Sharing custom SpamAssassin Rules

    crazybrad wrote (#52, last edited by crazybrad):

    @d19dotca Many thanks for sharing this. I'd like to suggest another addition based on one nasty abuse I've seen: unsubscribe links that use http instead of https, hoping that browser security blocks/warnings will cause users not to follow through and unsubscribe. Anyone not using https for anything these days is not worthy of my time:) This puts them where they belong:

    # Rule to detect unsubscribe links that do not use HTTPS
    body UNSUB_LINK_HTTP /unsubscribe.*http:\/\//i
    describe UNSUB_LINK_HTTP Unsubscribe link does not use HTTPS
    score UNSUB_LINK_HTTP 10.0
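
Added example (not part of crazybrad's post or the Cloudron rule set): SpamAssassin applies `body` rules to the message text after HTML tags and line breaks are removed, so this Python sketch runs the same regex over a simplified rendering of three constructed messages and compares the result with a check of the actual `href` targets. `render_body`, `unsub_http_hrefs` and the sample messages are illustrative assumptions, not SpamAssassin code.

```python
import re
from html.parser import HTMLParser

# Same pattern as the UNSUB_LINK_HTTP body rule in the post.
BODY_RULE = re.compile(r"unsubscribe.*http://", re.I)


class _Anchors(HTMLParser):
    """Collects visible text and (href, link text) pairs from a message part."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf)))
            self._href = None


def _parse(html):
    parser = _Anchors()
    parser.feed(html)
    parser.close()
    return parser


def render_body(html):
    """Simplified stand-in for the rendered body: tags and line breaks removed."""
    return " ".join("".join(_parse(html).text).split())


def body_rule_hits(html):
    """True when the posted regex matches the rendered text."""
    return bool(BODY_RULE.search(render_body(html)))


def unsub_http_hrefs(html):
    """Unsubscribe links (by link text or URL) whose target is plain http."""
    return [href for href, label in _parse(html).links
            if href.lower().startswith("http://")
            and re.search("unsubscribe", href + " " + label, re.I)]


# Constructed samples (example.* domains), not taken from real mail.
SAMPLES = {
    "html_link": '<p>Tired of us? <a href="http://list.example.com/u?id=1">Unsubscribe</a></p>',
    "plain_url": "To unsubscribe visit http://list.example.com/u?id=1",
    "unrelated": '<p>You can <a href="https://list.example.org/unsubscribe">unsubscribe</a> anytime. '
                 "Docs moved to http://docs.example.org/</p>",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10} body_rule={body_rule_hits(msg)!s:5} "
              f"http_unsub_links={unsub_http_hrefs(msg)}")
```

The third sample shows the rule firing on an unrelated `http://` URL later in the same paragraph; with a score of 10.0 against SpamAssassin's default `required_score` of 5, that single hit is enough to mark the message as spam. SpamAssassin's `uri` rule type matches the extracted link targets instead of the rendered text.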
    
      robi wrote (#53):

      @crazybrad Excellent pattern!

      Conscious tech

        d19dotca wrote (#54):

        @crazybrad said in Sharing custom SpamAssassin Rules:

        @d19dotca Many thanks for sharing this. I'd like to suggest another addition based on one nasty abuse I've seen: unsubscribe links that use http instead of https, hoping that browser security blocks/warnings will cause users not to follow through and unsubscribe. Anyone not using https for anything these days is not worthy of my time:) This puts them where they belong:

        # Rule to detect unsubscribe links that do not use HTTPS
        body UNSUB_LINK_HTTP /unsubscribe.*http:\/\//i
        describe UNSUB_LINK_HTTP Unsubscribe link does not use HTTPS
        score UNSUB_LINK_HTTP 10.0
        

        Oh I like that! That’s a great idea! 💡

        --
        Dustin Dauncey
        www.d19.ca

          humptydumpty wrote (#55, last edited by humptydumpty):

          I'm getting a ton of spam from @gmail addresses. It's not possible to address those via rules without affecting all incoming gmail delivery, right?

          Also, what DNSBL zones other than Zen.Spamhaus is everyone using?

            d19dotca wrote (#56, last edited by d19dotca):

            @humptydumpty Unfortunately there isn’t a way (that I’m aware of at least) to filter out Gmail spam from normal Gmail messages, as Gmail servers tend to be whitelisted. That’s where the freemail rules can play a part though, and also the Bayesian learning scores too. Eventually the Bayesian learning will realize the contents of the spammy messages from Gmail and I have the scores set in such a way that once it’s fairly confident in it from past user interactions, similar emails even from Gmail will go to spam where it belongs, keeping the non-spam Gmail in the inbox.

            I’m sure there may be better ways to improve it, but that’s all I’ve found that works decently for now on the free email providers like Gmail.

            For a DNSBL drop list at connection time, I use Abusix which has been reliable but definitely on the conservative side (as you’d want on the connection drop list part to avoid false-positives), that might help a bit overall if it’s an email pretending to be from Gmail but not actually sent via Gmail.

            --
            Dustin Dauncey
            www.d19.ca

              humptydumpty wrote (#57):

              @d19dotca Thanks for the clarification. Yeah, I signed up for Abusix when I added the latest rules. I'm seeing less spam in my inbox overall. Much more manageable now. Thank you!

                robi wrote (#58):

                Still tons you can do by looking at how the usernames are structured. Many underscores or dashes, long ones, more numbers than letters, etc.

                Conscious tech

                  humptydumpty wrote (#59):

                  @robi Yes! I've noticed a pattern. No numbers though, at least for the gmail ones. It's first lastname+one random letter@gmail. Non-gmail addresses do have multiple numbers at the end with the same first last name format.
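
Added example (not from the thread's rule set): the structural checks robi lists in #58 and the trailing-digit pattern noted in #59, written as a Python function over `From` header values. The thresholds, flag names and sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Thresholds are assumptions for illustration; tune them against your own mail.
MAX_LOCAL_LEN = 20      # "long ones"
MAX_SEPARATORS = 2      # "many underscores or dashes"
TRAILING_DIGITS = 4     # name followed by a run of digits

_TRAILING = re.compile(r"[a-z]\d{%d,}$" % TRAILING_DIGITS)


def local_part_flags(from_header):
    """Return the structural flags raised by the sender's local part."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return ["unparseable"]
    local = address.rsplit("@", 1)[0].lower()
    letters = sum(c.isalpha() for c in local)
    digits = sum(c.isdigit() for c in local)
    flags = []
    if len(local) > MAX_LOCAL_LEN:
        flags.append("long")
    if local.count("_") + local.count("-") > MAX_SEPARATORS:
        flags.append("many_separators")
    if digits > letters:
        flags.append("more_digits_than_letters")
    if _TRAILING.search(local):
        flags.append("trailing_digit_run")
    return flags


def triage(from_headers):
    """Split headers into {header: flags} for flagged senders and a list of clean ones."""
    flagged, clean = {}, []
    for header in from_headers:
        flags = local_part_flags(header)
        if flags:
            flagged[header] = flags
        else:
            clean.append(header)
    return flagged, clean


# Constructed From headers (example.* domains), not taken from the thread.
SAMPLE_HEADERS = [
    "Maria Lopez <maria.lopez@example.com>",
    "jordansmithq@example.com",
    "a_b-c_d-e@example.com",
    '"Support" <8842071k@example.com>',
    "taylorbrown48213@example.net",
    "quarterly-newsletter-signup-desk@example.org",
    "undisclosed-recipients:;",
]

if __name__ == "__main__":
    flagged, clean = triage(SAMPLE_HEADERS)
    for header, flags in flagged.items():
        print(f"{header:50} {', '.join(flags)}")
    print("no structural flags:", clean)
```

The "first lastname plus one random letter" form raises no flag here, which is why content-based scoring such as the Bayesian learning mentioned in #56 is still needed for those senders.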

                    crazybrad wrote (#60):

                    @humptydumpty Happy to try to find a possible pattern and rule using AI. Post the gmail addresses if you want me to try.

                      humptydumpty wrote (#61):

                      @crazybrad Here are some that showed up in the recent logs.

                        d19dotca wrote (earlier post, shown as the parent of #62):

                        @murgero said in Sharing custom SpamAssassin Rules:

                        @d19dotca does this just go into email -> Spam Filter -> Custom Spam Assassin Settings?

                        Yes, it goes right there. Basically from the Mail page > Spam filtering > Custom Spamassassin Rules box.

                        You can copy & paste the entire thing, but do note a few items just in case:

                        • You will need to likely remove the blocklist_from or welcomelist_from lines unless you have emails to place in those two sections already, I left those there just for an example.
                        • If you want to use the DNSBLs from Abusix then you'll need to use your own API key (it's free for under 5,000 queries per day averaged over 7 days, it seems to work great and I highly recommend it).

                        The rest though you can basically copy & paste directly. Of course YMMV as they say, but this list works pretty well for me, or at least is a noticeable improvement over the rule tweaks I was using last year.

                        sponch wrote (#62, last edited by sponch):

                        @d19dotca great and thanks! for abusix I just have to put in the api key without <>, right?
                        Done but don't get queries shown in the dashboard (though I sent some mails).
                        Using zen.spamhaus.org as DNSBL

                          d19dotca wrote (#63):

                          @sponch said in Sharing custom SpamAssassin Rules:

                          @d19dotca great and thanks! for abusix I just have to put in the api key without <>, right?
                          Done but don't get queries shown in the dashboard (though I sent some mails).
                          Using zen.spamhaus.org as DNSBL

                          That’s correct, no angle brackets. The full URL to use is shown in the Abusix dashboard but it’s really just the API key plus the subdomain parts.

                          I didn’t see queries until the following day I think, if I’m remembering correctly. So maybe give it another day or two? Also maybe make sure you don’t have any spaces or blank characters in the DNSBL just in case that’s throwing off the DNS queries to it.

                          Also I saw you mentioned that you didn’t see on the dashboard “though [you] sent some mails”… just to clarify, the queries will be done when you receive mail rather than send mail. I’m sure you knew that, but just in case, I thought I should clarify that part. 😇

                          If you don’t see anything in a couple of days on the dashboard then let me know, and I can try to help. If it’s set correctly in Cloudron though then it could be something more on the Abusix side, maybe something needs to get confirmed or activated first (I don’t remember having to do that though but I’ve been using it for a while so I can’t remember the full on-boarding workflow).

                          --
                          Dustin Dauncey
                          www.d19.ca

                            sponch wrote (#64):

                            hey @d19dotca thanks again. Working now- I can see the first queries in abusix.
                            With "sent" I meant sent to the specific mailbox 🙂 looking forward to the next days filtering result :_)

                              BrutalBirdie (Partner) wrote (#65, last edited by BrutalBirdie):

                              7 days recap after applying your rules.
                              I believe not one spam mail has hit my spam folder or inbox so far.
                              👀 normally I'd get ~20x+ spam mails a day since my Inbox also redirects my old legacy mailboxes from web.de which have been leaked and abused over and over again.

                              I must say, this feels very good.
                              ❤

                              Like my work? Consider donating a drink. Cheers!

                                crazybrad wrote (#66, last edited by crazybrad):

                                @humptydumpty So I asked my favorite tool for some help on your list of "bad Gmail actors" and here is a detailed analysis for your consideration: https://www.perplexity.ai/search/please-review-the-attached-gma-BjXGrt4qR_er6c45dse5Vw .

                                I found myself curious as to whether those email addresses even exist. Unfortunately Gmail does not have a "finger" API and there are limited options within Spam Assassin for handling this directly. There were some ideas on combining Spam Assassin's rule-based tagging with a Sieve filter. Here are the details for your consideration: https://www.perplexity.ai/search/does-gmail-have-the-ability-to-jePfq628TDeod5jDVoYU2Q

                                  humptydumpty wrote (#67):

                                  @crazybrad That was an interesting read! I'm going to test the gmail spam rules and see how it goes. I'll add my gmail based clients to the whitelist to be on the safe side though. TYVM!

                                    sponch wrote (#68):

                                    @BrutalBirdie still get them in my spam folder but at least not in my inbox 🙂

                                      murgero (App Dev) wrote (#69):

                                      @d19dotca Heyo! Finally got around to applying this - do I need to add anything to Mail ACL or just to custom spamassassin rules?

                                      --
                                      https://urgero.org
                                      ~ Professional Nerd. Freelance Programmer. ~

                                        d19dotca wrote (#70):

                                        @murgero just in the SpamAssassin rules part is all you need. 🙂 Nothing else. But let me know if that doesn’t seem to work for you at all and I can try to help with some screenshots later too.

                                        --
                                        Dustin Dauncey
                                        www.d19.ca

                                          marcusquinn wrote (#71):

                                          I've been getting a LOT of spam lately.

                                          @girish Any chances we can have this implemented by the core app? Save everyone having to discover this thread and do the same.

                                          Web Design https://www.evergreen.je
                                          Development https://brandlight.org
                                          Life https://marcusquinn.com
