I am running my own e-mail server. This also means I have to fight spam by myself. I am using Spamassassin, like everybody else, and it works fine most of the time. Recently, however, I have been getting quite a bit of spam that looks really sophisticated: it has SPF headers, proper formatting etc. One thing it has in common is that it’s sent from the newly added top level domains, like .icu, .club, .xyz and the like. And we can use that.
The spam messages I have been getting lately barely pass below the threshold. The spam report looks something like this:
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_99,BAYES_999,
    HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RDNS_NONE,SPF_HELO_PASS,
    SPF_PASS
    autolearn=no autolearn_force=no version=3.4.0
I do not want to lower the threshold, because it’s not recommended and even now I am getting a few false positives. I could also play with the individual test scores, but I trust the scores have been set reasonably by developers with more experience.
Blacklisting
One way to address this would be to completely blacklist a domain. This can be done even before the message enters Spamassassin, in Postfix. If you want to do that, you can specify the matching rule in a text file. I am using /etc/postfix/reject_domains and the content is:
/\.icu$/ REJECT We reject all .icu domains
You can put multiple lines in this file. Then you can enable the usage of this filter in Postfix like this (the command replaces any value smtpd_sender_restrictions already has):
postconf smtpd_sender_restrictions="check_sender_access pcre:/etc/postfix/reject_domains"
However, this is quite harsh. Even though I do not know anyone with .icu e-mail, it’s possible I can lose some e-mail in the future.
Custom rules
Spamassassin also allows you to add a custom rule with an assigned score. When the rule matches, the score is added to the overall spam score of the message. If everything else with the message is fine, the message score will stay below the threshold (default is 5.0) and the message will still pass. If the rule matches a message that other tests already find suspicious, the combined score can go over the threshold.
The custom rule can be added into /etc/mail/spamassassin/local.cf like this:
# Penalize domains originating a lot of spam
# From:addr is the bare sender address, so $ anchors the match to the TLD
header LOCAL_FROM_TLD From:addr =~ /\.(club|icu|xyz|online)$/i
describe LOCAL_FROM_TLD Domain originates a lot of spam
score LOCAL_FROM_TLD 1.5
After that, we need to restart Spamassassin:
systemctl restart spamassassin
And that’s it. For now, this is sufficient to filter out the more sophisticated forms of spam. Of course, the spammers are also evolving, as they have demonstrated, so your defense has to evolve with them.
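To see what the 1.5-point rule would change before enabling it, the following added example (not part of the original post) replays it over saved messages: it reads each message's existing X-Spam-Status score and From address and reports which messages would cross the threshold. The function names and sample messages are constructed for this example, and it assumes a message counts as spam once its score reaches the required value.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# TLD list and score copied from the LOCAL_FROM_TLD rule above.
PENALIZED_TLDS = {"club", "icu", "xyz", "online"}
RULE_SCORE = 1.5
STATUS_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")

def sender_tld(msg):
    """Last label of the From address domain, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].rpartition(".")[2].lower()

def replay(raw):
    """Return (old_score, new_score, required, flips_to_spam) for one message."""
    msg = message_from_string(raw)
    status = " ".join(msg.get("X-Spam-Status", "").split())  # unfold header
    m = STATUS_RE.search(status)
    if not m:
        raise ValueError("message has no X-Spam-Status score")
    old, required = float(m.group(1)), float(m.group(2))
    hit = sender_tld(msg) in PENALIZED_TLDS
    new = round(old + (RULE_SCORE if hit else 0.0), 1)
    # Assumption: a message counts as spam once score >= required.
    return old, new, required, old < required <= new

def make(sender, status):
    """Build a constructed sample message with a folded X-Spam-Status header."""
    return f"From: {sender}\nX-Spam-Status: {status}\n\tSPF_PASS\n\nbody\n"

# Constructed samples: the first reuses the scores from the report above.
SAMPLES = {
    "borderline .icu": make("Deals <promo@deals.icu>",
                            "No, score=4.4 required=5.0 tests=BAYES_99,RDNS_NONE,"),
    "clean .club": make("friend@hobby.club",
                        "No, score=0.3 required=5.0 tests=HTML_MESSAGE,"),
    "look-alike .com": make("news@mail.clubhouse.example.com",
                            "No, score=4.4 required=5.0 tests=BAYES_99,RDNS_NONE,"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        old, new, required, flips = replay(raw)
        print(f"{name:16} {old:4.1f} -> {new:4.1f} (required {required}) "
              f"{'now spam' if flips else 'unchanged verdict'}")
```

Running replay() over a folder of already-delivered mail shows how many legitimate messages from these TLDs would change verdict, which is the false-positive cost of the chosen score.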