Scope of the document

This document will help you set up your Rspamd installation with a configuration similar to the SpamAssassin configuration used for the VBSpam email security tests carried out by Virus Bulletin. See the latest report.

This configuration is known to achieve excellent spam blocking results with low false positives, without the need for other data or products.

Prerequisites

You need to have a Datafeed Query Service (DQS) key valid for both IP addresses and domains. This configuration cannot work with a DQS key enabled for IP lookups only or for domain lookups only.

These instructions apply to Rspamd 1.9+ and do not cover the initial Rspamd installation. To correctly install Rspamd please refer to instructions applicable to your distribution or see the instructions on the Rspamd site.

Conventions

We are going to use some abbreviations and placeholders:

  • SH: Spamhaus

  • configuration directory: whenever you find these words in italics, they refer to the Rspamd configuration directory. It is usually /etc/rspamd, unless you installed Rspamd from source rather than from a package.

  • whenever you find the box below, it means that you need to enter the command on your shell:

	$ command

  • whenever you find the box below, it means that you need to enter the command on a shell with root privileges:

	# command

Installation instructions

	$ tar xvfz Rspamd-spamhaus.tgz

A subdirectory called Rspamd-spamhaus-20190530 will be created. Within it you will find three files:

  • README. This is just a pointer to this document.

  • rbl.conf. This file contains lookup redefinitions for the IP-based lists.

  • surbl.conf. This file contains lookup redefinitions for the domain-based lists.

  • Make a copy of rbl.conf and surbl.conf into the override.d subdirectory of the configuration directory. If that subdirectory does not exist, create it. That is the place for local Rspamd customizations: files there override the default rules and persist across updates.

  • Now, assuming your DQS key is aip7yig6sahg6ehsohn5shco3z, execute the following commands inside this override.d subdirectory:

	# sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' rbl.conf
	# sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' surbl.conf

There will be no output, but your key will be placed in all the needed places.

  • Restart rspamd.
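
The steps above as a single checked shell function; this is an added example, not a script shipped with the Spamhaus package. It assumes the supplied files use the literal placeholder your_DQS_key (as the sed commands show), that a valid key is plain alphanumeric (an assumption based on the sample key above), and that rspamadm is on the PATH if you want the merged configuration validated before you restart.

```shell
#!/bin/sh
# Added example, not part of the Spamhaus package: copy the override files,
# insert the DQS key and verify the result before the restart step.

# install_dqs_overrides SRC_DIR KEY [CONF_DIR]
#   SRC_DIR  - the unpacked Rspamd-spamhaus-20190530 directory
#   KEY      - your DQS key
#   CONF_DIR - Rspamd configuration directory (defaults to /etc/rspamd)
install_dqs_overrides() {
    src="$1"; key="$2"; conf="${3:-/etc/rspamd}"
    override="$conf/override.d"
    # Literal placeholder used in the supplied rbl.conf / surbl.conf
    placeholder="your_DQS_key"

    # Assumed key format: refuse an empty key, the placeholder itself, or any
    # character outside [A-Za-z0-9] (which would also break the sed expression).
    case "$key" in
        ""|*your_DQS_key*|*[!A-Za-z0-9]*)
            echo "install_dqs_overrides: key must be a non-empty alphanumeric string" >&2
            return 1 ;;
    esac

    mkdir -p "$override" || return 1

    for f in rbl.conf surbl.conf; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        # Substitute while copying, so the unpacked originals stay untouched
        sed -e "s/$placeholder/$key/g" "$src/$f" > "$override/$f" || return 1
        # Verify that no placeholder survived and that the key really landed
        if grep -q "$placeholder" "$override/$f"; then
            echo "placeholder still present in $override/$f" >&2; return 1
        fi
        grep -q "$key" "$override/$f" || { echo "key not found in $override/$f" >&2; return 1; }
    done

    # Validate the merged configuration before restarting rspamd (skipped if
    # rspamadm is not installed, e.g. when running this on a staging box).
    if command -v rspamadm >/dev/null 2>&1; then
        rspamadm configtest || return 1
    fi
    return 0
}
```

Run it as root as install_dqs_overrides /path/to/Rspamd-spamhaus-20190530 YOUR_KEY, then restart rspamd as in the last step.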

Final recommendations

The configuration in the VBSpam survey and this one make use exclusively of our data, as our goal was to certify its quality and keep an eye on how we perform in the field. As a result, malware is blocked using only IP address and domain real-time data.

While the results are reasonably good, the malware/phishing scoring can certainly be improved through some additional actions that we recommend.

Nowadays the rule of thumb for receiving email should be to stay defensive. That is why we recommend basic attachment filtering: drop all emails that contain potentially hazardous attachments, at the very least all file extensions that match this regex:

(exe|vbs|pif|scr|bat|cmd|com|cpl|dll|cpgz|chm|js|jar|wsf)

You should also drop, by default, all Office documents with macros.

The second recommendation is to run an AV (Anti-Virus) engine on your server, to scan all mail attachments. This can be easily done with Rspamd, using the supported AV product of your choice.