
I currently have SpamAssassin set to reject anything over 5.0, but I'm still getting a lot of spam. Are there any other good options? I haven't tweaked SA much, just used mostly the default Debian settings with a few whitelist entries (which are not responsible for the spam). It could be that I'm not running SA properly, if anyone has some quick tips on how to optimise it then I'm interested. I'm not so interested in detailed configuration changes because I don't want to go down the path of SA tweaking and because the server I run has lots of people from different regions and some use of multiple languages so I can't just tweak it for me personally. I guess I could try the Bayes stuff, does that give much of a benefit and how easy is it to set up?

CRM-114 is said to be good, does it do things better than SA in some significant way?

At this stage I'm even considering challenge-response. I figure if everything below a SA score of 3.0 was let through, everyone who I've ever sent mail to or who I've received good mail from was let through, and everything with a SA score over 5.0 was rejected then there wouldn't be too many challenges sent out (only challenges for unknown senders with scores between 3.0 and 5.0). Also if I do CR I'll set things up so that mail from known good lists (like this one) gets the reply-to added to the whitelist, of course challenges won't go out in response to precedence:bulk mail. Some years ago I ran a CR mail system for about 50,000 users and have memorised the design as well as having a copy of some of the code.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Tue, Oct 01, 2019 at 04:22:48PM +1000, Russell Coker wrote:
> I currently have SpamAssassin set to reject anything over 5.0, but I'm still getting a lot of spam.
> Are there any other good options? I haven't tweaked SA much, just used mostly the default Debian settings with a few whitelist entries (which are not responsible for the spam). It could be that I'm not running SA properly, if anyone has some quick tips on how to optimise it then I'm interested. I'm not so interested in detailed configuration changes because I don't want to go down the path of SA tweaking and because the server I run has lots of people from different regions and some use of multiple languages so I can't just tweak it for me personally. I guess I could try the Bayes stuff, does that give much of a benefit and how easy is it to set up?
I run spamassassin and my own custom postfix junk maps and header_checks rules. I wrote scripts to generate custom SA rules from the same domains that go into the junk maps. I don't bother with body_checks rules much these days because most spammers figured out base64 encoding years ago (so I catch that crap with SA). Every few weeks or months I trawl through my spamassassin quarantine mbox to find new stuff for the header_checks rules, and also to look for the rare false positive.

fail2ban monitors my mail logs and blocks repeated failures.

I also have a bogus secondary MX (because secondary MXs are preferred by spammers - they think it's a way to get past more stringent anti-spam rules on primary MXs). It's just another postfix smtpd on my mail server host, listening on a different IP address. It soft-rejects **everything**. fail2ban monitors the log for this too. I've also got some nice f2b-loop rules that ban repeat offenders for longer and longer times (the more often an IP address is banned for any reason, the sooner it ends up in the permanent all-ports f2b-loop5 chain).

I also use various RBLs, including country code RBLs that block mail based on the country of origin. Since it's my own **personal** mail server, it's safe to do that - I don't know anyone in China or Russia or any of the other common spam-source countries. Not safe to do on a shared or work mail server.

Similarly, I reject all mail from the TLDs that seem to be populated solely or almost entirely by spammers - .biz, .tech, .info, .loan and many more.

The downside is that it's a fair amount of work to maintain, even with all the scripts I've written to semi-automate it (mostly reading spam and copy-pasting spammer domains and spammy phrases and coming up with good regexps). An hour or two per week or sometimes more. But a) I've been doing this since the mid-1990s, so it's easy and b) I'd rather do this than trust my mail to google or some other corporation.
BTW, here's a useful header_checks rule (rejects mail from Mr, Mrs, Miss, Dr, Eng. etc):

    # Mr/Mrs/Ms/Miss/Dr/etc 419-spam.
    /^(?:Subject|From):\s*"?(?:From\s*)?(?:[DM]rs?\.?\b|Ms\.?|Miss|Duke|CEO|Barrister|AGENT|Eng\.|Engineer)/ REJECT HCP_105

I don't think I've **ever** seen a legitimate mail that included such a title in the From: or Subject: line - it's all 419 spam.

The "HCP_105" is a code to help me match log entries with header_checks rules in case I spot a false positive in the logs. I'm currently up to HCP_136. That's about 164 rules because some of them have suffixes like HCP_135a or HCP_135b, because I group them by "theme" (nigerian 419 scams, pill spam, porn spam, religious nutter spam, loyalty card scams, bogus hacker bitcoin blackmail spams, etc) and also split them into multiple rules when they get too long.
> At this stage I'm even considering challenge-response. I figure if everything below a SA score of 3.0 was let through, everyone who I've ever sent mail to or who I've received good mail from was let through, and everything with a SA
Don't do challenge-response. What it does is offload YOUR spam problem onto the people whose email addresses have been forged by a spammer, making it THEIR problem. It's obnoxious. It's just another form of backscatter-spam. And if you need personal motivation rather than just a wish to be a good net citizen: it will get your server onto backscatter RBLs.

craig

PS: many years ago I wrote some procmail rules that look for Challenge Response messages and automatically fetch the URL embedded in the message with curl. e.g.

    # yes, auto-confirming your spam is a free service i'm happy to provide.
    # thank you for off-loading your spam onto me.
    :0
    * ^Subject: Please confirm your message
    | lynx -dump -nonumbers -listonly -stdin | grep 'tmda\.cgi' | xargs -d'\n' -n1 curl >/dev/null 2>&1

-- 
craig sanders <cas@taz.net.au>
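As an added example (not Craig's code, nor part of the original thread), a small Python harness that parses header_checks rules written in Postfix pcre_table(5) syntax and replays constructed headers against them, so a new rule can be vetted for false positives before it goes live and its tag code checked against what the logs would show; the HCP_106a rule and all sample headers are constructed for this illustration.

```python
import re

# Constructed mini header_checks table (Postfix pcre_table(5) syntax). HCP_105
# is the rule posted above; HCP_106a is a hypothetical entry added for contrast.
HEADER_CHECKS = r"""
# Mr/Mrs/Ms/Miss/Dr/etc 419-spam.
/^(?:Subject|From):\s*"?(?:From\s*)?(?:[DM]rs?\.?\b|Ms\.?|Miss|Duke|CEO|Barrister|AGENT|Eng\.|Engineer)/ REJECT HCP_105
# hypothetical: fingerprint of a made-up bulk mailer
/^X-Mailer:\s*ConstructedBulkMailer\b/ REJECT HCP_106a
"""

RULE_LINE = re.compile(r'^/(.*)/\s+(\w+)\s*(\S*)$')

def parse_rules(table):
    """Return [(compiled_regex, action, tag)] for every non-comment line."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line}')
        pattern, action, tag = m.groups()
        # pcre_table(5): the i (case-insensitive) flag is on by default, so mirror it
        # here or the harness under-reports what Postfix would actually reject.
        rules.append((re.compile(pattern, re.IGNORECASE), action, tag))
    return rules

def check_headers(headers, rules):
    """First rule matching any (unfolded) header line decides, as in Postfix.
    Returns (action, tag, header) on a hit, or None when the message passes."""
    for header in headers:
        for regex, action, tag in rules:
            if regex.search(header):
                return action, tag, header
    return None

RULES = parse_rules(HEADER_CHECKS)

# Constructed samples: a 419-style From:, an ordinary message, and a legitimate
# Subject: that also trips HCP_105 (the false-positive case the tag helps find).
SAMPLES = {
    'scam': ['From: Mrs. Constructed Example <x@example.invalid>',
             'Subject: urgent business proposal'],
    'normal': ['From: Jane Example <jane@example.invalid>',
               'Subject: Meeting agenda'],
    'edge': ['From: Jane Example <jane@example.invalid>',
             'Subject: Missed call from the office'],
}
```

Feed `check_headers` the header lines of messages from your own quarantine mbox to see which tag each one would have logged under.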