Spam handling -- taking advantage of SpamAssassin

For more information:

• See the Email FAQ webpage.
• See the Spam webpage which describes a variety of techniques and resources for dealing with spam, email fraud and abuse.
• Contact the CCIT Help Desk located in Computer Center room 224 (Monday through Friday 8 a.m. to 5 p.m.)
• Call 621-HELP
• Use WebMail’s Problem? button to submit a question
• Send email to mail-admin@listserv.arizona.edu

SpamAssassin is a software program which is integrated with the new email system. All mail messages entering the email system are sent to SpamAssassin which determines, on the basis of a long set of rules, how likely it is that the message is spam (that is, commercial bulk email). Each rule adds to or subtracts from the spam hits of the message. Each message is assigned a number reflecting the number of rule hits. The higher the number of hits, the more likely it is that the message is spam. SpamAssassin labels all email that qualifies as spam according to its rules by prefixing the Subject: with [SPAM?].

SpamAssassin adds two new header lines to each message: X-Spam-Status and X-Spam-Level. In order to view these new headers, you will need to view the expanded email headers of the message. How to view expanded email headers depends on the email program you are using. In Webmail, the X-Spam-Level is shown as part of the limited headers. In Webmail, you can see all the headers by clicking on Show All Headers at the bottom of the limited header of a mail message you are reading.

The new X-Spam-Status line shows several thing:

• spam hits - the number arrived at by adding together all the rules that matched this message,
• tagged - shows that we add this header to all messages (that is: with spam hits greater than -999)
• required - hits necessary to mark mail as [SPAM?] on the Subject line
• tests - the names of the rules that this message exhibits. You can see a more detailed description of the rules at SpamAssassin (spamassassin.org/tests.html).

The new X-Spam-Level line is a graphical representation of the spam hits. It is a string of x's reflecting the positive integer number of hits. A message with 5.72 hits, for example, would have a X-Spam-Level: xxxxx (5 x's). It is easier to set up filters for this kind of a representation than on the numeric value on the X-Spam-Status line.

If the spam-hits score of a message is 7 or above, the message is marked [SPAM?] on the Subject: line and creates another header line which reads "X-Spam-Flag: YES". You do not (of course) need to expand the email headers to see this designation on the Subject: line.

How can I eliminate messages marked as [SPAM?] in the Subject:?

The easiest way to eliminate all messages marked as [SPAM?] by activating the Stop [SPAM?] filter in WebMail.

1. In Webmail click on Filters.
2. Enable the Stop [SPAM?] filter by clicking on the red banned circle. The red circle changes to a green check mark to indicate the filter is enabled. This filter will discard all subsequent messages marked as [SPAM?] before they ever enter your Inbox.

What if I don't want to eliminate [SPAM?] messages but I still don't want them in my Inbox?

If you want to get the messages marked as [SPAM?] out of your Inbox but you want to be able to verify that it is actually[SPAM?], you can change the Stop [SPAM?] rule in WebMail to move the messages to a folder instead of discarding them. The folder you want to save [SPAM?] to must already exist.

1. In Webmail create a folder if necessary, by clicking on Folders.
2. Click on Filters.
3. Click on the pad-and-pencil icon to edit the Stop [SPAM?] filter.
4. Change the drop-down under Do This: from Discard this message to Deliver to this mailbox.
5. Select the folder in which the questionable spam is to be stored.
6. Click Save.
7. If necessary, enable the new filter by clicking on the red banned circle.

WARNING: Spam moved to this folder will take up room in your email quota. You will need to clean it out occasionally to keep it from eventually using up your quota. If you are a POP user, you will have to use Webmail periodically to clean out this folder. This email is stopped and collected before it gets to your POP email system. Your POP mail program cannot do it since it cannot see any folders on the server.

What if most messages marked as [SPAM?] are spam but a few are not?

If not all messages marked as [SPAM?] on the Subject: line are spam in your estimation, you should not discard them using the default Stop [SPAM?] filter.

