---+ Configuring [[https://spamassassin.apache.org/][SpamAssassin]] at Nevis

---++ Short version

Look at =~seligman/.spamassassin/user_prefs=. Copy what's relevant to your own =~/.spamassassin/user_prefs= and edit to suit your needs.

Details: See [[https://cwiki.apache.org/confluence/display/spamassassin/UsingSpamAssassin][this page]] and/or the tips below.

---++ You can skip this page if...

   * If you're not comfortable logging into the Nevis [[Linux cluster]] and editing a file, then you won't be able to apply the following suggestions.
   * If you don't use your mail account at Nevis, then nothing here applies to you directly.
      * _However_, if there's any chance that someone might send email to your Nevis account, then there might be a reason to think about your [[https://spamassassin.apache.org/][SpamAssassin]] configuration.
         * In particular, if your mail is forwarded via Nevis to some other account, then our !SpamAssassin configuration will still be applied before the mail is forwarded.

---++ Why bother?

_Why should I bother configuring !SpamAssassin on the Nevis mail server? The mail reader on my laptop ([[https://www.thunderbird.net/en-US/][Thunderbird]], [[https://support.apple.com/mail][Apple Mail]], [[https://products.office.com/en-us/outlook/][Outlook]]) already has a spam filter._

   * Speed: The mail server is faster at processing your email than your laptop/desktop.
   * Configuration: In general, !SpamAssassin provides a greater level of control than your mail reader. _(Boast: It certainly provides a greater level of control than Gmail or Columbia's !LionMail.)_
   * Punishment: If !SpamAssassin assigns an email message a [[https://250ok.com/knowledge-base/what-is-the-spamassassin-score/][score]] of 10 or more (the =blacklist= options below add 100.0 to the score), then our mail server doesn't even accept the email. It gets rejected with a ="Blocked by !SpamAssassin"= error. It doesn't get stored on our mail server, which saves disk space and makes backups easier. (It becomes a problem for the mail server that sent it to us, but those are the breaks if one is a spam relay.)

---++ Basic configuration

The key file is =~/.spamassassin/user_prefs=. It's created for you automatically when you receive your first email at Nevis. As noted above, a good starting point is =~seligman/.spamassassin/user_prefs=.

Here are a few common options:

   * Assume =uncleharry@gmail.com= keeps forwarding you all the cool jokes he gets, and the Nevis mail server keeps flagging them as spam. You can prevent that from happening by including the following line in =~/.spamassassin/user_prefs=:
<pre>
whitelist_from uncleharry@gmail.com
</pre>
   * You got spam from =PamelaS@ecorp.com=. You don't ever want to hear from this email address again. Include this in =~/.spamassassin/user_prefs=:
<pre>
blacklist_from PamelaS@ecorp.com
</pre>
   * It occurs to you that you don't want to hear from =ecorp.com= at all. Fortunately, the =blacklist_from= option accepts wildcards:
<pre>
blacklist_from *@ecorp.com
</pre>
   * But the evil spammers at Ecorp are clever. They continue to send you spam from =ecorp.org=, =ecorp.net=, =ecorp.us=, =ecorporation.com=, and so on. So let's get more aggressive with our wildcards:
<pre>
blacklist_from *@ecorp*.*
</pre>

In fact, I usually don't wait for the situation to escalate. If I receive an email from =gavin@nanotechconferences.org=, I'm probably just going to add this to my =~/.spamassassin/user_prefs=:
<pre>
blacklist_from *@nanotech*.*
</pre>

After all, a nanotech company has no reason to send me email, since I'm a computer systems administrator at a particle-physics lab. Indeed, every such email from a purported nanotech company or conference has been spam of one sort or another.

---++ Advanced configuration

As the years have passed, the spammers have grown ever more evil. They register temporary domains like =xyzzy123.com= with dubious Internet providers, and generate appropriate [[https://blog.returnpath.com/how-to-explain-spf-in-plain-english/][SPF]] and [[https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/][DKIM]] keys to get through some of !SpamAssassin's tests. I have occasionally found the need to write my own rules.

Here's an example: I started getting frequent solicitations to appear in something called "Who's Who of American Scientists". Apart from the fact that I have no business being listed in such a book, it was clear that this was a scam to get money from me. The emails came from a variety of source email addresses and with variations in the title in order to get through spam filters. A legitimate organization would have no reason to do this!

I started with this:
<pre>
blacklist_from *@whoswho*.*
</pre>

That should have been enough. But the spammers kept varying the "From" address, so I created a new !SpamAssassin rule to scan the name of the sender in the "From" section of the email:
<pre>
header   FROM_WHOS_WHO From =~ /Who\'*s.*Who/
describe FROM_WHOS_WHO From used in spam messages
score    FROM_WHOS_WHO 100.0
</pre>

These options are described in more detail in the [[http://www.nevis.columbia.edu/cgi-bin/man.sh?man=Mail::SpamAssassin::Conf][Mail::SpamAssassin::Conf]] man page. The most cryptic line, =header=, defines a [[https://www.geeksforgeeks.org/perl-regular-expressions/][Perl regular expression]] that matches "Whos Who", "Who's Who", "WhosWho", and other variations.

That was still not enough! I had to also scan the "Subject" header line to capture the rest of this spam:
<pre>
header   SUBJECT_WHOS_WHO Subject =~ /Who\'*s.*Who/
describe SUBJECT_WHOS_WHO Subject used in spam messages
score    SUBJECT_WHOS_WHO 100.0
</pre>

Finally, these scammers were blocked.

If you've gotten this far, your reaction probably is that this is a lot of work to block one spam source. Bear in mind that while it took a while for me to compose my first rule, all the rest are just copy/paste/edit of the basic formula. For example, when I started getting too many messages about bespoke suits made in Hong Kong from a "Sandy Hira", I just copied one of the above rules and edited it:
<pre>
header   FROM_TAILOR From =~ /Sandy.+Hira/i
describe FROM_TAILOR From used in spam messages
score    FROM_TAILOR 100.0
</pre>

The regular expression =/Sandy.+Hira/i= means a case-insensitive match (the final =i=) against "Sandy" followed by "Hira" with one or more of any character separating them.

It now takes me less than a minute to block messages about keto diets, biotech, solar panels, and reverse mortgages. I was even able to come up with a rule that blocked anything that mentioned =vixra.org=:
<pre>
full     BODY_VIXRA_LINK /http:\/\/.*vixra\.org/i
describe BODY_VIXRA_LINK No interest in vixra.org
score    BODY_VIXRA_LINK 100.0
</pre>
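An added example (not from the original page or the !SpamAssassin project): a Python sketch that replays the header rules and =blacklist_from= globs above against constructed messages, so false positives and misses show up before a rule gets a score of 100.0. It uses Python's =re= in place of Perl's regex engine and assumes the globs treat =*= and =?= as wildcards matched case-insensitively against the whole sender address; the sample addresses and the names =hits=, =report= and =SAMPLES= are hypothetical.

```python
import re

# Header rules copied from the page: (rule name, header, pattern, flags).
RULES = [
    ("FROM_WHOS_WHO", "From", r"Who\'*s.*Who", 0),
    ("SUBJECT_WHOS_WHO", "Subject", r"Who\'*s.*Who", 0),
    ("FROM_TAILOR", "From", r"Sandy.+Hira", re.I),
]
# blacklist_from globs copied from the page.
BLACKLIST = ["*@ecorp*.*", "*@nanotech*.*", "*@whoswho*.*"]

def glob_to_regex(glob):
    """Assumed glob semantics: '*' -> '.*', '?' -> '.', all else literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in glob)
    return re.compile("^" + body + "$", re.I)

def hits(sender, headers):
    """Names of the header rules and globs that fire for one message."""
    fired = [name for name, hdr, pat, flags in RULES
             if re.search(pat, headers.get(hdr, ""), flags)]
    fired += [g for g in BLACKLIST if glob_to_regex(g).match(sender)]
    return fired

# Constructed sample messages (not real mail): label -> (sender, headers).
SAMPLES = {
    "spam, obvious": ("editor@whoswho-science.example", {
        "From": "\"Who's Who of American Scientists\" <editor@whoswho-science.example>",
        "Subject": "Your Who's Who listing"}),
    "spam, new domain": ("info@xyzzy123.example", {
        "From": "WhosWho Registry <info@xyzzy123.example>",
        "Subject": "Final notice"}),
    "spam, tailor": ("offers@suits.example", {
        "From": "SANDY  HIRA <offers@suits.example>",
        "Subject": "Bespoke suits"}),
    "spam, subdomain sender": ("pamela@mail.ecorp.example", {
        "From": "Pamela S <pamela@mail.ecorp.example>",
        "Subject": "Limited offer"}),
    "ham, colleague": ("colleague@physics.example", {
        "From": "A Colleague <colleague@physics.example>",
        "Subject": "Whose talk is first? Who is chairing?"}),
}

def report():
    """Map each sample label to the rules that would fire on it."""
    return {label: hits(s, h) for label, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for label, fired in report().items():
        print(f"{label:24} -> {fired or 'no hit'}")
```

On these samples the subject rule also fires on a colleague's "Whose talk is first? Who is chairing?" (which at 100.0 would be rejected), and =*@ecorp*.*= misses a sender on a subdomain such as =mail.ecorp.example=.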
Topic revision: r3 - 2019-09-16 - WilliamSeligman
Copyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.