I've been wrestling with a huge amount of spam coming through Linux mail servers that I manage, and I was stuck every morning entering new keywords into a keyword-based anti-spam filter, and it was just getting worse and worse.

Today I saw a review for SpamAssassin 2.6 on Slashdot and I decided to try it out. After some messing with some required libraries that I had to hunt down and install and messing with the procmail rules, I have SpamAssassin 2.6 running on three mail servers I administer, and it's like a miracle.

I have the email identified as spam going into a "spam" mail account, and after SpamAssassin catches some email, it puts in comments that explain why the email was tagged:

Content analysis details: (11.5 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.5 X_MSMAIL_PRIORITY_HIGH Sent with 'X-Msmail-Priority' set to high
0.5 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
2.8 CHINA_HEADER Involves 'china.com'
0.4 HTML_FONT_INVISIBLE BODY: HTML font color is same as background
0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.3 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
0.5 HTML_40_50 BODY: Message is 40% to 50% HTML
0.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 600-800 bytes of words
0.5 HTML_TITLE_EMPTY BODY: HTML title contains no text
1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
2.7 FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO
1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts

Each "weirdness" it finds has a score; if all the scores add up to more than five, then the email is tagged as spam and you can have procmail put it wherever you want.

It does such a good job, all I have to do is to sit back and watch the logs. Truly amazing

SpamAssassin is really great.

I myself did a little tweak: setup a procmail rule that discards spam getting more than 9 points from spamassassin. This rule never stopped anything but spam, though I use it for months now.

For me, spamassassin is set to allow all mails through, but mark spams. However, I reduced the default spam sensitivity from 5 to 3 points. This could result in more false positives, so I prepared a little script that scans the maillog and puts on the whitelist every single mail address to whom our users sent mail.

It would be also reasonable to put the from address of each received mail on the whitelist: since most of the spammers continuously change the from address in their mails, their addresses would never match an existing whitelist rule. However, if a spammer does not change the from address from time to time, that address could be easily denied with e.g. a separate sendmail rule. This seems logical.

The accummulated whitelist might give you the possibility to further increase the sensitivity of spamassassin.