SpamAssassin blacklisted score?

[IMRJS]

Hi all,

In my local.cf I have blacklisted domains, senders, and a few subject lines. All I would like to do is reject those. Now they just come in marked SPAM. So I have set "Apache SpamAssassin reject spam score threshold" to 100 in Exim settings is that correct? I'm having a hard time finding default scores for SpamAssassin but I did find an older post saying anything blacklisted is a score of 100.

Thank you,

Ryan

 

[cPanelLauren]

Hell Ryan,

All blacklisted addresses in SpamAsassin should be immediately rejected. You should see in /home/$user/.spamassassin/user_prefs -

blacklist_from domain.tld

If you're modifying Exim's Reject Spam score threshold the following should be referenced:

Apache SpamAssassin™ reject spam score threshold

This option sets the spam score that Apache SpamAssassin™ uses to reject incoming messages. Enter a positive or negative number, which may contain a single decimal point. Important: If you enter a value that contains an integer greater than or less than 0 and a decimal point, Apache SpamAssassin multiplies the value that you enter by a measure of ten. For example, if you enter a spam score threshold of 1.6, Apache SpamAssassin sets the threshold to 16. For example, if you enter a spam score threshold of 1.0, Apache SpamAssassin sets the threshold to 10. Select No reject rule by spam score to disable this option. For more information, visit Apache SpamAssassin's documentation.

So, with what you have set right now, it's most likely not going to actually reject anything. What you should set if you're trying to reject mail with score X or higher is a number ike 5.0 if you're conservative or 10.0 if you're wanting to be a bit more lenient.

If you set this to 5 this would mean that if SpamAssassin scan's the mail and it receives a score of 5 or higher (the higher the score the more likely it's spam) it will automatically be rejected.

In my local.cf I have blacklisted domains, senders, and a few subject lines

Can you show me what you're putting in local.cf?

All I would like to do is reject those. Now they just come in marked SPAM.

What are you adding specifically? I used *@gmail.com and found that the mail was automatically attributed a score of 104.8:

Warning: "SpamAssassin as myuser detected message as spam (104.8)"

(the 4.8 is a result of some other test's I have added on this server for spam assassin testing purposes, normal gmail email shouldn't come through with this high of a score)

I also see that the filter that is setup to reject mail when it's got a high score (like this does) is being flagged:

2019-12-10 17:52:40.929 [3526] 1iepJ2-0000un-Bl => /dev/null <[email protected]> F=<[email protected]> R=central_filter T=[B]bypassed[/B] S=0 QT=0.565s DT=0.000s

Which means that it just sent the email to /dev/null (essentially deleted it)

 

[IMRJS]

Hi, thanks for the reply. I'm trying to do it global and i'm using /etc/mail/spamassassin/local.cf. I don't see a user_prefs file. In my local.cf I have
blacklist_from *@creatensend.com
blacklist_from [email protected]
blacklist_subject Viagra, etc...

I have been playing around tonight with my @outlook.com email address by using blacklist_from @outlook.com if I have Apache SpamAssassin reject spam score threshold "No reject rule by spam score default" in WHM/Exim Config Manager the outlook email gets delivered but its marked SPAM if I set it to 90 or greater it is rejected.

Thank you,

Ryan

 

[cPanelLauren]

I have been playing around tonight with my @outlook.com email address by using blacklist_from @outlook.com if I have Apache SpamAssassin reject spam score threshold "No reject rule by spam score default" in WHM/Exim Config Manager the outlook email gets delivered but its marked SPAM if I set it to 90 or greater it is rejected.

Blacklisted email gets attributed a score off 100 automatically. I'd wager that none of the accounts are auto-deleting spam and that's why when you set the score to 90 in the exim configuration you find that it does finally delete/reject the mail.

When you go to cPanel>>Email>>Spam Filters>>Automatically Delete New Spam (Auto-Delete) is this disabled? If not what is the score set to? This needs to see a score under 100

To be completely honest, I set this pretty conservatively on my servers, anything with a score of 6 or higher is automatically deleted and anything with a score of 3 or higher is flagged as spam.

