Mejorar la detección de spam con SpamAssassin

• Comprobación del encabezado y el cuerpo del correo electrónico con el servidor SMTP Postfix

• header_checks
• mime_header_checks
• nested_header_checks
• body_checks

/etc/spamassassin/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

#auto_learn 1
bayes_auto_learn 1
bayes_auto_learn 1


# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]


score MISSING_FROM   5.0
score MISSING_DATE   5.0

score MISSING_HEADERS 3.0

score PDS_FROM_2_EMAILS 3.0

score EMPTY_MESSAGE 4.0

score FREEMAIL_DISPTO 2.0
score FREEMAIL_FORGED_REPLYTO 3.5


score FORGED_GMAIL_RCVD 2.5

score DKIM_ADSP_NXDOMAIN 5.0


header   FROM_SAME_AS_TO   ALL=~/\nFrom: ([^\n]+)\nTo: \1/sm
describe FROM_SAME_AS_TO   From address is the same as To address.
score    FROM_SAME_AS_TO   2.0


header    EMPTY_RETURN_PATH    ALL =~ /<>/i
describe  EMPTY_RETURN_PATH    empty address in the Return Path header.
score     EMPTY_RETURN_PATH    3.0

header    CUSTOM_DMARC_FAIL   Authentication-Results =~ /dmarc=fail/
describe  CUSTOM_DMARC_FAIL   This email failed DMARC check
score     CUSTOM_DMARC_FAIL   3.0


body      SUBSCRIPTION_SPAM   /(unsubscribe|u n s u b s c r i b e|Un-subscribe)/i
describe  SUBSCRIPTION_SPAM   I didn't subscribe to your spam.
score     SUBSCRIPTION_SPAM   3.0

header    LIST_UNSUBSCRIBE   ALL =~ /List-Unsubscribe/i
describe  LIST_UNSUBSCRIBE   I didn't join your mailing list.
score     LIST_UNSUBSCRIBE   2.0

header    MAILJET_IMPOSTER   From =~ /mailjet/i
describe  MAILJET_IMPOSTER   I don't have a mailjet account for this email address.
score     MAILJET_IMPOSTER   2.5

score FROM_DOMAIN_NOVOWEL 4.0

score HTML_IMAGE_RATIO_02 4.0


header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
describe __RCVD_IN_ZEN Received via a relay in Spamhaus Zen
tflags RCVD_IN_ZENSPAMHAUS        net
score RCVD_IN_SBL 5.0


#header MISSING_HEADERS       eval:check_for_missing_to_header()
#describe MISSING_HEADERS     Missing To: header


header CUSTOM_LOOKUP_1 eval:check_rbl('all.s5h.net','all.s5h.net.')
describe CUSTOM_LOOKUP_1 Entries listed in all.s5h.net RBL
score CUSTOM_LOOKUP_1 0.5

header CUSTOM_LOOKUP_2 eval:check_rbl('b.barracudacentral.org','b.barracudacentral.org.')
describe CUSTOM_LOOKUP_2 Entries listed in b.barracudacentral.org RBL
score CUSTOM_LOOKUP_2 0.5

header CUSTOM_LOOKUP_3 eval:check_rbl('blackholes.five-ten-sg.com','blackholes.five-ten-sg.com.')
describe CUSTOM_LOOKUP_3 Entries listed in blackholes.five-ten-sg.com RBL
score CUSTOM_LOOKUP_3 0.5

header CUSTOM_LOOKUP_4 eval:check_rbl('blacklist.woody.ch','blacklist.woody.ch.')
describe CUSTOM_LOOKUP_4 Entries listed in blacklist.woody.ch RBL
score CUSTOM_LOOKUP_4 0.5

header CUSTOM_LOOKUP_5 eval:check_rbl('bl.drmx.org','bl.drmx.org.')
describe CUSTOM_LOOKUP_5 Entries listed in bl.drmx.org RBL
score CUSTOM_LOOKUP_5 0.5

header CUSTOM_LOOKUP_6 eval:check_rbl('bl.mailspike.net','bl.mailspike.net.')
describe CUSTOM_LOOKUP_6 Entries listed in bl.mailspike.net RBL
score CUSTOM_LOOKUP_6 0.5

header CUSTOM_LOOKUP_7 eval:check_rbl('bl.spamcop.net','bl.spamcop.net.')
describe CUSTOM_LOOKUP_7 Entries listed in bl.spamcop.net RBL
score CUSTOM_LOOKUP_7 0.5

header CUSTOM_LOOKUP_8 eval:check_rbl('bl.spamcop.net','bl.spamcop.net.')
describe CUSTOM_LOOKUP_8 Entries listed in bl.spamcop.net RBL
score CUSTOM_LOOKUP_8 0.5

header CUSTOM_LOOKUP_9 eval:check_rbl('bl.spameatingmonkey.net','bl.spameatingmonkey.net.')
describe CUSTOM_LOOKUP_9 Entries listed in bl.spameatingmonkey.net RBL
score CUSTOM_LOOKUP_9 0.5

