Customising SpamAssassin

Written by Cian Davis

SpamAssassin is a very powerful tool and can be easily customised so that it catches what is spam and lets through what isn't. By combining it with procmail, you can automatically delete any e-mail that gets more than a certain SpamAssassin score. You need to read the Stopping Spam with Procmail & SpamAssassin guide before this one.

Custom SpamAssassin config

Each user has their own SpamAssassin configuration. It is stored in .spamassassin/ in your home directory. The main file in this directory is called user_prefs. This stores all your preferences - it lets you say which addresses are definitely OK and which are definitely spam, as well as reset the points each positive test gets.

This file and directory need to be readable by SpamAssassin. By default they are, but if you're having problems, issue these commands:

chmod 711 /mailconfig/$USER/.spamassassin
chmod 644 /mailconfig/$USER/.spamassassin/user_prefs

Addresses which are definitely not spam are whitelist addresses and those that are definitely spam are blacklist addresses. Both blacklist and whitelist entries can be either to or from. Only 1 wildcard can be used here, in the form of *@thisdomain.com - this means everyone at thisdomain.com. *@student.ul.ie would mean every student account in UL.

The most useful one is blacklist_from. Use this if you are getting spam from a particular address or domain. For instance, two viruses that generate e-mail to anyone they can find send their e-mails from fixed addresses: one from hahaha@sexyfun.net and the other from support@microsoft.com. You can blacklist these addresses by adding:

blacklist_from hahaha@sexyfun.net
blacklist_from support@microsoft.com

to your .spamassassin/user_prefs file.

The problem is that spammers rarely use the same from e-mail address all the time - however, they often use the same domain. attbi.com (AT&T Broadband) in the US went bust a while ago but spammers still generate e-mails from that domain because most people think that only legitimate e-mail comes from there. You can block this by adding:

blacklist_from *@attbi.com

to your .spamassassin/user_prefs file.

You do need to be careful though that no legitimate e-mail is coming from that domain. For instance, a huge amount of spam seems to come from *@hotmail.com but blacklist_from *@hotmail.com will also catch any of your friends that e-mail from hotmail.

blacklist_to can sometimes be useful. Spammers often send an e-mail to 10 skynet users at a time. If you notice that the only time you and joebloggs@skynet.ie receive the same e-mail is when it is spam, you can add:

blacklist_to joebloggs@skynet.ie

to your .spamassassin/user_prefs file.

whitelist works in the exact same way. It's a good idea to add friends as whitelist_from.

whitelist_from *@staffmail.ul.ie

is also a safe enough bet so that no e-mail from your lecturer gets eaten!

SpamAssassin works by running hundreds of tests on each e-mail, looking for characteristics of spam e-mails. A list of these tests is here. You might find that only spam triggers a certain test but SpamAssassin doesn't score it high enough for the e-mail to be marked as spam. A number of sites out there keep a look out for spam and supply spam addresses to anyone who wants them so they can stop spam. A few are called SBL, RFCI and OPM. If an e-mail hits one of these tests, it's a pretty good bet that it is spam. However, SpamAssassin doesn't give it many points by default. To reset this, add this to your .spamassassin/user_prefs file:

score RCVD_IN_RFCI 6

This will give 6 points to any e-mail that triggers that test. To find out what tests your e-mails are triggering, you need to view the full headers (if the e-mail is marked as spam by SpamAssassin, it will tell you what tests it triggered in the main body of the e-mail). To do this, press h in pine; click "View full header" in WebMail; open the e-mail in a new window in Outlook and click View -> Options; or click View -> Headers -> All in Mozilla/Netscape/Thunderbird. You are looking for lines like this:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on holly.csn.ul.ie
X-Spam-Status: Yes, hits=10.3 required=6.0 tests=HTML_50_60,
	HTML_IMAGE_ONLY_02,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,
	MANY_EXCLAMATIONS autolearn=no version=2.61
X-Spam-Level: **********

This tells us that SpamAssassin thinks it is spam, was checked by SpamAssassin version 2.61 and received 10.3 spam points (which is over the 6 required to be marked as spam) by testing positive for 5 tests. X-Spam-Level is the spam score with a * for each point - we will use this in a short while.

Using procmail to delete spam

So now we have SpamAssassin working how we want it. But do we really want to bother with e-mails that have 15 points from SpamAssassin? Chances are that anything with over 15 points is definitely spam. By using procmail, you can automatically delete it.

Procmail is configured by a file in your home directory called .procmailrc. Editing it to put spam recognised by SpamAssassin into a particular folder was covered in the Stopping Spam with Procmail & SpamAssassin guide.

First off, edit your .spamassassin/user_prefs file and add this line:

add_header all Level _STARS(*)_

SpamAssassin is likely not to add the stars header by default in the next version. It is this header we will use to catch the spam.

Now edit your /mailconfig/$USER/.procmailrc file and add the following:

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*
/dev/null

This is known as a procmail recipe. :0 tells procmail you are starting a recipe. * tells it you are starting a condition, i.e. something it has to look out for. ^X-Spam-Level: tells procmail to look for a line in the e-mail headers starting with X-Spam-Level. Since * is regarded as a wildcard (it usually means any number of the previous character, including 0), we need to use \* to tell procmail we mean a literal *. The .* at the end of the line means "and anything else after that": once we match the 15 stars, we don't care what comes after them. The third line is what procmail should do if it finds an e-mail with that header. We want it to be deleted, so we send it to the generic Linux rubbish bin - /dev/null.

WARNING!! Any e-mail that goes to /dev/null is not coming back! So check and make sure that the chances of legitimate e-mail getting high SpamAssassin scores are low - by resetting scores for the tests or whitelisting people. This is also why everything with 6 points isn't deleted: it means that you can check anything scoring between 6 and 15 spam points. Having said that, in the last 3 months, I have received 8803 e-mails. 4487 were identified by SpamAssassin and had over 12 points and were immediately deleted. No e-mail was incorrectly deleted. (Another 485 were put into my SPAM folder for me to check and about 10 of these were incorrectly marked as SPAM.)
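Because the /dev/null recipe cannot be undone, it is worth running its condition over mail you already have before enabling it. The following dry run is an added example, not part of the original guide: it applies the same test as the recipe (a header line starting with X-Spam-Level: and 15 literal stars, checked against the headers only and ignoring case, as procmail does by default) and reports anything from senders you know to be legitimate. The messages, addresses and function names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

STARS = 15  # same number of \* as in the recipe's condition

def would_delete(raw_message, stars=STARS):
    """True if the recipe's condition matches this message's header block."""
    headers = raw_message.split("\n\n", 1)[0]  # body lines are not examined
    rule = re.compile(r"^X-Spam-Level: " + r"\*" * stars, re.M | re.I)
    return rule.search(headers) is not None

def dry_run(messages, known_good):
    """Return (deleted, lost): subjects the recipe would discard, and the
    subset whose From address is in known_good (mail you wanted to keep)."""
    deleted, lost = [], []
    for raw in messages:
        if not would_delete(raw):
            continue
        msg = email.message_from_string(raw)
        deleted.append(msg["Subject"])
        if parseaddr(msg["From"])[1].lower() in known_good:
            lost.append(msg["Subject"])
    return deleted, lost

def make(sender, subject, level, body="body"):
    # Builds one constructed message carrying the given number of stars
    return (f"From: {sender}\nSubject: {subject}\n"
            f"X-Spam-Level: {'*' * level}\n\n{body}\n")

# Constructed sample mail (addresses and subjects are made up)
SAMPLE = [
    make("x@example.net", "score 17", 17),
    make("y@example.net", "score 14", 14),
    make("friend@example.org", "newsletter, score 15", 15),
    # Star line quoted in the body only: must not trigger the rule
    make("z@example.net", "quotes a header", 3,
         body="X-Spam-Level: " + "*" * 20),
]

if __name__ == "__main__":
    deleted, lost = dry_run(SAMPLE, {"friend@example.org"})
    print("would delete:", deleted)
    print("known-good senders hit:", lost)
```

Any entry in the second list is a sender to add as whitelist_from before the recipe goes live.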

 



Skynet - University of Limerick Computer Society
© 2009