Apache SpamAssassin

Apache SpamAssassin was created by Justin Mason, who had maintained a number of patches against an earlier program named filter.plx by Mark Jeftovic, which began in August 1997. The original filter.plx was a simple Perl script designed to identify spam based on header analysis and keyword matching.^[6] Mason found the program's architecture limiting and decided to rewrite it from scratch, incorporating more sophisticated filtering techniques he had developed.^[7]

Mason uploaded the first version of SpamAssassin to SourceForge on 20 April 2001.^[8] The initial release included features that would become SpamAssassin's hallmarks: a scoring system based on multiple tests, support for blacklists, and the ability to learn from user feedback. The name "SpamAssassin" was chosen to reflect the program's aggressive approach to eliminating spam.^[6]

Following its release, SpamAssassin quickly gained adoption among system administrators dealing with the growing spam problem of the early 2000s. By 2002, major Linux distributions began including SpamAssassin in their repositories, and several commercial email services started incorporating it into their filtering systems.^[9]

The project attracted numerous contributors who added features such as:

• Bayesian filtering support (version 2.50, February 2003)^[10]
• Network-based tests and distributed checksum systems
• Support for SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail)^[11]

In summer 2004, the project entered the Apache Incubator, marking its transition to the Apache Software Foundation.^[12] This move was motivated by the need for a more formal governance structure and the desire to ensure the project's long-term sustainability. The Apache Foundation provided infrastructure, legal protection, and a proven development model.^[13]

The project graduated from incubation in December 2004 and was officially renamed to Apache SpamAssassin. Under Apache governance, the project established a Project Management Committee (PMC) and adopted Apache's consensus-based development model.^[14]

Apache SpamAssassin uses a points-based scoring system where each email is analyzed against hundreds of rules or "tests."^[4] Each test that matches assigns a positive or negative score to the message:

• Positive scores indicate spam characteristics (e.g., suspicious phrases, blacklisted senders)
• Negative scores indicate legitimate mail characteristics (e.g., valid DKIM signatures, whitelisted senders)

The scores are additive, and if the total score exceeds a configurable threshold (default 5.0), the message is classified as spam.^[15] This approach allows SpamAssassin to make nuanced decisions—a single spam indicator rarely causes a false positive, but multiple indicators together provide strong evidence.^[16]

SpamAssassin employs several categories of tests:^[17]

Header tests: Examine email headers for signs of forgery, suspicious routing, or spam software fingerprints.

Body tests: Use regular expressions to identify spam phrases, suspicious URLs, or attempts to bypass filters (e.g., "V1agra" instead of "Viagra").

Meta tests: Combine results from other tests using Boolean logic to identify complex spam patterns.

Network tests: Query external databases and services:

• DNS-based blacklists (DNSBLs) for known spam sources
• URI blacklists like SURBL for spam-advertised websites
• Distributed checksum systems to identify bulk mailings

Bayesian tests: Use statistical analysis based on previous training to identify spam patterns unique to each installation.

Apache SpamAssassin is a Perl-based application (Mail::SpamAssassin in CPAN) that can be deployed in several configurations:^[18]

The simplest deployment runs SpamAssassin as a command-line tool that processes individual messages. This mode is suitable for low-volume installations or testing but has significant performance overhead due to Perl interpreter startup time.

For better performance, SpamAssassin can run as a daemon (spamd) that stays resident in memory. Mail servers connect to it using a lightweight client (spamc). This architecture reduces overhead and allows for:^[19]

• Pre-compiled rulesets remaining in memory
• Shared Bayesian databases
• Connection pooling and load balancing

Many mail filtering applications embed SpamAssassin as a library:

• Amavisd-new: Comprehensive mail scanner integrating antivirus and anti-spam
• MIMEDefang: Sendmail/Postfix filter framework
• MailScanner: Multi-MTA scanning solution
• Exim with SA-Exim or Exiscan: Direct MTA integration

Several email clients can interface with SpamAssassin:

• Evolution and Thunderbird via filtering rules
• Procmail recipes for Unix-like systems
• Microsoft Outlook through third-party plugins^[20]

SpamAssassin includes a Bayesian classifier that learns from examples of spam and legitimate email (ham).^[21] The system uses the sa-learn utility to train on user-classified messages, building a statistical model of word frequencies in spam versus ham.^[22]

The Bayesian system in SpamAssassin uses several optimizations:

• Token selection: Only the most significant tokens are used for classification
• Header tokenization: Special parsing of headers to extract meaningful features
• Hapax legomena handling: Proper treatment of words seen only once
• Chi-squared combining: Robinson's improvements to naive Bayesian classification^[23]

SpamAssassin supports numerous network-based tests that leverage the collaborative nature of spam fighting:^[24]

DNS-based blacklists (DNSBLs): Queries against lists of known spam sources, including:

• Spamhaus (SBL, XBL, PBL)
• SORBS (Spam and Open Relay Blocking System)
• Barracuda Reputation Block List

URI blacklists: Checking URLs in message bodies against databases of spam-advertised websites:

• SURBL (Spam URI Realtime Blocklists)
• URIBL (Realtime URI Blacklist)
• DBL (Spamhaus Domain Block List)

Collaborative filtering networks:

