What are the best/required/optimal settings for SpamAssassin?

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-11-30 12:13

Hello, I've been using SpamAssassin recently and would like to know if I should change the default setting to get the best possible spam protection. Should I make changes to the settings or not?

I think there is a learning mode, but it's off when I understand it correctly. Does not it make sense to activate this?

In addition, each SPAM mail is attached as attachment with a prefixed text "Spam detection software, running on the system" localhost ", has identified this incoming email ...". Can I switch it off, so that the mail lands normally in a mailbox? It is ok for me if the subject is provided with "** SPAM **".

palinka
Senior user
Senior user
Posts: 398
Joined: 2017-09-12 17:57

Re: What are the best/required/optimal settings for SpamAssassin?

Post by palinka » 2018-11-30 12:51

Read this thread in its entirety. There's great information that will get you up and running with Bayes learning, which is probably the most effective tool in SA after you get it trained.

https://hmailserver.com/forum/viewtopic ... 20&t=26866

As far as settings in SA, I experimented with a bunch of different things and came back to pretty much the default settings. They seem to work the best, at least for my setup. YMMV.

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-11-30 14:14

The linked thread is too extensive for me and I can not see what this has to do with my questions. After all, I do not want to do a master's thesis on SA :shock:

User avatar
SorenR
Senior user
Senior user
Posts: 2624
Joined: 2006-08-21 15:38
Location: Denmark

Re: What are the best/required/optimal settings for SpamAssassin?

Post by SorenR » 2018-11-30 15:00

ak18 wrote:
2018-11-30 14:14
The linked thread is too extensive for me and I can not see what this has to do with my questions. After all, I do not want to do a master's thesis on SA :shock:
You could not be further from the truth... If you want to use SA, you need to study for it. Like with everything else in life - there are NO easy solutions! Just look at #MeToo and GDPR :roll:

1: In [SpamAssassin]\etc\spamassassin locate "local.cf". Located somewhere in the top find "report_safe 1" and change it to "report_safe 0"
Save spam messages as a message/rfc822 MIME attachment instead of
modifying the original message (0: off, 2: use text/plain instead)
2: I generally keep "learning mode OFF" as manually training SA ("The URL from Hell" - linked in above post) is the best way. A few years down the line I can now say I am very close to 0.1% false positives and NO SPAM in our Inbox'es.

3: In the above link you'll see very few modifications to SA configuration - you DO NOT need to configure Bayes to use MySQL, using the default file based storage is fine (MySQL is for Geeks anyways :wink: ).
The main issue is how to ensure that SA is doing it's optimum, and that is done with "supervised training". Just like school!

https://spamassassin.apache.org/doc.html
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

palinka
Senior user
Senior user
Posts: 398
Joined: 2017-09-12 17:57

Re: What are the best/required/optimal settings for SpamAssassin?

Post by palinka » 2018-12-01 14:06

ak18 wrote:
2018-11-30 14:14
The linked thread is too extensive for me and I can not see what this has to do with my questions. After all, I do not want to do a master's thesis on SA :shock:
If I can make it work, you can. Believe me, I'm no programmer. And Soren is right - it's extremely effective. I get very, very few false positives from SA. I can't even remember the last time I got a false positive from SA. And the few actual spam that make it through under my delete threshold are marked POSSIBLE SPAM in the subject line so nobody can possibly miss it. Bayes does an excellent job after it's been trained for a while.

If you combine this with a couple of other techniques, spam will be a thing of the past. But Bayes is definitely the most important one.

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-01 17:07

What are your experiences?

1. Should I activate greylisting or is it no longer helpfull to block SPAM?

2. If I use SpamAssassin, should I disable the buildin Anti-SPAM protection of the hMailServer or should it be activated additionally?

3. What score value should I use for SpamAssassin? 5.0 or another?

User avatar
jimimaseye
Moderator
Moderator
Posts: 7520
Joined: 2011-09-08 17:48

Re: What are the best/required/optimal settings for SpamAssassin?

Post by jimimaseye » 2018-12-01 17:44

viewtopic.php?f=21&t=28133

(You'll still have to read. )
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-02 03:21

Done, but found no answer to my questions.

palinka
Senior user
Senior user
Posts: 398
Joined: 2017-09-12 17:57

Re: What are the best/required/optimal settings for SpamAssassin?

