SpamFilter

From ConShell

In a nutshell, this is how I filter spam on my mail server --Delimiter 22:28, 21 September 2008 (PDT)

I follow the concept of defense in depth. There are multiple (currently three) layers of defense, each one catching what the layer before it let through.

Install postfix-tls, amavisd-new, clamav and spamassassin.

Note: I am also considering pyzor but not sure how much effect this would have.

Layer 1

This is the first line of defense. Roughly half of the spam is turned away by DNS-based block lists (DNSBLs): postfix looks up the IP address of the connecting client in each list and rejects at RCPT time, before any message data is accepted, so these messages never reach the content filter.

I configure postfix to check the following blocklists:

  • cbl.abuseat.org
  • bl.spamcop.net

The corresponding main.cf setting (continuation lines must begin with whitespace):

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org

permit_mynetworks comes first so that hosts in $mynetworks are never subjected to the DNSBL lookups; reject_rbl_client checks the address of the connecting client, not anything inside the message. Note that the CBL zone cbl.abuseat.org has since been retired and its data folded into the Spamhaus XBL/ZEN lists, so a current configuration would use those instead.

Example rejection (from /var/log/mail.log)

Sep 23 08:13:20 durango postfix/smtpd[26956]: NOQUEUE: reject: RCPT from
ip67-153-103-44.z103-153-67.customer.algx.net[67.153.103.44]: 554 5.7.1
Service unavailable; Client host [67.153.103.44] blocked using bl.spamcop.net;
Blocked - see http://www.spamcop.net/bl.shtml?67.153.103.44;
from=<i907@qop-re.com> to=<mark@foster.cc> proto=ESMTP
helo=<ip67-153-103-44.z103-153-67.customer.algx.net>
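To make the Layer 1 check concrete, here is what reject_rbl_client does for the client in the log line above, as an added Python example (not code from the original page, and not postfix's own code). The resolver is injected so the script runs offline; FAKE_ZONE_DATA and MYNETWORKS are constructed assumptions, not real bl.spamcop.net or cbl.abuseat.org data or the page's actual $mynetworks. Postfix accepts any A record as a listing unless the zone is written as zone=127.0.0.x; the 127.0.0.0/8 requirement below is this example's own extra check so that a retired zone whose parent domain later gets wildcarded to a public address does not make every client look listed.

```python
"""Added example, not from the original page: what reject_rbl_client does.

Postfix reverses the octets of the connecting client's IPv4 address, appends
the DNSBL zone and does an A lookup; an answer means "listed".  The resolver
is injected so this runs offline, and the listing table below is constructed
for illustration (it is not real bl.spamcop.net / cbl.abuseat.org data).
"""
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None for NXDOMAIN

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reversed octets followed by the zone (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on IPv6 or garbage
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Listed only if the zone answers with an address inside 127.0.0.0/8.

    This 127/8 requirement is the example's own safety check (postfix itself
    treats any A record as a listing unless you write zone=127.0.0.x).
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE


# Assumed $mynetworks; the page does not show its value.
MYNETWORKS = [ipaddress.IPv4Network("127.0.0.0/8"),
              ipaddress.IPv4Network("192.168.1.0/24")]
ZONES = ["bl.spamcop.net", "cbl.abuseat.org"]  # same order as smtpd_client_restrictions


def smtpd_client_decision(ip: str, resolve: Resolver,
                          zones=ZONES, mynetworks=MYNETWORKS) -> str:
    """Evaluate 'permit_mynetworks, reject_rbl_client ...' left to right; first match wins."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in mynetworks):
        return "PERMIT"  # permit_mynetworks: trusted hosts never hit the DNSBLs
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return f"REJECT 554 5.7.1 Service unavailable; Client host [{ip}] blocked using {zone}"
    return "DUNNO"  # no opinion here; later restriction lists decide


# Constructed listing table standing in for the two zones (not real DNSBL data).
FAKE_ZONE_DATA = {
    "44.103.153.67.bl.spamcop.net": "127.0.0.2",   # the client from the log excerpt
    "7.100.51.198.cbl.abuseat.org": "127.0.0.2",
    "9.0.0.203.bl.spamcop.net": "198.51.100.1",     # bogus non-127/8 answer: ignored
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup against the fake zone data."""
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for client in ["67.153.103.44", "198.51.100.7", "203.0.0.9",
                   "192.168.1.10", "203.0.113.5"]:
        print(f"{client:>15} -> {smtpd_client_decision(client, fake_resolve)}")
```

Because only the client address is consulted, a listing of the HELO name, the envelope sender's domain or a URL in the body is a different check (reject_rhsbl_* and the SpamAssassin URIBL rules respectively) and is not covered by this layer.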

Layer 2

Configure postfix to use amavisd-new as a content/virus filter via the re-injection technique: the content_filter setting in main.cf makes postfix hand every accepted message to amavisd at 127.0.0.1:10024; amavisd runs it through spamassassin and clamav and then re-injects it into a second postfix smtpd listening on 127.0.0.1:10025 (that listener must have content_filter switched off, otherwise the message loops back into amavisd). A message that scores as "spammy" or carries a virus is quarantined (see /var/lib/amavis/virusemails/) instead of being re-injected.

Example rejection (from /var/log/mail.log)

Sep 23 08:11:19 durango amavis[26713]: (26713-05) Blocked SPAM, [89.178.85.219]
[89.178.85.219] <ghay@wcc.net> -> <mark@foster.cc>, quarantine: I/spam-IfTmYIbq993T.gz,
Message-ID: <01c91da9$90a23d80$db55b259@ghay>, mail_id: IfTmYIbq993T, Hits: 31.469,
size: 4809, 4774 ms
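The two log excerpts on this page are the evidence that Layers 1 and 2 are doing their job, so a small parser over /var/log/mail.log is the natural check. The following is an added Python example, not part of the original page: it extracts the DNSBL rejections from postfix/smtpd and the verdicts from amavis and tallies them per layer. SAMPLE_LOG is constructed for the example: its first two entries are the page's own log lines re-joined onto one line each, the other two are made up to show a cbl.abuseat.org rejection and a clean pass.

```python
"""Added example, not from the original page: summarise mail.log by filter layer."""
import re
from collections import Counter

# Constructed sample: lines 1 and 2 are the page's excerpts joined back onto one
# syslog line each; lines 3 and 4 are invented to exercise the other branches.
SAMPLE_LOG = """\
Sep 23 08:13:20 durango postfix/smtpd[26956]: NOQUEUE: reject: RCPT from ip67-153-103-44.z103-153-67.customer.algx.net[67.153.103.44]: 554 5.7.1 Service unavailable; Client host [67.153.103.44] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?67.153.103.44; from=<i907@qop-re.com> to=<mark@foster.cc> proto=ESMTP helo=<ip67-153-103-44.z103-153-67.customer.algx.net>
Sep 23 08:11:19 durango amavis[26713]: (26713-05) Blocked SPAM, [89.178.85.219] [89.178.85.219] <ghay@wcc.net> -> <mark@foster.cc>, quarantine: I/spam-IfTmYIbq993T.gz, Message-ID: <01c91da9$90a23d80$db55b259@ghay>, mail_id: IfTmYIbq993T, Hits: 31.469, size: 4809, 4774 ms
Sep 23 08:14:02 durango postfix/smtpd[26960]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using cbl.abuseat.org; from=<x@example.net> to=<mark@foster.cc> proto=SMTP helo=<example>
Sep 23 08:15:30 durango amavis[26714]: (26714-01) Passed CLEAN, [203.0.113.5] [203.0.113.5] <friend@example.org> -> <mark@foster.cc>, Message-ID: <abc@example.org>, mail_id: 2zQ0s9x1, Hits: -1.2, size: 1200, 900 ms
"""

# Layer 1: smtpd rejecting at RCPT time because a DNSBL listed the client.
RBL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]:"
    r".*?blocked using (?P<zone>[\w.-]+);.*?from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)
# Layer 2: amavisd verdict lines ("Blocked SPAM", "Passed CLEAN", "Blocked INFECTED ...").
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<verdict>Blocked|Passed) (?P<class>[A-Z-]+)"
    r".*?\[(?P<ip>[\d.]+)\].*?<(?P<from>[^>]*)> -> <(?P<to>[^>]*)>"
)
HITS_RE = re.compile(r"Hits: (?P<hits>-?\d+(?:\.\d+)?)")
QUAR_RE = re.compile(r"quarantine: (?P<file>\S+),")


def parse_line(line: str):
    """Return a dict describing the event on this line, or None if it is not one we track."""
    m = RBL_RE.search(line)
    if m:
        event = m.groupdict()
        event.update(layer=1, action="reject")
        return event
    m = AMAVIS_RE.search(line)
    if m:
        event = m.groupdict()
        event["layer"] = 2
        hits = HITS_RE.search(line)
        event["hits"] = float(hits["hits"]) if hits else None  # None when amavis did not score it
        quar = QUAR_RE.search(line)
        event["quarantine"] = quar["file"] if quar else None
        return event
    return None


def summarize(log_text: str) -> dict:
    """Tally Layer 1 rejections per DNSBL zone and Layer 2 verdicts per class."""
    rbl, amavis, events = Counter(), Counter(), []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        events.append(event)
        if event["layer"] == 1:
            rbl[event["zone"]] += 1
        else:
            amavis[f"{event['verdict']} {event['class']}"] += 1
    return {"rbl": rbl, "amavis": amavis, "events": events}


def layer2_blocked(log_text: str) -> list:
    """The amavisd events that ended in quarantine, with their scores and quarantine files."""
    return [e for e in summarize(log_text)["events"]
            if e["layer"] == 2 and e["verdict"] == "Blocked"]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("Layer 1 (DNSBL) rejections:", dict(summary["rbl"]))
    print("Layer 2 (amavisd) verdicts:", dict(summary["amavis"]))
    for e in layer2_blocked(SAMPLE_LOG):
        print(f"  quarantined {e['quarantine']} from <{e['from']}> hits={e['hits']}")
```

Run against a real /var/log/mail.log the ratio of Layer 1 rejections to Layer 2 verdicts is the number to watch: if a DNSBL goes dark and stops answering, the Layer 1 count drops to zero and the amavisd "Blocked SPAM" count rises to take up the slack.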

To maximize effectiveness, it is possible to train spamassassin to differentiate between ham and spam using its Bayesian filter - see SpamAssassin. I do this with a relearn script that aggregates users' mailboxes and feeds them to sa-learn. However this should be done cautiously, because at this layer the filter is system-wide: one user's misfiled mail trains the Bayes database for everyone. In this setup amavisd-new does not rewrite the message unless it blocks (quarantines) it - tagging below the kill level is governed by the $sa_tag_level_deflt and $sa_tag2_level_deflt settings - so there is less visibility here than might otherwise be desired. Alternatively, per-user filtering can be done in Layer 3.

Layer 3

Postfix is configured to use procmail for local delivery (mailbox_command in main.cf). Procmail can then do further processing and route or rewrite the message based on spam scores or other e-mail header data. This is optional, but if /home/user/.procmailrc contains the hook to spamassassin, the message is scanned a second time with that user's own preferences and Bayes database, and further per-user processing can be done.

Example procmail configuration $HOME/.procmailrc:

# SpamAssassin: pipe messages under 256 kB through the scanner
# (f = treat as a filter, w = wait for it and check its exit status)
:0fw
* < 256000
| spamassassin
# messages tagged as spam by spamassassin go into the Junk folder
:0:
* ^X-Spam-Flag: YES
$HOME/mail/Junk


Note that this also may require some tweaks to $HOME/.spamassassin/user_prefs, e.g.

# How many points before a mail is considered spam.
# (spamassassin's default is 5.0; 3.5 catches more but risks more false
# positives, so keep an eye on the Junk folder after lowering it.)
required_score		3.5
# give an individual rule a custom weight
score SUBJ_ILLEGAL_CHARS      1.0