Part 12. SpamAssassin Antispam

The list of articles cycle

Installing SpamAssassin

To install anti-spam, execute the command:

# apt install spamassassin

After installation the program does not run: it is disabled by default. To activate it, change the value of the ENABLED parameter to 1 in the /etc/default/spamassassin file.

Connecting SpamAssassin to Postfix

Make changes to the file /etc/postfix/master.cf.

Immediately after the line

smtp inet n - - - - smtpd

Add

  -o content_filter=spamassassin

Remember that this new line must be indented, that is, it must start with whitespace rather than at the beginning of the line, so that Postfix treats it as a continuation of the smtp entry.

This tells Postfix to pass all messages to the spamassassin filter for analysis.

Now, at the end of this file, you must describe this filter. To do this, add the lines:

spamassassin unix - n n - - pipe
  user=virtual argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

SpamAssassin Configuration File

The main antispam configuration file is /etc/spamassassin/local.cf. Edit it so that it reads:

rewrite_header Subject *****SPAM*****
report_safe 0
trusted_networks 192.168.0.0/24
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
bayes_min_ham_num 1
bayes_min_spam_num 1
report_charset koi8-r
ok_locales ru en uk

bayes_path /var/spool/bayes/bayes
bayes_file_mode 0666

score SUBJ_FULL_OF_8BITS 0
score FROM_ILLEGAL_CHARS 0
score SUBJ_ILLEGAL_CHARS 0
score HEAD_ILLEGAL_CHARS 0
score HABEAS_SWE 0
score FORGED_IMS_TAGS 1
score BAYES_00 0.0001 0.0001 -2.312 -2.599
score BAYES_05 0.0001 0.0001 -1.110 -1.110
score BAYES_20 0.0001 0.0001 -0.740 -0.740
score BAYES_40 0.0001 0.0001 -0.185 -0.185
score BAYES_50 0.0001 0.0001 0.001 0.001
score BAYES_60 0.0001 0.0001 2.0 2.0
score BAYES_80 0.0001 0.0001 3.0 3.0
score BAYES_95 0.0001 0.0001 3.5 3.5
score BAYES_99 0.0001 0.0001 5.0 5.0
score ALL_TRUSTED -3.360 -3.440 -3.665 -3.800

Main parameters

rewrite_header - the string that will be added to the subject

trusted_networks 192.168.0.0/24 - the trusted network, for which the spam check is not performed

required_score 5.0 - the spam threshold, 5 points by default; a message that scores 5 points or more is marked as spam

use_bayes 1 - enables the Bayes algorithm (self-learning)

ok_locales ru en uk - the list of admissible languages

The rules used to rate messages for spam, and the number of points given for each match, are specified after the keyword score. For more information on these options, see the documentation on the developer site at the link

https://spamassassin.apache.org/old/tests_3_3_x.html

There can be any number of rules, and they are listed one per line. Each rule is assigned a certain number of points. Rules that are not listed in this file use their default score. That is, all the rules at the link are active, and the file lists only the rules whose scores we change. To disable a rule, assign it a score of 0.
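A score line with four values carries one score per SpamAssassin score set (no Bayes and no network tests, network tests only, Bayes only, Bayes plus network tests), while a single value applies to every set. The following added example, which is not part of the original article, sums the scores of the matched rules for a chosen score set and compares the total with required_score; the function names and the sample configuration are constructed for illustration, and rules absent from the sample (which would use their default scores) are not counted.

```sh
#!/bin/sh
# Constructed sample: a few lines in the format of the local.cf shown above.
SAMPLE_CF='required_score 5.0
use_bayes 1
score FORGED_IMS_TAGS 1
score BAYES_99 0.0001 0.0001 5.0 5.0
score ALL_TRUSTED -3.360 -3.440 -3.665 -3.800'

# total_score CONFIG SCORESET RULE...
# SCORESET: 0 = no Bayes, no network tests   1 = network tests only
#           2 = Bayes only                   3 = Bayes and network tests
# Prints the sum of the configured scores of the listed rules.
total_score() {
    cf=$1; set_no=$2; shift 2
    printf '%s\n' "$cf" | awk -v set_no="$set_no" -v hits="$*" '
        BEGIN { n = split(hits, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        $1 == "score" && ($2 in want) {
            # four values: one per score set; a single value covers all sets
            v = (NF == 6) ? $(3 + set_no) : $3
            sum += v
        }
        END { printf "%.3f\n", sum }'
}

# verdict CONFIG SCORESET RULE...
# Prints "spam" when the total reaches required_score, otherwise "ham".
verdict() {
    req=$(printf '%s\n' "$1" | awk '$1 == "required_score" { print $2 }')
    total=$(total_score "$@")
    awk -v t="$total" -v r="$req" 'BEGIN { print (t >= r) ? "spam" : "ham" }'
}

# With Bayes and network tests enabled (score set 3):
total_score "$SAMPLE_CF" 3 BAYES_99 FORGED_IMS_TAGS
verdict     "$SAMPLE_CF" 3 BAYES_99 FORGED_IMS_TAGS
# The same Bayes hit on a message from the trusted network stays below the threshold:
verdict     "$SAMPLE_CF" 3 BAYES_99 ALL_TRUSTED
```

The BAYES_* values of 0.0001 in the first two columns belong to the score sets in which Bayes is switched off, so they never take effect while use_bayes is 1.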

 

Create addresses whitelist

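The address whitelist contains addresses that are never to be treated as spam senders. In the /etc/spamassassin/local.cf file, write the whitelist_from parameter followed by the list of addresses. For example:

whitelist_from user@mail.ru *@gmai.com

The addresses are separated by spaces. Wildcards are allowed, as in the example (whitelist_from accepts file-glob patterns with * and ?, not regular expressions). For convenience, a long list can be split across several whitelist_from lines. Keep in mind that whitelist_from matches the sender address written in the message, which is easy to forge; the SpamAssassin documentation recommends whitelist_auth or whitelist_from_rcvd instead for that reason.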

Antispam training

The self-learning mechanism is a Bayes algorithm. It is not part of SpamAssassin's static rules but a separate algorithm that dynamically adds or subtracts points based on what it has learned from earlier messages. Be careful when building the training database, because it is easily corrupted by messages added by mistake. According to the developer, messages that are already marked as spam must never be added to the spam (--spam) learning database, and messages that are not marked as spam must not be added to the false-positive (--ham) training database.

Any anti-spam system can let spam through and can produce false positives (that is, a normal email may be marked as spam). To send undetected spam (messages that the system did not mark as spam) to the training mechanism, use the command:

/usr/bin/sa-learn --spam

For training on messages with false positives use the command:

/usr/bin/sa-learn --ham

Anti-spam training automation

Manual antispam training is not productive, so we will automate the process.
We will create two folders in each mailbox:

  1. Spam - the user manually moves messages that the antispam did not detect to this folder.
  2. Nospam - the user manually moves messages wrongly marked as spam to this folder.

In the /root folder we create two subfolders, spam and nospam.

Note that in the file system the Spam and Nospam folders of the user's mailbox (/var/mail/domain/user) are named .Spam and .Nospam. This is due to the way dovecot works. In addition, keep in mind that the messages are stored not in the directory itself (for example .Spam), but in .Spam/cur (read messages) and .Spam/new (unread messages).

Next, we will write a script to automate the process.

In the directory /root, create a script file spam.sh with the following contents:

#!/bin/bash
# Collects the messages users filed under Spam / Nospam and trains sa-learn on them.

MAILDIR=/var/mail/study.local   # folder of the mail storage
LOG=/var/log/spam-learn.log

# collect FOLDER DEST: move the messages from FOLDER of every mailbox to DEST
collect() {
    for userdir in "$MAILDIR"/*          # go through all entries in the mail storage
    do
        if [ -d "$userdir/$1" ]; then
            # messages are in cur/ (read) and new/ (unread)
            for msg in "$userdir/$1"/cur/* "$userdir/$1"/new/*
            do
                [ -f "$msg" ] && mv -f "$msg" "$2"/
            done
        fi
    done
    chmod -R u=rwX,go= "$2"              # only root, which runs sa-learn, needs access
}

# Spam
collect .Spam /root/spam
date >>"$LOG"
/usr/bin/sa-learn --spam /root/spam >>"$LOG"

# NoSpam
collect .Nospam /root/nospam
date >>"$LOG"
/usr/bin/sa-learn --ham /root/nospam >>"$LOG"

Now make this file executable:

chmod +x /root/spam.sh

Add a rule for the periodic launch of this script to the cron scheduler (file /etc/crontab):

10 1 * * * root /root/spam.sh

Now the script will run every night at 01:10.
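One way to apply the developer's advice from the training section before sa-learn is run, as an added example that is not part of the original article: take only unmarked messages out of a Spam folder and only marked ones out of a Nospam folder. It assumes that marked messages carry the X-Spam-Flag: YES header that SpamAssassin adds by default; the function names and the sample messages are constructed for illustration.

```sh
#!/bin/sh
# already_flagged FILE: succeeds if the header block (everything before the
# first empty line) contains "X-Spam-Flag: YES".
already_flagged() {
    awk '
        /^\r?$/ { exit }                          # end of headers: stop reading
        tolower($0) ~ /^x-spam-flag:[ \t]*yes/ { found = 1; exit }
        END { exit !found }' "$1"
}

# select_for_training FOLDER DEST MODE
#   MODE=spam: take only messages the filter did NOT mark (missed spam)
#   MODE=ham : take only messages the filter DID mark (false positives)
# Prints the number of messages moved to DEST; the rest stay in FOLDER.
select_for_training() {
    moved=0
    for msg in "$1"/cur/* "$1"/new/*; do
        [ -f "$msg" ] || continue                 # empty folder: glob matched nothing
        if already_flagged "$msg"; then fits=ham; else fits=spam; fi
        [ "$fits" = "$3" ] || continue
        mv -f "$msg" "$2"/ && moved=$((moved + 1))
    done
    echo "$moved"
}

# Constructed sample folder: two unmarked messages and one marked message.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/box/cur" "$tmp/box/new" "$tmp/train"
    # message 1 mentions the flag only in its body, so it counts as unmarked
    printf 'Subject: pills\n\nX-Spam-Flag: YES\n' > "$tmp/box/cur/1"
    printf 'Subject: hello\n\ntext\n' > "$tmp/box/new/2"
    printf 'Subject: *****SPAM***** offer\nX-Spam-Flag: YES\n\ntext\n' > "$tmp/box/new/3"
    select_for_training "$tmp/box" "$tmp/train" "$1"
    rm -rf "$tmp"
}

demo spam    # messages 1 and 2 qualify for --spam training
demo ham     # message 3 qualifies for --ham training
```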

 
