How to block more spam locally using SpamAssassin

Mail.baby recommends Rspamd for spam blocking. Unfortunately, some popular panels such as cPanel fail to innovate and lag behind, leaving users with subpar spam filtering. If you are unable to move to a more modern panel like DirectAdmin or AnsiCP that supports Rspamd, there are still some options available to block spam leaving your server.

When using cPanel, set the option in Web Host Manager to scan outgoing email with SpamAssassin. The config on this page can be added to local.cf or to your own NAME.cf file in the /etc/spamassassin folder.

iXhash

iXhash can be used to block additional spam. It is similar to a fuzzy hash: certain parts of the email body are dropped and an MD5 hash is generated from what remains. A DNS lookup is done for this hash and a score can be given to the email. Mail.baby publishes common spam under a DNS list for iXhash and you are free to integrate this into your spam filtering. Please see https://cwiki.apache.org/confluence/display/SPAMASSASSIN/iXhash for more information on setting up iXhash. Note: the iXhash plugin must be installed into SpamAssassin before using the config below. Once it is set up, use the following config:

body            MAILBABY_IXHASH eval:ixhashtest('mailbaby.ixhash.interserver.net')
describe        MAILBABY_IXHASH iXhash found @ mailbaby.ixhash.interserver.net
tflags          MAILBABY_IXHASH net
# adjust as you see fit
score           MAILBABY_IXHASH 3.0

Adjust the MAILBABY_IXHASH score of 3.0 to a value you deem appropriate. The emails listed for MAILBABY_IXHASH are manually built from spam traps, which makes a high score OK.

A second, generic setup can also be used:

body MAILBABY_GENERIC_IXHASH eval:ixhashtest('mailbaby.ixhashgeneric.interserver.net')
describe MAILBABY_GENERIC_IXHASH iXhash found @ mailbaby.ixhashgeneric.interserver.net
tflags MAILBABY_GENERIC_IXHASH net
# adjust as you see fit
score MAILBABY_GENERIC_IXHASH 1.0

For GENERIC, the list is auto-populated from spam traps. A lower score should be used due to the automatic nature of this list. The same hash must appear multiple times, which reduces false positives.

As of this writing, additional iXhash systems that appear to be available are ix.dnsbl.manitu.net and generic.ixhash.net.

Real time DNS block lists

Mail.baby uses both URL- and IP-based DNS block lists. A listing adds to an email's score, with the adjustment depending on the list. Email is not simply blocked for being on any particular list; the listing affects the overall score of the email, which at a certain point does get blocked. We do not recommend simply blocking email based on an RBL listing; score it appropriately instead. Below are the lists that are available for use and their configs:

rbluri.interserver.net

Domains in this list have appeared in spam emails, such as phishing, whois scraping and spamtraps.

urirhssub MAILBABY_RULE_URIBL_RBLINT rbluri.interserver.net. A 127.0.0.2
body MAILBABY_RULE_URIBL_RBLINT eval:check_uridnsbl('MAILBABY_RULE_URIBL_RBLINT')
describe MAILBABY_RULE_URIBL_RBLINT Contains a URL listed in the uribl at sigs.interserver.net
tflags MAILBABY_RULE_URIBL_RBLINT net
score MAILBABY_RULE_URIBL_RBLINT 3.0

rbl.interserver.net

An automatically aggregated list of IPs that have brute-forced logins such as email or SSH, are blocked by Web Application Firewalls for malicious activity, or have sent email to spam traps across multiple systems. After 5 days of no activity the IP is delisted.

header MAILBABY_INTERSERVER_BLOCKLIST rbleval:check_rbl('int', 'rbl.interserver.net.')
describe MAILBABY_INTERSERVER_BLOCKLIST IP appears on rbl.interserver.net block list
tflags MAILBABY_INTERSERVER_BLOCKLIST net
score MAILBABY_INTERSERVER_BLOCKLIST 2.0

rblspamassassin.interserver.net

IPs in this list appear in spam traps, send email with very high spam scores, or show other malicious activity. Listing and delisting are automatic. The overall score should be lower than for rbl.interserver.net, as this list is broader (unless of course you are a BOFH, then score away).

header MAILBABY_RULE_SPAMMY_NETWORK rbleval:check_rbl('int', 'rblspamassassin.interserver.net.')
describe MAILBABY_RULE_SPAMMY_NETWORK IP found in rblspamassassin spammy network list
tflags MAILBABY_RULE_SPAMMY_NETWORK net
score MAILBABY_RULE_SPAMMY_NETWORK 1.0

goodrbl.interserver.net

A reverse / good list. IPs appearing in this list should have their score lowered.

header MAILBABY_RULE_GOOD_NETWORK rbleval:check_rbl('int', 'goodrbl.interserver.net.')
describe MAILBABY_RULE_GOOD_NETWORK Good or wellknown network decrease score by 1.0
tflags MAILBABY_RULE_GOOD_NETWORK net
score MAILBABY_RULE_GOOD_NETWORK -1.0
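
The three IP-based lists above are all queried the same way: the relay IP is reversed, prepended to the zone, and an A-record answer means "listed". The following is an added example, not code from Mail.baby or SpamAssassin, that builds those query names and sums the scores from this page so you can check how one of your own sending IPs would be scored. The function names, the constructed resolver and the documentation address 192.0.2.10 are assumptions of the example.

```python
import ipaddress
import socket

# Zones and scores copied from the IP-list rules on this page.
IP_LISTS = {
    "MAILBABY_INTERSERVER_BLOCKLIST": ("rbl.interserver.net.", 2.0),
    "MAILBABY_RULE_SPAMMY_NETWORK": ("rblspamassassin.interserver.net.", 1.0),
    "MAILBABY_RULE_GOOD_NETWORK": ("goodrbl.interserver.net.", -1.0),
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6) plus the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")

def system_resolver(name):
    """A records for name from the system resolver; [] on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def constructed_resolver(name):
    """Constructed sample data (no network): 192.0.2.10 is on two of the lists."""
    fake = {
        "10.2.0.192.rbl.interserver.net": ["127.0.0.2"],
        "10.2.0.192.rblspamassassin.interserver.net": ["127.0.0.2"],
    }
    return fake.get(name, [])

def score_ip(ip, resolver=system_resolver):
    """Return (total, hits): the score each list on this page would add for ip."""
    hits = {}
    for rule, (zone, score) in IP_LISTS.items():
        answers = resolver(dnsbl_name(ip, zone))
        # DNSBLs answer in 127.0.0.0/8 for a listing (RFC 5782). This example
        # ignores any other answer, e.g. one from a wildcarding resolver.
        if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
            hits[rule] = score
    return sum(hits.values()), hits

if __name__ == "__main__":
    print(score_ip("192.0.2.10", constructed_resolver))
```

Calling score_ip with only an IP uses the system resolver and performs real lookups against the zones.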

Please see https://github.com/mailbaby/spamassassin-rules for more info.