This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
internet:mail:smeserver_spam [2013/03/24 11:27] 127.0.0.1 external edit |
— (current) | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Spam Filter Configuration for SME 8 ====== | ||
- | |||
- | This is a quick configuration howto, not an in-depth look at SpamAssassin. Much more can be done beyond this document, but this will take a big dent out of your spam and free up CPU cycles on your server. | ||
- | |||
- | :!: If you upgraded your SME server to version 7.2 (or later) from 7.1.3 (or earlier), follow the instructions [[http:// | ||
- | |||
- | ===== More Information ===== | ||
- | |||
- | **[[http:// | ||
- | |||
- | **[[http:// | ||
- | |||
- | ==== Informative URLs ==== | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | ==== Spamassassin Documentation ==== | ||
- | |||
- | Enter this command at a console: | ||
- | |||
- | < | ||
- | perldoc Mail:: | ||
- | </ | ||
- | |||
- | ===== Server-Manager ===== | ||
- | |||
- | ==== Basic Settings ==== | ||
- | |||
- | Using the Server-Manager Configuration/ | ||
- | |||
- | ^Option | ||
- | |Virus scanning | ||
- | |Spam filtering | ||
- | |Spam sensitivity | ||
- | |Custom spam tagging level |4 | | ||
- | |Custom spam rejection level |12 | | ||
- | |Sort spam into junkmail folder |Enabled | ||
- | |Modify subject of spam messages|Enabled | ||
- | |||
- | I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (**control-click all but the last two**). | ||
- | |||
- | Click **Save**. | ||
- | |||
- | :!: These Server-Manager settings alone will do a reasonably adequate job of filtering junkmail. | ||
- | |||
- | ==== Adjustments ==== | ||
- | |||
- | If you think you are losing misclassified mail, adjust the ' | ||
- | |||
- | If too much spam is making through to your Inbox, carefully adjust the ' | ||
- | |||
- | If too much spam is building up in your (IMAP) junkmail folder, adjust the ' | ||
- | |||
- | ===== How It Works ===== | ||
- | |||
- | When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled. | ||
- | |||
- | With the above configuration: | ||
- | |||
- | * The spammiest messages, those marked as 12 or above, will be rejected at the SMTP level | ||
- | * Those spam messages marked between 4 and 12, will be routed to the users' (IMAP) ' | ||
- | * Users may check their junkmail folders for false-positives (valid messages that were classified as spam by SpamAssassin) via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client. | ||
- | |||
- | https:// | ||
- | |||
- | ===== Advanced Filter Configuration ===== | ||
- | |||
- | ==== Clam Antivirus ==== | ||
- | |||
- | Update and check your Clam Antivirus with this command. | ||
- | |||
- | < | ||
- | freshclam -v | ||
- | </ | ||
- | |||
- | or | ||
- | |||
- | < | ||
- | freshclam --debug | ||
- | </ | ||
- | |||
- | Verify hourly update checking by viewing the " | ||
- | |||
- | ==== Realtime Blackhole Lists and DNS Blacklists ==== | ||
- | |||
- | :!: The DNSBL and RBL lists are not enabled by default but are an important addition to the spam filter configuration. | ||
- | |||
- | :!: Enabling both of these checks should probably be the first steps you take beyond the Basic Settings listed above. | ||
- | |||
- | :!: Note: here in the US, we have had problems with the (European) Level 2 list at uceprotect.net. | ||
- | |||
- | To specify multiple RBLs, use commands like these: | ||
