Spamassassin blacklist checks missing?

I’ve recently switched my e-mail from using my own server to Runbox, and I’ve found quite a lot more spam is getting through. Having piped spam e-mails through my server’s Spamassassin, I’ve found that the main reason for this seems to be that Runbox is missing URL blacklist checks. Here’s an example spam mail that was run through my server’s Spamassassin filter:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: erikaboros.net]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
                            [URIs: erikaboros.net]
 0.1 BAYES_05               BODY: Bayes spam probability is 1 to 5%
                            [score: 0.0307]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 T_REMOTE_IMAGE         Message contains an external image
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
                            information

Runbox equivalent:

-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.5 T_REMOTE_IMAGE         Message contains an external image

It’s missing URIBL and Spamhaus checks. Why don’t you have these checks?
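
An added example (not part of the original post, and not Runbox's or SpamAssassin's own code): a Python script that parses two SpamAssassin reports like the ones above and lists the rules that hit on one system but not on the other, flagging `URIBL_*` lookups. The function names are hypothetical, and the sample text is abbreviated from the reports above with the listed domain replaced by example.net.

```python
import re

# One rule line of a SpamAssassin report: score, rule name, description.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+\S")

def parse_report(text):
    """Return {rule_name: score} from a SpamAssassin report table.

    Header, separator and continuation lines (wrapped descriptions,
    "[URIs: ...]") do not match RULE_LINE and are skipped.
    """
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def missing_rules(reference, other, prefixes=("URIBL_",)):
    """Rules hit in `reference` but absent from `other`, highest score first.

    The third tuple element is True for URI blocklist lookups.
    """
    gap = [(name, score, name.startswith(prefixes))
           for name, score in reference.items() if name not in other]
    return sorted(gap, key=lambda r: -r[1])

# Constructed sample input, abbreviated from the two reports in the post.
OWN_SERVER = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: example.net]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
"""
PROVIDER = """\
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
"""

if __name__ == "__main__":
    gap = missing_rules(parse_report(OWN_SERVER), parse_report(PROVIDER))
    for name, score, is_uribl in gap:
        tag = "URI blocklist lookup" if is_uribl else "other"
        print(f"{score:5.1f}  {name:<16} {tag}")
```

A rule absent from the second report only shows that it did not hit there; the report alone does not say whether the lookup was disabled or simply returned no listing.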

Hello Jeremy,

Thanks for raising this with us. Spam systems are implemented differently and often for good reasons so it isn’t always useful to compare. Also, spam threshold scores can be different.

That said, we are already looking into why we see fewer messages compared to Spamhaus lists as we do subscribe to those services but see fewer messages scoring against them than we might expect.

But it’s pretty simple - the URL has to match against the blacklist. I’m not sure how your system would operate differently and miss this URL, other than to just not be checking against these lists.

I agree in principle 🙂

Out of interest, what are the spam threshold scores in your system for when a message is regarded as spam?

I think I set mine to 3, but I was being quite aggressive. 5 is probably OK if the URL blacklists are being checked.

We’ve made some changes to the configuration in the last 24 hours. Hopefully this helps identify these URLs now. We will monitor the situation in case there are any negative effects observed.

Hi Dave, have you tried rspamd for spam filtering? It’s been working great for me!

Hi @bingobingolotto and welcome to the forum.

We’ve discussed rspamd before and it’s something we keep under review in case it could help.

At the moment we’re reasonably happy with our spam scanning. There are always possible improvements and what works for one account may not work for another.

Just as a general update of this topic… we did implement some URIBL checks with some mixed results. There are some websites with dubious marketing tactics that some customers want to receive emails from and so we are continuing to monitor the situation so we can make further adjustments.

@Dave I am getting a large amount of spam coming through with subjects like “Newly released, upmarket apartments in Greater Manchester from 153,250 pounds” and “Rare opportunity to buy completed student accommodation - from 59,950 pounds”. I get about 30 of these emails every single day. I believe the URIBL checks you did before blocked this stuff. Could you at least re-implement those checks and give them a score of zero, so they appear in the email headers? I can then configure my Runbox filters to block those emails.

Hello @jeremy.morton It would probably be better to open a support ticket about this so we can look at it on an account specific basis. If you know which checks were previously catching them that would be useful to us because rule sets do change from time to time. URIBL checks are still in place, but what they are looking for may have changed.

@Dave As mentioned at the top of this post, I used to run my own server before switching to Runbox and its SpamAssassin setup (which was pretty much the default that comes with SA) was catching it in:

 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: erikaboros.net]
 2.5 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
                            [URIs: erikaboros.net]

Please open a support ticket about this as requested.