SpamAssassin Konfigurationsdatei für spamd & spamd-isbg-main

Ich habe hier eine Konfigurationsdatei vorbereitet und wieder zu den einzelnen Parametern eine kurze Beschreibung hinzugefügt. Im Gegensatz zu den Standardeinstellungen, verfahren ich hier allerdings sehr streng mit der Spambewertung. Wird bereits eine Regel verletzt, stuft SpamAssassin die Mail als Spam ein. Über den Quelltext der E-Mail kann der Grund für die Einstufung als Spam ausgelesen werden. Wurde unter Score ein Absender oder eine URL als Spam eingestuft kann diese in der Konfigurationsdatei unter Whiteliste hinzugefügt oder unter Spamregeln die entsprechende Regel entfernt werden.

/home/spamd/.spamassassin/user_prefs

oder

/home/spamd-isbg-main/.spamassassin/user_prefs

### SPF-Fail

# -all ... Direktive für Fail
# Wenn der Sendeserver nicht im SPF-Record steht.
score SPF_FAIL 51
describe SPF_FAIL spf-fail-yes

score SPF_HELO_FAIL 51
describe SPF_HELO_FAIL spf-fail-yes

# Wenn bei Office 365 ein SPF-Fail erkannt wurde,
# die Nachricht aber trotzdem im Posteingang liegt.
header SPF_FAIL_OFFICE Received-SPF =~ /Fail/i
score SPF_FAIL_OFFICE 51
describe SPF_FAIL_OFFICE SPF detected from Office 365 but not deleted.

### Bayes

# Wenn eine Spamwahrscheinlichkeit nach dem Byes-Algorithmus von 80%, 95% oder 99% erkannt wird.
score BAYES_80 51
score BAYES_95 51
score BAYES_99 51


### Whiteliste

## Sichere Absender-IP-Adressen hinzufügen

# IT-MK-Server
header IP_1 Received=~ /\[185.11.139.166\]/
score IP_1 -102
tflags IP_1 net
describe IP_1 Allows relays from 185.11.139.166 it-mk.at

# VNCServer
header IP_2 Received=~ /\[92.60.39.173\]/
score IP_2 -102
tflags IP_2 net
describe IP_2 Allows relays from 92.60.39.173 vncserver.it-mk.at

## Über Empfangsserver

# GMX
header HOST_GMX1 Received=~ /mout.gmx.net/
score HOST_GMX1 -51
tflags HOST_GMX1 net
describe HOST_GMX1 Allows relays from mout.gmx.net

header HOST_GMX2 Received=~ /mout-bounce.gmx.net/
score HOST_GMX2 -51
tflags HOST_GMX2 net
describe HOST_GMX2 Allows relays from mout-bounce.gmx.net

header HOST_GMX3 Received=~ /mout-xforward.gmx.net/
score HOST_GMX3 -51
tflags HOST_GMX3 net
describe HOST_GMX3 Allows relays from mout-xforward.gmx.net


## Über regulärer Ausdruck oder URLs im Mailbody

# UNI Wien - unet.univie.ac.at
rawbody RAW_BODY_RULE_UNI /unet.univie.ac.at/i
score RAW_BODY_RULE_UNI -102
describe RAW_BODY_RULE_UNI unet.unive.ac.at URL in Body

# DHL https://www.dhlpaket.at/
rawbody RAW_BODY_RULE_DHLAT /https:\/\/www.dhlpaket.at\//i
score RAW_BODY_RULE_DHLAT -51
describe RAW_BODY_RULE_DHLAT https://www.dhlpaket.at/ URL in Body

# lserv.cardsys.at
rawbody RAW_BODY_RULE_cardsys /lserv.cardsys.at/i
score RAW_BODY_RULE_cardsys -51
describe RAW_BODY_RULE_cardsys lserv.cardsys.at URL in Body

# www.sharelatex.com
rawbody RAW_BODY_RULE_sharelatex /www.sharelatex.com/i
score RAW_BODY_RULE_sharelatex -51
describe RAW_BODY_RULE_sharelatex www.sharelatex.com URL in Body



# Erkennt eine Co.KG (Gesellschaftform einer Firma) als SPAM-URL
rawbody RAW_BODY_RULE_cokg /co.kg/i
score RAW_BODY_RULE_cokg -102
describe RAW_BODY_RULE_cokg Co.KG Gesellschaftformt in Body




### Spamregeln

# E-Mail enthält
rawbody RAW_BODY_RULE_AUT_BETRUG /austriadomainhosting/i
score RAW_BODY_RULE_AUT_BETRUG 51
describe RAW_BODY_RULE_AUT_BETRUG austriadomainhosting Betrug in Body


# Absender ist GMX Magazin
header FROM_GMX_MAGAZIN From=~ /GMX Magazin/i
score FROM_GMX_MAGAZIN 102
tflags FROM_GMX_MAGAZIN net
describe FROM_GMX_MAGAZIN Absender ist GMX Magazin

