SpamAssassin Gets a Promotion

darthcamaro writes "The folks at internetnews.com are reporting that the Spam Assassin project has been promoted to a full top level Apache Software Foundation project..the project has been in incubation for a while and it's finally made it through...the article also reveals that Apache is now using Spam Assassin themselves: 'I think spam filtering is now a critical part of the network infrastructure and Spam Assassin is a leader in the area,' said Daniel Quinlan, chairman of the Apache Spam Assassin Project Management Committee."

Bout Time!

[Irie+Brother]

A well configured installation of SA got me employee of the month way back when. Sadly, UCE/UBE is/has ruined the Internet. Finally.

Re:Bout Time!

[jest3r]

Today spam assassin filtered (flagged) 19,246 incoming emails out of 20,145 total on my mail server. Absolutely no false positives since I installed it a year ago .. and only a few false negatives. I silently drop anything with a score over 13 ... my cstomers are happy .. my qmail remote queue has been happy .. spam assassin is a quality app .. spam is really not a concern anymore.

Re:Bout Time!

[Mazem]

Absolutely no false positives since I installed it a year ago ..

... that you know of.

Re:Bout Time!

[Jacer]

spam is really not a concern anymore. You mean except for bandwidth I assume.

Re:Bout Time!

[tzanger]

I do the exact same thing, but with a score of 12. Anything that trips the filter as spam gets dumped into a spam folder off the main maildir and they can use IMAP or check with webmail to see what spam they have. A cron script erases anything in the spam folder older than 2 weeks. Oh yeah, and individual users can alter their own white/blacklists and scores since I pull the username and match the scores in a postgres database. Combined with clamd and qmail-scanner, it's heaven. :-)

As for the incoming mail I found that checking against a couple of RBLs has made ALL the difference in keeping the system load down. tcpserver checks against a .cdb file filled with entries from CBL and DNSRBL. Anything matching doesn't even see the real SMTP server and thus doesn't get scanned at all.

Re:Bout Time!

[paperguy]

That's a 95.5% spam rate. What are your users doing to generate so much spam?

Re:Bout Time!

[Just+Some+Guy]

I "augmented" SpamAssassin with an extremely tight Postfix ruleset. A remote server has to jump through these hoops before SA ever gets a crack at it:

1. HELO Filtering

1. Reject any connection that doesn't start with HELO or EHLO.
2. Allow any host on my LAN to continue on to step 2.
3. Reject any host not on my LAN that sends a hostname or IP of a machine on my LAN.
4. Reject non-FQDN hostnames (ala "mailserver").
5. Reject invalid hostnames (ala "432$@@112").
6. Let everyone who makes it this far continue on to step 2.

2. Sender Filtering

1. Allow authenticated senders to continue on to step 3.
2. Allow hosts on my LAN to continue on to step 3.
3. Reject non-FQDN sender domains ("foo@bar").
4. Reject unknown sender domain ("foo@imaginarydomain.com") - after all, if I can resolve their domain, then I couldn't reply to them anyway, right?
5. Let everyone who makes it this far continue on to step 3.

3. Recipient Filtering

1. Reject non-FQDN recipient domains (they'd bounce anyway).
2. Reject unknown recipient domains (same as above).
3. Allow authenticated users to send their mail and stop processing.
4. Allow hosts on my LAN to send their mail and stop processing.
5. Reject mail from anyone else that isn't to one of my domains, or one I'm an MX for.
6. Use SPF to reject spoofed email.
7. Use the relays.ordb.org, list.dsbl.org, and sbl-xbl.spamhaus.org DNS blackhole lists.
8. Greylist all email not coming in from or going out to peer MXes.
9. Pass everything else to step 4.

4. Content Filtering and Delivery

1. Use ClamAV to reject viruses. This takes a big load off SpamAssassin.
2. Use SpamAssassin to tag messages.
3. Use Cyrus's Sieve to reject high-probability spam, put medium-probability messages into a "review" folder, and filter everything else into the appropriate folders.

I reject over 95% of all incoming mail before it ever gets to SpamAssassin. This means that SA's success rate isn't as good as on other systems (since I weed out all of the obvious spam), but my mailbox is happy and shiny.

