A.10. Adding SpamAssassin

Invoking SpamAssassin at SMTP-time is commonly done in either of two ways in Exim:

A.10.1. Invoke SpamAssassin via Exiscan

Exiscan-ACL's "spam" condition passes the message through either SpamAssassin or Brightmail, and triggers if these indicate that the message is junk. By default, it connects to a SpamAssassin daemon (spamd) running on localhost. The host address and port can be changed by adding a spamd_address setting in the main section of the Exim configuration file. For more information, see the exiscan-acl-spect.txt file included with the patch.

In our implementation, we are going to reject messages classified as spam. However, we would like to keep a copy of such messages in a separate mail folder, at least for the time being. This is so that the user can periodically scan for False Positives.

Exim offers controls that can be applied to a message that is accepted, such as freeze. The Exiscan-ACL patch adds one more of these controls, namely fakereject. This causes the following SMTP response:

550-FAKEREJECT id=message-id
550-Your message has been rejected but is being kept for evaluation.
550 If it was a legit message, it may still be delivered to the target recipient(s).

We can incorporate this feature into our implementation, by inserting the following snippet in acl_data, prior to the final accept statement:

  # Invoke SpamAssassin to obtain $spam_score and $spam_report.
  # Depending on the classification, $acl_m9 is set to "ham" or "spam".
  # If the message is classified as spam, pretend to reject it. 
    set acl_m9  = ham
    spam        = mail
    set acl_m9  = spam
    control     = fakereject
    logwrite    = :reject: Rejected spam (score $spam_score): $spam_report

  # Add an appropriate X-Spam-Status: header to the message.
    message     = X-Spam-Status: \
                  ${if eq {$acl_m9}{spam}{Yes}{No}} (score $spam_score)\
                  ${if def:spam_report {: $spam_report}}
    logwrite    = :main: Classified as $acl_m9 (score $spam_score)

In this example, $acl_m9 is initially set to "ham". Then SpamAssassin is invoked as the user mail. If the message is classified as spam, then $acl_m9 is set to "spam", and the FAKEREJECT response above is issued. Finally, an X-Spam-Status: header is added to the message. The idea is that the Mail Delivery Agent or the recipient's Mail User Agent can use this header to filter junk mail into a separate folder.

A.10.2. Configure SpamAssassin

By default, SpamAssassin presents its report in a verbose, table-like format, mainly suitable for inclusion in or attachment to the message body. In our case, we want a terse report, suitable for the X-Spam-Status: header in the example above. To do this, we add the following snippet in its site specific configuration file (/etc/spamassassin/local.cf, /etc/mail/spamassassin/local.cf, or similar):

### Report template
report "_TESTSSCORES(, )_"

Also, a Bayesian scoring feature is built in, and is turned on by default. We normally want to turn this off, because it requires training that will be specific to each user, and thus is not suitable for system-wide SMTP time filtering:

### Disable Bayesian scoring
use_bayes 0

For these changes to take effect, you have to restart the SpamAssassin daemon (spamd).

A.10.3. User Settings and Data

Say you have a number of users that want to specify their individual SpamAssassin preferences, such as the spam threshold, acceptable languages and character sets, white/blacklisted senders, and so on. Or perhaps they really want to be able to make use of SpamAssassin's native Bayesian scoring (though I don't see why[1]).

As discussed in the User Settings and Data section earlier in the document, there is a way for this to happen. We need to limit the number of recipients we accept per incoming mail delivery to one. We accept the first RCPT TO: command issued by the caller, then defer subsequent ones using a 451 SMTP response. As with greylisting, if the caller is a well-behaved MTA it will know how to interpret this response, and retry later.

A.10.3.1. Tell Exim to accept only one recipient per delivery

In the acl_rcpt_to, we insert the following statement after validating the recipient address, but before any accept statements pertaining to unauthenticated deliveries from remote hosts to local users (i.e. before any greylist checks, envelope signature checks, etc):

  # Limit the number of recipients in each incoming message to one
  # to support per-user settings and data (e.g. for SpamAssassin).
  # NOTE: Every mail sent to several users at your site will be
  #       delayed for 30 minutes or more per recipient.  This
  #       significantly slow down the pace of discussion threads
  #       involving several internal and external parties.
    message      = We only accept one recipient at a time - please try later.
    condition    = $recipients_count

A.10.3.2. Pass the recipient username to SpamAssassin

In acl_data, we modify the spam condition given in the previous section, so that it passes on to SpamAssassin the username specified in the local part of the recipient address.

  # Invoke SpamAssassin to obtain $spam_score and $spam_report.
  # Depending on the classification, $acl_m9 is set to "ham" or "spam".
  # We pass on the username specified in the recipient address,
  # i.e. the portion before any '=' or '@' character, converted
  # to lowercase.  Multiple recipients should not occur, since
  # we previously limited delivery to one recipient at a time.
  # If the message is classified as spam, pretend to reject it. 
    set acl_m9  = ham
    spam        = ${lc:${extract{1}{=@}{$recipients}{$value}{mail}}}
    set acl_m9  = spam
    control     = fakereject
    logwrite    = :reject: Rejected spam (score $spam_score): $spam_report

Note that instead of using Exim's ${local_part:...} function to get the username, we manually extracted the portion before any "@" or "=" character. This is because we will use the latter character in our envelope signature scheme, to follow.

A.10.3.3. Enable per-user settings in SpamAssassin

Let us now again look at SpamAssassin. First of all, you may choose to remove the use_bayes 0 setting that we previously added in its site-wide configuration file. In any case, each user will now have the ability to decide whether to override this setting for themselves.

If mailboxes on your system map directly to local UNIX accounts with home directories, you are done. By default, the SpamAssassin daemon (spamd) performs a setuid() to the username we pass to it, and stores user data and settings in that user's home directory.

If this is not the case (for instance, if your mail accounts are managed by Cyrus SASL or by another server), you need to tell SpamAssassin where to find each user's preferences and data files. Also, spamd needs to keep running as a specific local user instead of attempting to setuid() to a non-existing user.

We do these things by specifying the options passed to spamd at startup:

  • On a Debian system, edit the OPTIONS= setting in /etc/default/spamassassin.

  • On a RedHat system, edit the SPAMDOPTIONS= setting in /etc/sysconfig/spamassassin.

  • Others, figure it out.

The options you need are:

  • -u username - specify the user under which spamd will run (e.g. mail)

  • -x - disable configuration files in user's home directory.

  • --virtual-config-dir=/var/lib/spamassassin/%u - specify where per-user settings and data are stored. "%u" is replaced with the calling username. spamd must be able to create or modify this directory:
# mkdir /var/lib/spamassassin
    # chown -R mail:mail /var/lib/spamassassin

Needless to say, after making these changes, you need to restart spamd.



Although it is true that Bayesian training is specific to each user, it should be noted that SpamAssassin's Bayesian classifier is, IMHO, not that stellar in any case. Especially I find this to be the case since spammers have learned to defeat such systems by seeding random dictionary words or stories in their mail (e.g. in the metadata of HTML messages).