Critical Eye on SpamAssassin

ErrorBase writes "In this Infoworld article, Logan G. Harbaugh makes a great deal about an ancient (2.44) version of SpamAssassin comparing it with newer comercial variants. Quote : You get what you pay for. [...] However, it took more than 10 times as long to install and configure SpamAssassin as it did any of the other products. " Why did he not ask Kevin Railsback who had the whole thing working some while ago?)"

Version?

"SpamAssassin 2.44, an open source spam filter included with Red Hat Linux 9." Included with RedHat 9 is spamassassin v. 2.54, not 2.44

Re:What is a good client-side spam filter for Outl

[reaper20]

SpamBayes, by far.

Re:Is there a gui tool for configuring SpamAssassi

[PhilippeT]

Webmin is great for setting up just about anything you can think of.

Logan You Better Run

Great - compare generation or more older open source to fresh shrinkwrap. Who's zooming (or shilling) for who.

My ISP (souther NH) runs SpamAssassin 2.6 - and I can tell you that at the default settings it catches 90-95% with .01% (yes Bucko, less than 1/1000) false positives. When they implemented it several versions ago it was just as good.

I've got one client where the run NO filter - some folks (the names GOTTA be on the web site) get up to 100 spams a day. IT are basically monkeys with hands. I have no idea what the CEO thinks. They wouldn't even think OS as they're a total MS shop.

Re:Logan You Better Run

[shis-ka-bob]

From the home page of Spam Assassin:
Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it.

From the review:
All the products except Brightmail and SpamAssassin allow end-users to add senders to the domain whitelist themselves. Brightmail allows users to forward misidentified e-mails to the administrator, who can choose to add the sender to the whitelist. SpamAssassin allows only the administrator to add to the whitelist, with no direct access for users.

Who is missing something here? Me or the reviewer? It looks like Razor does exactly what he wants to do and claims that SpamAssassin doesn' t do. It seems to me you are right ... selectively comparing old OS with newer commercial software so that he can make claims that are factually correct about SpamAssassin 2.44 but completely missleading about the current version.

Re:Logan You Better Run

[mrex]

This "journalist" is a grade-A moron as has been demonstrated sufficiently already in this thread. The one new thing I have to add to this conversation is that, contrary to the following statement:

SpamAssassin allows only the administrator to add to the whitelist, with no direct access for users.

SpamAssassin (anything remotely resembling a current version) supports per-user whitelists and other preferences. It takes a little more skill to set up, but frankly the end result is way better than anything you're likely to achieve with a commercial product. The users of my ISP can simply log into a secure space on our website, where they can then view their assassinated spam, change their default score, and create individual white and black lists. This is accomplished with nothing but SpamAssassin, Apache, MySQL, and a few glue scripts. I would put our OSS-based solution in a head to head with any of those commercial offerings.

I get what I pay for too from reading the article.

[reaper20]

I don't understand why he's so critical of a free product. I upgraded to 2.60 and it's running near flawless, and since the program is so simple, you just upgrade it, no need to change configuration options if you don't need to, you just call it from procmail.

Yeah all those GUI options look nice, but 90% of the time, why do I need to change my spamblocking settings? The Bayesian filter autoadjusts itself with little or no user intervention -- it's near transparent.

Works for me

[perlionex]

I run a mail server at home on a Linux box, with Postfix and Spamassassin 2.60. I have it configured to label mail as spam once it hits 8 points, and to automatically chuck it into /dev/null once it hits 12 (using Postfix's header_checks).

It works pretty well for me -- the mail server's only for my personal use so I don't really have to worry about irate subscribers sueing me for dropping them legit mail =p and the 8-12 point range in the spam marking gives me a chance to vet through those suspicious mails briefly before deleting them.

I've never tried any other spam filters on the server-side, so I can't really compare. I guess I'm also a bit of a Linux hacker so I don't mind tweaking all those config files along the lines of the FAQ and other hints on forums to get it to work the way I want it to.

