Some basic lines for using Spamassassin in Linux

 

Preface: Installing SpamAssassin correctly requires some understanding, not least of how to improve your filter inside the SpamAssassin process. The following instructions will give you some hints.

The easiest way to explain is by example, so let us assume that your userid is abc and your homedir is ~abc (do a "cd /tmp" and a "pwd", then a "cd ~" and a "pwd", and you will see what I mean).

Let's stop the spam:

Unlike the notorious assassins, SpamAssassin cannot work alone; it needs backup from behind the red line, someone who can clean up the job. The choice is the well-known and powerful application procmail.

Procmail works like a filter between your mail box and the mail server. Procmail searches each mail for the strings/words that you defined in your .procmailrc configuration file; if it finds a match, the mail can be moved/deleted before it reaches your mail box.

Taking advantage of this, SpamAssassin's mission is to analyse the incoming mail and to put its own strings/words (such as "X-Spam-Status:", "X-Spam-Level:" etc.) in it to indicate whether the mail is spam or not. The analysis (using the spam rules defined at /usr/share/spam*) happens in the background before the mail reaches your mailserver or your mail box. When the mail reaches the mailserver or your mail box, procmail takes over and decides whether to delete the mail or move it out of the mail box.

If you have a mailserver, you need to configure it to call the application procmail. If you just have an email account from an ISP (Internet Service Provider), you need two hidden files called .forward and .procmailrc in your home directory (with the assumption from the beginning, that is ~abc).

That was the theory; let's get some practice.

The process:
Please follow the steps.
1) If you want to know more about procmail, please read "man procmail", "man procmailrc" and "man procmailex".

2) Read carefully the README file from the SpamAssassin package. You can find it at /usr/share/doc/spamassassin-2.XXXX/README. Try to find the word "procmail".

NB: If you have a mail server (say postfix) please put "mailbox_command = /usr/bin/procmail" in /etc/postfix/main.cf and skip to step 4.

3) Create a file called ~abc/.forward containing "|/usr/bin/procmail".
The next command will do the job for you: echo "|/usr/bin/procmail" > ~abc/.forward
After analyzing the mail, SpamAssassin forwards it to your mail box; when that happens, the hidden file .forward calls the application procmail. Next we create some rules for procmail.

4) Put the following in ~abc/.procmailrc
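# Pipe mails smaller than 25000 bytes through spamc (f = filter, w = wait for its exit code)
:0fw
* < 25000
| spamc

# Ten or more stars in X-Spam-Level: almost certainly spam
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
almost-certainly-spam_$USER

# Everything else that SpamAssassin tagged as spam
:0:
* ^X-Spam-Status: Yes
probably-spam_$USER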

5) Did you see the word "spamc"? It is the client for the SpamAssassin daemon "spamd". Each procmail rule contains 3 sections: recipe, conditions and action (see "man procmailrc"). The second line of the above configuration is a "condition" line, which says: if the size of the mail is smaller than 25000 bytes (do not set it too high, there is no reason to scan a huge mp3/avi file), then call spamc (the action line).

The next rule is for deleting huge mails before they reach your mail box; add all three lines at the beginning of the file ~abc/.procmailrc:
:0
* > 1000000
/dev/null

6) According to the configuration file .procmailrc from step 4, SpamAssassin needs two files prepared for the spam. Do the following:
touch /var/spool/mail/almost-certainly-spam_abc
chown abc:mail /var/spool/mail/almost-certainly-spam_abc
chmod 660 /var/spool/mail/almost-certainly-spam_abc

touch /var/spool/mail/probably-spam_abc
chown abc:mail /var/spool/mail/probably-spam_abc
chmod 660 /var/spool/mail/probably-spam_abc

Then type ls -l /var/spool/mail/*abc and you will get something like:

-rw-rw---- 1 abc mail 1230 Apr 24 21:07 abc
-rw-rw---- 1 abc mail 0 Apr 24 21:00 almost-certainly-spam_abc
-rw-rw---- 1 abc mail 5262 Apr 24 21:28 probably-spam_abc

7) It is time to start the spamassassin service: service spamassassin start (then try "pgrep -l spam")

8) Let's test it locally (directly from your computer), without having ANY mail systems. Type:
echo "Subject: S.P.A.M FREE LUNCH"| spamc | procmail
If you have done everything correctly, you will get something like the below in /var/mail/probably-spam_abc:

Subject: [SPAM] S.P.A.M    FREE LUNCH
X-Spam-Status: Yes, hits=5.0 required=5.0
        tests=DATE_MISSING,FROM_MISSING,GAPPY_SUBJECT,MISSING_HEADERS,
              SPAM_PHRASE_00_01,SUBJ_ALL_CAPS,SUBJ_FREE_CAP,
              UPPERCASE_50_75
        version=2.44
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.44 (1.115.2.24-2003-01-30-exp)

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (5.00 hits, 5 required)
SPAM: FROM_MISSING       (-0.0 points) Missing From: header
SPAM: GAPPY_SUBJECT      (1.3 points)  'Subject' contains G.a.p.p.y-T.e.x.t
SPAM: DATE_MISSING       (0.8 points)  Missing Date: header
SPAM: SUBJ_FREE_CAP      (0.4 points)  Subject contains "FREE" in CAPS
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01 (low)
SPAM: MISSING_HEADERS    (1.0 points)  Missing To: header
SPAM: SUBJ_ALL_CAPS      (0.5 points)  Subject is all capitals
SPAM: UPPERCASE_50_75    (0.2 points)  message body is 50-75% uppercase
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

NB: Notice the line "X-Spam-Status".

9) Let's test it from the internet. Send a mail from a client which has access to a mailserver/mail-gateway (you can of course test it from Hotmail/Yahoo too, see below):
echo AMAZING GUARANTEE PROFITS|mail -s "S.P.A.M TESTING" abc

NB: abc is the mail account of the user abc on the PC. For a POP account (which you get from an ISP) you need to use the command aliases (mail aliases) and the application fetchmail to configure your mail system.
NB2: You can test it from Yahoo-mail too. Put "S.P.A.M TESTING" in the subject and "AMAZING GUARANTEE PROFITS" in the mail body.

10) If it works, the mail from the step above will move directly to the file /var/mail/probably-spam_abc (see the definition in .procmailrc) and nothing goes into your mail box.
If you have done everything correctly, you will get something like the below in /var/mail/probably-spam_abc:

Date: Thu, 24 Apr 2003 17:11:11 -0400 (EDT)
From: root@tng.com (root)
X-Spam-Status: Yes, hits=7.0 required=5.0
        tests=AMAZING,GUARANTEE,LINES_OF_YELLING,PROFITS,
              SPAM_PHRASE_00_01,SUBJ_ALL_CAPS,SUBJ_HAS_SPACES,
              UPPERCASE_75_100
        version=2.44
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 2.44 (1.115.2.24-2003-01-30-exp)

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (7.00 hits, 5 required)
SPAM: SUBJ_HAS_SPACES    (2.6 points)  Subject contains lots of white space
SPAM: GUARANTEE          (0.8 points)  BODY: Contains word 'guarantee' in all-caps
SPAM: AMAZING            (0.4 points)  BODY: Contains word 'amazing' in all-caps
SPAM: PROFITS            (0.3 points)  BODY: Contains word 'profits' in all-caps
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01 (low)
SPAM: LINES_OF_YELLING   (0.2 points)  BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: SUBJ_ALL_CAPS      (0.5 points)  Subject is all capitals
SPAM: UPPERCASE_75_100   (1.4 points)  message body is 75-100% uppercase
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

AMAZING GUARANTEE PROFITS AMAZING

NB: Notice carefully the line "X-Spam-Status", what do you see?
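
The folder choice made by the recipes in step 4 can be checked without a mail system. The following shell function is an added example, not part of the original instructions; spam_folder and the sample_* functions are hypothetical names, the first sample reuses the headers from step 8 and the other two are constructed.

```shell
#!/bin/sh
# Added example: predict which folder the step 4 recipes choose for a mail.
# spam_folder and the sample_* functions are hypothetical helper names.

spam_folder() {    # usage: spam_folder USERID < message
    awk -v user="$1" '
        /^$/ { exit }               # headers end at the first blank line
        { h = tolower($0) }         # procmail conditions ignore case
        h ~ /^x-spam-level: \*\*\*\*\*\*\*\*\*\*/ { certain = 1 }  # 10+ stars
        h ~ /^x-spam-status: yes/   { probable = 1 }
        END {
            if (certain)       print "almost-certainly-spam_" user
            else if (probable) print "probably-spam_" user
            else               print "inbox"
        }'
}

sample_step8() {   # headers from the step 8 output above (tests= list omitted)
cat <<'EOF'
Subject: [SPAM] S.P.A.M    FREE LUNCH
X-Spam-Status: Yes, hits=5.0 required=5.0
X-Spam-Flag: YES
X-Spam-Level: *****

EOF
}

sample_high() {    # constructed: a mail scored at twelve stars
cat <<'EOF'
Subject: constructed high-score sample
X-Spam-Status: Yes, hits=12.4 required=5.0
X-Spam-Level: ************

EOF
}

sample_body_only() {   # constructed: the tag appears only in the body
cat <<'EOF'
Subject: constructed clean sample
X-Spam-Status: No, hits=0.3 required=5.0

X-Spam-Status: Yes, hits=99.0 required=5.0
EOF
}

for s in sample_step8 sample_high sample_body_only; do
    printf '%s -> %s\n' "$s" "$("$s" | spam_folder abc)"
done
```

Only header lines are examined, as procmail does by default, so a tag line copied into the body of a mail does not change the folder.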

Voila
Good luck
Copenhagen April 2003, Tuan Nguyen