Tip of the Trade: Fine-Tuning SpamAssassin

The war on spam is pretty much about building bigger umbrellas and higher waders. For various reasons, little is done to cut spam off at the source. A powerful tool in the battle to divert the tides of spam from swamping networks is SpamAssassin. A stock SpamAssassin installation is only about 80 percent effective, however, and its effectiveness decreases over time as spammers craft their messages to elude SpamAssassin’s rules.

The cure for this is to either run sa-update regularly to download new rulesets or customize SpamAssassin’s rules to meet your needs.

sa-update lets you download updated rules without waiting for a SpamAssassin upgrade. You can stick with the defaults or add “channels,” which are third-party rulesets. SpamAssassin can then run globally in conjunction with a mail server, with the rules in /etc/mail/spamassassin/local.cf, or you can run it as an ordinary unprivileged user with your rules in ~/.spamassassin/user_pref. Some e-mail clients, such as KMail, include SpamAssassin integration, so a mail server is unnecessary when using SpamAssassin.

Using the SpamAssassin rules and channels should be enough for most admins, but if you want to customize your rules yourself it’s not very hard. The trick is to monitor the results and tune the rules accordingly. This is an example of a real rule:

rawbody       viagra  /viagra/i
score         viagra  5.0
description   messages that contain the word viagra

i means case-insensitive, the score determines how much weight the rule gets, and the description is optional, to help you remember what the rule does. Every time you change a rule, run spamassassin –lint to check your rule syntax and catch errors. Rules can contain specific words and regular expressions, and you can blocklist domains. After making changes to rules you must restart spamd. Visit SpamAssassin for a lot of good documentation and links to third-party channels.