Re:Works for me

[perlionex]

Inside /etc/postfix/main.cf:

# The header_checks parameter specifies an optional table with patterns
header_checks = regexp:/etc/postfix/header_checks

Inside /etc/postfix/header_checks (note: replace "*" with "[backslash]*"):

/^X-Spam-Level: ************/ REJECT

Inside /etc/mail/spamassassin/local.cf:

rewrite_subject 1
report_header 1
ok_languages en
ok_locales en
required_hits 8
subject_tag [SUSPECTED SPAM]

Re:What is a good client-side spam filter for Outl

I know people have been recommending SpamBayes but be warned - it is very slow to parse and move the emails. Only bother with this if you receive only a small volume of spam or have a pretty fast computer.

He already sent an open letter to SAtalk

[damian]

He sent a long open letter to SAtalk. You can find it in the mailing list archive

Re:He already sent an open letter to SAtalk

[Joseph+Vigneau]

Wow. Considering he probably got a lot of nasty emails from the zealot crowd, this is a well reasoned response. He laid out his review criteria, and how SA can be improved to fare better against its commercial competitors. Well done, and a good challenge for the committers of SA.

Re:He already sent an open letter to SAtalk

[vondo]

Did you not read his post to the mailing list where he says he had words to that effect in the article he submitted but *the editor* took them out?

Re:I get what I pay for too from reading the artic

[gl4ss]

you need to change them because the easy install solutions suck(and have default installs that somebody can try to get around and test untill it goes through).

Critical Eye on Tech Journalists

[abulafia]

In true form for throwaway articles like this, products are compared poorly:

Each product was tested with a different stream of mail, so the number of messages received varied, but all received enough messages to assess their capabilities.

Can you imagine someone writing "Oracle, Sybase and Postgres were compared. While the data and workloads were different, all products performed enough work to assess thier capabilities."

All the products except Brightmail and SpamAssassin allow end-users to add senders to the domain whitelist themselves.

I don't know anything about Brightmail. Spamassassin end user whitelists entries can be set up in a number of ways.

And all the products but SpamAssassin use dynamic updates to keep up with the evolving technologies spammers use to circumvent less sophisticated filters.

As aluded to in the summary, this is false with modern versions of Spamassassin, which uses Baysian filtering. (The author later says he couldn't get it working.

However, it took more than 10 times as long to install and configure SpamAssassin as it did any of the other products. [...] But just because the software is installed does not mean it will work -- filtering criteria must be added manually, and until that's done nothing is filtered out. Getting the various configuration files edited properly so that the whole package worked was not simple. Documentation was difficult to find, and not always easy to follow.

While it is true that one must be comfortable with a text editor to configure Spamassassin, thus perhaps putting it out of reach of point-and-click admins and technical journalists, I also wouldn't be prone to put my mail servers in the hands of either of those groups of people.

It looks for keywords in the subject or body of e-mails, but is frustrated by words not in the dictionary, such as "V!agra," or words that contain invisible HTML characters.

While I am not sure what tests appeared in which version, I'm pretty sure 2.44 handled off-by-one works such as V!agra. I have no idea what he's talking about when he says "invisible HTML characters", but it does seem to point to a certain technical incompetence, similar to the ostritch belief - "If I can't see you, then you can't see me."

This is not to say Spamassassin is the easiest thing in the world to deal with. I happen to love it, because of the extreme flexibility.

I just get sick of tech journos who decide that because a tool doesn't have a gui and they don't want to take the time to configure it, it sucks.

Re:Critical Eye on Tech Journalists

[ceejayoz]

I have no idea what he's talking about when he says "invisible HTML characters", but it does seem to point to a certain technical incompetence, similar to the ostritch belief - "If I can't see you, then you can't see me."

If you look at the source of most HTML spam, you'll see things like:

v<!-- the -->i<!-- brown -->a<!-- cow -->g<!-- is -->r<!-- dead -->a

The <!-- --> parts are HTML comments and thus won't be displayed to the user, but they can mess up some spam filters that don't account for them.

SpamAssassin should deal with them just fine, though - it did when I was using it over a year ago.

You think 2.44 is ancient?

[ryanvm]

You think 2.44 is ancient? Feh - Debian 'stable' is still stuck with 2.20.

