Spam getting through... which parameters to tweak?

marcw
Posts: 30
Joined: 24 Apr 2010 21:41

Spam getting through... which parameters to tweak?

Post by marcw » 25 Oct 2014 01:58

I've been getting a lot of spam that has managed to get past my SpamAssassin. I keep training the bayes filter with it, yet spam still comes through. Which parameters should I tweak? Do I need to install more mods since the SARE rules no longer work? Here is a typical report from one of these emails:

X-Spam-DCC: sonic.net: ipcop.localdomain 1117; Body=1 Fuz1=1 Fuz2=3
X-Spam-Report:
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
* See http://wiki.apache.org/spamassassin/Dns ... nsbl-block
* for more information.
* [URIs: eyeh.eu]
* 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
* [URIs: eyeh.eu]
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
* [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=l ... ocaldomain]
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.0 HTML_MESSAGE BODY: HTML included in message
X-Spam-Status: No, score=5.4 required=6.0 tests=BAYES_99,BAYES_999,
HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no version=3.3.1
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on ipcop.localdomain
X-Filtered-With: Copfilter Version 0.85.3beta4 by Markus Madlener @ http://www.copfilter.org
X-Copfilter-Filtered-With: SpamAssassin 3.3.1
X-Copfilter-Virus-Scanned: F-PROT 6.7.10.6267 - Engine 4.6.5.141 - Virus Database 2014-06-25 20:20
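
The report above can be broken down rule by rule to see why the message stayed under the threshold. This Python sketch is an added example, not part of the original post or of Copfilter; the function names `parse_report` and `explain` are hypothetical, and the input is copied from the headers quoted above.

```python
import re

# Report and status lines copied from the headers quoted in the first post.
REPORT = """\
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
* See http://wiki.apache.org/spamassassin/Dns ... nsbl-block
* for more information.
* [URIs: eyeh.eu]
* 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
* [URIs: eyeh.eu]
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
* [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=l ... ocaldomain]
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.0 HTML_MESSAGE BODY: HTML included in message
"""
STATUS = "No, score=5.4 required=6.0 tests=BAYES_99,BAYES_999,HTML_MESSAGE,SPF_FAIL,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no version=3.3.1"

# A rule line is "* <score> <RULE_NAME> <description>"; anything else is a continuation.
RULE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(report):
    """Return (score, rule, description) per rule line; continuation lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = RULE.match(line.strip())
        if m:
            hits.append((float(m.group(1)), m.group(2), m.group(3)))
    return hits

def explain(report, status):
    """Summarise where the message landed relative to the required score."""
    hits = parse_report(report)
    m = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)", status)
    score, required = float(m.group(1)), float(m.group(2))
    return {
        "sum_of_rules": round(sum(s for s, _, _ in hits), 1),
        "shortfall": round(required - score, 1),
        # Rules that matched but added nothing to the total.
        "zero_scored": [r for s, r, _ in hits if s == 0.0],
        # Lookups that did not run and are reported as administrator notices.
        "admin_notices": [r for _, r, d in hits if d.startswith("ADMINISTRATOR NOTICE")],
    }

if __name__ == "__main__":
    for key, value in explain(REPORT, STATUS).items():
        print(f"{key}: {value}")
```

For this message the rules sum to the reported 5.4, which is 0.6 short of required=6.0; SPF_FAIL and HTML_MESSAGE matched at 0.0 and the URIBL query was blocked rather than answered.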

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Spam getting through... which parameters to tweak?

Post by ShelbyGT500 » 25 Oct 2014 11:07

Hi,
marcw wrote: Do I need to install more mods since the SARE rules no longer work?
Yes, see: viewtopic.php?f=3&t=964
Note that you will need to disable the MalwarePatrol database, because it is now necessary to register to download the database.

You can use Clamav with 3rd party sigs, version 0.60.6: viewtopic.php?f=3&t=215#p486
It adds databases to detect spam (spam mails will be detected as virus).

Last but not least, IPCOP 1.4.21 is obsolete and no longer supported. Spamassassin 3.3.1 is obsolete too.
It's highly recommended to upgrade to IPCOP 2.1.5 (2.1.6 coming soon), and Copfilter 2.1.92beta4.

Regards.

ShelbyGT500

EDIT:
Note F-prot database is obsolete too: X-Copfilter-Virus-Scanned: F-PROT 6.7.10.6267 - Engine 4.6.5.141 - Virus Database 2014-06-25 20:20 ;)
To solve: viewtopic.php?f=3&t=840#p4405

marcw
Posts: 30
Joined: 24 Apr 2010 21:41

Re: Spam getting through... which parameters to tweak?

Post by marcw » 25 Oct 2014 20:35

Thanks for the reply. I am running 3rd party clamav signatures. The issue is that my cop is running on REALLY outdated hardware. It only has 1GB of memory with no cheap option to upgrade. In other words I can't just turn on all the 3rd party sigs due to lack of memory. Which ones would you suggest are the best bang for the buck memory footprint wise? I realize my cop is old too, but when it just works it's hard to take it down and replace it with the newer version. I've been thinking about getting a Lenovo ThinkServer TS140 and putting the newer 2.x version on it so I can configure it at my leisure and then have a drop-in replacement for my old box. I work from home so having internet is essential for me and I can't afford for my cop to be down for a long time. Does the 2.x version have any issues with newer hardware like SATA3, PCIe, SSD etc etc?

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Spam getting through... which parameters to tweak?

Post by ShelbyGT500 » 25 Oct 2014 21:54

Hi Marcw,
marcw wrote: Which ones would you suggest are the best bang for the buck memory footprint wise? I
If you want to be more efficient with spam, have a try with:
- Sanesecurity: junk.ndb, phish.ndb, scam.ndb, spam.ldb, spamimg.hdb, spamattach.hdb
- Bofhland: bofhland_cracked_URL.ndb, bofhland_phishing_URL.ndb
- Porcupine: phishtank.ndb
marcw wrote: Does the 2.x version have any issues with newer hardware like SATA3, PCIe, SSD etc etc?
You will find more information on the IPCOP website (for hardware: http://www.ipcops.com/phpbb3/viewforum. ... f521103259).
The common issues are with Ethernet interface.

marcw wrote: I've been thinking about getting a Lenovo ThinkServer TS140 and put the newer 2.x version on it so I can configure it on my leisure and then have a drop in replacement for my old box.
Waoouu! High quality for IPCOP! :D
It should work without any issue, you only have to choose the correct NIC.
In my case, I'm running IPCOP with a Shuttle ds 61 (and Intel Pentium 2020) without any issue, high performance and low consumption.

Regards.

ShelbyGT500
