EmailDiscussions.com - View Single Post - How To Improve SPAM Filtering using Runbox Filters

carverrn · 30 Jan 2004, 05:00 AM

2005-07-15: This information hasn't been updated since Runbox implemented the trainable DSPAM filter. But much of the information is still relevant.

A blocklist doesn't do much good for most SPAM since SPAM doesn't usually
have a valid "From" address nor use the same "From" address everytime.

Here's what seems to work very well for me.

(1) For "Detect junk mail" select "Yes, reject if possible"
I no longer recommend selecting this option. See below for details.

This allows Runbox to reject a message at the time it's being received,
if it is flagged as SPAM and if everyone receiving the message has agreed
to reject SPAM. I originally didn't use this option but the Linpro guys (the
ones hosting the Runbox mail servers) convinced me it's a good choice.

2005-07-15: After using "reject if possible" for a while I decided it's not a feature worth using. It can cause more problems than it solves. First, if you receive messages from groups like Yahoo Groups or Google Groups it can bounce spam messages back to Yahoo or Google which will cause your address to be marked as "bouncing" and you'll stop getting mail from your groups until you reactivate your address. Second, since a lot of spam is bulk mailed to many users at the same domain there's a good chance that for a given spam mail at least one user will not have selected this option so for that message it's disabled for everyone. Finally, it's probably more likely to bounce a valid message sent just to you that was incorrectly flagged as spam and you'd never know it.

(2) Create a "Spam" folder and a filter defined as:

Order: -2
Messages where: "Header" "contains" "X-Spam-Flag: YES"
will be: "saved to folder" "Spam"

By selecting "reject if possible" for the "Detect junk mail" option,
we have also disabled the ability to move SPAM to a Spam folder. This
defines our own Spam Filter that will do the same thing the original
Spam Filter did.

If you want your Spam Filter to be more restrictive, like have a cutoff
of 4 instead of the default of 5, you can define your filter like this:

Order: -2
Messages where: "Header" "contains" "X-Spam-Level: ****"
will be: "saved to folder" "Spam"

For this filter, any message with a score greater than 4 (e.g. 4.1) will
be moved to the Spam folder.

(3) Create a "NotInWhiteList" folder and a filter defined as:

Order: 999
Messages where: "Header" "doesn't contain" "USER_IN_WHITELIST"
will be: "saved to folder" "NotInWhiteList"

This should be your very last filter. If a message makes it all the way to
this filter, it's next stop would be the Inbox. This filter will make sure
that the message is from someone in your Whitelist, if not, it moves it to
the "NotInWhileList" folder.

Initially you will have messages in your "NotInWhiteList" folder that you
either want to add to your Whitelist or create a filter to move it to a
folder (could even be the Inbox). You will also have SPAM that wasn't caught
by SpamAssassin. Eventually, as you update your Whitelist and filters, the
"NotInWhiteList" folder will contain mostly uncaught SPAM.

(4) Messages over 250K in size are not scanned by SpamAssassin. The reason
being that mail that large is unlikely to be SPAM. Unless these messages are
moved to a folder by a filter, they would end up in the "NotInWhiteList"
folder because they will never contain the "X-Spam-Status" header for the
"USER_IN_WHITELIST" check. To avoid this you can add the following filter:

Order: 998
Messages where: "Header" "doesn't contain" "X-Spam-Status"
will be: "saved to folder" "Inbox"

This moves ANY message that hasn't been scanned by SpamAssassin to the Inbox.

Or you could create a NotSpamChecked folder and move it there.

(5) Add addresses of people/places you expect "ham" (not spam) email from
to the Spam Filter whitelist.

When SpamAssassin checks a message it will check the whilelist for the
"From" address. If it finds the address, it will add "USER_IN_WHITELIST"
to the "X-Spam-Status" header in the message.

(6) Add filters for Mailing Lists and Groups. For mailing lists or groups
(e.g. Yahoo Groups) that use the senders real email in the "From" address
instead of the list/group email address, setup filters to move these messages
to the proper folder. If they use the list email address in the "From" address
you could White List it instead but you still might want to have a filter to
move them to a folder.

(7) Add other filters as needed/wanted.

Messages are checked by SpamAssassin as they arrive at the Runbox servers.
However, messages flagged as *SPAM* are not filtered until your filters are
processed. The Spam Filter runs at an order value of "-2".

If you want your filters to run BEFORE the Spam Filter, allowing you to handle
ALL messages, your filter order values must be less than -2 (-3 through -99).

If you want your filters to run AFTER the Spam Filter, allowing flagged SPAM
to be filtered, your filter order values must be greater than -2 (-1 through
999).

CAUTION: You can have multiple filters with the same order value. Within
the same order value, filters are processed in the order in which the entry
was first added to the database. The filters page will show the filters in
the order processed.

It may seem a bit complicated but it's working really well for me.