Re:You think 2.44 is ancient?

[Tom]

Try http://www.backports.org for woody packets of SpamAssassin 2.60 (and other software)

Aside from that, installing 2.60 into your home directory is absolutely painless. Just did that, before I learned about the backports.org website.

it's a matter of proper configuiration!

[dummkopf]

i have been using spamassassin for a year and it works great! granted, in the beginnings about 18% of the spam (in my case 18% of about 30 emails per day) would get trough. BUT if you read the manpage and tweak with the different scores a bit, you can get that down to 1 - 2% with about the same amount of false positives. as an admin, you should be able to tweak any spam filter to match your needs best.

what i can highly recommend is to increase the score of MICROSOFT_EXECUTABLE as it generally is a piece of spam. in addition the bayesian statistics are a great idea: a spam filter that learns!

as for the reviewer: if it takes this person 10 times longer to read a manpage and punch in some trivial scores into a trivially set up configuration file, then you should take his review with a HUGE grain of salt... especially since he reviewed an ancient version of the software.

finally a general comment about spamassassin: EXCELLENT software, especially for the bargain price of $0.

Re:sixty-two percent?

[Tom]

The version he's using might make the difference.

I was using 2.20 until recently. After updating to 2.60, the level of spam still coming through the filter dropped right off. It's about 1 msg. per day now, used to be at least 5 times that.

SA+MailScanner works for me

[cyways]

I've found the easiest way to implement SpamAssassin is to invoke it through MailScanner. MailScanner uses third-party virus scanners and can optionally invoke SpamAssassin as well. With the free ClamAV antivirus product, you can build a powerful open source mail scanner. Even without a virus scanner, MailScanner detects and quarantines executable attachments and other dangerous content which represent the most common types of mail-borne viruses and worms.

RedHat installs the daemonized version of SA as well as the SA Perl scripts. Using the daemon, the easiest implementation is to invoke SA in /etc/procmailrc on the mail delivery host; for mail gateways running sendmail, you need to use the milter interface. I've found the MailScanner+SpamAssassin approach much easier to configure than either of these methods, and you get virus scanning to boot!

I suspect if the reviewer had compared SA 2.60+ to the commercial products, rather than the older 2.44 version used in the review, SA would have shown better results.

I'd agree with the reviewer that one of the things SA lacks is an easy method for users to interact directly with the program. (Part of the issue has to do with security; SA runs as root. As I read the review, I wondered how the other products allow users to interact directly with the scanners without sacrificing security.) It's not easy to maintain per-user Bayesian filtering, for instance, but I generally recommend having the mail client, e.g., Mozilla, handle these tasks.

Old, and on the list

[satyap]

Not only is this somewhat old news, it's been discussed on the spamassassin mailing list. Apparently, the article was edited so that it's more anti-spamassassin than the reviewer intended, but Mr. Harbaugh also defends his review of an older version of spamassassin as "it came with my Redhat 9" (NOT a direct a quote). He also claims it took nearly an hour to install and set up. (I counter that it took seconds to install and minutes to set up).

The current version of spamassassin is 2.60.

Try the Custom Rule Emporium!

[sillypixie]

I have SA 2.6 running as a plugin to the SunONE Messaging Server (v5.2), in BAREBONES mode (ie no RBL, no Bayesian, nothing but perl regex) and it filtered 591 spam from my bosses mailbox alone on the first weekend. 12 or 13 managed to sneak through.

Since then, I've downloaded a bunch of rules from The SA Custom Rule Emporium and almost nothing gets through.

If this guy had trouble, it is the fault of the documentation, not the product. Either that, or he was dumb enough not to upgrade to perl 5.8 or above, and spent forever installing modules.

He says:

SpamAssassin is the perfect example of first-generation techniques becoming outmoded by advances in spamming technology

Funny how when you install an old version of the product, it seems outmoded, hmmm?

Sheesh.

Pixie

Re:a problem with reviewers

[AKnightCowboy]

This was just a setup to make commercial software look better or just a incompetent reviewer. Next.

