Ratcheting up SpamAssassin to block even more spam

You wrote a column on 5/1 about controlling spam with SpamAssassin. We have taken the steps you suggested but we still have an amount of spam getting through greater than we think would be the norm. Are there any other steps that we can take?

-- Via the internet

Yes, there are more steps that you can take. There are so many things that you can do with SpamAssassin that a book could be written about it; one that I am familiar with has been published by O'Reilly. For even more, I would suggest subscribing to the listservs for SpamAssassin and for any related add-ons, such as Razor, that might be present on your particular SA setup. It would also be a good idea to subscribe to the listserv for the MTA (e.g. Postfix or something else) that you are using.

The spammers are getting better at sending low-scoring spam that flies under the radar and still gets through. Sometimes you have to take a more direct assault. A while back I was seeing quite a bit of spam getting through that said it was from admin@fbi.gov or admin@cia.gov, or that claimed to be sent by the admin mailbox of my own system. This is where blacklisting comes into play. It will automatically block the email addresses you list regardless of how low or high they score. You put blacklist_from followed by a space and the email address that you want to block. You can either list an explicit address or use *@domain.name (replace this with the actual domain name you want to block), in which case every email that claims to be sent from the listed domain will be blocked.

There is another option called greylisting. Without getting into the details, you basically tell SpamAssassin to lie to the incoming mail server and give it a "try again later" message. This will add a slight delay to incoming email. A valid mail server will try again a little bit later, and the mail should get through at that point. Depending on the sophistication of the spammer, this stands a chance of helping to reduce some of the spam that tries to get through. Greylisting can be done with either SpamAssassin or the MTA that you are using. www.greylisting.org is one place where you can get information on implementing greylisting. The SpamAssassin listserv will help you get information on doing it with SA as well.

If you are using Postfix as your MTA with SpamAssassin, subscribe to the listserv for Postfix and watch for real-time blacklist sites. Although this will take your MTA a little longer to work with, you get the bonus of being able to block spam as soon as it gets listed on one of these sites, without having to continually tweak your rulesets to accomplish the same thing. Since some of the sites come and go, a quick question on the listserv will get you several replies about which ones are currently the best to use. What I have described here are a few additional ways to make it a little harder for spam to get through. Watching the listservs is a good way to keep an eye on the best ways to get SA to do its best for you.
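The "try again later" behaviour of greylisting described above can be sketched as follows. This is an added example, not code from the column or from SpamAssassin. It assumes the common scheme of keying on the (client IP, sender, recipient) triplet; the delay values, class name and sample addresses are constructed for illustration.

```python
import time

# Assumed policy values for this sketch; real greylisting tools make them configurable.
MIN_DELAY = 300             # seconds a new triplet must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600     # a retry later than this is treated as a fresh first attempt
PASS_LIFETIME = 36 * 86400  # how long a triplet that passed keeps skipping the delay
DEFER = "451 4.7.1 Greylisted, please try again later"


class Greylist:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.first_seen = {}  # triplet -> time of first deferred attempt
        self.passed = {}      # triplet -> time of last accepted delivery

    def check(self, client_ip, sender, recipient):
        """Return the SMTP reply to give at RCPT TO for this delivery attempt."""
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        # A triplet that already proved it retries is accepted without delay.
        if key in self.passed and now - self.passed[key] <= PASS_LIFETIME:
            self.passed[key] = now
            return "250 OK"
        self.passed.pop(key, None)
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_WINDOW:
            # Unknown or stale triplet: record it and defer with a temporary error.
            self.first_seen[key] = now
            return DEFER
        if now - first < MIN_DELAY:
            # Retried too quickly: keep the original timestamp and defer again.
            return DEFER
        # Retried after the delay, as an MTA with a real queue does: accept.
        del self.first_seen[key]
        self.passed[key] = now
        return "250 OK"


def demo():
    """Constructed scenario: one sender retrying, driven by a fake clock."""
    now = [0]
    greylist = Greylist(clock=lambda: now[0])
    triplet = ("192.0.2.10", "alice@example.org", "bob@example.com")
    codes = []
    for t in (0, 60, 900, 1000):  # first try, hasty retry, proper retry, next mail
        now[0] = t
        codes.append(greylist.check(*triplet)[:3])
    return codes
```

A sender that never retries only ever sees the 451 reply, which is why the technique filters out fire-and-forget spam software while a queuing mail server gets through on a later attempt.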
