By jeremy at 2006-12-04 17:53

Stop More Spam
Features - Power Tools
Written by Jeremy Garcia

The December 2003 “Tech Support” showed you how to install SpamAssassin (SA), a free, open source, and effective spam filter.

After installing SA, you should immediately notice a dramatic decrease in the amount of spam that makes it to your Inbox. The SA developers do a tremendous job of writing and thoroughly testing the rules that determine each incoming message’s spam score. Moreover, a default install of SA incorporates several means of detecting spam, including Bayesian-style probabilistic classification, email header and body analysis, and much more. (For a full list of rules, see http://spamassassin.apache.org/tests_3_1_x.html.)

While the default SA rules are comprehensive, spammers are extremely tenacious and inventive. By utilizing the modular nature of SA, you can enable additional plug-ins to help you catch a significant amount of additional spam, while keeping false positives relatively low.

To ensure you’re getting the most out of SA, verify that you’re using the package appropriately. Do you have bayes enabled and working properly? Just as importantly, are you training it? Are your network tests running properly? A cursory check should be able to verify all this, and can make a substantial difference.
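One concrete way to answer the Bayes questions above. This is an added example, not code from the article: it parses the output of sa-learn --dump magic (a constructed sample is embedded so it runs offline) and reports whether the database has reached the 200-spam and 200-ham minimum (the bayes_min_spam_num and bayes_min_ham_num defaults) below which SA does not use Bayes at all.

```shell
#!/bin/sh
# Added example, not from the article: is SA's Bayes database trained enough
# to actually fire?  SpamAssassin ignores Bayes until it has learned at least
# bayes_min_spam_num spam and bayes_min_ham_num ham messages (default 200 each).
# Input is a saved copy of "sa-learn --dump magic"; a constructed sample is
# embedded below.

MIN_SPAM=200   # bayes_min_spam_num default
MIN_HAM=200    # bayes_min_ham_num default

# bayes_counts FILE -> prints "nspam nham" parsed from a magic dump
bayes_counts() {
    awk '/non-token data: nspam$/ {s=$3} /non-token data: nham$/ {h=$3}
         END {print s+0, h+0}' "$1"
}

# bayes_ready FILE -> exit 0 if both counts meet the thresholds, 1 otherwise
bayes_ready() {
    set -- $(bayes_counts "$1")
    [ "$1" -ge "$MIN_SPAM" ] && [ "$2" -ge "$MIN_HAM" ]
}

# Constructed sample of "sa-learn --dump magic": plenty of spam learned but
# only 42 ham, so Bayes stays silent on this host until more ham is fed in.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0       1350          0  non-token data: nspam
0.000          0         42          0  non-token data: nham
0.000          0      87311          0  non-token data: ntokens
EOF

if bayes_ready "$SAMPLE"; then
    echo "bayes: trained ($(bayes_counts "$SAMPLE")) - BAYES_* rules can fire"
else
    echo "bayes: under-trained ($(bayes_counts "$SAMPLE")) - run sa-learn --ham / --spam"
fi
```

On a live system replace the sample with `sa-learn --dump magic > /tmp/magic` and call `bayes_ready /tmp/magic`; run it as the user spamd learns as, since each user can have a separate database.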

Next, look at the “Optional Modules” section of the INSTALL file. This section details which CPAN modules are needed to enable additional SA functionality. Some of them, such as Net::DNS, are absolutely vital (Net::DNS is used for all DNS-based tests, including SBL, XBL, SpamCop, and DSBL, among a variety of other DNS-related tasks). Once you have the required CPAN modules installed, it’s time to move on to SA plug-ins. For a myriad of reasons, including licensing and terms-of-service issues, some SA plug-ins are disabled by default. Among the plug-ins disabled by default are DCC and Razor2.

DCC, or Distributed Checksum Clearinghouse, is an anti-spam content filter that uses fuzzy checksums to recognize unsolicited bulk mail. It is available from http://www.rhyolite.com/anti-spam/dcc/; read the DCC license before you deploy it, as it is not Open Source software.
In-depth installation instructions are beyond the scope of this column, but for a client-only setup, it’s essentially as easy as…

$ ./configure --disable-dccm --disable-server && make
$ sudo make install

Once installed, edit the appropriate configuration files per DCC’s INSTALL.txt, start dccifd, and uncomment the line loadplugin Mail::SpamAssassin::Plugin::DCC in the SA v310.pre file.
Similar to DCC, Vipul’s Razor is a distributed, collaborative, spam detection and filtering network. Through user contribution, Razor establishes a distributed and constantly updating catalog of spam in propagation that is consulted by email clients to filter out known spam. Available from http://razor.sourceforge.net/, Razor2 is distributed under the Artistic License.

While Razor2 has a few CPAN module requirements, they’ve all been conveniently bundled in the razor-agents-sdk package. You can choose to install it via whichever mechanism you are comfortable with. Once the prerequisites are installed, razor-agents can be installed as most Perl modules are:


$ perl Makefile.PL
$ make; make test
$ sudo make install
$ razor-admin -create
$ razor-admin -register

Finally, you must uncomment the loadplugin Mail::SpamAssassin::Plugin::Razor2 line in v310.pre.
With DCC and Razor2 now installed, look through the SA *.pre files for other disabled-by-default tests that you feel may help in your environment.

With SA properly tuned and running with some optional modules, you should notice less spam. If you want to take things a step further, you’ll want to look into adding additional SA rules. The best place for this is http://www.rulesemporium.com/, which has a vast repository of tested SA rules. Be sure to carefully read the notes before implementing any third-party rules, and keep in mind what impact they may have on legitimate mail. Being overzealous can cause you as much grief as it saves.

Your goal should be getting as little spam as possible, while keeping false positives to an absolute minimum. Always test the rules you add thoroughly and keep a close eye on things after you make changes. If you notice that you consistently get a kind of spam that SA lets through, even with the additional modules enabled and third-party rules added, don’t be afraid to come up with a custom rule that targets your specific problem exactly.
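A custom rule of the kind the last paragraph recommends, together with the lint-before-restart step that the caution about third-party rules calls for. This is an added example, not code from the article: the rule file path, the init script path and its restart argument are assumptions, and the “replica watch” pitch is a constructed sample target.

```shell
#!/bin/sh
# Added example, not from the article: a local SpamAssassin rule aimed at one
# recurring spam type, written in local.cf syntax, plus a deploy step that
# runs "spamassassin --lint" before spamd is restarted.  Paths are assumptions.

RULE_FILE=/etc/mail/spamassassin/local_replica.cf   # assumed path
SPAMD_INIT=/etc/rc.d/rc.spamd                        # assumed init script

# write_replica_rule FILE -> writes the rule set.  Sub-rules start with "__"
# so they carry no score of their own; only the meta rule scores, and it
# needs two independent hits, which keeps false positives down.
write_replica_rule() {
    cat > "$1" <<'EOF'
header   __LOCAL_SUBJ_REPLICA  Subject =~ /\breplica\s+(?:rolex|watch(?:es)?)\b/i
body     __LOCAL_BODY_REPLICA  /\b(?:replica|genuine|swiss)\s+(?:rolex|watch(?:es)?)\b/i
uri      __LOCAL_URI_REPLICA   /replica/i
meta     LOCAL_REPLICA_PITCH   (__LOCAL_SUBJ_REPLICA + __LOCAL_BODY_REPLICA + __LOCAL_URI_REPLICA) >= 2
describe LOCAL_REPLICA_PITCH   Replica-watch pitch in at least two of subject, body, URI
score    LOCAL_REPLICA_PITCH   2.5
EOF
}

# count_scored_rules FILE -> number of rules in FILE that carry a score line
count_scored_rules() {
    grep -c '^score[[:space:]]' "$1"
}

# deploy FILE -> lint the whole config and restart spamd only if lint passes;
# a broken rule file would otherwise take the filter down with it.
deploy() {
    if spamassassin --lint; then
        "$SPAMD_INIT" restart
    else
        echo "lint failed; $1 left in place but spamd NOT restarted" >&2
        return 1
    fi
}

# Only touch the live config when explicitly asked: "sh thisscript.sh deploy"
if [ "$1" = "deploy" ]; then
    write_replica_rule "$RULE_FILE" && deploy "$RULE_FILE"
fi
```

Before deploying, run a known-good ham corpus through `spamassassin -t` and confirm LOCAL_REPLICA_PITCH does not appear in the hit list; raise the score only once that check is clean.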


by derxob on Mon, 2006-12-04 18:22
Here's a small script I wrote for automatically fetching and updating some SA rule files that update often. It's nice to keep these rule files up to date because as we know, spammers are finding new ways to outsmart spam filters on a daily basis.

I add this script to my daily cron jobs.


Code:
#!/bin/sh

# adam@foogazi.com
# http://www.foogazi.com

# DO NOT IMPLEMENT THIS WITHOUT CHOOSING WHICH RULES TO USE AND DECIDING IF THEY WILL BE OF BENEFIT OR NOT.
# This script was created on a Slackware 10.0 machine.

# Implementing:
# CONFIG_PATH should be changed to the path of your local.cf file
# BACKUP_PATH should be changed to the path you want files to be backed up to - this path must be present before executing this script.
# SCRIPT_PATH should be changed to the location of your spamd init script, used to start/restart spamassassin.

CONFIG_PATH=/etc/mail/spamassassin
BACKUP_PATH=/etc/mail/spamassassin/backup
SCRIPT_PATH=/etc/rc.d/rc.spamd

# Refuse to continue if either directory is missing: the rm below is destructive
cd "$CONFIG_PATH" || exit 1
[ -d "$BACKUP_PATH" ] || exit 1

# Back up the current configs (regular files only; skips the backup directory itself)
for f in *; do
    [ -f "$f" ] && cp -- "$f" "$BACKUP_PATH/"
done

# Stop spamassassin
"$SCRIPT_PATH" stop

# Remove the old rule files; the non-rule files are restored from the backup below
rm -f -- *.*

# Download rules:
# Uncomment the rules you want - see http://www.rulesemporium.com/ for more info.
# NOTE: You must uncomment at least one for this to work.
#wget http://www.rulesemporium.com/rules/70_sare_stocks.cf
#wget http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
#wget http://www.emtinc.net/includes/backhair.cf
#wget http://www.timj.co.uk/linux/bogus-virus-warnings.cf
#wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
#wget http://www.emtinc.net/includes/chickenpox.cf
#wget http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
#wget http://www.rulesemporium.com/rules/70_sare_evilnum0.cf
#wget http://www.rulesemporium.com/rules/70_sare_evilnum1.cf
#wget http://www.rulesemporium.com/rules/70_sare_evilnum2.cf
#wget http://www.rulesemporium.com/rules/70_sare_html.cf
#wget http://www.rulesemporium.com/rules/70_sare_html4.cf
#wget http://www.rulesemporium.com/rules/70_sare_html_arc.cf
#wget http://www.rulesemporium.com/rules/70_sare_html_eng.cf
#wget http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf
#wget http://www.ccert.edu.cn/spam/sa/Chinese_rules.cf
#wget http://www.geewhiz.ca/images/b/b2/99_geewhizg_zh.cf
#wget http://www.geewhiz.ca/images/3/35/50_scores_geewhizg_zh.cf
#wget http://www.nospamtoday.com/download/mime_validate.cf
#wget http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf
#wget http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf
#wget http://maxime.ritter.eu.org/Spam/french_rules.cf
#wget http://www.rulesemporium.com/rules/70_sare_header0.cf
#wget http://www.rulesemporium.com/rules/70_sare_specific.cf
#wget http://www.rulesemporium.com/rules/70_sare_ratware.cf
#wget http://www.rulesemporium.com/rules/70_sare_adult.cf
#wget http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf
#wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
#wget http://www.rulesemporium.com/rules/70_sare_spoof.cf
#wget http://www.rulesemporium.com/rules/70_sare_random.cf
#wget http://www.rulesemporium.com/rules/70_sc_top200.cf
#wget http://www.rulesemporium.com/rules/70_sare_oem.cf
#wget http://www.rulesemporium.com/rules/70_sare_genlsubj.cf
#wget http://www.rulesemporium.com/rules/70_sare_highrisk.cf
#wget http://www.rulesemporium.com/rules/70_sare_unsub.cf
#wget http://www.rulesemporium.com/rules/70_sare_uri0.cf
#wget http://www.rulesemporium.com/rules/70_sare_whitelist.cf

# Restore the local files that are not rule downloads
cp -- "$BACKUP_PATH/local.cf" .
cp -- "$BACKUP_PATH/init.pre" .
cp -- "$BACKUP_PATH/rolex.cf" .
cp -- "$BACKUP_PATH/stock.cf" .
cp -- "$BACKUP_PATH/v310.pre" .

# Start Spamassassin
"$SCRIPT_PATH" start

Side note:
Jeremy, fix: "...additional SA rules. he best place for this is http://www.rulesemporium.com/, .."

Nice article!

by jeremy on Mon, 2006-12-04 20:23
Updated - thanks derxob.

--jeremy
