Add SpamAssassin-related tweaks.

11 files changed, 331 insertions, 34 deletions

diff --git a/spamassassin/default/spamass-milter b/spamassassin/default/spamass-milter
new file mode 100644
index 0000000..aacf2de
--- /dev/null
+++ b/spamassassin/default/spamass-milter
@@ -0,0 +1,31 @@
+# spamass-milt startup defaults
+
+# OPTIONS are passed directly to spamass-milter.
+# man spamass-milter for details
+
+# Non-standard configuration notes:
+# See README.Debian if you use the -x option with sendmail
+# You should not pass the -d option in OPTIONS; use SOCKET for that.
+
+# Default, use the spamass-milter user as the default user, ignore
+# messages from localhost
+OPTIONS="-u spamass-milter"
+
+# Reject emails with spamassassin scores > 10.
+OPTIONS="${OPTIONS} -r 10"
+
+# Do not modify Subject:, Content-Type: or body.
+#OPTIONS="${OPTIONS} -m"
+
+# Use UNIX socket
+OPTIONS="${OPTIONS} -- --socket=/var/run/spamassassin/spamd.sock"
+
+######################################
+# If /usr/sbin/postfix is executable, the following are set by
+# default. You can override them by uncommenting and changing them
+# here.
+######################################
+# SOCKET="/var/spool/postfix/spamass/spamass.sock"
+# SOCKETOWNER="postfix:postfix"
+# SOCKETMODE="0660"
+######################################
diff --git a/spamassassin/default/spamass-milter.diff b/spamassassin/default/spamass-milter.diff
new file mode 100644
index 0000000..aab7c18
--- /dev/null
+++ b/spamassassin/default/spamass-milter.diff
@@ -0,0 +1,23 @@
+--- spamass-milter.orig	2015-08-07 04:59:17.000000000 +0200
++++ spamass-milter	2016-10-24 22:36:41.000000000 +0200
+@@ -9,14 +9,17 @@
+ 
+ # Default, use the spamass-milter user as the default user, ignore
+ # messages from localhost
+-OPTIONS="-u spamass-milter -i 127.0.0.1"
++OPTIONS="-u spamass-milter"
+ 
+-# Reject emails with spamassassin scores > 15.
+-#OPTIONS="${OPTIONS} -r 15"
++# Reject emails with spamassassin scores > 10.
++OPTIONS="${OPTIONS} -r 10"
+ 
+ # Do not modify Subject:, Content-Type: or body.
+ #OPTIONS="${OPTIONS} -m"
+ 
++# Use UNIX socket
++OPTIONS="${OPTIONS} -- --socket=/var/run/spamassassin/spamd.sock"
++
+ ######################################
+ # If /usr/sbin/postfix is executable, the following are set by
+ # default. You can override them by uncommenting and changing them
diff --git a/spamassassin/default/spamassassin b/spamassassin/default/spamassassin
new file mode 100644
index 0000000..561380f
--- /dev/null
+++ b/spamassassin/default/spamassassin
@@ -0,0 +1,34 @@
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# If you're using systemd (default for jessie), the ENABLED setting is
+# not used. Instead, enable spamd by issuing:
+# systemctl enable spamassassin.service
+# Change to "1" to enable spamd on systems using sysvinit:
+ENABLED=0
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u debian-spamd -g debian-spamd --nouser-config --listen /var/run/spamassassin/spamd.sock --socketowner debian-spamd --socketgroup debian-spamd --socketmode 0660"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Otherwise, the init script will not be able to shut spamd down.
+PIDFILE="/var/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1
diff --git a/spamassassin/default/spamassassin.diff b/spamassassin/default/spamassassin.diff
new file mode 100644
index 0000000..960310e
--- /dev/null
+++ b/spamassassin/default/spamassassin.diff
@@ -0,0 +1,17 @@
+--- spamassassin.orig	2014-10-14 06:21:29.000000000 +0200
++++ spamassassin	2016-10-24 21:10:39.000000000 +0200
+@@ -17,7 +17,7 @@
+ # make sure --max-children is not set to anything higher than 5,
+ # unless you know what you're doing.
+ 
+-OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
++OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u debian-spamd -g debian-spamd --nouser-config --listen /var/run/spamassassin/spamd.sock --socketowner debian-spamd --socketgroup debian-spamd --socketmode 0660"
+ 
+ # Pid file
+ # Where should spamd write its PID to file? If you use the -u or
+@@ -31,4 +31,4 @@
+ # Cronjob
+ # Set to anything but 0 to enable the cron job to automatically update
+ # spamassassin's rules on a nightly basis
+-CRON=0
++CRON=1
diff --git a/spamassassin/init.sh b/spamassassin/init.sh
new file mode 100755
index 0000000..431e66e
--- /dev/null
+++ b/spamassassin/init.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p /var/run/spamassassin
+chown debian-spamd: /var/run/spamassassin
+
+adduser spamass-milter debian-spamd || true
diff --git a/spamassassin/local.cf b/spamassassin/local.cf
index 1d65b9e..b6b9af0 100644
--- a/spamassassin/local.cf
+++ b/spamassassin/local.cf
@@ -1,44 +1,88 @@
-# Add your own customisations to this file.  See 'man Mail::SpamAssassin::Conf'
-# for details of what can be tweaked.
-# 
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+#
+# rewrite_header Subject *****SPAM*****
+
+
+#   Save spam messages as a message/rfc822 MIME attachment instead of
+#   modifying the original message (0: off, 2: use text/plain instead)
+#
+# report_safe 1
+
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+#   Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
 