Regards,
Rich

30 Jan 2004, 05:00 AM	#1
carverrn Intergalactic Postmaster Join Date: Jan 2002 Location: Chicago, IL Posts: 5,606 Representative of: Runbox.com	How To Improve SPAM Filtering using Runbox Filters 2005-07-15: This information hasn't been updated since Runbox implemented the trainable DSPAM filter. But much of the information is still relevant. A blocklist doesn't do much good for most SPAM since SPAM doesn't usually have a valid "From" address nor use the same "From" address everytime. Here's what seems to work very well for me. (1) For "Detect junk mail" select "Yes, reject if possible" *I no longer recommend selecting this option. See below for details.* This allows Runbox to reject a message at the time it's being received, if it is flagged as SPAM and if everyone receiving the message has agreed to reject SPAM. I originally didn't use this option but the Linpro guys (the ones hosting the Runbox mail servers) convinced me it's a good choice. 2005-07-15: After using "reject if possible" for a while I decided it's not a feature worth using. It can cause more problems than it solves. First, if you receive messages from groups like Yahoo Groups or Google Groups it can bounce spam messages back to Yahoo or Google which will cause your address to be marked as "bouncing" and you'll stop getting mail from your groups until you reactivate your address. Second, since a lot of spam is bulk mailed to many users at the same domain there's a good chance that for a given spam mail at least one user will not have selected this option so for that message it's disabled for everyone. Finally, it's probably more likely to bounce a valid message sent just to you that was incorrectly flagged as spam and you'd never know it. (2) Create a "Spam" folder and a filter defined as: Order: -2 Messages where: "Header" "contains" "X-Spam-Flag: YES" will be: "saved to folder" "Spam" By selecting "reject if possible" for the "Detect junk mail" option, we have also disabled the ability to move SPAM to a Spam folder. This defines our own Spam Filter that will do the same thing the original Spam Filter did. If you want your Spam Filter to be more restrictive, like have a cutoff of 4 instead of the default of 5, you can define your filter like this: Order: -2 Messages where: "Header" "contains" "X-Spam-Level: ***" will be: "saved to folder" "Spam" For this filter, any message with a score greater than 4 (e.g. 4.1) will be moved to the Spam folder. (3) Create a "NotInWhiteList" folder and a filter defined as: Order: 999 Messages where: "Header" "doesn't contain" "USER_IN_WHITELIST" will be: "saved to folder" "NotInWhiteList" This should be your very last filter. If a message makes it all the way to this filter, it's next stop would be the Inbox. This filter will make sure that the message is from someone in your Whitelist, if not, it moves it to the "NotInWhileList" folder. Initially you will have messages in your "NotInWhiteList" folder that you either want to add to your Whitelist or create a filter to move it to a folder (could even be the Inbox). You will also have SPAM that wasn't caught by SpamAssassin. Eventually, as you update your Whitelist and filters, the "NotInWhiteList" folder will contain mostly uncaught SPAM. (4) Messages over 250K in size are not scanned by SpamAssassin. The reason being that mail that large is unlikely to be SPAM. Unless these messages are moved to a folder by a filter, they would end up in the "NotInWhiteList" folder because they will never contain the "X-Spam-Status" header for the "USER_IN_WHITELIST" check. To avoid this you can add the following filter: Order: 998 Messages where: "Header" "doesn't contain" "X-Spam-Status" will be: "saved to folder" "Inbox" This moves ANY message that hasn't been scanned by SpamAssassin to the Inbox. Or you could create a NotSpamChecked folder and move it there.* (5) Add addresses of people/places you expect "ham" (not spam) email from to the Spam Filter whitelist. When SpamAssassin checks a message it will check the whilelist for the "From" address. If it finds the address, it will add "USER_IN_WHITELIST" to the "X-Spam-Status" header in the message. (6) Add filters for Mailing Lists and Groups. For mailing lists or groups (e.g. Yahoo Groups) that use the senders real email in the "From" address instead of the list/group email address, setup filters to move these messages to the proper folder. If they use the list email address in the "From" address you could White List it instead but you still might want to have a filter to move them to a folder. (7) Add other filters as needed/wanted. Messages are checked by SpamAssassin as they arrive at the Runbox servers. However, messages flagged as SPAM are not filtered until your filters are processed. The Spam Filter runs at an order value of "-2". If you want your filters to run BEFORE the Spam Filter, allowing you to handle ALL messages, your filter order values must be less than -2 (-3 through -99). If you want your filters to run AFTER the Spam Filter, allowing flagged SPAM to be filtered, your filter order values must be greater than -2 (-1 through 999). CAUTION: You can have multiple filters with the same order value. Within the same order value, filters are processed in the order in which the entry was first added to the database. The filters page will show the filters in the order processed. It may seem a bit complicated but it's working really well for me. Regards, Rich Last edited by carverrn : 16 Jul 2005 at 12:00 AM.