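# datavibe.net spamassassin local config as of 2015-07-17
# NOTE(review): this is a point-in-time snapshot. DNSBL availability, rule
# names and default scores change between SpamAssassin releases, so run
# `spamassassin --lint` after copying any part of it.

# Add *****SPAM***** to the Subject header of spam e-mails
rewrite_header Subject *****SPAM*****

# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
report_safe 1

# Extra report headers, written to every message ("all" = spam and ham).
# add_header prefixes each header name with "X-Spam-".
add_header all RelaysUntrusted _RELAYSUNTRUSTED_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
# _RELAYCOUNTRY_ is supplied by the RelayCountry plugin; the header stays
# empty unless that plugin is loaded and has a GeoIP database available.
add_header all Relay-Country _RELAYCOUNTRY_

# Set the threshold at which a message is considered spam (default: 5.0)
required_score 5.0

# Use Bayesian classifier (default: 1)
use_bayes 1

# Bayesian classifier auto-learning (default: 1)
# Auto-learning trains on the filter's own verdicts. This file raises many
# rule scores, so review the autolearn thresholds to make sure borderline
# legitimate mail is not learned as spam.
bayes_auto_learn 1

# Keep verdict headers written by other filters out of Bayes training, so
# the classifier learns from the message rather than from earlier verdicts.
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

# hetzner (the hosting provider's shared resolver)
# dns_server is understood by SpamAssassin 3.4.0 and later; older releases
# log "failed to parse line" for it.
# NOTE(review): many DNSBL/URIBL operators refuse or rate-limit queries that
# arrive through large shared resolvers. When that happens the *_BLOCKED
# rules fire and the list lookups stop contributing. A local caching
# recursive resolver that does not forward to a shared upstream avoids this.
dns_server 213.133.98.98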
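# Custom DNSBL rules.
#
# NOTE(review): these zones were chosen in 2015. Before reusing any of them,
# confirm the list still operates and read its usage policy. A retired zone
# can time out on every message, and a zone that starts answering for every
# address adds its score to all mail.
#
# Most rules below score 1.9 against required_score 5.0, so a sender listed
# on three of them is tagged as spam on DNSBL evidence alone. Check overlap
# between lists before keeping all of them at this weight.
#
# All rules carry "tflags net" because they need network (DNS) access.

# check_rbl_sub reuses the result of the 'sorbs' set; no check_rbl in this
# file defines that set, so this presumably relies on the stock ruleset.
header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
tflags RCVD_IN_SORBS_SPAM net
score RCVD_IN_SORBS_SPAM 0.9

header RCVD_IN_SORBS_DUL eval:check_rbl('sorbsdul','dul.dnsbl.sorbs.net')
describe RCVD_IN_SORBS_DUL SORBS: sender is an end-user
tflags RCVD_IN_SORBS_DUL net
# A later "score RCVD_IN_SORBS_DUL 2.5" line in this file overrides this value.
score RCVD_IN_SORBS_DUL 0.7

header RCVD_IN_SC_SPAM eval:check_rbl('spamcannibal', 'bl.spamcannibal.org.')
describe RCVD_IN_SC_SPAM SpamCannibal: sender is a spam source
tflags RCVD_IN_SC_SPAM net
score RCVD_IN_SC_SPAM 2.2

# UCEPROTECT1 (open relays/proxys/dialups) http://uceprotect.net
# Level 1 lists single addresses. Levels 2 and 3 list whole networks, so
# they can hit senders that never sent spam; they are scored lower for
# that reason.
header RCVD_IN_UCEPROTECT1 eval:check_rbl_txt('uceprotect1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCEPROTECT1 Listed in dnsbl-1.uceprotect.net
tflags RCVD_IN_UCEPROTECT1 net
score RCVD_IN_UCEPROTECT1 2.2

# UCEPROTECT2 (open relays/proxys/dialups networks) http://uceprotect.net
# Set name fixed: the original reused 'uceprotect1' here (copy-paste), which
# made three different zones share one result set.
header RCVD_IN_UCEPROTECT2 eval:check_rbl_txt('uceprotect2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCEPROTECT2 Network listed in dnsbl-2.uceprotect.net
tflags RCVD_IN_UCEPROTECT2 net
score RCVD_IN_UCEPROTECT2 1.9

# UCEPROTECT3 (bad networks) http://uceprotect.net
# Set name fixed: the original reused 'uceprotect1' here as well.
header RCVD_IN_UCEPROTECT3 eval:check_rbl_txt('uceprotect3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCEPROTECT3 Network listed in dnsbl-3.uceprotect.net
tflags RCVD_IN_UCEPROTECT3 net
score RCVD_IN_UCEPROTECT3 1.3

header RCVD_IN_LB_SPAM eval:check_rbl('lashback', 'ubl.lashback.com')
describe RCVD_IN_LB_SPAM LASHBACK: sender is a spam source
tflags RCVD_IN_LB_SPAM net
score RCVD_IN_LB_SPAM 1.9

header RCVD_IN_BS_SPAM eval:check_rbl('backscatterer', 'ips.backscatterer.org')
describe RCVD_IN_BS_SPAM BACKSCATTERER: sender is a spam source
tflags RCVD_IN_BS_SPAM net
score RCVD_IN_BS_SPAM 1.9

header RCVD_IN_UNSUBSCORE eval:check_rbl('unsubscore-lastexternal','ubl.unsubscore.com.')
describe RCVD_IN_UNSUBSCORE Listed in Lashback unsubscore.com
tflags RCVD_IN_UNSUBSCORE net
score RCVD_IN_UNSUBSCORE 1.9

header RCVD_IN_TRUNC eval:check_rbl('truncate','truncate.gbudb.net')
describe RCVD_IN_TRUNC Listed in truncate.gbudb.net rbl
tflags RCVD_IN_TRUNC net
score RCVD_IN_TRUNC 1.9

header RCVD_IN_S5HBL eval:check_rbl('s5hbl', 'all.s5h.net')
describe RCVD_IN_S5HBL Listed at all.s5h.net rbl
tflags RCVD_IN_S5HBL net
score RCVD_IN_S5HBL 1.9

# http://www.dnsbl.manitu.net/index.php?language=en
header RCVD_IN_NIX eval:check_rbl('nix', 'ix.dnsbl.manitu.net.')
# Description fixed: the original said "all.s5h.net", copied from the rule
# above, which would mislead anyone reading the report for a hit.
describe RCVD_IN_NIX Listed at ix.dnsbl.manitu.net rbl
tflags RCVD_IN_NIX net
score RCVD_IN_NIX 1.9

# ixhashtest is not a core eval function; it is presumably provided by the
# third-party iXhash plugin, which must be loaded for this rule to lint.
body HASH_IX eval:ixhashtest('ix.dnsbl.manitu.net')
describe HASH_IX body-hash classified as spam by iX Magazine, Germany
tflags HASH_IX net
score HASH_IX 1.9

header RCVD_IN_APEWS eval:check_rbl('apews', 'l2.apews.org')
describe RCVD_IN_APEWS Listed at APEWS
tflags RCVD_IN_APEWS net
score RCVD_IN_APEWS 1.9

header RCVD_IN_CHILE eval:check_rbl('dnsblchile', 'dnsblchile.org')
describe RCVD_IN_CHILE Listed at dnsblchile
tflags RCVD_IN_CHILE net
score RCVD_IN_CHILE 1.9

header RCVD_IN_MCAFEE eval:check_rbl('mcafee', 'cidr.bl.mcafee.com')
describe RCVD_IN_MCAFEE Listed at cidr.bl.mcafee.com
tflags RCVD_IN_MCAFEE net
score RCVD_IN_MCAFEE 1.9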
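# Mailspike reputation rules.
#
# The "-lastexternal" and "-firsttrusted" set suffixes select which relay's
# address is looked up, so these rules are only as reliable as the
# trusted_networks / internal_networks settings. With a wrong trust boundary
# the lookup is made on the wrong Received hop, and the "nice" rules below
# could then lower the score of mail that should not be trusted.

# Spam sources
# The tflags directive was fused onto the header line in the original; a
# directive must be on its own line to be parsed.
header __RCVD_IN_MSPIKE eval:check_rbl('mspike-lastexternal', 'bl.mailspike.net.')
tflags __RCVD_IN_MSPIKE net

# Bad senders
# Each check_rbl_sub matches one return code of the lookup made above.
header __RCVD_IN_MSPIKE_Z eval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.2$')
describe __RCVD_IN_MSPIKE_Z Spam wave participant
tflags __RCVD_IN_MSPIKE_Z net

header RCVD_IN_MSPIKE_L5 eval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.10$')
describe RCVD_IN_MSPIKE_L5 Very bad reputation (-5)
tflags RCVD_IN_MSPIKE_L5 net

header RCVD_IN_MSPIKE_L4 eval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.11$')
describe RCVD_IN_MSPIKE_L4 Bad reputation (-4)
tflags RCVD_IN_MSPIKE_L4 net

header RCVD_IN_MSPIKE_L3 eval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.12$')
describe RCVD_IN_MSPIKE_L3 Low reputation (-3)
tflags RCVD_IN_MSPIKE_L3 net

header RCVD_IN_MSPIKE_L2 eval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.13$')
describe RCVD_IN_MSPIKE_L2 Suspicious reputation (-2)
tflags RCVD_IN_MSPIKE_L2 net

# Good senders
# NOTE(review): no check_rbl in this file defines the 'mspikeg-firsttrusted'
# set, so these sub-rules only fire if another loaded rule file performs
# that lookup. Confirm against the installed ruleset.
header RCVD_IN_MSPIKE_H5 eval:check_rbl_sub('mspikeg-firsttrusted', '^127\.0\.0\.20$')
describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
tflags RCVD_IN_MSPIKE_H5 nice net

header RCVD_IN_MSPIKE_H4 eval:check_rbl_sub('mspikeg-firsttrusted', '^127\.0\.0\.19$')
describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
tflags RCVD_IN_MSPIKE_H4 nice net

header RCVD_IN_MSPIKE_H3 eval:check_rbl_sub('mspikeg-firsttrusted', '^127\.0\.0\.18$')
describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
tflags RCVD_IN_MSPIKE_H3 nice net

header RCVD_IN_MSPIKE_H2 eval:check_rbl_sub('mspikeg-firsttrusted', '^127\.0\.0\.17$')
describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
tflags RCVD_IN_MSPIKE_H2 nice net

# *_L and *_Z may overlap, so account for that
# ZBI fires only for a spam-wave listing that has no L2-L5 reputation hit,
# so one sender is not scored twice.
meta __RCVD_IN_MSPIKE_LOW RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3 || RCVD_IN_MSPIKE_L2
meta RCVD_IN_MSPIKE_ZBI __RCVD_IN_MSPIKE_Z && !__RCVD_IN_MSPIKE_LOW

# Scores
# L5 alone (5.2) exceeds required_score 5.0, so a single listing at that
# level tags the message as spam. L4 and ZBI come close.
# H3, H4 and H5 get no score here. They take whatever the installed ruleset
# or SpamAssassin's default assigns. Confirm the effective values.
score RCVD_IN_MSPIKE_ZBI 4.1
score RCVD_IN_MSPIKE_L5 5.2
score RCVD_IN_MSPIKE_L4 4.2
score RCVD_IN_MSPIKE_L3 3.9
score RCVD_IN_MSPIKE_L2 0.8
score RCVD_IN_MSPIKE_H2 -0.5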
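# Score overrides for stock rules. The trailing comment on each line records
# the value the author replaced.
#
# When a rule is scored more than once, the last line wins. This list scores
# RCVD_IN_PBL, BAD_CREDIT, HTML_MESSAGE, RDNS_DYNAMIC, T_REMOTE_IMAGE and
# RCVD_IN_BRBL_LASTEXT twice, so only the later value of each is effective.
#
# A score of 0 disables a rule. The entries that zero the DNSWL rules
# therefore remove that whitelist's influence entirely.
#
# NOTE(review): some rule names here refer to lists that have since been
# retired (the AHBL line says so itself, and the NJABL rules look like the
# same case; confirm). Overrides for rules the installed ruleset no longer
# ships are dead weight and should be pruned after a lint run.
score FROM_LOCAL_NOVOWEL 1.1 # was 3.1
score FROM_LOCAL_HEX 0.5 # was 1.399
score RCVD_IN_SORBS_DUL 2.5
score RCVD_IN_SBL 2.7
score SUBJ_ALL_CAPS 2.5 # was 2.077
score RCVD_IN_NJABL_SPAM 3.0 # orig 2.7
score RCVD_IN_PBL 1.5 # orig 0.905
score FH_DATE_PAST_20XX 0.0
score INVALID_MSGID 2.3 # orig 1.9
score HTML_FONT_SIZE_LARGE 0.5 # orig 0.001
score FORGED_YAHOO_RCVD 3.5 # orig 2.297
score RCVD_IN_BL_SPAMCOP_NET 3.5 # orig 1.96
score BAD_CREDIT 2.5 # orig 0.001
score NA_DOLLARS 2.5 # orig 1.329
score ADVANCE_FEE_2 2.5 # orig 1.234
score RDNS_NONE 2.0 # orig 0.1
score URIBL_BLACK 3.9 # orig 1.955
score FH_HELO_EQ_D_D_D_D 1.5 # orig 0.001
score RDNS_DYNAMIC 1.5 # orig 0.1
score RCVD_IN_SORBS_WEB 2.5 # orig 0.619
score RCVD_IN_PBL 2.0 # orig 1.5
score HABEAS_ACCREDITED_SOI 0.5 # was -4.3, is complete bullshit
score RCVD_IN_BSP_TRUSTED 0.5 # was -4.3, is bullshit
score BAYES_60 1.2 # was 1.0
score SPF_SOFTFAIL 1.596 # was 0.596
score MISSING_MID 1.5 # was 0.001
score URIBL_RHS_DOB 2.7 # was 1.083
score URIBL_OB_SURBL 2.6 # was 1.5
score URIBL_SC_SURBL 1.6 # was 0.474
score HTML_MESSAGE 0.6 # was 0.001
score US_DOLLARS_3 2.0 # was 0.63
score FORGED_HOTMAIL_RCVD2 2.502 # was 1.502
score MISSING_HEADERS 2.0 # was 1.292
# SPF_PASS only shows that the sending host is authorised for the envelope
# domain. Spammers publish SPF records too, so keep any bonus small.
score SPF_PASS -0.5 # was -0
score HTML_IMAGE_RATIO_02 1.5 # was 0.383
score SUBJECT_NEEDS_ENCODING 0.3 # was 0.001
score HTML_IMAGE_RATIO_04 0.5 # was 0.172
score MONEY_BACK 1.0 # was 0.001
score HTML_SHORT_LINK_IMG_3 0.75 # was 0.001
score HTML_IMAGE_ONLY_24 1.8 # was 1.552
score URIBL_JP_SURBL 3.0 # was 1.501
score BAYES_80 2.5 # was 2.0
score BAD_CREDIT 3.5 # was 2.5
score RCVD_IN_BRBL_LASTEXT 2.0 # was 1.644
score URIBL_DBL_SPAM 1.9 # was 1.7
score URIBL_SBL 0.8 #was 0.644
score HTML_FONT_LOW_CONTRAST 0.5 # was 0.001
score RCVD_IN_DNSWL_HI 0 # was -5
score RCVD_IN_DNSWL_MED 0 # was -2 or something
score FILL_THIS_FORM 0.06 # was 0.001
score T_REMOTE_IMAGE 0.1 # was 0.01
score HK_SPAMMY_FILENAME 0.9 # was 0.001
score MIME_HTML_MOSTLY 0.9 # was 0.001
score T_FREEMAIL_DOC_PDF 1.0 # was 0.01
score FREEMAIL_ENVFROM_END_DIGIT 1 # was 0.1
score FREEMAIL_FROM 0.8 # was 0.001
score HTML_MESSAGE 0.8 # was 0.6
score RCVD_IN_NJABL_PROXY 1.5 # was 0.208
score UNPARSEABLE_RELAY 1.0 # was 0.001
score RDNS_DYNAMIC 2.5 #was .5
score T_OBFU_JPG_ATTACH 0.9 #w was 0.01
score T_REMOTE_IMAGE 0.7 # was 0.1
score DEAR_BENEFICIARY 1.451 # was 0.451
score LOTS_OF_MONEY 0.501 # was 0.001
score MONEY_LOTTERY 1.2 # was 0.001
# RCVD_IN_DNSWL_BLOCKED reports that the list operator refused this
# resolver's queries. It says nothing about the message itself.
score RCVD_IN_DNSWL_BLOCKED 0.3 # was 0.001
#score BAYES_99 3.3 # was 3.5
score DNS_FROM_OPENWHOIS 0.0 # was 1.1
score RCVD_IN_BRBL_LASTEXT 3.1 # was 2
score URIBL_WS_SURBL 1.9 # was 1.659
# URIBL_BLOCKED is an operational warning, not a spam signal: it fires when
# the URIBL operator refuses queries from the resolver in use, as happens
# with shared resolvers like the one in this file's dns_server setting.
# This file scored it 3.5, which pushes every message containing a URI most
# of the way to required_score 5.0 for as long as the block lasts. Restored
# to the informational value; fix the resolver instead of scoring the rule.
score URIBL_BLOCKED 0.001 # this file had 3.5; stock value was 0.001
score DNS_FROM_AHBL_RHSBL 0 #ahbl no longer exists
score URI_NO_WWW_INFO_CGI 2.6 # was 2.299
score HTML_IMAGE_RATIO_06 0.3 # was 0.001
score BAYES_999 2.0 # was 0.2
score BAYES_00 -1.1 # was -1.9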
That is actually nonsense, Darxus. Most others are scams. UCE level 1 has the least false positives I've ever seen, and I'm running my own mailservers for about 25 years now.
This file is 7 years old.
So?
dns_server 213.133.98.98
Here this yields
warn: config: failed to parse line, skipping, in "/etc/spamassassin/local.cf": dns_server 213.133.98.98
Any idea?
That is actually nonsense, Darxus. Most others are scams. UCE level 1 has the least false positives I've ever seen, and I'm running my own mailservers for about 25 years now.
I'm also using UCE Protect Level 1 and it is great to use even directly on Postfix.
Those blacklisted IPs that reach L1 are usually listed at another BL too sooner or later.
UCE Levels 2 & 3 should be used in SpamAssassin with a low score, as you suggest.
Many people complain about UCE because L2 & L3 list full IP blocks, including some non-spammers, and it is not possible for an innocent user to be removed from L2 & L3.
It would be great if UCE Protect started by listing the specific IP at L1 instead of listing the full block at L3. Currently UCE starts with L3, then L2 and finally L1. This allows spammers to send more spam until they reach L1; doing it the other way around would stop a lot more spam.
UCEPROTECT is not a legitimate blacklist, it is a scam. The first google hit on "uceprotect spamassassin" is this. I would very much appreciate you deleting those rules.
This is an article about it: https://securityboulevard.com/2021/02/uceprotect-when-rbls-go-bad/
This is a related wikipedia page: https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists#Suspect_RBL_Providers