Spamfilter - Policy - use result of DKIM verifikation to delete incoming mail/spam

Discussion in 'Installation/Configuration' started by mli, May 2, 2020.

  1. mli

    mli New Member

    I've used the "normal" policy on both domain and email mailboxes for domain "A" to get rid of most spam, after tweaking of
    Amavis: SPAM tag level 1, SPAM tag2 level 2.4, SPAM kill level 3,2 and
    Rspamd: Greylisting level 2, SPAM tag level 3, SPAM reject level 5
    I still get some spam through that hasn't been scored, these mail are delivered right into the user mailbox in domain A as they should, but are addressed to a recipient email Email Alias for domain "B" that is also present on the server. This domain B also use the "Normal" policy, but only applied to domain since there is no mailbox to apply it on.

    The common denominator of all spam mail passed through and not scored is that they fail DKIM verification so my question is if there is a way to kill emails that fail DKIM verification. (like google).

    Last edited: May 2, 2020
  2. Steini86

    Steini86 Active Member

    I am confused. Are you using amavis AND rspamd on the same server? Are you using two different servers?
    Yes, there is a way. That depends on the software you are using (amavis/rspamd)
  3. mli

    mli New Member

    Hi Steini86,
    I've made a vanilla installation of ISPconfig 3.1 on Debian 10 Buster following the howto here in HowtoForge (The Perfect Server - Debian 10 (Buster). In that you install amavisd-new & SpamAssassin but directly unload and disable SpamAssasin.
    - ..."amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM"...
    So I guess I only use amavisd with some librarys from spamassasin.

    Other than that nothing else has been installed or disabled when it comes to anti-spam. In the config under the policy you have both tabs so I just assumed that both were used o_O.

    I would really like to hear what solution(s) you have up your sleeve :).
  4. Steini86

    Steini86 Active Member

  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    So in short, you need to improve your spam scanning? And you're currently using amavis (spamassassin).

    There is a lot you can do, but this:
    is a bad idea, the default spamassassin rules are tuned for level 5 being spam, and you will catch a tremendous amount of false positives by setting your level that low (ie. you will loose valid mail). What you want to do is improve the spam scanning effectiveness, not just toss everything out at a lower threshold.

    Also this:
    will result in some valid mail being killed, it's safer to handle it how spamassassin does (in general as a meta test, so eg. an email that claims to be from paypal and fails dkim is scores very high). But if you want to make DKIM failure a kill switch via spamassassin, you could just score the DKIM_INVALID rule very high (eg. in /etc/mail/spamassassin/ But before you do so, try searching your existing mail for DKIM_INVALID and see what all you would have killed.

    As for improving spamassassin, there is a lot of discussion on the spamassassin-users group. Make sure your version is current (note buster-backports has a much newer 3.4.4 with many new features). Make sure your rules update nightly. Run a caching dns resolver right on your mail server (install unbound if you don't already run bind there) and use that for spamassassin (and postfix rbl) lookups. Go through the /etc/spamassassin/*.pre config files and enable additional modules (read the comments and docs on each one, some of them need configured, not merely enabled). Train your scanner with a corpus of many hand-sorted spam/ham mail. Install additional rule sets (eg. is usually pretty good). Utilize additional rbls (though current spamassassin versions should have a decent set of rbls already available with it), just don't score too high for the lesser quality rbls.

    That's the low-hanging fruit, though there is a lot more you can do. I'd also configure postscreen to use weighted rbls and you can block a lot of junk ahead of even hitting spamassassin.
    Steini86 likes this.
  6. mli

    mli New Member

    Agree, check and done. :)

    Im not sure if ISPconfig loads additional rulesets. my is almost empty except for a Shortcircuit-plugin being called. Im sure there are lots of examplefiles out there but if ISPConfig dosn't use the file im busted. (states in the install that it uses some librarys and to kill & Disable Spamassassin (SAPMD?)

    I'm grateful for all the tips you added, updated to backportversion, and ofc a local DNS running. As for the additional rulesets I need to find out which is used if its the generic and not another ISPconfig specific one. any idea?

    good thing there's alot of time to play around with this atm :)
    Last edited: May 7, 2020
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Your questions are actually not specific to ISPConfig as ISPConfig uses a fairly standard amavis and spamassain setup which reads all the default spamassassin and amavis files of your operating system.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    For example if you want to add additional filter rules, you can use e.g. the ones from Florian:

    and as you can see, they are loaded just as in any spamassassin setup on an ispconfig server with:

    sa-update --nogpg --channel

    so nothing ispconfig specific at all in your mail setup, just plain amavis and spamassassin.
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Spamassassin will read/load any .cf file found in /etc/mail/spamassassin/; is a standard one (mostly comments), but you can create as many as you like. Eg. I run this to add the KAM rules:
    # Download KAM rules
    wget -q -N -O /etc/spamassassin/
    wget -q -N -O /etc/spamassassin/

Share This Page