[BlueOnyx:24207] Re: AVSpam

Michael Stauber mstauber at blueonyx.it
Sun Aug 23 14:36:06 -05 2020


Hi Richard,

> x-spam-status: No, score=4.7 required=5.0 tests=BAYES_00,DCC_CHECK,
> DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,FSL_BULK_SIG,
> HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
> MIME_HTML_ONLY,RATS_SPAM,RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_NONE,SPF_PASS,
>                 TXREP,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no

Yeah, this one rattled the fence quite a bit. The sender is listed in
the RBL RATS_SPAM and in RCVD_IN_BL_SPAMCOP_NET, plus he had URLs in the
email body that are listed in URIBL_BLOCKED. Oh, and it's also listed in
DCC.

The thing here is: While the AV-SPAM assigns a positive score to all
these indicators, none of them is high enough to warrant an outright
marking as SPAM.

But you can easily throw in your own scores for existing rules.

For example, create /etc/mail/spamassassin/richard.cf and then put this
into it:

score RATS_SPAM 2.5
score DCC_CHECK 2.5
score RCVD_IN_BL_SPAMCOP_NET 2.5
score UNPARSEABLE_RELAY 2.5

Save it and restart spamassassin: "systemctl restart spamassassin".

That assigns scores of 2.5 to each of these three rules. In that case
these would have given the email a score of 10.0, even though some
negative modifiers like DKIM_SIGNED, DKIM_VALID_EF and the BAYES_00
might lower it to about 8.0. Which would still be enough to clearly mark
it as SPAM.

I also recommend adding a small custom rule. Here is a favorite of mine:

meta     DCC_AND_HTML (DCC_CHECK && HTML_MESSAGE)
score    DCC_AND_HTML 10.00
describe DCC_AND_HTML Listed in DCC and sending HTML messages.

If it's an HTML message *and* it's listed in DCC, then it gets a SPAM
score of 10.00 and nothing but a straight whitelist of the sender will
put it back into good graces again.

-- 
With best regards

Michael Stauber
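
A dry-run check for the overrides above, as an added example that is not part of the original post: it reads the X-Spam-Status header SpamAssassin already wrote on stored mail and reports which messages would hit the four re-scored rules and the DCC_AND_HTML meta rule before the new scores go live. The function names and the second sample message are constructed for illustration.

```python
import email
import re

# Scores from the post's richard.cf and its meta rule (every operand must hit).
OVERRIDES = {"RATS_SPAM": 2.5, "DCC_CHECK": 2.5,
             "RCVD_IN_BL_SPAMCOP_NET": 2.5, "UNPARSEABLE_RELAY": 2.5}
META_RULES = {"DCC_AND_HTML": ({"DCC_CHECK", "HTML_MESSAGE"}, 10.0)}
# Constructed messages: the post's quoted header, and a made-up bulk newsletter.
SAMPLE_SPAM = """From: a@example.invalid
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_00,DCC_CHECK,
\tDKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,FSL_BULK_SIG,
\tHEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
\tMIME_HTML_ONLY,RATS_SPAM,RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_NONE,SPF_PASS,
\tTXREP,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no

body
"""
SAMPLE_BULK = """From: news@example.invalid
X-Spam-Status: No, score=0.3 required=5.0 tests=DCC_CHECK,DKIM_SIGNED,
\tDKIM_VALID,HTML_MESSAGE,SPF_PASS autolearn=no

body
"""

def parse_spam_status(raw_message):
    """Return (score, required, set of rule names) from X-Spam-Status, or None."""
    header = email.message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None
    # The tests list is folded across lines; unfold and drop whitespace after commas.
    flat = re.sub(r",\s+", ",", " ".join(str(header).split()))
    m = re.search(r"score=(-?\d+(?:\.\d+)?) required=(-?\d+(?:\.\d+)?) tests=([\w,]*)", flat)
    if m is None:
        return None
    names = {t for t in m.group(3).split(",") if t and t != "none"}
    return float(m.group(1)), float(m.group(2)), names

def audit(raw_message):
    """Report which of the post's overrides and meta rules a stored mail hits."""
    parsed = parse_spam_status(raw_message)
    if parsed is None:
        return None
    score, required, names = parsed
    hits = sorted(n for n in OVERRIDES if n in names)
    metas = sorted(m for m, (needs, _) in META_RULES.items() if needs <= names)
    # override_sum adds only the new scores; the header lacks the stock ones replaced.
    return {"score": score, "required": required, "override_hits": hits,
            "override_sum": sum(OVERRIDES[n] for n in hits), "meta_hits": metas}
```

Running audit() over a folder of known-good mail shows which legitimate senders would need whitelisting once DCC_AND_HTML scores 10.00; SAMPLE_BULK is such a case.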


