HE Clissmann

SpamAssassin and cPanel -
how to kill off most but not all spam, based on the score

Using SpamAssassin and cPanel, it is reasonably easy to kill off all mail that SpamAssassin considers to be spam, based on a threshold you set. This threshold is a score of the odds of the mail being spam, where the default=5.

Our clients wanted a more refined arrangement. Where the odds were over 5 but under 15, they wanted to send the mail to a different account, which they would check periodically and from which they could recover false positives. This meant the mail was never downloaded to individuals' client PCs, saving users time and frustration.

Where the threshold (or odds of being spam) was over 15, they were happy enough to send the mail into a black hole. This meant the mail was never downloaded to their client PCs, saving bandwidth, time and frustration.

How to set up spam scoring in cPanel

Log on as the administrator in cPanel and, under the e-Mail section, select SpamAssassin.
Step 1    Enable SpamAssassin
Step 2    Select Configure SpamAssassin
Step 3    Under the heading "rewrite-header subject", enter the string: >>>SPAM _HITS_/_REQD_<<<
Step 4    Click Save and then Go Back.
Step 5    Ensure that Spam Box is disabled! The rest of this will fail if Spam Box is enabled.
Step 6    Click cPanel Home or Go Back a couple of times.

The effect of the above steps is to mark each mail with a modified header, if SpamAssassin scores the odds of it being spam over the threshold set (default=5, can be changed on the same screen you saw at Step 3, above). We will now use this score to direct the mail, according to the objectives the client set.

How to use spam scoring to re-direct the e-mail

Ensure your configuration of SpamAssassin is enabled, as described above.
Under the e-Mail section, select e-Mail filtering. Normally, there will be no rules set up. If there are, find out who set them up and what they do before you proceed.

Click on [Add Filter] and you should see a screen similar to this (this screenshot shows some data already entered, which we will discuss below).

You will require 2 rules to achieve the results requested by our client. The first is to forward spam to an account (in the example, spam.suspect@clissmann.com is shown), if the score is under 15.
Ensure you have selected the "matches regex" option! Then paste the following Regular Expression into the text-box on the right hand side (shown above in yellow):
>>>SPAM (1[5-9]|[2-9][0-9]|[0-9]{3,9})
Then add a destination of your choice and Activate this rule.
Now, a second rule, also with "matches regex" and paste in the following:
>>>SPAM ([0-9]\.[0-9]|1[0-4]\.[0-9])
and activate this rule also.
You can test your rules by changing the Subject Bar in the test area at the bottom of the cPanel Filter Maintenance screen - the result should show you how any given mail (based on its subject bar) would get redirected. A sample subject bar to try might be:
>>>SPAM 16.9/5.0<<< Test
Ensure there is an account set up for the redirects, as described above for possible spam.

How these parameters work for mail filtering

cPanel supports Regular Expressions (up to a point) for the evaluation of the subject bar of the mail, as described above. Regular Expressions are a subject in their own right. I found a useful guide at www.regular-expressions.info and a great site for testing your expressions is to be found at http://ioctl.org/jan/test/regexp.htm - thanks to both authors!

Looking at the details of the two rules, let's parse some of the syntax, so you can adapt it as needs be.

>>>SPAM (1[5-9]|[2-9][0-9]|[0-9]{3,9}) says where the mail starts with >>>SPAM - as we set up at the start - and is either followed by:
1[5-9] - any two-digit number starting with 1 followed by any number between 5 and 9 OR (| symbol)
[2-9][0-9] - any two-digit number starting with 2 to 9 (=20-99) OR (| symbol)
[0-9]{3,9} - any number with 3 to 9 digits (essentially 100+)
will match the rule and - as we have selected - be discarded.

>>>SPAM ([0-9]\.[0-9]|1[0-4]\.[0-9]) says where the mail starts with >>>SPAM - as we set up at the start - and is either followed by:
[0-9]\.[0-9] - any single digit number followed by a decimal point and decimal number (=0.0-9.9) OR
1[0-4]\.[0-9] - any two digit number starting with 1 followed by second number from 0-4 followed by a decimal point and decimal number (=10.0-14.9)

Note: The regex engine in cPanel needs more specific patterns than general regex syntax requires. The \d and \s special characters are NOT supported. Also, in the rules above, false positives were obtained for values under 15, until the decimal separator and decimal value were added (\.[0-9]). This is where the rule testing box on the cPanel for your site is very useful.

How you might adapt these rules

Say you want anything over 12 thrown away: simply lower the threshold in both rules as follows:

>>>SPAM ([0-9]\.[0-9]|1[0-1]\.[0-9])
>>>SPAM (1[2-9]|[2-9][0-9]|[0-9]{3,9})
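
The following is an added example, not part of the original page or of cPanel: a Python check that runs every score from 5.0 to 150.0 through both rule pairs above, and through the forward rule with the decimal part left off, which reproduces the false positives mentioned in the note. It assumes scores are written with one decimal place, as in the sample subject bar, and that the filter matches the regex anywhere in the subject, as Python's re.search does; the names route and sweep are made up for this example.

```python
import re

# (discard regex, forward regex, discard threshold): both pairs are from the page.
RULES_15 = (r">>>SPAM (1[5-9]|[2-9][0-9]|[0-9]{3,9})",
            r">>>SPAM ([0-9]\.[0-9]|1[0-4]\.[0-9])", 15)
RULES_12 = (r">>>SPAM (1[2-9]|[2-9][0-9]|[0-9]{3,9})",
            r">>>SPAM ([0-9]\.[0-9]|1[0-1]\.[0-9])", 12)
# Constructed for comparison: the forward rule with the decimal part left off.
FORWARD_NO_DECIMAL = r">>>SPAM ([0-9]|1[0-4])"


def route(subject, discard_re, forward_re):
    """Return which rule(s) a subject line matches."""
    discard = re.search(discard_re, subject) is not None
    forward = re.search(forward_re, subject) is not None
    if discard and forward:
        return "both"      # outcome would depend on rule order; not modelled
    if discard:
        return "discard"
    if forward:
        return "forward"
    return "deliver"       # untagged mail goes to the inbox


def sweep(discard_re, forward_re, threshold, required=5.0, top=150):
    """Try every tagged score from `required` to `top` in 0.1 steps.

    Returns (subject, expected, actual) for each score routed wrongly.
    """
    wrong = []
    for tenths in range(int(required * 10), top * 10 + 1):
        # Constructed subject in the >>>SPAM _HITS_/_REQD_<<< format.
        subject = ">>>SPAM %.1f/%.1f<<< Test" % (tenths / 10, required)
        expected = "discard" if tenths >= threshold * 10 else "forward"
        actual = route(subject, discard_re, forward_re)
        if actual != expected:
            wrong.append((subject, expected, actual))
    return wrong


if __name__ == "__main__":
    print("threshold 15:", len(sweep(*RULES_15)), "scores routed wrongly")
    print("threshold 12:", len(sweep(*RULES_12)), "scores routed wrongly")
    broken = sweep(RULES_15[0], FORWARD_NO_DECIMAL, 15)
    print("no decimal part:", len(broken), "wrong, first:", broken[0])
```

With the decimal part removed, the single-digit alternative matches the first digit of any score, so every mail at or above the discard threshold also matches the forward rule.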

Why I chose >>>SPAM xx.xx/yy.y<<< in the subject bar

The default setting for SpamAssassin is *** SPAM ***. This tells you nothing about the odds of the mail being spam and so needs to be extended.

I chose >>> and <<< as a surround for the SPAM warning, as the asterisk - * - is a special character in regex engines, as are [] and +. So, if you want to change it, pick something that is not a special character in regex.