Anti Spam Settings

Use this forum for discussions about SpamAssassin and anti-spam in general.
^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Anti Spam Settings

Post by ^DooM^ » 2009-06-21 20:09

People often ask what anti spam settings I use so I have compiled a list. This list also uses SpamAssassin but also works pretty well without it enabled. These settings will not delete email marked as spam; this only marks potential email, whereupon users can set filters in their clients or ask me to add a rule on the server to remove them. If you want the server to auto remove them, set the delete threshold to around 7.

Antispam->General

Spam Mark Threshold      = 6
Spam Delete Threshold    = 100
Max Message Size to Scan = 1024
All tickboxes selected.

Antispam->Spam Tests

Use SPF            = 1
Check host in HELO = 1
Check DNS MX       = 1
Verify DKIM        = 1

Antispam->SpamAssassin (Optional)

Enabled
Use score from spam assassin (Anything over 6.3 = spam)

Antispam->Tarpitting

Both set to 0

Antispam->DNS Blacklists

zen.spamhaus.org       | 127.0.0.* | Rejected by http://www.spamhaus.org/zen/ | Score = 5
dnsbl.njabl.org        | 127.0.0.* | Rejected by njabl.org                    | Score = 1
psbl.surriel.com       | 127.0.0.* | Rejected by surriel.com                  | Score = 1
virbl.dnsbl.bit.nl     | 127.0.0.* | Rejected by virbl.bit.nl                 | Score = 1
b.barracudacentral.org | 127.0.0.* | Rejected by barracuda                    | Score = 2

Antispam->SURBL Servers

multi.surbl.org | Rejected by SURBL | Score = 1

Antispam->Greylisting

Minutes to Defer      = 7
Days to remove unused = 2
Days to remove used   = 72

Again these are the settings I use. They may not work for everyone but I have found they work really well in all the setups I have implemented.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Keba
Normal user
Normal user
Posts: 126
Joined: 2009-04-11 11:43

Re: Anti Spam Settings

Post by Keba » 2009-06-21 20:50

Excellent post - what do you do on AV though?
Keba

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2009-06-21 22:15

I currently use Clam AV Version 0.92. I am in 2 minds whether to try to upgrade to latest build and see if I can sort the issues out or go with a NIX version or perhaps try something new so I am open to suggestions on that one :)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

boogieman
New user
New user
Posts: 10
Joined: 2009-05-21 13:03

Re: Anti Spam Settings

Post by boogieman » 2009-06-23 16:09

looks good!
i will give it a try :)

thanks!

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: Anti Spam Settings

Post by sheffters » 2009-08-03 14:43

^DooM^ wrote:I currently use Clam AV Version 0.92. I am in 2 minds whether to try to upgrade to latest build and see if I can sort the issues out or go with a NIX version or perhaps try something new so I am open to suggestions on that one :)

I'm on 0.95.2 ... no problems with it, although it doesn't catch everything - Norton's fired a couple of times with AV alerts when I've downloaded mail, although that primarily seems to be human readable scripts from a security mailing list rather than anything 'hidden' in an exe. Clam AV picks up ~3-4 day viruses that it deals with ok.

S.

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2009-08-03 17:04

That running on a windows or a nix box?
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: Anti Spam Settings

Post by sheffters » 2009-08-03 20:14

Win Server 2003

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2009-08-03 23:41

Ok thanks pal, I'll upgrade when I get a chance.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti Spam Settings

Post by mattg » 2009-08-04 01:51

I've been on CLAM version at least 5.1 since May, currently on 5.2, on my server 2003 install.

I have used the one recommended in this thread - http://www.hmailserver.com/forum/viewto ... 12&t=13699
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

morcock
New user
New user
Posts: 11
Joined: 2009-12-09 14:43

Re: Anti Spam Settings

Post by morcock » 2010-01-01 13:03

Good post. Thanks a lot.

¡¡¡Happy New Year 2010!!!

rocknolds
New user
New user
Posts: 26
Joined: 2009-11-27 13:03

Re: Anti Spam Settings

Post by rocknolds » 2010-01-03 12:45

hello doom, sorry for quoting your long notes below but could you please tell us how to test if these settings are functioning in my HMS box? many thanks
Last edited by ^DooM^ on 2010-02-06 14:23, edited 1 time in total.
Reason: removed giant quote

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2010-01-03 17:28

If your daily spam has decreased I would assume they are working. Also checking the headers on the email will tell you.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

aliinal
New user
New user
Posts: 18
Joined: 2009-03-20 10:22

Re: Anti Spam Settings

Post by aliinal » 2010-02-06 13:00

Thanks Doom,

One more post from you again that is very useful.

Best,
Ali

bagu
Normal user
Posts: 187
Joined: 2005-06-17 03:08
Location: France

Re: Anti Spam Settings

Post by bagu » 2010-02-08 18:33

Just a question: why do you disable tarpitting?

It will be useful to prevent spam, no?
hMailServer 5.6.8 With SpamAssassin 3.4.1

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2010-02-08 23:08

Not really, and Martin is even thinking of removing it. In my tests it did absolutely nothing to help fight spam. The spam emails still came in; they just took a bit longer to get through.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bagu
Normal user
Posts: 187
Joined: 2005-06-17 03:08
Location: France

Re: Anti Spam Settings

Post by bagu » 2010-02-09 04:01

After posting, I read many docs, and you're right...
even if tarpitting is useful to prevent ddos attack in firewall, it's just a way to get more than one connection to your mailserver for only one mail (spam or not)... so, it's a good idea to remove it.
hMailServer 5.6.8 With SpamAssassin 3.4.1

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 12:50

^DooM^ wrote:
Antispam->DNS Blacklists


zen.spamhaus.org       | 127.0.0.* | Rejected by http://www.spamhaus.org/zen/ | Score = 5
dnsbl.njabl.org        | 127.0.0.* | Rejected by njabl.org                    | Score = 1
psbl.surriel.com       | 127.0.0.* | Rejected by surriel.com                  | Score = 1
virbl.dnsbl.bit.nl     | 127.0.0.* | Rejected by virbl.bit.nl                 | Score = 1
b.barracudacentral.org | 127.0.0.* | Rejected by barracuda                    | Score = 2
Antispam->SURBL Servers


multi.surbl.org | Rejected by SURBL | Score = 1

As for the DNSBLs I'd add "ix.dnsbl.manitu.net" and "combined.njabl.org" while removing "dnsbl.njabl.org" to avoid overlapping; I'd also replace the barracuda "b" list with the "bb.barracudacentral.org" and add "bl.spamcop.net" (before any comment; spamcop wasn't reliable in the past but they heavily changed their listing policies and checks and I've used that list for quite a while now without side effects) - as for virbl; not bad, but in my experience gets really few hits and in general those emails are blocked by the ClamAV scanner; at any rate, if you want to add some lists to reject bots/worms/abusers and the like, you may give these

httpbl.abuse.ch
drone.abuse.ch
dnsbl.dronebl.org
torexit.dan.me.uk
bogons.cymru.com

a spin; as for the URIBLs, I think that adding "dbl.spamhaus.org" and "black.uribl.com" won't hurt; in particular, the spamhaus DBL helps cutting off the so called "snowshoe" spamruns

for further info about the above lists, please have a look at their websites

HTH

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2010-07-28 13:08

I'll give those new lists a try although I still refuse to use spamcop regardless of if they have "changed" ;)

I am also already using the spamhaus URI check, just not updated my list since I wrote it but handy for others, cheers!
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 14:28

^DooM^ wrote:I'll give those new lists a try although I still refuse to use spamcop regardless of if they have "changed" ;)
Up to you; all I can say is that I was one of the (many) folks refusing to use "spamcop" due to a number of reasons; then, time ago, I stumbled upon some discussions related to spamcop and, reading those and other infos (some are available on the spamcop site) it seemed like spamcop changed its mind, so... I decided to give the list another try and... well... I'm STILL using it; so, at least, give it a spin, set it up in "minimal score" mode and then check it by yourself; again, I'm no "spamcop" fan, but I can see they did improve and are trying hard to keep improving
^DooM^ wrote:I am also already using the spamhaus URI check, just not updated my list since i wrote it but handy for others, cheers!
No problem at all; mine was just a note about something one may want to experiment

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 14:46

ObiWan wrote: ...
ix.dnsbl.manitu.net
combined.njabl.org
bb.barracudacentral.org
bl.spamcop.net
...
httpbl.abuse.ch
drone.abuse.ch
dnsbl.dronebl.org
torexit.dan.me.uk
bogons.cymru.com
...
dbl.spamhaus.org
black.uribl.com
...

for further infos about the above lists, please have a look a their websites
As for web sites...

DNSBL

http://www.dnsbl.manitu.net/

http://www.njabl.org/use.html

http://www.barracudacentral.org/reputation

http://www.spamcop.net/bl.shtml

http://dnsbl.abuse.ch/faq.php

http://www.dronebl.org/

https://www.dan.me.uk/dnsbl

http://www.team-cymru.org/Services/Bogons/dns.html

URIBL (yeah, that's the right name for those)

http://www.spamhaus.org/dbl/

http://www.uribl.com/

HTH :)

mustang
New user
New user
Posts: 11
Joined: 2006-11-08 09:28

Re: Anti Spam Settings

Post by mustang » 2010-07-28 15:09

Very nice guide, missed some settings..

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 15:20

^DooM^ wrote:I am also already using the spamhaus URI check, just not updated my list since i wrote it but handy for others, cheers!
Forgot, you suggest to use 100 for the "delete threshold" but you then use scores like 1, 2 or 5; this means that, in case a given incoming session hits one of the blacklists (or an email hits an URIBL) the message won't be rejected but just "scored" ... now, while such a thing may be ok for some "aggressive" lists, I think that conservative/trusted ones (like "zen") should cause a straight reject (so in your case, have a score of 101) - am I missing something here or are you really letting such messages in and letting your server process them wasting resources ?

As a note, in case you would like to experiment, here's a proposal


100 zen.spamhaus.org
100 bb.barracudacentral.org
100 ix.dnsbl.manitu.net
100 bl.spamcop.net
100 combined.njabl.org
100 v4.fullbogons.cymru.com
 50 psbl.surriel.com
 50 db.wpbl.info
 50 httpbl.abuse.ch
 50 dnsbl.dronebl.org
 50 dnsbl-1.uceprotect.net
 50 virbl.dnsbl.bit.nl
 50 drone.abuse.ch
 50 torexit.dan.me.uk
 35 dul.dnsbl.sorbs.net
 35 bl.spamcannibal.org
 35 dnsbl-2.uceprotect.net
 35 blackholes.five-ten-sg.com
 25 dnsbl-3.uceprotect.net
 20 dnsbl-0.uceprotect.net
the first column is the DNSBL "score" (assuming the "delete" score is 100); if you feel brave enough, give the above a spin, maybe you'll have some surprise ... even if some of the lists shown above will look like "don't use"; see, in the case of aggressive lists, it's just a matter of using them for scoring only and tuning the score as needed; again, try the above, I think you may be surprised ;)

Note: you should set your "spamtag" score to (say) 10 and tune the other filters as needed
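
Added example (not written by any poster and not hMailServer code): how per-list DNSBL scores add up against the mark and delete thresholds, comparing the first post's table with a subset of the proposal above. The resolver answers are constructed, the sample IPs are documentation addresses, and treating a score at or above a threshold as triggering it is an assumption.

```python
import fnmatch
import ipaddress
import socket

# Profile A: DNS Blacklists table and thresholds from the first post.
MARK_ONLY = {
    "mark": 6, "delete": 100,
    "lists": [  # (zone, expected result pattern, score)
        ("zen.spamhaus.org", "127.0.0.*", 5),
        ("dnsbl.njabl.org", "127.0.0.*", 1),
        ("psbl.surriel.com", "127.0.0.*", 1),
        ("virbl.dnsbl.bit.nl", "127.0.0.*", 1),
        ("b.barracudacentral.org", "127.0.0.*", 2),
    ],
}

# Profile B: subset of the proposal in this post ("spamtag" 10, delete 100).
# The 127.0.0.* pattern is carried over from profile A as an assumption.
SCORE_AND_REJECT = {
    "mark": 10, "delete": 100,
    "lists": [
        ("zen.spamhaus.org", "127.0.0.*", 100),
        ("bb.barracudacentral.org", "127.0.0.*", 100),
        ("psbl.surriel.com", "127.0.0.*", 50),
        ("dnsbl-2.uceprotect.net", "127.0.0.*", 35),
        ("dnsbl-3.uceprotect.net", "127.0.0.*", 25),
    ],
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets + '.' + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name):
    """Real A lookup; None means NXDOMAIN, i.e. not listed.
    Returns only the first A record, which is enough for a spot check."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def evaluate(ip, profile, resolve=live_resolve):
    """Sum the scores of every list whose answer matches its pattern and
    map the total to deliver / mark / delete."""
    total, reasons = 0, []
    for zone, pattern, points in profile["lists"]:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only answers matching the configured pattern count as a listing.
        if answer is not None and fnmatch.fnmatchcase(answer, pattern):
            total += points
            reasons.append((zone, answer, points))
    if total >= profile["delete"]:
        action = "delete"
    elif total >= profile["mark"]:
        action = "mark"
    else:
        action = "deliver"
    return total, action, reasons


# Constructed DNS answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    # Listed on a conservative list and on one scoring list.
    "45.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "45.2.0.192.psbl.surriel.com": "127.0.0.2",
    # Listed only on an aggressive list.
    "7.100.51.198.dnsbl-2.uceprotect.net": "127.0.0.2",
    # A 127.255.255.x answer, which Spamhaus uses to signal a query
    # problem rather than a listing; 127.0.0.* must not match it.
    "9.113.0.203.zen.spamhaus.org": "127.255.255.254",
}
constructed_resolve = CONSTRUCTED_ANSWERS.get

if __name__ == "__main__":
    for ip in ("192.0.2.45", "198.51.100.7", "203.0.113.9"):
        for label, profile in (("first post", MARK_ONLY),
                               ("proposal", SCORE_AND_REJECT)):
            total, action, _ = evaluate(ip, profile, constructed_resolve)
            print(f"{ip:14} {label:10} score={total:3} -> {action}")
```

RFC 5782 requires IPv4 DNSBLs to list 127.0.0.2 as a test entry, so `live_resolve(dnsbl_query_name("127.0.0.2", zone))` is a quick check that the mail server's resolver can reach a list at all.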

mustang
New user
New user
Posts: 11
Joined: 2006-11-08 09:28

Re: Anti Spam Settings

Post by mustang » 2010-07-28 15:47

ObiWan wrote:
^DooM^ wrote:I am also already using the spamhaus URI check, just not updated my list since i wrote it but handy for others, cheers!
Forgot, you suggest to use 100 for the "delete threshold" but you then use scores like 1, 2 or 5; this means that, in case a given incoming session hits one of the blacklists (or an email hits an URIBL) the message won't be rejected but just "scored" ... now, while such a thing may be ok for some "aggressive" lists, I think that conservative/trusted ones (like "zen") should cause a straight reject (so in your case, have a score of 101) - am I missing something here or are you really letting such messages in and letting your server process them wasting resources ?

As a note, in case you would like to experiment, here's a proposal


100 zen.spamhaus.org
100 bb.barracudacentral.org
100 ix.dnsbl.manitu.net
100 bl.spamcop.net
100 combined.njabl.org
100 v4.fullbogons.cymru.com
 50 psbl.surriel.com
 50 db.wpbl.info
 50 httpbl.abuse.ch
 50 dnsbl.dronebl.org
 50 dnsbl-1.uceprotect.net
 50 virbl.dnsbl.bit.nl
 50 drone.abuse.ch
 50 torexit.dan.me.uk
 35 dul.dnsbl.sorbs.net
 35 bl.spamcannibal.org
 35 dnsbl-2.uceprotect.net
 35 blackholes.five-ten-sg.com
 25 dnsbl-3.uceprotect.net
 20 dnsbl-0.uceprotect.net
the first column is the DNSBL "score" (assuming the "delete" score is 100); if you feel brave enough, give the above a spin, maybe you'll have some surprise ... even if some of the lists shown above will look like "don't use"; see, in the case of aggressive lists, it's just a matter of using them for scoring only and tuning the score as needed; again, try the above, I think you may be surprised ;)

Note: you should set your "spamtag" score to (say) 10 and tune the other filters as needed
With so many dnsbl, is your mailserver not long busy with retrieving information?

Bill48105
Developer
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Anti Spam Settings

Post by Bill48105 » 2010-07-28 16:08

mustang wrote:With so many dnsbl, is your mailserver not long busy with retrieving information?
I was thinking the same thing.. Unless it's a repeat connection (and cached) one would think it'd take forever to do all those lookups even on local DNS server, especially with hard-coded lookup timeouts in hmail..

ObiWan, you got log timestamps from start & finish of those lookups on fresh connection to share? :D
Thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 16:11

Bill48105 wrote: ObiWan, you got log timestamps from start & finish of those lookups on fresh connection to share? :D
I may extract them if you want; but in general there's no slowdown at all (and some of my boxes are quite... busy); the local DNS setup and caching help quite a lot, then, as I wrote, those lists are usually pretty fast to answer and, even in case they'd become slow, it won't be a problem at all

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 16:15

ObiWan wrote: I may extract them if you want; but in general there's no slowdown at all (and some of my boxes are quite... busy); the local DNS setup and caching help quite a lot, then, as I wrote, those lists are usually pretty fast to answer and, even in case they'd become slow, it won't be a problem at all
As a note; if you're running hMail on a server class OS (e.g. win2k3) you may just setup the DNS server, otherwise (or if you don't want to use the built in DNS) you may just install unbound, sure, you'll then need to fiddle with the setup but it works quite well too

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2010-07-28 17:09

ObiWan wrote:Forgot, you suggest to use 100 for the "delete threshold" but you then use scores like 1, 2 or 5; this means that, in case a given incoming session hits one of the blacklists (or an email hits an URIBL) the message won't be rejected but just "scored" ... now, while such a thing may be ok for some "aggressive" lists, I think that conservative/trusted ones (like "zen") should cause a straight reject (so in your case, have a score of 101) - am I missing something here or are you really letting such messages in and letting your server process them wasting resources ?
Shame on you for not reading ;)
^DooM^ wrote:These settings will not delete email marked as spam this only marks potential email where upon users can set filters in their clients or ask me to add a rule on the server to remove them. If you want the server to auto remove them set the delete threshold to around 7.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-28 18:44

^DooM^ wrote: Shame on you for not reading ;)
ARGH !!

Ok, got it, sorry... it's just that, when it comes to "conservative" DNSBL hits I tend
to go for "reject" to both spare server resources and avoid "junk" hitting the users'
mailboxes, by the way that's not a general rule, if you want to just "tag" then that's
up to you :)

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2010-07-28 21:57

Unfortunately hmail is not currently capable of per domain dnsbl rejections so this is the next best thing. It does use up extra resources but so far I can live with it :)
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Re: Anti Spam Settings

Post by tBB » 2010-07-28 22:09

ObiWan wrote: 35 dnsbl-2.uceprotect.net
25 dnsbl-3.uceprotect.net
20 dnsbl-0.uceprotect.net
Ugh, UCEProtect. Well, of course it's up to you but personally I wouldn't recommend this RBL. Their page is full of dubious claims, dumb advises, grammatical errors (even in German which is their native language) and sentences of which some would most probably qualify as blackmailing in some countries. By no means I would use their service in a production environment. But that's just my 0.02 EUR :)

Best regards,

Nico

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-29 16:25

^DooM^ wrote:unfortunately hmail is not currently capable of per domain dnsbl rejections so this is the next best thing. It does use up extra resources but so far I can live with it :)
uh... "per domain" ?!? That isn't what I meant; the idea is to set "trusted" DNSBL scores to "reject" and "aggressive/untrusted" ones to "score" (by using high scores for the first one and relatively low ones for the others); and I don't think that a "per domain" check would be of much use, spoofing senders domains is easy, especially if the sender doesn't publish an SPF record, so, again, I don't think that would be a good idea

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-29 16:29

tBB wrote:
ObiWan wrote: 35 dnsbl-2.uceprotect.net
25 dnsbl-3.uceprotect.net
20 dnsbl-0.uceprotect.net
Ugh, UCEProtect. Well, of course it's up to you but personally I wouldn't recommend this RBL. Their page is full of dubious claims, dumb advises, grammatical errors (even in German which is their native language) and sentences of which some would most probably qualify as blackmailing in some countries. By no means I would use their service in a production environment. But that's just my 0.02 EUR :)
Nico, if you reread my post you'll see that, by using values of 35...20 I'm just using those
lists for "scoring" and not to reject emails; that's the ONLY way to use them :) I agree about
the fact that they are uber-aggressive, on the other hand, they often list "fresh sources"
of spam/junk, so, using them in scoring mode may (and will) help keeping the junk out of
your mailboxes... but I would NEVER use them to straight reject a connection :)

OT: since there's a discussion about integrating ClamD scanning into hMail... may it be
possible to turn the "clamdscan" into a standard DLL ? Such a thing would mean being
able to call whatever functions exported to such a DLL to scan a message and that in
turn would both avoid the need to build a ClamD "client" inside hMail and allow to keep
the scanning interface up-to-date in case the ClamD interface would change again :)

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Re: Anti Spam Settings

Post by tBB » 2010-07-29 17:45

ObiWan wrote:I'm just using those lists for "scoring" and not to reject emails; that's the ONLY way to use them :)
I've noticed how you're using them, I just don't recommend using projects with a IMO very questionable reputation such as UCEProtect or AHBL at all.
ObiWan wrote:OT: since there's a discussion about integrating ClamD scanning into hMail... may it be
possible to turn the "clamdscan" into a standard DLL ?
Writing a simple streaming client as dll would be certainly possible and I like the plugin idea too but IMO it wouldn't make much sense as long as there is no real plugin API and all other parts of the anti-spam/virus process are hardcoded. Also ClamD's TCP protocol is not going to change in the foreseeable future (and even if it does, with hMS being open source this shouldn't be much of a problem).

Best regards,

Nico

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2010-07-30 03:41

ObiWan wrote:
^DooM^ wrote:unfortunately hmail is not currently capable of per domain dnsbl rejections so this is the next best thing. It does use up extra resources but so far I can live with it :)
uh... "per domain" ?!? That isn't what I meant; the idea is to set "trusted" DNSBL scores to "reject" and "aggressive/untrusted" ones to "score" (by using high scores for the first one and relatively low ones for the others); and I don't think that a "per domain" check would be of much use, spoofing senders domains is easy, especially if the sender doesn't publish an SPF record, so, again, I don't think that would be a good idea
You totally missed the point of my post. I can't reject with DNS for specific domains and allow others to be only marked, so with the lack of that ability I am left with the only other option and that is to mark all messages and delete marked emails for the domains that would prefer to not receive spam and trust the DNSBL's
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

ObiWan
Senior user
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2010-07-30 08:56

^DooM^ wrote:
ObiWan wrote:
^DooM^ wrote:unfortunately hmail is not currently capable of per domain dnsbl rejections so this is the next best thing. It does use up extra resources but so far I can live with it :)
uh... "per domain" ?!? That isn't what I meant; the idea is to set "trusted" DNSBL scores to "reject" and "aggressive/untrusted" ones to "score" (by using high scores for the first one and relatively low ones for the others); and I don't think that a "per domain" check would be of much use, spoofing senders domains is easy, especially if the sender doesn't publish an SPF record, so, again, I don't think that would be a good idea
You totally missed the point of my post. I cant reject with DNS for specific domains and allow others to be only marked so with the lack of that ability I am left with the only other option and that is to mark all messages and delete marked emails for the domains that would prefer to not receive spam and trust the DNSBL's
Uhm... now I see; you are referring to the lack of a function to allow certain "local" (to hMail) domains to only tag spam and others to reject it... yet I think this isn't a good idea; at least not on a domain basis; it would be a better idea implementing it on mailbox basis and then allowing to setup wildcards, this would allow much more flexibility since you may either list (say) "foo@example.com" and "bar@example.com" so that those mailbox will just "tag" spam or you may list "*@example.com" and have the whole domain using the tagging; such a feature would be particularly useful for some mailboxes for which you want to receive all mail, like, for example "abuse" or "postmaster" although it should be implemented with a bit of care, see, some filters (like DNSBLs/URIBLs/SPF...) may just be used for tagging in such a case, but others checks (like AV scanning) should still result in a straight reject

Khurram
Normal user
Normal user
Posts: 38
Joined: 2007-12-02 09:21

Re: Anti Spam Settings

Post by Khurram » 2011-04-07 10:08

^DooM^ wrote:People often ask what anti spam settings I use so I have compiled a list. This list also uses SpamAssassin but also works pretty well without it enabled. These settings will not delete email marked as spam this only marks potential email where upon users can set filters in their clients or ask me to add a rule on the server to remove them. If you want the server to auto remove them set the delete threshold to around 7.

........

Again these are the settings I use. They may not work for everyone but I have found they work really well in all the setups I have implemented.
Sorry to resurrect the old thread. I just got started with SpamAssassin on hMailServer. I have followed DooM's settings and have trained the bayes filter with spam/ham email. It is working fine except for 1 thing: it is scanning outbound mail also. How can I tell it to stop spam checking for outbound mail?

Thanks.

Edit:

Found the answer while looking for something else. Look at this http://www.hmailserver.com/documentatio ... ce_iprange, define an ip range for your network and remove check for anti-spam for this ip range.

urmel
New user
New user
Posts: 2
Joined: 2011-09-28 18:32

Re: Anti Spam Settings

Post by urmel » 2011-09-28 19:49

Hi,

I've enabled anti-spam with ^DooM^'s example settings. Sending and receiving mails are working fine but I can't see that the anti-spam settings are working. I never get an entry in the log or an additional header in the message file. How can I test the settings?

I'm using hMailServer 5.3.3-B1879 on Windows XP.

Thank you

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2011-09-28 22:26

Perhaps you just haven't gotten any spam yet?
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

urmel
New user
New user
Posts: 2
Joined: 2011-09-28 18:32

Re: Anti Spam Settings

Post by urmel » 2011-10-04 08:01

Hello,
Perhaps you just haven't gotten any spam yet?
@^DooM^
Yes, you're right. Yesterday I got spam and it works very fine.

Thank you

urmel

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-18 12:31

I am also using DooM's spam setting, although a bit more aggressively, but continue to get 100 or more spam messages a day.

I am using the VBS script below as well. Below that is a header with the word [SPAM] in it. I have no clue where that is coming from because I stopped using SA on a CentOS system (thinking that is where the [SPAM] was coming from).
I turned off all references to insert SPAM into the subject block.
How can I create a rule to delete anything that has spam in the subject block? I tried; it doesn't work for some reason.
100 to 150 spam emails a day is unacceptable.
Below are pics of my settings
Image
Image
I also know I am being very aggressive but I don't know of any way to stop it.
My backup mail server has the same settings (but is running Windows Server 2008) and it just rejects everything.


HELP PLEASE


(Script)

' Geo-IP filter on connect. Result.Value = 1 rejects the connection,
' Result.Value = 0 accepts it. The default is to reject.
Sub OnClientConnect(oClient)
   Dim geoip
   Result.Value = 1
   Set geoip = CreateObject("GeoIPCOMEx.GeoIPEx")
   geoip.set_db_path("c:\Program files\hmailserver\geoip\")
   geoip.find_by_addr(oClient.IPAddress)
   country = geoip.country_code

   If (country = "LH") Then
      Result.Value = 0
   End If
   If (country = "LN") Then
      Result.Value = 0
   End If
   If (country = "NL") Then
      Result.Value = 1
   End If
   If (country = "US") Then
      Result.Value = 0
   End If
   If (country = "SE") Then
      Result.Value = 0
   End If
   If (country = "CA") Then
      Result.Value = 0
   End If

   If (Result.Value = 1) Then ' Rejected
      EventLog.Write("Geo-IP rejected:"+Chr(34)+vbTab+oClient.IPAddress+vbTab+Chr(34)+geoip.country_code+" "+geoip.country_name)
   End If
End Sub

' Unused event handlers, left commented out.
' Sub OnDeliveryStart(oMessage)
' End Sub

' Sub OnDeliverMessage(oMessage)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

' Authenticated users may only send from their own address.
Sub OnAcceptMessage(oClient, oMessage)
   If oClient.Username <> "" Then
      If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
         Result.Value = 2
         Result.Message = "You are only allowed to send from your own account"
      End If
   End If
End Sub

(End of eventhandler script)


Spam email header

X-Vipre-Scanned: 00324C4C00318A00324D99-TDI
Return-Path: b1.DirectCashSource.0-125639ad-797e.rsegroup.com.-BESCHER@mx2.superbcashcentral.com
Delivered-To: BESCHER@rsegroup.com
Received: from mx2.superbcashcentral.com ([67.218.229.23])
by pop.rsegroup.com
; Sat, 18 Aug 2012 05:05:24 -0500
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=v1; d=superbcashcentral.com;
b=cToTPwwH1D/L9Ptl9BPr1dmWyzfJF7kSsbr28SzVIs/jCzTAXHu1FYQUKJviyPc9T+luDcKkUeEV3n8bbhmBOJ9+OPlupfoQ4HZqc5H8tJfX6/6hkUGx25/ciATTp/9Q;
Received: (from daemon@localhost)
by mx2.superbcashcentral.com (8.14.5/8.14.5) id q7IA0eZi043113;
Sat, 18 Aug 2012 06:00:40 -0400 (EDT)
Date: Sat, 18 Aug 2012 06:03:41 -0400 (EDT)
Message-Id: <201208181000.q7IA0eZi043113@mx2.superbcashcentral.com>
From: Pending Deposit <DirectCashSource@mx2.superbcashcentral.com>
To: <BESCHER@rsegroup.com>
List-Unsubscribe: <http://mx2.superbcashcentral.com/remove ... -BESCHER?r>, <mailto:r.DirectCashSource.0-125639ad-797e.rsegroup.com.-BESCHER@mx2.superbcashcentral.com?subject=remove>
Subject: [SPAM] Complete your deposit form here
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti Spam Settings

Post by mattg » 2012-08-18 15:50

Have you enabled greylisting?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-21 13:01

Yes Matt. I may not know scripting and programming and I may not understand all the settings
in Hmail (such as ip ranges and how do they work exactly) but everything else yes I do know

My secondary has been blocking just about every country under the sun. I have in the primary server almost every country blocked (according to the logs) and still over 150 spam messages a day
I would be more than happy (after 12 years of doing this) to have someone look at my servers and tell me what's going on
Appreciate all yours and Doom's as well as Martin's hard work. Or I am still on 5.4.b1931

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti Spam Settings

Post by mattg » 2012-08-21 13:52

We might check in the IP ranges, also in the domain settings you can individually turn greylisting on / off
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-21 15:53

I have greylisting turned on for all domains (not many anymore) and they are still coming
between my last post and this one 45 spam messages to me alone and another 50 to my Mother (she just called me to let me know)

It's just a sudden things started happening about 2 months ago

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Anti Spam Settings

Post by percepts » 2012-08-21 16:27

are they all coming from the same IP?
are they all coming from the same domain name?
have you switched OFF catchall on all your domains?
are they all being sent to exactly the same email addresses each time?

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-21 20:11

the answers in your order are
1. NO
2. No
3. Where is catchall (I don't have a postmaster account on all domains)
4. No


I implemented a domain blocking event, works good except for blocking the domain I have listed in my blacklist.txt
it blocks all local domains
Below is the vbs file, what is wrong with it? Should it be 0 instead of 1 for when it checks the file?
Thanks

Sub OnClientConnect(oClient)
Dim geoip
Result.Value =1
set geoip = CreateObject("GeoIPCOMEx.GeoIPEx")
geoip.set_db_path("c:\Program files\hmailserver\geoip\")
geoip.find_by_addr(oClient.IPAddress)
country = geoip.country_code

If (country = "LH" ) Then
Result.Value = 0
End if
If (country = "LN" ) Then
Result.Value = 0
End if
If (country = "GB" ) Then
Result.Value = 0
End if
If (country = "US" ) Then
Result.Value = 0
End if
If (country = "SE" ) Then
Result.Value = 0
End if
If (country = "DE" ) Then
Result.Value = 0
End if
If (country = "CA" ) Then
Result.Value = 0
End if
If (Result.Value = 1 ) Then ' Rejected
EventLog.Write("Geo-IP rejected:"+Chr(34)+vbTab+oClient.IPAddress+vbTab+Chr(34) +geoip.country_code+" "+geoip.country_name)
End if
End Sub


' Sub OnAcceptMessage(oClient, oMessage)


' End Sub

' Sub OnDeliveryStart(oMessage)
' End Sub

' Sub OnDeliverMessage(oMessage)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

' Sub OnAcceptMessage(oClient, oMessage)
' End Sub

' Sub OnDeliverMessage(oMessage)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

Sub OnAcceptMessage(oClient, oMessage)
Dim FSO,txtfile,strtxt
If oMessage.FromAddress<>"" Then
set FSO=CreateObject("Scripting.FileSystemObject")
Set txtfile = FSO.OpenTextFile("C:\Program Files\hMailServer\Events\Blacklist.txt",1,TriStateTrue)
Do Until txtfile.AtEndOfStream
strtxt = Trim(txtfile.ReadLine)
If (InStr(1,oMessage.FromAddress,strtxt,1)>0) Then
Result.Value = 2
Result.Message ="Your domain is in the local blacklist,server rejected!"
End if
Loop
txtfile.Close
End if
End Sub
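
Added example, not part of bescher's post and not hMailServer's own code: in the handler above, a blank line in Blacklist.txt makes every sender match, because InStr returns the start position when the search string is empty, and the substring test also lets a listed "a.com" match "banana.com". The variant below skips empty entries and compares only the domain after the "@"; the helper names SenderDomain and IsBlacklisted are hypothetical, and it assumes Blacklist.txt holds one domain per line.

```vbscript
' Path taken from the post above; ForReading = 1 is the FileSystemObject iomode.
Const BLACKLIST_PATH = "C:\Program Files\hMailServer\Events\Blacklist.txt"
Const ForReading = 1

' Hypothetical helper: lower-cased domain part of an address, "" if there is no "@".
Function SenderDomain(sAddress)
    Dim iAt
    iAt = InStrRev(sAddress, "@")
    If iAt = 0 Then
        SenderDomain = ""
    Else
        SenderDomain = LCase(Trim(Mid(sAddress, iAt + 1)))
    End If
End Function

' Hypothetical helper: True when sDomain equals a listed domain or is a subdomain of one.
Function IsBlacklisted(sDomain, sPath)
    Dim oFSO, oFile, sEntry
    IsBlacklisted = False
    If sDomain = "" Then Exit Function
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    If Not oFSO.FileExists(sPath) Then Exit Function
    Set oFile = oFSO.OpenTextFile(sPath, ForReading)
    Do Until oFile.AtEndOfStream
        sEntry = LCase(Trim(oFile.ReadLine))
        ' Skip blank lines: an empty entry would otherwise match every sender.
        If sEntry <> "" Then
            ' Compare on a label boundary so "example.com" matches
            ' "example.com" and "mx2.example.com" but not "badexample.com".
            If Right("." & sDomain, Len(sEntry) + 1) = "." & sEntry Then
                IsBlacklisted = True
                Exit Do
            End If
        End If
    Loop
    oFile.Close
End Function

Sub OnAcceptMessage(oClient, oMessage)
    ' Result.Value = 2 and Result.Message are used as in the post above.
    If IsBlacklisted(SenderDomain(oMessage.FromAddress), BLACKLIST_PATH) Then
        Result.Value = 2
        Result.Message = "Your domain is in the local blacklist, server rejected!"
    End If
End Sub
```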

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Anti Spam Settings

Post by percepts » 2012-08-21 20:43

The code you posted in last message looks OK to me.

Look at one of the spam message headers and find the sender's IP number.

then go to the following page and put the IP number. You will be able to see which country it is coming from.

http://whatismyipaddress.com/ip

if it's coming from a country which you have set the return code to zero then it won't be blocked cos it's a valid country.

catchall is found in your hmail admin panel.
click on domains / your domain name / advanced
if you have a catchall email address set in there then remove the entry in the catchall so it's blank and save it.

catchall email addresses are a PITA and totally unnecessary. The only people they help are spammers.

report back on above and what you found.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Anti Spam Settings

Post by percepts » 2012-08-21 20:57

And while you are looking at the catchall check to see if you have enabled greylisting for each individual domain which is on the same panel as the catchall

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-21 22:40

No Catchalls, enabled greylisting on all domains
but why would that code not allow senders (local) to send a message
and say it's a 554 and it's blacklisted locally


Thanks

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-21 22:43

Also if I have a rule that says if a from field *.*.info for example has a search type "wildcard" and then to tell it to delete it
why isn't it

Thanks

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Anti Spam Settings

Post by percepts » 2012-08-21 22:48

I have no idea

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2012-08-21 23:03

rules match the SMTP Envelope FROM not the header in the email FROM (They can and often are different). Check SMTP logs to see what FROM address they sent as.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-22 14:59

Hi Doom
I have done that. Everything I have done I am still getting 25 to 30 spam messages an hour
I do know of one other account that is receiving as much.
I am at a loss and losing customers
Any more ideas. I have been doing this for years and this is the first time I have had this issue

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Anti Spam Settings

Post by ^DooM^ » 2012-08-22 16:01

Install Spam Assassin would be my recommendation. Also check to make sure you have auth ticked on local to local in your internet ip range.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Anti Spam Settings

Post by Bill48105 » 2012-08-22 16:11

bescher,
Sounds like you have some spam-bait boxes.. Your best solution would be to change email address(es) of the ones getting pounded hard but I realize that isn't always a realistic option. (But sometimes you gotta bite the bullet if particular addresses get hit hard). Otherwise as DooM said get spamassassin in & if that doesn't help as much as needed put ASSP in front of your server. After tuning you should be able to block 99% of spam but unless you are willing to live with false positives you will always have some spam on active boxes due to how spammers obtain addresses & target them.

If you need help with SA and/or ASSP I'd create your own post & link back here rather than muck up DooM's helpful thread. ;)
Thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-08-22 23:06

We have a linux box running SA already. Local to Local auth is checked as well.
I tried to install ASSP once and ran into nothingwith issues installing the RPM's so I gave it up.
Will continue to monitor and let you know BILL. I also have been having issues with SA set up on the local machine as it won't update
when I try to update it comes up with the error message:

C:\sa>sa-update.exe --nogpg
Error: cannot load shared library 'C:\sa\spamd.exe'

and have not found an answer for why it's doing it

Thanks Bill

ObiWan
Senior user
Posts: 278
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Anti Spam Settings

Post by ObiWan » 2012-09-06 16:22

bescher wrote:
Hi Doom
I have done that. Everything I have done I am still getting 25 to 30 spam messages an hour
I do know of one other account that is receiving as much.
I am at a loss and losing customers
Any more ideas. I have been doing this for years and this is the first time I have had this issue

I think that you'd better start enabling FULL logging in hMail and then looking at the logs contents, those may (and possibly will) let you understand what's going on; for example, you may be facing issues due to stolen account credentials used to pump out email or, in your case, your hMail may be sitting behind some kind of "proxy" hiding the real incoming IP address and so, in effect, forbidding hMS to perform the needed checks on the incoming sender IP... or either, you may just have unticked or misconfigured some option... see, if the issue was really hMS then a LOT of folks would be here complaining, but since it isn't the case, I suspect that there may be something screwed with your setup

My 2 cents.

bescher
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi

Re: Anti Spam Settings

Post by bescher » 2012-09-06 17:44

Hi ObiWan
Nothing has changed we are not behind a proxy server, account credentials look OK (we are down to 45 clients now)
I appreciate all your comments even if it is your 2 cents. I looked at another server and for internal and internet I
set the same things.
I do know that if it wasn't for the geoIP country block there would be 3000 messages sent in today alone.
I have more rules than anything. I had some complaints about not receiving mail so I cleaned out the ip ranges
back down to my computer and internet. But it just started about 2 months ago. From 10 to 15 spam messages to over 200 in a day is crazy
and nothing was changed. I implemented ti the country block so almost all of it (unless geoip is wrong) is coming from the US

Thanks
Still working on it
Bob

Onlyme!
New user
Posts: 3
Joined: 2012-10-13 16:50

Re: Anti Spam Settings

Post by Onlyme! » 2012-10-14 12:23

I wanted to keep my anti-spam settings simple yet somewhat aggressive.
This is what I currently have configured and testing.

Antispam > General

Code: Select all

Spam Mark Threshold      = 2
Spam Delete Threshold    = 9
Max Message Size to Scan = 64
Only the 'add to message subject' selected, word added: [ JUNK ]

Notes
1. I have an Outlook filter configured to move anything flagged as [ JUNK ] to a specified folder.
2. Most spam I would appear to receive tends to be small in size, hence the 64Kb maximum scan size.


Antispam > Spam Tests

Code: Select all

Use SPF            = 1
Check host in HELO = 1
Check DNS MX       = 0
Verify DKIM        = 0

Antispam > SURBL Servers

Code: Select all

multi.surbl.org | Score = 1

Antispam > DNS Blacklists

Code: Select all

zen.spamhaus.org            | Score = 10
b.barracudacentral.org      | Score = 10
recent.spam.dnsbl.sorbs.net | Score = 10

Antispam > Whitelist

Code: Select all

One local domain / mail server wildcarded.

It is highly reliant on the DNS Blacklists doing their job, but does appear to be working pretty well at the moment.
According to the stats my spam ratio is roughly 9:1 (9 spam for every 1 legitimate email).
False positives? nothing that I've noticed so far but it may be too early to tell.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Anti Spam Settings

Post by Bill48105 » 2012-10-15 03:14

Onlyme!, wow that's a bit too aggressive & dangerous really.. Too trusting in the RBL's. All it takes is a false positive hit on one & delete goes your message with threshold at 9 & RBL scoring at 10.. Guess to each his own but to me that'd be unacceptable for my users. As a matter of fact I prefer to not delete unless an obscene score is reached & instead rely on server rules & outlook rules to move things around to Spam/Junk folders which are deleted after 30 days that way there is a cushion in case of FP's which DO happen. And btw, 64K is way too small.. I regularly see spam that is well over 64K, heck even 1MB seems too small these days.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