SpamAssassin is a brilliant last line of defense, but I wouldn't advise just dumping your raw incoming stream into it. Much of the useful information about a message isn't available to spamd (such as your list of local domain names, relay domains, etc.) and you should consider using a set of cheaper filters to flush out the blatant chaff.

erm

[bruns]

Perhaps Slashdot editors might want to take an extra 20 seconds to check the spelling of the URLs they put in their stories.

spamassassin.org, not spamassasin.org

Re:erm

[simoniker]

Fixed, sorry about that.

Great News!

This is great news! I have been running SpamAssassin on my box for quite a while, just to filter my own mail. I recently installed it on my mother's Windows 98 box to filter her mail when she checks it with Outlook Express, and she hasn't complained about Spam since. With a bit of tweaking, its been catching 95% with no false positives. Hopefully the SpamAssassin project will keep on getting better :)

Re:Great News!

[NigritudeUltramarine]

A success rate of 95% really sucks when (like me) you get just over 2,500 spams a day. That'd still mean around 125 spams a day would be getting through. (I've had the same email address since the early 1990's, back when there was no reason to keep your email address "secret.")

Personally I do use SpamAssassin, but as an intermediate step.

First step: Check a whitelist of known senders. Deliver if the sender is on the list, AND the message originated from an IP subnet that I allow for them personally.

Second step: Scan with SpamAssassin. If the score is really high (above 20) throw it the hell out.

Third step: If the score is less than 20, and the person wasn't whitelisted, run the message through TMDA and politely tell the sender I'm not sure who they are, and I get a lot of spam, and could you please click this link to prove that you're a real person.

I've been using this three-step system for eighteen months now, and out of over one million messages that have come into my mailbox (really), exactly FOUR spam messages have made it all the way through. Apparently the spammers decided to go ahead and click on the little link, or they used a real person's return address, and when that person got they autoreply, they were too stupid to understand what was going on.

Even better, I have not received ANY indiciation that I've lost any messages; at least, no one has ever mentioned anything about an email that I didn't get.

I've got five other people at my domain using the same system, although for not quite as long (one for fifteen months, three for about a year, and one for just a month now); they have all had similar success.

So based on those numbers I'd estimate a success rate of 99.9997% for eliminating spam (which is, admittedly, COMPLETELY INSANE), and a false-positive (or at least "lost message") rate of 0% so far (fingers crossed). A few people have had to confirm their messages, of course, but I've whitelisted them as that happens.

I actually wrote all the connecting code in PHP, believe it or not, with a MySQL database as a backend. It's invoked using .qmail files. PHP is indeed good for things other than web pages; and was a little bit easier for me to maintain and deal with than Perl. The whole thing is less than 25KB of code. There is also a web backend which I use to configure it; that adds another 40KB.

The whole system took about twelve hours of programming to set up, on one Saturday.

Now, for correspondence to companies (such as Microsoft, or Amazon.com), I use a different scheme (although it's handled by the same PHP code). I create up a unique email address for each of them, which ONLY allows mail to or from that domain (for example "rptamazon@mydomain.com" only allows messages from amazon.com). Those addresses are also easily cancellable, individually, if the company starts to annoy me with spam. Basically, each email address can be assigned its own unique whitelist, and can be cancelled individually at any time, through the little web interface.

I also have a number of email addresses for things such as customer support for our company (I write computer software). I'm using the same system for those, also, but instead of checking whitelists based on the sender, I've found a simple way to do it is to check for ANY of our product names anywhere in the message body or subject. If the message doesn't mention any of them, it sends a simple autoreply back similar to that in (3) above, but mentioning that the message didn't seem to be about any of our products, but if it was, please click here, blah blah. We don't have a high volume of support messages (about one or two a day; we're a small company) but in the last year only three or four people have had to click through like that, and, honestly, their support requests were so f*cked up anyways that I'd rather it just dropped them on the floor. ;-)

Then, as a very last ste

Re:Great News!

