Short version
Look at ~seligman/.spamassassin/user_prefs. Copy what's relevant to your own ~/.spamassassin/user_prefs and edit to suit your needs.
Details: See this page and/or the tips below.
You can skip this page if...
- If you're not comfortable logging into the Nevis Linux cluster and editing a file, then you won't be able to apply the following suggestions.
- If you don't use your mail account at Nevis, then nothing here applies to you directly.
- However, if there's any chance that someone might send email to your Nevis account, then there might be a reason to think about your SpamAssassin configuration.
- In particular, if your mail is forwarded via Nevis to some other account, then our SpamAssassin configuration will still be applied before the mail is forwarded.
Why bother?
Why should I bother configuring SpamAssassin on the Nevis mail server? The mail reader on my laptop (Thunderbird, Apple Mail, Outlook) already has a spam filter.
- Speed: The mail server is faster at processing your email than your laptop/desktop.
- Configuration: In general, SpamAssassin provides a greater level of control than your mail reader. (Boast: It certainly provides a greater level of control than Gmail or Columbia's LionMail.)
- Multiple devices: If you read your mail on different devices (e.g., your laptop, a desktop, your phone) then the SpamAssassin rules will apply to all your incoming mail. If you set up spam filtering on Thunderbird on your laptop, that will have no effect on mail you receive via the Mail app on your iPhone.
- Punishment: If SpamAssassin assigns an email message a score of 10 or more (the blacklist options below add 100.0 to the score), then our mail server doesn't even accept the email. It gets rejected with a "Blocked by SpamAssassin" error. It doesn't get stored on our mail server, which saves disk space and makes backups easier. (It becomes a problem for the mail server that sent it to us, but those are the breaks if one is a spam relay.)
Basic configuration
The key file is ~/.spamassassin/user_prefs. It's created for you automatically when you receive your first email at Nevis.
As noted above, a good starting point is ~seligman/.spamassassin/user_prefs. Here are a few common options:
- Assume uncleharry@gmail.com keeps forwarding you all the cool jokes he gets, and the Nevis mail server keeps flagging them as spam. You can prevent that happening by including the following line in ~/.spamassassin/user_prefs:
whitelist_from uncleharry@gmail.com
- You got spam from PamelaS@ecorp.com. You don't ever want to hear from this email address again. Include this in ~/.spamassassin/user_prefs:
blacklist_from PamelaS@ecorp.com
- It occurs to you that you don't want to hear from ecorp.com at all. Fortunately, the blacklist_from option accepts wildcards:
blacklist_from *@ecorp.com
- But the evil spammers at Ecorp are clever. They continue to send you spam from ecorp.org, ecorp.net, ecorp.us, ecorporation.com, and so on. So let's get more aggressive with our wildcards:
blacklist_from *@ecorp*.*
In fact, I usually don't wait for the situation to escalate. If I receive an email from gavin@nanotechconferences.org, I'm probably just going to add this to my ~/.spamassassin/user_prefs:
blacklist_from *@nanotech*.*
After all, a nanotech company has no reason to send me email, since I'm a computer systems administrator at a particle-physics lab. Indeed, every such email from a purported nanotech company or conference has been spam of one sort or another.
Advanced configuration
As the years have passed, the spammers have grown ever more evil. They register temporary domains like xyzzy123.com with dubious Internet providers, and generate appropriate SPF and DKIM keys to get through some of SpamAssassin's tests. I have occasionally found the need to write my own rules.
Here's an example: I started getting frequent solicitations to appear in something called "Who's Who of American Scientists". Apart from the fact that I have no business being listed in such a book, it was clear that this was a scam to get money from me. The emails came from a variety of source email addresses and with variations in the title in order to get through spam filters. A legitimate organization would have no reason to do this!
I started with this:
blacklist_from *@whoswho*.*
That should have been enough. But the spammers kept varying the "From" address, so I created a new SpamAssassin rule to scan the name of the sender in the "From" section of the email:
header FROM_WHOS_WHO From =~ /Who\'*s.*Who/
describe FROM_WHOS_WHO From used in spam messages
score FROM_WHOS_WHO 100.0
These options are described in more detail in the Mail::SpamAssassin::Conf man page. The most cryptic line, header, defines a Perl regular expression that matches "Whos Who", "Who's Who", "WhosWho", and other variations.
That was still not enough! I had to also scan the "Subject" header line to capture the rest of this spam:
header SUBJECT_WHOS_WHO Subject =~ /Who\'*s.*Who/
describe SUBJECT_WHOS_WHO Subject used in spam messages
score SUBJECT_WHOS_WHO 100.0
Finally, these scammers were blocked.
If you've gotten this far, your reaction probably is that this is a lot of work to block one spam source. Bear in mind that while it took a while for me to compose my first rule, all the rest are just copy/paste/edit of the basic formula. For example, when I started getting too many messages about bespoke suits made in Hong Kong from a "Sandy Hira", I just copied one of the above rules and edited it:
header FROM_TAILOR From =~ /Sandy.+Hira/i
describe FROM_TAILOR From used in spam messages
score FROM_TAILOR 100.0
The regular expression /Sandy.+Hira/i means a case-insensitive match (the final i) against "Sandy" followed by "Hira" with one or more of any character separating them.
It now takes me less than a minute to block messages about keto diets, biotech, solar panels, and reverse mortgages. I was even able to come up with a rule that blocked anything that mentioned vixra.org:
full BODY_VIXRA_LINK /http:\/\/.*vixra\.org/i
describe BODY_VIXRA_LINK No interest in vixra.org
score BODY_VIXRA_LINK 100.0
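
Because every rule above scores 100.0 against a rejection threshold of 10, one over-broad pattern is enough to bounce a legitimate message before it is ever stored. The following is an added example, not part of the original page and not SpamAssassin itself: a simplified Python model of blacklist_from globs and header rules that checks the page's patterns against constructed, legitimate-looking messages. The names parse_prefs, evaluate and SAMPLES, and all example.* addresses, are assumptions made for the illustration; Python's re stands in for Perl regular expressions, which behave the same for these patterns.

```python
import re
from email.utils import parseaddr

REJECT_AT = 10.0         # page: a score of 10 or more is rejected at the server
BLACKLIST_SCORE = 100.0  # page: blacklist_from adds 100.0 to the score

PREFS = r"""
blacklist_from *@ecorp*.*
header FROM_WHOS_WHO From =~ /Who\'*s.*Who/
score FROM_WHOS_WHO 100.0
header SUBJECT_WHOS_WHO Subject =~ /Who\'*s.*Who/
score SUBJECT_WHOS_WHO 100.0
header FROM_TAILOR From =~ /Sandy.+Hira/i
score FROM_TAILOR 100.0
"""  # rules copied from the page

# Constructed messages that are NOT spam but resemble the page's targets.
SAMPLES = [
    {"From": "Pat <pat@physics.example.edu>", "Subject": "Whose talk is first? Who chairs?"},
    {"From": "Sandy Hirano <shirano@lab.example.edu>", "Subject": "Beam time"},
    {"From": "Travel desk <desk@ecorporate-travel.example.org>", "Subject": "Itinerary"},
    {"From": "Uncle Harry <uncleharry@gmail.com>", "Subject": "Fwd: cool jokes"},
]

def parse_prefs(text):
    globs, rules, scores = [], {}, {}
    for line in text.splitlines():
        words = line.split() or [""]  # blank lines match no keyword
        if words[0] == "blacklist_from":  # globs: only * and ? are wildcards
            for g in words[1:]:
                pat = re.escape(g).replace(r"\*", ".*").replace(r"\?", ".")
                globs.append(re.compile(pat, re.I))
        elif words[0] == "score":
            scores[words[1]] = float(words[2])
        elif words[0] == "header":
            m = re.match(r"header\s+(\S+)\s+(\S+)\s*=~\s*/(.*)/(i?)\s*$", line)
            rules[m.group(1)] = (m.group(2), re.compile(m.group(3), re.I if m.group(4) else 0))
    return globs, rules, scores

def evaluate(headers, prefs=PREFS):
    """Return (score, rule hits, rejected?) for one message's header dict."""
    globs, rules, scores = parse_prefs(prefs)
    hits = []
    if any(g.fullmatch(parseaddr(headers.get("From", ""))[1]) for g in globs):
        hits.append("blacklist_from")
    hits += [n for n, (hdr, rx) in rules.items() if rx.search(headers.get(hdr, ""))]
    # A rule with no score line defaults to 1.0 in SpamAssassin.
    total = sum((BLACKLIST_SCORE if h == "blacklist_from" else scores.get(h, 1.0) for h in hits), 0.0)
    return total, hits, total >= REJECT_AT
```

Calling evaluate() on each SAMPLES entry shows the first three, none of them spam, reaching 100.0 and being rejected; a lower score for new rules lets such matches be tagged and reviewed rather than bounced.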