Another DNSBL lost, NJABL shutdown

According to NJABL’s website, they’re shutting down effective immediately:

March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After “the Internet” has had some time to remove NJABL from server configs, the NS’s will be pointed off into unallocated space to hopefully make the shutdown obvious to those who were slower to notice.

If you have NJABL listed in your MDaemon or SecurityGateway configuration, you should probably remove it immediately. MDaemon’s SpamAssassin automatically uses NJABL as well, but as long as you have automatic updates enabled, no action is required: SpamAssassin will be disabling NJABL per bug 6913.

To NJABL’s operators: Thanks for all your time and efforts, it was appreciated!

Image-only adult themed spam

Lately there is a new batch of spam going out that tends to use adult themed subjects, but has no content in the body aside from a single image.

It has been reported that this SpamAssassin rule helps:

header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
score MIME_IMAGE_ONLY 2.00
describe MIME_IMAGE_ONLY Image body part but no text body parts

To use it, copy these five lines to the bottom of your \MDaemon\SpamAssassin\rules\local.cf file, then either restart MDaemon or create an mdspamd.sem file in the \MDaemon\App\ directory.

You may want to tweak the score, but start with 2.0: this rule hasn’t been aggressively tested, so there is a higher risk of false positives than with the default SpamAssassin rules.

Lastly, it’s also worth mentioning that Outbreak Protection (part of SecurityPlus 4 and higher) is flagging these messages as spam.

UPDATE 2009/05/19: The above rule only works in MDaemon 10 and higher. For earlier versions, you’ll need one more line:

mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
(Thanks goes to “Greg Vancardo” for tracking this one down)
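
The rule's logic can be checked offline against sample messages before it goes into local.cf. The Python sketch below is an added example, not part of the original post or of SpamAssassin; it approximates the three sub-rules with the same regular expressions, and the build helper and all sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The three patterns from the rule on this page, applied to Content-Type values.
CTYPE_MULTIPART_MXD = re.compile(r"multipart/mixed", re.I)
ANY_TEXT_ATTACH = re.compile(r"text/\w+", re.I)
ANY_IMAGE_ATTACH = re.compile(r"image/(?:gif|jpeg|png)")

def mime_image_only(raw):
    """Return True when the MIME_IMAGE_ONLY meta rule would be expected to fire."""
    msg = message_from_string(raw)
    top = msg.get("Content-Type", "")
    # Approximation: test the Content-Type header of every leaf MIME part.
    parts = [p.get("Content-Type", "") for p in msg.walk() if not p.is_multipart()]
    has_image = any(ANY_IMAGE_ATTACH.search(c) for c in parts)
    has_text = any(ANY_TEXT_ATTACH.search(c) for c in parts)
    return bool(CTYPE_MULTIPART_MXD.search(top)) and has_image and not has_text

def build(subject, text=None, image_subtype="jpeg", alternative=False):
    """Construct a sample message (constructed test data, not captured mail)."""
    msg = MIMEMultipart("alternative" if alternative else "mixed")
    msg["Subject"] = subject
    if text is not None:
        msg.attach(MIMEText(text, "plain"))
    msg.attach(MIMEImage(b"\x00" * 16, _subtype=image_subtype))
    return msg.as_string()

SAMPLES = {
    "image_only_spam": build("constructed subject"),
    "photo_with_note": build("Holiday photo", text="See attached."),
    "scanner_output": build("Scan from copier"),        # legitimate, no text part
    "bmp_only": build("Picture", image_subtype="bmp"),  # subtype not in the regex
    "alternative_top": build("Newsletter", alternative=True),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} MIME_IMAGE_ONLY={mime_image_only(raw)}")
```

The scanner_output sample has the same structure as the spam sample, which is the kind of false positive to watch for when deciding how far to raise the score.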

Relying on upstream ISP spamassassin

In a default configuration, MDaemon automatically removes the existing X-Spam-Flag header on inbound mail so that pre-inserted headers don’t interfere with your local SpamAssassin configuration.

In certain cases, such as where your ISP inserts a trusted X-Spam-Flag header of their own, you may want to change this behaviour.

Changing this is pretty simple: go to Setup –> Misc Options –> [Headers] tab and uncheck the “Strip ‘X-Spam-Flag’ option”; MDaemon will then stop stripping the header.

Be aware that you can’t use this header as input to SpamAssassin if it’s the same header that your SpamAssassin outputs. You could, however, use the content filter if you want the flag set to “Yes” when either the ISP *or* the local MDaemon says “Yes”.

So, if you’re running a local copy of SpamAssassin too, you’ll need to make some changes.

First, edit the 10_misc.cf file and comment out or change the “add_header spam Flag _YESNOCAPS_” line.

If you changed it to “add_header spam FlagX _YESNOCAPS_” then you’ll get a header called X-Spam-FlagX instead and you can use this internally.

NOTE: Normally I would not recommend editing the built-in files; we usually suggest you use local.cf or your own CF file. This is an exception because there is no way to “undo” this command; you need to remove it entirely. Also be aware that these changes will need to be redone whenever you upgrade MDaemon.

Once the appropriate “add_header” entry is changed, you can either use the content filter or your local SpamAssassin itself to filter on the X-Spam-Flag header.