[WebCrapper]

I'd be interested in seeing the scripts you have setup for a project I'm involved with. Any thought of sharing?

Re:Great News!

[kidlinux]

Do you use sa-learn to teach SA about new spam? I have spam tagged email dumped to a Spam folder on my imap server so I can go through it and make sure there aren't any false-negatves. I then move all the spam to a shared folder and run an sa-learn script on it nightly.

Currently I have amassed 3681 spams totalling 76 megs. I should probably empty that directory sometime :P

sa-learn makes a big difference though. Helps with the misspellings and random junk. Havn't seen a Nigerian scam come through either. In fact, I think I might see 2 spams a month or something - when the spammers figure out a new technique I guess, but just feed it through sa-learn and all subsequent spams are toast.

Re:Great News!

[mkettler]

Word salad I can understand (if you bayes isn't aggressively trained at least).. I don't have problems with it, but my bayes is very heavily trained. (100-300 spams a day manual training)

What I don't understand is the base64 problem.. One of the first thing SA does is decode base64. Even "rawbody" rules get base64 decoding, so really base64 encoding shouldn't make a difference at all, as SA never examines the encoded text.

As for the intentional mis-spellings of V!agr0, check out antidrug.cf (use google) or wait for SA 3.0 which includes this set of rules as a part of the standard distribution.

Disclaimer: I am the author of antidrug, and thus do have a bias here.

Re:Great News!

[duncf]

Third step: If the score is less than 20, and the person wasn't whitelisted, run the message through TMDA and politely tell the sender I'm not sure who they are, and I get a lot of spam, and could you please click this link to prove that you're a real person. ...

So based on those numbers I'd estimate a success rate of 99.9997% for eliminating spam (which is, admittedly, COMPLETELY INSANE), and a false-positive (or at least "lost message") rate of 0% so far (fingers crossed).

Yeah that is COMPLETELY INSANE. You have no idea how many legitimate messages you fail to get because the sender couldn't be bothered, or quite simply can't (i.e. automatic sender, but non-spam) click that link.
TMDA is bad.

Re:Great News!

[NigritudeUltramarine]

Yes, I would definitely like to make this stuff publicly available; I know a lot of people would be interested. I need to find a good way to do it. I'm a bit worried about drawing needless attention to myself by releasing such a thing--for example, the system is NOT foolproof, so I could certainly see myself becoming a target for attacks and such.

Hopefully I'll find some free time later this summer (two big big programming projects I'm working on now are ending next month) and I'll see if I can take a weekend and put a site together. I'll submit it as a story to Slashdot (and if it doesn't make it, post it in my signature and leave comments about it everytime someone mentions spam here).

The unfortunate thing is that making this public will increase work for me, of course (people needing help with installations, or submitting patches, etc.), so I'd like to find a way to mitigate the work involved. I don't really know what's involved in setting up an open source project; perhaps I'll look into SourceForge and see what the deal is. Normally I write commercial software; I don't know whether or not something like this could be sold or not. Obviously, if people were paying for it, providing support and taking time away from paying projects wouldn't be as big a problem for me since I'd be compensated. :-)

Alternatively, I've also gotten suggestions that I should keep the software to myself, and offer a paid service where my servers are the MX (mail) hosts for people's domains, giving them POP and IMAP access. I've actually been doing exactly that for my friends over the past six months or so; it's worked out well (four domains for friends currently) but I'm not sure how much the system can scale before I start running out of resources (bandwidth, CPU time, etc.). I'd really have to calculate everything carefully and work out the economics in order to do something like that as a real commercial venture.

Here is the real link to spam assasins site

[vespazzari]

For those looking for the official spam assasin site here it is

The link in the text goes to some search page

DSpam

[Pinball+Wizard]

After using SpamAssassin for quite a while, it just wasn't cutting it - 75%-80% accuracy is still a lot of spam to go through and delete. I added DSpam to my mail server and my spam catching rate is now better than 99%.

DSpam also came with much better directions for integrating with Exim than did SpamAssassin. As fond as I was of SpamAssassin, they have some catching up to do.