Post by palinka » 2018-12-02 04:27

ak18 wrote:
2018-12-01 17:07
What are your experiences?

1. Should I activate greylisting or is it no longer helpfull to block SPAM?

2. If I use SpamAssassin, should I disable the buildin Anti-SPAM protection of the hMailServer or should it be activated additionally?

3. What score value should I use for SpamAssassin? 5.0 or another?
There are lots of discussions here regarding these matters. It's really a personal preference. I can give you my thoughts but they are just my opinions alone. Many here will disagree for many different reasons. You should research these matters to see what best fits your personal setup.

1. Grey listing is virtually dead thanks to large mail providers using many different IPs for the same domain. I don't use it.
2. I disable only DKIM. Surbl listing is very useful.
3. I use the default 5.0.

User avatar
jimimaseye
Moderator
Moderator
Posts: 7520
Joined: 2011-09-08 17:48

Re: What are the best/required/optimal settings for SpamAssassin?

Post by jimimaseye » 2018-12-02 10:31

ak18 wrote:
2018-11-30 14:14
The linked thread is too extensive for me and I can not see what this has to do with my questions. After all, I do not want to do a master's thesis on SA :shock:
ak18 wrote:
2018-12-02 03:21
Done, but found no answer to my questions.
You didn't read carefully enough then, my suggestions are very clearly defined .

No one can come and do your machine for you, you have to make an effort for yourself. If you find reading a chore then perhaps a forum isn't the best place to seek help from.


[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-03 22:55

Now I have two hMailServers with SpamAssassin running on different servers.

Server A sent a mail to Server B... and it is marked as SPAM. Please see this headers:

Code: Select all

...
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on localhost
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,RCVD_IN_SORBS_DUL autolearn=ham autolearn_force=no version=3.4.1
...
X-hMailServer-Spam: YES
X-hMailServer-Reason-2: Rejected by DKIM. - (Score: 5)
X-hMailServer-Reason-Score: 5
hMailServer says, DKIM is bad
SpamAssassin says, DKIM is valid

Why?

User avatar
mattg
Moderator
Moderator
Posts: 19101
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What are the best/required/optimal settings for SpamAssassin?

Post by mattg » 2018-12-03 23:18

hMailserver ONLY checks the most recent DKIM, and compares it to the IP address of the sending server

SpamAssassin checks ALL DKIM headers, without any comparison to IP addresses

In my mind, hMailserver does this correctly.
The point of signing is to ensure that the message doesn't get changed, and that includes new headers added.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-04 00:33

Could it be that the new header entries of SpamAssassin fail the DKIM-check by the hMailServer?

User avatar
SorenR
Senior user
Senior user
Posts: 2624
Joined: 2006-08-21 15:38
Location: Denmark

Re: What are the best/required/optimal settings for SpamAssassin?

Post by SorenR » 2018-12-04 02:37

ak18 wrote:
2018-12-04 00:33
Could it be that the new header entries of SpamAssassin fail the DKIM-check by the hMailServer?
DKIM checks are done before SpamAssassin.

My hMailServer only do DNSBL, SURBL and SPF checks, SpamAssassin do the rest.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-05 09:06

mattg wrote:
2018-12-03 23:18
hMailserver ONLY checks the most recent DKIM, and compares it to the IP address of the sending server
In my mind, hMailserver does this correctly.
And why are marking both hMailServer received mails from the other one as SPAM?
What of the DKIM-data is compaired with the IP address of what?
mattg wrote:
2018-12-03 23:18
SpamAssassin checks ALL DKIM headers, without any comparison to IP addresses
The point of signing is to ensure that the message doesn't get changed, and that includes new headers added.
You mean SpamAssassin is better, because it checks all headers and hMailServer not?
SorenR wrote:
2018-12-04 02:37
My hMailServer only do DNSBL, SURBL and SPF checks, SpamAssassin do the rest.
DNSBL, SURBL is disabled by the default setup of hMailServer. So I should enable it? And must be added some new entries, or must only the existing default-entries (zen.spamhaus.org/bl.spamcop.net/multi.surbl.org) enabled?

