A step by step guide on how to catch more spam with SpamAssassin
This guide will show you how to catch and fight more spam with SpamAssassin by using the modules RelayCountry, TextCat and white and blacklists.
If you followed the SpamAssassin part of the Qmail guide located here, How To Install SpamAssassin On FreeBSD, then you should already be catching most of the spam coming your way. However, chances are that a few spam mails will still find their way to your mailbox. This guide will try to help you catch these.
You should already have the modules listed below installed and enabled in the file named init.pre, usually located in /usr/local/etc/mail/spamassassin/. If you followed the SpamAssassin part of the Qmail guide you have them, as I made sure of that.
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin IP::Country::Fast
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
The first plugin, "TextCat", is a language guesser, and we can use it to filter out spam written in languages we don’t want to receive. This is not the same as filtering spam according to the country the mail claims to come from.
Here’s a scenario.
If an email is written in Russian I don’t want to receive it, so TextCat is used here. But if a mail is written in English and comes from an IP address assigned to Russia, I will still receive it, which in this case is what I want.
The second plugin "RelayCountry" is used to block spam depending on what country the email was relayed through. This requires the "IP Country Fast" Module to be present and loaded as well.
Now this is not the same as blocking spam depending on what country the mail is originating from.
In order to filter out spam from where it originated i.e. the country in which they are hosted you should use the "URICountry" Plugin. I’m not done testing this plugin yet. As soon as I’m done I’ll add the "URICountry" plugin to this guide as well.
The third plugin, "WhiteListSubject", is used to white and blacklist mails based on sender, domain, or subject.
With the above 3 plugins we can do a lot. But fighting spam is an ongoing war: you can install 1 million spam filters and plugins and you will probably still get some spam. For your server’s sake, try to keep your plugins to a minimum, as some of them consume quite a lot of memory and CPU, depending of course on how much spam you receive.
In order to tweak SpamAssassin and use the above plugins we need to edit the file local.cf in /usr/local/etc/mail/spamassassin/
Note: Modifications should be placed at the end of the local.cf file. Placing them at the end ensures that all modules are loaded and enabled before the custom filtering starts. Remember to restart SpamAssassin when done.
Let’s start with an example of blocking spam relayed through Russia. The task here is quite simple: we use RelayCountry to determine which country the email was relayed through, and then we give it a score higher than the threshold at which a message is considered spam, i.e. higher than the entry "required_score x.x", which is also located in the local.cf file.
This is quite simple. I have my required_score set to 3.4, so to block spam relayed through Russia I just give these mails a score of 8.0, which will delete them on my server. Yes, I have my server set to delete spam and not just to mark it as spam. The configuration per country is 3 lines. Just add the lines below and you’re done. Remember that whenever you add or change configuration you need to restart SpamAssassin for the changes to take effect.
cd /usr/local/etc/mail/spamassassin
vi local.cf
header RELAYCOUNTRY_RU X-Relay-Countries =~ /RU/
describe RELAYCOUNTRY_RU Relayed through Russia
score RELAYCOUNTRY_RU 8.0
You can add as many as you like. The next 3 lines are used to filter out spam relayed through China.
cd /usr/local/etc/mail/spamassassin
vi local.cf
header RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
describe RELAYCOUNTRY_CN Relayed through China
score RELAYCOUNTRY_CN 8.0
With the rules above you probably just eliminated 75 % of all your spam. You can see a complete list of country codes from IANA here: Iana Country Codes
Warning: Although it is possible to block IP addresses using the above method, it is not advisable. The IP address in question could be part of shared hosting, where maybe hundreds of domains share the same outgoing IP address, and you would block them as well. When blocking an address, be sure to block only ADSL/DSL or dial-up addresses. If you really want to block an IP address, use the method below and replace xxx.xxx.xxx.xxx with a real IP address.
header SPAMMING_IP Received =~ /xxx\.xxx\.xxx\.xxx/
describe SPAMMING_IP Spam Mail from xxx.xxx.xxx.xxx
score SPAMMING_IP 8.0
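How the rules above add up against required_score, as an added example that is not part of the original guide and not SpamAssassin's own code: a small Python emulation of the header/score lines run over constructed headers. The rule SPAMMING_IP_STRICT, the address 192.0.2.1 and the sample messages are assumptions made for illustration; the "lookalike_ip" sample shows that an IP pattern without boundaries also matches longer addresses such as 192.0.2.15.

```python
import re
REQUIRED_SCORE = 3.4  # threshold used in the guide

# local.cf-style rules; 192.0.2.1 is a placeholder, *_STRICT is a hypothetical variant.
RULES = r"""
header RELAYCOUNTRY_RU X-Relay-Countries =~ /RU/
score RELAYCOUNTRY_RU 8.0
header RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
score RELAYCOUNTRY_CN 8.0
header SPAMMING_IP Received =~ /192\.0\.2\.1/
score SPAMMING_IP 8.0
header SPAMMING_IP_STRICT Received =~ /(?<![\d.])192\.0\.2\.1(?![\d.])/
score SPAMMING_IP_STRICT 8.0
"""

def parse_rules(text):
    """Parse 'header NAME Hdr =~ /re/' and 'score NAME n' lines."""
    tests, scores = {}, {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        m = re.match(r"(\S+)\s+=~\s+/(.*)/$", rest)
        if kind == "header" and m:
            tests[name] = (m.group(1).lower(), re.compile(m.group(2)))
        elif kind == "score":
            scores[name] = float(rest)
    return tests, scores

def evaluate(headers, tests, scores):
    """headers: list of (name, value). Returns (hits, total, is_spam)."""
    hits = sorted(name for name, (hdr, rx) in tests.items()
                  if any(h.lower() == hdr and rx.search(v) for h, v in headers))
    total = sum(scores.get(name, 1.0) for name in hits)
    return hits, total, total >= REQUIRED_SCORE

# Constructed sample messages. X-Relay-Countries is metadata the RelayCountry
# plugin derives from the Received chain; here it is filled in by hand.
SAMPLES = {
    "relayed_ru": [("X-Relay-Countries", "US RU"), ("Received", "from a.example ([198.51.100.7])")],
    "listed_ip": [("X-Relay-Countries", "DK"), ("Received", "from b.example ([192.0.2.1])")],
    "lookalike_ip": [("X-Relay-Countries", "DK"), ("Received", "from c.example ([192.0.2.15])")],
    "clean": [("X-Relay-Countries", "DK DE"), ("Received", "from d.example ([203.0.113.9])")],
}

if __name__ == "__main__":
    tests, scores = parse_rules(RULES)
    for label, headers in SAMPLES.items():
        print(label, evaluate(headers, tests, scores))
```

The real filter should always be checked with SpamAssassin itself after editing local.cf; this emulation only covers simple header regex rules.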
Right, moving on to filtering spam according to the language being used and, if you want, also according to the locale being used. This requires 2 or 3 lines, depending on whether you want to filter on language only, locale only, or both at the same time, plus the score you want to set to filter it out.
Let’s start with the ok languages. In this example I’ll use a couple of languages that should “NOT” be marked as possible spam in another language: da en fr de no sv. That’s Danish, English, French, German, Norwegian, and Swedish.
cd /usr/local/etc/mail/spamassassin
vi local.cf
ok_languages da en fr de no sv
score UNWANTED_LANGUAGE_BODY 8.0
Next we can do the same depending on the locale being used. Let’s say all mail using Danish and English as locale should not be marked as possible spam in another language.
cd /usr/local/etc/mail/spamassassin
vi local.cf
ok_locales da en
score UNWANTED_LANGUAGE_BODY 8.0
Now we can combine the above rules to shorten the local.cf file like this.
cd /usr/local/etc/mail/spamassassin
vi local.cf
ok_languages da en fr de no sv
ok_locales da en
score UNWANTED_LANGUAGE_BODY 8.0
Right, moving on to filtering spam using white and blacklisting.
White and blacklists are quite easy to work with. To keep it simple, you would usually filter mails based on either a complete domain or address@domain.xxx
To whitelist a domain so that all email from it is whitelisted regardless, use the following line.
cd /usr/local/etc/mail/spamassassin
vi local.cf
whitelist_from *@domain.xxx
To whitelist a single email address only, use the following line.
cd /usr/local/etc/mail/spamassassin
vi local.cf
whitelist_from somewhere@domain.xxx
These are the same rules we would use for blacklisting. Just exchange "whitelist_from" with "blacklist_from". So blacklisting the above would look like this.
cd /usr/local/etc/mail/spamassassin
vi local.cf
blacklist_from *@domain.xxx
To blacklist a single email address only, use the following line.
cd /usr/local/etc/mail/spamassassin
vi local.cf
blacklist_from somewhere@domain.xxx
This guide is permanently marked as "work in progress", and therefore updates are added whenever I think something interesting shows up that should be added here.