Re:DSpam

DSpam 3.0 is definitely not easy to set up. Add to that there is a database that needs to be set up on the back-end, and lots of configure flags at compile-time, plus permissions issues, etc. etc.
It's also not very easy to understand how it works, or configure your mail client to easily train it, or to configure procmail how to properly call it (there are a lot of command-line flags as well).

That being said, IT IS WORTH IT. A properly set up and trained DSPAM filter will SOLVE your spam problem. Training time usually takes about 2 weeks and the results are fantastic after that.

You can also set it up a number of ways - server-side, user-side, with postfix or another mail server, with procmail or without. Relay or not. It's up to you.

Re:DSpam

[prockcore]

I added DSpam to my mail server and my spam catching rate is now better than 99%.

I haven't seen any false positive stats on dspam. It's easy to say a spam filter has a high spam catching rate, but it means nothing without a very low false positive rate.

Redirecting my mail to /dev/null gives me a 100% spam catching rate.

Re:DSpam

[fyonn]

I've only had dspam installed for a week or so but my stats are as follows: I've taught it 43 spams (ie from a database of nothing, 43 got through and I've trained on them) and 1 false positive (an itms reciept)(again taught to the system) and since then it's been pretty damn good. it's flagged 632 spams and let 730 innocent spams through correctly.

I've got my system set to deliver spam to a spambox which I check nightly for false positives.

and the docs say that I ought to have alot more training before it's up to standard. it's already better for me than SA was.

dave

Re:DSpam

[Huge+Pi+Removal]

I have to say I had the same problem with SA missing a lot (mind you, I have yet to upgrade to newer versions), and Dspam solved it. Having said that, I still use SA as a "first pass", and delete any mail with a score of >9 or so (I would put it lower, but any false positives and users would complain). This leads to less mail in the dspam quarantine.

It's a bugger to set up with Procmail, but if anyone wants a peek at my config file, just e-mail... One thing I did do was forget about that whole "forward spam to this e-mail address" thing: just too much trouble for users. Instead I created a special IMAP folder into which users could save spam, then a simple script corpus-feeds the contents of that folder into Dspam each night.

Oliver.

Re:DSpam

[Chief+Typist]

The best feature of DSPAM, in my opinion, is that the SPAM never leaves the mail server.

The bad messages go into a quarantine on the server and can be reviewed by the end user using a web-based interface (looking for false positives.) In the press of a button, that quarantine can be emptied, freeing up disk resources on the server.

Other SPAM solutions (like SpamAssassin) mark the message and continue with delivery. What's the point in downloading the SPAM to your mail client just to throw them away?

-ch

If Only It Was For Real

[Nom+du+Keyboard]

If only it truly assassinated spamers.

The problem is...

[Lord_Slepnir]

See, i'm not interested in Assassinating Spam. Now if there was a SpammerAssassin, then I'd be all over using that.

what to do with spam after it's id'd?

[Hollins]

What do you do with mail SA has flagged?

I like SA, and find it is very good for identifying around 95% of my incoming spam. However, I also have around 0.1% false positive rate, which means at some point I have to look through all the filtered spam messages and make sure none of them were legit.

I need a better tool for handling mail SA has identified as spam, either server-side or client-side. I'd like to delete anything with a score > 15, simply store anything with a score > 5, and send an auto-reply for scores between 5 and 10 indicating that the message was marked as spam and I'll probably never look at it.

A good set of procmail and formail rules will accomplish this, but my hosting company has a weird procmail setup and I'd prefer something easier to implement.

Any ideas?

Re:what to do with spam after it's id'd?

[dasunt]

I need a better tool for handling mail SA has identified as spam, either server-side or client-side. I'd like to delete anything with a score > 15, simply store anything with a score > 5, and send an auto-reply for scores between 5 and 10 indicating that the message was marked as spam and I'll probably never look at it.

Procmail can do it, but please reconsider the auto-replies. What happens if I'm pissed at bob and decide to sent out 1m spams with the return address of bob@example.com? More common, what about viruses that forge headers?

I would consider auto-whitelisting instead.

Re:what to do with spam after it's id'd?

