Editors: KeysCapt, Steve
Last modified on 2012-05-15 08:37:32

8. Spam Assassin

Each incoming e-mail is scanned for signs that it may be spam, and if it is determined that it's likely to be spam, it is altered to clearly reflect this, so that you -- the user -- can decide whether to delete or keep it.

The spam-identification tactics used by Spam Assassin include:

Header analysis: spammers use a number of tricks to mask their identities, fool you into thinking they've sent a valid mail, or fool you into thinking you must have subscribed at some stage. SpamAssassin tries to spot these.

Text analysis: again, spam mails often have a characteristic style (to put it politely), and some characteristic disclaimers and CYA text. SpamAssassin can spot these, too.

Blacklists: SpamAssassin supports many useful existing blacklists, such as mail-abuse.org, ordb.org or others.

Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it.

Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application.

SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. It accomplishes filtering without this knowledge, as much as possible.

Features:

Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.

Free software: it is distributed under the same terms and conditions as Perl itself.

Easy to extend: Rules, weights and user-visible text are stored in text configuration files as much as possible, which the user (or sysadmin) can edit to modify or add new rules.

Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API. As a result, it's not limited to the traditional local-delivery-to-spool case; using the Mail::SpamAssassin classes, it can be used in a wide variety of setups. This means that SpamAssassin support is available for a variety of mail systems -- traditional procmail, a Mail::Audit plugin, qmail, MIMEDefang, Postfix, and many others.


by KeysCapt
last modified: 2002-12-19 14:57:37

Think of a "white list" as a list of good guys, whose email you always want to receive.

You should whitelist the e-mail addresses of well-known legitimate senders to avoid the chance of them being mis-identified by the SpamAssassin default rules.

For example:

whitelist_from director_8345@hotmail.com # whitelist one specific sender
whitelist_from *@advosys.ca # whitelist an entire domain
whitelist_from *@securityfocus.com # whitelist an entire domain



by KeysCapt

It's to your benefit to add to both your white list and black list, based upon your experience with the email you receive.

For example, SpamAssassin might mark a newsletter that you receive as spam, so if you want to continue to receive that newsletter, just add the "From" address of that newsletter to your whitelist box.

Or SpamAssassin might prove to be too sensitive, so you can increase the score a bit more (the default setting is "5").

Or you might discover that one of the tests (like, "contains html" - normally a good spam sign) isn't too good for your situation because all these girls keep sending you html love notes in different colors as email, and SpamAssassin marks these as 'sex spam', so you can find the name of the test that is adding to the score, and adjust that score entry specifically to be zero.


by KeysCapt

Checking this box enables the Spam Assassin filter to make changes to the headers of your email that it has tagged as spam. This, in turn, enables your email program to filter these tagged messages into a trash bin or other destination so you won't have to look at them.

Set your email program options to filter on
X-Spam-Status: Yes
or a Subject of
****SPAM****.

subject_tag:
When "rewrite_subject" is on, the subject stamp is *****SPAM*****.
This can be used to change it if you desire.
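The header that the filter rule above keys on also carries the score and the names of the tests that fired, which is where you find the test name to adjust. The following is an added example, not part of the original FAQ: the sample message is constructed, and the function names and the `my_threshold` parameter are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message (not real mail); note the folded header lines.
SAMPLE = """\
From: newsletter@example.org
Subject: *****SPAM***** Weekly digest
X-Spam-Status: Yes, hits=6.1 required=5.0
\ttests=HTML_MESSAGE,MIME_HTML_ONLY,
\tSUBJ_ALL_CAPS version=2.43

Hello subscriber
"""

def parse_spam_status(raw_message):
    """Return verdict, score, threshold and test names, or None if untagged."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    verdict, _, rest = value.partition(",")
    rest = re.sub(r",\s+", ",", rest)   # rejoin a test list folded across lines
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    tests = fields.get("tests", "none")
    # SpamAssassin 2.x writes hits=, 3.x writes score=
    score = fields.get("score", fields.get("hits"))
    return {
        "is_spam": verdict.strip().lower() == "yes",
        "score": float(score) if score is not None else None,
        "required": float(fields["required"]) if "required" in fields else None,
        "tests": [] if tests == "none" else tests.split(","),
    }

def file_as_spam(raw_message, my_threshold=None):
    """Client-side rule: trust the server verdict, or apply a stricter local threshold."""
    status = parse_spam_status(raw_message)
    if status is None:
        return False                     # never tagged, leave it in the inbox
    if my_threshold is not None and status["score"] is not None:
        return status["score"] >= my_threshold
    return status["is_spam"]

if __name__ == "__main__":
    print(parse_spam_status(SAMPLE))
    print(file_as_spam(SAMPLE), file_as_spam(SAMPLE, my_threshold=8.0))
```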


by KeysCapt
last modified: 2002-12-19 14:54:29

These are primarily carry-overs from earlier versions, and can probably be left as is for best results.

by KeysCapt

What is Vipul's Razor?

Vipul's Razor is what you now commonly know as SpamNet. For nearly two years, Razor has been successfully fighting spam with the help of the Unix community and is the technology that has enabled build its Windows counterpart, SpamNet, currently in use by more than 100,000 users.

Razor, or SpamNet, is a distributed, collaborative, spam detection and filtering network. It establishes a distributed and constantly updating catalogue of spam in propagation. This catalogue is used by clients to filter out known spam. Upon receiving a spam, a Reporting Agent (run by an end-user or a troll box) calculates and submits a 20-character unique identification of the spam (a SHA Digest) to its closest Catalogue Server. The Catalogue Server echoes this signature to other trusted servers after storing it in its database. Prior to manual processing or transport-level reception, Filtering Agents (end-users and MTAs) check their incoming mail against a Catalogue Server and filter out or deny transport in case of a signature match. Catalogued spam, once identified and reported by a Reporting Agent, can be blocked out by the rest of the Filtering Agents on the network.

Taken from SourceForge.


by KeysCapt

The opposite of a "white list", a "black list" is obviously a place to include those specific email addresses you want to omit, or mark as spam.

The format would be:
somebody@someISP.com
or,
a single name such as "joespammer"

This would apply to that user name at any domain.

You can also use wildcards in your blacklist entries, for those spammers who include random numbers in their alleged email addresses:

somebody000@spammer.net
would become
somebody*@spammer.net
WHEN ENTERING MULTIPLE ADDRESSES, LEAVE A SINGLE SPACE BETWEEN EACH ONE.


Including an address in your Blacklist doesn't mean that you will no longer receive email from that address, just that the email received from that address will now be tagged as spam.

You can make use of this by creating a rule in your email client. Go to the Mail Control from the top of the forum, then Settings, and click on the Anti-Spam Preferences. Check off "Re-write subject" in the mail handling panel, and leave the next box blank if you want to use the default.



Now make a rule in your email client that if ****SPAM**** is found in the Subject line then the message will be moved to your spam folder, or your folder of choice.

Now when you put an email address in your Blacklist, any email received from this address is tagged as spam and ends up in your spam folder.


by KeysCapt
last modified: 2005-01-22 15:15:28

Grey-listing tells newly seen emailers to "retry". They are not whitelisted until they come back with the same request, 300 or more seconds later. Spam delivery programs do not usually retry as it is expensive in CPU and disk resources for them to do so when they are delivering thousands of emails a minute. This should dramatically reduce the amount of spam.

Most spam is sent from infected home PCs in private homes. The spambots running on a PC do not have any logic for resending a failed message. These applications appear to adopt the "fire-and-forget" methodology. A decent mail server however, will try to deliver a message for at least three days.

Mail is transferred between mail servers using the SMTP protocol, defined in RFC 2821. During delivery the receiving server will respond with three-digit codes:

* 2xx means OK
* 4xx notifies that a temporary error has occurred. The sending server should retry delivering the message.
* 5xx is a permanent rejection, e.g. "user unknown". The sending server should give up on the message, reporting the failed delivery to the sender.

While a real mail server will retry after the reception of a 421-message, spammers will not!

The mail server will reject a message the first time it is seen. After 3 minutes a message from the same sender and host to a local user will be accepted. After this reception all further mails will be accepted with no further delay.
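The accept-or-defer decision described above, as an added example that is not code from the FAQ or from any particular mail server. The class and function names, the 451 reply text, the four-hour expiry of entries that never retry, and the sample delivery attempts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, try again later"   # assumed wording; any 4xx defers

@dataclass
class Greylist:
    delay: int = 300               # seconds before a retry is accepted
    retry_window: int = 4 * 3600   # assumption: forget senders that never retry
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    known: set = field(default_factory=set)       # triplets that retried correctly

    def check(self, host, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (host, sender.lower(), recipient.lower())
        if triplet in self.known:
            return "250 OK"                    # already proven, no further delay
        first = self.pending.get(triplet)
        if first is None or now - first > self.retry_window:
            self.pending[triplet] = now        # new or expired sender: start the clock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                    # retried before the delay elapsed
        del self.pending[triplet]
        self.known.add(triplet)
        return "250 OK"

# Constructed delivery attempts: (time, sending host, envelope sender, recipient)
ATTEMPTS = [
    (0,    "192.0.2.10",  "list@example.org",  "user@example.net"),  # real MTA, first try
    (5,    "203.0.113.7", "promo@example.com", "user@example.net"),  # never retries
    (120,  "192.0.2.10",  "list@example.org",  "user@example.net"),  # retry, too early
    (900,  "192.0.2.10",  "list@example.org",  "user@example.net"),  # retry after delay
    (1000, "192.0.2.10",  "list@example.org",  "user@example.net"),  # later mail
]

def replay(attempts, greylist=None):
    """Feed attempts through a greylist and return the reply code for each."""
    if greylist is None:
        greylist = Greylist()
    return [greylist.check(h, s, r, t)[:3] for t, h, s, r in attempts]

if __name__ == "__main__":
    for attempt, code in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt[0], attempt[1], code)
```

The sender that never retries only ever sees the temporary failure, while the retrying server is delayed once and then accepted immediately.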

There is more in-depth info at:
»projects.puremagic.com/greylisti···per.html


by KeysCapt
last modified: 2005-12-19 21:45:38

This refers to the number of items detected in an email message that match those set up in Spam Assassin before an item will be tagged as spam.

Normally, eight hits is a good target to use. Fewer than that risks normal email being tagged as spam when it isn't.

by KeysCapt
last modified: 2003-01-04 21:01:35

There is an extensive off-site FAQ listing all the tests that SpamAssassin performs here:
http://spamassassin.org/tests.html

by KeysCapt

If you receive email through DSLR and it contains SPAM that was caught by Spam Assassin and converted to an attachment, you may have difficulty seeing the original headers of the SPAM.

For some discussion of this situation, see this thread.

by KeysCapt