Re: [exim] Exim and Spamassasin

Author: Marc Sherman
To: exim-users
Subject: Re: [exim] Exim and Spamassasin
Robby Balona wrote:
> I have Exim purring away and doing well and SpamAssassin seems to work nicely
> too. I would like to drop or quarantine mails marked as spam by SpamAssassin.
> I know all the arguments about doing this but I would like to block the spam
> nevertheless.

Magnus has already put you on the right path to how to do what you want.
You should give a bit of thought to what you want to do here, because
I'm not sure what exactly you're trying to accomplish.

There's a handful of different things you can do with spam once you've
identified it; some are better than others. Exim can be configured to
implement all of them, so you have to decide which you want to do
according to your own local policy:

- Reject the spam in the SMTP conversation, using a "drop" or "deny" ACL
verb; this is the best thing to do when the SpamAssassin score is high,
because for legitimate false positives, the sender will get a bounce
from their own mail server, but for spam with fake headers, the spamware
will usually just ignore the rejection message.

- Blackhole the spam, telling the sender that you've accepted it, but
not delivering it anywhere. This is widely considered to be a bad thing
to do, because no-one on either end knows that the message wasn't
delivered, so it's impossible to find false positives.

- Quarantine the spam; accept it at SMTP time, but deliver it to a
quarantine instead of the recipient's normal mailbox (using a router and
transport in the config). This is a good thing to do with spam that
scores between two thresholds, but only if someone's checking the
quarantine on a regular basis, otherwise it's no different than a blackhole.

- Mark the spam; accept it at SMTP time, but mark it in some way (either
with X-Spam* headers like you are currently doing, or with a tag added
to the subject header). It's then up to the users' MUA to filter the
spam however they like.

- Bounce the spam; accept it at SMTP time, and then promptly reject it
in a router. This is universally reviled as stupid and bad for the
internet, as it generates bounce messages to faked senders (collateral
spam). I'm only including it in the list for completeness; don't do this!

I think if you poll most people here and in other MTA admin communities,
you'll find that best practice is to reject above a certain score
threshold, and then either quarantine or mark messages that fall in a
lower score range where it's probably spam, but you can't be certain.

- Marc
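
The reject / quarantine / mark policy described in the message above, written out as an Exim 4 configuration fragment. This is an added example, not part of Marc's message or of the Exim distribution. Assumptions: Exim is built with content scanning, spamd listens on 127.0.0.1 port 783, the domain list `local_domains` exists, the thresholds (5.0 and 10.0) are constructed values, and the names `acl_check_data`, `acl_m_quarantine`, `spam_quarantine`, `quarantine_file` and the mailbox path are hypothetical.

```exim
# --- main section (constructed example values) ---
spamd_address = 127.0.0.1 783
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Reject: score above 10.0 ($spam_score_int is the score times ten).
  # The sending server is told at SMTP time, so nothing is bounced later.
  deny    message   = Rejected as spam (score $spam_score)
          spam      = nobody:true
          condition = ${if >{$spam_score_int}{100}{1}{0}}

  # Quarantine range: 5.0 < score <= 10.0. Flag it in an ACL message
  # variable, which a sender cannot forge the way a header could be.
  warn    spam      = nobody:true
          condition = ${if >{$spam_score_int}{50}{1}{0}}
          set acl_m_quarantine = yes

  # Mark: everything accepted carries its score for MUA-side filtering.
  warn    spam       = nobody:true
          add_header = X-Spam-Score: $spam_score ($spam_bar)

  accept

begin routers

# Place before the routers that perform normal local delivery.
spam_quarantine:
  driver    = accept
  domains   = +local_domains
  condition = ${if eq{$acl_m_quarantine}{yes}{1}{0}}
  transport = quarantine_file

begin transports

# Single reviewable mailbox; the added headers record the original
# envelope recipient and sender so false positives can be released.
quarantine_file:
  driver            = appendfile
  file              = /var/spool/exim/quarantine/spam.mbox
  user              = mail
  envelope_to_add   = true
  return_path_add   = true
  delivery_date_add = true
```

The `spam` condition caches its result for the message, so the repeated `spam = nobody:true` lines do not rescan it.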