Spam Filter

Add a rule to local.cf if you are using spamassassin:

Code:

header    WROTESPAM     Subject =~ /^wrote\:/i
score     WROTESPAM     9.000

Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. hope that helps!

 

We use 70_sare_stocks from http://www.rulesemporium.com/rules.htm

If you implement Rules Du Jour it will make your life much easier! Highly recommended.

 

A decent auto installer is located here, or you can check out their how to page here.

I also highly recommend Chirpy's MailScanner setup here, which includes it. For $35 they install Mailscanner with clamAV; they set up SA, Vipul's Razor and DCC; plus they install a WHM front end for you and your hosting customers. WELL worth the cost!

 

it doesnt effect :S

i use mailscanner should i do different think ?

 

can anybody give advise about this

 

After adding that rule, restart exim and MailScanner and check again. I use MailScanner as well...

 

Where did you put the rule?
local.cf ??

 

Messages that contain "Name wrote:" are still getting by. Any advice?

I added the code to /etc/mail/spamassassin/local.cf

Thanks,
Mike

 

Not working for me either, using Chirpy's MailScanner installation.

 

I'm trying to capture these damned "xxx wrote:" e-mail as well.

I've added a rule to the global local.cf file, which as you can see from the following header extract it is picking up. What it's not doing though is marking it as SPAM. I've set the score to 6.0 in the rule...

X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
xeon.intonet-technology.co.uk
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_00,LOCAL_WROTE_RULE
autolearn=no version=3.1.7

Any ideas folks?

- Tim

 

You can stop them getting through using etc/antivirus.exim.

Find:

if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

#Than right under it put:

if $header_subject: contains "wrote"
then
seen finish
endif

It should look like this.

if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

if $header_subject: contains "wrote"
then
seen finish
endif

 

Great!

Remember to make sure your WHM->System Configuration->Exim Configurator Editor has the /etc/antivirus.exim selected (Use the Default)

 

Sure did on 3 of my servers.

 

Wont this stop any email that has the word "wrote" in the subject?

 

It will stop all mail with 'wrote' in the subject.

 

We need to figure out why that rule isn't hitting your spam. When you look at the headers, what is the SA score on those that are getting through? If you see that it's not hitting for some reason, something is wrong with the set up. If you see it is hitting, then you might have a higher spam score requirement then what we are assigning in that rule. Sometimes I will write several rules, just to make sure that legit mail can still sneak past.

It's probably because of my custom set up, however, that mine are getting blocked. I have an extensively trained Bayesian database, plus I raise some rules scores as well - giving that little extra push for these annoying messages. Right now the "(name) wrote:" spam is hitting these rules for our servers:

3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.86 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
4.50 NAMEWROTE
1.00 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
2.40 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
1.00 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

So the only "wrote:" spam rule I have is this:

Code:

## (NAME) WROTE:
header  NAMEWROTE       Subject =~ /.*wrote\:/i
score   NAMEWROTE       4.500

You could also add another like so:

Code:

## (NAME) WROTE2:
header  NAMEWROTE2       Subject =~ /.*wrote/i
score   NAMEWROTE2       2.200

This way if the "wrote:" (with the colon) is there, it hits both and ups the score. If someone puts in their legit mail subject "I wrote to you yesterday!" it will only hit the smaller score and lessen the chance for a false positive. But for those that it is not hitting, check your High Spam Score on those email accounts that these are slipping past. If you have a high spam score of 12 needed, and the spam is hitting a score of 9 only, they will come through. Use the tools you have (bayesian database, DCC, Razor, etc) to get your system to the point that these will be blocked. Hope this helps...