Spamassassin didn't seem that hard to install. I just typed "apt-get install spamassassin" and just piped my mail through it with a procmail recipe:

:0fw
| spamassassin -P

:0:
* ^X-Spam-Status: Yes
spam

Seemed simple and straight forward. Granted, if you're doing it on an entire machine basis you'd just use spamd/spamc and setup a filter on the mail server itself. For one user though I'm not sure how it could be any simpler. If I want to whitelist people I just add them to my ~/.spamassassin/whitelist file. *shrug*

Re:a problem with reviewers

[aug24]

Bollocks, the reviewer said in the damn article why he used it. It's cos that's what comes with RH9. I've just checked on the RH web site, and 9 is their current release.

So if you want to whinge at anyone, whinge at RH. At least this shows that reviewers now think they should include FOSS in their reviews.

Justin.

POPFile

I don't know anything about SpamBayes so I cannot comment on it at all.

POPFile is easy to use. It also performs Bayesian filtering. It is what I use.

http://popfile.sourceforge.net/

My current POPFile statistics:
Messages classified: 1,440
Classification errors: 19
Accuracy: 98.68%

Re:Is there a gui tool for configuring SpamAssassi

[Salo2112]

saconf works for the Windows versions of spam assassin.

http://www.openhandhome.com/saconf.html

Re:What is a good client-side spam filter for Outl

[jpmrst]

Spamagogo doesn't have quite the same setup, but it is good, and free for now.

Re:What is a good client-side spam filter for Outl

[junklight]

indeed - I've been using this for a while now. No false positives, I see bits and pieces in my unsure folder - including the "Hi, heres that link you asked for http://spam.spam.spamcorp, cheers .." that Paul Graham reckons is the future of spam.

Given I get over 100 spams a day and I see non of them I am very happy with this indeed.

SpamAssassin+PostFix vs Exchange+Comm'l Product

[texspeed]

We replaced an SMTP relay/spam filter/virus scanner based on Exchange and a commercial product (not one of the reviewed products) about a month ago with one using PostFix and SpamAssassin (and amavisd) on RH. Incoming spam levels have been reduced by about a factor of ten with no false positives to date. This solution was not much of a challenge to implement - for a primarily Windows-oriented admin for whom it was a learning exercise. I haven't tried the products reviewed, but am more than impressed with what we now have.

Re:What is a good client-side spam filter for Outl

[keath_milligan]

I'll third that - SpamBayes ROCKS. I use it at work where our IT department just wasted huge amounts of money on a back-end solution that stops less than half my spam while at the same giving me trouble with blocking legitimate messages. SpamBayes cleans up what the back-end commercial solution misses every time.

Re:What is a good client-side spam filter for Outl

Takes about 2 seconds per message on my 1 GHz Mini-ITX based machine.

Personalized Bayesian training

[gvc]

The Bayes filter in SA 2.6 works very well but unfortunately is not well-suited to site-wide learning.

-- casual readers may skip the following details

In an attempt to mitigate this, SA makes an unfortunate mistake in its unsupervised learning algorithm - it uses a different set of rules for training than it uses for marking mail as spam or not. So you can easily have email marked as spam but have the system trained as non-spam (or vice versa). This introduces systematic bias into the learning so that spam detection can get worse in the long run. As a further attempt to mitigate this problem, the learner uses a higher spam threshold, so many spams that are correctly marked do not contribute to the learning process. There is no way to set the SA configuration parameters to eliminate these biases (setting the learn threshold does *not* do it).

--- end of gory details

It is not too difficult to set up SA for personalized learning. Just pipe your mail to the following command:

spamassassin -e

If the return code is 0 (non-spam) also pipe the mail to

sa-learn --ham --single

If the return code is 1 (spam) pipe to

sa-learn --spam --single

If you do this you are guaranteed that the statistics recorded in your personal bayes db correspond exactly to the judgements made by SA.

In addition to this you must correct SA when it makes a mistake, by piping the message to sa-learn again with the right flag. You may be able to set up a macro in your mail reader to do this.

This isn't as easy to set up as it should be, but it is *very* effective.

