Spam (junk email) filtering in Debian GNU/Linux
Prev		Next

1. Introduction

1.1. What is spam?

Spam is junk email. You may come across other synonyms for spam including UCE (Unsolicited Commercial Email) and UBE (Unsolicited Bulk Email).

To spam is to mass-mail unrequested identical or nearly-identical email messages, particularly those containing advertising. Especially used when the mail addresses have been culled from network traffic or databases without the consent of the recipients (see the Linux Dictionary).

Firewalls do not protect you against spam, but you can use other software to identify and filter out junk email.

1.2. What can you do about spam?

One thing everyone can do is to be careful when sending email to multiple addresses. Use Bcc: (blind carbon copy) to send to a message to multiple addresses, and leave the To: and Cc: fields empty. This means that none of the recipients gets any of the other of the other addresses. The addresses are less likely to be picked up by potential spammers .

If your ISP (Internet Service Provider) or web hosting provider has the facility to filter out spam, use it. It save you wasting time and money downloading rubbish.

If your provider does not filter email, or if you still have some spam coming through your provider's filter, read on. This document explains how to set up email filtering on your own home computer.

1.3. Email software components

1.3.1. Incoming mail

The type of software that manages email on your computer falls into three loosely defined catagories: Mail Transport Agent, Mail Delivery Agent and Mail User Agent. There is an article describing generic mail flow. These mail agents are often incorporated into a single software application (eg evolution, mozilla mail, etc). Figure 1 shows a typical system for receiving email.

Figure 1: the major components of a mail system dealing with incoming mail.

Mail Transport Agent (MTA), sometimes referred to as a Mail Transfer Agent. A mail transport agent is software that enables mail to travel from one mail system to another. Your provider's server uses an MTA to send you your mail. You must have an MTA at your end of the connection. A standard Debian installation uses exim, but you may come across others eg sendmail, smail, qmail, etc. Typically, the MTA passes the mail onto an MDA.
Mail Delivery Agent (MDA), sometimes referred to as a Local Delivery Agent (LDA). A mail delivery agent is software that takes mail from an MTA and passes it on to a mailbox or another MTA. A standard Debian installation uses procmail, although there are others eg deliver.
Mail User Agent (MUA). A mail user agent is the software that enables a user to write, send, receive and read email. A standard Debian installation uses mail for local mail. Other mail user agents include elm, pine, eudora, pegasus, etc.

Mail from your provider normally reaches you using the POP3 protocol. A protocol is a set of rules that govern how things communicate over the network (see theLinux dictionary).

1.3.2. Outgoing mail

Outgoing mail is sent to your provider's server, usually using the SMTP protocol. You use a mail user agent to write the message. A mail transport agent takes the message and passes it on to a mail transfer agent. The mail transport agent passes the message to a mail transport agent on your provider's server (see figure 2).

Figure 2: the major components of a mail system dealing with outgoing mail.

1.4. Mail on a Debian system

1.4.1. Debian local mail

If you have a fairly standard Debian installation, your system is probably set up like this. exim is the MTA and mail is the MUA. mail writes to the mailbox local-user-1@local-host. The contents of the mailbox are stored in the file /var/mail/local-user-1 (sometimes called the spool file). Here local-user-1 is the name that you use to login to your computer.

A user can read the mail using mail as the MUA. The command is:

mail

The user (local-user-1) can write a mail message to another user (local-user-2) on the system using the command:

mail local-user-2

1.4.2. Debian external mail

You probably manage your outgoing mail with an email application. This document focuses on evolution, but you may come across others eg links (text-based), lynx (text-based), Mozilla Mail and kmail. These email clients are designed to carry out all the necessary functions (MTA, MDA, and MUA) in one application.

In fact, evolution is not just an email client. It is a graphical groupware suite and also includes a calendar, task manager and contacts database. evolution stores the contents of its email inbox in the user's home directory (˜/evolution/local/Inbox).

1.4.3. Email filter

One reason for concentrating on evolution is that it has good, built-in functions for filtering mail. You can easily set up a filter to place all mail with a particular header into a particular folder. This approach means that you must first add the header to the original message before it reachesevolution. The task of identifying a spam email and adding identifying headers to the message is handled by spamassassin and procmail.

