recommended SA rules to stop SPAM

Matt Kettler mkettler at EVI-INC.COM
Tue Apr 5 20:00:20 IST 2005



Jason wrote:

>Specifically, the ones that have recently come out about buying certain pieces
>of stock.
>
>Currently running SA 2.63.
>

Upgrade to 2.64 or higher ASAP. 2.63 is vulnerable to a DoS attack by
sending it a message with malformed MIME sections.

This is a remote exploit. Anyone can exploit it by sending you a
carefully crafted email.

Admittedly it's just a DoS, but still not something you want on any kind
of production server.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

This is not exactly new news. It's from August of last year.

>Was skimming the SARE this morning, trying to see if there are any additional
>rules that are good ones to add.
>
>I am also using surbl_uri.cf and chickenpox.cf. (made a few of my own, but
>need better ones)
>

surbl is a VERY good one to be using, provided of course you added the
Mail::SpamAssassin::SpamCopURI plugin. Also note, when you upgrade to
2.64 you'll need to re-install SpamCopURI. SpamCopURI installs as a
source-code patch to SA's evaltests.pm, and upgrading SA will clobber it.

Not to toot my own horn, but another ruleset I'd recommend is antidrug.
It was incorporated into SA 3.0 and works fairly well on pill-spam. A
few of the latest ones evade it, but it catches a LOT of common
obfuscations of drug names.

http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

Note: if you upgrade to SA 3.x instead of 2.64, you won't need to mess
with SpamCopURI or antidrug, both are built-in with 3.0. However, 3.x
does have a minimum perl version of 5.6.1. If you're on an older version
of perl, you'll have to stick to 2.64.

I also like SARE's fraud, random and specific rulesets.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