In the last year I've received 20,000 non-spam and over 100,000 spam messages & viruses (30,000 if you eliminated the "Cumulative Update" messages, which SA caught just fine.) About 100 spams have gotten through (a couple a week) and about 10 false positives have occurred. All of the false positives have been 'weird' - advertising, automatic responses, or web pages that were forwarded to me. As far as I know (and I do check periodically) I've had no false positives in the last 50,000 spams.

My preliminary analysis indicates that personalized learning reduces both false negatives and false positives by a factor of ten. I'll report more systematic analysis in due course.

Re:SpamAssassin

[Brummund]

That is called scoring. Gnus and other good email/news clients have this. Very useful for reading high-volume lists and avoiding USENET kooks.

Re:What is a good client-side spam filter for Outl

I, my wife, and yes - even the inlaws - run PopFile

It can be used locally, or used at the mail server. Either way, I'm over 98% alltime accuracy - with thousands of mail's checked and its very easy to config via its web interface.

Re:The review isn't as bad as slashdotters make it

[dan14807]

I am sure he was as disappointed as me that the installation didn't follow the ./configure && make && make install standard procedure, and that it defaulted to /usr instead of /usr/local as installation directory.

• su -
• perl -MCPAN -e shell
• cpan> install Mail::SpamAssassin

Nice easy way to install and keep up to date with the latest version of SA. This might be why the ./configure method was neglected, although I agree it's disappointing.

And if I remember correctly, the CPAN method does install the programs to /usr/local/.

Better way to integrate postfix and SA

[cblack]

Two things, first, it is probably more proper to match the X-Spam: YES header than the number of asterisks in the X-Spam-Level header. Then you configure you can tweak your cutoff level for X-Spam: Yes in the SA config.
Also, rather than running SA from procmail or other means, it is much more efficient and clean to run it from a seperate daemon like amavisd-new and then configure postfix to use amavisd-new as a content_filter. There are several advantages of this approach, the greatest one being that you do not have process startup penalties for incoming mails to be scanned since amavisd-new is written in perl, references the SA engine through the perl module rather than the commandline, and has a similar scalable child process architecture to apache and many other network server daemons. Other nice things about amavisd-new is that you can integrate many different virus scanners with it as well as SA and it will handle all the subject rewriting, mail deleting, etc for you.

Re:What am I doing wrong?

[Pasc]

Are you running the newest version? 2.60 is much improved over previous versions.

If you are running 2.60, have you trained and enabled the bayesian filters? By default you need to feed SpamAssassin about 300 spam and 300 ham (non-spam) messages for it to learn the difference. It will auto-train itself over time but it only auot-learns on messages that are very obviously (to it) spam or ham.

If you normally only get email from a select list of people then you may want to lower your threshold. For people you routinely recieve email from, SpamAssassin will remember that they usually don't send you spam so if you occasionally get something with a high score from them it will automatically lower it a bit. So, you can lower your threshold and still not get any false positives.

I have my required_hits set to 3 and the only false positives I've seen (since switching to 2.60) have been mailing lists (one was from LinuxWorld, the other from another news site) and not person-to-person email. I recieve 50-60 spam messages a day and only one or two a week gets into my inbox.

spam cathing - >99%
false positives (normal email) - 0%
false positives (mailing lists) - .5%

I do some stuff to keep SpamAssasin's bayesian filters well trained. Every couple weeks I will go in to my spam folder and quickly page through it. If I see a spam that the bayesian filters gave a low score (less than 90% sure it is spam) I will pipe it (I use pine) to sa-learn to train the bayesian filters (unless it was autotrained).

MailScanner on Fedora Core 1

We've just started using MailScanner on a box running Fedora Core 1 here. So far MailScanner with SpamAssassin, DCC, Razor and Pyzor is doing a good job, but it is too early for us to get meaningful statistics. A nice web front end for MailScanner is MailWatch, and we monitor the throughput and performance of the box with MailScanner-MRTG.

Phil

Spamassassin and other tools.

[hoyhoy]

I wrote an article about the open source tools that I use to keep Spam out of my inbox here:
http://www.involution.com/spamstats.php

Catching false positives.

