Over the years I’ve compiled a collection of rules to improve the effectiveness of SpamAssassin for stopping spam leaking into my servers. This post summarizes the steps required to add my channel to your SpamAssassin setup.
What’s a channel anyway?
Channels are a way to ship updates to the SpamAssassin rules so that as spam evolves, your defenses follow. There’s a large population of volunteers that write new rules to keep up with the latest in spam. This is an important effort which results in a powerful filter that will easily get rid of around 90% of your spam out of the box. That remaining 10% or so is a much harder problem because spammers are pervasive.
Some spammers operate within a defined region, so anti-spam researchers might not have access to spam samples with which to tune specific rules. Rule authors also have a time budget, so they choose to work on the spam flows that interest them, for whatever reason. These factors conspire to create that 10% gap.
The channel mechanism allows rule authors to publish custom sets of rules for SpamAssassin easily. Rules are downloaded only when needed, and their contents are cryptographically signed so that any tampering or other alteration is detected before the rules are installed.
Enabling my channel in your configuration
Below, I’ll go through the steps required to get my channel — https://sa.lem.link/ — working with a standard installation of SpamAssassin in Debian Linux. The steps should be similar for other distributions.
To start, you need to ensure you have the right GPG key in your installation. This key is used to sign the contents of the channel and guarantees that you’re not getting rules that have been tampered with. Follow these steps to get the new keys into the
Line 1 fetches the GPG public key which sa-update can use to verify the contents of the updates prior to installing them. Line 2 instructs sa-update to import the just-downloaded GPG key into the keyring. If all goes well, there won’t be any errors.
The next step is to test the channel updating process. This will show whether the update is working correctly. Note the use of --gpgkey to indicate that you trust the key — the one you just downloaded — to sign channel updates.
sudo sa-update -D --gpgkey 278F00292AF72510DAFE5937C6704A0D241CA52B --channel sa.lem.link
Dec 9 01:17:30.866  dbg: gpg: adding key id 278F00292AF72510DAFE5937C6704A0D241CA52B
Dec 9 01:17:30.882  dbg: channel: attempting channel sa.lem.link
Dec 9 01:17:31.166  dbg: channel: reading MIRRORED.BY file /var/lib/spamassassin/3.004001/sa_lem_link/MIRRORED.BY
Dec 9 01:17:31.166  dbg: channel: parsing MIRRORED.BY file for channel sa.lem.link
Dec 9 01:17:31.166  dbg: channel: found mirror https://sa.lem.link/ weight=100
Dec 9 01:17:31.166  dbg: channel: selected mirror https://sa.lem.link
Dec 9 01:17:31.167  dbg: http: url: https://sa.lem.link/1544344964.tar.gz
Dec 9 01:17:32.494  dbg: gpg: gpg: Good signature from "SA update channel sa.lem.link <firstname.lastname@example.org>" [ultimate]
Dec 9 01:17:32.597  dbg: diag: updates complete, exiting with code 0
These logs show how the GPG key id is added to the set of acceptable signature keys, a mirror is selected using the MIRRORED.BY file, the channel contents are downloaded, the GPG signature is verified and finally, the update is completed. With -D, sa-update emits copious amounts of diagnostic information. Be wary of firewall rules and file permissions that might be affecting your ability to download the channel update.
If all went well, your instance of SpamAssassin now has the sa.lem.link channel rules added to its local configuration. You can now restart SpamAssassin — either amavisd-new, the two most popular ways to use SpamAssassin as a persistent daemon.
All that’s left to do is to ensure the channel rules will be checked periodically. I’ve prepared a skeleton crontab(5) file to ease this task. Simply download this to your cron(8) directory as follows:
wget -O /etc/cron.d/sa-lem-link-channel https://sa.lem.link/sa-lem-link.crontab
After the file is in place, use your favorite text editor to uncomment or tweak the file, so as to restart the right service after updating the channel.
Using this channel
I’m releasing these rules for others to use. Your results will of course vary — and this is a great place to insert the usual disclaimers about not being responsible for whatever happens as a consequence of you using this channel. I’m providing these rules as they are. They work for me and the sites where I use them. That said, I’ll of course be happy to review the rules and make additions.
Please do not run sa-update on this channel more than once every two hours. Also stay away from the minute boundaries. The crontab(5) file I provide has a randomized sleep to prevent everybody from trying to fetch the updates at the same time.
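As an added example of the periodic-update step described above (this is my own illustration, not the crontab file distributed at https://sa.lem.link/), here is a small wrapper a cron job can call instead of running sa-update directly. It applies a randomized delay so fetches are spread out and avoid minute boundaries, pins the update to the channel key from the post, and restarts the daemon only when sa-update actually installed new rules. The key id and channel name are the ones given above; the service name, the size of the delay window and the script path in the sample crontab line are assumptions you would adjust for your site.

```shell
#!/bin/sh
# Added example, not the crontab file distributed at https://sa.lem.link/:
# a cron wrapper that fetches this channel after a random delay and restarts
# the daemon only when sa-update installed new rules. Key id and channel name
# come from the post; SERVICE, MAX_DELAY and the script path are assumptions.
set -u

CHANNEL="sa.lem.link"
GPGKEY="278F00292AF72510DAFE5937C6704A0D241CA52B"
SERVICE="${SA_SERVICE:-spamassassin}"   # assumed unit name; set SA_SERVICE=amavis if that is your daemon
MAX_DELAY=3600                           # spread fetches over up to an hour

# Uniform random delay in [0, max) seconds; awk keeps this portable to plain sh.
random_delay() {
    awk -v max="$1" 'BEGIN { srand(); print int(rand() * max) }'
}

# Map sa-update(1) exit codes to an action: 0 = an update was downloaded and
# installed, 1 = no fresh update available; anything else is an error
# (lint failure, missing channel, bad signature, download failure).
action_for_exit() {
    case "$1" in
        0) echo restart ;;
        1) echo noop ;;
        *) echo fail ;;
    esac
}

# The update command line, pinned to the key we trust to sign this channel.
update_command() {
    echo "sa-update --gpgkey $GPGKEY --channel $CHANNEL"
}

run_update() {
    sleep "$(random_delay "$MAX_DELAY")"
    sa-update --gpgkey "$GPGKEY" --channel "$CHANNEL"
    rc=$?
    case "$(action_for_exit "$rc")" in
        restart) systemctl restart "$SERVICE" ;;
        noop)    ;;
        fail)    logger -t sa-lem-link "sa-update failed with exit code $rc"
                 return "$rc" ;;
    esac
}

# Sample /etc/cron.d entry (assumed install path): every two hours, never more
# often, at a fixed minute plus the random delay applied inside run_update.
#   17 */2 * * * root /usr/local/sbin/sa-lem-link-update --run
if [ "${1:-}" = "--run" ]; then
    run_update
fi
```

Restarting only on exit code 0 matters for two reasons: it avoids bouncing the daemon every two hours when nothing changed, and a non-zero code other than 1 (for example a signature that did not verify against the pinned key) leaves the previously installed rules in place and is logged via syslog rather than silently swallowed.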
Of note, I’m trying to normalize the rules for an environment where the spam threshold is set between 5 and 6.5 points. If your threshold is lower, you’ll likely find the rules too aggressive — and likely, you’re already increasing your false positive rate.