Spam Filter

[mickalo]

Hello,

we have been working on cutting down our spam this past week, and thanks to all the great info provided on this forum, have reduced it greatly.

I recall a thread regard this new spam coming through, with the subject:
SomeNameHere wrote: , IE: Debra Wrote: which seems to still getting through. But can seem to find that thread that addressed this issue.

If someone knows how to caught this type of spam, would appreciate a rule or filter to caught these types.

TIA,
Mickalo

 

[mctDarren]

Add a rule to local.cf if you are using spamassassin:

header    WROTESPAM     Subject =~ /^wrote\:/i
score     WROTESPAM     9.000

Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. hope that helps!

 

[mickalo]

Add a rule to local.cf if you are using spamassassin:

header    WROTESPAM     Subject =~ /^wrote\:/i
score     WROTESPAM     9.000

Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. hope that helps!

thx's webtiva, we'll add this and see what happens, much appreciated.

where can one get these "stock rulesets" from. We already implemented the image rules which seem to be working great .... so far!!

Mickalo

 

[mctDarren]

We use 70_sare_stocks from http://www.rulesemporium.com/rules.htm

If you implement Rules Du Jour it will make your life much easier! Highly recommended.

 

[mickalo]

We use 70_sare_stocks from http://www.rulesemporium.com/rules.htm

If you implement Rules Du Jour it will make your life much easier! Highly recommended.

again, much appreciated

I tried to get that "Rules Du Jour" auto setup, but the link that was posted here to that earlier on this forum seems to be a dead link or incorrect. Do you happen to have that correct link for this setup ?

Thx's
Mickalo

 

[mctDarren]

A decent auto installer is located here, or you can check out their how to page here.

I also highly recommend Chirpy's MailScanner setup here, which includes it. For $35 they install Mailscanner with clamAV; they set up SA, Vipul's Razor and DCC; plus they install a WHM front end for you and your hosting customers. WELL worth the cost!

 

[mickalo]

A decent auto installer is located here, or you can check out their how to page here.

I also highly recommend Chirpy's MailScanner setup here, which includes it. For $35 they install Mailscanner with clamAV; they set up SA, Vipul's Razor and DCC; plus they install a WHM front end for you and your hosting customers. WELL worth the cost!

Much appreciate all the info, you've been a big help

I've been strongly considering having Chirpy do his setup w/MailScanner package, on our server, but just abit concerned about the load I've read alot about that this MailScanner can put on the server.

we only run about 45 domains on our server, with approx., 3-4000 emails daily and about 100 POP accounts. We do run 1GB mem., and average about 30-40% CPU usage daily, which I think the server should be able to handle. Gonna think about a bit more tho.

Again, appreciate you info,
Mickalo

P.S. to any one that may use the autoinstaller, they must edit two configurations settings, 1)location of spamassassin folder and 2) path to restart spam
this is for the Cpanel install.

 

[secretreal]

Add a rule to local.cf if you are using spamassassin:

header    WROTESPAM     Subject =~ /^wrote\:/i
score     WROTESPAM     9.000

Note that the spaces in-between are tabs. Afterward I would install a stocks ruleset and image rules so you can reduce the score or eliminate this. hope that helps!

it doesnt effect :S

i use mailscanner should i do different think ?

 

[secretreal]

can anybody give advise about this

 

[mctDarren]

After adding that rule, restart exim and MailScanner and check again. I use MailScanner as well...

 

[asmithjr]

Where did you put the rule?
local.cf ??

 

[Sash]

Messages that contain "Name wrote:" are still getting by. Any advice?

I added the code to /etc/mail/spamassassin/local.cf

Thanks,
Mike

 

[Adrnalnrsh]

Not working for me either, using Chirpy's MailScanner installation.

 

[intonet]

I'm trying to capture these damned "xxx wrote:" e-mail as well.

I've added a rule to the global local.cf file, which as you can see from the following header extract it is picking up. What it's not doing though is marking it as SPAM. I've set the score to 6.0 in the rule...

X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
xeon.intonet-technology.co.uk
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_00,LOCAL_WROTE_RULE
autolearn=no version=3.1.7

Any ideas folks?

- Tim

 

[cbwass]

You can stop them getting through using etc/antivirus.exim.

Find:

if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

#Than right under it put:

if $header_subject: contains "wrote"
then
seen finish
endif

It should look like this.

if error_message and $header_from: contains "Mailer-Daemon@"
then
# looks like a real error message - just ignore it
finish
endif

if $header_subject: contains "wrote"
then
seen finish
endif

 

[asmithjr]

Great!

Remember to make sure your WHM->System Configuration->Exim Configurator Editor has the /etc/antivirus.exim selected (Use the Default)

 

[asmithjr]

Sure did on 3 of my servers.

 

[mctDarren]

if $header_subject: contains "wrote"
then
seen finish
endif

Wont this stop any email that has the word "wrote" in the subject?

 

[cbwass]

Wont this stop any email that has the word "wrote" in the subject?

It will stop all mail with 'wrote' in the subject.

 

[mctDarren]

We need to figure out why that rule isn't hitting your spam. When you look at the headers, what is the SA score on those that are getting through? If you see that it's not hitting for some reason, something is wrong with the set up. If you see it is hitting, then you might have a higher spam score requirement then what we are assigning in that rule. Sometimes I will write several rules, just to make sure that legit mail can still sneak past.

It's probably because of my custom set up, however, that mine are getting blocked. I have an extensively trained Bayesian database, plus I raise some rules scores as well - giving that little extra push for these annoying messages. Right now the "(name) wrote:" spam is hitting these rules for our servers:

3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.86 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
4.50 NAMEWROTE
1.00 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
2.40 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
1.00 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

So the only "wrote:" spam rule I have is this:

## (NAME) WROTE:
header  NAMEWROTE       Subject =~ /.*wrote\:/i
score   NAMEWROTE       4.500

You could also add another like so:

## (NAME) WROTE2:
header  NAMEWROTE2       Subject =~ /.*wrote/i
score   NAMEWROTE2       2.200

This way if the "wrote:" (with the colon) is there, it hits both and ups the score. If someone puts in their legit mail subject "I wrote to you yesterday!" it will only hit the smaller score and lessen the chance for a false positive. But for those that it is not hitting, check your High Spam Score on those email accounts that these are slipping past. If you have a high spam score of 12 needed, and the spam is hitting a score of 9 only, they will come through. Use the tools you have (bayesian database, DCC, Razor, etc) to get your system to the point that these will be blocked. Hope this helps...