 

[IMRJS]

Yes "Automatically Delete New Spam" is disabled. All I want to do is reject email that is in my global local.cf that I have blacklisted. It seems to be working with Apache SpamAssassin reject spam score threshold set at 90. Is it ok to leave this or should I enable auto-delete?

I don't have a huge spam problem on my domains and I don't want to reject or delete something important. Also can cPanel>>Email>>Spam Filters>>Automatically Delete New Spam be turned on global for all domains?

Thanks,

Ryan

 

[cPanelLauren]

Yes "Automatically Delete New Spam" is disabled. All I want to do is reject email that is in my global local.cf that I have blacklisted. It seems to be working with Apache SpamAssassin reject spam score threshold set at 90. Is it ok to leave this or should I enable auto-delete?

Yes, leaving it at that is completely fine, I was trying to stress that could be an even lower number as well. Rejecting high scoring spam at SMTP time like this can also help with backscatter and misdirected bounces. Anything scoring over 6 or 7 is almost always spam - in fact I've not seen legitimate email ever score this high as far as I can recall.

Also can cPanel>>Email>>Spam Filters>>Automatically Delete New Spam be turned on global for all domains?

It can't be turned on globally, no. That's on purpose because it will delete email and could cause some issues if set incorrectly globally.

 

[IMRJS]

So if I set Apache SpamAssassin reject spam score threshold to 7 you believe this is safe? Can I still leave "Automatically Delete New Spam" disabled and just have everything over a score of 7 be rejected? Why bother having it delivered to just delete it? My thought is at least if it was important they get a bounce back and can contact us by phone or online contact form.

I also have a extensive whitelist_from of addresses and domains that are important in my local.cf. Does a list exist of basic scoring? blacklist =100, etc...

Thanks,

Ryan

 

[cPanelLauren]

So if I set Apache SpamAssassin reject spam score threshold to 7 you believe this is safe?

I believe it's safe, scoring a 7 is pretty high, in the UI you'd put 7.0 - if you want to confirm that most of your obvious spam scores start around 5 you can check the headers of messages that were clearly flagged as SPAM by SpamAssassin to view their scores. Even setting this to 8.0 would be beneficial in my opinion and the likelihood you'll flag legitimate mail would extremely slim (unless they had some sort of grossly misconfigured server that was also blacklisted)

Can I still leave "Automatically Delete New Spam" disabled and just have everything over a score of 7 be rejected?

You sure can! This way anything flagged as spam will be under a spam score of 7

 

[IMRJS]

OK thank you... I set it for 8.0 last night and lowered it today to 7.0... I noticed when inputted into Exim it's actually 80 with SpamAssassin... I'm assuming that's normal?

"Updating “Apache SpamAssassin™ reject spam score threshold” from “80” to “70”.
“Apache SpamAssassin™ reject spam score threshold” was updated."

You mentioned to check the headers of the messages that were flagged as SPAM to view the scores? Where can I do that if I'm just rejecting them?

Thanks,

Ryan

 

[cPanelLauren]

Yes, that's fine, In WHM the SpamAssassin scores are multiplied by 10. Any actual SA score is x out of a total of 100

You mentioned to check the headers of the messages that were flagged as SPAM to view the scores? Where can I do that if I'm just rejecting them?

I meant you could do this prior to making that change to confirm what I was noting that you were not getting any legitimate mail which had a score of 7 or higher.

 

[Fagner]

@cPanelLauren

In an environment where the score is set to 2.0 and in the message the score was -0.2 (letting the spam message pass), which rule do I define to reach a number higher than 2.0?

RP_MATCHES_RCVD
DKIM_SIGNED
T_DKIM_INVALID
HTML_MESSAGE

 

[cPanelLauren]

Well that would depend on what the score for each of those are and which of those were flagged on the message. You can see this in the message headers as well as in the maillog at /var/log/maillog