Still lots of Spam hitting RT after filtering via Procmail/SpamAssassin/Rules Du Jour

Hi list!

My RT instance still receives lots of SPAM even with procmail
filtering, with SpamAssassin updated with “rules du jour” script.

My procmail logs show that some of the mail is filtered but still gets
through lots of spam. Any suggestions?

Thanks in advance.

Pedro Machado Santa

RT 3.4.1

Here are my configuration files:

/etc/aliases:

rt: | "/usr/bin/procmail -m /etc/procmailrcs/rt-helpdesk"

rt-comment: | "/usr/bin/perl /usr/bin/rt-mailgate --queue helpdesk --action comment --url http://gestao.dec.uc.pt/rt/"

gestor-info: | "/usr/bin/perl /usr/bin/rt-mailgate --queue gestor-info --action correspond --url http://gestao.dec.uc.pt/rt/"

/etc/procmailrcs/rt-helpdesk

PATH=/usr/local/bin:/bin:/usr/bin
LOGFILE=/var/log/procmail.log
INCLUDERC=/etc/procmailrcs/_spamfilter

# All mails bigger than 300000 characters are sent to an administrator instead

:0fwbh

#if the spam trigger is fired send to spam queue
#:0fwbh
:0:

:0:
* ^Subject: RHN Errata Alert:
! gestor-info@dec.uc.pt

#if the spam trigger is not fired then send to expected destination
:0wbh
|/usr/bin/rt-mailgate --queue helpdesk --action correspond --url http://gestao.dec.uc.pt/rt

/etc/procmailrcs/_spamfilter

# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamassassin

# Mails with a score of 15 or higher are almost certainly spam (with 0.05%
# false positives according to rules/STATISTICS.txt). Let's put them in a
# different mbox. (This one is optional.)
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null
#/local/mailcopy/almost-certainly-spam

# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped. This will re-add it.
:0
* ^^rom
{
  LOG="*** Dropped F off From_ header! Fixing up. "

  :0 fhw
  | sed -e '1s/^/F/'
}

:0 c
/var/mail/admin
#/local/mailcopy/unconfirmed-ham

On Thursday 10 May 2007 at 17:03, Pedro Santa wrote:

My RT instance still receives lots of SPAM even with procmail
filtering, with SpamAssassin updated with “rules du jour” script.

I think an MTA level configuration for using some block lists can help you.

Like this, for our postfix+postgrey mailservers:

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access_rejected,
    hash:/etc/postfix/access,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_recipient_maps,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client combined.njabl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    check_policy_service inet:127.0.0.1:10030,
    permit_mx_backup

Luca Villani Mobile Team, Dada S.p.A.
Tel: +39 055 2267220 Mob: +39 335 8753086
ICQ: 76272621 Skype: luca.villani
GPG key fingerprint: 7FC9 E2FE 0BEE 9DF8 1719 8761 1B79 82CC F0B5 B7CF

Hi list!

My RT instance still receives lots of SPAM even with procmail
filtering, with SpamAssassin updated with “rules du jour” script.

My procmail logs show that some of the mail is filtered but still gets
through lots of spam. Any suggestions?

Thanks in advance.

Pedro Machado Santa

RT 3.4.1

Here are my configuration files:

< SNIPPED >

Looks like you used my configs :)

I would review the headers of the ones getting through. Most likely you
can “turn down” the SPAM assassins rating number.

Review the X-SPAM-SCORE: header of all the spam getting through, then
look over the same headers of “good” email getting through. Probably
will not take long to see a pattern. You can then change your spam
assassin config to reflect what you have found.

Also note that SPAM assassin needs some time to learn. Do a bit of
googling for “sa-learn --ham” and “sa-learn --spam” to get a better
idea.

For what it is worth, here is top portion of my /etc/

# Added by KDS on 1/10/05
# Lowered to catch a little more than necessary
required_hits 3.5

ok_languages en

ok_locales en
rewrite_header subject [*** SPAM ***]

# Next line adds info to top of email body
report_safe 0

fold_headers 1

# next line should be all one line, watch for wrapping
add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_

http://gentgeen.homelinux.org

Associate yourself with men of good quality if you esteem
your own reputation; for 'tis better to be alone than in bad
company. - George Washington, Rules of Civility
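
As an added example (not code from any poster in this thread), the header review suggested in the last reply can be run over saved messages: the script reads X-Spam-Status in the hits=/required=/tests= layout of the add_header line above and shows, for each candidate required_hits, how much missed spam would still be delivered and how much good mail would be tagged. The sample messages and all function names are constructed for illustration.

```python
import email
import re
from collections import Counter

# Accepts the older "hits=" and the newer "score=" spelling of X-Spam-Status.
SCORE_RE = re.compile(r"(?:hits|score)=(-?\d+(?:\.\d+)?) required=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"tests=(.*?)(?= autolearn=| version=|$)")

def parse_status(raw):
    """Return (score, required, [rule names]) or None if the mail was never scanned."""
    header = email.message_from_string(raw).get("X-Spam-Status")
    if header is None:
        return None
    flat = re.sub(r"\s+", " ", header)          # unfold a wrapped header
    score = SCORE_RE.search(flat)
    if not score:
        return None
    tests = TESTS_RE.search(flat)
    names = [t.strip() for t in (tests.group(1) if tests else "").split(",")]
    return float(score.group(1)), float(score.group(2)), [n for n in names if n and n != "none"]

def evaluate(spam, ham, thresholds):
    """Map each candidate required_hits to (spam still delivered, ham that would be tagged)."""
    spam_scores = [s[0] for s in map(parse_status, spam) if s]
    ham_scores = [s[0] for s in map(parse_status, ham) if s]
    return {t: (sum(x < t for x in spam_scores), sum(x >= t for x in ham_scores))
            for t in thresholds}

def common_tests(messages, top=3):
    """Rules that fired most often, to see what the missed spam has in common."""
    return Counter(t for s in map(parse_status, messages) if s for t in s[2]).most_common(top)

def sample(score, tests):
    """Build a constructed message; the header is folded the way delivered mail often is."""
    return ("From: sender@example.test\nSubject: constructed sample\n"
            f"X-Spam-Status: No, hits={score} required=5.0 tests={tests}\n"
            "\tautolearn=no\n\nbody\n")

# Constructed samples: spam that reached the queue, and legitimate mail.
MISSED_SPAM = [sample("4.1", "BAYES_50,HTML_MESSAGE,\n\tMIME_HTML_ONLY"),
               sample("3.7", "BAYES_50,HTML_MESSAGE"), sample("2.2", "BAYES_50")]
GOOD_MAIL = [sample("-1.2", "BAYES_00"), sample("0.4", "HTML_MESSAGE"),
             sample("3.6", "HTML_MESSAGE,MIME_HTML_ONLY")]

if __name__ == "__main__":
    for t, (missed, tagged) in evaluate(MISSED_SPAM, GOOD_MAIL, [5.0, 3.5, 2.0]).items():
        print(f"required_hits {t}: {missed} spam delivered, {tagged} good mail tagged")
    print(common_tests(MISSED_SPAM))
```

Messages with no X-Spam-Status header (for example, mail above the 256000-byte limit in the procmail recipe, which is never piped through spamassassin) are skipped rather than counted as score 0.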