Better spam filters than Apache SpamAssassin?

AndyReed

> Is there any better (paid/free) spam filters which can easily be added into the Exim setup?
We have been using SpamAssassin (SA) for a very long time and we find it very effective in purging spam. Make sure these filters are also installed and configured properly: Razor-agents (although a little out of date), DCC, SPF, and Pyzor.

ASSP is another good spam blocker. That will be my choice, if I am looking for a different program than SpamAssassin.

I'll definitely put MailScanner at the end of my list.
 

brianoz

Servertune,

Isn't MailScanner just a more efficient way of running SpamAssassin?

Spirit:

There are detailed instructions for installing a mature setup for MailScanner/SpamAssassin at www.configserver.com. Be warned though, SpamAssassin is a CPU hog and word is out that ASSP is a lot more efficient and effective than SpamAssassin.
 

AndyReed

> Isn't MailScanner just a more efficient way of running SpamAssassin?
MailScanner (MS) is not tied to any particular virus scanner, but can be used with any combination of about 14 different virus scanners. MS is the resource hog and that's one of the reasons we'll put it at the end of our list. For more information about MS, go to: http://www.mailscanner.info/

On the other hand, SpamAssassin, without MS, is flexible, easy to extend, uses a wide spectrum of tests, and is CPU friendly. Everything that you could ever want from an anti-spam program.


> Be warned though, SpamAssassin is a CPU hog
I think you meant MailScanner is 'a CPU hog'.
 

kens6139

> Is there any better (paid/free) spam filters which can easily be added into the Exim setup?
Check out ASSP, it is way better, and free.

There are a couple of packages to integrate it with cPanel:

ASSPX is a free product, and ASSP Deluxe is 15 per server but a little more robust.

There is plenty of information in these forums - search ASSP
 

AndyReed

> No, I meant SpamAssassin.
That's interesting. How can you prove that 'SpamAssassin is a CPU hog'? Did you use any tool(s) to reach that conclusion? If yes, what are they? When we talk about 'CPU hog', what is the projected CPU load SA will exert on the server? ;)
 

freedman

> No, I meant SpamAssassin.
I haven't found spamassassin to be a problem on any of my machines.
there have been moments (like right after someone sends out a bulk mailing) that all the bouncebacks will zip through the machine, but even in those times, it's never been too severe.

if you can help it, put your mail spool on a separate hard drive from the one where the mail ultimately gets delivered.

from what i've heard ASSP is a bit better.. SA can be a memory hog if you have a lot of large and complex rulesets--and also can take slightly longer per message to process (again, if you have large and complex rulesets).

I've found most of the bulky rulesets didn't really catch much that weren't already caught by the RBL's, so I've removed them, and on most of my systems, even in peak web use, my uptime rarely goes above 0.9
 

chirpy

MailScanner doesn't have to be a hog if you tune it correctly. As brianoz has said, I have also seen spamd as a resource hog on many servers and running MailScanner actually used fewer resources. The main function of MailScanner that can cause performance degradation is/was ClamAV which has been improved greatly in recent times, especially if you use the Mail::ClamAV perl module and not clamscan directly.

I also agree with freedman, large and complex SpamAssassin rules can add significant load to a server regardless of how SA is used.
 

erick_paper

Chirpy, so what installation do you recommend? I do have SA rules that are becoming big by the day. My main problem is that at any time I have like 1800 queued messages on Exim. If the messages that are sent to non-existent email IDs are set to ":fail:" and the rest are being caught by SA, then why are they queued up? Would ASSP or MailScanner help in clearing my queue?
 

freedman

> Chirpy, so what installation do you recommend? I do have SA rules that are becoming big by the day. My main problem is that at any time I have like 1800 queued messages on Exim. If the messages that are sent to non-existent email IDs are set to ":fail:" and the rest are being caught by SA, then why are they queued up? Would ASSP or MailScanner help in clearing my queue?
if you have that many piling up, then it's for one (or more) of a number of reasons:
1) you're allowing open relaying--very bad, fix this if you are.
2) your clients are running mailing lists which aren't cleaned up very often...some mail hosts don't properly reject things to bad email addresses, so they get queued for redelivery until the 4(or so) day timeout.
3) the return address on bulk emails isn't working right, so the bounces are going back to your server, you're trying to forward them on to somewhere else which isn't working right.
4) your server load is often high, in which case, exim will go into queue only mode. then it'll start to process the queue, load will go up, it'll stop and go queue only again. (if this is the case, raise the 'deliver_queue_load_max' to 3 or 4 or 5, until the queue flushes out.)
also consider: smtp_load_reserve and queue_only_load

(do these through whm if you wish them permanent, otherwise make the change and cpanel will set it back randomly at some point it does an upcp--which is fine if you don't want to have to remember to do it yourself).

run through your mail logs, they'll provide a wealth of information.

Also, try to determine, if you can, which of your larger SA rulesets account for the least number of detections... if you're getting less than a 2-3% hit rate, then you might do well to just do without that set.
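Added example, not part of freedman's post: one way to measure the per-ruleset hit rate suggested above from spamd `result:` log lines. The log lines, the ruleset file names and the `BIGSET_`/`LOCAL_` rule names are constructed, and the 3% cut-off is the upper end of the 2-3% figure in the post.

```python
import re
from collections import Counter

# spamd "result:" line: verdict (Y = spam, . = ham), score, comma-separated rules.
RESULT_RE = re.compile(r"spamd: result: ([Y.]) (-?[\d.]+) - (\S*) scantime=")
# Rule definition line in a .cf ruleset, e.g. "body LOCAL_PHRASE_LOTTO /.../i".
RULE_DEF_RE = re.compile(
    r"^[ \t]*(?:header|body|rawbody|uri|full|meta)[ \t]+(\w+)[ \t]", re.M)

def rules_in_ruleset(cf_text):
    """Names of the rules a ruleset file defines (score/describe lines ignored)."""
    return set(RULE_DEF_RE.findall(cf_text))

def ruleset_hit_rates(log_lines, rulesets):
    """Share of spam-flagged messages on which each ruleset fired at least once."""
    parsed = {name: rules_in_ruleset(text) for name, text in rulesets.items()}
    spam_total, hits = 0, Counter()
    for line in log_lines:
        m = RESULT_RE.search(line)
        if not m or m.group(1) != "Y":
            continue  # not a result line, or the message was scored as ham
        spam_total += 1
        fired = set(m.group(3).split(","))
        for name, rules in parsed.items():
            if fired & rules:
                hits[name] += 1
    if spam_total == 0:
        return {}
    return {name: hits[name] / spam_total for name in parsed}

def low_value_rulesets(rates, threshold=0.03):
    """Rulesets that fired on fewer than `threshold` of spam-flagged messages."""
    return sorted(name for name, rate in rates.items() if rate < threshold)

# Constructed sample data: 40 spam results and 20 ham results.
SAMPLE_LOG = (
    ["spamd: result: Y 14 - BAYES_99,RCVD_IN_XBL scantime=0.9,size=2101"] * 29
    + ["spamd: result: Y 9 - BAYES_99,LOCAL_PHRASE_LOTTO scantime=1.1,size=1804"] * 10
    + ["spamd: result: Y 11 - BIGSET_PILLS_3,RCVD_IN_XBL scantime=2.3,size=3310"]
    + ["spamd: result: . 0 - HTML_MESSAGE scantime=0.4,size=990"] * 20
)
SAMPLE_RULESETS = {  # hypothetical add-on ruleset files
    "bigset.cf": "body BIGSET_PILLS_3 /cheap pills/i\nscore BIGSET_PILLS_3 2.0\n"
                 "body BIGSET_PILLS_4 /ch3ap p1lls/i\n",
    "local_phrases.cf": "body LOCAL_PHRASE_LOTTO /you have won/i\n",
}

if __name__ == "__main__":
    rates = ruleset_hit_rates(SAMPLE_LOG, SAMPLE_RULESETS)
    for name in low_value_rulesets(rates):
        print(f"{name}: {rates[name]:.1%} of spam, candidate for removal")
```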
 

erick_paper

Thanks freedman, very informative! I think for me it may be a combination of those, but no.3 is the most common. This is because the email address I have for one of my domains keeps getting spam that is like something has bounced (which it could not have, because I never sent those emails). To counter this, in my Exim config, I checked the "Exim Verify the existence of email senders" but it hasn't helped at all. What can I do to stop these bounces, or make sure that these fake emails are killed but the email address remains intact?
 

freedman

> Thanks freedman, very informative! I think for me it may be a combination of those, but no.3 is the most common. This is because the email address I have for one of my domains keeps getting spam that is like something has bounced (which it could not have, because I never sent those emails). To counter this, in my Exim config, I checked the "Exim Verify the existence of email senders" but it hasn't helped at all. What can I do to stop these bounces, or make sure that these fake emails are killed but the email address remains intact?
ahhh.. these types of bounces are caused by spammers sending mail from their own servers, but listing "FROM" as an email address @YOURDOMAIN.

if you set the catchall address for each of your domains to ":fail:" then it should just toss all these in the garbage.

(don't use :blackhole: and, I think, you have to just have :fail: all by itself .. if you have ":fail: REASON" then exim won't treat it the same, as I understand it.)

so, check the /etc/valiases/ file for this domain, make sure the catchall is either a valid address or:
*: :fail:
 

brianoz

> That's interesting. How can you prove that 'SpamAssassin is a CPU hog'? Did you use any tool(s) to reach that conclusion? If yes, what are they? When we talk about 'CPU hog', what is the projected CPU load SA will exert on the server? ;)
OK OK I retreat in defeat :)

Let me be more precise. I can only say empirically that SA appears to be a resource hog. In fact, if I'm to be entirely accurate with what I've observed I'd have to say that I've observed that MS/SA combined is a hog, which is not at all inconsistent with what you're saying. I do like some MS features - one of the nicest is that it keeps a log of incoming email and that has proven invaluable in tracking email on the odd occasion. I promise - I wasn't meaning to cast fair aspersions, apologies for the loose speaking! ;)

ASSP looks interesting, in particular because it's clear it's not a CPU/resource hog.
 

mctDarren

> I can only say empirically that SA appears to be a resource hog. In fact, if I'm to be entirely accurate with what I've observed I'd have to say that I've observed that MS/SA combined is a hog
As Chirpy said, it doesn't have to be. Our setup has Exim blocking a large percentage of spam before either SA or ClamAV even touches it. It's made all the difference in the world and allowed us to run Mailscanner (and have all those great features) with no problems.
 

freedman

> As Chirpy said, it doesn't have to be. Our setup has Exim blocking a large percentage of spam before either SA or ClamAV even touches it. It's made all the difference in the world and allowed us to run Mailscanner (and have all those great features) with no problems.
about 70% of our spam is blocked by RBL's upon connection:
here are a few to consider:
dnslists =

list.dsbl.org
multi.surbl.org
zen.spamhaus.org
relays.ordb.org
blackholes.mail-abuse.org

check each one's site, .. some of them have more targeted lists which may be more suitable for your environment.
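Added example, not part of the thread: what a `dnslists` check does for each zone, namely reverse the connecting IP, append the zone and treat a 127.0.0.0/8 answer as a listing; it goes beyond the post by covering IPv6 and error answers. The stub resolver data and `dnsbl.example.net` are constructed, and treating 127.255.255.0/24 as an error range follows Spamhaus's published return codes.

```python
import ipaddress
import socket

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in this range for blocked or malformed queries, not listings.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

def dnsbl_query_name(ip, zone):
    """DNS name to look up when testing `ip` against a DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def classify(answers):
    """'clean' (no A record), 'listed' (127/8 code) or 'error' (anything else)."""
    if not answers:
        return "clean"
    addrs = [ipaddress.ip_address(a) for a in answers]
    # An error code, or an answer outside 127/8 (parked or wildcarded zone),
    # must not be used as grounds to reject mail.
    if any(a in ERROR_NET or a not in LISTING_NET for a in addrs):
        return "error"
    return "listed"

def check_dnsbls(ip, zones, resolve):
    """Map each zone to its verdict; `resolve(name)` returns a list of A records."""
    return {zone: classify(resolve(dnsbl_query_name(ip, zone))) for zone in zones}

def system_resolve(name):
    """Live resolver for real use; NXDOMAIN and lookup failures return []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

# Constructed answers standing in for DNS so the example runs offline.
STUB_ANSWERS = {
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "99.2.0.192.dnsbl.example.net": ["127.255.255.254"],
}

def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])

if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "dnsbl.example.net"]
    print(check_dnsbls("192.0.2.99", zones, stub_resolve))
```

Zones that come back as `error` are worth logging and reviewing rather than acting on, since the answer says nothing about the sending host.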
 

mctDarren

> about 70% of our spam is blocked by RBL's upon connection:
> here are a few to consider:
> dnslists =
>
> list.dsbl.org
> multi.surbl.org
> zen.spamhaus.org
> relays.ordb.org
> blackholes.mail-abuse.org
>
> check each ones site, .. some of them have more targeted lists which may be more suitable for your environment.
Thanks, I should have mentioned what we use as standard set up. Exim with ACLs for Host/Helo checks, RBL checks, Chirpy's Dictionary attack rules, faked sender checks, message size and date checks, plus a couple of custom rules for backscatter and some other common tricks. With Exim handling these pre-anything scanning it, the loads stay extremely small. :)