recommended SA rules to stop SPAM

Gerry Doris gdoris at rogers.com
Thu Apr 7 16:39:55 IST 2005



> Jason wrote:
>
>>Specifically, the ones that have recently come out about buying certain
>>pieces of stock.
>>
>>Currently running SA 2.63.
>>
>>
>
> Upgrade to 2.64 or higher ASAP. 2.63 is vulnerable to a DoS attack by
> sending it a message with malformed MIME sections.
>
> This is a remote exploit. Anyone can exploit it by sending you a
> carefully crafted email.
>
> Admittedly it's just a DoS, but still not something you want on any kind
> of production server.
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796
>
> This is not exactly new news. It's from August of last year.
>
>>Was skimming the SARE this morning, trying to see if there are any
>>additional rules that are good ones to add.
>>
>>I am also using surbl_uri.cf and chickenpox.cf. (made a few of my own,
>>but need better ones)
>>
>
> surbl is a VERY good one to be using, provided of course you added the
> Mail::SpamAssassin::SpamCopURI plugin. Also note, when you upgrade to
> 2.64 you'll need to re-install SpamCopURI. SpamCopURI installs as a
> source-code patch to SA's evaltests.pm, and upgrading SA will clobber it.
>
> Not to toot my own horn, but another ruleset I'd recommend is antidrug.
> It was incorporated into SA 3.0 and works fairly well on pill-spam. A
> few of the latest ones evade it, but it catches a LOT of common
> obfuscations of drug names.
>
> http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
>
> Note: if you upgrade to SA 3.x instead of 2.64, you won't need to mess
> with SpamCopURI or antidrug; both are built in with 3.0. However, 3.x
> does have a minimum Perl version of 5.6.1. If you're on an older version
> of Perl, you'll have to stick to 2.64.
>
> I also like SARE's fraud, random and specific rulesets.


Lately, I've also noticed more spam getting through.  I've moved the Bayes
and SpamCop scores up, especially for high-end Bayes, in
spam.assassin.prefs.conf, as well as SpamCop.  This has virtually
eliminated spam again.