The simplest thing to do (but it will take more of your time): You can move all the [SPAM?] messages to a folder and sort out the non-spam at some later date. (See "What if I don't want to eliminate [SPAM?] messages but I still don't want them in my Inbox?" above.)

To automate this procedure, you may be able to tailor your filters to move (or discard) the real [SPAM?] while keeping the non-spam messages in your Inbox.

1. Examine the non-spam messages to find out if they have anything in common. If, for example, they all come from @k-mart.com, you can set up a filter above the Stop [SPAM?] filter to accept such messages.
2. Under Filters click on the New Rule button at the bottom of the list of rules.
3. Under For incoming messages that match, select From and Contains from the drop-down lists.
4. Fill in @k-mart.com in the data box to the right of the dropdown lists..
5. Under Do This, select Deliver this message to my INBOX.
6. Click Stop Checking if this rule matches.
7. You must put this filter above the the Stop [SPAM?] filter.
8. To move filters up or down, click the arrows to the right in the list of filters.

If you find that non-spam messages are coming in marked as [SPAM?] but there isn't any common thread to reliable identify them with a filter, you may want to change the Spam-Level of the messages you accept into your Inbox. See "What if I want to eliminate messages based on Spam-Level instead of those marked [SPAM?] ?" below.

What if I want to eliminate email by Spam-Level instead of those marked [SPAM?]?

It is possible in many mailer programs to tell it what header lines you want to see in the limited headers you see by default when you are reading your email. If you want to "customize" filters for levels of spam lower or higher than 7, you may want to set up your limited headers to show X-Spam-Level and/or X-Spam-Status. Before setting up filters to eliminate or otherwise deal with messages of a certain level, it is important that you have a feel for the Spam-Level of non-spam as well as for spam that you receive.

Once you have determined the level of spam that you would like to eliminate (either higher or lower than the system-wide level of 7), you can set up filters based on the Spam-Level header in the message. Note that the order of filters is significant. You need to be sure any filter you create is not below another filter which moves or discards the message you are trying to process. You can either disable the Stop [SPAM?] filter or integrate your filters with it. You can move filters up or down using the arrows at the right filter list.

When setting up filters that eliminate email, it is a good idea to first move the filtered mail to a folder to verify the filter is working as desired. It is pretty easy to accidentally set up a filter which eliminates all messages. You need to be sure your filter isn't doing this before changing the filter action to discard.

The Sieve filtering facility in the email system is very, very powerful and flexible. The example below barely scratches the surface of what you can accomplish with filters on spam and on other classes email messages. You can set up filters for patterns on most header lines. You can set up filters with simple wildcards (see "matches") or (if you are a true Unix geek) you can set up filters using "regular expressions".

An example of a simple filter to move all email with a Spam-Level of 6 to the folder SortaSpammy using Webmail:

1. Create the folder called SortaSpammy by clicking on the Folders icon and , from the Choose Action pulldown, select Create Folder.
2. Click on Filters.
3. Click the New Rule button.
4. Choose a name for this filter, for example Defer Spam.
5. Under For incoming messages that match: choose X-Spam-Level.
6. Set Contains from the drop-down list.
7. In the data box to the right fill in xxxxxx (6 x's for level 6).
8. Under Do this: select Deliver to this mailbox and select the folder SortaSpammy from the drop-down list.
9. Click on Stop Checking if this rule matches.

Your filter order is critical. By setting up several filters in the right order, you can move messages with a selected Spam Level to folders and eliminate messages with higher spam levels. If you use the Defer Spam filter (#4 above) in conjunction with the Stop [SPAM?] filter we set up for you which eliminates messages marked with [SPAM?] on the Subject line, but you put Defer Spam below the Stop [SPAM?] filter, the only thing that will go into the SortaSpammy folder are messages between 6 and 7 since the Stop [SPAM?] filter will already have removed all messages with Spam-Level 7 and above. If you put this filter above the Stop [SPAM]? filter, you might as well disable the Stop [SPAM]? filter since all messages it might have worked on will already be moved to the SortaSpammy folder.

For more information about spam filtering, see this webpage on spam and email abuse.