SPAM Assassin

Baszler baszler at leo.basz.org
Sat May 18 14:53:36 UTC 2024


On Fri, May 10, 2024 at 11:25:18AM -0600, Bob Proulx wrote:
> Hello Michael,
> 
> Michael D Wailes wrote:
> > My inbox is getting bombed with SPAM right now -- so bad that I've had to
> > set the SPAM Assassin Threshold Score to 1 and am still getting 40-60 emails
> > a day that are slipping through.
> 
> Ouch!


In general I am a disciple of the "Great Bob" but do add a few wrinkles....
(Bob was my mentor when I was first hired out of college and the relationship
hasn't changed much...).   Thus my postfix is very very close to Bob's and
it's a really good start.

I run spamassassin as a final and last resort.  In the past it was running
so hard on the spam load it slowed my machine down.   The first step is
to reject the email at the door (port).  Spamassassin is really just a final
last resort and with procmail, I filter out most (99%) of my good email
before it even makes it to spamassassin.  The goal is that things which end
up in my inbox (unclassified) are the only things checked; everything else
gets tucked into its folder before getting to spamassassin.

So for (following Bob's setup):
smtpd_recipient_restrictions
...
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
..

I add a few more rejection hosts.   Some of these are more suspect and
run by "assholes", but they are much more aggressive.   In general, I don't
care if they block all of China or Russia (or large chunks of the same). I'm
not running mailing lists and my email is strictly USA companies and friends.
If they sweep in a few extra parts of the internet, I don't care.  As a
purist of freedom, this is a compromise.

Now to make the realtime-black-list more effective, I run "postgrey".  You will
hate and love this.   What postgrey does is maintain a list of common hosts
that send you email.  If the host is not in the list, it rejects it for 15 mins
(says your server is busy and to try again later).  Per the mail protocol
the sender will try later and will get the mail through, at which point it
is added to your postgrey whitelist.  Now what makes this so effective is
that the reject_rbl are slow to update their databases and that 15 mins is
what they need to get the block up.   Once the block is up, your mail
server will just reject it before giving postgrey a chance to whitelist
the host.  Thus most spam mail that hits the rbl honeypots never makes it
in your box (or past the port).  This really minimizes your compute.
The negative (and this is huge!!) is that if you start a new mail
conversation with something you normally don't do business with
(i.e. verification of a website w/ email address), there is a 15-min delay
in your getting the verification code and it will most likely expire.

I will completely agree that training Spamassassin is the only way to go.
But I train once a year.  So little email gets past the rbl that it's not
worth my time (to sort good from bad in my inbox, i.e. unclassified email)
for training purposes.  But the training is what is required to clear that
last 1% that makes it to the inbox. I typically only get 1 spam email in
my inbox every month and it drives me nuts.

Now for some theoretical stuff..   The RBLs will update in about ~7 mins
from when I get the spam email.  This is the average time it takes for
the honeypot to hit and the database to update.  It's also a function of
where in the spammer's list my machine is and where the honeypot is in the
list.  It's an average.  I've taken the email that gets through and rechecked
it with the rbl and sure enough 90% of those would have been blocked by
the rbl.  It was just a matter of time/speed of the spammer going through
their list.   Thus most spammers know that speed defeats the rbl but some of
them are on poor hardware which surprisingly also helps them defeat me.

I have thought about running my inbox by cron through an RBL check but in
general, it's not worth the compute.  I move my one message a month into
the spam bucket for my annual spamassassin training.

My system works well if and only if you get ads from companies you have signed
up for and from a close group of friends (i.e. your postgrey database matches
those who you regularly email with).  If you are interacting with the
world as a whole with random people, then I might consider something else.
As I mentioned, Spamassassin is really a last resort since it's a compute
hog and burns a lot of resources, but there are those that don't make an RBL
for whatever reason and they need to be stopped too.

Hope that helps,
-Frank
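A small model of the timing argument in the message above (reject_rbl_client is evaluated before the greylist policy, so a sender that gets listed during the greylist delay is rejected on its retry), added here as an example and not part of the original post or of postfix/postgrey. It assumes a triplet-keyed greylist like postgrey's; the IP addresses, the RBL listing times and the verification-code lifetime are constructed values.

```python
"""Added example: how reject_rbl_client and postgrey interact over time.

Postfix evaluates smtpd_recipient_restrictions in order, so an RBL hit rejects
the client before the greylist policy is ever asked. Times are in minutes; the
15 min delay and ~7 min RBL lag are the post's figures, everything else is made up.
"""
from dataclasses import dataclass, field

GREYLIST_DELAY = 15                # postgrey delay quoted in the post
RBL_ZONE = "zen.spamhaus.org"      # one of the zones in the quoted config

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name an RBL client resolves: IPv4 octets reversed, under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

@dataclass
class MailServer:
    listed: dict                                   # ip -> minute the RBL listed it
    greylist: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first seen
    whitelist: set = field(default_factory=set)    # triplets that passed the delay

    def smtp_decision(self, now: int, ip: str, sender: str, rcpt: str) -> str:
        # 1. reject_rbl_client: permanent reject once the RBL lists the client IP
        if ip in self.listed and self.listed[ip] <= now:
            return "554 rejected: %s is listed" % dnsbl_query_name(ip, RBL_ZONE)
        # 2. greylist policy: tempfail a new triplet until GREYLIST_DELAY has passed
        triplet = (ip, sender, rcpt)
        if triplet in self.whitelist:
            return "250 accepted (whitelisted)"
        first_seen = self.greylist.setdefault(triplet, now)
        if now - first_seen < GREYLIST_DELAY:
            return "450 greylisted, try again later"
        self.whitelist.add(triplet)
        return "250 accepted"

def run_scenario() -> dict:
    """Replays the post's three cases; returns the SMTP replies per case."""
    spam_ip, good_ip, site_ip = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    me = "me@example.org"
    srv = MailServer(listed={spam_ip: 7})   # constructed: spam source listed at t=7
    spam = [srv.smtp_decision(t, spam_ip, "x@spam.example", me) for t in (0, 15)]
    good = [srv.smtp_decision(t, good_ip, "bob@example.com", me) for t in (0, 15, 60)]
    code_valid_for = 10                     # constructed: verification code lifetime
    verify = [srv.smtp_decision(t, site_ip, "noreply@site.example", me) for t in (0, 15)]
    return {"spam": spam, "good": good, "verify": verify,
            "code_expired": GREYLIST_DELAY > code_valid_for}
```

The spam source is tempfailed at t=0 and hard-rejected by the RBL on its retry at t=15, the regular correspondent is whitelisted after one retry, and the one-shot verification mail is delivered only after its code has already expired.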



More information about the NCLUG mailing list