[jelwell]

Here's how I catch false positives. But basically you should just learn to live with either false positives or spam. Take your pick.

I turned subject rewriting on:
rewrite_subject 1

Then I set the subject tag to include the hit number:
# Text to prepend to subject if rewrite_subject is used
subject_tag *****SPAM****:*_HITS_*

then in your email client you can sort your JUNK messages based on subject. This will put the tagged spam messages with the fewest hits at the top. That way you can easily look at messages with the fewest hits.

I added another level of filtering to avoid looking at totally bogus spam messages. I setup two folders in my email client. "SPAM" and "EVILSPAM". I have a procmail filter that pipes spam messages with hits greater than 10 to EVILSPAM, that way I don't even look at them. All other spam goes to SPAM: :0 H
* ^X-Spam-Status: Yes, hits=[0-9][0-9]
mail/EVILSPAM :0 H
* ^X-Spam-Status: Yes
mail/SPAM

Your email client can probably do this for you, instead of a procmail filter. But this way I can use webmail and all my rules are on my server, not on my client.
joe.

The author replies.....

[macdaddy]

I received a reply from the author, Logan Harbaugh, a little while ago. It would seem that I'm not the only person that stood up in support of SA. Apparently there was a reason he used an ancient version of SA. It would seem that the reason was supposed to be in the article but that the editing staff stripped it out prior to being published. Here is Mr. Harbaugh's reply:

Date: Tue, 25 Nov 2003 11:40:33 -0800

From: Logan Harbaugh
Subject: RE: In regards to your article titled "Commercial solutions win, spam loses"

To all concerned, I apologize for the apparent maligning of SpamAssassin in my recent article in InfoWorld. In my original article, I stated that I used the 2.44 release of SpamAssassin for two reasons - because it was the version shipping with the latest release of Red Hat 9 and because it would illustrate how much the state of the art has changed in the last year or two. This explanation was condensed in the finished article by copy editors, which is beyond my control. This will be covered in the letters to the editor section of InfoWorld so the rest of the world will know that I did not deliberately use an old version of SA to show it in a bad light against commercial products. I plan to review the current version in an upcoming article, and I am sure that it will perform better.

Regarding some of the other comments that have been made in the many emails I've received defending SpamAssassin, some of you have said that SA is not hard to install, taking no more than an hour or two to download, install, configure and begin using. That is consistent with the 10 times longer number I used, because the other installation and configuration times were all around 5-10 minutes. You have said that an experienced Linux administrator doesn't find SA difficult to install or configure, and that additional functionality such as user-accessible white lists can be added, either through additional open source software or by writing scripts or programming to extend the functionality of SA. That's true, but not really relevant, unless there is a distribution that contains all of those features.

You have also said that I should have taken into account the fact that it doesn't cost anything before making statements about it being harder to install, configure and manage than the commercial products. SA does cost - but in an administrator's time rather than money, which I did say in the article.

The same is true of support - while you may get faster or better support through this group than you get with commercial software, there's no guarantee that you'll get any support at all - and most organizations will find that hard to live with.

So, when I review the latest version of SA, you can expect performance to be better, but I will still look closely at installation, administration, updates, maintenance, reporting, granularity of management, and end-user features for SA, just as I will for any other anti-spam packages I review.

Again, my apologies for creating a story that distressed so many of you. I do try to create balanced reviews that reflect the pros and cons of all the products reviewed.

Thanks,

Logan G. Harbaugh

Thank you to Mr. Harbaugh for replying. His second paragraph still indicates that he doesn't realize that the current release of SA has all the features he said were missing. I look forward to this being corrected in a future article. I didn't go into much of a free vs commercial debate in my reply; however it seems that some folks did. I also didn't touch on the support issue. Frankly I find that support really isn't needed as long as the admin is compotent. I was involved in a discussion yesterday with a company I consult with. The topic of the discussion was which Linux distro we should use in the future now that RH is going towards an entreprise distribution and support contracts. Many seemed to believe that we should have technical support for whatever distro we chos