[Twirlip+of+the+Mists]

I need a better tool for handling mail SA has identified as spam, either server-side or client-side.

Yes, you sure do.

Odds are that this doesn't apply to you, but the Mac OS X mail program, Mail, does a brilliant job. It recognizes the YES or NO header that SpamAssassin adds to filtered messages and, depending on your preferences, filters accordingly. By default it merely flags spam messages with a little trash-bag icon and leaves them in your inbox. At the flip of a switch, you can have the program automatically move spams into a Junk folder that (again, depending on your prefs) can be automatically emptied every week or month or day or whatever.

If your mail program doesn't already do this, then your mail program sucks. ;-)

Re:what to do with spam after it's id'd?

Sending an auto-reply on scores between 5 and 10 (or any other range) makes you part of the problem, not part of the solution.

I have a very well known address (which is why I'm posting as an Anonymous Coward :-) that receives many hundreds of messages every day. My mail server deals with about half of the spam I get. Well over half of the rest is autoreply responses from idiots who don't understand that *I* never sent that message in the first place -- the from address was forged by a virus.

The correct response to spam is to throw it away. Trying to reply to it makes the world worse, not better.

Re:what to do with spam after it's id'd?

[Cato]

Auto replies would also get your address marked as 'confirmed valid' i.e. able to receive emails, even if you don't read the spam, so you'll probably just get even more spam.

Re:what to do with spam after it's id'd?

[antsquish]

I know you mentioned procmail, but for those using Courier IMAP's maildrop, here's what I use in my ~/.mailfilter for SpamAssassin. I've just pasted the relevant sections, but it logs all deliveries, I then filter known recipients into their own folders (not shown here), then any unknown messages are filtered through Spam Assassin. Messages with a score > 10 are sent to /dev/null, while others are delivered to a spam folder.

logfile "/path/to/my/home/dir/maildrop.log"

###
### Maildrop variable substitution
###

MAILBOX="./Maildir"
DEFAULT= "$MAILBOX"
SPAM="$MAILBOX/.Spam"

###
### SpamAssassin :: filter out spam mail
###

# Filter through SpamAssassin
xfilter "/usr/local/bin/spamc"

# Handle messages marked as spam
if ( /^X-Spam-Flag: YES/ )
{
# Store messages flagged as spam in another folder; uncomment
# this during testing just in case any legit mail gets sent
# to /dev/null
#cc "./spam-store"

# Delete messages with a score of 10 or higher, filter all other
# spam messages into a spam folder
/^X-Spam-Status: yes, hits=![:digit:]+\.[:digit:]+!.*/
if ( $MATCH2 >= 10.0 )
to "/dev/null"
else
to $SPAM
}

What's the big deal?

[FireBreathingDog]

Everyone on Slashdot always seems to be complaining about spam. I don't see what the big deal is. I enjoy receiving e-mail from people and companies I don't know. Each morning when I run my e-mail program, it starts downloading, and the unexpected e-mail is a pleasant surprise that brightens my day. Well, a few hundred pleasant surprises that is, and they brighten my day in the same way that stepping in a pile of dogshit brightens my day. A few hundred times. So what the fuck? Why are all you whiny bitches on Slashdot always complaining about spam? Don't waste your time writing or deploying spam blockers. Enjoy life. And relax. Assholes.

You people need to stop being so cynical

[Enlarge+Your+Penis]

I don't employ Spamassassin or any other spam blocker. As a result, I now have a penis that will make her scream, hot lesbian schoolgirls lusting after my every move, a wide range of generic drugs, 2 PhDs and a completely clean credit record

A step up from living in your parent's basement and whacking off to an inflatable doll, right?

I'd stay and chat, but I have to get back to a Nigerian man about a bank transfer

Re:You people need to stop being so cynical

[cryms0n]

I am no expert on inflatable dolls, but I think you are supposed to make love to them, not whack off looking at them.

sorting mail by spamassassin score

[David+Jao]

I'd like to delete anything with a score > 15, simply store anything with a score > 5, and send an auto-reply for scores between 5 and 10 indicating that the message was marked as spam and I'll probably never look at it.