header CUSTOM_LOOKUP_10 eval:check_rbl('bogons.cymru.com','bogons.cymru.com.')
describe CUSTOM_LOOKUP_10 Entries listed in bogons.cymru.com RBL
score CUSTOM_LOOKUP_10 0.5

header CUSTOM_LOOKUP_11 eval:check_rbl('bsb.empty.us','bsb.empty.us.')
describe CUSTOM_LOOKUP_11 Entries listed in bsb.empty.us RBL
score CUSTOM_LOOKUP_11 0.5

header CUSTOM_LOOKUP_12 eval:check_rbl('cbl.abuseat.org','cbl.abuseat.org.')
describe CUSTOM_LOOKUP_12 Entries listed in cbl.abuseat.org RBL
score CUSTOM_LOOKUP_12 0.5

header CUSTOM_LOOKUP_13 eval:check_rbl('cdl.anti-spam.org.cn','cdl.anti-spam.org.cn.')
describe CUSTOM_LOOKUP_13 Entries listed in cdl.anti-spam.org.cn RBL
score CUSTOM_LOOKUP_13 0.5

header CUSTOM_LOOKUP_14 eval:check_rbl('combined.abuse.ch','combined.abuse.ch.')
describe CUSTOM_LOOKUP_14 Entries listed in combined.abuse.ch RBL
score CUSTOM_LOOKUP_14 0.5

header CUSTOM_LOOKUP_15 eval:check_rbl('db.wpbl.info','db.wpbl.info.')
describe CUSTOM_LOOKUP_15 Entries listed in db.wpbl.info RBL
score CUSTOM_LOOKUP_15 0.5

header CUSTOM_LOOKUP_16 eval:check_rbl('dnsbl-1.uceprotect.net','dnsbl-1.uceprotect.net.')
describe CUSTOM_LOOKUP_16 Entries listed in dnsbl-1.uceprotect.net RBL
score CUSTOM_LOOKUP_16 0.5

header CUSTOM_LOOKUP_17 eval:check_rbl('dnsbl-2.uceprotect.net','dnsbl-2.uceprotect.net.')
describe CUSTOM_LOOKUP_17 Entries listed in dnsbl-2.uceprotect.net RBL
score CUSTOM_LOOKUP_17 0.5

header CUSTOM_LOOKUP_18 eval:check_rbl('dnsbl-3.uceprotect.net','dnsbl-3.uceprotect.net.')
describe CUSTOM_LOOKUP_18 Entries listed in dnsbl-3.uceprotect.net RBL
score CUSTOM_LOOKUP_18 0.5

header CUSTOM_LOOKUP_19 eval:check_rbl('dnsbl.anticaptcha.net','dnsbl.anticaptcha.net.')
describe CUSTOM_LOOKUP_19 Entries listed in dnsbl.anticaptcha.net RBL
score CUSTOM_LOOKUP_19 0.5

header CUSTOM_LOOKUP_20 eval:check_rbl('dnsbl.calivent.com.pe','dnsbl.calivent.com.pe.')
describe CUSTOM_LOOKUP_20 Entries listed in dnsbl.calivent.com.pe RBL
score CUSTOM_LOOKUP_20 0.5

header CUSTOM_LOOKUP_21 eval:check_rbl('dnsbl.cobion.com','dnsbl.cobion.com.')
describe CUSTOM_LOOKUP_21 Entries listed in dnsbl.cobion.com RBL
score CUSTOM_LOOKUP_21 0.5

header CUSTOM_LOOKUP_22 eval:check_rbl('dnsbl.cyberlogic.net','dnsbl.cyberlogic.net.')
describe CUSTOM_LOOKUP_22 Entries listed in dnsbl.cyberlogic.net RBL
score CUSTOM_LOOKUP_22 0.5

header CUSTOM_LOOKUP_23 eval:check_rbl('dnsbl.dronebl.org','dnsbl.dronebl.org.')
describe CUSTOM_LOOKUP_23 Entries listed in dnsbl.dronebl.org RBL
score CUSTOM_LOOKUP_23 0.5

header CUSTOM_LOOKUP_24 eval:check_rbl('dnsbl.inps.de','dnsbl.inps.de.')
describe CUSTOM_LOOKUP_24 Entries listed in dnsbl.inps.de RBL
score CUSTOM_LOOKUP_24 0.5

header CUSTOM_LOOKUP_25 eval:check_rbl('dnsbl.kempt.net','dnsbl.kempt.net.')
describe CUSTOM_LOOKUP_25 Entries listed in dnsbl.kempt.net RBL
score CUSTOM_LOOKUP_25 0.5

header CUSTOM_LOOKUP_26 eval:check_rbl('dnsbl.rv-soft.info','dnsbl.rv-soft.info.')
describe CUSTOM_LOOKUP_26 Entries listed in dnsbl.rv-soft.info RBL
score CUSTOM_LOOKUP_26 0.5

header CUSTOM_LOOKUP_27 eval:check_rbl('dnsbl.sorbs.net','dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_27 Entries listed in dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_27 0.5

