Parallels H-Sphere Documentation System Administrator Guide

 

Sa-update and Rules Du Jour: Automatic Update of SpamAssassin Rulesets

(version 2.4.3 and up)
 
 

Related Docs:   Qmail Configuration SPF and SRS (Admin Guide)

Last modified: 27 Dec 2007

 

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.


Sa-update Script

Starting with hsphere-mail-service-3-28 (HS 2.4.3+) and hsphere-mail-service-4-18 (HS 2.5.0+), H-Sphere supports the sa-update script. Sa-update dynamically updates the basic SpamAssassin rules to catch different kinds of spam. It also lets you add other channels, but at your own risk.

By default, sa-update uses the following locations:

  • /hsphere/local/config/mail/spamassassin/sa-update-keys - PGP key-rings. They are created automatically in the post-install section for the default channel.
  • /hsphere/local/config/mail/spamassassin/sa-update - directory where the updated rules are stored.

The /hsphere/local/config/mail/spamassassin/scripts/saupdate script, which checks for and applies rule updates, can be customized to your own needs by adding new rules. This script is left untouched by later hsphere-mail-service updates.

 

Rules Du Jour Script

Starting with H-Sphere 2.4.3, mail service packages come with RulesDuJour, a bash script that automatically downloads new versions of SpamAssassin rulesets as their authors release them. As FreeBSD does not include bash by default, the H-Sphere mail service package containing RulesDuJour also includes the bash installation for FreeBSD. The script must run daily as a cron task to keep additional custom SpamAssassin rules up to date.

At the mail server level, RulesDuJour is implemented by the following scripts:

  • Initialization script: /hsphere/local/config/mail/spamassassin/scripts/init_rules_du_jour
  • Deletion script: /hsphere/local/config/mail/spamassassin/scripts/delete_rules_du_jour
  • RulesDuJour SA ruleset update script: /hsphere/local/config/mail/spamassassin/scripts/rules_du_jour

Current RulesDuJour versions:

  • H-Sphere 2.4.3 and up to H-Sphere 2.5: version 1.22
  • H-Sphere 2.5 Patch 1 (planned): version 1.28

 

Initialization Script

The initialization script is launched when the Automatic Ruleset Update (Rules Du Jour) option is enabled in SpamAssassin Manager:

  1. It creates the default RulesDuJour config file /hsphere/local/config/mail/spamassassin/rulesdujour. The init script syntax (run it with the -h option to get help):

    # /hsphere/local/config/mail/spamassassin/scripts/init_rules_du_jour -h
    Usage: init_rules_du_jour [ -r rulesets ] [ -e email ]

    rulesets: list of comma separated ruleset; possible values: TRIPWIRE EVILNUMBERS SARE_RANDOM (default: all)
    email: address where e-mail notifications on SA rulesets update go (default: none)

    The script is used to set values for SA rulesets to be updated and the e-mail address where update notifications will be sent. See Configuration File for details.

  2. It adds the RulesDuJour SA ruleset update script /hsphere/local/config/mail/spamassassin/scripts/rules_du_jour to mail server cron jobs starting daily at 1:00 AM:

    0 1 * * * /hsphere/local/config/mail/spamassassin/scripts/rules_du_jour

 

Configuration File

Initialization creates the RulesDuJour config file /hsphere/local/config/mail/spamassassin/rulesdujour. It has the following format:

    # cat rulesdujour.default
    TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS SARE_RANDOM"
    SA_DIR=/hsphere/local/config/mail/spamassassin
    EMAIL_RDJ_UPDATE_ONLY=
    SINGLE_EMAIL_ONLY=true
    MAIL_ADDRESS=
    SA_LINT="/hsphere/shared/bin/spamassassin --lint"
    SA_RESTART="/etc/rc.d/init.d/spamd restart"
    TMPDIR="${SA_DIR}/RulesDuJour"

This sample config file is for Linux servers. On FreeBSD, the spamd restart command has a different format:

    SA_RESTART="/usr/local/etc/rc.d/spamd.sh restart"

Two config file variables, TRUSTED_RULESETS and MAIL_ADDRESS, can be set by the init script and via the Control Panel on the SpamAssassin Manager page:

  • TRUSTED_RULESETS - choose under what categories custom rulesets need to be included and updated:
    • ANTIDRUG (deprecated since 3.0 Final) is intended to detect common "pill spam"; however, it is not appropriate for all environments. It may not be appropriate for a medical or pharmaceutical environment.
    • BLACKLIST a blacklist of spammers.
    • BLACKLIST_URI looks for these domains inside URLs in the message.
    • BOGUSVIRUS lists bogus virus warnings and similar.
    • RANDOMVAL list of tags spammers sometimes forget to convert in spam.
    • SARE_ADULT designed to catch spam with "Adult" material.
    • SARE_BAYES_POISON_NXM using lists of words with equal length.
    • SARE_BML designed to catch "business, marketing and educational" spam.
    • SARE_BML_PRE25X designed to catch "business, marketing and educational" spam.
    • SARE_FRAUD designed to catch "Nigerian 419", "International Lotto", etc. type scams.
    • SARE_FRAUD_PRE25X designed to catch "Nigerian 419", "International Lotto", etc. type scams.
    • SARE_HEADER contains header rules that are not found in other SARE rulesets.
    • SARE_OEM tries to detect people selling OEM software to consumers.
    • SARE_RANDOM tries to detect common mis-fires on bulk mail software. Many signs are found like: %RND_NUMBER, etc.
    • SARE_SPECIFIC ruleset which flags specific spam and/or spam from specific spammers.
    • SARE_SPOOF tries to detect common spoofing attempts by spammers. Many use a Message-ID of one provider but the message was never passed through the suggested system.
    • TRIPWIRE searches for 3 characters that shouldn't be together. This is based on the English language.
    Rulesets added in RulesDuJour 1.28 (implemented since H-Sphere 2.5 Patch 1):
    • RANDOMVAL lists tags spammers sometimes forget to convert in spam.
    • SARE_EVILNUMBERS lists addresses and phone numbers harvested from spam.
    • SARE_GENLSUBJ contains Subject header rules that are not found in other SARE rulesets.
    • SARE_HIGHRISK is developed because there are spam signs which readily detect spam, and which in our testing do not flag significant ham, but theoretically there is no reason for such rules not to flag ham. We therefore consider these to be "high risk" rules, useful for many systems at this time, but not suitable for systems that must be very conservative and cautious in their spam detection.
    • SARE_HTML contains HTML coding rules that detect various spammer tricks applied through HTML coding within messages.
    • SARE_OBFU looks for obfuscation within emails. It looks for the various tricks spammers use to hide their message from spam filters, while keeping their messages readable to humans. It treats these as spamsign.
    • SARE_REDIRECT detects commonly abused redirectors and uri obfuscation techniques.
    • SARE_SPAMCOP_TOP200 contains the top 200 spam relays condensed into as few rules as possible.
    • SARE_STOCKS contains a set of rules for stock spam.
    • SARE_UNSUB looks for common unsubscribe phrases and codes in spam.
    • SARE_URI contains files that look for spamsign in URI links within emails. It is not intended to replace SURBL or BigEvil, but instead uses characteristics that these domain-based tests cannot track.
    • SARE_WHITELIST is used to whitelist newsletters and mailing lists that are controlled/monitored to be free of spam, but might occasionally be flagged as spam by SpamAssassin because of "spammy" contents.
    • ZMI_GERMAN contains German ruleset.
    Rulesets deprecated in RulesDuJour 1.28 (implemented since H-Sphere 2.5 Patch 1):
    • BIGEVIL looks for known spammer URLs in the spam (bigevil.cf).
    • SARE_CODING contains HTML coding rules that detect various spammer tricks applied through HTML coding within messages (70_sare_html.cf).
    • SARE_RATWARE (70_sare_ratware.cf)
    • EVILNUMBERS addresses and phone numbers harvested from spam (70_sare_evilnum0.cf).
    • EVILNUMBERS1 addresses and phone numbers harvested from spam (70_sare_evilnum1.cf).
    • EVILNUMBERS2 addresses and phone numbers harvested from spam (70_sare_evilnum2.cf).
  • MAIL_ADDRESS - the e-mail address where SA ruleset update notifications will be sent. If the field is empty, no notifications will be sent.
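
A check of TRUSTED_RULESETS against the ruleset lists above, with the deprecated entries classified as of RulesDuJour 1.28. This is an added example, not H-Sphere or RulesDuJour code; the function names rdj_get and rdj_check and the temporary sample file are assumptions. The config is read as text rather than sourced.

```shell
#!/bin/sh
# Added example (not H-Sphere code). Ruleset names are taken from the lists on
# this page; rdj_get, rdj_check and the sample file are hypothetical.
RDJ_CURRENT="BLACKLIST BLACKLIST_URI BOGUSVIRUS RANDOMVAL SARE_ADULT \
SARE_BAYES_POISON_NXM SARE_BML SARE_BML_PRE25X SARE_FRAUD SARE_FRAUD_PRE25X \
SARE_HEADER SARE_OEM SARE_RANDOM SARE_SPECIFIC SARE_SPOOF TRIPWIRE \
SARE_EVILNUMBERS SARE_GENLSUBJ SARE_HIGHRISK SARE_HTML SARE_OBFU SARE_REDIRECT \
SARE_SPAMCOP_TOP200 SARE_STOCKS SARE_UNSUB SARE_URI SARE_WHITELIST ZMI_GERMAN"
RDJ_DEPRECATED="ANTIDRUG BIGEVIL SARE_CODING SARE_RATWARE EVILNUMBERS \
EVILNUMBERS1 EVILNUMBERS2"

# Read VAR=value as text (last assignment wins, surrounding quotes stripped).
# The file is parsed, never sourced, so nothing in it is executed here.
rdj_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print "<status> <name>" for each entry; return 1 if any is not current.
rdj_check() {
    rc=0
    set -f                      # no glob expansion of names read from the file
    for name in $(rdj_get TRUSTED_RULESETS "$1"); do
        case " $RDJ_CURRENT " in
            *" $name "*) echo "ok $name"; continue ;;
        esac
        case " $RDJ_DEPRECATED " in
            *" $name "*) echo "deprecated $name" ;;
            *)           echo "unknown $name" ;;
        esac
        rc=1
    done
    set +f
    [ -n "$(rdj_get MAIL_ADDRESS "$1")" ] ||
        echo "note MAIL_ADDRESS is empty: no update notifications are sent"
    return "$rc"
}

# Constructed sample: the default values from the config file shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS SARE_RANDOM"
SA_DIR=/hsphere/local/config/mail/spamassassin
MAIL_ADDRESS=
EOF
rdj_check "$sample" || echo "review TRUSTED_RULESETS before RulesDuJour 1.28"
```

Run against the sample, the check reports EVILNUMBERS from the default configuration as deprecated, since it is in the list of rulesets deprecated in RulesDuJour 1.28.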




© Copyright 2017. Parallels Holdings. All rights reserved.