# Absender ist GMX FreeMail Plus Werbung
header FROM_GMX_FREEMAIL From=~ /FreeMail Plus/i
score FROM_GMX_FREEMAIL 51
tflags FROM_GMX_FREEMAIL net
describe FROM_GMX_FREEMAIL Absender ist GMX FreeMail Plus Werbung


## Die Absender-IP ist in einer Blackliste eingetragen

## Blacklist dnsbl

# zen.spamhaus.org.
header RCVD_IN_ZEN eval:check_rbl('zen-notfirsthop','zen.spamhaus.org.')
describe RCVD_IN_ZEN Received from an IP listed by zen.spamhaus.org
tflags RCVD_IN_ZEN net
score RCVD_IN_ZEN 51 # adjust the score value as desired

# dnsbl.inps.de
header RCVD_IN_DNSBL_INPS_DE eval:check_rbl('inps.de','dnsbl.inps.de.')
describe RCVD_IN_DNSBL_INPS_DE Received from an IP listed by inps.de DNSBL
tflags RCVD_IN_DNSBL_INPS_DE net
score RCVD_IN_DNSBL_INPS_DE 51 # adjust the score value as desired

# VIRBL (virus sender blacklist) http://virbl.bit.nl
header RCVD_IN_VIRBL eval:check_rbl_txt('virbl', 'virbl.dnsbl.bit.nl.')
describe RCVD_IN_VIRBL Received from an IP listed by virbl.dnsbl.bit.nl
tflags RCVD_IN_VIRBL net
score RCVD_IN_VIRBL 51.0 # adjust the score value as desired

# b.barracudacentral.org.
header RCVD_IN_BARRA eval:check_rbl('barracudacentral-notfirsthop','b.barracudacentral.org.')
describe RCVD_IN_BARRA Received from an IP listed by b.barracudacentral.org.
tflags RCVD_IN_BARRA net
score RCVD_IN_BARRA 51 # adjust the score value as desired



## Die IP einer URL im Body oder sogar der Nameserver (NS) bei welchem die Domain gehostet ist, ist in einer Blackliste eingetragen

uridnsbl URIBL_BARRA b.barracudacentral.org. TXT
body URIBL_BARRA eval:check_uridnsbl('URIBL_BARRA')
describe URIBL_BARRA Contains an URL listed in the URIBL_BARRA blacklist bla
tflags URIBL_BARRA net
score URIBL_BARRA 51


## Eine URL in der E-Mail ist in einer Blackliste eingetragen

# URL ist in Spamhaus eingetragen

uridnsbl URIBL_SBL_A sbl.spamhaus.org. A
body URIBL_SBL_A eval:check_uridnsbl('URIBL_SBL_A')
describe URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist
tflags URIBL_SBL_A net a
score URIBL_SBL_A 51

urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2
body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM')
describe URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_SPAM net domains_only
score URIBL_DBL_SPAM 51

urirhssub URIBL_DBL_PHISH dbl.spamhaus.org. A 127.0.1.4
body URIBL_DBL_PHISH eval:check_uridnsbl('URIBL_DBL_PHISH')
describe URIBL_DBL_PHISH Contains a Phishing URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_PHISH net domains_only
score URIBL_DBL_PHISH 51

urirhssub URIBL_DBL_MALWARE dbl.spamhaus.org. A 127.0.1.5
body URIBL_DBL_MALWARE eval:check_uridnsbl('URIBL_DBL_MALWARE')
describe URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_MALWARE net domains_only
score URIBL_DBL_MALWARE 51

urirhssub URIBL_DBL_BOTNETCC dbl.spamhaus.org. A 127.0.1.6
body URIBL_DBL_BOTNETCC eval:check_uridnsbl('URIBL_DBL_BOTNETCC')
describe URIBL_DBL_BOTNETCC Contains a botned C&C URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_BOTNETCC net domains_only
score URIBL_DBL_BOTNETCC 51

urirhssub URIBL_DBL_ABUSE_SPAM dbl.spamhaus.org. A 127.0.1.102
body URIBL_DBL_ABUSE_SPAM eval:check_uridnsbl('URIBL_DBL_ABUSE_SPAM')
describe URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_SPAM net domains_only
score URIBL_DBL_ABUSE_SPAM 51

urirhssub URIBL_DBL_ABUSE_REDIR dbl.spamhaus.org. A 127.0.1.103
body URIBL_DBL_ABUSE_REDIR eval:check_uridnsbl('URIBL_DBL_ABUSE_REDIR')
describe URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_REDIR net domains_only
score URIBL_DBL_ABUSE_REDIR 51

urirhssub URIBL_DBL_ABUSE_PHISH dbl.spamhaus.org. A 127.0.1.104
body URIBL_DBL_ABUSE_PHISH eval:check_uridnsbl('URIBL_DBL_ABUSE_PHISH')
describe URIBL_DBL_ABUSE_PHISH Contains an abused phishing URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_PHISH net domains_only
score URIBL_DBL_ABUSE_PHISH 51

urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105
body URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW')
describe URIBL_DBL_ABUSE_MALW Contains an abused malware URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_MALW net domains_only
score URIBL_DBL_ABUSE_MALW 51

urirhssub URIBL_DBL_ABUSE_BOTCC dbl.spamhaus.org. A 127.0.1.106
body URIBL_DBL_ABUSE_BOTCC eval:check_uridnsbl('URIBL_DBL_ABUSE_BOTCC')
describe URIBL_DBL_ABUSE_BOTCC Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_BOTCC net domains_only
score URIBL_DBL_ABUSE_BOTCC 51

