spamassassin-users December 2011 archive

Re: A SpamAssassin Crash Course for Admins

From: Bowie Bailey <Bowie_Bailey_at_nospam>
Date: Tue Dec 06 2011 - 15:39:00 GMT

On 12/6/2011 12:59 AM, Dorian Chan wrote:
> Hello all,
> I've attached a newer version with Windows info. Thanks Daniel,
> Patrick, and Ted.

A few comments:

1) There are multiple types of blacklists and whitelists: IP
blacklists, URL blacklists, and address blacklists. IP and URL
blacklists (and whitelists) are usually public and checked via DNS
queries. Address blacklists (and whitelists) are usually stored on the
local machine or shared in a local network rather than being public.

2) (Address) whitelists can trust emails pretending to be from
whitelisted addresses, but this can be mitigated in SA by checking IP
address, DKIM, SPF, or other methods to verify that the email is
actually from the user it claims.

3) Recommended threshold (required_hits) is 5.0. All of the default
scores are geared toward this. If you lower it, you will increase false
positives. If you raise it, you will increase false negatives.

4) whitelist_from is not recommended; however, if you know where the mail
should be coming from, you can use whitelist_from_rcvd. If the sender
uses DKIM or SPF, you can use whitelist_auth.

5) When checking rules, use 'spamassassin --lint'. This should give no
output if the rule syntax is correct. Adding the '-D' option gives a
bunch of extra debug information, which can make it more difficult
(especially for a new user) to see whether the lint succeeded. Also,
please use a font for command samples which can easily distinguish
between '-' (a single dash) and '--' (a double dash). It is common to
use courier or some other monospaced font for command samples in
documents such as this. And make sure your editor does not
automatically change the double dash to a long hyphen. The '--lint'
option should start with two dashes.

6) You should note that 'spamassassin -t' will always claim that the
message is spam. You should ignore that and refer to the score and rule
hits instead.

-- 
Bowie

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
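
Points 3 and 4 of the message above can be checked mechanically before a configuration goes live. The following Python audit is an added example, not part of the original message or of SpamAssassin itself; the sample configuration, its addresses and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample local.cf (not from the original thread).
SAMPLE_CF = """\
required_hits 3.5
whitelist_from *@partner.example
whitelist_from_rcvd billing@vendor.example mail.vendor.example
whitelist_auth news@lists.example
  whitelist_from boss@corp.example ceo@corp.example   # trailing comment
#whitelist_from disabled@old.example
"""

RECOMMENDED = 5.0  # threshold the default scores are geared toward


def audit(cf_text):
    """Return (line_number, directive, message) for each risky setting."""
    findings = []
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = re.sub(r"(?<!\\)#.*", "", raw).strip()  # drop comments
        if not line:
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "whitelist_from":
            # Matches on the claimed sender only, so a forged From is trusted.
            for addr in args:
                findings.append((lineno, directive,
                                 f"{addr}: use whitelist_from_rcvd or whitelist_auth"))
        elif directive in ("required_hits", "required_score") and args:
            try:
                value = float(args[0])
            except ValueError:
                findings.append((lineno, directive, f"not a number: {args[0]}"))
                continue
            if value < RECOMMENDED:
                findings.append((lineno, directive, f"{value} < 5.0: more false positives"))
            elif value > RECOMMENDED:
                findings.append((lineno, directive, f"{value} > 5.0: more false negatives"))
    return findings


if __name__ == "__main__":
    for lineno, directive, message in audit(SAMPLE_CF):
        print(f"line {lineno}: {directive}: {message}")
```

The audit only reads configuration text; `spamassassin --lint` remains the check for rule syntax.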