Increasing SpamAssassin’s accuracy (4 tips)
SpamAssassin has become an extremely effective spam filtering solution and is currently the most accurate way to eliminate the majority of the spam coming into a corporate network. The catch is that it can be configured in many different ways, and depending on how you do it you can go from filtering 75% of your spam to filtering 99.9% of it. I’ve configured a fair number of SpamAssassin installations for a wide variety of organizations, and these are my tips for getting closer to 99.9%.
1. Keep up to date
The best tip I can give you for better results is to run a recent version of SpamAssassin. You don’t need bleeding edge, but make sure you aren’t running a version that is a year or two old, and update your installation every few months if you can. Each new release adds detection techniques and rules that cut out more spam. I’ve found that newer features such as the URIBL checks (which look up the domains of the URLs inside a message against DNS blocklists) can cut your false negatives down by 80%.
2. Use a third party ruleset
Spammers find ways around SpamAssassin’s base rules all the time, so the more rules you can add the better, as long as they are good rules: a badly written rule raises your false positive rate just as quickly as a good one lowers your false negatives, so test new rules against your own mail before they go live. SARE (the SpamAssassin Rules Emporium) is a great resource for a constantly updated set of third party rules; they are tested before release and greatly increase the accuracy of your filter. A script called RulesDuJour will download these rules for you and update your installation with the latest ruleset at a scheduled time every day. A constantly changing ruleset makes it much harder for the spammers to tune their mail to slip past your filter.
3. Train your Bayes engine
SpamAssassin comes with a Bayesian learning engine which uses statistical methods to classify a message as spam or ham (not spam). This engine is extremely accurate as long as it has been properly trained, and it does nothing until it has been: by default the BAYES_* rules stay silent until the database holds at least 200 learned spam and 200 learned ham messages (the bayes_min_spam_num and bayes_min_ham_num settings). To train it you provide messages that a human has reviewed and confirmed to be spam or ham. You can do this manually with the sa-learn command, but it is far more efficient to use a front end to SpamAssassin like Maia Mailguard. Maia keeps a copy of every message that passes through it, so when a message is filtered when it shouldn’t have been, or gets through when it should have been caught, you go back and mark it as spam or ham. That trains the Bayes engine, and similar messages will be filtered correctly in the future. I’ve only touched on the Bayes engine here, so read more about it online to find the best training method for your environment.
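Training by hand with sa-learn, plus the check I always run afterwards to see whether the database has actually reached the point where Bayes starts scoring. This is an added example, not code from the original post or from SpamAssassin itself; the folder paths are hypothetical, the sa-learn --dump magic output it parses is a constructed sample, and the live training function needs sa-learn on your PATH.

```sh
#!/bin/sh
# Added example, not from the original post: train SpamAssassin's Bayes
# database from folders of human-reviewed mail and check whether it has
# reached the point where the BAYES_* rules start scoring.
# Assumptions: one file per message under the (hypothetical) ham and spam
# directories passed to train_bayes, and sa-learn on PATH when it is called.

# Default bayes_min_spam_num / bayes_min_ham_num: Bayes stays silent until
# it has learned this many messages of each class.
MIN_SPAM=200
MIN_HAM=200

# Print "nspam nham" parsed from `sa-learn --dump magic` output ($1).
# The count is the third column of the "non-token data: nspam/nham" lines.
bayes_counts() {
    printf '%s\n' "$1" | awk '
        /non-token data: nspam/ { ns = $3 }
        /non-token data: nham/  { nh = $3 }
        END { printf "%d %d\n", ns, nh }'
}

# Succeed only when both counts meet the threshold.
bayes_ready() {
    set -- $(bayes_counts "$1")
    [ "$1" -ge "$MIN_SPAM" ] && [ "$2" -ge "$MIN_HAM" ]
}

# Learn reviewed mail from a ham directory ($1) and a spam directory ($2).
# --no-sync skips the journal flush on each run so the two passes are fast;
# a single --sync then commits both at once.
train_bayes() {
    ham_dir=$1
    spam_dir=$2
    sa-learn --no-sync --ham  "$ham_dir"  || return 1
    sa-learn --no-sync --spam "$spam_dir" || return 1
    sa-learn --sync || return 1
    magic=$(sa-learn --dump magic)
    if bayes_ready "$magic"; then
        echo "Bayes is active"
    else
        echo "Bayes still needs data: have $(bayes_counts "$magic"), need $MIN_SPAM spam and $MIN_HAM ham"
    fi
}

# Constructed sample of `sa-learn --dump magic` output (no live database is
# read): enough spam has been learned, but not enough ham.
SAMPLE_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0        321          0  non-token data: nspam
0.000          0        158          0  non-token data: nham
0.000          0      20431          0  non-token data: ntokens'

if bayes_ready "$SAMPLE_DUMP"; then
    echo "sample database: Bayes active"
else
    echo "sample database: Bayes inactive, counts $(bayes_counts "$SAMPLE_DUMP") (need $MIN_SPAM/$MIN_HAM)"
fi
```

Run train_bayes against your reviewed folders after each batch of corrections, and keep an eye on the nham side: most sites feed Bayes plenty of spam and forget that it needs an equally well reviewed pile of legitimate mail before it will score anything.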
4. Use the network-based spam detection methods
SpamAssassin can query several DNS blocklists and message-hash (checksum) services. The two I highly recommend are DCC and Razor, which compare a checksum of each message against what other sites have already reported as bulk mail; between them they increase the accuracy of your filter by another large margin. Support for both is built into SpamAssassin, but each needs its client software (the DCC client and razor-agents) installed before the checks start working, and the plugin has to be loaded: Razor2 is enabled in the stock .pre files, while the DCC loadplugin line ships commented out because of its licence and must be uncommented. Both also make outbound queries during scanning, so give them sane timeouts. A quick search online will turn up plenty of tutorials for getting them going.
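What turning the two checks on looks like, and the verification step I want before trusting them: a known spam sample goes through spamassassin and the X-Spam-Status header is checked for DCC_CHECK and RAZOR2_CHECK, because a missing client or a firewalled server fails quietly and you just lose the points. This is an added example, not code from the original post or from the SpamAssassin project; the /etc/mail/spamassassin path is an assumption, the header it parses is a constructed sample, and the live functions need spamassassin, razor-agents and the DCC client installed.

```sh
#!/bin/sh
# Added example, not from the original post: enable the Razor2 and DCC
# checks and verify that they fire on a message.
# Assumptions: config under /etc/mail/spamassassin (hypothetical; Debian
# uses /etc/spamassassin), razor-agents and the DCC client installed, and
# spamassassin(1) on PATH for the live steps. Editing the config needs root.

SA_CONF=${SA_CONF:-/etc/mail/spamassassin}

# Razor2's loadplugin line ships enabled, but DCC's is commented out in the
# stock v310.pre because of its licence, so uncomment it, then switch both
# checks on with short timeouts so an unreachable server cannot stall mail.
enable_network_checks() {
    sed -i 's/^# *\(loadplugin Mail::SpamAssassin::Plugin::DCC\)/\1/' "$SA_CONF/v310.pre"
    cat >> "$SA_CONF/local.cf" <<'EOF'
# network hash checks (tip 4)
use_razor2 1
use_dcc 1
razor_timeout 5
dcc_timeout 5
EOF
    spamassassin --lint    # rejects a broken config before it reaches production
}

# Print the rules that hit, one per line, from the X-Spam-Status header of a
# processed message (or of just the header). Folded continuation lines are
# rejoined first; SpamAssassin folds the rule list after a comma, so ", "
# becomes ",". Reading stops at the blank line that ends the headers.
rules_hit() {
    printf '%s\n' "$1" | awk '
        function emit(h,   n, parts, i) {
            if (h !~ /^X-Spam-Status:/) return
            gsub(/, /, ",", h)
            if (match(h, /tests=[^ ]*/)) {
                n = split(substr(h, RSTART + 6, RLENGTH - 6), parts, ",")
                for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            }
        }
        /^[ \t]/ { sub(/^[ \t]+/, ""); hdr = hdr " " $0; next }   # folded line
        /^$/     { if (hdr != "") emit(hdr); hdr = ""; exit }      # end of headers
        { if (hdr != "") emit(hdr); hdr = $0 }
        END { if (hdr != "") emit(hdr) }'
}

# Succeed only if both network checks scored.
network_checks_fired() {
    hits=$(rules_hit "$1")
    printf '%s\n' "$hits" | grep -qx DCC_CHECK &&
        printf '%s\n' "$hits" | grep -qx RAZOR2_CHECK
}

# Live check: run a known spam sample ($1) through with plugin debugging on.
# If a check is missing from the hit list, the debug log says why.
verify_live() {
    if network_checks_fired "$(spamassassin -D dcc,razor2 < "$1" 2>dcc-razor-debug.log)"; then
        echo "DCC and Razor both fired on $1"
    else
        echo "a network check did not fire on $1; see dcc-razor-debug.log" >&2
        return 1
    fi
}

# Constructed header in SpamAssassin 3.1 format (folded over three lines).
SAMPLE_STATUS='X-Spam-Status: Yes, score=11.2 required=5.0 tests=BAYES_99,DCC_CHECK,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_BLACK autolearn=spam
        version=3.1.7'

rules_hit "$SAMPLE_STATUS"
network_checks_fired "$SAMPLE_STATUS" && echo "both network checks fired on the sample"
```

The timeouts matter more than they look: DCC and Razor are consulted on every message, so a server that stops answering turns into a delivery delay of timeout seconds per message unless the values are kept short.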
Those are my big four tips. There is a lot of other tuning you can do, but if you do the above four things your accuracy should easily be above 98%. With this configuration I am currently seeing about 99.4% of spam detected and only about 0.01% false positives. If you have any other good SpamAssassin tips, please leave a comment.
Top 5 ways to get hacked
I’ve put this list together to help other IT professionals avoid the mistakes I’ve made and the mistakes I’ve seen others make. The tips apply to both corporate and home users, because both fall into the same traps. If you’re an IT administrator, read through the list and double check whether your network is vulnerable to any of them.
5. Doing day-to-day work as an administrator
Logging into your system as administrator or root just to check your email or surf the web is a very bad idea. You should only use administrative privileges when you actually need them; commands like su (or sudo) on *nix and runas on Windows give you admin rights for a single task and nothing more. If you’re logged in as an administrator, an attacker only has to send you a malicious email or lure you to a bad website, and whatever code runs does so with complete control over your system and maybe even your network.
4. Vulnerable email client
If your email client isn’t fully patched with the latest vendor security updates, you’re asking for a world of trouble. When someone can simply send you a message and have it execute whatever code they want as soon as it is previewed or opened, that is a bad thing! Patch your email client often, and if you use a common client like Microsoft Outlook, which attackers target precisely because it is common, it is even more important.
3. FTP server with simple account passwords
At one of the companies I used to work for, we ran a small web hosting server farm. The logs on those servers showed invalid FTP login attempts at least once a week (if not more often): an attacker would run through a few hundred common username/password combinations trying to get in. When they did get in, the usual result was several hidden directories full of movies, music and pirated software. Make sure your FTP server has no “default” accounts, that every account has a strong password, and watch your logs for bursts of failed logins from a single source, because that is exactly what these attacks look like.
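The detection logic for that pattern, run over log lines in vsftpd’s format: count FAIL LOGIN entries per client address, report the ones that cross a threshold, and show how many different usernames each one tried (a guessing attack walks a list of accounts; a user who forgot a password sticks to one). This is an added example, not code from the original post; the log lines are constructed, and the threshold is a starting point to tune.

```sh
#!/bin/sh
# Added example, not from the original post: spot password guessing against
# an FTP server in its log. The log lines below are constructed in vsftpd's
# format; adjust the "FAIL LOGIN" match for proftpd or pure-ftpd.

THRESHOLD=${THRESHOLD:-20}   # failures from one client before it is reported

# Print "<client ip> <failures> <distinct usernames tried>" for every client
# with at least THRESHOLD failed logins in log file $1, worst offender first.
ftp_bruteforcers() {
    awk -v min="$THRESHOLD" '
        / FAIL LOGIN: Client "/ {
            # locate the FAIL LOGIN: tokens; the [user] field precedes them
            # and the quoted client address follows "Client"
            for (f = 1; f <= NF; f++)
                if ($f == "FAIL" && $(f + 1) == "LOGIN:") break
            if (f > NF) next
            user = $(f - 1); gsub(/^\[/, "", user); gsub(/\]$/, "", user)
            ip = $(f + 3);   gsub(/"/, "", ip)
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%s %d %d\n", ip, fails[ip], users[ip]
        }' "$1" | sort -k2,2nr
}

# Constructed log: 203.0.113.5 walks a username list (24 failures over six
# accounts within a minute); 198.51.100.7 is a user who mistyped a password
# twice and then got in.
make_sample_log() {
    i=0
    for user in admin test ftp www root backup; do
        for n in 1 2 3 4; do
            i=$((i + 1))
            printf 'Mon Jan  2 10:%02d:%02d 2006 [pid %d] [%s] FAIL LOGIN: Client "203.0.113.5"\n' \
                $((i / 60)) $((i % 60)) $((4000 + i)) "$user"
        done
    done
    printf 'Mon Jan  2 11:05:10 2006 [pid 4100] [alice] FAIL LOGIN: Client "198.51.100.7"\n'
    printf 'Mon Jan  2 11:05:25 2006 [pid 4101] [alice] FAIL LOGIN: Client "198.51.100.7"\n'
    printf 'Mon Jan  2 11:05:41 2006 [pid 4102] [alice] OK LOGIN: Client "198.51.100.7"\n'
}

LOG=$(mktemp)
make_sample_log > "$LOG"
ftp_bruteforcers "$LOG"        # prints: 203.0.113.5 24 6
rm -f "$LOG"
```

Run it from cron against the previous day’s vsftpd.log and mail yourself the output; the distinct-username column is the quickest way to tell a scripted sweep from a colleague who cannot remember their password.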
2. Vulnerable web browser
Using an unpatched web browser is like leaving the keys to your parked car on the hood. Your car won’t necessarily be stolen, but the odds are good. The internet has become a breeding ground for spyware and viruses, and a large majority of spyware gets onto people’s systems through web browser vulnerabilities. Always download and install Firefox updates as they are released, visit Windows Update to patch Internet Explorer, or install all the security updates for whatever browser you do use.
1. Blank local administrator or root password
The number one easiest way to get hacked is to have a blank local administrator or root password on your system. It may seem obvious, but it is easily overlooked. I’ve seen a Citrix server hacked in less than a day after it went online with a blank local administrator password. It was missed because everyone logged into the system with domain accounts, and the manufacturer’s installation CD had left the local administrator password blank. Always double check that every account with access to your system has a reasonable password, and remember that local accounts exist whether or not anyone uses them. No system on your network should have a blank administrative password!
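The Unix half of that check, as an added example that is not from the original post: an account that can log in with no password at all has an empty second field in /etc/shadow, which is different from the “!” or “*” of a locked account. The shadow file it reads is a constructed sample; auditing the real one needs root, and a Windows local Administrator password has to be checked separately.

```sh
#!/bin/sh
# Added example, not from the original post: list local Unix accounts that
# can log in with no password. That is an empty second field in /etc/shadow;
# "!" or "*" there means the account is locked and is not a finding. The
# sample file is constructed. Reading the real /etc/shadow needs root, and a
# Windows local Administrator password has to be checked separately.

# Print, one per line, the accounts in shadow file $1 whose password field
# is empty.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed shadow file: root and guest are blank, daemon is locked,
# alice has a hash. Prints the temp file's path; the caller removes it.
sample_shadow_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root::13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:13000:0:99999:7:::
guest::13000:0:99999:7:::
EOF
    echo "$f"
}

f=$(sample_shadow_file)
echo "blank passwords in sample: $(blank_password_accounts "$f" | tr '\n' ' ')"
rm -f "$f"

# On a real host, run as root against the live file; any output is a finding.
if [ -r /etc/shadow ]; then
    blank_password_accounts /etc/shadow
fi
```

Add this to whatever script you run when a new box goes on the network; it would have caught the Citrix server above before an attacker did.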