SA rules. Sometimes not applied?

BurakUeda · Post by **BurakUeda** » 25 Apr 2008, 05:13

Sometimes I receive spam emails with extremely obvious keywords both in header and the body, with no obfuscation or anything. For example I just received this:
(Sorry for the language)
Subject: Bisexual Boys On Bed Jerking Off Hardcore
Body: Dark Haired Teen Interracial Gives Head Hardcore

And here is the SA rules involved:

spam, SpamAssassin (not cached, score=14.405, required 9, BAYES_99 5.50, DOS_OE_TO_MX 7.00, JM_REACTOR_MAILER 1.00, RCVD_IN_PBL 0.91)

And mind you that I raised the DOS_OE_TO_MX and BAYES_99 score significantly, but still it has only spam score of 14 (with default scores it would be somewhere like 6-8)

I mean come on! How obvious it can be. Do I really need to define a custom rule for this obvious adult spam?

Altough SA filters most of the spam, sometimes obvious spam mails passed like this one. Anyone else expreiencing this?

Post by **Sarah** » 25 Apr 2008, 14:55

SA does not necessarily scan subjects and text for specific keywords. If you want to do this you will have to search for and/or write your own rules. Just because it looks like spam to you (and of course I agree with you that it does) doesn't mean that the SA tests will catch it.

One SA plugin we've found useful is botnet, which you might try installing to help catch those spams that are sent from zombie PCs. If google for botnet you should find it easily.

Regards,
Sarah

nabuhonodozor · Post by **nabuhonodozor** » 26 Apr 2008, 09:08

Hi Sarah,
Can You tell how to install botnet plugin for SA. Ive googled and found information (http://people.ucsc.edu/~jrudd/spamassassin/) but firstly I would like to know Your way which, I hope, will last during updates and wont break whole MS/SA/CSF installation.

Best regards,
Piotr

BurakUeda · Post by **BurakUeda** » 26 Apr 2008, 10:02

nabuhonodozor wrote:Hi Sarah,
Can You tell how to install botnet plugin for SA. Ive googled and found information (http://people.ucsc.edu/~jrudd/spamassassin/) but firstly I would like to know Your way which, I hope, will last during updates and wont break whole MS/SA/CSF installation.

Best regards,
Piotr

It's not that difficult really.
First download the .tar file:
# wget http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

Extract the file:
tar -xvf Botnet.tar

Copy all .pm and .cf files to your spamassassin plugin folder:
cp *.pm /etc/mail/spamassassin
cp *.cf /etc/mail/spamassassin

and restart the spamassassin (or mailscanner)

Post by **Sarah** » 26 Apr 2008, 11:10

The instructions BurakUeda has provided are correct. You can either restart MailScanner at the command line or in the WHM MailScanner front-end if you have it installed. Thanks, BurakUeda!

Regards,
Sarah

nabuhonodozor · Post by **nabuhonodozor** » 27 Apr 2008, 07:53

Thanks alot Sarah and BurakUeda!