#header CUSTOM_LOOKUP_28 eval:check_rbl('dnsbl.spfbl.net','dnsbl.spfbl.net.')
#describe CUSTOM_LOOKUP_28 Entries listed in dnsbl.spfbl.net RBL
#score CUSTOM_LOOKUP_28 0.5

header CUSTOM_LOOKUP_29 eval:check_rbl('dnsrbl.org','dnsrbl.org.')
describe CUSTOM_LOOKUP_29 Entries listed in dnsrbl.org RBL
score CUSTOM_LOOKUP_29 0.5

header CUSTOM_LOOKUP_30 eval:check_rbl('drone.abuse.ch','drone.abuse.ch.')
describe CUSTOM_LOOKUP_30 Entries listed in drone.abuse.ch RBL
score CUSTOM_LOOKUP_30 0.5

header CUSTOM_LOOKUP_31 eval:check_rbl('drone.abuse.ch','drone.abuse.ch.')
describe CUSTOM_LOOKUP_31 Entries listed in drone.abuse.ch RBL
score CUSTOM_LOOKUP_31 0.5

header CUSTOM_LOOKUP_32 eval:check_rbl('duinv.aupads.org','duinv.aupads.org.')
describe CUSTOM_LOOKUP_32 Entries listed in duinv.aupads.org RBL
score CUSTOM_LOOKUP_32 0.5

header CUSTOM_LOOKUP_33 eval:check_rbl('dul.dnsbl.sorbs.net','dul.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_33 Entries listed in dul.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_33 0.5

header CUSTOM_LOOKUP_34 eval:check_rbl('dyna.spamrats.com','dyna.spamrats.com.')
describe CUSTOM_LOOKUP_34 Entries listed in dyna.spamrats.com RBL
score CUSTOM_LOOKUP_34 0.5

header CUSTOM_LOOKUP_35 eval:check_rbl('dynip.rothen.com','dynip.rothen.com.')
describe CUSTOM_LOOKUP_35 Entries listed in dynip.rothen.com RBL
score CUSTOM_LOOKUP_35 0.5

header CUSTOM_LOOKUP_36 eval:check_rbl('exitnodes.tor.dnsbl.sectoor.de','exitnodes.tor.dnsbl.sectoor.de.')
describe CUSTOM_LOOKUP_36 Entries listed in exitnodes.tor.dnsbl.sectoor.de RBL
score CUSTOM_LOOKUP_36 0.5

header CUSTOM_LOOKUP_37 eval:check_rbl('http.dnsbl.sorbs.net','http.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_37 Entries listed in http.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_37 0.5

header CUSTOM_LOOKUP_38 eval:check_rbl('ips.backscatterer.org','ips.backscatterer.org.')
describe CUSTOM_LOOKUP_38 Entries listed in ips.backscatterer.org RBL
score CUSTOM_LOOKUP_38 0.5

header CUSTOM_LOOKUP_39 eval:check_rbl('ix.dnsbl.manitu.net','ix.dnsbl.manitu.net.')
describe CUSTOM_LOOKUP_39 Entries listed in ix.dnsbl.manitu.net RBL
score CUSTOM_LOOKUP_39 0.5

header CUSTOM_LOOKUP_40 eval:check_rbl('korea.services.net','korea.services.net.')
describe CUSTOM_LOOKUP_40 Entries listed in korea.services.net RBL
score CUSTOM_LOOKUP_40 0.5

header CUSTOM_LOOKUP_41 eval:check_rbl('mail-abuse.blacklist.jippg.org','mail-abuse.blacklist.jippg.org.')
describe CUSTOM_LOOKUP_41 Entries listed in mail-abuse.blacklist.jippg.org RBL
score CUSTOM_LOOKUP_41 0.5

header CUSTOM_LOOKUP_42 eval:check_rbl('misc.dnsbl.sorbs.net','misc.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_42 Entries listed in misc.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_42 0.5

header CUSTOM_LOOKUP_43 eval:check_rbl('noptr.spamrats.com','noptr.spamrats.com.')
describe CUSTOM_LOOKUP_43 Entries listed in noptr.spamrats.com RBL
score CUSTOM_LOOKUP_43 0.5

header CUSTOM_LOOKUP_44 eval:check_rbl('orvedb.aupads.org','orvedb.aupads.org.')
describe CUSTOM_LOOKUP_44 Entries listed in orvedb.aupads.org RBL
score CUSTOM_LOOKUP_44 0.5

#header CUSTOM_LOOKUP_45 eval:check_rbl('pbl.spamhaus.org','pbl.spamhaus.org.')
#describe CUSTOM_LOOKUP_45 Entries listed in pbl.spamhaus.org RBL
#score CUSTOM_LOOKUP_45 0.5

header CUSTOM_LOOKUP_46 eval:check_rbl('proxy.bl.gweep.ca','proxy.bl.gweep.ca.')
describe CUSTOM_LOOKUP_46 Entries listed in proxy.bl.gweep.ca RBL
score CUSTOM_LOOKUP_46 0.5

header CUSTOM_LOOKUP_47 eval:check_rbl('psbl.surriel.com','psbl.surriel.com.')
describe CUSTOM_LOOKUP_47 Entries listed in psbl.surriel.com RBL
score CUSTOM_LOOKUP_47 0.5

header CUSTOM_LOOKUP_48 eval:check_rbl('rbl.abuse.ro','rbl.abuse.ro.')
describe CUSTOM_LOOKUP_48 Entries listed in rbl.abuse.ro RBL
score CUSTOM_LOOKUP_48 0.5

header CUSTOM_LOOKUP_49 eval:check_rbl('rbl.interserver.net','rbl.interserver.net.')
describe CUSTOM_LOOKUP_49 Entries listed in rbl.interserver.net RBL
score CUSTOM_LOOKUP_49 0.5

header CUSTOM_LOOKUP_50 eval:check_rbl('recent.spam.dnsbl.sorbs.net','recent.spam.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_50 Entries listed in recent.spam.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_50 0.5

header CUSTOM_LOOKUP_51 eval:check_rbl('relays.bl.gweep.ca','relays.bl.gweep.ca.')
describe CUSTOM_LOOKUP_51 Entries listed in relays.bl.gweep.ca RBL
score CUSTOM_LOOKUP_51 0.5

header CUSTOM_LOOKUP_52 eval:check_rbl('relays.nether.net','relays.nether.net.')
describe CUSTOM_LOOKUP_52 Entries listed in relays.nether.net RBL
score CUSTOM_LOOKUP_52 0.5

header CUSTOM_LOOKUP_53 eval:check_rbl('sbl.spamhaus.org','sbl.spamhaus.org.')
describe CUSTOM_LOOKUP_53 Entries listed in sbl.spamhaus.org RBL
score CUSTOM_LOOKUP_53 0.5

header CUSTOM_LOOKUP_54 eval:check_rbl('sbl-xbl.spamhaus.org','sbl-xbl.spamhaus.org.')
describe CUSTOM_LOOKUP_54 Entries listed in sbl-xbl.spamhaus.org RBL
score CUSTOM_LOOKUP_54 0.5

header CUSTOM_LOOKUP_55 eval:check_rbl('short.rbl.jp','short.rbl.jp.')
describe CUSTOM_LOOKUP_55 Entries listed in short.rbl.jp RBL
score CUSTOM_LOOKUP_55 0.5

header CUSTOM_LOOKUP_56 eval:check_rbl('singular.ttk.pte.hu','singular.ttk.pte.hu.')
describe CUSTOM_LOOKUP_56 Entries listed in singular.ttk.pte.hu RBL
score CUSTOM_LOOKUP_56 0.5

header CUSTOM_LOOKUP_57 eval:check_rbl('smtp.dnsbl.sorbs.net','smtp.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_57 Entries listed in smtp.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_57 0.5

header CUSTOM_LOOKUP_58 eval:check_rbl('socks.dnsbl.sorbs.net','socks.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_58 Entries listed in socks.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_58 0.5

header CUSTOM_LOOKUP_59 eval:check_rbl('spam.abuse.ch','spam.abuse.ch.')
describe CUSTOM_LOOKUP_59 Entries listed in spam.abuse.ch RBL
score CUSTOM_LOOKUP_59 0.5

header CUSTOM_LOOKUP_60 eval:check_rbl('spambot.bls.digibase.ca','spambot.bls.digibase.ca.')
describe CUSTOM_LOOKUP_60 Entries listed in spambot.bls.digibase.ca RBL
score CUSTOM_LOOKUP_60 0.5

header CUSTOM_LOOKUP_61 eval:check_rbl('spam.dnsbl.anonmails.de','spam.dnsbl.anonmails.de.')
describe CUSTOM_LOOKUP_61 Entries listed in spam.dnsbl.anonmails.de RBL
score CUSTOM_LOOKUP_61 0.5

header CUSTOM_LOOKUP_62 eval:check_rbl('spam.dnsbl.sorbs.net','spam.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_62 Entries listed in spam.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_62 0.5

header CUSTOM_LOOKUP_63 eval:check_rbl('spamguard.leadmon.net','spamguard.leadmon.net.')
describe CUSTOM_LOOKUP_63 Entries listed in spamguard.leadmon.net RBL
score CUSTOM_LOOKUP_63 0.5

header CUSTOM_LOOKUP_64 eval:check_rbl('spamrbl.imp.ch','spamrbl.imp.ch.')
describe CUSTOM_LOOKUP_64 Entries listed in spamrbl.imp.ch RBL
score CUSTOM_LOOKUP_64 0.5

header CUSTOM_LOOKUP_65 eval:check_rbl('spamsources.fabel.dk','spamsources.fabel.dk.')
describe CUSTOM_LOOKUP_65 Entries listed in spamsources.fabel.dk RBL
score CUSTOM_LOOKUP_65 0.5

header CUSTOM_LOOKUP_66 eval:check_rbl('spam.spamrats.com','spam.spamrats.com.')
describe CUSTOM_LOOKUP_66 Entries listed in spam.spamrats.com RBL
score CUSTOM_LOOKUP_66 0.5

header CUSTOM_LOOKUP_67 eval:check_rbl('tor.dan.me.uk','tor.dan.me.uk.')
describe CUSTOM_LOOKUP_67 Entries listed in tor.dan.me.uk RBL
score CUSTOM_LOOKUP_67 0.5

header CUSTOM_LOOKUP_68 eval:check_rbl('truncate.gbudb.net','truncate.gbudb.net.')
describe CUSTOM_LOOKUP_68 Entries listed in truncate.gbudb.net RBL
score CUSTOM_LOOKUP_68 0.5

header CUSTOM_LOOKUP_69 eval:check_rbl('ubl.unsubscore.com','ubl.unsubscore.com.')
describe CUSTOM_LOOKUP_69 Entries listed in ubl.unsubscore.com RBL
score CUSTOM_LOOKUP_69 0.5

header CUSTOM_LOOKUP_70 eval:check_rbl('virbl.bit.nl','virbl.bit.nl.')
describe CUSTOM_LOOKUP_70 Entries listed in virbl.bit.nl RBL
score CUSTOM_LOOKUP_70 0.5

header CUSTOM_LOOKUP_71 eval:check_rbl('virus.rbl.jp','virus.rbl.jp.')
describe CUSTOM_LOOKUP_71 Entries listed in virus.rbl.jp RBL
score CUSTOM_LOOKUP_71 0.5

header CUSTOM_LOOKUP_72 eval:check_rbl('virus.rbl.jp','virus.rbl.jp.')
describe CUSTOM_LOOKUP_72 Entries listed in virus.rbl.jp RBL
score CUSTOM_LOOKUP_72 0.5

header CUSTOM_LOOKUP_73 eval:check_rbl('web.dnsbl.sorbs.net','web.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_73 Entries listed in web.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_73 0.5

header CUSTOM_LOOKUP_74 eval:check_rbl('xbl.spamhaus.org','xbl.spamhaus.org.')
describe CUSTOM_LOOKUP_74 Entries listed in xbl.spamhaus.org RBL
score CUSTOM_LOOKUP_74 0.5

header CUSTOM_LOOKUP_75 eval:check_rbl('zen.spamhaus.org','zen.spamhaus.org.')
describe CUSTOM_LOOKUP_75 Entries listed in zen.spamhaus.org RBL
score CUSTOM_LOOKUP_75 0.5

header CUSTOM_LOOKUP_76 eval:check_rbl('zombie.dnsbl.sorbs.net','zombie.dnsbl.sorbs.net.')
describe CUSTOM_LOOKUP_76 Entries listed in zombie.dnsbl.sorbs.net RBL
score CUSTOM_LOOKUP_76 0.5



# scoring BAYES
score BAYES_00 -5.0
score BAYES_05 -4.0
score BAYES_20 1.0
score BAYES_40 2.0
score BAYES_50 2.5
score BAYES_60 3.0
score BAYES_80 3.5
score BAYES_95 4.0
score BAYES_99 4.5
score BAYES_999 1.0

# scoring DNSBLs & DNSWLs
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_BLOCKED 0
score RCVD_IN_DNSWL_HI -6.0
score RCVD_IN_DNSWL_LOW -2.0
score RCVD_IN_DNSWL_MED -4.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_HOSTKARMA_BL 2.0
score RCVD_IN_HOSTKARMA_BR 0.5
score RCVD_IN_HOSTKARMA_W -5.0
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_H2 -0.5
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -2.0
score RCVD_IN_MSPIKE_H5 -3.0
score RCVD_IN_MSPIKE_L3 0.5
score RCVD_IN_MSPIKE_L4 2.0
score RCVD_IN_MSPIKE_L5 3.0
score RCVD_IN_MSPIKE_WL 0.0
score RCVD_IN_MSPIKE_ZBI 2.0
score RCVD_IN_PBL 3.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SBL_CSS 3.0
score RCVD_IN_SPAMRATS_DYNA 2.0
score RCVD_IN_SPAMRATS_NOPTR 2.0
score RCVD_IN_SPAMRATS_SPAM 3.0
score RCVD_IN_XBL 3.0
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

# scoring URIBLs
score URIBL_ABUSE_SURBL 4.5
score URIBL_BLACK 4.5
score URIBL_CR_SURBL 3.5
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 3.0
score URIBL_DBL_ABUSE_MALW 3.0
score URIBL_DBL_ABUSE_PHISH 3.0
score URIBL_DBL_ABUSE_REDIR 1.0
score URIBL_DBL_ABUSE_SPAM 3.0
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_ERROR 0.0
score URIBL_DBL_MALWARE 3.0
score URIBL_DBL_PHISH 3.0
score URIBL_DBL_SPAM 3.0
score URIBL_GREY 1.0
score URIBL_MW_SURBL 3.5
score URIBL_PH_SURBL 3.5
score URIBL_RED 0.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 3.0
score URIBL_SBL_A 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0



# scoring HEADER & MISSING
score HEADER_FROM_DIFFERENT_DOMAINS 0.5
score MISSING_DATE 3.0
score MISSING_FROM 1.5
score MISSING_HEADERS 2.0
score MISSING_SUBJECT 1.0



# additional scoring tweaks
score HELO_DYNAMIC_SPLIT_IP 3.0
score LOTS_OF_MONEY 0.5
score MPART_ALT_DIFF 0.5
score MPART_ALT_DIFF_COUNT 0.5
score RDNS_NONE 0.5
score T_FILL_THIS_FORM_SHORT 0.5
score UNPARSEABLE_RELAY 0.5

# add JunkEmailFilter HostKarma DNSBL & DNSWL
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net

# add Spamrats DNSBL
header __RCVD_IN_SPAMRATS eval:check_rbl('spamrats-lastexternal','all.spamrats.com.')
describe __RCVD_IN_SPAMRATS SPAMRATS: sender is listed in SpamRats
tflags __RCVD_IN_SPAMRATS net
reuse __RCVD_IN_SPAMRATS
header RCVD_IN_SPAMRATS_DYNA eval:check_rbl_sub('spamrats-lastexternal','127.0.0.36')
describe RCVD_IN_SPAMRATS_DYNA RATS-Dyna: sent directly from dynamic IP address
tflags RCVD_IN_SPAMRATS_DYNA net
reuse RCVD_IN_SPAMRATS_DYNA
header RCVD_IN_SPAMRATS_NOPTR eval:check_rbl_sub('spamrats-lastexternal','127.0.0.37')
describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
tflags RCVD_IN_SPAMRATS_NOPTR net
reuse RCVD_IN_SPAMRATS_NOPTR
header RCVD_IN_SPAMRATS_SPAM eval:check_rbl_sub('spamrats-lastexternal','127.0.0.38')
describe RCVD_IN_SPAMRATS_SPAM RATS-Spam: sender is a spam source
tflags RCVD_IN_SPAMRATS_SPAM net
reuse RCVD_IN_SPAMRATS_SPAM




#--------------------------------------------------
# The only RBL I trust, UCEPROTECT1 (single IP, not IP-ranges or entire ISPs) http://uceprotect.net
#--------------------------------------------------
header          RCVD_IN_UCEPROTECT1     eval:check_rbl_txt('uceprotect1', 'dnsbl-1.uceprotect.net')
describe        RCVD_IN_UCEPROTECT1     Listed in dnsbl-1.uceprotect.net
tflags          RCVD_IN_UCEPROTECT1     net
score           RCVD_IN_UCEPROTECT1     1.8

#--------------------------------------------------
# top level domain matching, and no, not Russia or China; In 2022 I got the absolute most spam from .cz and .ua actually!
#--------------------------------------------------
header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.cz|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)\s/i
score SPAMMY_TLD_IN_RCVD 0.3
describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line

header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.cz|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)>$/i
score SPAMMY_TLD_IN_FROM 0.3
describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line

header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i
meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
score HIGH_SPAMMY_TLD 1.1
describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link

#--------------------------------------------------
# Header matching
#--------------------------------------------------
header X_ORG_REAL_CAPITAL       X-Organization =~ /RealCapitalMarkets\.com/i
score X_ORG_REAL_CAPITAL        3.0

#--------------------------------------------------
# Subject matching
#--------------------------------------------------
header __SUBJECT_NEIGHBOR Subject =~ /Neighbou?r/i
header __SUBJECT_NEXT_DOOR Subject =~ /next door/i
meta SUBJECT_NEIGHBOUR (__SUBJECT_NEIGHBOR || __SUBJECT_NEXT_DOOR)
score SUBJECT_NEIGHBOUR 0.3

header __SUBJECT_VIAGRA Subject =~ /viagra/i
header __SUBJECT_PILLS Subject =~ /pills/i
header __SUBJECT_HEALTH_SECRET Subject =~ /health secret/i

meta SUBJECT_HEALTH (__SUBJECT_VIAGRA || __SUBJECT_PILLS || __SUBJECT_HEALTH_SECRET)
score SUBJECT_HEALTH 0.4
describe SUBJECT_HEALTH health-related subject

header SUBJECT_DARLEHEN Subject =~ /Darlehen Angebot jetzt bewerben/i
score SUBJECT_DARLEHEN 0.2

header __FROM_DAVIS_WRIGHT From =~ /Davis Wright/i
header __SUBJECT_LEG_DARLEHEN Subject =~ /Legitimes Darlehen Angebot/i
meta DAVIS_WRIGHT_DARLEHEN (__FROM_DAVIS_WRIGHT && __SUBJECT_LEG_DARLEHEN)
score DAVIS_WRIGHT_DARLEHEN 1.0

header __FROM_KEVIN_PAGE From =~ /Kevin Page/i
meta KEVIN_PAGE_DARLEHEN (__FROM_KEVIN_PAGE && SUBJECT_DARLEHEN)
score KEVIN_PAGE_DARLEHEN 1.0

# "Domain Expiration SEO" spam
header __SUBJECT_EXP_SEO Subject =~ /Expiration SEO/i
header __FROM_EXP_SEO From =~ /(Domain Expiration SEO|Final Reminder)/i
meta EXPIRATION_SEO (__SUBJECT_EXP_SEO && __FROM_EXP_SEO)
score EXPIRATION_SEO 0.3
describe EXPIRATION_SEO Variation of Domain SEO spam

# "SEO issue" spam
header __SUBJECT_SEO_ISSUE Subject =~ /SEO Issue/i
body __BODY_SEO_ISSUE /\s+(Search Specialist|Hello Team)/i
meta SEO_ISSUE (__SUBJECT_SEO_ISSUE && __BODY_SEO_ISSUE)
score SEO_ISSUE 0.4
describe SEO_ISSUE Variation of Domain SEO spam

# Domain Alert
header __SUBJECT_DOMAIN_ALERT Subject =~ /This is your Final (Reminder|Notice)/i
header __FROM_DOMAIN_ALERT From =~ /(Internet Services|Domain Notice|directimpactdesigns.com)/i
body __BODY_DOMAIN_ALERT /\s+search engine registration/i
meta DOMAIN_ALERT (__SUBJECT_DOMAIN_ALERT && __FROM_DOMAIN_ALERT && __BODY_DOMAIN_ALERT)
score DOMAIN_ALERT 0.5
describe DOMAIN_ALERT Variations of search engine registration spam

header __FROM_BITCOIN_CODE From =~ /bestofmesh.com/i
uri __BITCOIN_CODE_LINK /track.bestofmesh.com.*/i
meta BITCOIN_CODE (__FROM_BITCOIN_CODE && __BITCOIN_CODE_LINK)
score BITCOIN_CODE 0.8


# customlogobuilders.press
header FROM_CUSTOMLOGOBUILDERS From =~ /customlogobuilders.press/i
score FROM_CUSTOMLOGOBUILDERS 1.0


#--------------------------------------------------
# Text matching
#--------------------------------------------------
header __SUBJECT_FUCK Subject =~ /f[ua5\&\%]ck/i
body __BODY_FUCK /\s+(fuck|sex|masturbate|anal)\s+/i
meta FUCKED_MAIL (__SUBJECT_FUCK || __BODY_FUCK )
score FUCKED_MAIL 0.5
describe FUCKED_MAIL Contains variations of 'fuck' in the subject and/or body

header __SUBJECT_FAX_RECEIVED Subject =~ /You have 1 new fax, document/i
header __SUBJECT_FAX_RECEIVED2 Subject =~ /You have received a new fax, document /i
meta FAX_RECEIVED ((__SUBJECT_FAX_RECEIVED || __SUBJECT_FAX_RECEIVED2) && __ZIP_ATTACHED)
score FAX_RECEIVED 1.2


body __BODY_VIAGRA /viagra/i
body __BODY_PILLS /pills/i
body __BODY_HEALTH_SECRET /health secret/i

meta BODY_HEALTH (__BODY_VIAGRA || __BODY_PILLS || __BODY_HEALTH_SECRET)
score BODY_HEALTH 0.2
describe BODY_HEALTH health-related body text

body __LEAKED_PWD1a /(I know )?[a-zA-Z0-9]{1,99} one of your pass./i
body __LEAKED_PWD1b /I (do )?know [a-zA-Z0-9]{1,99} one of your pass word./i
body __LEAKED_PWD2 /I actually (installed|placed) a (malware|software) on the (18+|xxx) (streaming|videos|video clips) \((porn|porno|sexually graphic)\)/i
meta LEAKED_PWD ((__LEAKED_PWD1a || __LEAKED_PWD1b) && __LEAKED_PWD2)
score LEAKED_PWD 2.0



#--------------------------------------------------
# Some very persistent spammers
#--------------------------------------------------

header FROM_MUNGAI From =~ /MUNGAI KIHANYA TRAINING/i
score FROM_MUNGAI 2.0

header FROM_KINETIC From =~ /KINETIC (ENTERPRISES|TECHNOLOGIEZ)/i
score FROM_KINETIC 1.0

header FROM_KINETIC2 From =~ /\*\s*KINETIC/i
score FROM_KINETIC2 1.0

meta KINETIC_SCREAMING (FROM_KINETIC2 && SUBJ_ALL_CAPS)
score KINETIC_SCREAMING 2.0

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
tflags DNSWL_DWL_HI nice net
describe DNSWL_DWL_HI dwl.dnswl.org high trust
score DNSWL_DWL_HI -4

askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
tflags DNSWL_DWL_MED nice net
describe DNSWL_DWL_MED dwl.dnswl.org medium trust
score DNSWL_DWL_MED -2

askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
tflags DNSWL_DWL_LOW nice net
describe DNSWL_DWL_LOW dwl.dnswl.org low trust
score DNSWL_DWL_LOW -1

askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
tflags DNSWL_DWL_NONE nice net
describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available
score DNSWL_DWL_NONE -0.2

endif # Mail::SpamAssassin::Plugin::AskDNS

Comienza el entrenamiento

SpamAssassin utiliza un clasificador Bayesiano para tratar de identificar el spam.

En teoría de la probabilidad y minería de datos, un clasificador Bayesiano ingenuo es un clasificador probabilístico fundamentado en el teorema de Bayes y algunas hipótesis simplificadoras adicionales. Es a causa de estas simplificaciones, que se suelen resumir en la hipótesis de independencia entre las variables predictoras, que recibe el apelativo de ingenuo.

Éste clasificador lo que hace es recolectar tokens, que son palabras o secuencias de caracteres que son comunes a los correos no deseados (spam) o los correos legítimos (ham). La pregunta ahora es ¿a partir de qué datos va a determinar si es spam o ham?. La respuesta: nuestros correos.

Hay varias maneras de que SpamAssassin aprenda, las más comunes son

• Aprendizaje sin supervisión con reglas de SA (auto-learning). El clasificador aprende de las propias reglas internas de filtrado.
• Supervisado. El clasificador aprende de mails previamente clasificados por el usuario como spam y ham.

La ventaja del entrenamiento sin supervisión es que (lógicamente) no requiere trabajo extra del usuario. Por otro lado, la tasa de éxito de detección de spam/ham puede ser menor que el supervisado. Entonces lo mejor es iniciar el entrenamiento con mails que ya hayamos marcado como spam y luego con la cantidad de datos suficientes pasemos al modelo de auto-learning.

Paso 1: Recolección de muestras

Nosotros utilizamos Thunderbird para realizar este trabajo preliminar. La estrategia es tener una carpeta llamada SPAM, en una de las cuentas, con todos los mails que manualmente marcamos como spam para entrenar al propio clasificador Bayesiano de Thunderbird y luego utilizar esas muestras para entrenar a SpamAssassin.

Para activar el filtro de Thunderbird hay que ir a Menú > Opciones > Configuración de cuenta y activar las opciones:

• Activar control adaptativos de correo no deseado para esta cuenta.
• Confiar en las cabeceras de correo no deseado enviadas por SpamAssassin. ⚠️ IMPORTANTE.
• Mover nuevos mensajes de correo no deseado a:, seleccionar Otra y luego seleccionar la carpeta SPAM.

En nuestro caso, en los puestos que tienen varias cuentas configuradas, movemos todos los correos de spam a una única carpeta SPAM de una sola cuenta de correo. De esta manera es más fácil tener todos los correos no deseados en un solo lugar. Una vez que esté todo configurado y los correos clasificados procedemos al entrenamiento de SpamAssassin.

Paso 2: Pasando conocimiento con sa-learn

El comando sa-learn nos permite ingresar la data recolectada al clasificador Bayesiano de SpamAssassin. Es recomendable tener una buena cantidad de correos clasificados para iniciar el entrenamiento. Nosotros comenzamos con una muestra de 2000 correos no deseados y 8000 legítimos. Entonces, para empezar el entrenamiento de spam:

sa-learn --spam /home/USER/mail/DOMINIO/CUENTA/.Spam/

Ahora sólo falta enseñarle cuales son los patrones de correos legítimos. Para ello se utiliza el comando

sa-learn --ham /home/USER/mail/DOMINIO/CUENTA/.CARPETA/

Si hay varias (muy probablemente) carpetas/cuentas de que queremos utilizar como muestra, podemos utilizar un archivo con la lista de directorios. Una manera para generarla puede ser:

ls -d /home/USER/mail/DOMINIO/CUENTA/.?* >> ~/HAM

Tendríamos que editar el archivo para quitar las carpetas .. y las que contengan spam y finalmente podemos volver a entrenar el clasificador con:

sa-learn --ham -f ~/HAM

Paso 3: Puesta en marcha

Una vez realizado el entrenamiento, verificamos que SA haya aprendido con el comando:

sa-learn --dump magic

Los datos más importantes son

0.000          0       1027          0  non-token data: nspam
0.000          0       6010          0  non-token data: nham

nspam es la cantidad de tokens identificados como spam y nham la cantidad para ham.

Para activar el filtrado hay que editar el archivo /etc/mail/spamassassin/local.cf y agregar las líneas

use_bayes 1
bayes_auto_learn 1

• use_bayes 1 indica que tiene que usar el clasificador Bayesiano.
• use_bayes_auto_learn 1 indica que tiene que usar el auto aprendizaje.

Finalmente reiniciar el servicio y verificar que todo está bien