[NCLUG] SpamAssassin Testimonials?

Bob Proulx bob at proulx.com
Mon Jul 14 22:57:38 MDT 2003


> Replies to: rich at experienceplus.com

Rich Young wrote:
> 	We're considering installing SpamAssassin, and some 

I know this was a week ago but just now getting caught up...

> of my users here aren't familiar enough with it to know 
> whether they should support the plan or not. I would 
> appreciate it if a few of you who have had personal 
> experience with SpamAssassin could reply to me off list 
> with your brief thoughts on its effectiveness as a spam 
> reduction tool.

IMHO SpamAssassin is the best overall tool available.  It uses a
combined arms tactics method of collating multiple indicators into one
diagnosis.  RBLs are another best in class tool.  Block all open
relays and then tag with SA for best results.  I don't see as much
advantage from Razor, DCC, Pyzor.  But keep an eye on them and other
techniques such as greylisting which shows promise.  It is a continued
battle and the landscape will continue to evolve over time.

I implemented SA as an optional addition for a large group of people,
a couple hundred, in an engineering lab.  I don't know how many
actually turned it on out of that group since it was a personal
configuration capability.  Some never get spam and would not have
turned it on.  Others did.  It was opt-in on a personal configuration
basis.

Most were VERY happy with SpamAssassin.  It was received as a
lifesaver in the sea of spam.  A few had some false positives.  Even
with the false positives they were very happy to have the technology
available and were mostly wanting to understand how to drive it.  But
remember this was an engineering lab of techies and techies love to
twiddle knobs.  The few that decided not to use it had turned it on
themselves and just turned it off themselves too.

> I'd be especially grateful for comments on:
> - accidental filtering of legitimate messages

False tagging will happen.  One person got html mail from their wife
at another site that always tagged email with headers and footers.
They totally agreed it looked like a spam message but wanted to know
how to whitelist the address.  Getting their wife to change mailers,
companies, etc. was not an option.  The address was whitelisted and
there was no more trouble.

Another person bought and sold items on eBay often and had mail tagged
from non-eBay people trying to contact them about those items.  This
one was more trouble since the mail could come from anywhere, not just
eBay, and would really look a lot like spam.  Initially they turned
off SA during the time that they had items and deals open and turned
SA back on again when they had nothing in the pipeline and the spam
was annoying them too much.  I see that type of FP as the hardest to
avoid.

> - difficulties adjusting the threshold to optimal level

Am using the default level here.  Although users can adjust it I don't
know of any that actually do.  Most that get involved start writing
their own rules to target their own particular type of spam.
Personally I increase the likelihood that any html mail is spam since
almost all of my html mail is spam.

> - numeric estimates on how much spam reduction it provided

Varies greatly by individual.  Some got one spam a month.  Others were
getting up to 50 a day.  (I am averaging around 30 a day personally.)
The more spam the individual got the more of a reduction was seen.

> - how much maintenance it requires to stay ahead of the 
>    spammers

The RBL lists are a godsend for dynamically keeping ahead of spammers.
At the least block any open relay.  Open relays are very bad in
today's hostile Internet and the open relay RBLs are very low at false
positives and collateral damage making them relatively safe to deploy
widely.

Stay upgraded to the current version of SA.  Since spam flavor changes
often you should keep up to date.  Like updating virus filters.  If I
were to plug the distro I like which makes it trivial to stay on the
latest version it would start a religious war about distros so just
let me say keep up to date by whatever method you prefer.

> - any issues regarding using it in a business setting 
>    with multiple users

Make sure to educate users that this type of tagging is taking place.
Making this opt-in is certainly best.  I recommend tagging and then
automatically filing into a caught spam folder.  In that case make
sure they check their spam folder routinely, at least initially until
they have confidence in it, and look for false positives.  In that
initial period is when most of your false positives from moms, spouses
and eBay deals will show up.

Do not automatically delete tagged email.  If it was wrongly tagged
and then deleted then it is gone.  Instead quarantine and age spam at
some safe rate to provide a way to retrieve messages from the garbage.
If nothing else looking through the trash can provide a peace of mind
that a message you were waiting for was not filed as spam.  Educate
users how to retrieve messages from the trash.  By default the
original message is turned into a MIME attachment so that it is not
munged by the report which is placed around it.  This makes it trivial
to retrieve completely error free.  But MIME attachments also have
been known to confuse users.  I have had users convinced that MIME
attachments were some form of irreversible corruption.  You should be
prepared ahead of time with the expectation that people will need
hand holding at this step.

Everyone has unique needs and no tagging or filtering will work for
everything.  There is no such thing as one size fits all so please
avoid providing only one size.  Expect to see unique situations.

Bob
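
Added example, not part of the original post: a way to pull a wrongly tagged message back out of its report wrapper, as described in the paragraph on retrieving messages from the trash. It assumes the wrapper is a multipart message carrying an X-Spam-Flag: YES header with the original attached as a message/rfc822 part; the sample message, addresses and the recover_original name are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample of a tagged message: a report part followed by the
# original attached as message/rfc822. All values here are made up.
SAMPLE_TAGGED = b"""\
From: buyer@example.net
To: user@example.com
Subject: Question about your auction item
X-Spam-Flag: YES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="SA_CONSTRUCTED_BOUNDARY"

--SA_CONSTRUCTED_BOUNDARY
Content-Type: text/plain

Spam detection software has identified this mail as possible spam.
(constructed report text)

--SA_CONSTRUCTED_BOUNDARY
Content-Type: message/rfc822

From: buyer@example.net
To: user@example.com
Subject: Question about your auction item

Is the item still available?

--SA_CONSTRUCTED_BOUNDARY--
"""

def recover_original(raw: bytes) -> Optional[EmailMessage]:
    """Return the original message from a report wrapper, or None."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    # Only unwrap mail that was tagged; an untagged message may carry a
    # forwarded message/rfc822 attachment that is not a spam wrapper.
    if str(outer.get("X-Spam-Flag", "")).strip().upper() != "YES":
        return None
    if not outer.is_multipart():
        return None
    # Look only at direct children so attachments nested inside the
    # original itself are never mistaken for it.
    for part in outer.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None
```

Calling recover_original(raw).as_bytes() gives a message that can be written back into the user's inbox.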