User avatar
jimimaseye
Moderator
Moderator
Posts: 7520
Joined: 2011-09-08 17:48

Re: What are the best/required/optimal settings for SpamAssassin?

Post by jimimaseye » 2018-12-05 10:08

ak18 wrote:
2018-12-03 22:55

Code: Select all

...
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on localhost
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,RCVD_IN_SORBS_DUL autolearn=ham autolearn_force=no version=3.4.1
...
X-hMailServer-Spam: YES
X-hMailServer-Reason-2: Rejected by DKIM. - (Score: 5)
X-hMailServer-Reason-Score: 5
hMailServer says, DKIM is bad
SpamAssassin says, DKIM is valid
Can you show the full headers (including the bits you snipped) from Spamassassin of this message. Also, for completeness run viewtopic.php?f=20&t=30914 and post the results.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
SorenR
Senior user
Senior user
Posts: 2624
Joined: 2006-08-21 15:38
Location: Denmark

Re: What are the best/required/optimal settings for SpamAssassin?

Post by SorenR » 2018-12-05 10:32

ak18 wrote:
2018-12-05 09:06
SorenR wrote:
2018-12-04 02:37
My hMailServer only do DNSBL, SURBL and SPF checks, SpamAssassin do the rest.
DNSBL, SURBL is disabled by the default setup of hMailServer. So I should enable it? And must be added some new entries, or must only the existing default-entries (zen.spamhaus.org/bl.spamcop.net/multi.surbl.org) enabled?
It depends on type of SPAM and experience of the operator (you).

My settings:

Spam mark threshold = 3
Spam delete threshold = 1000

DNSBL
Host: zen.spamhaus.org
Result: 127.0.0.2-11
Message: RBL - Rejected by Spamhaus
Score: 5

Host: b.barracudacentral.org
Result: 127.0.0.2
Message: RBL - Rejected by Barracuda Reputation Block List
Score: 5

Host: bl.spamcop.net
Result: 127.0.0.2
Message: RBL - Rejected by SpamCop
Score: 5

Host: sbl.spamhaus.org
Result: 127.0.0.3
Message: RBL - Rejected by Spamhaus (Snowshoe)
Score: 1000

SURBL
Host: multi.surbl.org
Message: URIBL - Rejected by SURBL
Score: 5

Host: dbl.spamhaus.org
Message: URIBL - Rejected by Spamhaus
Score: 5

I don't use GreyListing, I have a 20 second "sleep" in 3 places in the EventHandlers.vbs script. Just as effective and without the added hours of waiting for mails from Google, Outlook and others.

Code: Select all

Function Wait(sec)
   With CreateObject("WScript.Shell")
      .Run "timeout /T " & Int(sec), 0, True
'     .Run "sleep -m " & Int(sec * 1000), 0, True
'     .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
   End With
End Function

Sub OnClientConnect(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)
End Sub

'   NOTE: Sub OnHELO(oClient) is not in the official build (YET!)
'
'   https://www.hmailserver.com/forum/viewtopic.php?f=10&t=30193
'   User RvdH is maintaining an up-to-date version of hMailServer with amongst others the OnHELO trigger.
'
Sub OnHELO(oClient)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)
End Sub

'   ********** SPAM test: DNSBlackLists, HeloHost, MXRecords, SPF

Sub OnSMTPData(oClient, oMessage)
   '
   '   Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)
End Sub

'   ********** SPAM test: SURBL, DKIM, SpamAssassin

' Sub OnAcceptMessage(oClient, oMessage)
' End Sub

'   ********** Saving EML to DATA

' Sub OnDeliveryStart(oMessage)
' End Sub

'   ********** Antivirus check, Global rules

' Sub OnDeliverMessage(oMessage)
' End Sub

'   ********** Local rules, Message delivered to recipient(s)

' Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
' End Sub

' Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

' Sub OnError(iSeverity, iCode, sSource, sDescription)
' End Sub
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

palinka
Senior user
Senior user
Posts: 398
Joined: 2017-09-12 17:57

Re: What are the best/required/optimal settings for SpamAssassin?

Post by palinka » 2018-12-05 12:21

SorenR wrote:
2018-12-04 02:37
ak18 wrote:
2018-12-04 00:33
Could it be that the new header entries of SpamAssassin fail the DKIM-check by the hMailServer?
DKIM checks are done before SpamAssassin.