- | |||
- | < | ||
- | config setprop qpsmtpd RBLList zen.spamhaus.org: | ||
- | config setprop qpsmtpd SBLList bogusmx.rfc-ignorant.org: | ||
- | config setprop qpsmtpd DNSBL enabled RHSBL enabled | ||
- | |||
- | config show qpsmtpd | ||
- | |||
- | signal-event email-update | ||
- | svc -t / | ||
- | </ | ||
- | |||
- | ==== Enable/ | ||
- | |||
- | This procedure doesn' | ||
- | |||
- | Per-user filtering is enabled by default. | ||
- | |||
- | < | ||
- | db accounts setprop USERNAME SortSpam disabled | ||
- | signal-event user-modify USERNAME | ||
- | |||
- | db accounts show USERNAME | ||
- | </ | ||
- | |||
- | ==== SPAM Retention Period ==== | ||
- | |||
- | The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. | ||
- | |||
- | Where 15 is the number of days you want to keep messages, do: | ||
- | |||
- | < | ||
- | db configuration setprop spamassassin MessageRetentionTime 15 | ||
- | signal-event email-update | ||
- | svc -t / | ||
- | |||
- | config show spamassassin | ||
- | </ | ||
- | |||
- | ==== Bayesian Autolearning ==== | ||
- | |||
- | The default SME settings do not include bayesian filtering in spamassassin to allow spamassassin to learn from received email and improve over time. | ||
- | |||
- | The following command will enable the bayesian learning filter and set thresholds for the bayesian filter. | ||
- | |||
- | < | ||
- | config setprop spamassassin UseBayes 1 | ||
- | config setprop spamassassin BayesAutoLearnThresholdSpam 4.00 | ||
- | config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10 | ||
- | expand-template / | ||
- | sa-learn --sync --dbpath / | ||
- | chown spamd.spamd / | ||
- | chown spamd.spamd / | ||
- | chmod 640 / | ||
- | config setprop spamassassin status enabled | ||
- | config setprop spamassassin RejectLevel 12 | ||
- | config setprop spamassassin TagLevel 4 | ||
- | config setprop spamassassin Sensitivity custom | ||
- | signal-event email-update | ||
- | </ | ||
- | |||
- | These commands will: | ||
- | |||
- | * Enable spamassassin | ||
- | * Configure spamassassin to reject any email with a score above 12 | ||
- | * Tag spam scored between 4 and 12 in the email header | ||
- | * Enable bayesian filter | ||
- | * ' | ||
- | * ' | ||
- | |||
- | ==== Bayesian Filter Training and Statistics ===== | ||
- | |||
- | <note important> | ||
- | |||
- | Install the LearnAsSpam.pl and mailstats scripts, and configure nightly cron jobs like this: | ||
- | |||
- | < | ||
- | cd /usr/bin | ||
- | wget http:// | ||
- | cd /etc/cron.d | ||
- | wget http:// | ||
- | / | ||
- | </ | ||
- | |||
- | Using an IMAP mail client, create a new folder called ' | ||
- | |||
- | If any spam messages make it past the filter and into your inbox, just move them into the LearnAsSpam folder. | ||
- | Manual Training | ||
- | |||
- | You can manually train the bayesian filter with commands like these: | ||
- | |||
- | < | ||
- | sa-learn --ham / | ||
- | sa-learn --spam / | ||
- | </ | ||
- | |||
- | If you save real mail in other folders, you could also teach SA about those emails. | ||
- | |||
- | ==== Mail Statistics ==== | ||
- | |||
- | <note important> | ||
- | |||
- | See [[http:// | ||
- | |||
- | < | ||
- | yum install --enablerepo=smecontribs smeserver-mailstats | ||
- | </ | ||
- | |||
- | ==== Testing and Troubleshooting ==== | ||
- | |||
- | Check the log of SMTP events using a command like: | ||
