Spam Filtering on the VWD Dedicated Client Server
Our clients only see a tiny fraction of the spam they are being sent on a daily basis. 100’s of billions of spam messages are sent annually by “bots”, automated software that targets their victims indiscriminately. These botnets trawl the internet collecting email addresses, they infect PCs and phones gathering information. Over half of all email traffic is spam.
The good news is that hosting providers and ISPs (Internet Service Providers) are getting much better at intercepting these spammers and the public are getting wiser.
VWD hosting needs to identify and filter spam and our cPanel hosting utilises one of the most advanced spam interception tools on the market, Apache SpamAssassin.
What is SpamAssassin?
We all get spam, I get loads of it because I have lots of email accounts. I’m also wary of blocking too much incoming mail in case I miss something, but that’s my problem.
Most of us can recognise spam email immediately. The sirens go off when we see poor grammar and spelling, there are certain words that scream “PHISH”. Over time we’ve taught ourselves how to spot the nasty beggars.
SpamAssassin does exactly the same thing, except it does it on a huge scale bigger, faster and more thoroughly. It uses algorithms, collating information gathered from billions of malicious emails and using that information to identify existing and new formulas.
Email filtering isn’t an exact science. Language is complex; the definition of “unwanted email” changes depending on the context, and spammers try to hide their real goal.
However, the software has been refined over many years with hundreds of sophisticated tests that can identify junk mail with great accuracy.
- Phrase and language tests — These encode a language pattern that indicates whether a message is more or less likely to be spam. For example, there are tests for long runs of text in capital letters, commonly promoted products, or words such as “money” or “win.” There are even tests to find out whether a sender has used red-flag words but tried to disguise them.
- Online databases — Online databases store examples of messages flagged by users and email hosts. For example, the Distributed Checksum Clearinghouse hosts patterns matching bulk emails.
- DNS blocklists (DNSBLs) — These are online lists that software can query to see if a message comes from a known source of junk email. SpamAssassin supports several free blocklists by default, including Mailspike and SpamHaus.
SpamAssassin ships with around 1,000 tests and each email message is subjected to about 600 or more individual tests.
What is the SpamAssassin Score?
The SpamAssassin score tells us how likely an email is to be spam. Each test has a number associated with it, often a small number like 0.1 or –0.2. As messages are analyzed, the software keeps a running total, adding the individual test results to produce a combined score.
The lower the score, the more likely a message is legitimate. If a message scores ten, it isdefinitely spam. If it’s a three, it has some of the qualities of junk mail, but the software is less confident.
It’s important to understand the SpamAssassin score because you can use it to configure email filtering sensitivity in cPanel, as we’ll talk about in the next section.
The Best Settings for SpamAssassin in cPanel
SpamAssassin is fully integrated into the cPanel interface, and you can tweak its settings to get exactly the right spam filtering functionality for your users. To configure it, select Spam Filters in the Email section of the cPanel Home interface.
The first setting on the Spam Filters overview page is “Process New Emails and Mark them as Spam.”
This is the switch that turns email testing on and off. When it is on, SpamAssassin marks high-scoring emails by inserting ***SPAM*** into the message’s header.
Configure the SpamAssassin Threshold Score
Just below “Process New Emails” is the Spam Threshold Score setting.
Earlier, we said that SpamAssassin generates a score by adding up the results of many tests. The Threshold lets cPanel users configure the score above which the software considers a message to be spammy.
For example, if you set the Spam Threshold Score to two, the software flags any email with a score above two. A low threshold leads to very sensitive filtering, and will likely cause non-spam messages to be flagged (false positives). In contrast, a threshold of ten is permissive; non-spam isn’t flagged, but some unwanted messages will make it through (false negatives).
The default setting is five, which is a good balance between sensitivity and too many false positives.
When the Spam Box is activated, flagged messages are moved to a separate folder. Unwanted email is kept out of the inbox, but saved so that you can review it and move any incorrectly identified messages. For the typical user, the Spam Box should be turned on unless you have another method of filtering legitimate messages.
Configure SpamAssassin Auto-Delete
The next setting, Auto-Delete, does exactly what you expect it to. When it’s activated, flagged messages are deleted immediately.
Auto-Delete does not use the Spam Threshold Score; it works with an independent Auto-Delete Threshold Score so that you can set different thresholds for identification and deletion.
You cannot recover a message after it is deleted. For most users, we recommend the Spam Box instead of Auto-Deletion because it allows you to review messages to see if they are incorrectly flagged.
Advanced cPanel Spam Filter Settings
Click on “Show Additional Configurations” to reveal advanced settings. These settings are rarely changed, but you may find whitelists and blacklists useful. (Note that these terms are likely to change in the future to make them more inclusive.)
The whitelist is a list of email senders that are always allowed through the filter even if their messages are flagged. The blacklist is the opposite; messages from senders on the blacklist are prevented from entering inboxes.
To add a sender to the whitelist, select ‘Add A New ”whitelist_from“ Item’ and enter a sender email address. You can use wildcards such as “?” to match any character and “*” for multiple characters.
The final setting, “Calculated Spam Score,” allows you to change the score associated with a test. Advanced users should only use this setting. SpamAssassin developers calibrate scores, and changing them is likely to have unpredictable side effects.
For most users, configuring SpamAssassin is as simple as activating it and choosing whether to use the Spam Box or Auto-Delete. You may need to adjust the default Threshold Score to suit your email hosting scenario, but once that’s done, SpamAssassin will work in the background to ensure that spam ends up where it belongs.
Any company that is flooded with hundreds of spam messages each day, and thousands per week, is in danger of being compromised. The risk of exposing your email addresses or compromising your servers is one that is not worth the fallout. Identifying and filtering unwanted messages requires greater security tools like Apache SpamAssassin which is specifically designed to identify spam before it gets where you don’t want it to go.
As always, if you have any feedback or comments, please let us know. We’re here to help. Find us on Discord, the cPanel forums, and Reddit.