06-24-2007, 03:49 AM
Rules du Jour - spamassassin

Hi,
I guess that I'm not the only one getting a lot of spam in my mailboxes.
I read about the "rules du jour" method to complement spamassassin and I was wondering if I implemented it in the right way.
I followed this wiki:
Howtos Spam Assassin Rules Du Jour Configuration
From 5dollarwhitebox.org Media Wiki

This is the basics on how to install and configure Rules Du Jour for Spam Assassin:

Code:
install_rdj.pl: http://devel.5dollarwhitebox.org/scripts/install_rdj.pl

Code:
linuxbox #] wget http://devel.5dollarwhitebox.org/scripts/install_rdj.pl
linuxbox #] perl install_rdj.pl --install

Get Rules Du Jour:

Code:
linuxbox] # wget http://sandgnat.com/rdj/rules_du_jour
linuxbox] # mv rules_du_jour /usr/local/sbin/rules_du_jour
linuxbox] # chmod 750 /usr/local/sbin/rules_du_jour

Configure Rules Du Jour

Code:
linuxbox] # mkdir /etc/rulesdujour
linuxbox] # vi /etc/rulesdujour/config

The following is a basic configuration for Rules Du Jour

Code:
SA_DIR="/opt/zimbra/conf/spamassassin"
MAIL_ADDRESS="root"
SINGLE_EMAIL_ONLY="true";
SA_RESTART="/etc/init.d/psa-spamassassin restart"
TRUSTED_RULESETS="
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
RANDOMVAL
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_OBFU0
SARE_SPAMCOP_TOP200
"

Run Rules Du Jour

Code:
linuxbox] # rules_du_jour

Crontab it
Run 'crontab -e -u root' and add something similar to the following:

Code:
1 1 * * * /usr/local/sbin/rules_du_jour > /dev/null 2>&1

Do I have to do something differently to make it work with Zimbra? I did this and it worked, but I don't know if it actually does the job.
Thanks!
06-24-2007, 06:11 AM
Zimbra Consultant & Moderator
Posts: 20,314

Quote:
Originally Posted by sturgis
> .... I did this and it worked, but I don't know if it actually does the job.
> Thanks!

That would depend on whether you see a reduction in spam in your inbox. Actually the RDJ script only updates files that you probably have in your Zimbra config anyway, those files are also not updated very often. You also don't say what other features of Zimbra that you use (such as RBL list) or if your tag/kill percentages have been changed.
FWIW, I see no spam in my inbox and the Junk folder has about 30 messages in it with a 30 day retention - so I guess 1 per day on average.
__________________
Regards
Bill
06-24-2007, 06:32 AM

Quote:
Originally Posted by phoenix
> That would depend on whether you see a reduction in spam in your inbox. Actually the RDJ script only updates files that you probably have in your Zimbra config anyway, those files are also not updated very often. You also don't say what other features of Zimbra that you use (such as RBL list) or if your tag/kill percentages have been changed.
> FWIW, I see no spam in my inbox and the Junk folder has about 30 messages in it with a 30 day retention - so I guess 1 per day on average.

Thanks for your answer.
I changed the tag kill to 66/20
I use
•reject_invalid_hostname
•reject_non_fqdn_hostname
•reject_non_fqdn_sender
And:
•reject_rbl_client dnsbl.njabl.org
•reject_rbl_client cbl.abuseat.org
•reject_rbl_client bl.spamcop.net
•reject_rbl_client sbl.spamhaus.org
•reject_rbl_client relays.mail-abuse.org
Nevertheless I get a lot of spam, especially those with pictures of pharmacy etc...
How do I eliminate those? Sometimes I have the feeling that trainsa does not work.
I thought that this rules du jour would help... but the wiki was not for zimbra.
I suggested to use Stop spam with the Anti-Spam-SMTP-Proxy (ASSP) in the next release, to whitelist, blacklist and so... I hope zimbra guys consider my proposal...
By the way, my junk mail (and all users ones) are getting bigger and bigger. Is there a way to empty it automatically?
Last edited by sturgis; 06-24-2007 at 06:39 AM..
06-24-2007, 06:55 AM
Zimbra Consultant & Moderator
Posts: 20,314

You shouldn't see much spam with those settings, I don't use any of those I've just changed smtpd_reject_unlisted_recipient in the zmmta.cf file to 'yes', and my tag/kill are set to 25/66. In current versions of Zimbra we have disabled DSPAM by default as there was a performance problem on larger sites, I've also re-enabled that.
The lifetime of mail in the Junk folder is controlled by the 'lifetime' option in the admin ui on the COS/Advanced tab. There is an article here about using RDJ with Zimbra, I did use it a while back but have since discontinued it.
__________________
Regards
Bill
Last edited by phoenix; 11-27-2007 at 09:12 AM..
06-27-2007, 06:41 AM

Quote:
Originally Posted by phoenix
> You shouldn't see much spam with those settings, I don't use any of those I've just changed smtpd_reject_unlisted_recipient in the zmmta.cf file to 'yes', and my tag/kill are set to 25/66. In current versions of Zimbra we have disabled DSPAM by default as there was a performance problem on larger sites, I've also re-enabled that.
> The lifetime of mail in the Junk folder is controlled by the 'lifetime' option in the admin ui on the COS/Advanced tab. There is an article here about using RDJ with Zimbra, I did use it a while back but have since discontinued it.

Phoenix,
I have waited a couple of days and there are no results. I keep receiving an average of to image spam emails in my account every day. I don't know about the rest of my users... but I know I do.
What do you think is wrong in the implementation above, and how could I get rid of these disturbing emails?
Thanks
Last edited by phoenix; 11-27-2007 at 09:12 AM..
06-27-2007, 07:04 AM
Zimbra Consultant & Moderator
Posts: 20,314

Well, it's impossible to say without seeing some headers from the message to see if the anti-spam is working. Did you also make this change "smtpd_reject_unlisted_recipient yes" to zmmta.cf that I mentioned earlier?
__________________
Regards
Bill
Last edited by phoenix; 11-27-2007 at 09:13 AM..
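Added example, not part of the thread: one way to read, from the headers of a delivered message, whether SpamAssassin scored it and which rules fired, which is the evidence asked for above. The sample messages and the SARE_EXAMPLE rule name are constructed, the X-Spam-Status layout is assumed to be the one amavisd-new or SpamAssassin writes, and treating a SARE_ prefix as a Rules Du Jour hit is an assumption.

```python
import email
import re

# Constructed sample messages (not from the thread); SARE_EXAMPLE is a placeholder.
SAMPLE_SCANNED = """\
From: sender@example.net
To: user@example.com
Subject: image only
X-Spam-Flag: NO
X-Spam-Status: No, score=3.1 tagged_above=-10 required=6.6
 tests=[HTML_IMAGE_ONLY_08=1.8, SARE_EXAMPLE=0.8, BAYES_50=0.5]

body
"""
SAMPLE_UNSCANNED = """\
From: sender@example.net
To: user@example.com
Subject: no spam headers at all

body
"""

SCORE_RE = re.compile(r"^(Yes|No),\s*score=(-?[\d.]+)", re.I)
REQUIRED_RE = re.compile(r"required=(-?[\d.]+)")
# Accepts both tests=[A=1.0, B=2.0] and tests=A,B
TESTS_RE = re.compile(r"tests=\[?((?:[A-Z0-9_]+(?:=-?[\d.]+)?[,\s]*)*)")

def spam_report(raw_message):
    """Summarise the SpamAssassin verdict recorded in one message's headers."""
    msg = email.message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        # Not scanned, or scored below the level at which headers are added.
        return {"scanned": False}
    status = " ".join(status.split())  # unfold continuation lines
    verdict = SCORE_RE.match(status)
    required = REQUIRED_RE.search(status)
    tests = TESTS_RE.search(status)
    names = re.findall(r"[A-Z][A-Z0-9_]*", tests.group(1)) if tests else []
    return {
        "scanned": True,
        "is_spam": bool(verdict) and verdict.group(1).lower() == "yes",
        "score": float(verdict.group(2)) if verdict else None,
        "required": float(required.group(1)) if required else None,
        "tests": names,
        # Assumption: rule sets fetched by Rules Du Jour use the SARE_ prefix.
        "sare_hits": [n for n in names if n.startswith("SARE_")],
    }
```

A message that reports `scanned: False` never reached the scorer or was below the tagging level; one that was scanned with an empty `sare_hits` list shows the added rule sets did not match it.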
06-27-2007, 01:13 PM

Quote:
Originally Posted by sturgis
> Thanks for your answer.
> I use
> •reject_rbl_client sbl.spamhaus.org

Change that to zen.spamhaus.org and you should get better results.
Also, our /etc/rulesdujour/config file looks like this:
#
# Configuration File for Updating SpamAssassin with the
# Rules Du Jour Script /usr/local/sbin/rules_du_jour.
# Script is run once a day via cron and will update
# spamassassin rule sets by adding the third-party
# rule sets listed below. See http://www.exit0.us/index.php?pagename=RulesDuJour
# for more information
#
# Version 1.00 - 2005-11-28 - L. Mark Stone - Initial configuration.
# Version 1.01 - 2006-10-11 - L. Mark Stone - Modified for use with Zimbra.
TRUSTED_RULESETS="TRIPWIRE SARE_BML SARE_FRAUD SARE_OEM SARE_STOCKS SARE_BAYES_POISON_NXM SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_REDIRECT_POST300 SARE_HTML0 SARE_HTML1 SARE_HTML_ENG SARE_HEADER0 SARE_HEADER1 SARE_SPECIFIC SARE_ADULT SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI0 SARE_URI1 SARE_OBFU0 SARE_OBFU1 SARE_SPOOF SARE_RANDOM"
SA_DIR="/opt/zimbra/conf/spamassassin"
RULES_DU_JOUR_SCRIPT="/usr/sbin/rules_du_jour"
MAIL_ADDRESS="Use_Your_Own_Address@Your_Own_Domain.com"
SA_RESTART="/opt/zimbra/bin/zmamavisdctl restart"
SA_LINT=" "
Hope that helps.
All the best,
Mark
__________________
___________________________________ L. Mark Stone, CIO "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
Last edited by LMStone; 06-27-2007 at 01:15 PM..
06-28-2007, 03:31 AM

Quote:
Originally Posted by LMStone
> Change that to zen.spamhaus.org and you should get better results.
> Also, our /etc/rulesdujour/config file looks like this:
> #
> # Configuration File for Updating SpamAssassin with the
> # Rules Du Jour Script /usr/local/sbin/rules_du_jour.
> # Script is run once a day via cron and will update
> # spamassassin rule sets by adding the third-party
> # rule sets listed below. See http://www.exit0.us/index.php?pagename=RulesDuJour
> # for more information
> #
> # Version 1.00 - 2005-11-28 - L. Mark Stone - Initial configuration.
> # Version 1.01 - 2006-10-11 - L. Mark Stone - Modified for use with Zimbra.
> TRUSTED_RULESETS="TRIPWIRE SARE_BML SARE_FRAUD SARE_OEM SARE_STOCKS SARE_BAYES_POISON_NXM SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_REDIRECT_POST300 SARE_HTML0 SARE_HTML1 SARE_HTML_ENG SARE_HEADER0 SARE_HEADER1 SARE_SPECIFIC SARE_ADULT SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI0 SARE_URI1 SARE_OBFU0 SARE_OBFU1 SARE_SPOOF SARE_RANDOM"
> SA_DIR="/opt/zimbra/conf/spamassassin"
> RULES_DU_JOUR_SCRIPT="/usr/sbin/rules_du_jour"
> MAIL_ADDRESS="Use_Your_Own_Address@Your_Own_Domain.com"
> SA_RESTART="/opt/zimbra/bin/zmamavisdctl restart"
> SA_LINT=" "
> Hope that helps.
> All the best,
> Mark

Thanks Mark,
I just changed it. I'll wait for a week and I'll post the results. For the time being already one image spam came...
sturgis
06-28-2007, 04:14 AM
IMHO, receiving a few spams a day is a good indication that you are not suffering from false positives.
We have doctors and lawyers on our system; they talk about drugs, illegal activities and other topics that in many systems are likely to get flagged as spam. That's not acceptable, so we have to be very careful about anti-spam configurations.
If you read the RDJ documentation, you will see that there are a lot of rules in the form "Rule0, Rule1, Rule2, Rule3", where the base rule checks for the same thing, but the higher the number the more messages will be flagged as spam and the greater the likelihood of false positives. We don't use anything higher than a 1, but many systems use 2s and a few 3s with few false positives. With our customers, we can't do that. YMMV of course. :-)
All the best,
Mark
__________________
___________________________________ L. Mark Stone, CIO "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
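Added example, not LMStone's or the Rules Du Jour project's code: a small audit of an /etc/rulesdujour/config that flags rule sets above a chosen level and settings that point outside the Zimbra tree. The sample config is constructed from settings posted in this thread plus SARE_HTML2; reading a single trailing digit 0-3 as the level and the /opt/zimbra/ prefix check are assumptions.

```python
import re

# Constructed sample: settings from the first post plus SARE_HTML2, added
# here to show an entry above the level-1 ceiling described above.
SAMPLE_CONFIG = '''\
SA_DIR="/opt/zimbra/conf/spamassassin"
SA_RESTART="/etc/init.d/psa-spamassassin restart"
TRUSTED_RULESETS="
TRIPWIRE
SARE_EVILNUMBERS0
SARE_HTML2
SARE_REDIRECT_POST300
SARE_OBFU1
"
'''

def parse_config(text):
    """Read KEY="value" pairs; a quoted value may span several lines."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))

def ruleset_level(name):
    """Return the trailing 0-3 level, or None when the name carries none.

    Assumption: only a single trailing digit counts, so a name ending in
    "300" or "200" is treated as unlevelled rather than as level 0.
    """
    m = re.fullmatch(r".*\D([0-3])", name)
    return int(m.group(1)) if m else None

def audit(text, max_level=1, zimbra_prefix="/opt/zimbra/"):
    """List rule sets above max_level and settings outside the Zimbra tree."""
    cfg = parse_config(text)
    findings = []
    for name in cfg.get("TRUSTED_RULESETS", "").split():
        level = ruleset_level(name)
        if level is not None and level > max_level:
            findings.append(f"{name}: level {level} exceeds {max_level}")
    # Assumption: on a Zimbra host both settings should live under /opt/zimbra/.
    for key in ("SA_DIR", "SA_RESTART"):
        value = cfg.get(key, "")
        if not value.startswith(zimbra_prefix):
            findings.append(f"{key} is outside {zimbra_prefix}: {value!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```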
11-27-2007, 08:55 AM
smtpd_reject_unlisted_recipient

Quote:
Originally Posted by phoenix
> Well, it's impossible to say without seeing some headers from the message to see if the anti-spam is working. Did you also make this change "smtp_reject_unlisted_recipient yes" to zmmta.cf that I mentioned earlier?

Hi Bill,
Should this be smtpd_reject_unlisted_recipient (not smtp_reject_unlisted_recipient) & if this is not set to yes will RHL be ignored?