- | |||
- | < | ||
- | tail / | ||
- | </ | ||
- | |||
- | You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results. | ||
- | |||
- | < | ||
- | sa-learn --dump magic | ||
- | </ | ||
- | |||
- | You can check the spam filter log with this command: | ||
- | |||
- | < | ||
- | tail -50 / | ||
- | </ | ||
- | |||
- | Check spamassassin configuration like this: | ||
- | |||
- | < | ||
- | spamassassin -D --lint | ||
- | </ | ||
- | |||
- | If you ever see an error such as: | ||
- | |||
- | < | ||
- | warn: bayes: cannot open bayes databases / | ||
- | </ | ||
- | |||
- | Try adjusting some permissions with these commands: | ||
- | |||
- | < | ||
- | chown :spamd / | ||
- | chmod g+rw / | ||
- | </ | ||
- | |||
- | ==== Whitelist and Blacklist ==== | ||
- | |||
- | If mail comes in and it is misclassified as spam, you can add the sender to the whitelist so that future messages coming in from that sender are not filtered. | ||
- | |||
- | Conversely, you can add a spammer to the blacklist so you never see their spam again. | ||
- | |||
- | Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root): | ||
- | |||
- | < | ||
- | db spamassassin setprop wbl.global *@vonage.com White | ||
- | db spamassassin setprop wbl.global *domain2.com White | ||
- | db spamassassin setprop wbl.global user@domain3.com White | ||
- | db spamassassin setprop wbl.global spammer@spamdomain.com Black | ||
- | expand-template / | ||
- | svc -t / | ||
- | </ | ||
- | |||
- | You can view the white/black lists with this command: | ||
- | |||
- | < | ||
- | db spamassassin show | ||
- | </ | ||
- | |||
- | If you have a text file of e-mail addresses and/or domains (one per line and with entries formatted as above) that you want to whitelist, here is a command line to be run as root that will parse the list and add them to the database all at one time. | ||
- | |||
- | < | ||
- | dos2unix / | ||
- | for id in `cat / | ||
- | </ | ||
- | |||
- | The Horde webmail whitelisting feature does not have the desired effect. | ||
- | |||
- | ==== Greylisting ==== | ||
- | |||
- | http:// | ||
- | |||
- | Greylisting is an incredibly efficient way to cut back on spam. It does so by delaying messages from new senders. Valid senders will always retry later and spammers most often will not. | ||
- | |||
- | :!: Greylisting performs its miracles with an absolute minimum of server resources, so if your server is old, slow or light on resources, this is a very useful technique. | ||
- | |||
- | < | ||
- | mkdir -p / | ||
- | chown qpsmtpd: | ||
- | mkdir -p / | ||
- | cat >> / | ||
- | 127.0.0.1 # Of course we don't want to delay ourselves or local users | ||
- | 192.168 # Don't delay our private networks either | ||
- | 10 # Private net (class A) | ||
- | 172.16 # Another private net (inidividual entries, since can't | ||
- | 172.17 # do a /12 netmask easily | ||
- | 172.18 | ||
- | 172.19 | ||
- | 172.20 | ||
- | 172.21 | ||
- | 172.22 | ||
- | 172.23 | ||
- | 172.24 | ||
- | 172.25 | ||
- | 172.26 | ||
- | 172.27 | ||
- | 172.28 | ||
- | 172.29 | ||
- | 172.30 | ||
- | 172.31 | ||
- | |||
- | # Public Servers | ||
- | |||
- | 12.5.136.141 # Southwest Airlines (unique sender, no retry) | ||
- | 12.5.136.142 # Southwest Airlines (unique sender, no retry) | ||
- | 12.5.136.143 # Southwest Airlines (unique sender, no retry) | ||
- | 12.5.136.144 # Southwest Airlines (unique sender, no retry) | ||
