SpamAssassin Channel


Over the years I’ve compiled a collection of rules to improve the effectiveness of SpamAssassin for stopping spam leaking into my servers. This post summarizes the steps required to add my channel to your SpamAssassin setup.

What’s a channel anyway?

Channels are a way to ship updates to the SpamAssassin rules so that as spam evolves, your defenses follow. There’s a large population of volunteers that write new rules to keep up with the latest in spam. This is an important effort which results in a powerful filter that will easily get rid of around 90% of your spam out of the box. That remaining 10% or so is a much harder problem because spammers are pervasive.

Some spammers operate within a defined region, so anti-spam researchers elsewhere may never see samples with which to tune specific rules. Rule authors also have a limited time budget, so they work on the spam flows that interest them, for whatever reason. Together these factors create that 10% gap.

The channel mechanism lets rule authors publish custom sets of rules for SpamAssassin easily. Rules are downloaded only when a new version is available, and each update is cryptographically signed, so sa-update can detect and reject contents that were tampered with in transit or on a mirror.

Enabling my channel in your configuration

Below, I’ll go through the steps required to get my channel — https://sa.lem.link/ — working with a standard installation of SpamAssassin in Debian Linux. The steps should be similar for other distributions.

To start, you need the channel's GPG public key in your sa-update keyring. The channel contents are signed with this key, and sa-update refuses to install an update whose signature does not verify against a trusted key. Follow these steps to import the key into the sa-update keyring.

wget --quiet https://sa.lem.link/GPG.KEY
sudo sa-update --import GPG.KEY

The first command fetches the GPG public key that sa-update uses to verify the channel contents before installing them. The second imports the downloaded key into the sa-update keyring. If all goes well, neither command prints anything. Note that the key file comes from the same server as the rules, so an HTTPS download by itself does not establish trust in it: compare the key's fingerprint with the one passed to --gpgkey in the next step before you import it.

The next step is to run the channel update once by hand, with debugging enabled, to confirm that the whole process works. Note the --gpgkey option: it names the fingerprint of the key you just imported and tells sa-update to accept channel updates signed by it.

sudo sa-update -D --gpgkey 278F00292AF72510DAFE5937C6704A0D241CA52B --channel sa.lem.link
Dec  9 01:17:30.866 [10846] dbg: gpg: adding key id 278F00292AF72510DAFE5937C6704A0D241CA52B
Dec  9 01:17:30.882 [10846] dbg: channel: attempting channel sa.lem.link
Dec  9 01:17:31.166 [10846] dbg: channel: reading MIRRORED.BY file /var/lib/spamassassin/3.004001/sa_lem_link/MIRRORED.BY
Dec  9 01:17:31.166 [10846] dbg: channel: parsing MIRRORED.BY file for channel sa.lem.link
Dec  9 01:17:31.166 [10846] dbg: channel: found mirror https://sa.lem.link/ weight=100
Dec  9 01:17:31.166 [10846] dbg: channel: selected mirror https://sa.lem.link
Dec  9 01:17:31.167 [10846] dbg: http: url: https://sa.lem.link/1544344964.tar.gz
Dec  9 01:17:32.494 [10846] dbg: gpg: gpg: Good signature from "SA update channel sa.lem.link <sa-updates@lem.link>" [ultimate]
Dec  9 01:17:32.597 [10846] dbg: diag: updates complete, exiting with code 0

These lines show the GPG key id being added to the set of acceptable signing keys, a mirror being selected from the MIRRORED.BY file, the channel archive being downloaded, the GPG signature being verified ("Good signature") and finally the update completing with exit code 0. The -D flag produces copious diagnostic output, which is exactly what you want if something fails: look for firewall rules blocking the download or for file permission problems under /var/lib/spamassassin.

If all went well, your SpamAssassin installation now has the sa.lem.link channel rules in its local rule directory. Restart whichever daemon loads SpamAssassin for you, spamd or amavisd-new being the two most common ways to run it as a persistent process, so that the new rules are actually read.

All that’s left to do is to ensure the channel rules will be checked periodically. I’ve prepared a skeleton crontab(5) file to ease this task. Simply download this to your cron(8) directory as follows:

sudo wget -O /etc/cron.d/sa-lem-link-channel https://sa.lem.link/sa-lem-link.crontab

After the file is in place, use your favorite text editor to uncomment or tweak the file, so as to restart the right service after updating the channel.

sudo emacs /etc/cron.d/sa-lem-link-channel
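The whole procedure above, pinned key import, channel update and conditional reload, collected into one script, as an added example that is not the channel author's crontab or any code from the original post. It assumes the Debian paths shown in the log output, the fingerprint quoted with --gpgkey above, gpg 2.1 or later, and a systemd unit named spamassassin for spamd (use amavis instead if you run amavisd-new); the script name and the cron schedule in the comment are illustrative.

```bash
#!/bin/sh
# Added example, not the channel's own crontab. Usage:
#   sa-lem-link-update import   # fetch the key, verify its fingerprint, import it
#   sa-lem-link-update update   # run sa-update and reload spamd only if rules changed
# Suggested /etc/cron.d entry (every six hours, off the hour boundary; the
# random sleep below spreads the load further):
#   17 */6 * * *  root  /usr/local/sbin/sa-lem-link-update update
set -eu

CHANNEL="sa.lem.link"
KEY_URL="https://sa.lem.link/GPG.KEY"
# Fingerprint from the post. Pinning it here is the point of the script:
# the key file comes from the same host as the rules, so downloading it
# over HTTPS alone proves nothing about who controls the channel.
EXPECTED_FPR="278F00292AF72510DAFE5937C6704A0D241CA52B"
SERVICE="spamassassin"   # assumption: Debian's spamd unit; "amavis" for amavisd-new

# Read `gpg --with-colons` output on stdin and print the fingerprint of the
# first primary key (the "fpr" record that follows the "pub" record; field 10).
primary_fingerprint() {
    awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Compare a fingerprint against the pinned value, ignoring case and spaces.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$EXPECTED_FPR" ]
}

# Map sa-update's exit status to the action cron should take:
# 0 = rules updated, 1 = no update available, 2/3 = lint failed, 4+ = error.
action_for_status() {
    case "$1" in
        0) echo reload ;;
        1) echo nothing ;;
        2|3) echo lint-failed ;;
        *) echo error ;;
    esac
}

import_key() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    wget --quiet -O "$tmp" "$KEY_URL"
    # show-only lists the key file without importing it (gpg >= 2.1)
    fpr=$(gpg --batch --with-colons --import-options show-only --import "$tmp" | primary_fingerprint)
    if ! fingerprint_matches "$fpr"; then
        echo "refusing to import key: fingerprint '$fpr' does not match pinned $EXPECTED_FPR" >&2
        return 1
    fi
    sa-update --import "$tmp"
}

update_rules() {
    # Random delay of up to 30 minutes so every host does not hit the
    # mirror at the same instant (the post asks for this).
    sleep $(( $(od -An -N2 -tu2 /dev/urandom) % 1800 ))
    set +e
    sa-update --gpgkey "$EXPECTED_FPR" --channel "$CHANNEL"
    status=$?
    set -e
    case "$(action_for_status "$status")" in
        reload)  systemctl reload "$SERVICE" ;;
        nothing) ;;
        *) echo "sa-update for $CHANNEL failed with status $status" >&2; return "$status" ;;
    esac
}

# Only act when given a subcommand, so sourcing the file defines the functions
# without touching the network or the keyring.
case "${1:-}" in
    import) import_key ;;
    update) update_rules ;;
esac
```

Reloading only on exit status 0 matters for two reasons: a reload on every run would churn spamd needlessly, and a lint failure (status 2 or 3) means the new rules were not installed, so restarting would change nothing while hiding the error from your logs.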

Using this channel

I’m releasing these rules for others to use. Your results will of course vary — and this is a great place to insert the usual disclaimers about not being responsible for whatever happens as a consequence of you using this channel. I’m providing these rules as they are. They work for me and the sites where I use them. That said, I’ll of course be happy to review the rules and make additions.

Please do not run sa-update against this channel more than once every two hours, and do not schedule it on an exact minute or hour boundary, when everybody else's cron jobs fire too. The crontab(5) file I provide includes a randomized sleep for exactly this reason, to keep every installation from fetching updates at the same moment.

Of note, I'm trying to normalize the rules for an environment where the spam threshold is set between 5 and 6.5 points. If your threshold is lower, you'll likely find the rules too aggressive; a lower threshold also means you are already accepting a higher false positive rate.