netflap.com Blog

SPAMassassin has become an extremely efficient SPAM filtering solution and is currently the most accurrate way to eliminate the majority of SPAM coming into a corporate network.  The problem is that you can configure SPAMassassin in MANY ways and depending on how it is done, you can go from filtering 75% of the SPAM to filtering 99.9% of the SPAM.  I’ve configured a fair number of SPAMassassin installations in my time for a wide variety of organizations and here are my tips for getting closer to 99.9% accuracy.

1. Keep up to date
The best tip I can give you to have better results is to use the latest version of SPAMassassin.  You don’t need to have bleeding edge, but just make sure you aren’t using a version which is a year or two old.  Update your installation every few months if you can.  The newer versions of SPAMassassin are always adding new detection techniques and rules which help cut out a vast majority of SPAM.  I’ve found that newer features such as the URIBL are able to cut your false negatives down by 80%.

2. Use a third party ruleset.
The SPAMers find ways around the base rules in SPAMassassin all the time, so the more rules you can add, the better (as long as they are good rules).  SARE is a great resource for a constantly updated set of third party rules.  These rules are all tested and help to greatly increase the accuracy of your filter.  A script called RulesDuJour is also available which automatically downloads these rules for you and updates your installation with the latest ruleset at a scheduled time every day.  Having a constantly changing ruleset makes it difficult for the SPAMers to get around the filter.

3. Train your Bayes engine
SPAMassassin comes with a bayesian learning engine which allows it to use statistical methods to categorize a message a SPAM or HAM (not SPAM).  This engine is extremely accurate as long as it has the proper training.  In order to train the bayes engine you need to provide it with messages that have been reviewed by a human and are confirmed to be either SPAM or HAM.  You can manually train the engine using the sa-learn command, however it is far more efficient to use a front end to SPAMassassin like Maia Mailguard.  With Maia, it keeps a copy of all messages that pass through it so that if a message either gets filtered when it shouldn’t have or doesn’t get filtered when it should have, you can go back and mark the message as either SPAM or HAM.  This will then train the Bayes engine and it will then filter similar messages in the future.  I’ve really just touched on the Bayes engine in SPAMassassin and therefore you should look it up online and read more about it to find out what the best method would be for your environment.

4. Use the SPAM network detection methods
There are several blacklists and hash detection methods that can be used in SPAMassassin.  The two that I highly recommend are DCC and Razor.  These two products will help to increase the accuracy of your SPAM filter again by a large percentage.  Support for the products is builtin to SPAMassassin by default but they do require a client to be installed in order for them to start working.  A quick search online will provide many tutorials for getting them going.

Those are the big four tips I have.  There is a lot of other tuning you can do, but by making sure you are doing the above four things, your accuracy should easily be above 98%.  Using this configuration, I am currently seeing about 99.4% accuracy for detecting SPAM and only about 0.01% false positives.  If you have any other good tips for SPAMassassin, please leave a comment.

TrackBack to 'Increasing SPAMassassin’s accuracy (4 tips)'.