- | 12.107.209.244 # kernel.org mailing lists (high traffic, unique sender per mail) | ||
- | 63.82.37.110 # SLmail | ||
- | 63.169.44.143 # Southwest Airlines (unique sender, no retry) | ||
- | 63.169.44.144 # Southwest Airlines (unique sender, no retry) | ||
- | 64.7.153.18 # sentex.ca (common pool) | ||
- | 64.12.137 # AOL (common pool) - http:// | ||
- | 64.12.138 # AOL (common pool) | ||
- | 64.124.204.39 # moveon.org (unique sender per attempt) | ||
- | 64.125.132.254 # collab.net (unique sender per attempt) | ||
- | #64.233.162 # zproxy.gmail.com (common server pool, bad 451 handling?) | ||
- | #64.233.170 # rproxy.gmail.com (common server pool, bad 451 handling?) | ||
- | #64.233.182 # nproxy.gmail.com (common server pool, bad 451 handling?) | ||
- | #64.233.184 # wproxy.gmail.com (common server pool, bad 451 handling?) | ||
- | # | ||
- | 66.94.237 # Yahoo Groups servers (common pool, no retry) | ||
- | 66.100.210.82 # Groupwise? | ||
- | 66.135.209 # Ebay (for time critical alerts) | ||
- | 66.135.197 # Ebay (common pool) | ||
- | 66.162.216.166 # Groupwise? | ||
- | 66.206.22.82 # PLEXOR | ||
- | 66.206.22.83 # PLEXOR | ||
- | 66.206.22.84 # PLEXOR | ||
- | 66.206.22.85 # PLEXOR | ||
- | 66.218.66 # Yahoo Groups servers (common pool, no retry) | ||
- | 66.218.67 # Yahoo Groups servers (common pool, no retry) | ||
- | 66.218.69 # Yahoo Groups servers (common pool, no retry) | ||
- | #66.249.82 # gmail (common server pool, bad 451 handling) | ||
- | 66.27.51.218 # ljbtc.com (Groupwise) | ||
- | # | ||
- | # | ||
- | #72.14.204 # qproxy.gmail.com (common server pool, bad 451 handling?) | ||
- | 152.163.225 # AOL (common pool) | ||
- | 194.245.101.88 # Joker.com (email forwarding server) | ||
- | 195.235.39.19 # Tid InfoMail Exchanger v2.20 | ||
- | 195.238.2 # skynet.be (wierd retry pattern, common pool) | ||
- | 195.238.3 # skynet.be (wierd retry pattern, common pool) | ||
- | # | ||
- | 204.107.120.10 # Ameritrade (no retry) | ||
- | 205.188.139.136 # AOL (common pool) | ||
- | 205.188.139.137 # AOL (common pool) | ||
- | 205.188.144.207 # AOL (common pool) | ||
- | 205.188.144.208 # AOL (common pool) | ||
- | 205.188.156.66 # AOL (common pool) | ||
- | 205.188.157 # AOL (common pool) | ||
- | 205.188.159.7 # AOL (common pool) | ||
- | 205.206.231 # SecurityFocus.com (unique sender per attempt) | ||
- | 205.211.164.50 # sentex.ca (common pool) | ||
- | 207.115.63 # Prodigy (broken software that retries continually with no delay) | ||
- | 207.171.168 # Amazon.com (common pool) | ||
- | 207.171.180 # Amazon.com (common pool) | ||
- | 207.171.187 # Amazon.com (common pool) | ||
- | 207.171.188 # Amazon.com (common pool) | ||
- | 207.171.190 # Amazon.com (common pool) | ||
- | #209.104.63 # Ticketmaster (poor retry config) | ||
- | 209.132.176.174 # sourceware.org mailing lists (high traffic, unique sender per mail) | ||
- | 211.29.132 # optusnet.com.au (wierd retry pattern and more than 48hrs) | ||
- | 213.136.52.31 # Mysql.com (unique sender) | ||
- | # | ||
- | # | ||
- | #216.239.56 # proxy.gmail.com (common server pool, bad 451 handling?) | ||
- | 217.158.50.178 # AXKit mailing list (unique sender per attempt) | ||
- | EOF | ||
- | expand-template / | ||
- | mkdir -p / | ||
- | echo whitelist_soft > / | ||
- | echo greylisting black_timeout 60 db_dir / | ||
- | expand-template / | ||
- | signal-event email-update | ||
- | </ | ||