I can't speak for auto-replies, but you can do the sorting part client-side. The key is that spamassassin adds a line like "X-Spam-Level: *****" where the number of *'s is the score of the email. Almost any email client can filter mail to different folders based on headers. The unary representation of the spam score ensures that even a primitive filter can work.

For example, one popular client is Microsoft Outlook, and there are several web pages in google (such as this one) that explain how to reroute mail to specific folders depending on the spamassassin score.

Don't worry

[KalvinB]

they'll get it when they post the story again.

Ben

a better approach: reject the mail

[Trepidity]

If you integrate it with your mailer, you can reject the mail during the SMTP session rather than generating a separate bounce email, which would have the problems you mentioned (going to a forged from: address). As an added bonus, when you reject it during the SMTP session, you'll get taken off a lot of spam lists, since your address will look like it had delivery problems. And you still get the advantage of bounces, that legitimate mail that got rejected will end up with a bounce back to the sender informing them of it.

Get the owner, not the dog.....

[Univac_1004]

Spam Assassin, while a very clever program, is as misdirected as the "Canned Spam" legislation. It has no effect on the real economics of spam: who pays for it.

Somebody is paying for the spamming, and we know exactly who it is. The URL of that organization is prominently displayed in every item of spamail. It is the advertiser.

The advertiser is right there out in the open, easy to locate. If they're not, the spam isn't doing its job, and wouldn't have been sent. And easy to locate means easy to go after, easy to sue, to fine, DoS or whatever.

Dinging the advertisers, and dinging them hard, will instantly put the spammers out of business.

Spamming can be eliminated without blocking, white lists, or anti-spoofing RFC's. Just go to where it's pointing.

To draw an [ugly, graphic] picture: a dog comes and poops on sidewalk in front of my house, and I step in it. Yelling at the dog is going to be only moderately successful, building a poop filter is difficult, messy, and leaky (as Spam Assassin demonstrates) . Following the dog's leash and fining the owner is what works.

The owner doesn't bring the dog back since s/he doesn't want to pay another fine.

No owner, no dog, no spam.

Get the owner.

Kill the spam.

Re:Get the owner, not the dog.....

The advertiser is right there out in the open, easy to locate. If they're not, the spam isn't doing its job, and wouldn't have been sent. And easy to locate means easy to go after, easy to sue, to fine, DoS or whatever.

1. Send out spam pointing to competitor's website
2. Watch them get sued/fined/DoSed/whatever
3. Profit!

Re:Get the owner, not the dog.....

[Chatmag]

What I had suggested in other posts regarding spam is this:

Let the FBI actually buy something from a spammer, trace the money, as its being bought with a CC, then prosecute whoever cashes the CC transaction. They do buys for drug busts routinely, so why not.

3.0, late-July, early August

[chathamhouse]

3.0.0pre1 was made available last week.

It will apparently take another month or so to finalize the weighting of the rules.

I've put 3.0.0pre1 on a production system that filters ~350k messages per day. With some tweaking of the RBL, bayes, and AWL rules, it is much (~10%) more efficient at tagging spam than 2.63, which I'm running on a parallel server that also sees ~350k messages/day (load balancing is your friend).

More info: http://www.au.spamassassin.org/full/3.0.x/dist/bui ld/3.0.0_change_summary

Re:Spam... I just don't get it.

[cpghost]

Publish your addy on /. (or anywhere else), wait a few days, and have fun!

Re:I prefer my method - sacrificial subdomains

[cpghost]

As a side note, I don't use these email addresses for personal emails - I can hopefully trust that the people I personally send emails to are not, or are not going to become spammers.

Well, that is not a very secure assumption. Unless you know that all those people are not using an MUA/OS combination that is vulnerable to viruses or worms. Harvesting addresses is done that way nowadays...

Re:Challenge-Response schemes are more effective

[Vellmont]

I've been running SA since February, and have had a grand total of ONE false positive out of a few thousand emails. The message was from a new account, very short, and in HTML. That address has since been added to my autowhitelist. SA couple with Amavisd-new and clamav has reduced my spam volume by about 95%, and my virus emails to zero. It's a great product and I'm looking forward to 3.0.