Zum testen

## URL

#uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
#body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
#describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
#tflags URIBL_SBL net
#reuse URIBL_SBL
#score URIBL_SBL 51

## Absender-IP

# truncate.gbudb.net.
#
# header RCVD_IN_TRUNCATE eval:check_rbl('truncate-notfirsthop','truncate.gbudb.net.')
# describe RCVD_IN_TRUNCATE Received from an IP listed by truncate.gbudb.net.
# tflags RCVD_IN_TRUNCATE net
# score RCVD_IN_TRUNCATE 51 # adjust the score value as desired

# dnsbl.justspam.org
#header RCVD_IN_JUSTSPAM eval:check_rbl('justspam.org','dnsbl.justspam.org.')
#describe RCVD_IN_JUSTSPAM Received from an IP listed by dnsbl.justspam.org.
#tflags RCVD_IN_JUSTSPAM net
#score RCVD_IN_JUSTSPAM 51 # adjust the score value as desired

# UCEPROTECT2 (open relays/proxys/dialups networks) http://uceprotect.net
#header RCVD_IN_UCEPROTECT2 eval:check_rbl_txt('uceprotect2-lastexternal', 'dnsbl-2.uceprotect.net.')
#describe RCVD_IN_UCEPROTECT2 Received from an IP listed by dnsbl-2.uceprotect.net
#tflags RCVD_IN_UCEPROTECT2 net
#score RCVD_IN_UCEPROTECT2 51 # adjust the score value as desired

# UCEPROTECT3 (bad networks) http://uceprotect.net
#header RCVD_IN_UCEPROTECT3 eval:check_rbl_txt('uceprotect3-lastexternal', 'dnsbl-3.uceprotect.net.')
#describe RCVD_IN_UCEPROTECT3 Received from an IP listed by dnsbl-3.uceprotect.net
#tflags RCVD_IN_UCEPROTECT3 net
#score

# UCEPROTECT1 (open relays/proxys/dialups) http://uceprotect.net
#header RCVD_IN_UCEPROTECT1 eval:check_rbl_txt('uceprotect1-lastexternal', 'dnsbl-1.uceprotect.net.')
#describe RCVD_IN_UCEPROTECT1 Received from an IP listed by dnsbl-1.uceprotect.net
#tflags RCVD_IN_UCEPROTECT1 net
#score RCVD_IN_UCEPROTECT1 51 # adjust the score value as desired

# spam.dnsbl.anonmails.de
#header RCVD_IN_ANONMAILS eval:check_rbl('anonmails-lastexternal', 'spam.dnsbl.anonmails.de.')
#describe RCVD_IN_ANONMAILS Received from an IP listed by spam.dnsbl.anonmails.de
#eceived via a relay in ILS net
#score RCVD_IN_ANONMAILS 51 # adjust the score value as desired

# SEM-BACKSCATTER
#header RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net.')
#tflags RCVD_IN_SEMBACKSCATTER net
#describe RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
#score RCVD_IN_SEMBACKSCATTER 51 # adjust the score value as desired

# SEM-BLACK
#header RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net.')
#tflags RCVD_IN_SEMBLACK net
#describe RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
#score RCVD_IN_SEMBLACK 51 # adjust the score value as desired

# blockedservers.com
#header RCVD_IN_BLKSRV eval:check_rbl('blockedservers-lastexternal', 'rbl.blockedservers.com.')
#describe RCVD_IN_BLKSRV Received from an IP listed by rbl.blockedservers.com
#tflags RCVD_IN_BLKSRV net
#score RCVD_IN_BLKSRV 51 # adjust the score value as desired

## bogons.cymru.com

#header RCVD_IN_BOGON eval:check_rbl('bogons','bogons.cymru.com.')
#describe RCVD_IN_BOGON Received from an IP listed by bogons.cymru.com
#tflags RCVD_IN_BOGON net
#score RCVD_IN_BOGON 51 # adjust the score value as desired

Kommentare

Kommentar von Ekki |

Moin!
Sehr interessant! Gleich implementiert. Nur eine Zeile hat bei mir zu Problemen geführt:
header SPF_FAIL_OFFICE Received-SPF =~ /Fail/i
Einer meiner Kundenserver verschickt mails an eine Adresse fail@example.com. Die Regex greift auch dann. Also immer wenn in der Zeile irgendwo der string "fail" auftaucht.
Eine Kleine Änderung sollte das beheben /Fail(?!\S)/i will, dass nach dem string ein Leerzeichen kommt...

Ekki

Antwort von Kirchberger Christoph

Hi, danke für den Hinweis, werde ich bei Zeiten mal ausprobieren und aktualisieren.

Grüße
Christoph

Bitte rechnen Sie 9 plus 2.