-# Revert CHARSET_FARAWAY scores to upsream default
-score CHARSET_FARAWAY                0.80
-score CHARSET_FARAWAY_BODY           2.06
-score CHARSET_FARAWAY_HEADERS        1.00
 
-# Lower Razor score (from 3.0) to let more mailinglist mail through
-score RAZOR_CHECK		     2.0
+#   Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 3.0
 
-# The below was found at http://flakshack.com/anti-spam/wiki/index.php?page=Debian
 
-report_safe 0
+#   Use Bayesian classifier (default: 1)
+#
+# use_bayes 1
+
+
+#   Bayesian classifier auto-learning (default: 1)
+#
+# bayes_auto_learn 1
+
+
+#   Set headers which may provide inappropriate cues to the Bayesian
+#   classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST       on
+# shortcircuit USER_IN_DEF_WHITELIST   on
+# shortcircuit USER_IN_ALL_SPAM_TO     on
+# shortcircuit SUBJECT_IN_WHITELIST    on
 
-use_bayes 1
-bayes_path /var/lib/amavis/.spamassassin/bayes_seen
+#   the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST       on
+# shortcircuit USER_IN_BLACKLIST_TO    on
+# shortcircuit SUBJECT_IN_BLACKLIST    on
 
-skip_rbl_checks 0
-use_razor2 1
-use_dcc 1
-use_pyzor 1
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED             on
 
-dns_available yes
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
 
-header LOCAL_RCVD Received =~ /.*\(\S+\.mydomain\.bogus\s+\[.*\]\)/
-describe LOCAL_RCVD Received from local machine
-score LOCAL_RCVD -50
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
 
-## Optional Score Increases
-score DCC_CHECK 4.000
-score SPF_FAIL 10.000
-score SPF_HELO_FAIL 10.000
-score RAZOR2_CHECK 2.500
-score BAYES_99 4.300
-score BAYES_90 3.500
-score BAYES_80 3.000
+use_bayes 0
 
