Scope of the document

This document will help you set up your SpamAssassin installation with the same configuration used for the VBSpam email security tests carried out by Virus Bulletin. See the latest report.

This configuration is known to achieve excellent spam blocking results with low false positives, without needing any other data or products.

Prerequisites

You need to have a Datafeed Query Service (DQS) key valid for both IP addresses and domains. This configuration cannot work with a DQS key enabled for IP lookups only, or for domain lookups only.

These instructions apply to SpamAssassin 3.4.1+ and do not cover the initial SpamAssassin installation. To correctly install SpamAssassin please refer to instructions applicable to your distribution.

Conventions

We are going to use some abbreviations and placeholders:

  • SA: SpamAssassin
  • SH: Spamhaus
  • configuration directory: whenever you find these words in italics, we mean SA’s configuration directory. Depending on your distribution it may be /etc/spamassassin, /etc/mail/spamassassin or another path
  • whenever you find the box below, it means that you need to enter the command on your shell.
	# command

Installation instructions

	# tar xvfz SA-spamhaus.tgz

A subdirectory called SA-spamhaus-20190325 will be created. Within it, besides licensing information, you will find three files:

  • SH.pm. This is a dedicated SA plugin written by SH that overcomes some of SA’s limitations
  • sh.cf. This file contains lookup redefinitions and will need to be edited (see below)
  • sh_scores.cf. In this file we override some of SA’s default rule scoring

Copy these three files into the SA configuration directory (this may require root privileges).

Now, assuming your DQS key is for instance aip7yig6sahg6ehsohn5shco3z, execute the following command inside the configuration directory

	# sed -i -e 's/your_DQS_key/aip7yig6sahg6ehsohn5shco3z/g' sh.cf

There will be no output, but your key will be placed inside sh.cf in all the needed places.

Finally, edit sh.cf with your editor of choice, and take a look at the first line:

loadplugin       Mail::SpamAssassin::Plugin::SH <config_directory>/SH.pm

You will need to replace <config_directory> with your actual configuration directory. So, for example, if your configuration directory is /etc/mail/spamassassin, the line will become:

loadplugin       Mail::SpamAssassin::Plugin::SH /etc/mail/spamassassin/SH.pm

Now test the setup by running:

	# spamassassin --lint

This command checks the whole SA installation; if you don’t see any output then congratulations! You successfully installed SH’s SA setup.

Plugin internals

While we undoubtedly recognize SpamAssassin’s ability to stop spam with only minor tweaks to the default config, there are some key uses of our datasets that can be taken full advantage of only by writing some special SA functions. This is why we decided to develop this plugin, which includes the following functions:

  • check_sh_helo. This function checks the domain used in the HELO/EHLO string against DBL and ZRD.
  • check_sh_headers. This function takes the domain out of the From: and Reply-to: header lines and then checks the domain against DBL and ZRD.
  • check_sh_body. This function scans the email body looking for email addresses. For every email address found, it extracts the domain and checks it against DBL and ZRD. This approach has proven useful, for example, against some dating scam campaigns.

Final recommendations

The configuration in the VBSpam survey makes use exclusively of our data, as our goal was to certify its quality and keep an eye on how we perform in the field. So, malware is blocked using just IP address and domain real-time data.

While the results are reasonably good, the malware/phishing scoring can certainly be improved through some additional actions that we recommend.

Nowadays the rule of thumb for receiving email should be to stay defensive, which is why we recommend basic attachment filtering: drop all emails that contain potentially hazardous attachments, at a minimum any whose file extension matches this regex:

(exe|vbs|pif|scr|bat|cmd|com|cpl|dll|cpgz|chm|js|jar|wsf)
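The following is an added illustration of this extension filter, not code shipped with SA-spamhaus. It parses a constructed MIME message with Python’s standard email module and flags attachment names ending in one of the extensions listed above; the helper names are hypothetical. Note that the group above must be anchored to the end of the filename and matched case-insensitively, otherwise a name such as welcome.txt matches on the substring com.

```python
import re
from email import message_from_string

# The extension list from the text, anchored to the end of the filename and
# matched case-insensitively. Used unanchored, the bare group in the text
# would also hit harmless names such as "welcome.txt" (it contains "com").
HAZARDOUS_EXT = re.compile(
    r"\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll|cpgz|chm|js|jar|wsf)$",
    re.IGNORECASE,
)

def is_hazardous_filename(name):
    """True if the attachment name ends in one of the listed extensions."""
    return bool(HAZARDOUS_EXT.search(name.strip()))

def hazardous_attachments(raw_message):
    """Filenames of all MIME parts whose name matches the list."""
    msg = message_from_string(raw_message)
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and is_hazardous_filename(p.get_filename())]

# Constructed sample message (not real mail): a benign PDF, a payload hiding
# behind a double extension with mixed case, and a decoy name that only an
# unanchored match would flag.
SAMPLE = """\
From: sender@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--b1
Content-Type: application/octet-stream; name="Invoice.PDF.exe"
Content-Disposition: attachment; filename="Invoice.PDF.exe"

TVqQAAMA
--b1
Content-Type: text/plain; name="welcome.txt"
Content-Disposition: attachment; filename="welcome.txt"

aGVsbG8=
--b1--
"""

if __name__ == "__main__":
    print(hazardous_attachments(SAMPLE))  # ['Invoice.PDF.exe']
```

In a real deployment the same check belongs at the MTA or content filter that sees the decoded MIME parts, since the filename alone is only a first line of defence.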

You should also drop, by default, all Office documents with macros.

The second recommendation is to run an AV (Anti-Virus) engine on your server, to scan all mail attachments. This can be easily done with SpamAssassin, using the AV product of your choice.