Despite the emergence of numerous instant messengers, email remains by far the most inexpensive way to send information, and because emails support file attachments and embedded HTML scripts, email is very often used to send spam. In addition to the obvious risks to the enterprise's information security, spam also puts a significant load on the mail server. If it reaches a user's mailbox, it takes up space in the mail server's data storage, and a business email can simply get lost among useless spam.
This article shows how an administrator can set up SpamAssassin, one of the most advanced mail-filtering solutions, to filter spam on Carbonio CE servers. If configured incorrectly, SpamAssassin can block important emails or miss potentially critical ones.
SpamAssassin is installed with Carbonio CE and is enabled by default. It starts filtering incoming mail immediately based on its built-in dictionaries. The way SpamAssassin works is simple: each incoming message is subjected to a whole series of checks, and each time a check is triggered, the message is assigned spam points. For example, if an email starts with the word Dear, SpamAssassin automatically adds one spam point to it. The same happens when the message contains other signs typical of spam mailings. There are also checks that deduct spam points when triggered.
Creating Basic Rules
SpamAssassin evaluates emails by analyzing their headers and body against rules that look for things such as certain words or phrases. Points are assigned to an email based on the rules it meets. If the email's total score exceeds a predetermined limit, it is tagged as spam, or deleted if the score is above a certain higher level.
Rules consist of test criteria and a score followed by a description (the description is not mandatory). Rules use Perl regular expressions to look for specific content inside the email. Rules should be added to the /opt/zextras/conf/salocal.cf.in file as follows:
body CUSTOM_RULE /sale/
score CUSTOM_RULE 1.5
This creates a rule named CUSTOM_RULE that searches for the lowercase word “sale” in the body of the email. If the word appears in the body at least once, 1.5 is added to the total score of the email; finding the word multiple times does not add more.
To search for a case-insensitive form of the same word you can use
body CUSTOM_RULE /sale/i
To search for any 4 capital letters in a row like a stock symbol you can use
body CUSTOM_RULE /[A-Z][A-Z][A-Z][A-Z]/
To search for a number of up to 3 digits with two decimal places, ending at a word boundary, you can use
body CUSTOM_RULE /\d?\d?\d?\.\d\d\b/
To learn more about Perl regular expressions, refer to the Perl regular expressions quick start page.
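An added example, not from the original article: a dry run of the patterns above against constructed message bodies, showing that /sale/i also fires on legitimate words such as "wholesale" before the rule is deployed. Python's re module stands in for Perl regular expressions here, and the rule names, the SALE_WORD variant, and the scores other than 1.5 are assumptions.

```python
import re

# name -> (pattern, score). Python's re stands in for Perl regex here; these
# simple patterns behave the same in both. Only the 1.5 score is the article's.
RULES = {
    "SALE_LOWER": (re.compile(r"sale"), 1.5),                 # /sale/
    "SALE_ANYCASE": (re.compile(r"sale", re.I), 1.5),         # /sale/i
    "SALE_WORD": (re.compile(r"\bsale\b", re.I), 1.5),        # hypothetical tighter variant
    "FOUR_CAPS": (re.compile(r"[A-Z][A-Z][A-Z][A-Z]"), 1.0),  # constructed score
    # Decimal point escaped so it matches only a literal "."; constructed score.
    "PRICE": (re.compile(r"\d?\d?\d?\.\d\d\b"), 1.0),
}

# Constructed sample bodies: two legitimate business mails and one spam-like mail.
SAMPLES = {
    "legit_order": "Please confirm the wholesale order for ACME before Friday.",
    "legit_invoice": "Invoice attached, total due 149.99 EUR. Regards, Salesforce team",
    "spam_like": "SALE SALE SALE! Buy XYZQ now, only 9.99 per share, sale ends today",
}


def evaluate(text, active):
    """Return (names of rules that fired, total score) for one message body.

    A rule contributes its score once, however often its pattern matches.
    """
    hits = [name for name in active if RULES[name][0].search(text)]
    return hits, sum(RULES[name][1] for name in hits)


def dry_run(active):
    """Evaluate every sample so false positives show up before deployment."""
    return {label: evaluate(body, active) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for rule_set in (["SALE_ANYCASE", "FOUR_CAPS", "PRICE"], ["SALE_WORD", "PRICE"]):
        print(rule_set)
        for label, (hits, total) in dry_run(rule_set).items():
            print(f"  {label:14} score={total:<4} fired={hits}")
```

SpamAssassin applies body rules to the decoded, rendered text of a message, so this plain-string check only approximates what the server sees.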
Custom Rule for the Header
To check the email header, use a header rule:
header HEADER_SUSPICIOUS Subject =~ /sale|limited/i
score HEADER_SUSPICIOUS 1.5
describe HEADER_SUSPICIOUS Bad Word in the Subject
Here we create a rule named HEADER_SUSPICIOUS that checks the subject line for the case-insensitive words “sale” and “limited”, which are typical of spam emails. We also specify how many points an email with such words will receive, as well as a description of the rule.
Custom Rule for the Body
To check the email body, use a body rule:
body BODY_SUSPICIOUS /discount/i
score BODY_SUSPICIOUS 1.5
describe BODY_SUSPICIOUS Bad Word in the Body
Here we create a rule named BODY_SUSPICIOUS that checks the email body for the case-insensitive word “discount”, which is typical of spam mailings. We also specify how many points an email with such a word will receive, as well as a description of the rule.
How It Works
SpamAssassin supports Bayesian machine learning, which means it can be manually pointed to emails it mistook for spam, as well as spam emails it failed to identify as spam. Based on these emails, it automatically generates algorithms that will be used later to filter spam.
You can control this process using spam and ham service mailboxes. They are created when Carbonio CE is installed, and their names are intentionally obfuscated with a random set of letters and numbers. Emails that end up in spam and are moved by the user to another mail folder are automatically redirected to the ham mailbox, while messages that end up in the mail folder and are then moved to spam by the user are redirected to the spam mailbox.
The learning process consists of placing emails that are known to be spam, and emails that are known not to be spam, in the appropriate mailboxes. Uploading 200 emails to each of the service mailboxes is considered a normal amount.
Note that the service mailboxes also receive the emails that the user has marked as spam or deleted from the spam folder in a mail client connected via IMAP.
The results of SpamAssassin checks are recorded in the Carbonio logs, as well as in the email's header fields. To view the spam check information in the header fields of an email, select it in the Carbonio CE web client and view its contents using the Show original option.
In the window that opens, the fields with the names X-Spam-Flag, X-Spam-Score, X-Spam-Level, and X-Spam-Status will contain detailed information about the results of the SpamAssassin check.
Adjusting Thresholds
The main setting in SpamAssassin is the score threshold at which an email is recognized as spam. There are two thresholds. When the first one, which is usually lower, is reached, the email is marked as spam and sent to the recipient’s Spam folder. When the second one, which is usually much higher, is reached, the email is marked as spam and simply deleted.
You can adjust these thresholds from the command line. To change the upper threshold, use the command
carbonio prov modifyConfig zimbraSpamKillPercent 75
To change the lower threshold use the command
carbonio prov modifyConfig zimbraSpamTagPercent 20
It is also possible to change the signature that is added to the subject of a message recognized as spam, for example,
carbonio prov modifyConfig zimbraSpamSubjectTag "!!!SPAM!!!"
Please note that thresholds are adjusted as a percentage, while spam points are awarded in absolute numbers. To convert percentages to spam points, simply multiply by 0.2. In our case, the thresholds are set at 4 and 15 spam points.
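An added example, not part of the original article, that ties the X-Spam-Status field described earlier to these thresholds: it reads the field from a raw message and reports what the configured percentages imply for that message. The sample message and its header layout are constructed, so real field contents may differ in detail.

```python
import re
from email import message_from_string

POINTS_PER_PERCENT = 0.2  # conversion factor given in the article

def thresholds(tag_percent, kill_percent):
    """Convert zimbraSpamTagPercent / zimbraSpamKillPercent to spam points."""
    return (round(tag_percent * POINTS_PER_PERCENT, 2),
            round(kill_percent * POINTS_PER_PERCENT, 2))

def spam_verdict(raw_message, tag_percent=20, kill_percent=75):
    """Read X-Spam-Status and say what the two thresholds imply for the message."""
    msg = message_from_string(raw_message)
    # Long header fields are folded over several lines; collapse the whitespace.
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    found = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", status)
    if found is None:  # no result recorded, e.g. the message was never scanned
        return {"score": None, "tests": [], "action": "unscanned"}
    score = float(found.group(1))
    # Rule names are upper-case tokens after "tests="; per-rule scores are skipped.
    tests = re.findall(r"[A-Z][A-Z0-9_]+", status.partition("tests=")[2])
    tag, kill = thresholds(tag_percent, kill_percent)
    if score >= kill:
        action = "discard"
    elif score >= tag:
        action = "spam-folder"
    else:
        action = "deliver"
    return {"score": score, "tests": tests, "action": action}

# Constructed sample message (assumed header layout, not captured from a server).
SAMPLE = (
    "From: promo@example.net\n"
    "To: zextras@domain.tld\n"
    "Subject: !!!SPAM!!! Limited sale\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Score: 6.2\n"
    "X-Spam-Level: ******\n"
    "X-Spam-Status: Yes, score=6.2 required=4.0\n"
    "\ttests=[BAYES_99=3.2, HEADER_SUSPICIOUS=1.5, BODY_SUSPICIOUS=1.5]\n"
    "\tautolearn=no\n"
    "\n"
    "Big discount today.\n"
)

if __name__ == "__main__":
    print(thresholds(20, 75), spam_verdict(SAMPLE))
```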
Backing Up and Restoring Training
The rules that are formed as a result of training SpamAssassin can be preserved. This is done with the command
/opt/zextras/common/bin/sa-learn --dbpath /opt/zextras/data/amavisd/.spamassassin --backup > /tmp/sa.db
After this operation, all rules will be saved to the /tmp/sa.db file.
Restoring a backup is done using
/opt/zextras/common/bin/sa-learn --dbpath /opt/zextras/data/amavisd/.spamassassin --restore /tmp/sa.db
After restoring the backup, you need to restart Carbonio CE.
White/Black Listing
Carbonio CE also supports blacklisting and whitelisting, both at the user level and at the domain level. You can configure them using the following commands:
- To add user@domain2.tld to the whitelist of user zextras@domain.tld
carbonio prov modifyAccount zextras@domain.tld +amavisWhitelistSender user@domain2.tld
- To remove user@domain2.tld from the whitelist of user zextras@domain.tld
carbonio prov modifyAccount zextras@domain.tld -amavisWhitelistSender user@domain2.tld
- To add user@domain2.tld to the blacklist of user zextras@domain.tld
carbonio prov modifyAccount zextras@domain.tld +amavisBlacklistSender user@domain2.tld
- To remove user@domain2.tld from the blacklist of user zextras@domain.tld
carbonio prov modifyAccount zextras@domain.tld -amavisBlacklistSender user@domain2.tld
- To add user@domain2.tld to the whitelist of domain domain.tld
carbonio prov modifyDomain domain.tld +amavisWhitelistSender user@domain2.tld
- To remove user@domain2.tld from the whitelist of domain domain.tld
carbonio prov modifyDomain domain.tld -amavisWhitelistSender user@domain2.tld
- To add user@domain2.tld to the blacklist of domain domain.tld
carbonio prov modifyDomain domain.tld +amavisBlacklistSender user@domain2.tld
- To remove user@domain2.tld from the blacklist of domain domain.tld
carbonio prov modifyDomain domain.tld -amavisBlacklistSender user@domain2.tld
Disabling/Enabling the Service
Note that antispam, along with antivirus, is one of the main consumers of system resources. Therefore, if you are using an external spam filtering server, you can disable it with the command
carbonio prov modifyServer mail.domain.tld -zimbraServiceEnabled antispam
You can enable antispam again using the command
carbonio prov modifyServer mail.domain.tld +zimbraServiceEnabled antispam