Guide On How To Catch More Spam With SpamAssassin On FreeBSD

2017-08-04T09:38:35+01:00

A Step By Step Guide On How To Tweak SpamAssassin On FreeBSD
If you followed my SpamAssassin guide, you should already be catching most email spam. However, chances are that a few spam mails will still find their way to your mailbox. This guide will try to help you catch these.

Before we start, the following modules should be present in /usr/local/etc/mail/spamassassin/v310.pre

loadplugin IP::Country::Fast
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject

You can do a quick check like this.

grep "loadplugin" /usr/local/etc/mail/spamassassin/v310.pre

You will get a list that looks something like this.

#loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
#loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
#loadplugin Mail::SpamAssassin::Plugin::TextCat
#loadplugin Mail::SpamAssassin::Plugin::AccessDB
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin IP::Country::Fast
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

And the following should be present in /usr/local/etc/mail/spamassassin/init.pre

loadplugin Mail::SpamAssassin::Plugin::RelayCountry

Again you can do a quick check like this.

grep "loadplugin" /usr/local/etc/mail/spamassassin/init.pre

You should get a list very similar to this.

loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
# loadplugin Mail::SpamAssassin::Plugin::SPF
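
A stricter form of the two grep checks above, added here as an example and not part of the original guide: grep "loadplugin" also prints commented-out lines (the sample v310.pre listing shows #loadplugin ...TextCat), so this sh function reports a plugin as loaded only when an uncommented loadplugin line names it. The function name missing_plugins and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): list required plugins that
# have no active loadplugin line. A commented-out line does not count.

# missing_plugins FILE PLUGIN... -> prints each PLUGIN that FILE does not load
missing_plugins() {
    file=$1
    shift
    for plugin in "$@"; do
        # Plugin names contain only letters, digits, ":" and "_", so they
        # can be placed in the ERE unescaped. The name must be followed by
        # whitespace or end of line so a longer name is not accepted.
        if ! grep -Eq "^[[:space:]]*loadplugin[[:space:]]+$plugin([[:space:]]|\$)" "$file"; then
            printf '%s\n' "$plugin"
        fi
    done
}

# Constructed sample that mirrors the v310.pre listing shown above
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/v310.pre" <<'EOF'
#loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
#loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin IP::Country::Fast
EOF

# On a real host, pass /usr/local/etc/mail/spamassassin/v310.pre instead
missing=$(missing_plugins "$sample_dir/v310.pre" \
    IP::Country::Fast \
    Mail::SpamAssassin::Plugin::TextCat \
    Mail::SpamAssassin::Plugin::WhiteListSubject)

if [ -n "$missing" ]; then
    echo "not loaded: $missing"
else
    echo "all required plugins are loaded"
fi
```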

Right, now that this is settled, let’s get started.

The first plugin we will use is called “TextCat”. This is a language guesser, and we can use it to filter out spam written in languages we don’t want to receive. This is not the same as filtering spam according to the country code it claims to come from. I mention this so you don’t mix these two things up.

Here’s a made-up scenario. If an email is written in Russian, I don’t want to receive it, so TextCat is used here. But if a mail is written in English and comes from an IP address assigned to Russia, I will still receive it. So TextCat does not block mail depending on country, but on language. Got it? Nice, let’s move on.

The second plugin we will use, “RelayCountry”, is used to block spam depending on what country the email was relayed through. This also requires the “IP Country Fast” module to be present and loaded, as shown earlier.

Now, this is not the same as blocking spam depending on what country the mail originates from. It is quite possible for an email to originate in one country, i.e. be written and sent from a home in Italy, while being relayed through an internet provider in, let’s say, Russia.

“I don’t know, it’s an example. Maybe Russia was providing cheap mail to those in the Italian household. It’s an example, OK?”

So the “RelayCountry” plugin will, as the name states, block according to what country relayed the email, in this case Russia. In order to filter out spam by where it originated, in this case Italy, one would use something like the “URICountry” plugin. I’m not done testing the “URICountry” plugin, but will update this guide once I have. Got all of this as well? Sweet, let’s move on.

The third plugin we will use, “WhiteListSubject”, is used to whitelist and blacklist mails based on sender, domain and/or subject. I don’t think I need to elaborate on what this means.

Right, now that you know the behaviour of the plugins we are going to use, let’s put them into action.

In the first example we will block mails relayed from specific countries. I’ll try to explain what’s going on. In the file /usr/local/etc/mail/spamassassin/local.cf you have set the score at which an email is marked as spam. Mine is set at 3.4. You can check yours like this.

grep "score" /usr/local/etc/mail/spamassassin/local.cf

My output looks like this. You may have set a different score, but that is irrelevant.

required_score 3.4

What is relevant, though, is that we are going to add a score higher than the threshold (let’s use my score of 3.4 as an example) to emails relayed from unwanted relay countries. Gee, I hope this makes sense. Basically, what we are going to do is this: if we get an email that has been relayed from Russia, then whatever score it already has, even one lower than 3.4, we apply a score of 8.0 to that mail. Because of this SpamAssassin will kick in, since the rule says mail with a score of 3.4+ is spam. Got this? Good, so let’s put the rule in place.

Add the following lines to /usr/local/etc/mail/spamassassin/local.cf

header RELAYCOUNTRY_RU X-Relay-Countries =~ /RU/
describe RELAYCOUNTRY_RU Relayed through Russia
score RELAYCOUNTRY_RU 8.0

The above will mark all mail relayed from Russia with a score of 8.0, and because our rules say everything above 3.4 is spam, it will be marked as such. If we want to do this for China as well, the lines to be added will look like this.

header RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
describe RELAYCOUNTRY_CN Relayed through China
score RELAYCOUNTRY_CN 8.0

You can add as many as you like. For a complete list of country codes [click here]

Now, the scoring shown above can also be used to block specific IP addresses. This is not advisable, though, as the IP address may be spoofed, or it may be a DHCP lease that is later handed to someone whose mail you have no objection to. With that in mind, it is still possible, like this. Replace xxx.xxx.xxx.xxx with the IP address you wish to block.

header SPAMMING_IP Received =~ /xxx\.xxx\.xxx\.xxx/
describe SPAMMING_IP Spam Mail from xxx.xxx.xxx.xxx
score SPAMMING_IP 8.0
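
An added example, not from the original guide: the pattern /xxx\.xxx\.xxx\.xxx/ has no boundaries, so a rule written for 192.0.2.1 also fires on 192.0.2.10 and 192.0.2.100. The sh functions below (escape_ip, ip_rule and count_hits are names chosen here) generate a bounded rule and compare both patterns over constructed Received headers that use documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the original guide). Sample addresses come from
# the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.

# escape_ip IP -> the address with each dot escaped for use in a regex
escape_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# ip_rule IP -> three local.cf lines; the Perl lookarounds stop the
# pattern from matching inside a longer address
ip_rule() {
    re=$(escape_ip "$1")
    printf 'header SPAMMING_IP Received =~ /(?<![0-9.])%s(?![0-9.])/\n' "$re"
    printf 'describe SPAMMING_IP Spam mail from %s\n' "$1"
    printf 'score SPAMMING_IP 8.0\n'
}

# count_hits MODE IP FILE -> how many lines of FILE the pattern matches.
# "loose" is the bare escaped address; "strict" adds the same boundaries
# as ip_rule, spelled as ERE classes because grep -E has no lookarounds.
count_hits() {
    re=$(escape_ip "$2")
    case $1 in
        loose)  grep -Ec "$re" "$3" || true ;;
        strict) grep -Ec "(^|[^0-9.])$re([^0-9.]|\$)" "$3" || true ;;
    esac
}

# Constructed Received headers, one relay per line
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Received: from a.example.net (a.example.net [192.0.2.1]) by mx.example.org
Received: from b.example.net (b.example.net [192.0.2.10]) by mx.example.org
Received: from c.example.net (c.example.net [192.0.2.100]) by mx.example.org
Received: from d.example.net (d.example.net [198.51.100.7]) by mx.example.org
EOF

ip_rule 192.0.2.1
echo "loose pattern hits:  $(count_hits loose 192.0.2.1 "$sample")"
echo "strict pattern hits: $(count_hits strict 192.0.2.1 "$sample")"
```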

Right, moving on to filtering spam according to what language is being used. It works like this. You have a list of “ok_languages”; languages listed there will never be marked as “possible” spam in another language. All other languages will get a score of 8.0 in the example below.

The syntax looks like this. This will mark all mail written in a language other than Danish, English, French, German, Norwegian and Swedish as spam.

ok_languages da en fr de no sv
score UNWANTED_LANGUAGE_BODY 8.0

Next we can do the same depending on what locale is being used. We will use the same countries as before.

ok_locales da en
score UNWANTED_LANGUAGE_BODY 8.0

Now let’s combine this and add it to the configuration file. Add the following to /usr/local/etc/mail/spamassassin/local.cf

ok_languages da en fr de no sv
ok_locales da en
score UNWANTED_LANGUAGE_BODY 8.0

I hope this made sense, everyone. It’s difficult to describe this in a straightforward way.

Right, moving on to filtering spam using whitelisting and blacklisting. White and blacklists are quite easy to work with. To keep it simple, you would usually filter mails based on either a complete domain or a specific email address.

To whitelist a domain, so that all email from this domain is whitelisted, add this line to the following file: /usr/local/etc/mail/spamassassin/local.cf

whitelist_from *@domain.xxx

To whitelist a specific email address only use the following syntax.

whitelist_from user@domain.xxx

These are the same rules we would use for blacklisting. Just exchange “whitelist_from” with “blacklist_from”. So blacklisting the above would look like this, added to the same configuration file as the whitelist entries: /usr/local/etc/mail/spamassassin/local.cf

Blacklist a complete domain.

blacklist_from *@domain.xxx

And to blacklist only a specific email address.

blacklist_from user@domain.xxx

And we are done here.

Spell checkers don’t – Grammar checkers don’t either.