
30th August 2010, 21:55
|
|
Senior Member
|
|
Join Date: Dec 2006
Location: Oklahoma, USA
Posts: 429
Thanks: 3
Thanked 13 Times in 5 Posts
|
|
more crazy spam
Alright, we have been inundated with an unreal amount of spam on the server lately.
So, I added the black URIBL to Spam Assassin. Still didn't help.
So, two questions:
1) I want to block specific @domain.tld from all email domains. Under Global Filters -> Postfix Blacklist do I select "Senders" to disable those domains from sending email to mailboxes? Or, no? In other words, I want to add a global filter to block @nutsviagrasex.ch from spamming any email address. Would I add @nutsviagrasex.ch as "sender" in that filter?
2) I've seen mention on the tutorials about DKIM. Would that be helpful?
|

31st August 2010, 07:57
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,903
Thanks: 693
Thanked 4,195 Times in 3,212 Posts
|
|
Please post the email headers of spam emails that had come through. Also which scores do you use in the spamfilter policy?
|

31st August 2010, 15:14
|
|
Senior Member
|
|
Join Date: Dec 2006
Location: Oklahoma, USA
Posts: 429
Thanks: 3
Thanked 13 Times in 5 Posts
|
|
Okay. I have been receiving about 20 spam emails a day on average to my mailbox for the past three weeks. I went years without a single spam email getting to the Inbox on ISPCONFIG + Spam Assassin.
Currently, my mailbox uses ISPConfig's default settings for "NORMAL" spamfilter. It appears the default numbers are: tag = 1, tag2 = 4.5, kill = 50, dns = 0, quarantine = 0. I wonder what can be adjusted without throwing legit emails into the Junk folder. My Junk folder grows by about 140 emails a day...crazy spam!
Headers for this morning's spam are as follows:
Code:
Return-Path: <myauravie@affiliateincomeadvantage.com>
Delivered-To: crypted@mypersonaldomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
by personalwebserver.tld (Postfix) with ESMTP id 9AE1D5416E
for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:19:15 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
by localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id lj5xh4+WH1rG for <crypted@mypersonaldomain.tld>;
Tue, 31 Aug 2010 06:19:14 -0400 (EDT)
Received: from automatedwealthkit.com (automatedwealthkit.com [173.244.178.212])
by personalwebserver.tld (Postfix) with SMTP id 2F4DB5416A
for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:19:14 -0400 (EDT)
DKIM-Signature: v=1;
a=rsa-sha1; c=relaxed/relaxed; d=affiliateincomeadvantage.com;
s=gamma; t=1283249953; bh=tTGnhmF/h3uRT2xFtfbGQmvJL/U=; h=To:From;
b=BLK4eyibxrqVdbY7AqLGbf3BLekcb0bj8+nwCqMmTuHEKE6qvC/ABnZ5qjR40MVGE
oorPegYQzkKrqWL8qZtwoQ5ExJj3mCKsJZ9a/NuP5o1rTIDI/2tW9/d1asZQYzN
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=gamma; d=affiliateincomeadvantage.com;
h=To:From;
b=sUH4kw1ftqEVUnBhxmy1FheNz3yfZ6BmpMUSvqDUBCExeejaFTbklRMQQ95KET4n3
4Pw0UugjDiVdjPIv7vV1I8aXy1vWYtb8+wmm3COO6uMRXLy4WzFJtv8lFEgsRoe;
To: crypted@mypersonaldomain.tld
From: "My AuraVie" <myauravie@affiliateincomeadvantage.com>
Subject: Save over $250 on top of the line AuraVie 3 in 1 Skincare
Date: 31 Aug 2010 06:19:13 -0400
Message-ID: <1283249953.hqolqnqdcubvlp@automatedwealthkit.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Return-Path: <taxsolutions@clickaffiliateincome.com>
Delivered-To: crypted@mypersonaldomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
by personalwebserver.tld (Postfix) with ESMTP id 0BF835416E
for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:08:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
by localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id pQ3z2ba9ySGK for <crypted@mypersonaldomain.tld>;
Tue, 31 Aug 2010 06:08:16 -0400 (EDT)
Received: from clickaffiliateincome.com (clickaffiliateincome.com [66.207.161.156])
by personalwebserver.tld (Postfix) with SMTP id 86FC85416A
for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 06:08:16 -0400 (EDT)
DKIM-Signature: v=1;
a=rsa-sha1; c=relaxed/relaxed; d=clickaffiliateincome.com; s=gamma;
t=1283249296; bh=EPnKqVsLlSv9DdiBghgezgo2w5k=; h=To:From;
b=Jha9cB741nXRon7nxvIVm2TwMwxTyqZbsMaHkKlmXqbu1SzmKY1Hz8OIn3zH55p2L
QCHPaAS1pegNEjfXALefj1KQe6mEx8IcVOqmrxIZtfD7VYWeEeNrlUslDtUezoC
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=gamma; d=clickaffiliateincome.com;
h=To:From;
b=CCGcua5eXuUJLq9PNhIGnMlnw1pYvofODp/V9phxEsVecoq6ixrng3n+Ii+3EmkxE
aGemY0f1EWz9PjbYsn9Qikep5miYjZLP2fFg8lusBjl83sQWI5qHK8I4/rD3LQC;
To: crypted@mypersonaldomain.tld
From: "Tax Solutions" <taxsolutions@clickaffiliateincome.com>
Subject: Settle your tax debt for fractions of whats owed
Date: 31 Aug 2010 06:08:16 -0400
Message-ID: <1283249296.frsaumqpkks@clickaffiliateincome.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Return-Path: <Jennifer@black-jackfaq.com>
Delivered-To: crypted@mypersonaldomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
by personalwebserver.tld (Postfix) with ESMTP id E16BC5416E
for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 03:28:39 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at my.derekgordon.com
Received: from personalwebserver.tld ([127.0.0.1])
by localhost (personalwebserver.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id sahhjH1aBXZv for <crypted@mypersonaldomain.tld>;
Tue, 31 Aug 2010 03:28:39 -0400 (EDT)
Received: from black-jackfaq.com (black-jackfaq.com [76.73.108.215])
by personalwebserver.tld (Postfix) with ESMTP id 17AEB5416A
for <crypted@mypersonaldomain.tld>; Tue, 31 Aug 2010 03:28:24 -0400 (EDT)
From: "Jennifer Cox" <Jennifer@black-jackfaq.com>
To: "derek" <crypted@mypersonaldomain.tld>
Reply-To: reply@black-jackfaq.com
Date: Tue, 31 Aug 2010 07:28:26 +0000
Subject: New bonus offer high roller heaven
MIME-Version: 1.0
List-Unsubscribe: <http://www3.black-jackfaq.com/0b02452e8b07f9c74e0401000/0000000000000/000/0/00.ZVSC>
Content-Type: multipart/related;
boundary="_=aspNetEmail=_642a60b212244c86914b616ee36ce2b6"
X-Mailer: aspNetEmail ver 3.12.656.1861
X-MimeOLE: 944-ebe3a 43672.3916.1,309
Message-ID: <4367239161@black-jackfaq.com>
|

31st August 2010, 15:25
|
|
Senior Member
|
|
Join Date: Sep 2008
Location: The Netherlands
Posts: 911
Thanks: 12
Thanked 95 Times in 92 Posts
|
|
You might want to set the "SPAM tag level" to -1000 so all the mails you receive, you are able to see the spamassassin results.
|

31st August 2010, 15:31
|
|
Senior Member
|
|
Join Date: Dec 2006
Location: Oklahoma, USA
Posts: 429
Thanks: 3
Thanked 13 Times in 5 Posts
|
|
Mark, where would I see a description of what all of those #'s mean?
|

31st August 2010, 15:38
|
|
Senior Member
|
|
Join Date: Sep 2008
Location: The Netherlands
Posts: 911
Thanks: 12
Thanked 95 Times in 92 Posts
|
|
"#" ????
ehm, you can set it in ispconfig .. email -> policy -> click your policy -> tab Tag-level -> "SPAM tag level" set to -1000 .. save, and wait 1 minute for the changes to be done. then check your incoming mail.
|

31st August 2010, 18:04
|
|
Senior Member
|
|
Join Date: Dec 2006
Location: Oklahoma, USA
Posts: 429
Thanks: 3
Thanked 13 Times in 5 Posts
|
|
Right, I know where the PROFILE numbers are found in the panel. :-)
I'm asking what each category means for tweaking purposes:
tag = 1, tag2 = 4.5, kill = 50, dns = 0, quarantine = 0
I have edited tag = 1 to tag = -1000.
What else should be done?
I think kill = 50 was the default as 5.0 in ISPCONFIG 2 wasn't it?
I want to get this tweaked as best as possible to remove all of this new spam while at the same time not having a lot of false positives as missing important emails would be a bad deal.
|

31st August 2010, 19:17
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,903
Thanks: 693
Thanked 4,195 Times in 3,212 Posts
|
|
Quote:
|
What else should be done?
|
Post the header of spam emails that you received after changing the level.
|

1st September 2010, 02:11
|
|
Senior Member
|
|
Join Date: Jun 2008
Posts: 169
Thanks: 15
Thanked 9 Times in 9 Posts
|
|
If it helps you, here are my settings...NOTE: very aggressive since this is a corporate server meant for business email only.
SPAM tag level -100
SPAM tag2 level 3.09
SPAM kill level 10
SPAM dsn cutoff level 0
SPAM quarantine cutoff level 0
SPAM modifies subject Yes
SPAM subject tag .
SPAM subject tag2 ***SPAM***
You should also post some of your postfix settings to make sure you have some blocklists included...I think the setting to post is the
smtpd_recipient_restrictions = xxxxx
another note: It helps to Move spam into the Junk folders in webmail and tell SpamAssassin to learn from those you select as spam to train the engine.
/usr/bin/sa-learn --spam /var/vmail/*/*/.Junk/*/*
|

1st September 2010, 03:24
|
|
Senior Member
|
|
Join Date: Dec 2006
Location: Oklahoma, USA
Posts: 429
Thanks: 3
Thanked 13 Times in 5 Posts
|
|
First, all I changed was tag level to -1000 and every email went to Junk all day. I was wondering why no one responded. Evidently, they did so. That was the only setting I altered.
Postfix main.cf smtpd_recipient_restrictions shows:
Code:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
Also, a few days ago I added URIBL to local.cf for Spam Assassin:
Code:
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0
Where can I find out what each setting is that Turbanator referred to? And their maximum and minimum values? That will be an assistance for playing around with them to tweak performance.
SA-LEARN runs twice a day. Sucks because it will now learn a bunch of GOOD email.
|
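Added example (not code from the thread, ISPConfig or amavisd-new): once the tag level is lowered as suggested above, delivered mail carries amavisd-new's X-Spam-Status header, and this Python code parses it to show which rules contributed and how the score falls against the two tag2/kill pairs quoted in the thread. The header layout and the "at or above" comparisons are the usual amavisd-new behaviour and are assumed here; the sample header and its scores are constructed, with URIBL_BLACK set to the 3.0 from the local.cf above.

```python
import re
from email import message_from_string

# Constructed sample: headers as amavisd-new writes them once the tag level is
# lowered (here -1000). Rule scores are illustrative, not taken from the thread.
SAMPLE = """\
X-Spam-Flag: NO
X-Spam-Score: 3.102
X-Spam-Status: No, score=3.102 tagged_above=-1000 required=4.5
\ttests=[BAYES_50=0.001, HTML_MESSAGE=0.001, RDNS_NONE=0.1,
\tURIBL_BLACK=3] autolearn=no
"""

STATUS_RE = re.compile(
    r"score=(?P<score>-?[\d.]+)\s+tagged_above=(?P<tag>-?[\d.]+)\s+"
    r"required=(?P<tag2>-?[\d.]+)\s+tests=\[(?P<tests>[^\]]*)\]")

def parse_spam_status(raw_message):
    """Return (score, tag_level, tag2_level, {rule: points}) or None if untagged."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None  # score was below the tag level, so no headers were added
    m = STATUS_RE.search(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        return None
    rules = {}
    for item in filter(None, (t.strip() for t in m["tests"].split(","))):
        name, _, points = item.partition("=")
        rules[name] = float(points)
    return float(m["score"]), float(m["tag"]), float(m["tag2"]), rules

def verdict(score, tag2, kill):
    """Map a score onto the policy levels: 'pass', 'tagged-spam' or 'blocked'."""
    if score >= kill:
        return "blocked"  # kill level: configured action (discard, quarantine, ...)
    return "tagged-spam" if score >= tag2 else "pass"

def report(raw_message, policies):
    """Summarise the score, the three heaviest rules and a verdict per policy."""
    parsed = parse_spam_status(raw_message)
    if parsed is None:
        return None
    score, _, _, rules = parsed
    top = sorted(rules.items(), key=lambda kv: kv[1], reverse=True)
    return {"score": score, "top_rules": top[:3],
            "verdicts": {n: verdict(score, *lv) for n, lv in policies.items()}}

# (tag2, kill) pairs quoted in the thread: ISPConfig "NORMAL" and the aggressive set.
POLICIES = {"normal": (4.5, 50), "aggressive": (3.09, 10)}
print(report(SAMPLE, POLICIES))
```

A message like the sample passes untouched under the "NORMAL" levels but is tagged as spam under the aggressive ones, and the rule list shows that nearly all of its score comes from the URIBL hit.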
All times are GMT +2. The time now is 04:37.