Suggestions for spam control on a Symbiosis server?


#1

Ahoy there,

Although Bytemark Symbiosis is a fantastic web hosting product it might be argued that Symbiosis is a little weak where email hosting and spam control is concerned. For serious business email I have been forced to employ the ‘bells and whistles’ of hosted exchange due to the lack of spam control on a Symbiosis machine.

More recently I have set the /srv/.spamassassin/user_prefs score to 1 but I’m still receiving messages with illicit headers. Within the Symbiosis Jessie user guide it states - ‘There is no facility to train the SpamAssassin Bayesian learner yet’ which is surely a contributing factor right? As a recent workaround I’ve resorted to the following measures:

  • Blacklisting 5 – 10 rogue (spammy) server IPs (effective but agricultural).

  • Set up SPF and DKIM records.

  • Set up a DNS RBL, which has been fairly successful.
    Email defences; additional DNS RBL

  • Changing email addresses that become spam ridden (only works for a limited period).

Don’t get me wrong Symbiosis is a great product though slightly blighted by the lack of anti-spam rejection capability. It would be nice to see more emphasis within the Symbiosis documentation in terms of the options available for spam regulation. Where to place SpamAssassin customisation/ rules and some working examples would be great!

I’m looking to make SpamAssassin’s spam rejection more effective. Has anyone successfully setup the SpamAssassin Bayesian learner or customised the SpamAssassin config file with any great success?

Additionally I’d be interested to hear ideas from Bytemark users who have been successful in establishing alternative anti-spam measures.

I don’t think it’s a big ask to be able to reject mail with headers such as:

‘Hair loss reversed naturally’

‘Proven Reversing HearingLoss a Technique Finally Revealed’

‘How Betty-White overcame Alzhemiers’

‘Mens Health ! Have sex 5 times this weekend’

‘Stop CELLULITE From Ruining Your Body !’

‘Get Relief from HERPES By this treatment !!’

‘Beauty of Asian.’

‘Treats for Toenail Fungus.’

‘Explore Hair Restoration Solutions.’

All salient thoughts would be most appreciated.

PS I recently found this article: https://blog.cihar.com/archives/2006/05/11/dns_blacklists_in_exim/
Not the panacea and akin to DNS RBL but I wonder if it will work without breaking Symbiosis?

Kind regards Pete Roberts


#2

Hi

I have added additional rules to spamassassin which were based on the spam that was coming through and on the types of business my customers do. For example, none of my customers do business in Brazil, Russia, Hungary, Korea, Ukraine or Romania so I have a rule for these that adds 2.0 to the SpamAssassin score. Vast amounts of spam originate from .xyz so I have a rule for that to add a point or two. I add 3.0 for words in the subject header like sxx or pus$y or an@l

I use Regexes to cover as much as possible. In all I have about 30 extra rules and it really cuts the spam down. Some still gets through but the customers are happy and no one is complaining about emails being binned.

In your case (with the examples shown) I would be looking at regexes like

/\bha[il1]r\s*l[0o][s\$][s\$](?!\w)/i
/(?<!\w)[s\$]exy?\b/i


#3

Hi there,

Tvm for your kind response - sounds good!
By regedits I assume that you mean custom spam assassin rules?

Could you be more specific with your approach ie where do I put the rules/regedits? In the /srv/.spamassassin/user_prefs file perhaps?

Some working examples would also be good or even a copy of your rules as a starting point. Thanks in advance.

Kind regards Pete


#4

Out of interest, do you also have spamhaus active in your setup - http://symbiosis.bytemark.co.uk/docs/symbiosis.html#_using_real_time_blacklists_from_spamhaus


#5

Hi Phil,
Yes I have Spamhaus active within my setup. According to the logs zen.spamhaus.org seems to be blocking most of the spam but I’m also seeing rejections from:

bad.psky.me
truncate.gbudb.net
b.barracudacentral.org

Gem’s post above has real potential - I’m just waiting for a bit more detail.

Kind regards Pete


#6

Hi Everyone

OK - here are some examples from my /etc/spamassassin/local.cf file. These go at the bottom of the file and each rule consists of three parts. Each rule MUST have a unique name to link the three parts and I CAPITALISE my rules and prefix the rules with H_ if they apply to the email header rather than the body.

These tests were developed from an analysis of my customers emails. Simply put, I logged in to the email boxes of the customers who complained the most and looked at the emails that had got through the standard spam filters. Certain patterns soon emerged and my rules were based on what I learned.

An example of a header rule is below. Many spammy emails swap characters in the subject line - 0 for o, $ for s, 4 for A and so on. This rule catches the most common ones I saw and adds 1.0 to the spam score.

score H_EMBEDDED_CHAR 1.0
describe H_EMBEDDED_CHAR Alphabetic word contains unusual characters
header H_EMBEDDED_CHAR Subject =~ /[a-z]+[$#%&5@]{1,2}[a-z.!,?)]/i

So the rule name that links them is H_EMBEDDED_CHAR and this must be unique. No other rule can have this name.
The score H_EMBEDDED_CHAR 1.0 is the amount to add to the spam score.

The describe H_EMBEDDED_CHAR Alphabetic word contains unusual characters gives the message to show in the spam analysis that is added to any email SpamAssassin fails.

The header H_EMBEDDED_CHAR Subject =~ /[a-z]+[$#%&5@]{1,2}[a-z.!,?)]/i contains the REGEX which in this case looks for at least one letter followed by one or two of $ # % & 5 @ then more letters and punctuation.

Below I have added 6 header tests and 4 body tests. I have several dozen like these but these illustrate what can be achieved with a little effort. As a precaution for some of my customers who deal with the NHS and Government I added the following whitelist entries

whitelist_from *@nhs.net
whitelist_from *.nhs.uk
whitelist_from *.gov.uk

As well as whitelist entries for my accounts@ email to ensure that their bills and invoices from me never go into spam :slight_smile:

---- Examples ----

score H_EMBEDDED_CHAR 1.0
describe H_EMBEDDED_CHAR Alphabetic word contains unusual characters
header H_EMBEDDED_CHAR Subject =~ /[a-z]+[\$\#\%&5\@]{1,2}[a-z\.\!\,\?\)]/i

score H_EMBEDDED_ZERO 3.0
describe H_EMBEDDED_ZERO Alphabetic word contains a zero
header H_EMBEDDED_ZERO Subject =~ /[a-z]+[0]{1,2}[a-z\.\!\,\?\)]+/i

score H_XMAILER 2.0
describe H_XMAILER Sent by bulk mailer
header H_XMAILER X-mailer =~ /PHPMailer/

score H_DOMAIN_TYPE_DODGY 2.0
describe H_DOMAIN_TYPE_DODGY From domain type known as probable spam source
header H_DOMAIN_TYPE_DODGY From =~ /\.(xyz|br|ru|ro|rs|cn|hu|lv|id|party|loan|lan|mx|bg|sk|hr)(?=>|\s|$)/i

score H_X_ORIG_SCRIPT 4.0
describe H_X_ORIG_SCRIPT V. High probability of spam
header H_X_ORIG_SCRIPT X-php-originating-script =~ /eval\(\)\'d code/i

score H_GB_HD_PHARMA_1 1.0
describe H_GB_HD_PHARMA_1 Possible pills / pharma spam
header H_GB_HD_PHARMA_1 Subject =~ /m[a4]nh[o0][o0]d/i



score OBSC_1 3.0
describe OBSC_1 Body contains obvious swear word
body OBSC_1 /f[\$\@&\#5%]ck/i

describe ANAL_1 Obvious swear word
score ANAL_1 3.0
body ANAL_1 /(?<!\w)\@anl\b/i

describe ANAL_2 Obvious swear word
score ANAL_2 3.0
body ANAL_2 /\ban\@l\b/i

score XYZ_DOMAINS_BODY 1.0
describe XYZ_DOMAINS_BODY Contains links to .xyz domains
body XYZ_DOMAINS_BODY /\.xyz\b/i

#7

Hi there,

Great job and for what it’s worth your tutorial could do with being included within the Symbiosis documentation.

One last question, do I need to uncomment the /etc/spamassassin/local.cf file for the rules to work?

Kind regards Pete


#8

Hi Pete

Uncomment the file from where? As far as I know Spamassassin should always try and execute local.cf

Why not pick a few spam items that are getting through at present and set up a rule to deal with them and see if they start going into your spambox? When your descriptions show up in the spam analysis then you know it’s working OK. For example, in the analysis below the email WOULD have received a score of 2.2, but my filter GB_SUSPECT_LINK was triggered and pushed the score well over the line:

Content analysis details:   (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [79.96.25.93 listed in bb.barracudacentral.org]
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5263]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.0 GB_SUSPECT_LINK        FULL: Body contains suspect link

And with content like “Hungry and married pretty girl is looking for a man who likes *********” it was definitely spam

Kind regards

Beverley

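The following is an added example, not code from this thread, from Symbiosis or from SpamAssassin itself. It is a small Python evaluator that reads rules written in the local.cf syntax Beverley lays out in #6 (score / describe / header or body lines linked by a unique name), runs them over two constructed messages, and prints the hits in the layout of the “Content analysis details” block in #8, so you can see which rule names and scores add up before touching a live mail server. Rule names and scores are taken from the thread; H_HAIR_LOSS is an assumed name for a corrected version of the hair-loss regex from #2 (the original placed a `\b` between “hair” and “loss”, which can never match), the TLD rule is anchored so that `.id` no longer fires inside `.id.example.org`, and its TLD list is shortened. The messages, addresses and scores in the test are constructed, and only the `/i` flag is supported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rules in local.cf syntax, taken from the thread. H_HAIR_LOSS is a corrected
# form of the #2 regex (its "\b" between "hair" and "loss" could never match),
# the TLD rule is anchored so ".id" does not fire inside ".id.example.org", and
# the TLD list is shortened for the example.
RULES_CF = r"""
score H_EMBEDDED_CHAR 1.0
describe H_EMBEDDED_CHAR Alphabetic word contains unusual characters
header H_EMBEDDED_CHAR Subject =~ /[a-z]+[\$\#\%&5\@]{1,2}[a-z\.\!\,\?\)]/i

score H_HAIR_LOSS 2.0
describe H_HAIR_LOSS Subject mentions hair loss, allowing 1/i and 0/$ swaps
header H_HAIR_LOSS Subject =~ /\bha[il1]r\s*l[0o][s\$][s\$](?!\w)/i

score H_XMAILER 2.0
describe H_XMAILER Sent by bulk mailer
header H_XMAILER X-Mailer =~ /PHPMailer/

score H_DOMAIN_TYPE_DODGY 2.0
describe H_DOMAIN_TYPE_DODGY From domain TLD known as probable spam source
header H_DOMAIN_TYPE_DODGY From =~ /\.(xyz|br|ru|id|party|loan)(?=>|\s|$)/i

score XYZ_DOMAINS_BODY 1.0
describe XYZ_DOMAINS_BODY Contains links to .xyz domains
body XYZ_DOMAINS_BODY /\.xyz\b/i
"""


@dataclass
class Rule:
    name: str
    score: float = 1.0
    describe: str = ""
    kind: str = ""                      # "header" or "body"
    header: Optional[str] = None        # header name for header rules
    regex: Optional[re.Pattern] = None


_LINE = re.compile(r"^(score|describe|header|body)\s+(\S+)\s+(.*)$")
_HEADER = re.compile(r"^(\S+)\s+=~\s+/(.*)/([a-z]*)$")
_BODY = re.compile(r"^/(.*)/([a-z]*)$")


def _compile(pattern: str, flags: str) -> re.Pattern:
    # Only the /i flag appears in the thread; these patterns are valid in both Perl and Python re.
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0)


def parse_rules(cf_text: str) -> Dict[str, Rule]:
    """Collect the score/describe/header|body lines of each rule under its unique name."""
    rules: Dict[str, Rule] = {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised local.cf line: {line}")
        keyword, name, rest = m.groups()
        rule = rules.setdefault(name, Rule(name))
        if keyword == "score":
            rule.score = float(rest)
        elif keyword == "describe":
            rule.describe = rest
        elif keyword == "header":
            hm = _HEADER.match(rest)
            if hm is None:
                raise ValueError(f"bad header rule: {line}")
            rule.kind, rule.header = "header", hm.group(1)
            rule.regex = _compile(hm.group(2), hm.group(3))
        else:
            bm = _BODY.match(rest)
            if bm is None:
                raise ValueError(f"bad body rule: {line}")
            rule.kind, rule.regex = "body", _compile(bm.group(1), bm.group(2))
    return rules


def evaluate(rules: Dict[str, Rule], headers: Dict[str, str], body: str) -> Tuple[float, List[Tuple[float, str, str]]]:
    """Return the total score and (score, name, description) for every rule that hit."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    hits: List[Tuple[float, str, str]] = []
    for rule in rules.values():
        if rule.regex is None:
            continue
        if rule.kind == "header":
            value = lower.get(rule.header.lower())
            matched = value is not None and rule.regex.search(value) is not None
        else:
            matched = rule.regex.search(body) is not None
        if matched:
            hits.append((rule.score, rule.name, rule.describe))
    return round(sum((h[0] for h in hits), 0.0), 1), hits


def report(total: float, hits: List[Tuple[float, str, str]], required: float = 5.0) -> str:
    """Render the hits in the layout of the 'Content analysis details' block in #8."""
    out = [f"Content analysis details:   ({total:.1f} points, {required:.1f} required)", "",
           " pts rule name              description",
           "---- ---------------------- " + "-" * 50]
    out += [f"{s:4.1f} {n:<22} {d}" for s, n, d in hits]
    return "\n".join(out)


# Constructed sample messages (not real mail).
SPAM_HEADERS = {"From": "Promo <deals@cheap-pills.xyz>",
                "Subject": "Ha1r lo$$, reversed naturally",
                "X-Mailer": "PHPMailer 5.2.4"}
SPAM_BODY = "Order today at http://cheap-pills.xyz/order and save 80%"
HAM_HEADERS = {"From": "Ida <ida@brilliant-ideas.id.example.org>",
               "Subject": "Re: party plans for the 10th"}
HAM_BODY = "Draft agenda is at https://files.example.org/proj.xyzzy/notes.txt"

if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    for label, hdrs, body in (("spam", SPAM_HEADERS, SPAM_BODY), ("ham", HAM_HEADERS, HAM_BODY)):
        total, hits = evaluate(rules, hdrs, body)
        print(f"== {label}: {'SPAM' if total >= 5.0 else 'ok'}")
        print(report(total, hits), "\n")
```

The constructed spam message trips five rules for 8.0 points while the ham message, whose From: domain contains `.id.` and whose body contains `.xyzzy`, scores 0.0; with the thread’s unanchored `\.(…|id|…)` and `\.xyz` patterns both would have fired on it. This script only searches raw text, whereas real SpamAssassin runs body rules against the decoded, rendered body, so treat it as a quick regex sanity check and then validate on the server with `spamassassin --lint` (syntax) and `spamassassin -t < message.eml` (full analysis). One further caveat on the whitelist entries in #6: `whitelist_from` trusts the From: header exactly as the sender wrote it, so the `whitelist_from_rcvd` form, which also checks the delivering relay, is the safer choice for domains like nhs.net that spammers are likely to forge.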

#9

Hi,

Based on previously received spam mail I generated some example rules earlier today.

I was simply wondering whether there was any need to uncomment any of the options within the /etc/spamassassin/local.cf file, that’s all - but I guess not.

Thanks once again.

Kind regards Pete


#10

Hi Pete

Sorry - I did not understand what you meant about the commenting. I have looked in my local.cf and everything is commented out except the rules I have added.

I hope that the additional filtering helps

Kind regards

Beverley


#11

Update to this topic - the addition of custom rules to SpamAssassin has been highly successful!


#12

Excellent! I am glad it has worked for you

Kind regards

Beverley


#13

I’ve followed the first part of this and a lot of spam has been caught, but I’m still not sure why some of the supposedly ‘simple’ spam is getting through.

I haven’t yet sorted out adding custom rules to SA, as I tend to add to my local filters once the mail is downloaded (generally small though irritating volume, fast speed, no bandwidth limits), though it’s still bemusing.

I get a lot of spam with pretty much the same visual format - some kind of coloured background, centred text with a link, and then a lot of nonsense text at the end which is probably designed to try to fool filters. And then some weird ASCII ‘emoji’ type of symbols at the end. These seem extremely basic to me and I don’t know why they’re not being picked up by any of the spam filters - they are tagged ‘innocent’ across the board.


#14

Andy,

Assess the type of spam you’re receiving and add some custom rules to SpamAssassin.
You’ll be surprised at the results.

Kind regards Pete


#15

Must admit I’ve got so much on my plate at the moment I’m not sure I need the hassle of learning and then adding rules to SA. :slight_smile: Fortunately now only about 1 or 2 pieces of spam find their way through per day (where it used to be in the multiple tens). Maybe when I invent that extra day per week :slight_smile: