How to Fight Spam Using Spamassassin, Dnsbl, and Procmail

by joe in Circuits > Linux


I run my own mail server, and I check my email most of the time using pine. Over the years I had set up spam filters in pine to weed out spam. But I have also been known to use my Blackberry to check email using SquirrelMail. Well, my pine filters did not work in SquirrelMail. Plus, more spam had been coming through lately.

This instructable will show you how to set up spamassassin on Fedora using procmail to move messages marked as spam to a spam folder automatically.



Install Prerequisites

You'll want to install your prerequisites:

joe@fletcher ~$ sudo yum install sendmail-cf sendmail procmail spamassassin spamass-milter

Sendmail Configuration

Next, check that sendmail is rejecting mail from hosts listed on DNS blacklists (DNSBLs).

Edit sendmail.mc and add the lines below:

joe@fletcher ~$ vi /etc/mail/sendmail.mc
FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `cbl.abuseat.org', `"Spam blocked see: http://cbl.abuseat.org/lookup.cgi?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"Spam blocked see: http://spamhaus.org/query/bl?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"Spam blocked see: http://dsbl.org/listing?"$&{client_addr}')dnl

Each FEATURE(`dnsbl') line makes sendmail look up the connecting client's address in that list and, if it is listed, refuse the message during the SMTP session with the quoted text (plus the client address) as the rejection reason. Confirm that every list you add is still in operation before relying on it: list.dsbl.org, for example, shut down in 2008, and a dead list either never matches or, if its domain lapses and is re-registered with a wildcard, answers every query and blocks all of your mail.

While you have that open, add procmail as the default mailer:
MAILER(procmail)dnl
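As an added example (not part of the original Instructable and not sendmail's code), the following Python script shows what a FEATURE(`dnsbl') lookup actually does: it reverses the octets of the client address, appends the list's zone, and treats an A record in the answer as a listing. It goes a little beyond sendmail, which rejects on any answer at all (FEATURE(`enhdnsbl') is the variant that lets you name the expected answers), by keeping DNSBL error codes and non-127.x.x.x answers apart from real listings so that a misbehaving list cannot block all of your mail. The Spamhaus return codes come from Spamhaus's public documentation; the resolver is pluggable so the logic can be exercised offline, and the 192.0.2.x and 198.51.100.x addresses used in testing are documentation ranges, not real hosts.

```python
# Added example (not part of the original Instructable, not sendmail's code):
# what a DNSBL lookup looks like under the hood, with a pluggable resolver so
# the logic can be checked offline.
import ipaddress
import socket


def spamhaus_meaning(code):
    """Meaning of an answer from a Spamhaus zone (per Spamhaus documentation).
    Other lists use their own codes; check each list's documentation."""
    if code == "127.0.0.2":
        return "SBL (Spamhaus Block List)"
    if code == "127.0.0.3":
        return "SBL CSS (snowshoe / compromised sender)"
    if code in ("127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"):
        return "XBL (exploited or hijacked host)"
    if code in ("127.0.0.10", "127.0.0.11"):
        return "PBL (end-user address space that should not send mail directly)"
    return "listed, unrecognised code"


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client queries: reversed octets plus the zone,
    e.g. 192.0.2.1 in sbl.spamhaus.org -> 1.2.0.192.sbl.spamhaus.org.
    Raises ValueError for anything that is not an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def default_resolver(name):
    """Return the A records for name, or [] when it does not exist
    (NXDOMAIN means 'not listed' in DNSBL terms)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify_answer(answers):
    """Turn the A records into (verdict, detail). Plain FEATURE(`dnsbl')
    rejects on *any* answer; here errors are kept apart from listings."""
    if not answers:
        return ("clean", "no A record, address is not listed")
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus uses 127.255.255.252-255 for 'bad zone name', 'query
            # via open/public resolver' and 'over query limit'.
            return ("error", a + ": DNSBL error code, not a listing")
        if not a.startswith("127."):
            # A dead list whose domain was re-registered with a wildcard
            # answers like this for every address: stop using the zone.
            return ("error", a + ": non-loopback answer, zone is dead or wildcarded")
    return ("listed", "; ".join(a + " = " + spamhaus_meaning(a) for a in answers))


def check_client(ip, zone, resolve=default_resolver):
    """What the MTA would decide for one connecting client address."""
    name = dnsbl_query_name(ip, zone)
    verdict, detail = classify_answer(resolve(name))
    return {"query": name, "verdict": verdict, "detail": detail,
            "reject": verdict == "listed"}


if __name__ == "__main__":
    # 127.0.0.2 is the documented test entry listed by every Spamhaus zone;
    # 127.0.0.1 should never be listed.
    for ip in ("127.0.0.2", "127.0.0.1"):
        print(check_client(ip, "sbl.spamhaus.org"))
```

Run as-is it queries sbl.spamhaus.org for the documented test address 127.0.0.2 and for 127.0.0.1. If the test address comes back clean, or comes back as a 127.255.255.x error (which is what Spamhaus returns when you query through a public resolver), the list is effectively not being consulted, and with the default FEATURE(`dnsbl') arguments sendmail would simply accept the mail rather than tell you.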

Sendmail Restart

After you have made your changes to sendmail's .mc file, restart the sendmail service, which rebuilds the config file (sendmail.cf) from it:

joe@fletcher ~$ sudo service sendmail restart

Set Up Procmail Logging

joe@fletcher ~$ sudo vi /etc/procmailrc
LOGFILE=/var/log/procmail.log
#Uncomment below for troubleshooting
#VERBOSE=YES
#LOGABSTRACT=YES

You can check procmail now by tailing the log file under /var/log:

joe@fletcher ~$ tail /var/log/procmail.log

Local Procmail Config

Create a .procmailrc in your home directory:
joe@fletcher ~$ vi ~/.procmailrc
:0:
* ^X-Spam-Status: Yes
/home/joe/mail/spam

This recipe (the trailing colon on :0: takes a lock on the destination file) moves any message whose X-Spam-Status header starts with "Yes" into the spam mbox. That header is only there if SpamAssassin tagged the message before delivery, which is the job of the spamass-milter installed earlier: it hands each incoming message to spamd and writes the X-Spam-* headers. If the header never shows up in your mail, check that spamass-milter and spamd are both running.

Custom Rules

You will want to create a set of custom SpamAssassin rules.

Apache.org has a great write-up on creating your own custom rules here:
Wiki Page

I am sure you have noticed that spam follows patterns. For instance, I get the same spam about candy deals with similar subject lines for a few months at a time. You could write a rule looking for a few of these things.

joe@fletcher ~$ sudo vi /etc/mail/spamassassin/local.cf
header CANDY_1 From =~ /hard/i
header CANDY_2 From =~ /candy/i
header CANDY_3 Subject =~ /hard/i
header CANDY_4 Subject =~ /candy/i
header CANDY_5 Subject =~ /urban decay/i
meta CANDY_MULTI_TEST ((CANDY_1 + CANDY_2 + CANDY_3 + CANDY_4 + CANDY_5) > 1)
score CANDY_MULTI_TEST 5.0

Each header line is a case-insensitive regular expression tested against one header, and the meta line adds up how many of the five sub-tests hit. If any two of the above conditions are met, the meta rule fires and adds 5.0 points, which reaches SpamAssassin's default required_score of 5.0 on its own, so the message is marked as spam. Two things to keep in mind: a rule with no score line scores 1.0 by default, so each CANDY_n hit also adds a point unless you rename the sub-tests with a leading double underscore (__CANDY_1 and so on), which SpamAssassin treats as unscored helper rules; and short patterns like /hard/ also match legitimate text such as the name "Richard", which is exactly why the score hangs on two hits rather than one.

Another option is to blacklist certain sender addresses or domains:
blacklist_from *@citylinenews.com

blacklist_from matches the From header, which spammers forge at will, so treat it as a convenience for a persistent nuisance sender rather than a real defence. A listed sender gets a fixed score of 100 (USER_IN_BLACKLIST), so a typo here will quarantine legitimate mail.

Or if you know the subject you do not want to receive:
header WARRANTY_CHECK Subject =~ /Home Warranty/i
score WARRANTY_CHECK 5.0
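As an added example (it is not SpamAssassin's code and not part of the original Instructable, and it supports only the rule syntax used on this page: header tests with =~, arithmetic meta tests and score lines), here is a small Python evaluator that runs the CANDY rules and the WARRANTY_CHECK rule over constructed messages, so the scoring can be reasoned about without a running spamd. It renames the five CANDY sub-tests with a leading "__", which is how SpamAssassin marks unscored helper rules, and shows the difference that makes for a legitimate message from a "Richard" whose name happens to match /hard/i. The sample messages and the example.invalid addresses are constructed, not real mail.

```python
# Added example (not SpamAssassin's code and not from the original
# Instructable): a small evaluator for the subset of rule syntax used above,
# run over constructed messages so the scoring can be checked without spamd.
import ast
import operator
import re
from email import message_from_string

# The rules from local.cf, with the five sub-tests renamed with a leading "__"
# so that they carry no score of their own (an unprefixed rule with no score
# line defaults to 1.0 in SpamAssassin; "__" marks an unscored helper rule).
RULES = """
header __CANDY_1 From =~ /hard/i
header __CANDY_2 From =~ /candy/i
header __CANDY_3 Subject =~ /hard/i
header __CANDY_4 Subject =~ /candy/i
header __CANDY_5 Subject =~ /urban decay/i
meta CANDY_MULTI_TEST ((__CANDY_1 + __CANDY_2 + __CANDY_3 + __CANDY_4 + __CANDY_5) > 1)
score CANDY_MULTI_TEST 5.0
header WARRANTY_CHECK Subject =~ /Home Warranty/i
score WARRANTY_CHECK 5.0
"""
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(\w*)$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(\S+)$")

_BIN = {ast.Add: operator.add, ast.Sub: operator.sub}
_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq}


def parse_rules(text):
    """Split a local.cf fragment into header tests, meta tests and scores."""
    headers, metas, scores = [], [], {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            name, hdr, pattern, flags = m.groups()
            headers.append((name, hdr, re.compile(pattern, re.I if "i" in flags else 0)))
        elif m := META_RE.match(line):
            metas.append(m.groups())
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
        else:
            raise ValueError("unsupported rule line: " + line)
    return headers, metas, scores


def eval_meta(expr, hits):
    """Evaluate an arithmetic meta expression against 0/1 rule hits. Only
    names, numbers, + - and a single comparison are accepted (no eval())."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            return hits.get(node.id, 0)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            return _BIN[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
            return int(_CMP[type(node.ops[0])](walk(node.left), walk(node.comparators[0])))
        raise ValueError("unsupported meta syntax in: " + expr)
    return walk(ast.parse(expr, mode="eval"))


def rule_score(name, scores):
    """Explicit score, else 0 for "__" helper rules and 1.0 for anything else."""
    if name in scores:
        return scores[name]
    return 0.0 if name.startswith("__") else 1.0


def evaluate(raw_message, rules=RULES):
    """Score one message text and say whether it crosses the threshold."""
    headers, metas, scores = parse_rules(rules)
    msg = message_from_string(raw_message)
    hits = {}
    for name, hdr, regex in headers:
        hits[name] = 1 if regex.search(msg.get(hdr, "")) else 0
    for name, expr in metas:  # meta tests run after all header tests
        hits[name] = 1 if eval_meta(expr, hits) else 0
    total = sum(rule_score(n, scores) for n, h in hits.items() if h)
    return {"hits": sorted(n for n, h in hits.items() if h),
            "score": float(total), "spam": total >= REQUIRED_SCORE}


# Constructed sample messages (not real mail).
CANDY_SPAM = "From: Hard Candy Deals <deals@example.invalid>\nSubject: candy sale\n\nbody\n"
RICHARD = "From: Richard Roe <richard@example.invalid>\nSubject: lunch tomorrow?\n\nbody\n"
WARRANTY = "From: offers@example.invalid\nSubject: Your HOME WARRANTY is expiring\n\nbody\n"

if __name__ == "__main__":
    for text in (CANDY_SPAM, RICHARD, WARRANTY):
        print(evaluate(text))
    # The same "Richard" message with the page's unprefixed rule names picks
    # up a stray 1.0 point from CANDY_1 alone.
    print(evaluate(RICHARD, rules=RULES.replace("__", "")))
```

Running the script prints a verdict for each sample: the candy message collects three sub-hits and 5.0 points from the meta rule, the Richard message scores nothing, and the warranty message is caught by the single scored header rule. The last line re-runs the Richard message with the page's original unprefixed names and shows it picking up 1.0 point for one accidental match, which is the behaviour the "__" prefix avoids.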

Check Rules

Check the rules you have created:

joe@fletcher ~$ spamassassin --lint -D

If it has no errors, restart spamassassin:
joe@fletcher ~$ sudo service spamassassin restart

Bayes

You can train spamassassin to identify spam with its Bayesian classifier.

First point it at your spam folder:
joe@fletcher ~$ sa-learn --mbox --spam /home/joe/mail/spam

Then your inbox:
joe@fletcher ~$ sa-learn --mbox --nonspam /var/mail/joe

The Bayes tests only start contributing to scores once the database holds at least 200 spam and 200 ham messages (the defaults for bayes_min_spam_num and bayes_min_ham_num), so keep running both commands as mail accumulates.

Done.

At this point you have completed your first step towards a spam-free inbox.

You'll have to keep looking in your spam folder for the first week or so to see if everything marked as spam is in fact spam. If spam is getting through be sure to look at the headers and see if there is anything you can identify as a pattern and write a new rule for it.

I usually just tail /var/log/procmail.log and check to see whether any non-spam has been incorrectly marked.

Good luck!

-Joe