes data in SQL database
  http://www.iredmail.org/wiki/index.php? … yes.In.SQL

You should check SPAM emails to find the same or similar part, then tune your Postfix/SpamAssassin/etc to block/reject/quarantine it. Anti-spam is not a one-time job.

5

Re: Improve Spam Filtering?

Got to admit - just started playing with iredmail and the standard setup and was quite surprised to see SPF being set to -10.

If there is one thing spammers do, it's adopt new technology quickly - SPF pass should have a very minor score impact really imo, so yes, I've also seen a huge increase in spam when first switching due to this.

The official spamassassin rules only give SPF_PASS a -0.001 rating

http://spamassassin.apache.org/tests_3_2_x.html
http://spamassassin.apache.org/tests_3_3_x.html

-10 is a silly value!

In regards to the bayes stuff - putting it into a dbase is a great idea - been doing it for years, it works well and means you can also offload it to another server if you want (along with spamassassin as well). The markasjunk2 works well as well; I did find I had to hack it a little to get it to work - some things iirc were not working properly. There are some things in code like (memory could be wrong)

$this->storage->..........

I had to change these in some places to

$this->imap->..........

And it works great now.

I took spamassassin out of amavisd and ran it directly from postfix, and with the bayes in dbase I've now got per-user bayes filtering rather than global bayes.
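
Added example (not part of any post in this thread and not iRedMail or SpamAssassin code): a small Python script that parses the three X-Spam-Status values quoted in the first post and recomputes each total with SPF_PASS at -0.001, the stock value cited above, instead of -10. The function names are hypothetical and the header strings are copied from the thread as sample input.

```python
import re

# Sample input: the three X-Spam-Status values quoted in the first post.
HEADERS = [
    "No, score=-6.611 tagged_above=-100 required=6.31 tests=[BAYES_00=-1.9, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_PASS=-10, URIBL_DBL_SPAM=1.7] autolearn=no",
    "No, score=-1.64 tagged_above=-100 required=6.31 tests=[BAYES_40=-0.001, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PSBL=2.7, RCVD_IN_RP_RNBL=1.31, RDNS_NONE=0.793, SPF_PASS=-10, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=0.4087] autolearn=no",
    "No, score=-2.335 tagged_above=-100 required=6.31 tests=[BAYES_00=-1.9, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_CSS=1, RCVD_IN_PSBL=2.7, RDNS_NONE=0.793, SPF_PASS=-10, URIBL_DBL_SPAM=1.7, URIBL_JP_SURBL=0.4087, URIBL_RHS_DOB=1.514] autolearn=no",
]

# re.S lets the pattern span folded (multi-line) header values.
STATUS_RE = re.compile(
    r"score=(-?[\d.]+).*?required=(-?[\d.]+).*?tests=\[([^\]]*)\]", re.S)


def parse_status(value):
    """Return (score, required, {rule: points}) from an X-Spam-Status value."""
    m = STATUS_RE.search(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status value")
    tests = {}
    for item in m.group(3).split(","):
        name, sep, points = item.strip().partition("=")
        if sep:  # skip empty entries such as tests=[]
            tests[name] = float(points)
    return float(m.group(1)), float(m.group(2)), tests


def rescore(value, overrides):
    """Recompute the total with some rule scores replaced.

    Returns (new_total, is_spam); is_spam uses the header's own required= value.
    """
    _, required, tests = parse_status(value)
    total = round(sum(overrides.get(n, p) for n, p in tests.items()), 3)
    return total, total >= required


def report(spf_pass=-0.001):
    """Rescore every sample header with SPF_PASS set to spf_pass."""
    return [rescore(h, {"SPF_PASS": spf_pass}) for h in HEADERS]


if __name__ == "__main__":
    for header, (total, is_spam) in zip(HEADERS, report()):
        print(f"{parse_status(header)[0]:>7} -> {total:>6}  spam={is_spam}")
```

With SPF_PASS at -0.001 the second and third messages cross the required=6.31 threshold, while the first stays at 3.388, where BAYES_00 still subtracts 1.9.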

6

Re: Improve Spam Filtering?

You can use per-user bayes filtering with markasjunk2, just change "--username=vmail" to "--username=%u" in sa-learn.

$rcmail_config['markasjunk2_spam_cmd'] = 'sa-learn --spam --username=%u %f';
$rcmail_config['markasjunk2_ham_cmd'] = 'sa-learn --ham --username=%u %f';

7

Re: Improve Spam Filtering?

imknight wrote:

Got to admit - just started playing with iredmail and the standard setup and was quite surprised to see SPF being set to -10.
If there is one thing spammers do, it's adopt new technology quickly - SPF pass should have a very minor score impact really imo, so yes, I've also seen a huge increase in spam when first switching due to this.

You're right, and it happened to one customer here: http://www.iredmail.org/forum/topic2460 … rking.html
I removed these two settings in SA local.cf a moment ago (code commit log), and mentioned this change in the iRedMail upgrade tutorial (link). Thanks for your feedback.