January 23, 2007

Spam Killa

I seem to get a lot of spam. Sometimes 100 messages per hour. So when I set up my own Exchange server, I needed a good spam solution.

I had been using the Cloudmark Outlook plugin. At that time, it was very good. Caught 99% of everything. Never made any mistakes.

But as the year went on, it got worse and worse. I could contact Cloudmark tech support. They would have me send in samples of the spam. They would usually report those were now being captured. Maybe I was on the “front line” of spam receivers, but it was driving me nuts. When you have the Treo in your pocket and email is being instantly pushed to you, it tends to beep constantly. You seem real important when you go places, but you really aren’t. You’re just getting fucking Viagra ads over and over.

Some time back I had installed SpamAssassin on one of my web servers that was handling random emails for me for another business purpose. It really did well. I was impressed. How could I get this over to Exchange?

Luckily, some dude figured out a good integration and released the Exchange SpamAssassin SMTP Sink. So I installed it very quickly and let it run second, after Cloudmark does its work (or lack thereof). Within a day, SpamAssassin had started building a good memory of its spam and I was blocking nearly every piece of spam that came in. Now in the course of a day, I might get 1 or 2. And they usually are very close to the spam threshold for SpamAssassin but just under the bar.

If you haven’t seen SpamAssassin in action, it applies a set of rules to each message. Each rule that matches adds its points to the message score (a few rules, such as the low-probability Bayes rules, carry negative points and subtract). If the total reaches the required threshold (5.0 by default), the message is spam. Here is one sample of the rules in action:


Content analysis details: (18.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
0.0 HTML_MESSAGE BODY: HTML included in message
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[217.42.82.122 listed in dnsbl.sorbs.net]
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see ]
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[217.42.82.122 listed in zen.spamhaus.org]
1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[217.42.82.122 listed in combined.njabl.org]
0.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[217.42.82.122 listed in zen.spamhaus.org]
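The report above can be checked mechanically, which is handy when the sink logs these reports and you want to know why a message was (or was not) caught. The following is an added example in Python, not code from this post or from SpamAssassin: it parses a copy of the report, re-adds the rule points against the required threshold, pulls out the DNSBL-listed IP, and shows what the verdict would be without the network tests. The function names, and the treatment of rules named RCVD_IN_* as the DNSBL rules, are this example's own assumptions.

```python
"""Parse a SpamAssassin 'Content analysis details' report and re-check the verdict.

Added example; not code from the post or from SpamAssassin. The sample report
is a copy of the one in the post with its original indentation restored.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the report from the post, with the column layout restored.
SAMPLE_REPORT = """\
Content analysis details: (18.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [217.42.82.122 listed in dnsbl.sorbs.net]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [217.42.82.122 listed in zen.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.42.82.122 listed in combined.njabl.org]
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [217.42.82.122 listed in zen.spamhaus.org]
"""

HEADER_RE = re.compile(r"\(\s*(-?\d+(?:\.\d+)?)\s+points,\s*(-?\d+(?:\.\d+)?)\s+required\)")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}) listed in ([\w.-]+)\]")


@dataclass
class Hit:
    points: float
    rule: str
    description: str
    detail: list = field(default_factory=list)  # continuation lines in [brackets]


@dataclass
class Report:
    reported_total: float  # the total SpamAssassin printed in the header
    required: float        # the threshold it applied
    hits: list


def parse_report(text):
    """Split the report into header scores and one Hit per matched rule."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' header found")
    hits, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("----"):
            in_table = True  # the dashed rule separates the column headings from the hits
            continue
        if not in_table or not line.strip():
            continue
        rm = RULE_RE.match(line)
        if rm:
            hits.append(Hit(float(rm.group(1)), rm.group(2), rm.group(3).strip()))
        elif hits and line.strip().startswith("["):
            hits[-1].detail.append(line.strip())  # DNSBL listing or Bayes probability
    return Report(float(m.group(1)), float(m.group(2)), hits)


def is_network_rule(hit):
    """Assumption for this example: DNSBL rules are the ones named RCVD_IN_*."""
    return hit.rule.startswith("RCVD_IN_")


def rules_total(report):
    """Re-add the per-rule points; a mismatch with the header means a truncated report."""
    return round(sum(h.points for h in report.hits), 1)


def verdict(report, network=True):
    """Return (score, is_spam), optionally ignoring the network (DNSBL) rules."""
    hits = [h for h in report.hits if network or not is_network_rule(h)]
    total = round(sum(h.points for h in hits), 1)
    return total, total >= report.required


def listed_ips(report):
    """Map each IP named in a DNSBL detail line to the zones that listed it."""
    out = {}
    for h in report.hits:
        for d in h.detail:
            m = IP_RE.search(d)
            if m:
                out.setdefault(m.group(1), set()).add(m.group(2))
    return out


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("header total", rep.reported_total, "recomputed", rules_total(rep))
    print("with network tests:", verdict(rep))
    print("without network tests:", verdict(rep, network=False))
    print("listed IPs:", listed_ips(rep))
```

Two things fall out of running it on the sample. The nine rule scores add back up to the 18.2 in the header, so the report is complete; a report whose rules no longer sum to the header total has been cut off somewhere between SpamAssassin and your log. And without the four RCVD_IN_* hits the message still scores 8.8 against the 5.0 threshold, so this one would have been caught even if the sink had been unable to run DNS lookups; the Bayes and HELO checks carry it on their own.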

Pretty cool. There are tons of rules and they are updated from time to time. Plus, you can (and I did) turn on the Bayesian checks. With auto-learning enabled, SpamAssassin trains its Bayes classifier on the messages it has already scored: messages well above the spam threshold are learned as spam, and messages well below it as ham. So when it sees another message with similar words and phrases, the BAYES_* rules push its score up (BAYES_99 is worth 3.5 points in the sample above). It's always learning, and I don't have to do anything. One caveat: the Bayes rules stay silent until the database holds enough learned spam and ham (200 messages of each by default), so they need a little traffic before they start contributing.

So once my subscription to Cloudmark runs out, I think I am going to be just fine with SpamAssassin, my new friend.

Posted: 2007-01-23 at 20:38 MST in Geek
Tags: exchange microsoft spam