Scope of the document
This configuration is known to achieve excellent spam blocking results with low false positives without the need of other data or products.
You need to have a Datafeed Query Service (DQS) key valid for both IP addresses and domains. This configuration cannot work with a DQS key enabled for IP lookups only, or for domain lookups only.
These instructions apply to SpamAssassin 3.4.1+ and do not cover the initial SpamAssassin installation. To correctly install SpamAssassin please refer to instructions applicable to your distribution.
We are going to use some abbreviations and placeholders:
- SA: SpamAssassin
- SH: Spamhaus
- configuration directory: whenever you find these italic words, we are referring to SA’s configuration directory. Depending on your distribution it may be
- whenever you find the box below, it means that you need to enter the command on your shell.
- Download the latest SA-SH package (20190325) into any directory of your choice
- Extract it by giving
# tar xvfz SA-spamhaus.tgz
A subdirectory called SA-spamhaus-20190325 will be created. Within it, besides licensing information, you will find three files:
  - SH.pm. This is a dedicated SA plugin written by SH that overcomes some of SA’s limitations
  - sh.cf. This file contains lookup redefinitions and will need to be edited (see below)
  - sh_scores.cf. In this file we override some of SA’s default rule scoring
- Make a copy of these files into the SA configuration directory (it may require root privileges).
Now, assuming your DQS key is for instance aip7yig6sahg6ehsohn5shco3z, execute the following command inside the configuration directory:
# sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' sh.cf
There will be no output, but your key will be placed inside sh.cf in all the needed places.
Next, open sh.cf with your editor of choice and take a look at the first line:
loadplugin Mail::SpamAssassin::Plugin::SH <config_directory>/SH.pm
You will need to replace <config_directory> with your actual configuration directory. So, for example, if your configuration directory is /etc/mail/spamassassin, the line will become:
loadplugin Mail::SpamAssassin::Plugin::SH /etc/mail/spamassassin/SH.pm
Now test the setup by running:
# spamassassin --lint
This command checks the whole SA installation; if you don’t see any output then congratulations! You have successfully installed SH’s SA setup.
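The two manual edits above (placing the key into sh.cf and fixing the loadplugin path) are easy to get half-done, so here is a small added helper that applies both in one step and refuses to run if the placeholders are missing or left behind. This is example code, not part of the Spamhaus package; the placeholder spellings your_DQS_key and <config_directory> are taken from the instructions, everything else (the function name, the post-condition checks) is assumed.

```shell
#!/bin/sh
# Added example, not part of the Spamhaus package: apply the two manual edits
# to sh.cf (DQS key, real path in the loadplugin line) and verify the result.
set -eu

# configure_sh_cf <path to sh.cf> <DQS key> <configuration directory>
configure_sh_cf() {
    cf="$1"; key="$2"; confdir="$3"

    # Fail early if this is not an unconfigured sh.cf: a file without the
    # placeholders would otherwise be "patched" silently with nothing changed.
    if ! grep -q 'your_DQS_key' "$cf" || ! grep -q '<config_directory>' "$cf"; then
        echo "configure_sh_cf: $cf does not contain the expected placeholders" >&2
        return 1
    fi

    # Same substitutions as the manual sed step; '|' is the delimiter so the
    # slashes in the configuration directory path need no escaping.
    sed -e "s|your_DQS_key|$key|g" \
        -e "s|<config_directory>|$confdir|g" "$cf" > "$cf.tmp"
    mv "$cf.tmp" "$cf"

    # Post-conditions: no placeholder survives, and the plugin line points at
    # SH.pm inside the configuration directory, as in the worked example above.
    if grep -q -e 'your_DQS_key' -e '<config_directory>' "$cf"; then
        echo "configure_sh_cf: placeholders left in $cf" >&2
        return 1
    fi
    grep -qxF "loadplugin Mail::SpamAssassin::Plugin::SH $confdir/SH.pm" "$cf"
}

# When run as a script with the three arguments, patch the file and then lint
# the whole SA installation, as the instructions recommend.
if [ $# -eq 3 ]; then
    configure_sh_cf "$1" "$2" "$3"
    spamassassin --lint
fi
```

Run it from the configuration directory as `sh configure_sh_cf.sh sh.cf <your key> /etc/mail/spamassassin` (adjusting the path), and treat any output from the lint step as something to fix before going live.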
While we undoubtedly recognize SpamAssassin’s abilities at stopping spam with only minor tweaks to the default config, there are some key uses of our datasets that can be fully taken advantage of only by writing some special SA functions. This is why we decided to develop this special plugin, which includes these functions:
- check_sh_helo. This function checks the domain used in the HELO/EHLO string against DBL and ZRD.
- check_sh_headers. This function takes the domain out of the From: and Reply-To: header lines and then checks the domain against DBL and ZRD.
- check_sh_body. This function scans the email body looking for email addresses. For every email address found, it extracts the domain and checks it against DBL and ZRD. This approach has proven useful, for example, in some dating scam campaigns.
The configuration in the VBSpam survey makes use exclusively of our data, as our goal was to certify its quality and to keep an eye on how we perform in the field. So, malware is blocked using just IP address and domain real-time data.
While the results are reasonably good, the malware/phishing scoring can certainly be improved through some additional actions that we recommend.
Nowadays the rule of thumb for receiving email should be to stay defensive, which is why we recommend doing basic attachment filtering by dropping all emails that contain potentially hazardous attachments, at the very least all file extensions that match this regex:
You should also drop, by default, all Office documents with macros.
The second recommendation is to run an AV (Anti-Virus) engine on your server, to scan all mail attachments. This can be easily done with SpamAssassin, using the AV product of your choice.