How To Improve SPAM Filtering using Runbox Filters
2005-07-15: This information hasn't been updated since Runbox implemented the trainable DSPAM filter. But much of the information is still relevant.
A blocklist doesn't do much good for most SPAM since SPAM doesn't usually have a valid "From" address nor use the same "From" address every time. Here's what seems to work very well for me.

(1) For "Detect junk mail" select "Yes, reject if possible". I no longer recommend selecting this option. See below for details.

This allows Runbox to reject a message at the time it's being received, if it is flagged as SPAM and if everyone receiving the message has agreed to reject SPAM. I originally didn't use this option but the Linpro guys (the ones hosting the Runbox mail servers) convinced me it's a good choice.

2005-07-15: After using "reject if possible" for a while I decided it's not a feature worth using. It can cause more problems than it solves. First, if you receive messages from groups like Yahoo Groups or Google Groups it can bounce spam messages back to Yahoo or Google which will cause your address to be marked as "bouncing" and you'll stop getting mail from your groups until you reactivate your address. Second, since a lot of spam is bulk mailed to many users at the same domain there's a good chance that for a given spam mail at least one user will not have selected this option so for that message it's disabled for everyone. Finally, it's probably more likely to bounce a valid message sent just to you that was incorrectly flagged as spam and you'd never know it.

(2) Create a "Spam" folder and a filter defined as:

    Order: -2
    Messages where: "Header" "contains" "X-Spam-Flag: YES"
    will be: "saved to folder" "Spam"

By selecting "reject if possible" for the "Detect junk mail" option, we have also disabled the ability to move SPAM to a Spam folder. This defines our own Spam Filter that will do the same thing the original Spam Filter did.

If you want your Spam Filter to be more restrictive, like have a cutoff of 4 instead of the default of 5, you can define your filter like this:

    Order: -2
    Messages where: "Header" "contains" "X-Spam-Level: ****"
    will be: "saved to folder" "Spam"

For this filter, any message with a score greater than 4 (e.g. 4.1) will be moved to the Spam folder.

(3) Create a "NotInWhiteList" folder and a filter defined as:

    Order: 999
    Messages where: "Header" "doesn't contain" "USER_IN_WHITELIST"
    will be: "saved to folder" "NotInWhiteList"

This should be your very last filter. If a message makes it all the way to this filter, its next stop would be the Inbox. This filter will make sure that the message is from someone in your Whitelist, if not, it moves it to the "NotInWhiteList" folder.

Initially you will have messages in your "NotInWhiteList" folder that you either want to add to your Whitelist or create a filter to move it to a folder (could even be the Inbox). You will also have SPAM that wasn't caught by SpamAssassin. Eventually, as you update your Whitelist and filters, the "NotInWhiteList" folder will contain mostly uncaught SPAM.

(4) Messages over 250K in size are not scanned by SpamAssassin. The reason being that mail that large is unlikely to be SPAM. Unless these messages are moved to a folder by a filter, they would end up in the "NotInWhiteList" folder because they will never contain the "X-Spam-Status" header for the "USER_IN_WHITELIST" check. To avoid this you can add the following filter:

    Order: 998
    Messages where: "Header" "doesn't contain" "X-Spam-Status"
    will be: "saved to folder" "Inbox"

This moves ANY message that hasn't been scanned by SpamAssassin to the Inbox. Or you could create a NotSpamChecked folder and move it there.

(5) Add addresses of people/places you expect "ham" (not spam) email from to the Spam Filter whitelist. When SpamAssassin checks a message it will check the whitelist for the "From" address. If it finds the address, it will add "USER_IN_WHITELIST" to the "X-Spam-Status" header in the message.

(6) Add filters for Mailing Lists and Groups. For mailing lists or groups (e.g. Yahoo Groups) that use the sender's real email in the "From" address instead of the list/group email address, set up filters to move these messages to the proper folder. If they use the list email address in the "From" address you could White List it instead but you still might want to have a filter to move them to a folder.

(7) Add other filters as needed/wanted.

Messages are checked by SpamAssassin as they arrive at the Runbox servers. However, messages flagged as *SPAM* are not filtered until your filters are processed. The Spam Filter runs at an order value of "-2". If you want your filters to run BEFORE the Spam Filter, allowing you to handle ALL messages, your filter order values must be less than -2 (-3 through -99). If you want your filters to run AFTER the Spam Filter, allowing flagged SPAM to be filtered, your filter order values must be greater than -2 (-1 through 999).

CAUTION: You can have multiple filters with the same order value. Within the same order value, filters are processed in the order in which the entry was first added to the database. The filters page will show the filters in the order processed.

It may seem a bit complicated but it's working really well for me.

Regards, Rich |
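Added example (not part of Rich's post and not Runbox code): a small Python simulation of the filter chain described above, run over constructed header blocks, showing how the order values and the four-star cutoff decide where each message lands. It assumes that the first matching filter ends processing, that "contains" is a plain substring match on the raw headers, and that X-Spam-Level carries one star per whole point of score; the names `Filter`, `route` and `scanned` are made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    order: int       # Runbox order value, -99..999
    needle: str      # text searched for in the raw header block
    contains: bool   # True: "contains", False: "doesn't contain"
    folder: str      # "saved to folder" target

# Filters from the post. List position stands in for "first added to the
# database", which decides ties between equal order values.
STRICT = [
    Filter(999, "USER_IN_WHITELIST", False, "NotInWhiteList"),
    Filter(998, "X-Spam-Status", False, "Inbox"),
    Filter(-2, "X-Spam-Level: ****", True, "Spam"),
]
# Same chain with the default cutoff (X-Spam-Flag) instead of four stars.
DEFAULT = STRICT[:2] + [Filter(-2, "X-Spam-Flag: YES", True, "Spam")]

def route(headers: str, filters) -> str:
    """Folder chosen by the first matching filter (assumed to end processing)."""
    for f in sorted(filters, key=lambda f: f.order):  # stable: ties keep list order
        if (f.needle in headers) == f.contains:
            return f.folder
    return "Inbox"

def scanned(score: float, tests: str, required: float = 5.0) -> str:
    """Constructed SpamAssassin-style headers: one star per whole point."""
    is_spam = score >= required
    lines = ["X-Spam-Flag: YES"] if is_spam else []
    lines.append("X-Spam-Level: " + "*" * max(int(score), 0))
    lines.append(f"X-Spam-Status: {'Yes' if is_spam else 'No'}, "
                 f"hits={score} required={required} tests={tests}")
    return "\n".join(lines) + "\n"

# Constructed sample messages (header blocks only).
SAMPLES = {
    "whitelisted sender": scanned(-99.0, "HTML_MESSAGE,USER_IN_WHITELIST"),
    "obvious spam": scanned(7.2, "CLICK_BELOW,HTML_LINK_CLICK_HERE"),
    "borderline spam": scanned(4.3, "HTML_MESSAGE,NO_REAL_NAME"),
    "unknown sender": scanned(1.1, "NO_REAL_NAME"),
    "over 250K, never scanned": "From: list@example.org\nSubject: photos\n",
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:26} strict={route(hdrs, STRICT):15} "
              f"default={route(hdrs, DEFAULT)}")
```

The borderline message is the one that differs between the two chains: the four-star filter files it as Spam, while the X-Spam-Flag filter lets it fall through to NotInWhiteList.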
Rich,
Thanks for an excellent set of instructions. I've dodged spam thus far but I think I will start building up my whitelist just in case. Along those lines I'm wondering whether there is an easy way to add a lot of addresses to the whitelist. I'd love to be able to take my contact manager software, dump out a file of all the email addresses and add them to my whitelist. Doing so I'd have 99% of my wanted email already flagged for whitelist. I tried using the RBTB2 and entering multiple addresses in the input field, separated by spaces, commas or semicolons but could only get it to work with one at a time. Is that the way it works? Along similar lines, I know your toolbar has an excellent tool for mass-uploading to one's address book . . . does being in the address book make a contact automatically count as whitelisted? If not, then can I respectfully suggest to the Runbox team (or the Toolbar "team" ;-) a mechanism for mass uploading of whitelist names? --Jason |
Hi Jason,
Quote:
Quote:
It currently only handles one address at a time. I could take a look at handling multiple addresses. Quote:
Regards, Rich |
Quote:
Well, I hate to correct you in public like this, but you were wrong when you said there is a way 'kind of'. In fact, your bookmarklet (surprise surprise) is PERFECT!! Not only did it allow me to easily and quickly add 500 email addresses to my whitelist, but it also id'ed for me a dozen or so cases where I had improperly formatted email addresses in my Palm Pilot!

The process was relatively simple. I exported the email field of my Palm address book to a CSV file, opened in Excel, then copied into notepad and back into Excel (this split records where I had multiple email addresses separated by carriage returns into separate cells in Excel). Then I split data to columns using commas as delimiters, so that any fields where I had multiple emails separated by commas would go into separate cells. I pasted the cells that were now in columns B, C, etc into column A and sorted alphabetically. I then pasted them into your form (about 100 at a time) and voila! Just tested it with an email from myself (fortunately I'm on my whitelist -- it's obviously not that exclusive) :D and saw the beloved USER_IN_WHITELIST flag.

I've never used this before because of the difficulty in adding addresses one at a time, and a concern that if I only added them from emails I got, I would always be getting emails in my "NotInWhitelist" folder from that person you'd not heard from in a long while. Even though Spam's not been a problem for me yet at this new address, I'm going to modify my growing system of filters to mimic what you've described above, and start to build a good solid pre-emptive system for dealing with spam.

Thanks again, Rich! You rock!! --Jason |
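Added example (not from Jason's post or from the bookmarklet): the spreadsheet steps described above done as one Python function that splits multi-address fields, sets aside malformed entries, removes duplicates, sorts, and cuts the result into paste-sized batches. The sample export is constructed, the syntax check is a deliberately simple assumption rather than a full address validator, and treating addresses that differ only in case as duplicates is also an assumption.

```python
import csv
import io
import re

# Simple syntax check (assumption): local part, "@", dotted domain.
ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def prepare_whitelist(csv_text: str, batch_size: int = 100):
    """Return (batches, rejected) from a CSV export of e-mail fields."""
    good, rejected, seen = [], [], set()
    # newline="" keeps line breaks inside quoted fields intact for csv.reader.
    for row in csv.reader(io.StringIO(csv_text, newline="")):
        for cell in row:
            # One field may hold several addresses, split by commas or line breaks.
            for item in re.split(r"[,\r\n]+", cell):
                item = item.strip()
                if not item:
                    continue
                if not ADDR.match(item):
                    rejected.append(item)        # report for manual correction
                elif item.lower() not in seen:   # case-insensitive de-duplication
                    seen.add(item.lower())
                    good.append(item)
    good.sort(key=str.lower)
    batches = [good[i:i + batch_size] for i in range(0, len(good), batch_size)]
    return batches, rejected

# Constructed export: one e-mail field per record, some holding two addresses.
EXPORT = (
    '"mom@example.com\r\nmom.work@example.org"\r\n'
    '"bob@example.net, Bob@Example.net"\r\n'
    'alice(at)example.com\r\n'
    'carol@example\r\n'
)

if __name__ == "__main__":
    batches, rejected = prepare_whitelist(EXPORT, batch_size=2)
    for n, batch in enumerate(batches, 1):
        print(f"batch {n}:", ", ".join(batch))
    print("needs fixing:", rejected)
```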
Just FYI, I'm working on incorporating Rich's excellent "scheme" in the help pages, just have to find a way that doesn't send the insecure users into spasms of panic. ;)
Also, the current placing of the Toolbar and bookmarklets links is way too hidden away, I think (in the Help pages, under email add-ons). Liz |
that would be great - but please, make it 'idiot-proof' so even I can understand it :D
|
If I understand it, you will too. ;)
Liz |
For the Spam Filtering, I know the process sounds a bit complicated although it's not too bad. I tried to add a little explanation of "why" it was being added but it might be easier for some if you just say "trust me, it will work" and just show the filters to add. Some better formatting via HTML and a few screen shots might make it easier to follow too.
For the Whitelist editing, I said "kind of" because it would be a lot easier if it could import CSV files directly. I could probably do this with the import stuff from the Import Addressbook bookmarklet. I should probably write an Export Addressbook too then. I guess it's time to work on bookmarklets again. Rich |
I was wondering if anybody has time to make a visual representation of what Carverrn is talking about. Not a lot of people would understand, and I admit even though I'm an IT major, I had trouble understanding where is where and what to input.
|
Not a bad idea...if anyone would like to set up a dummy account with dummy contacts and make some screenshots with text a la the POP/IMAP setups guides (JPEG please), they will be rewarded. :) Do mail us first though, in case more than one person volunteers. :)
Liz |
Hi, problem with setting these filters around case sensitivity in the email address.
My work address gets sent as: Joseph.Cairns@ibx.com But on the white list I'm only able to put: joseph.cairns@ibx.com There's no way for me to enter anything with upper case, so unfortunately, the server isn't putting the "USER_IN_WHITELIST" tag on this header. The process should be converting everything to lower case before it compares addresses but it doesn't seem to be doing this. Thanks! |
You might want to reformat your address so it doesn't get spammed (userATdomain instead of realuser@realdomain). Also, you don't need to put your username, enough to put your UserName for the example.
|
How my email admins at work set up my address' format is outside of my control.
This is coming from my work server with the capitals but I'm unable to enter an address with capitals in the white list. Edit Note: regardless email addresses are not case sensitive and User@xyz.com should match user@xyz.com. |
according to the RFC's, the localpart is case sensitive.
I meant how you write your address in your post. (write supportATrunbox instead of support@runbox). |
Ahh gotcha have a million things going on here at once and my head is spinning. ;)
My address at work is send only so no worries there, but I'll keep it in mind for future reference, thanks! Quote:
|
|
Ahh cool, I'll read through that. The whitelist section should allow us to add case sensitive addresses then, it currently only allows entries of all lower case.
|
Quote:
Yes, that's true, but as the next passage says: Quote:
So, regarding the whitelist question. I'm really surprised that a lower case mail address doesn't match the mixed case address. I'll have to check spamassassin to find out if this is expected behavior. |
Quote:
It should be noted that a change to the Whitelist might not be instant. There could be several minutes before SpamAssassin actually sees the updated Whitelist. With my most recent test, a test message sent immediately after changing the Whitelist did not result in a USER_IN_WHITELIST. All subsequent test messages did. Regards, Rich |
It may be that way for you but it's not the case for me as of last Friday. That setup is working for every incoming email I have in my white list sans the one with the capital letters for the account name.
If it's not case then I don't know what it is. |
Something changed since Thursday/Friday then as this works now with no changes on my end.
|
Glad to hear it's working now.
Rich |
Re: How To Improve SPAM Filtering using Runbox Filters
Quote:
I have tried sending the famous "ADV: Your Membership Exchange order -- Question to eBay seller g.r.a.p.e?" message minus the "ADV" (since FastMail doesn't allow sending messages with it in the subject line) from various accounts to test this feature. The message definitely gets flagged as spam and filed to the Spam folder but it doesn't get rejected. |
Re: Re: How To Improve SPAM Filtering using Runbox Filters
Quote:
If anyone did not have Reject If Possible chosen, then Runbox is required by email protocol to accept it and deliver it to all recipients.

The strange thing in what you describe is, as I understand it, you should not be able to have simultaneously selected "Reject if Possible" and "File in XX folder". They are 2 different options. So, for people who choose Reject if Possible, you need to set up a filter in your Manager to reject anything that meets your criteria of spam. So mine, for example, says any message whose header contains "X-Spam-Level: ****" should be filed as spam. This catches anything with a SA score above ~4 and moves it to my Spam folder.

Post here again if you have "Reject If Possible" selected, no other Spam filters that you've set up yourself, but Spam getting moved to a separate folder. I'd be interested in understanding it better. What you've described (not being rejected, filed in folder) would make sense if the second of the 3 spam options is selected, "Detect, and file in XX". In the mean time, hope this all makes sense. --Jason |
Hi Jason,
Thanks for the reply. These are some of my points.

1) I have currently selected "Yes, reject if possible". The "Yes, save to folder" is Trash but it is not selected. I also have a filter order -2 which reads: Messages where: "Header" "contains" "X-Spam-Flag: YES" will be: "saved to folder" "Spam" as suggested above by Carverrn.

2) Previously I had also selected "Yes, reject if possible", but the "Yes, save to folder" was Spam but it was also not selected. However, the spam messages continued to file to "Spam" folder. Don't you think this is strange?

3) I sent out a sample message from both my FastMail account as well as my MailSnare account. They both had my correct email addresses as the "From" address. The messages were classified as spam by runbox, but were filed to folder instead of being rejected. Can you explain it?

4) Can you give me one example of how I can test the reject feature to see that it really works?

Thanks. |
How the "reject if possible" is supposed to work was described in this posting by Sigurdur from Linpro (the host for Runbox's mail servers):
http://www.emaildiscussions.com/...203#post160203 Based on that I would have expected your test SPAM to be rejected (assuming you only sent it to one Runbox address). I think SpamAssassin is handled at the Linpro end so maybe Liz can ask them to comment on this. Rich |
Quote:
The folder in the "save to" setting is used even if you've selected the "reject if possible" option (I think so, at least), so you could just do that instead of adding the filter. Do note the "if possible" part of "Reject if possible", though. For instance, if the mail is received from POP retrieval or sent by another Runbox user from the web interface, this setting won't be used. Quote:
I suggested having the "reject" option as a check box (which then could be turned on/off if the "Yes, save to" radio box setting was selected) when we implemented it, and I still think that would have reflected the actual process better. But I don't meddle around in the webapp code at all, so.. shrug Quote:
The reject feature was temporarily disabled a few days ago due to the load it inflicted. A new box -- bolivar -- was installed today to take over that particular task, and I expect to re-enable the feature sometime tomorrow. This new box should also pave the way for extended spam filtering functionality such as per-user bayesian databases, too. Quote:
|
Sounds like that explains why it was not rejected -- that the feature was temporarily disabled. Otherwise, mail2me, I would expect that your spammy message, sent from outside Runbox to only one recipient at runbox should be rejected.
Tore- I did not think that the file to folder still worked even if the Reject if Possible option was selected. I agree with you, it should be possible to select both, the Reject should be a checkbox enabled as an option when the Detect and File is picked. I have my personal filter set up because I thought I'd read in a posting that the file to folder would not work if the reject option is selected.

By the way, for mail2me and others, the reason I filter on the occurrence of "X-Spam-Level: ****" instead of just SpamFlag: Yes is that it allows you to tailor your spam tolerance. SA decides it's spam when the score is 5 or greater, but I was occasionally getting spam that scored a 4, 4.5, 4.9 etc, so I lowered my "tolerance" to 4. You could also make it X-Spam-Level: ** which would lower it to 2 (and still would catch ***, ****, *****, etc), just depends on how aggressive you want to be. --Jason |
Thanks tore for the reply. You have answered all the questions.
I will wait till the reject function is enabled before testing again. |
Hi tore!
Quote:
http://www.emaildiscussions.com/...threadid=21309 Thanks, Rich |
Quote:
|
Quote:
|
Quote:
The reject message that Runbox sends out is as follows: Quote:
|
Quote:
However, changing the reject setting doesn't come into effect real-time - the configuration is distributed to the MXes every six minutes (if I recall correctly). That also applies to the white list. That was probably the reason it didn't work for you the first time around - there is no other obvious one I can think of, at least. |
Thanks for posting what the spam rejection message looks like. I hadn't seen it yet.
However, the filters shouldn't have anything to do with why you weren't getting the rejection message before. According to Linpro and Runbox, SPAM rejection takes place while the message is being received so that it is never actually accepted by the Runbox mail servers. Since it is never really delivered I don't think it can ever be processed by the filters. At least this is my understanding. Maybe they were still playing around with getting it working again while you were playing around with the filters. Regards, Rich |
Thanks for the explanation Tore!
Rich |
Could a MODERATOR please make this thread sticky? Thanks. :)
Liz |
Quote:
Shelley |
Quote:
X-Spam-Status: No, hits=-99.0 required=5.0 tests=CLICK_BELOW, HTML_60_70, HTML_FONTCOLOR_BLUE, HTML_LINK_CLICK_HERE, HTML_MESSAGE, HTML_TAG_BALANCE_HTML, NO_REAL_NAME, USER_IN_WHITELIST So it's that last entry in the X-Spam-Status flag that tells you the sender is in the whitelist, and it adds a -100 (negative one hundred) to the spam score. Thus my mother would have to REALLY send me a lousy piece of mail for it to add up to a plus five total. ;) When you look in that flag, do you then see the USER_IN_WHITELIST text? --Jason |
Re: How To Improve SPAM Filtering using Runbox Filters
Quote:
I started using Rich's method and (shockingly) spam seems to have disappeared. This worries me somewhat (the fear of false positives) ;) |