-# Added by jsu2
-# refer to http://flakshack.com/anti-spam/wiki/index.php?page=Testing
-body LOCAL_TEST1 /myspamtest12341234/
-describe LOCAL_TEST1 This is a unique phrase to trigger a positive score
-score LOCAL_TEST1 50
+dns_query_restriction deny barracudacentral.org
diff --git a/spamassassin/local.cf.diff b/spamassassin/local.cf.diff
new file mode 100644
index 0000000..44f7324
--- /dev/null
+++ b/spamassassin/local.cf.diff
@@ -0,0 +1,19 @@
+--- local.cf.orig	2014-10-14 06:23:36.000000000 +0200
++++ local.cf	2016-10-24 23:17:21.000000000 +0200
+@@ -31,7 +31,7 @@
+ 
+ #   Set the threshold at which a message is considered spam (default: 5.0)
+ #
+-# required_score 5.0
++required_score 3.0
+ 
+ 
+ #   Use Bayesian classifier (default: 1)
+@@ -82,3 +82,7 @@
+ # shortcircuit BAYES_00                ham
+ 
+ endif # Mail::SpamAssassin::Plugin::Shortcircuit
++
++use_bayes 0
++
++dns_query_restriction deny barracudacentral.org
diff --git a/spamassassin/v320.pre b/spamassassin/v320.pre
new file mode 100644
index 0000000..1b2a961
--- /dev/null
+++ b/spamassassin/v320.pre
@@ -0,0 +1,64 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.2.0,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+
+# Check - Provides main check functionality
+#
+loadplugin Mail::SpamAssassin::Plugin::Check
+
+# HTTPSMismatch - find URI mismatches between href and anchor text
+#
+loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
+
+# URIDetail - test URIs using detailed URI information
+#
+loadplugin Mail::SpamAssassin::Plugin::URIDetail
+
+# Shortcircuit - stop evaluation early if high-accuracy rules fire
+# 
+# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
+
+# Plugins which used to be EvalTests.pm
+# broken out into separate plugins
+loadplugin Mail::SpamAssassin::Plugin::Bayes
+loadplugin Mail::SpamAssassin::Plugin::BodyEval
+loadplugin Mail::SpamAssassin::Plugin::DNSEval
+loadplugin Mail::SpamAssassin::Plugin::HTMLEval
+loadplugin Mail::SpamAssassin::Plugin::HeaderEval
+loadplugin Mail::SpamAssassin::Plugin::MIMEEval
+loadplugin Mail::SpamAssassin::Plugin::RelayEval
+loadplugin Mail::SpamAssassin::Plugin::URIEval
+loadplugin Mail::SpamAssassin::Plugin::WLBLEval
+
+# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
+#
+loadplugin Mail::SpamAssassin::Plugin::VBounce
+
+# Rule2XSBody - speedup by compilation of ruleset to native code
+#
+loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
+
+# ASN - Look up the Autonomous System Number of the connecting IP
+# and create a header containing ASN data for bayes tokenization.
+# See plugin's POD docs for usage info.
+#
+loadplugin Mail::SpamAssassin::Plugin::ASN
+
+# ImageInfo - rules to match metadata of image attachments
+#
+loadplugin Mail::SpamAssassin::Plugin::ImageInfo
+
diff --git a/spamassassin/v320.pre.diff b/spamassassin/v320.pre.diff
new file mode 100644
index 0000000..07d973f
--- /dev/null
+++ b/spamassassin/v320.pre.diff
@@ -0,0 +1,18 @@
+--- v320.pre.orig	2012-08-14 07:32:06.000000000 +0200
++++ v320.pre	2008-11-28 13:52:06.000000000 +0100
+@@ -50,13 +50,13 @@
+ 
+ # Rule2XSBody - speedup by compilation of ruleset to native code
+ #
+-# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
++loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
+ 
+ # ASN - Look up the Autonomous System Number of the connecting IP
+ # and create a header containing ASN data for bayes tokenization.
+ # See plugin's POD docs for usage info.
+ #
+-# loadplugin Mail::SpamAssassin::Plugin::ASN
++loadplugin Mail::SpamAssassin::Plugin::ASN
+ 
+ # ImageInfo - rules to match metadata of image attachments
+ #
diff --git a/spamassassin/v341.pre b/spamassassin/v341.pre
new file mode 100644
index 0000000..37723cb
--- /dev/null
+++ b/spamassassin/v341.pre
@@ -0,0 +1,28 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 3.4.1,
+# and contains plugin loading commands for the new plugins added in that
+# release.  It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read.  Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read.  As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+
+# TxRep - Reputation database that replaces AWL
+loadplugin Mail::SpamAssassin::Plugin::TxRep
+
+# URILocalBL - Provides ISP and Country code based filtering as well as
+# quick IP based blocks without a full RBL implementation - Bug 7060
+
+# loadplugin Mail::SpamAssassin::Plugin::URILocalBL
+
+# PDFInfo - Use several methods to detect a PDF file's ham/spam traits
+# loadplugin Mail::SpamAssassin::Plugin::PDFInfo
diff --git a/spamassassin/v341.pre.diff b/spamassassin/v341.pre.diff
new file mode 100644
index 0000000..63643a1
--- /dev/null
+++ b/spamassassin/v341.pre.diff
@@ -0,0 +1,11 @@
+--- v341.pre.orig	2016-10-24 21:29:11.000000000 +0200
++++ v341.pre	2016-10-24 22:57:05.000000000 +0200
+@@ -17,7 +17,7 @@
+ ###########################################################################
+ 
+ # TxRep - Reputation database that replaces AWL
+-# loadplugin Mail::SpamAssassin::Plugin::TxRep
++loadplugin Mail::SpamAssassin::Plugin::TxRep
+ 
+ # URILocalBL - Provides ISP and Country code based filtering as well as
+ # quick IP based blocks without a full RBL implementation - Bug 7060