1.4.4. Example of a spam email modified using spamassassin

1.4.4.1. Added headers

The version of spamassassin in Woody is 2.20-1woody. The important header for basic filtering is X-Spam-Flag. It is set to “YES” when spamassassin has identified enough known features of spam messages.

X-Spam-Status: Yes, hits=5.7 required=5.0
     tests=VIAGRA,BASE64_ENC_TEXT,SUBJ_ALL_CAPS version=2.20
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.20 
     (devel $Id: x27.html.en,v 1.1 2004/04/30 21:50:38 chrislale Exp $)
X-Spam-Prev-Content-Type: text/plain
X-Spam-Prev-Content-Transfer-Encoding: base64
X-Evolution-Source: mbox:/var/mail/local-user

1.4.4.2. Modified subject line

spamassassin also modifies the subject line of suspected spam.

Subject: *****SPAM***** WEEKEND VIAGRA

1.4.4.3. Lines added to the top of the message

spamassassin 2.20 adds these lines to the top of the message. (Later versions of spamassassin do this differently.)

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: 
SPAM: Content analysis details:   (5.7 hits, 5 required)
SPAM: Hit! (2.4 points)  BODY: Plugs Viagra
SPAM: Hit! (1.4 points)  Message text disguised using base-64 encoding
SPAM: Hit! (1.9 points)  Subject is all capitals
SPAM: 
SPAM: -------------------- End of SpamAssassin results ---------------------

1.5. Outline of the installation

There are several stages in the installation process. There are good reasons for this. If you try to install and configure all the software in one go, you are more likely to run into difficulty because there is simply more to go wrong. You may also find it much more difficult to trace faults. By installing and testing in stages, you can go from each stage to the next one with confidence, knowing that your configuration works correctly. Of course, you may need to change one or two configuration settings in the next stage. However, if you make changes one at a time and a fault occurs, you do not have to look very far to find out why.

evolution
fetchmail
fetchmaildaemon
- configure fetchmail to run as a daemon
- test that fetchmail runs the retrieval and forwarding process in the background
eximand procmail
- check the current installations of exim and procmail
- test that exim (MTA) and procmail (MDA) deliver local and incoming mail
spamassassin- mail filter to identify spam using text analysis

If you have a dialup connection you probably retrieve external mail from a POP3 server, and send email via an SMPT server. Your Internet Service Provider (ISP) or web hosting provider gave you this information when you set up your account with them. You can also obtain the details you need by looking at the working configuration of a computer that you currently use to connect to your provider. As a last resort you can contact your provider and ask for the information.

1.6. Information you need before you start

You need some detailed information about your ISP (Internet Service Provider) or web hosting provider. If you have printed this document, you may wish to fill in the details in this table.

Information you need	Details of the account with your provider
your provider's telephone number
the address of your provider's POP3 server (for your incoming mail)
your username for logging in to the POP3 server
your password for logging in to the POP3 server
the address of your provider's SMTP server (for your outgoing mail)

1.7. Names used in this document

The examples in this document use pseudonyms to represent usernames, computer names etc. If you have printed this document, you may wish to use this table to make a note of the real names on your system.

1.7.1. Names used on your (local) computer

Pseudonym	Description	Real name on your system
firstname surname	your full name
local-host	the name of your (local) computer. (You can find out by entering `hostname` at the command prompt
local-user or local-user@local-host	your username on the local computer
Example	the account name used evolution to identify your provider (eg the provider's name)

1.7.2. Names used on your provider's (remote) server

Pseudonym	Description	Real name on your system
remote-user-name	your username on the remote server (isp or hosted server)
remote-user-name@example.net	the name of your account on the remote server
mail.example.net	the name of the remote POP3 mail server (that your incoming mail comes from)
smtp.example.net	the name of the remote SMTP mail server (that your outgoing mail goes to)

You will also need your password for the remote server.

Prev	Home	Next
Spam (junk email) filtering in Debian GNU/Linux		evolution- email client providing the mail user agent (MUA)