# Spamassassin / RulesDuJour questions from a newbie

## SweepingOar

I've been running Spamassassin via spamd with qmail for a few years. Some slips, pretty frequent false positives due to a tight spam filter setting. Lately tons of those random words gif stock shill attachment spams have been getting through. I've updated RDJ manually (after the automatic run failed with some lint error I found a fix on this site for that).

The question is, where does spamassassin's config file tell it where to look for rules?  I can't find that in any of the .cf files in the sa directory.

Is there a rule to block the gif attachments?

Finally, what can one do about a "joe-job" attack where a spammer is using your domain in the return address?  I'm currently just filtering with .mailfilter, but that's pretty terrible and labor intensive.  Thanks.

----------

## plut0

By default spamassassin loads all .cf files in /etc/mail/spamassassin.  Some things you can do to tweak SA is by using bayesian filters and using the net checks: razor, dcc and pyzor (double check the license for these).  The following site makes a good set of filters for spamassassin: http://www.rulesemporium.com/

----------

## SweepingOar

Thanks. I manually added "70_sare_stocks" from rulesemporium to my /etc/mail/spamassassin dir. Then I changed the 0 to a 1 next to "score ALL_TRUSTED" in the local.cf file. Then I added "SARE_STOCKS" to ALL_TRUSTED_SAFE in my etc/rulesdujour/config file (and then restarted spamd of course).  Here is the last part of that file:

```
TRUSTED_RULESETS_SAFE=" TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER0 SARE_HEADER1 SARE_HEADER_ENG SARE_HTML1 SARE_HTML0 SARE_HTML_ENG SARE_SPECIFIC SARE_OBFU0 SARE_OBFU1 SARE_REDIRECT_POST300 SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI_ENG SARE_WHITELIST ZMI_GERMAN SARE_STOCKS"
TRUSTED_RULESETS_DANGEROUS="SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HEADER2 SARE_HEADER3 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_URI3"
TRUSTED_RULESETS="${TRUSTED_RULESETS_SAFE}"
#TRUSTED_RULESETS="${TRUSTED_RULESETS_SAFE} ${TRUSTED_RULESETS_DANGEROUS}"

# if you want the ham rules in SARE_REDIRECT_POST300, then enable this
#CF_MUNGE_SCRIPTS[35]="sed -e s/#+#//g";

# do NOT change anything below this point
TAIL="tail -n1"
HEAD="head -n1"
SA_RESTART="/etc/init.d/spamd restart"

# read in extra rulesets
[ -s /etc/rulesdujour/rulesets ] && source /etc/rulesdujour/rulesets
```

Here is my /etc/mail/spamassassin/local.cf: (it's all comments prior to this part)

```
###
###  Including old parameters
###
required_score          3.5
bayes_min_ham_num       50
use_auto_whitelist      0
use_auto_whitelist      0
score BAYES_50  2.0
score BAYES_60  2.5
score BAYES_80  3.0
score BAYES_95  3.5
score BAYES_99  7.0
score RAZOR2_CF_RANGE_51_100    1.0
score RAZOR2_CHECK      3.0
score ALL_TRUSTED 1
```

This still leaves me wondering a few things... Does SARE_STOCKS attempt to catch the gif spam? Is there a gif spam specific rule for spamassassin? I couldn't find one on rulesemporium and I've tried a few different ways to try to just filter them using the .mailfilter file in my pine directory. I don't want to join the rulesemporium email list.

The other strange thing is my /etc/mail/spamassassin directory.  It's got what looks like multiple copies of every rule, each named with a different number before the ".cf" extension.  Then in the /etc/mail/spamassassin/RulesDuJour directory there are more of the same kinds of files.  Can I delete them all and run RulesDuJour script (in cron.daily) to just restore the most current versions? (I'd leave 70_sare_stocks there though since it seems like that wasn't included in my rdj install for some reason).

```
70_sare_evilnum0.cf
70_sare_evilnum1.cf
70_sare_genlsubj.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
70_sare_genlsubj2.cf
70_sare_genlsubj3.cf
70_sare_genlsubj_eng.cf
70_sare_header.cf
70_sare_header0.cf
70_sare_header1.cf
70_sare_header2.cf
70_sare_header3.cf
```

Thanks.

----------

## plut0

If you read through the website on SARE you will see that the numbers are parts of a whole.  Some of the rules were divided into parts because the file was getting too large.  Some of the parts are replaced by one file, some require all the parts or some parts add a particular filter you may never use.  You have to read through the website for all the details.

You may or may not want these in your local.cf also (version 3.1):

```
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1
use_bayes               1
bayes_auto_learn        1
```

As for your .gif spam and local domain spoofing, I don't know off hand.
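The numbered SARE part files listed in the previous post and explained above do overlap in places, and SpamAssassin reads every .cf in the directory in sorted name order, so a later definition of the same rule name quietly replaces an earlier one. As an added example (not RulesDuJour or SARE code), this script reports rule names defined in more than one .cf file, which is the check worth running before deleting or re-fetching the copies; the sample file contents are constructed.

```python
import re
from pathlib import Path

# Rule-defining keywords in a SpamAssassin .cf file. 'score' and 'describe'
# are left out on purpose: repeating those across files is normal (local.cf
# overriding a ruleset's default score), only repeated rule bodies matter.
RULE_DEF = re.compile(
    r"^\s*(?:header|body|rawbody|uri|full|meta|mimeheader)\s+(\w+)\b", re.M)


def rule_names(text):
    """Return the set of rule names defined in one .cf file's contents."""
    return set(RULE_DEF.findall(text))


def find_overlaps(files):
    """files: {filename: contents}. Return {rule: [files...]} for every rule
    defined in two or more files, files in SpamAssassin's load order (sorted
    by name), so the last entry is the definition that actually wins."""
    seen = {}
    for name in sorted(files):
        for rule in rule_names(files[name]):
            seen.setdefault(rule, []).append(name)
    return {rule: where for rule, where in seen.items() if len(where) > 1}


def scan_dir(path):
    """Read every *.cf directly under path (e.g. /etc/mail/spamassassin)."""
    return find_overlaps({f.name: f.read_text(errors="replace")
                          for f in Path(path).glob("*.cf")})


# Constructed sample: one rule carried in both a combined and a part file.
SAMPLE = {
    "70_sare_header.cf": ("header SARE_HEAD_X From =~ /x/\n"
                          "describe SARE_HEAD_X constructed sample\n"
                          "score SARE_HEAD_X 1.0\n"),
    "70_sare_header0.cf": ("header SARE_HEAD_X From =~ /x/\n"
                           "header SARE_HEAD_Y To =~ /y/\n"),
    "local.cf": "score ALL_TRUSTED 1\n",
}

if __name__ == "__main__":
    for rule, where in find_overlaps(SAMPLE).items():
        print(rule, "defined in", ", ".join(where), "(last one wins)")
```

Run `scan_dir("/etc/mail/spamassassin")` against the real directory to see which of the numbered copies actually redefine each other.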

----------

## tomatopi

I think there's a "FuzzyOCR" plugin for SpamAssassin that's supposed to help with the .gif spam, but I haven't tried it. I'm lazy.

----------

## SweepingOar

Thanks. I didn't see several of those options in local.cf or even local.example.cf so I added the missing ones. No obvious change in filtering quality though. This morning I got the "lint failed" email with this error:

```
[25407] warn: config: failed to parse line, skipping: use_dcc 1
[25407] warn: lint: 1 issues detected, please rerun with debug enabled for more information
```

Also:

I'm using sbl/xbl as I mentioned above in the rblsmtpd, but supposedly spamassassin also uses the bl at njabl.org as well by default (presumably in the line skip_rbl_checks   0).  The problem is that the following ip sent us a message and it didn't get scored much.

220.77.177.107

Is there a way I can check to make sure that njabl.org is being checked - and scoring it higher if it is already? I don't see anywhere that would be configured.

----------

## magic919

You are probably not loading DCC module.
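The "failed to parse line" lint warning above is what SpamAssassin 3.1 prints when a setting belongs to a plugin whose `loadplugin` line in the .pre files is commented out. As an added example (not SpamAssassin's own code), this script cross-checks the `use_dcc`, `use_razor2` and `use_pyzor` settings in a local.cf against the uncommented `loadplugin` lines in the .pre files; the plugin-to-setting mapping follows the v310.pre names, and the sample file contents are constructed.

```python
import re

# Settings that SpamAssassin 3.1 only understands once the matching plugin
# is loaded from a *.pre file (names as shipped in v310.pre).
PLUGIN_FOR_KEY = {
    "use_dcc": "Mail::SpamAssassin::Plugin::DCC",
    "dcc_home": "Mail::SpamAssassin::Plugin::DCC",
    "use_razor2": "Mail::SpamAssassin::Plugin::Razor2",
    "razor_config": "Mail::SpamAssassin::Plugin::Razor2",
    "use_pyzor": "Mail::SpamAssassin::Plugin::Pyzor",
    "pyzor_options": "Mail::SpamAssassin::Plugin::Pyzor",
}

# A leading '#' makes the line a comment, so '^\s*loadplugin' skips it.
LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)", re.M)
SETTING = re.compile(r"^\s*(" + "|".join(PLUGIN_FOR_KEY) + r")\b", re.M)


def loaded_plugins(pre_texts):
    """Collect plugin names from active loadplugin lines in the .pre files."""
    plugins = set()
    for text in pre_texts:
        plugins.update(LOADPLUGIN.findall(text))
    return plugins


def unparseable_settings(cf_text, plugins):
    """Return (setting, plugin) pairs for settings whose plugin is missing;
    spamassassin --lint reports each as 'failed to parse line, skipping'."""
    return [(key, PLUGIN_FOR_KEY[key]) for key in SETTING.findall(cf_text)
            if PLUGIN_FOR_KEY[key] not in plugins]


# Constructed sample .pre with DCC commented out, as stock v310.pre ships it.
SAMPLE_PRE = ("# DCC - perform DCC message checks.\n"
              "#loadplugin Mail::SpamAssassin::Plugin::DCC\n"
              "loadplugin Mail::SpamAssassin::Plugin::Pyzor\n"
              "loadplugin Mail::SpamAssassin::Plugin::Razor2\n")
SAMPLE_CF = "use_razor2 1\nuse_dcc 1\nuse_pyzor 1\nuse_bayes 1\n"

if __name__ == "__main__":
    for key, plugin in unparseable_settings(SAMPLE_CF, loaded_plugins([SAMPLE_PRE])):
        print(f"{key}: uncomment 'loadplugin {plugin}' in the .pre file")
```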

----------

## SweepingOar

Ok, I found the v310.pre config file where you turn on dcc, but now I'm getting this error when I run rdj:

```
No index found for ruleset named SARE_STOCKS.  Check that this ruleset is still valid.
No files updated; No restart required.
Rules Du Jour Run Summary:RulesDuJour Run Summary on www:
No index found for ruleset named SARE_STOCKS.  Check that this ruleset is still valid.
```

----------

## plut0

If you're using the RulesDuJour from portage, it is not the latest available and doesn't know about SARE_STOCKS.  The one in portage is at least 6 months old.

----------

## SweepingOar

Thanks.  As I mentioned above I manually downloaded the 70_sare_stocks.cf from rules emporium.  I assumed wrongly I guess that the rulesdujour script would get the latest rules despite the actual version of the script.  Can I just put the new version of the script into wherever the current one from portage is?  Will that cause my system to have some problem next time our real sysadmin runs emerge update or whatever he does to update the system?  Thanks.

----------

## Allochtoon

My god, I too am getting purely those gif based stock spam. I never used to receive spam, but since some stupid &^&^% mailed to me _NOT_ in BCC at least 200 people saw my email. Great, now I have to solve the problem instead of structurally avoiding it.

----------

## figueroa

*tomatopi wrote:*

> I think there's a "FuzzyOCR" plugin for SpamAssassin that's supposed to help with the .gif spam, but I haven't tried it. I'm lazy.

It does!  And, you can enjoy FuzzyOCR and stay lazy.  Emerge fuzzyocr, restart spamd and you're done.  Well, OK, you'll also need to add two things to your /etc/portage/package.keywords file:

```
mail-filter/spamassassin-fuzzyocr ~x86
dev-perl/String-Approx ~x86
```

While you are at it, you might also add mail-filter/spamassassin ~x86 which will get you version 3.1.7.  After emerging, run sa-update to get the latest rule set and then you won't have to delete so much spam.

----------