General Notes on Running SpamAssassin Site-wide

False Positives

SpamAssassin will produce false positives (flagging non-spam mail as possible spam), and this will drive some of your users up the wall. Quite a few mail users still get very little spam.

Here are some tips:

  • Use a more conservative default points setting, such as 8.0 or 10.0 instead of the default 5.0. This will cut down on false positives, at the cost of letting more spam through: at a rough guess, a setting of 10.0 will permit an additional 20% of the total spam.
  • You should make filtering opt-out by default, and opt-in on request, or else allow users a way to opt out of filtering easily. (This can be done by setting required_hits to 100 for that user, either in their ~/.spamassassin/user_prefs file or in the SQL database.)
  • Modify the default SpamAssassin report template to include site-specific details of how they can opt out, or how to change their threshold to something higher.
  • Let them know that you've installed a spam filter! Modify the report template, and send them mail! I regularly get mail from users who haven't got a clue why they got mail from 'something called SpamAssassin', asking me to leave them alone. (wink)
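The first three tips above, written out as SpamAssassin configuration. This is an added example, not text from the original page or from the SpamAssassin project; the file paths, the example.com hostname, the contact address and the help URL are assumptions to replace with your own. The page uses the older name required_hits; required_score is the current name of the same setting and required_hits is still accepted as an alias.

```conf
# Site-wide defaults: /etc/mail/spamassassin/local.cf (assumed path; use your install's)

# Tip 1: a more conservative threshold than the default 5.0 to cut false positives.
# 'required_score' is the current name; 'required_hits' is the older alias.
required_score 8.0

# Tip 3: a site-specific report telling the user why the mail was tagged and how
# to raise their own threshold or opt out. _SCORE_, _REQD_, _SUMMARY_ and
# _CONTACTADDRESS_ are template tags expanded by SpamAssassin.
report_contact postmaster@example.com
clear_report_template
report This message was flagged as possible spam by the site-wide SpamAssassin
report filter at example.com (score _SCORE_, tagging threshold _REQD_).
report
report Tests that contributed to the score:
report _SUMMARY_
report
report To raise your own threshold, or to opt out of filtering entirely, see
report https://example.com/spam-filter-help or write to _CACTADDRESS_.

# Tip 2: per-user opt-out. This fragment goes in that user's own
# ~/.spamassassin/user_prefs (or the SQL prefs table), where a threshold
# no message will reach turns tagging off for them alone:
#
#   required_score 100
```

The per-user line only takes effect when SpamAssassin is actually reading per-user preferences (for example spamd run per user, or with SQL prefs configured), so check that before telling users the opt-out works.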

Legal Issues

Note that there may be legal issues with site-wide spam filtering. For example, in the UK, it is apparently illegal to hold emails for examination for longer than 2 days. Also, the MailScanner info page reckons that under section 3(3) of the Regulation of Investigatory Powers Act, care must be taken to ensure that no-one other than the sender and intended recipient of any message can read any part of that message.

A possible way to route around this is simply to use SpamAssassin in its default mode, so that it only tags mail with its estimated status, instead of full mail filtering where you redirect or delete mail without the user's intervention. This way, the user still has the final choice in what to do, and they can also rest assured that nobody on your staff has been "reading their mail". However, take this advice with a grain of salt: I am not a lawyer, so if you're worried, ask one.

Also, there will be false positives, so deleting or bouncing mail purely on SpamAssassin's judgement is unwise and not recommended.
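What tag-only mode looks like at the delivery end, for the two paragraphs above: SpamAssassin has only added headers, and the recipient's own delivery rules decide what happens, so a false positive costs a glance at a folder rather than a lost message. This is an added procmail example, not part of the original page; the folder names and the location of the rc file are assumptions.

```procmail
# ~/.procmailrc (assumed location) for a user on a site that tags but never deletes.
# Upstream SpamAssassin has already added X-Spam-Flag, X-Spam-Status and
# X-Spam-Level headers; nothing here deletes or bounces anything.

MAILDIR=$HOME/mail
LOGFILE=$HOME/.procmail.log

# Messages scoring far above the threshold (X-Spam-Level is one '*' per point,
# so ten stars means a score of at least 10) go to their own folder so the
# user can skim the near-certain spam separately from the borderline cases.
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

# Anything else SpamAssassin flagged lands in a review folder; the user, not
# the site, makes the final call on every tagged message.
:0:
* ^X-Spam-Flag: YES
probably-spam

# Untagged mail falls through to the normal inbox.
```

Because both folders are under the user's own mail directory, a message tagged in error is still there for them to retrieve, and nobody on the site's staff has had to look at it.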

Some tests, such as the mail-abuse.org RBL tests, require payment for site-wide use.
