Sharing custom SpamAssassin Rules
I've been spending a long time lately on spam improvements on the Cloudron mail server. I've made a ton of improvements and while still not perfect (it never will be) it's a giant leap over how it was a few weeks ago.
I already made some updates in the other post on DNSBLs, for anyone who hasn't seen that already.
I've also improved the spam classifications for anything that gets past the DNSBLs. It was already pretty decent at classifying spam that was spam with no false-positives, however there was still a good amount getting to the inbox for some users in particular. I've trained them to use the spam folder and archive folder accordingly to train the filter for their account, but I also made a whole bunch of tweaks in the custom rules to overwrite scoring server-wide.
I thought I'd share what I have currently which adds in a few new providers as well as increasing the scores from their defaults. Here is what I've got currently and it seems to be working very well for me and my users with no false-positives that I can find and much more in the spam box where they should be. Feel free to adapt of course for your own servers.
The main highlights of the changes I made were the following:
- Increasing the scores for various DNSBLs where appropriate from their defaults
- Increasing the scores for SPF failures but keeping them still reasonable, as not every mail server has set up SPF correctly even if legitimate
- Modifying the scores for the BAYES_ learning ones, scoring them according to their confidence levels (and a bit above the default in most cases)
- Added three new DNSBLs for SpamAssassin (seen at the bottom of the list) which when combined with the overall scoring changes for DNSBLs built-in has provided a noticeable improvement in spam recognition
```
# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_GBUDB 4.0
score RCVD_IN_JMF_BL 3.0
score RCVD_IN_MSPIKE_H3 -2.0
score RCVD_IN_MSPIKE_H4 -3.0
score RCVD_IN_MSPIKE_H5 -3.5
score RCVD_IN_MSPIKE_L3 2.0
score RCVD_IN_MSPIKE_L4 3.0
score RCVD_IN_MSPIKE_L5 3.5
score RCVD_IN_MSPIKE_WL 0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SORBS_BLOCK 2.0
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_HTTP 2.0
score RCVD_IN_SORBS_MISC 2.0
score RCVD_IN_SORBS_SMTP 2.0
score RCVD_IN_SORBS_SOCKS 2.0
score RCVD_IN_SORBS_SPAM 2.0
score RCVD_IN_SORBS_WEB 2.0
score RCVD_IN_SORBS_ZOMBIE 2.0
score RCVD_IN_SPAMRATS 4.0
score RCVD_IN_XBL 3.5
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.5
score RCVD_IN_ZEN_BLOCKED 0.5

# scoring URIBLs
score URIBL_ABUSE_SURBL 3.0
score URIBL_BLACK 3.0
score URIBL_CR_SURBL 3.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 2.0
score URIBL_DBL_ABUSE_MALW 2.0
score URIBL_DBL_ABUSE_PHISH 2.0
score URIBL_DBL_ABUSE_REDIR 2.0
score URIBL_DBL_ABUSE_SPAM 2.0
score URIBL_DBL_BLOCKED 2.0
score URIBL_DBL_BLOCKED_OPENDNS 2.0
score URIBL_DBL_BOTNETCC 2.0
score URIBL_DBL_ERROR 2.0
score URIBL_DBL_MALWARE 2.0
score URIBL_DBL_PHISH 2.0
score URIBL_DBL_SPAM 2.0
score URIBL_GREY 1.5
score URIBL_MW_SURBL 2.0
score URIBL_PH_SURBL 2.0
score URIBL_RED 2.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_WS_SURBL 2.0
score URIBL_ZEN_BLOCKED 2.0
score URIBL_ZEN_BLOCKED_OPENDNS 2.0

# scoring SPF & DKIM
score DKIM_INVALID 1.0
score DKIM_SIGNED -0.5
score DKIM_VALID -0.5
score DKIM_VALID_AU -0.5
score DKIM_VALID_EF -0.5
score DKIM_VERIFIED -1.0
score SPF_FAIL 2.0
score SPF_HELO_FAIL 2.0
score SPF_HELO_NEUTRAL 0.5
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS -0.5
score SPF_HELO_SOFTFAIL 1.0
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS -0.5
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -1.5
score BAYES_05 -1.0
score BAYES_20 -0.5
score BAYES_40 0.5
score BAYES_50 1.0
score BAYES_60 1.5
score BAYES_80 2.0
score BAYES_95 3.0
score BAYES_99 4.5
score BAYES_999 5.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score FREEMAIL_FROM 0.5
score HEADER_FROM_DIFFERENT_DOMAINS 3.5
score HTML_FONT_LOW_CONTRAST 2.0
# rule name corrected from HTML_MESSAE; a score for a rule that does not exist never applies
score HTML_MESSAGE 0.5
score LOTS_OF_MONEY 1.5
score MISSING_HEADERS 1.0

# add GBUDB TRUNCATE DNSBL
header   RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags   RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header   RCVD_IN_JMF_BL eval:check_rbl('jmfbl', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags   RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header   RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags   RCVD_IN_SPAMRATS net
```
I made a small update as I continue forwards on this project. Here's an updated list. Feel free to use something like diffchecker.com to determine what specifically was changed between them so far.
The highlights include (but are not limited to):
- Correcting the scores for SPF & DKIM passes to not be as high as I had them (in fact I basically nullified them now) as it's easy for spammers to fool those, while having a harsher score for any SPF & DKIM failures still, as generally recommended by SpamAssassin
- Updated the BAYES learning scores - mostly corrected the BAYES_999 one as that is meant to be on top of BAYES_99, in other words they are always scored together if it's that confident, it won't be BAYES_999 ever on its own so I didn't need to have that score be so high, among a couple other scoring tweaks to them
- Added a few SpamEatingMonkey DNSBLs / URIBLs to the list for extra scoring - this has seemingly helped a lot by having extra checks done which all compound usually with the other DNSBLs that get triggered too
- I tweaked the scores a bit for some of the DNSBLs & URIBLs, making some a little more aggressive and some a little bit less aggressive depending on any false-positive rates and the description of each check, etc
- Updated and added in more HTML & HEADER & MISSING related scores
Your mileage may vary, but I believe this new list is an improvement over the previous one.
```
# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 3.0
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_GBUDB 4.0
score RCVD_IN_IADB_DK -0.5
score RCVD_IN_IADB_DOPTIN_GT50 -0.5
score RCVD_IN_IADB_DOPTIN_LT50 -0.5
score RCVD_IN_IADB_EDDB -0.5
score RCVD_IN_IADB_EPIA -0.5
score RCVD_IN_IADB_GOODMAIL -0.5
score RCVD_IN_IADB_LISTED -0.5
score RCVD_IN_IADB_LOOSE -0.5
score RCVD_IN_IADB_MI_CPEAR 0
score RCVD_IN_IADB_MI_CPR_30 0
score RCVD_IN_IADB_MI_CPR_MAT 0.0
score RCVD_IN_IADB_NOCONTROL -0.5
score RCVD_IN_IADB_OOO -0.5
score RCVD_IN_IADB_OPTIN -0.5
score RCVD_IN_IADB_OPTIN_GT50 -0.5
score RCVD_IN_IADB_OPTIN_LT50 -0.5
score RCVD_IN_IADB_OPTOUTONLY -0.5
score RCVD_IN_IADB_RDNS -0.5
score RCVD_IN_IADB_SENDERID -0.5
score RCVD_IN_IADB_SPF -0.5
score RCVD_IN_IADB_UNVERIFIED_1 -0.5
score RCVD_IN_IADB_UNVERIFIED_2 -0.5
score RCVD_IN_IADB_UT_CPEAR 0
score RCVD_IN_IADB_UT_CPR_30 0
score RCVD_IN_IADB_UT_CPR_MAT 0
score RCVD_IN_JMF_BL 3.5
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_H2 0.0
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -2.0
score RCVD_IN_MSPIKE_H5 -3.0
score RCVD_IN_MSPIKE_L2 1.5
score RCVD_IN_MSPIKE_L3 3.5
score RCVD_IN_MSPIKE_L4 4.5
score RCVD_IN_MSPIKE_L5 5.0
score RCVD_IN_MSPIKE_WL 0.0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_SEM_BLACK 3.5
score RCVD_IN_SEM_NET_BLACK 2.5
score RCVD_IN_SORBS_BLOCK 2.5
score RCVD_IN_SORBS_DUL 2.5
score RCVD_IN_SORBS_HTTP 2.5
score RCVD_IN_SORBS_MISC 2.5
score RCVD_IN_SORBS_SMTP 2.5
score RCVD_IN_SORBS_SOCKS 2.5
score RCVD_IN_SORBS_SPAM 2.5
score RCVD_IN_SORBS_WEB 2.5
score RCVD_IN_SORBS_ZOMBIE 2.5
score RCVD_IN_SPAMRATS 3.5
score RCVD_IN_XBL 3.5
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

# scoring URIBLs
score URIBL_ABUSE_SURBL 4.0
score URIBL_BLACK 4.0
score URIBL_CR_SURBL 4.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 3.5
score URIBL_DBL_ABUSE_MALW 3.5
score URIBL_DBL_ABUSE_PHISH 3.5
score URIBL_DBL_ABUSE_REDIR 3.5
score URIBL_DBL_ABUSE_SPAM 3.5
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 3.5
score URIBL_DBL_ERROR 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_SPAM 3.5
score URIBL_GREY 2.0
score URIBL_MW_SURBL 4.0
score URIBL_PH_SURBL 4.0
score URIBL_RED 2.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_SEM 2.5
score URIBL_SEM_FRESH30 2.0
score URIBL_WS_SURBL 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0

# scoring DKIM & SPF
score DKIM_INVALID 1.5
score DKIM_SIGNED 0.0
score DKIM_VALID 0.0
score DKIM_VALID_AU 0.0
score DKIM_VALID_EF 0.0
score DKIM_VERIFIED 0.0
score FORGED_SPF_HELO 3.0
score SPF_FAIL 1.5
score SPF_HELO_FAIL 1.5
score SPF_HELO_NEUTRAL 1.0
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS 0.0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS 0.0
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -2.5
score BAYES_05 -1.0
score BAYES_20 0.5
score BAYES_40 1.5
score BAYES_50 2.0
score BAYES_60 3.0
score BAYES_80 4.0
score BAYES_95 4.5
score BAYES_99 5.0
score BAYES_999 1.5

# scoring HTML
score HTML_FONT_LOW_CONTRAST 1.0
score HTML_IMAGE_ONLY_04 1.5
score HTML_IMAGE_ONLY_08 2.0
score HTML_IMAGE_ONLY_12 2.0
score HTML_IMAGE_ONLY_16 2.0
score HTML_IMAGE_ONLY_20 2.0
score HTML_IMAGE_ONLY_24 2.5
score HTML_IMAGE_ONLY_28 2.5
score HTML_IMAGE_ONLY_32 3.0
score HTML_IMAGE_RATIO_02 0.0
score HTML_IMAGE_RATIO_04 0.0
score HTML_IMAGE_RATIO_06 0.0
score HTML_IMAGE_RATIO_08 0.0
score HTML_MESSAGE 0.0

# scoring HEADER & MISSING
score HEADER_FROM_DIFFERENT_DOMAINS 1.0
score HEADER_SPAM 2.5
score MISSING_DATE 3.0
score MISSING_FROM 1.5
score MISSING_HB_SEP 0.0
score MISSING_HEADERS 1.5
score MISSING_MID 1.0
score MISSING_MIMEOLE 2.0
score MISSING_SUBJECT 2.0

# scoring FREEMAIL
score FORGED_GMAIL_RCVD 2.5
score FORGED_YAHOO_RCVD 2.5
score FREEMAIL_ENVFROM_END_DIGIT 0.5
score FREEMAIL_FORGED_REPLYTO 2.5
score FREEMAIL_FROM 0
score FREEMAIL_REPLY 1.0
score FREEMAIL_REPLYTO 1.0
score FREEMAIL_REPLYTO_END_DIGIT 0.5
score MALFORMED_FREEMAIL 4.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score EMPTY_MESSAGE 1.5
score HK_RANDOM_ENVFROM 1.0
score HK_RANDOM_FROM 1.0
score LOTS_OF_MONEY 1.0
score MPART_ALT_DIFF 2.5
score MPART_ALT_DIFF_COUNT 2.5
score NO_DNS_FOR_FROM 0.5
score RDNS_NONE 1.0
score REPLYTO_WITHOUT_TO_CC 2.5
score UNPARSEABLE_RELAY 0.5
score URI_DQ_UNSUB 2.0

# add GBUDB TRUNCATE DNSBL
header   RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags   RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header   RCVD_IN_JMF_BL eval:check_rbl('jmfbl', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags   RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header   RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags   RCVD_IN_SPAMRATS net

# add SpamEatingMonkey DNSBL
# each zone gets its own check_rbl set name (as the stock rules do) so the two
# lookups are not merged, and the zone ends with a trailing dot like the others
header   RCVD_IN_SEM_NET_BLACK eval:check_rbl('sem_netbl', 'netbl.spameatingmonkey.net.')
tflags   RCVD_IN_SEM_NET_BLACK net
describe RCVD_IN_SEM_NET_BLACK Received from an IP listed by SpamEatingMonkey

# add second SpamEatingMonkey DNSBL
header   RCVD_IN_SEM_BLACK eval:check_rbl('sem_bl', 'bl.spameatingmonkey.net.')
tflags   RCVD_IN_SEM_BLACK net
describe RCVD_IN_SEM_BLACK Received from an IP listed by SpamEatingMonkey

# add SpamEatingMonkey URIBL
urirhssub URIBL_SEM uribl.spameatingmonkey.net. A 2
body      URIBL_SEM eval:check_uridnsbl('URIBL_SEM')
describe  URIBL_SEM Contains a URI listed by SpamEatingMonkey
tflags    URIBL_SEM net

# add second SpamEatingMonkey URIBL
urirhssub URIBL_SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
body      URIBL_SEM_FRESH30 eval:check_uridnsbl('URIBL_SEM_FRESH30')
describe  URIBL_SEM_FRESH30 Contains a domain registered less than 30 days ago
tflags    URIBL_SEM_FRESH30 net
```
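To see what changed between two versions of a list like this without pasting them into diffchecker.com, and to sanity-check custom `check_rbl` lines before they go live, here is a small Python script added for this write-up; it is not part of the original post, of Cloudron or of SpamAssassin. It parses `score` lines, reports added, removed and changed rules, lints `check_rbl` definitions (zone without a trailing dot, one set name shared by two zones, which the stock rules never do), and totals a set of rule hits, which also shows why BAYES_999 no longer needs a large score of its own: it only ever fires together with BAYES_99. The two rule excerpts inside are constructed from a handful of entries in the lists above, not the full files, and the two SpamEatingMonkey lines are deliberately written with the zone lacking its trailing dot and a shared set name so the linter has something to flag.

```python
"""Compare two SpamAssassin score lists and lint custom check_rbl rules."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts: a few entries from each list in the post, not the full files.
OLD_RULES = """\
# scoring BAYES
score BAYES_99 4.5
score BAYES_999 5.0
score SPF_PASS -0.5
score DKIM_VALID -0.5
score RCVD_IN_JMF_BL 3.0
score HTML_MESSAE 0.5   # misspelled rule name: a score for a rule that does not exist never applies
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
"""

NEW_RULES = """\
score BAYES_99 5.0
score BAYES_999 1.5
score SPF_PASS 0.0
score DKIM_VALID 0.0
score RCVD_IN_JMF_BL 3.5
score URIBL_SEM 2.5
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
# deliberately written with a missing trailing dot and a shared 'sem' set name
header RCVD_IN_SEM_NET_BLACK eval:check_rbl('sem', 'netbl.spameatingmonkey.net')
header RCVD_IN_SEM_BLACK eval:check_rbl('sem', 'bl.spameatingmonkey.net')
"""

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")
# matches check_rbl('set', 'zone.') and check_rbl_txt(...); check_rbl_sub is excluded on purpose
RBL_RE = re.compile(r"check_rbl(?:_txt)?\(\s*'([^']+)'\s*,\s*'([^']+)'")


def parse_scores(text: str) -> Dict[str, float]:
    """Return {rule: score}. When four values are given, keep the last (the bayes+net score set)."""
    scores: Dict[str, float] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = SCORE_RE.match(line)
        if not m:
            continue
        try:
            values = [float(v) for v in m.group(2).split()]
        except ValueError:
            continue  # not a numeric score line
        if values:
            scores[m.group(1)] = values[-1]
    return scores


def diff_scores(old: Dict[str, float], new: Dict[str, float]) -> Tuple[
        Dict[str, float], Dict[str, float], Dict[str, Tuple[float, float]]]:
    """Split two parsed score lists into (added, removed, changed) rules."""
    added = {r: s for r, s in new.items() if r not in old}
    removed = {r: s for r, s in old.items() if r not in new}
    changed = {r: (old[r], new[r]) for r in old if r in new and old[r] != new[r]}
    return added, removed, changed


def lint_rbl_rules(text: str) -> List[str]:
    """Flag check_rbl zones without a trailing dot and set names reused across zones."""
    problems: List[str] = []
    zones_by_set: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        m = RBL_RE.search(raw.split("#", 1)[0])
        if not m:
            continue
        set_name, zone = m.groups()
        if not zone.endswith("."):
            problems.append(f"zone {zone!r} should end with a trailing dot")
        zones_by_set.setdefault(set_name, set()).add(zone)
    for set_name, zones in zones_by_set.items():
        if len(zones) > 1:
            problems.append(f"set {set_name!r} reused for zones {sorted(zones)}")
    return problems


def total_score(scores: Dict[str, float], hits: List[str]) -> float:
    """Sum the scores of the rules that hit; unknown rules contribute nothing."""
    return sum(scores.get(rule, 0.0) for rule in hits)


if __name__ == "__main__":
    old, new = parse_scores(OLD_RULES), parse_scores(NEW_RULES)
    added, removed, changed = diff_scores(old, new)
    for rule, (before, after) in sorted(changed.items()):
        print(f"{rule}: {before} -> {after}")
    print("added:", added, "removed:", removed)
    for problem in lint_rbl_rules(NEW_RULES):
        print("lint:", problem)
    bayes_hits = ["BAYES_99", "BAYES_999"]
    print("BAYES_99+BAYES_999 old/new:", total_score(old, bayes_hits), total_score(new, bayes_hits))
```

Point the two string constants at the full contents of the old and new files to get the complete diff; the lint pass is cheap enough to run on every edit before `spamassassin --lint`.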
robi
This is great work!
Can you add a reminder in the top post of how to install them?