I have found that the following set of SpamAssassin custom scores on my email server work well when combined with SpamList running on a pfSense or OPNsense firewall.
score AC_FROM_MANY_DOTS 2
score ADMITS_SPAM 4
score AXB_X_FF_SEZ_S 4
score BODY_ENHANCEMENT 2
score BODY_ENHANCEMENT2 5
score DATE_IN_FUTURE_06_12 4
score DATE_IN_PAST_12_24 2
score DIET_1 2
score DKIM_ADSP_NXDOMAIN 2
score DKIMWL_WL_MED 0
score FREEMAIL_FORGED_REPLYTO 1
score FROM_FMBLA_NEWDOM 5
score FROM_FMBLA_NEWDOM28 4
score FSL_HELO_NON_FQDN_1 4
score FSL_THIS_IS_ADV 3
score FUZZY_SAVINGS 4
score GAPPY_SUBJECT 3
score HELO_DYNAMIC_IPADDR 3
score HTTPS_HTTP_MISMATCH 3
score LOTS_OF_MONEY 1
score MALFORMED_FREEMAIL 3
score MIME_QP_LONG_LINE 1
score MISSING_HEADERS 1
score MISSING_MID 2
score MONEY_FROM_41 2
score NO_DNS_FOR_FROM 3
score PLING_QUERY 3
score RCVD_DOUBLE_IP_SPAM 4
score RCVD_IN_BL_SPAMCOP_NET 4
score RCVD_IN_BRBL_LASTEXT 6
score RCVD_IN_DNSWL_HI 0
score RCVD_IN_MSPIKE_BL 4
score RCVD_IN_MSPIKE_H2 0
score RCVD_IN_MSPIKE_H5 0
score RCVD_IN_PSBL 4
score RCVD_IN_RP_RNBL 5
score RCVD_IN_SBL 3
score RCVD_IN_SBL_CSS 4
score RCVD_IN_SORBS_SOCKS 4
score RCVD_IN_SORBS_WEB 5
score RCVD_IN_VALIDITY_RPBL 2
score RCVD_IN_XBL 4
score RCVD_NUMERIC_HELO 2
score RDNS_NONE 5
score RDNS_DYNAMIC 4
score SERGIO_SUBJECT_PORN014 6
score SHORTENER_SHORT_SUBJ 4
score SPF_FAIL 4
score SPF_HELO_SOFTFAIL 1
score SPF_NEUTRAL 2
score SPF_SOFTFAIL 1
score T_DKIM_INVALID 5
score T_KAM_HTML_FONT_INVALID 1
score T_SPF_HELO_PERMERROR 3
score T_SPF_PERMERROR 6
score T_SPF_TEMPERROR 4
score TVD_RCVD_IP 3
score UNPARSEABLE_RELAY 2
score URI_WP_HACKED_2 4
score URIBL_ABUSE_SURBL 5
score URIBL_BLACK 3
score URIBL_DBL_ABUSE_SPAM 4
score URIBL_GREY 3
score URIBL_DBL_SPAM 5
score URIBL_SBL 2
score URIBL_SBL_A 2
score URIBL_JP_SURBL 6
score USER_IN_DEF_DKIM_WL 0
score USER_IN_DEF_SPF_WL 0
score WORD_INVIS 2
These scores are applied in /etc/spamassassin/local.cf after the required_score entry, which I have set to 2.0.
Note that these scores will block emails from servers that have configured SPF incorrectly. They will also block servers that do not have reverse DNS set up correctly, which eliminates most compromised machines that are being used to send out spam.
If you haven’t already seen it, you should check out the list of reasons why all spam filtering will fail. My personal favorite is, “Specifically, your plan fails to account for … willingness of users to install OS patches received by email.”