hergy80

I had Chirpy's Co. install the mailscanner package on our servers a while back, and recently the spam has been getting worse (which I understand happens as they find new ways to get through).

What I'm wondering is: are there any specific tweaks to SpamAssassin or the other filters that have helped people? We're getting a lot of the e-mails that look like just a bunch of words put together as well as "buy this company's stock". I've tried the auto learning in MailWatch, but that doesn't seem to help much. I know there are rules lists and RBLs and DCC, etc., so what has helped others?

Thanks!
 

elitewebninja

We were having this same problem. Nothing worked, even the autolearn (like your attempt).

It turns out that SARE released a ruleset for these stock email spams:

Do this: (assuming you got the RulesDuJour addition with Chirpy's package like we did).
Get the latest RulesDuJour script
http://sandgnat.com/rdj/rules_du_jour

Go here and get the stock ruleset:
http://www.rulesemporium.com/rules.htm#stocks (70_sare_stocks.cf)
and put it in the /etc/mail/spamassassin/RulesDuJour/ directory

Then go to /etc/rulesdujour/config and in your TRUSTED RULESETS, add: SARE_STOCKS

We did this and it shut these spams DOWN! I've only seen like 3 get through so far when we WERE getting an all but unbearable amount of these things.

Hope this helps :)
Scott
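
The config step from the post above, sketched as an added example (not part of the original post and not Chirpy's or RulesDuJour's own code): it appends a ruleset name to the trusted list exactly once and keeps a rollback copy. It assumes the config stores the list on a single line as `TRUSTED_RULESETS="..."`; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the RulesDuJour config holds the list on one line:
#   TRUSTED_RULESETS="NAME1 NAME2 ..."

# Print the current ruleset list from CONFIG.
get_trusted_rulesets() {
    sed -n 's/^TRUSTED_RULESETS="\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# add_trusted_ruleset CONFIG NAME
# Appends NAME once; keeps CONFIG.bak as a rollback copy.
add_trusted_ruleset() {
    config=$1
    name=$2
    # Accept only ruleset-style names so nothing odd reaches sed.
    case $name in
        ''|*[!A-Z0-9_]*) echo "bad ruleset name: $name" >&2; return 2 ;;
    esac
    grep -q '^TRUSTED_RULESETS="[^"]*"' "$config" || {
        echo "no single-line TRUSTED_RULESETS in $config" >&2; return 2; }
    # Already listed as a whole word: nothing to do.
    case " $(get_trusted_rulesets "$config") " in
        *" $name "*) return 0 ;;
    esac
    cp -p "$config" "$config.bak" || return 1
    sed -e "s/^TRUSTED_RULESETS=\"\"/TRUSTED_RULESETS=\"$name\"/" -e t \
        -e "s/^\(TRUSTED_RULESETS=\"[^\"]*\)\"/\1 $name\"/" \
        "$config.bak" > "$config"
}

# Constructed sample config; on a real server pass /etc/rulesdujour/config.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' \
        'TRUSTED_RULESETS="SARE_ADULT SARE_FRAUD SARE_SPOOF"' > "$cfg"
    # The second call is a no-op because the name is already listed.
    add_trusted_ruleset "$cfg" SARE_STOCKS &&
    add_trusted_ruleset "$cfg" SARE_STOCKS &&
    get_trusted_rulesets "$cfg"
    rc=$?
    rm -f "$cfg" "$cfg.bak"
    return $rc
}

demo
```

After a real edit, running `spamassassin --lint` confirms the new .cf file parses cleanly before the mail filter is reloaded.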
 

hergy80

Thanks for the info. I've installed the ruleset and we'll see how it goes!

I'm also going to look through what else is offered and any other lists we may use!

Thanks for the help!
 

SageBrian

I've found, even with Chirpy's tremendous service, that no matter what you do, those spammers are diligently working to get thru.

The spam always comes thru in waves. They come up with a new technique, then the anti-spam community finds and does its best to block it, with either new rules, or spamcop blocks, etc.

You can drive yourself crazy trying to stay on top of it every day.
 

sanderson

There is another way to keep watch on it. If you can find the IPs from where all these mails are coming, you will see most of the IPs are the same with different email addresses. If this is the case, then ask your admin to block those IP addresses. However, they keep sending junk through different IPs. But surely the junk will get reduced.
 

hergy80

SageBrian said:
I've found, even with Chirpy's tremendous service, that no matter what you do, those spammers are diligently working to get thru.

The spam always comes thru in waves. They come up with a new technique, then the anti-spam community finds and does its best to block it, with either new rules, or spamcop blocks, etc.

You can drive yourself crazy trying to stay on top of it every day.

Yeah, I know. I just wanted to make sure I was updating everything I needed to so I was on top as best as possible. So far the stock e-mails haven't returned!

I can't imagine if we didn't have some filters in place. We generally stop about 70% of mail because it's spam (and I haven't yet had a false positive!). And we deal with a modest amount of mail - only between 1-2 thousand a day.
 

jdstallings

Spam Rules

Thanks for the STOCK info.. I just updated our servers with this new rule. Thank God!! ;)

We also had Chirpy update our server with MailScanner, Rules-du-Jour, etc and they all have worked GREAT!! We do about 8-9K per day in emails and with MailScanner we catch 50-59% as score 20 for KNOWN SPAM. Then SpamAss catches about another 23% of the leftovers.

First... Chirpy services are MORE THAN GREAT! Support him... between the CSF firewall, explorer, and MailScanner support... You can not go wrong and the price is great!!

Now to the question... LOL

There are a limited number of rules that Chirpy uses in the TRUSTED. Here are the ones:

SARE_REDIRECT_POST300 SARE_EVILNUMBERS0 SARE_BAYES_POISON_NXM SARE_HTML0 SARE_HEADER0 SARE_SPECIFIC SARE_ADULT SARE_BML SARE_FRAUD SARE_SPOOF SARE_RANDOM SARE_OEM SARE_GENLSUBJ0 SARE_UNSUB SARE_URI0 SARE_WHITELIST SARE_OBFU0

I have added the SARE_STOCKS today by doing the upgrade, etc...

My question is have any of you found any additional ones that we should add that will help stop more spam, but not really increase false-positives? Example 80_sare_stocks

What works best for most of you?

Thanks!
 

meganet

I'm also interested in knowing what else you need to keep up to date after getting the Configservers services applied.

What is a typical breakdown of services I should be monitoring and upgrading on my own after Chirpy's team has installed them? So far I've gathered:
  • RulesDuJour
  • SpamAssassin *.cf's

Anyone else have input on this?
 

jdstallings

Logwatch
Mailscanner
Mailwatch
Csf
Lfd
Tripwire
Rootkit
Chkroot

I just upgraded logwatch from 3.1 to 7.1, also upgraded rules-du-jour and other stuff.

It is a lot of work.

Good luck!