• Distributed Checksum Clearinghouse (DCC): Identifies bulk mail
• Razor: Distributed spam detection network
• Pyzor: Python implementation of Razor protocol

SpamAssassin verifies several email authentication standards:^[25]

• SPF: Validates sending server authorization
• DKIM: Verifies cryptographic message signatures
• DMARC: Enforces ___domain-level authentication policies

SpamAssassin's rules are highly configurable through configuration files:^[26]

• System-wide configuration: /etc/mail/spamassassin/
• User preferences: ~/.spamassassin/user_prefs
• SQL databases: For large installations with many users

Administrators can:

• Adjust rule scores based on local spam patterns
• Create custom rules for organization-specific spam
• Whitelist or blacklist specific senders or domains
• Define trusted networks and authentication methods

The sa-update utility, introduced in version 3.1, automatically downloads rule updates from the SpamAssassin project.^[27] This allows installations to receive new spam detection rules without upgrading the software, similar to antivirus signature updates. The updates are cryptographically signed to ensure authenticity.^[28]

The sa-compile utility compiles SpamAssassin's ruleset into a deterministic finite automaton, providing significant performance improvements for body rules. This optimization can reduce CPU usage by 25-40% in typical deployments.^[29]

SpamAssassin's performance depends heavily on configuration and deployment method:^[30]

Processing speed:

• Standalone mode: 1-5 messages/second
• Daemon mode: 10-50 messages/second
• With sa-compile: 20-100 messages/second

Resource usage:

• Memory: 50-200MB per child process
• CPU: Varies with enabled tests and message complexity

Large installations often use:

• Multiple spamd processes behind load balancers
• Dedicated servers for network tests
• Caching DNS resolvers to reduce lookup latency
• Database backends for Bayesian data and user preferences

SpamAssassin is one of the most widely deployed open-source anti-spam solutions:^[31]

• All major Linux distributions include SpamAssassin packages
• FreeBSD, OpenBSD, and NetBSD ports available
• macOS support through Homebrew and MacPorts
• Windows support via Cygwin or native Perl installations

Many commercial products incorporate SpamAssassin:^[32]

• Email security appliances: Barracuda, SonicWall
• Hosting control panels: cPanel, Plesk, DirectAdmin
• Managed email services: Many providers use SpamAssassin as one layer in multi-stage filtering

• Internet service providers: Used by numerous ISPs for customer email filtering
• Educational institutions: Deployed at many universities worldwide
• Government agencies: Adopted by various government email systems
• Web hosting providers: Standard component in shared hosting environments

Despite its widespread use, SpamAssassin has several limitations:^[33]

• Resource intensive: Perl-based architecture requires significant CPU and memory
• Startup overhead: Even in daemon mode, complex rulesets can be slow to load
• Network test latency: DNS lookups can create bottlenecks in high-volume environments

• Rule updates needed: Requires regular updates to maintain effectiveness
• Configuration complexity: Optimal configuration requires significant expertise
• False positive risk: Aggressive settings can block legitimate email

• Limited image spam detection: Primarily text-based analysis
• Minimal attachment scanning: Requires external tools for comprehensive malware detection
• Language bias: Rules primarily developed for English-language spam

SpamAssassin occupies a specific niche in the anti-spam ecosystem:^[34]

vs. Rspamd: Rspamd offers better performance and more modern architecture but less mature ecosystem

vs. Commercial filters: SpamAssassin provides transparency and customization that proprietary solutions lack, but may require more maintenance

vs. Cloud-based filtering: On-premise SpamAssassin offers privacy and control but lacks the collaborative intelligence of cloud services

vs. CRM114: More user-friendly than CRM114 but potentially less accurate for well-trained installations

Apache SpamAssassin maintains an active development community:^[35]

• Mailing lists: Users, developers, and commits lists with thousands of subscribers
• Bug tracking: Apache Bugzilla instance for issue tracking
• Rule development: Community-contributed rules through RuleQA system
• Documentation: Comprehensive wiki and man pages

Major contributors include corporations that depend on SpamAssassin for their services, independent system administrators, and anti-spam researchers. The project follows Apache's meritocratic governance model with an elected Project Management Committee overseeing development.^[36]

• Anti-spam techniques
• Email filtering
• Rspamd
• ASSP (Anti-Spam SMTP Proxy)
• Bogofilter
• CRM114
• DSPAM
• Email authentication
• Greylisting

• Tan, Ying (2016). Anti-Spam Techniques Based on Artificial Immune System. CRC Press. ISBN 978-1498725387. {{cite book}}: Check |isbn= value: checksum (help)
• Bochenek, Chris (2013). Email Security with Cisco IronPort. Cisco Press. ISBN 978-1587142925.
• Dada, Emmanuel Gbenga (2019). "Machine Learning for Email Spam Filtering: Review, Approaches and Open Research Problems". Heliyon. 5 (6): e01802. Bibcode:2019Heliy...501802D. doi:10.1016/j.heliyon.2019.e01802.{{cite journal}}: CS1 maint: article number as page number (link)

• Official website  
• Apache SpamAssassin Wiki
• Apache SpamAssassin Rule Updates Wiki Automatically updating Apache SpamAssassin
• KAM.cf KAM Ruleset for Apache SpamAssassin
• Apache SpamAssassin on GitHub (Mirror)