My hMailServer only do DNSBL, SURBL and SPF checks, SpamAssassin do the rest.
^^^^ This...

This is one of the mysteries of life. I have researched this for hours. For whatever reason, hmail is very particular and very very strict with dkim. More so - it appears to me, anyway - than other MTAs. I could not resolve all the false positives I was getting from hmail failing dkim, so I just turned it off. Since then things have been going swimmingly.

User avatar
mattg
Moderator
Moderator
Posts: 19101
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: What are the best/required/optimal settings for SpamAssassin?

Post by mattg » 2018-12-05 15:45

ak18 wrote:
2018-12-05 09:06
mattg wrote:
2018-12-03 23:18
The point of signing is to ensure that the message doesn't get changed, and that includes new headers added.
You mean SpamAssassin is better, because it checks all headers and hMailServer not?
Not at all

If a message is digitally signed, it is signed as it is.
For the signature (Including DKIM) to be valid then the message should not have been altered in any way

For me when SPamAssassin accepts that any of multiple DKIM signaures could be correct then it is accepting the signature without checking the message. It'd be like a bank accepting a stamp in place of a signature.

I guess it depends on what you want the DKIM signature to mean really...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-06 03:39

I can give the all-clear. The problem with DKIM was found. :D

It was a matter of some name servers inserting spaces in the key in the TXT record. SpamAssessin seems to take these out before testing, but hMailServer does not. That's why there was a difference in SPAM rating.

Now everything is fine. Thanks to all. :D

palinka
Senior user
Senior user
Posts: 398
Joined: 2017-09-12 17:57

Re: What are the best/required/optimal settings for SpamAssassin?

Post by palinka » 2018-12-07 01:39

ak18 wrote:
2018-12-06 03:39
I can give the all-clear. The problem with DKIM was found. :D

It was a matter of some name servers inserting spaces in the key in the TXT record. SpamAssessin seems to take these out before testing, but hMailServer does not. That's why there was a difference in SPAM rating.

Now everything is fine. Thanks to all. :D
Would you mind expanding on that a bit? Thanks.

User avatar
SorenR
Senior user
Senior user
Posts: 2624
Joined: 2006-08-21 15:38
Location: Denmark

Re: What are the best/required/optimal settings for SpamAssassin?

Post by SorenR » 2018-12-07 02:44

ak18 wrote:
2018-12-06 03:39
I can give the all-clear. The problem with DKIM was found. :D

It was a matter of some name servers inserting spaces in the key in the TXT record. SpamAssessin seems to take these out before testing, but hMailServer does not. That's why there was a difference in SPAM rating.

Now everything is fine. Thanks to all. :D
This problem ??

https://forums.cpanel.net/threads/error ... rd.630191/

Code: Select all

- If your domain's DNS is hosted by the cPanel server, there's pretty much nothing to do. 
  You are set if you see the DKIM check pass.

- If your domain's DNS is hosted externally, here's what should be modified in the DKIM 
  key generated by cPanel:

  * Remove the trailing back slash and semi-colon at the end of the key such that your key 
    always ends with the letters QAB
  * Remove the end quote in the DKIM key generated by cPanel (occurs somewhere in the middle
    of the key)
  * Remove the the empty space between the end quote and the next letter
  * Copy the entire string, starting from v=DKIM and ending with QAB into the 'Value' field 
    of the DNS TXT record. The 'Name' field of the DNS record should have 'default._domainkey'
    in it (without the single quotes, of course)
  * Depending upon your external DNS provider, you may need to wrap the DKIM key string within
    double quotes, just like cPanel or exclude the double quotes - Linode DNS manager, for 
    example, doesn't need the double quotes and adds it behind the scene.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

ak18
New user
New user
Posts: 21
Joined: 2018-11-22 14:25
Location: Germany

Re: What are the best/required/optimal settings for SpamAssassin?

Post by ak18 » 2018-12-07 11:06

SorenR wrote:
2018-12-07 02:44
This problem ??

https://forums.cpanel.net/threads/error ... rd.630191/
No, I'm not using cpanel.

Post Reply