Optimize SpamAssassin with DirectAdmin

SpamAssassin already works well with the default settings, but there is still a lot that can be tuned to stop more spam. This tutorial explains how to set up a cron job that updates the spam filters regularly and how to train SpamAssassin on what is and what is not spam. It also explains how to let an antivirus program such as ClamAV scan your e-mail messages.

SpamAssassin analyzes and learns to recognize common spam and blocks it the next time.

Requirements:

  • DirectAdmin (latest version) installation with CustomBuild 2.0 or higher
  • This tutorial was written for RHEL / Rocky Linux / AlmaLinux / CentOS 8 in combination with DirectAdmin
  • SSH (root) access

Note: Always make a snapshot and/or backup of your system before you upgrade the software! This way you can always fall back on a working configuration if something goes wrong.

Step 1 – Install SPAM prevention tools

With the latest versions of DirectAdmin, in addition to SpamAssassin, new tools are available to combat spam. These are the Easy Spam Fighter and Blockcracking tools. To install these tools together with SpamAssassin, we use the handy CustomBuild tool that comes with every DirectAdmin installation. Run the following commands in SSH as root to install these tools:

cd /usr/local/directadmin/custombuild
./build update
./build set spamassassin yes
./build set easy_spam_fighter yes
./build set blockcracking yes
./build set exim yes
./build set eximconf yes
./build set eximconf_release 4.5

./build update

./build exim
./build spamassassin
./build exim_conf

After compiling exim_conf, a message should appear confirming that Easy Spam Fighter and BlockCracking are installed.

More information about Easy Spam Fighter can be found here and more information about Blockcracking can be found here.

Step 2 – Create IMAP folders

The first step is to create two new IMAP folders in which you can place the spam messages. In the INBOX folder create two new folders (this can be done with a webmail client such as Roundcube or with your desktop mail client).

  • spamtraining-true
  • spamtraining-false

In the spamtraining-true folder you place all messages that have arrived in your inbox but which are spam. In the spamtraining-false folder, place messages that are marked as spam but are not spam messages. You can change the names to your own liking, but pay attention in the next step to change the names there as well.

Step 3 – sa-learn Cronjob script

Now log in to your server via SSH. You can create the cronjob script as root, but it is recommended to log in as the DirectAdmin user for which you just created the two new spam training folders, because the permissions of the file are then immediately correct. Chances are you still need to enable SSH in DirectAdmin for the user. To do this, log in to DirectAdmin as a reseller or admin, edit the user and check the box for SSH. Now log in via SSH as the DirectAdmin user.

Once logged into SSH run the following commands:

cd /home/USERNAME/.spamassassin
touch teach.sh
nano teach.sh

Now copy the script below into the teach.sh file. Please note the following points here:

  • Change lines 3, 11 and 12 to adjust the values to your liking.
  • Messages can be automatically deleted after each scan; to enable this, change the variable DELETE_TEACH_DATA=0 to =1.

#!/bin/sh

DA_USER=USERNAME
DA_HOME=/home/${DA_USER}

# Set this to 1 if you want the training messages removed after the run
DELETE_TEACH_DATA=0

learn_Maildir()
{
    FILESPAM=${1}/.INBOX.spamtraining-true
    FILEHAM=${1}/.INBOX.spamtraining-false

    # The cur and new directories are listed explicitly because
    # {cur,new} brace expansion is not available in every /bin/sh
    if [ -e "${FILESPAM}/new" ] || [ -e "${FILESPAM}/cur" ]; then
        echo "learning spam via ${FILESPAM}..."
        sa-learn --no-sync --spam "${FILESPAM}/cur" "${FILESPAM}/new"
    fi

    if [ -e "${FILEHAM}/new" ] || [ -e "${FILEHAM}/cur" ]; then
        echo ""
        echo "learning ham via ${FILEHAM}..."
        sa-learn --no-sync --ham "${FILEHAM}/cur" "${FILEHAM}/new"
    fi

    if [ "$DELETE_TEACH_DATA" -eq 1 ]; then
        rm -f "${FILESPAM}"/new/* "${FILESPAM}"/cur/*
        rm -f "${FILEHAM}"/new/* "${FILEHAM}"/cur/*
    fi
}

# Mailbox of the system account itself
if [ -e "$DA_HOME/Maildir" ]; then
    learn_Maildir "$DA_HOME/Maildir"
fi

# Mailboxes of the virtual e-mail accounts, per domain
for DOMAIN_DIR in "${DA_HOME}"/imap/*; do
    # Skip symlinked domain directories
    if [ -h "$DOMAIN_DIR" ]; then
        continue
    fi

    for maildir in "${DOMAIN_DIR}"/*/Maildir; do
        # Skip the unexpanded pattern when nothing matches
        [ -d "$maildir" ] || continue
        learn_Maildir "$maildir"
    done
done

echo ""
echo "syncing..."
sa-learn --sync

echo ""
echo "current status:"
sa-learn --dump magic

exit 0

Now adjust the permissions of the file:

chmod 700 teach.sh

Now test this script with the command:

sh teach.sh

The output of the script shows how many messages and words are analyzed for each email address. The script looks at each existing email address and whether the spam training folders exist in it. If these directories do not exist, the script will not do anything with that email address.

If you get errors about writing bayes data, make sure the following Perl module is installed (run as root):

dnf install perl-DB_File

If more errors appear, change the sa-learn --sync line in the script to the following:

sa-learn -D --sync

This is SpamAssassin’s sa-learn debug mode. Now look for the error messages. A common cause is Perl modules that are missing from your system. You can install them with the DNF package manager, as in the command above.

Step 4 – Installing the cronjob

Now go to the cronjob page in DirectAdmin for the user and create a new cronjob with the following command (modify USERNAME to your DirectAdmin user):

 /home/USERNAME/.spamassassin/teach.sh >> /home/USERNAME/sa-teach.log 2>&1

Choose a time for the cronjob to run. For example, I do this just before the daily backups. The cron job is now run every night at half past one and the spam messages are now analyzed and processed. Of course you can run this cronjob at your own desired time or several times a day.

If you set in the previous step that messages are automatically deleted, this will happen with this cronjob.

Step 5 – DirectAdmin – Optimize SpamAssassin Settings

The SpamAssassin settings can be personalized in DirectAdmin. Log in with your username or admin account and go to the SpamAssassin settings.

On this page you can see if SpamAssassin is activated. If this is not yet the case, click on Enable.

Where do you want the SPAM messages to go?

With this option you can specify where new spam messages need to go:

  • Main Inbox, which is of course not desired
  • Redirect to the catch-all spam folder in the general IMAP account
  • To the spam folder (under the INBOX folder) of the user (email address)
  • Remove the spam directly without checking

What score must the messages meet in order to be marked as spam?

Each e-mail message is scored on the basis of various checks. Here you can set the score an e-mail message must reach before it is treated as spam. By default, this option is set to Low (5.0) and that is generally recommended. A lower score blocks more spam, but some legitimate messages may end up in the spam folder. You can also set a score number yourself.

Would you like to delete high scoring spam?

If a message gets too high a score, the message can be deleted immediately.

Change the subject of the spam message?

It is advisable to turn this on so that you can immediately see from a message whether it is SPAM or not. The subject of the email will be changed to *****SPAM***** + original subject.

Spam security settings

It is recommended to set this option to “Use text-only attachments”. This filters potentially dangerous messages and removes dangerous attachments.

Step 6 – Block TLDs globally

In recent years, there have been many top-level domain extensions that are almost exclusively used to send spam. This is already a nice list:

*@*.ar
*@*.bg
*@*.bid
*@*.biz
*@*.br
*@*.camera
*@*.cc
*@*.click
*@*.club
*@*.co
*@*.computer
*@*.cricket
*@*.date
*@*.es
*@*.faith
*@*.global
*@*.guru
*@*.help
*@*.in
*@*.info
*@*.link
*@*.media
*@*.news
*@*.ninja
*@*.nyc
*@*.org
*@*.party
*@*.photography
*@*.pt
*@*.pw
*@*.racing
*@*.review
*@*.rocks
*@*.ru
*@*.science
*@*.solutions
*@*.space
*@*.tech
*@*.today
*@*.tr
*@*.uno
*@*.vn
*@*.website
*@*.win
*@*.work
*@*.xyz

Extensions that are almost exclusively used for spam can be blocked immediately so that they never end up in your inbox or spam box.

Check which extensions you do need and remove them from the list. You can place this list in the Email Blacklist box. Once all settings are to your liking, click Save.

Open a Pull Request if you have more extensions that would be a welcome addition to this list. It’s also possible to block these TLDs globally, see this tutorial on how to do this.
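Before pasting the list into the Email Blacklist box, you can check it against mail you already consider legitimate. The script below is an added example, not part of the original tutorial: it prints every blacklist entry whose TLD is used by a sender in a given Maildir. The function names, file names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial). Sample mail and paths are constructed.

# sender_tlds FILE...: print the TLD of the From: header of each message file.
sender_tlds() {
    awk 'FNR == 1 { hdr = 1 }            # new file: headers start again
         /^\r?$/  { hdr = 0 }            # blank line ends the header block
         hdr && tolower($0) ~ /^from:/' "$@" 2>/dev/null |
        sed -n -e 's/[>[:space:]]*$//' -e 's/.*@.*\.\([^.]*\)$/\1/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# blacklist_conflicts BLACKLIST MAILDIR: print every "*@*.tld" entry of
# BLACKLIST whose TLD is used by a sender in MAILDIR/cur or MAILDIR/new.
blacklist_conflicts() {
    sender_tlds "$2"/cur/* "$2"/new/* |
        sed 's/^/*@*./' |
        grep -i -x -F -f - "$1" | sort -u
}

# demo_conflicts: run the check on a constructed mailbox and blacklist.
demo_conflicts() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Maildir/cur" "$tmp/Maildir/new"
    printf '*@*.info\n*@*.org\n*@*.xyz\n*@*.win\n' > "$tmp/blacklist.txt"
    printf 'From: Charity <news@donate.example.org>\nSubject: a\n\nhi\n' \
        > "$tmp/Maildir/cur/1"
    # CRLF line endings, upper-case TLD, and a From: line in the body
    printf 'Subject: b\nFrom: billing@shop.example.INFO\r\n\r\nFrom: x@y.xyz\n' \
        > "$tmp/Maildir/cur/2"
    printf 'From: "Bob" <bob@example.com>\n\nbody\n' > "$tmp/Maildir/new/3"
    blacklist_conflicts "$tmp/blacklist.txt" "$tmp/Maildir"
    rm -rf "$tmp"
}

demo_conflicts
```

On a real server, point blacklist_conflicts at a saved copy of the list and at a Maildir holding wanted mail; each entry it prints is one to remove from the list before saving.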

Step 7 – Check for Missing Perl Modules

SpamAssassin uses a large number of Perl modules. To verify and check this, run the following command:

sa-update -D

SpamAssassin now runs in debug mode. Look for the part of the output with many lines containing this text:

module not installed:
or
module installed:

Missing Perl modules can be installed via the DNF package manager:

dnf install perl-Razor-Agent
dnf install perl-Net-DNS-Nameserver
dnf install perl-Net-CIDR*

Once you have installed all the missing modules, reinstall SpamAssassin:

cd /usr/local/directadmin/custombuild
./build update
./build exim
./build spamassassin
./build exim_conf

Step 8 – Scanning incoming mails with ClamAV

Another important step is to scan every mail with ClamAV as a virus scanner. In this tutorial we will explain how you can do this!

Step 9 – Checking the spam filter

Method 1:

After you have gone through all the steps, it is useful to check whether SpamAssassin is actually running and set up correctly. Run the following commands in SSH as root:

cd /usr/local/directadmin/custombuild
./build update
./build versions

Now you will see a list of all installed software. Exim_conf must be on version 4.5. Look for the versions of SpamAssassin, Easy Spam Fighter and BlockCracking. If they are not listed, follow the steps in Step 1.

Method 2:

To see if SpamAssassin is running on the server run the following command in SSH as root:

ps ax | grep spamd

The result should be something like this:

21276 pts/0 S+ 0:00 grep spamd
27565 ? Ss 0:03 /usr/bin/spamd -d -c -m 15
27577 ? S 0:00 spamd child
27578 ? S 0:00 spamd child

Method 3:

By looking in the e-mail headers you can also see whether SpamAssassin is scanning the e-mail correctly. Send an email to yourself and open the headers of the email. In some clients this is the “Show original” or “Show headers” option. In the headers you should see something along the lines of the following:

X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on *
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
    HTML_MESSAGE,MIME_HTML_ONLY autolearn=no autolearn_force=no version=3.4.1

SpamAssassin now scans incoming e-mail messages. The headers show what score the email message has received and which requirements the email message has met.
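The same check can be run over stored messages instead of opening headers by hand. The script below is an added example, not part of the original tutorial: it extracts the verdict, score, threshold and tests from the X-Spam-Status header (including a folded continuation line) and lists messages that carry no such header. The function names and sample messages are constructed; the header values are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial). Sample messages are constructed.

# spam_status FILE: print "verdict score required tests" taken from the
# X-Spam-Status header of a message; return 1 when the header is missing.
spam_status() {
    awk '
        /^\r?$/ { exit }                         # blank line: headers are over
        /^[ \t]/ && grab { val = val $0; next }  # folded continuation line
        { grab = 0 }
        tolower($0) ~ /^x-spam-status:/ { grab = 1; val = $0 }
        END {
            if (val == "") exit 1
            sub(/^[^:]*:[ \t]*/, "", val)        # drop the header name
            gsub(/[ \t\r]+/, " ", val)           # unfold to single spaces
            sub(/, */, " ", val)                 # "No, score=" -> "No score="
            gsub(/, +/, ",", val)                # rejoin a folded tests= list
            n = split(val, f, " ")
            for (i = 2; i <= n; i++) { split(f[i], kv, "="); v[kv[1]] = kv[2] }
            print f[1], v["score"], v["required"], v["tests"]
        }' "$1"
}

# unscanned FILE...: print the messages that carry no X-Spam-Status header,
# i.e. mail that reached the mailbox without passing through SpamAssassin.
unscanned() {
    for msg in "$@"; do
        spam_status "$msg" > /dev/null || echo "$msg"
    done
}

# demo_status: one scanned message (folded header) and one unscanned message.
demo_status() {
    tmp=$(mktemp -d) || return 1
    {
        printf 'Subject: t\nX-Spam-Status: No, score=1.1 required=5.0 '
        printf 'tests=HEADER_FROM_DIFFERENT_DOMAINS,\n\tHTML_MESSAGE,MIME_HTML_ONLY '
        printf 'autolearn=no autolearn_force=no version=3.4.1\n\nbody\n'
    } > "$tmp/scanned"
    printf 'Subject: t\n\nX-Spam-Status: in the body only\n' > "$tmp/plain"
    (cd "$tmp" && spam_status scanned && unscanned scanned plain)
    rm -rf "$tmp"
}

demo_status
```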

Method 4:

To check if the SpamAssassin daemon is running correctly, run the following command:

systemctl status spamassassin.service

You will now see all information about the SpamAssassin service, and whether it is running correctly.

That’s all! If you now get a spam message in your inbox, please move it to the spamtraining-true folder. Give it a while and the number of spam messages that reach the inbox should decrease.