Re:3.0?

[Brian+the+Bold]

Have a look at the Rules Emporium at:



I use the rules there, and even minor spam gets obliterated with no problems of catching real mail.

I recommend it!

throws away ANY bulk mail

[gfody]

not all bulk mail is spam. spam assassin gives 2.4 points if it finds anything that looks like a unique identifier for X-Sender, and another 1.4 points for anything that looks like a tracking image or tracked link.

that plus the points for any non-safe html colors or any html at all, SA effectively tags ANY bulk mail as spam!

For an end user to setup on their client (as a "junk mail" folder) thats great.. I like to have bulk mail seperated from my personal mail, but for an ISP to throw it away before it even gets to the intended recipient is fucking rediculous and should be illegal.

The only email an ISP should be allowed to discard are the ones with attached viruses or some known email worm. The only reason your customers are happy with you throwing away their email is because you don't fucking tell them.

Re:throws away ANY bulk mail

[0x0d0a]

but for an ISP to throw it away before it even gets to the intended recipient is fucking rediculous and should be illegal.

Thank Microsoft. ISPs could easily just add a header line and let the user filter on it, but Outlook Express is crippled from Outlook in that it can't match on arbitrary header lines, forcing ISPs to delete or leave alone.

I agree that SA is great client-side, which is how I use it. The problem is that it isn't plug-and-play on even *IX, and it's not trivial to set up on the client side on Windows.

You can even run spamassassin directly on Exchange

[AssFace]

Many people use spamassassin on unix boxes, or if they have Exchange they use SA on a unix gateway between the net and the Exchange system.
But if you are a smaller shop and don't have the resources for that, then you can run sa right on Exchange.
Here is a write up on how to do it (that particular write up is for Exchange 2003 and SA 3.0, but it will work for SA 2.x as well, and for Exchange 2000 - or any combination thereof - but it won't work on Exchange 5.5 that I know of).

Re:Challenge-Response schemes are more effective

[jdowland]

Challenge/Response is fundamentally broken. For more information, take a look at some discussions on the topic from debian-user: here's one. There's a few google-harvested discussions on the topic too.

Re:I'll never need Spam Assassin

[cpghost]

You're just plain lucky. It's a fact of life that at least one of your email pals will use Windows, and store your emails in an Outlook or Outlook Express mail folder. Some days later, your pal will catch a worm or virus, and this little spam helper will harvest all those addresses, including your beloved, "protected" addy.

Re:Challenge-Response schemes are more effective

[cpghost]

We shouldn't feed the trolls (eh. ACs), but I'll bite anyway, because it's a valid argument.

You also ban all innocent bystanders than send you regular 550: no such user bounces, right? TMDA messages are exactly like bounces if you think of it. They appear automatically generated on purpose. It's a piece of cake to filter them if you dislike 'em. It's not like spam which tries to deceive you.

Now, trying not to be too caustic, backscatter is a fact of life. If you really want to avoid this completely, you have to follow a strict whitelist policy. Some people actually do this, and if you must, go ahead, block all TMDA users. It's your decision to allow/disallow users (legitimate or illegitimate), bots, or spammers to access your network. That's exactly what TMDA is all about: putting the recipient, not the sender, in control.

OTOH, it's up to TMDA's users to decide how they control their own networks. If it helps stem the spam tide (and it does extremely well!), it will be used. Sending innocent bystanders a 550: No such user or a TMDA confirmation message with a list of full headers is qualitatively the same; perhaps even better, because if you belong to some spam busters brigade, you're free to use those headers to RBL the initial offender, dynamic IP zombie or whatever.

Instead of whining about backscatter, fix SMTP or your legislation (or both). In the mean time, C/R systems are the only alternative to content-based filtering. If you combine C/R and C/B systems, you also reduce the amount of TMDA bounces. Permbanning only helps the spammers by intimidating potential TMDA users and slowing down a more widespread adoption of C/R systems (which would also dry up the spam stream substantially). But, as said, you're the recipient, and you're free to do whatever you like. It's your resources. Make good use of them.