BigWil
Verified User
- Joined
- Aug 5, 2004
- Messages
- 300
Suggested SA Adjustments
John,
You may want to include these in the future. Of course our OS is FreeBSD 6 and adjustments may differ slightly for RH. (Beware of word wrapping below, like on the spamass.pid line.)
Added to NewSyslog.conf
/var/log/spamassasin 640 7 300 * J /var/run/spamass.pid
Added to /usr/local/etc/rc.d/exim
Where:
then /usr/bin/spamd -d -c -m 5
Changed to:
then /usr/bin/spamd -d -s /var/log/spamassasin -r /var/run/spamass.pid -c -m 5
Where:
killall -9 spamd
Changed to:
kill `cat /var/run/spamass.pid`
The outcomes....
I now have a /var/log/spamassasin log that I can tail and so forth to keep good track of things. The newsyslog rolls it over when it gets to 300 and keeps 7 bzip2ed archives. This is of course adjustable to your taste.
Also, the previous problem I had of not being able to easily restart spamd is fixed. The killall -9 spamd wasn't working on FreeBSD systems.
Last but not least, the stock rules that come with SA are REALLY insufficient for today's systems and spam traffic. I have added the following rules to /usr/share/spamassasin.
http://www.rulesemporium.com/rules/70_sare_adult.cf
http://www.rulesemporium.com/rules/70_sare_html1.cf
http://www.rulesemporium.com/rules/70_sare_uri0.cf
http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf
http://www.rulesemporium.com/rules/70_sare_obfu.cf
http://www.rulesemporium.com/rules/71_sare_redirect_pre3.0.0.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf
http://www.rulesemporium.com/rules/70_sare_obfu0.cf
http://www.rulesemporium.com/rules/72_sare_bml_post25x.cf
http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj1.cf
http://www.rulesemporium.com/rules/70_sare_oem.cf
http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj2.cf
http://www.rulesemporium.com/rules/70_sare_random.cf
http://www.rulesemporium.com/rules/70_sare_html0.cf
http://www.rulesemporium.com/rules/70_sare_unsub.cf
http://www.rulesemporium.com/rules/70_sare_genlsubj3.cf
http://www.rulesemporium.com/rules/70_sare_specific.cf
http://www.rulesemporium.com/rules/70_sare_header_eng.cf
http://www.rulesemporium.com/rules/70_sare_stocks.cf
http://www.rulesemporium.com/rules/70_sare_header0.cf
http://www.rulesemporium.com/rules/70_sare_spoof.cf
http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf
http://www.rulesemporium.com/rules/99_FVGT_meta.cf
http://www.rulesemporium.com/rules/88_FVGT_headers.cf
http://www.rulesemporium.com/rules/88_FVGT_rawbody.cf
http://www.rulesemporium.com/rules/88_FVGT_subject.cf
http://www.rulesemporium.com/rules/88_FVGT_uri.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf
http://www.rulesemporium.com/rules/backhair.cf
http://www.rulesemporium.com/rules/chickenpox.cf
http://www.rulesemporium.com/rules/mangled.cf
http://www.rulesemporium.com/rules/weeds.cf
http://www.timj.co.uk/linux/bogus-virus-warnings.cf
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
And a simple restart of exim/spamd puts them into effect. We are now blocking the near majority of spam that gets past spamblocker and we haven't seen any false positives.
Big Wil
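An added example, not part of the original post: a pid-file stop routine for an rc script that validates the pid file before signalling, since a bare kill on the contents of a stale or malformed pid file, run as root, can hit an unrelated process after PID reuse. The function name stop_by_pidfile and its return codes are hypothetical; the pid file path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example (not from the post). Usage in an rc script, as an assumption:
#   stop_by_pidfile /var/run/spamass.pid spamd 10

# stop_by_pidfile PIDFILE EXPECTED_NAME [TIMEOUT_SECONDS]
# Returns 0 if the process was stopped or was not running,
#         1 if the pid file content is unusable or the signal failed,
#         2 if the pid belongs to a different program,
#         3 if the process is still alive after the timeout.
stop_by_pidfile() {
    pidfile=$1; expected=$2; timeout=${3:-10}

    [ -f "$pidfile" ] || return 0              # no pid file: nothing to stop
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;               # empty or non-numeric content
    esac

    # Stale pid file: the recorded process no longer exists.
    if ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pidfile"
        return 0
    fi

    # PID reuse guard: signal only if the command line names the expected
    # program. Falls back to /proc on Linux systems without ps.
    cmdline=$(ps -o args= -p "$pid" 2>/dev/null) ||
        cmdline=$(2>/dev/null tr '\0' ' ' < "/proc/$pid/cmdline") ||
        cmdline=
    case $cmdline in
        *"$expected"*) ;;
        *) return 2 ;;
    esac

    kill "$pid" 2>/dev/null || return 1        # plain SIGTERM, as in the post
    while [ "$timeout" -gt 0 ]; do
        kill -0 "$pid" 2>/dev/null || { rm -f "$pidfile"; return 0; }
        sleep 1
        timeout=$((timeout - 1))
    done
    return 3                                   # caller decides about escalation
}
```
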