
Spam emails are more than just a nuisance: they can slow down your inbox, carry scams, and even introduce security risks. For businesses, a large volume of spam wastes time, makes work less efficient, and can expose sensitive information. One of the most reliable tools we use for filtering spam is SpamAssassin, an industry-standard solution for email filtering.

What is SpamAssassin?

SpamAssassin is an open-source spam filtering tool that scans incoming emails and assigns them a “spam score” based on various criteria. It checks things like:

  • The content of the email (words or phrases often used in spam)
  • The links included in the email
  • The sender’s server and IP address
  • Email authentication records such as SPF, DKIM, and DMARC

Each email is scored. If it exceeds a defined threshold, it is classified as spam. SpamAssassin can also add tags to the subject line, move messages to a spam folder, or even delete them automatically, depending on how it is configured.

Using SpamAssassin via the cPanel

If your email is managed through cPanel, you can find SpamAssassin in the “Email” section. Here’s what you can do:

  1. Enable SpamAssassin – Turn it on if it’s not already active.
  2. Adjust the Spam Threshold Score – Lowering the score catches more spam but may increase false positives; increasing the score reduces false positives but may let some spam through.
  3. Auto-Delete Spam – Optionally, have SpamAssassin automatically move or delete emails flagged as spam.
  4. Access Custom Rules – cPanel provides a basic interface, but more advanced rules are added in the .spamassassin folder.

Key Configuration Files

Most custom SpamAssassin rules are stored in the .spamassassin folder, which is usually located in your home directory on the server.

  • user_prefs: Stores individual user preferences, like score adjustments and whitelists. Users can adjust the score of certain rules, whitelist trusted senders, blacklist unwanted addresses, or modify thresholds for auto-deleting spam.
  • local.cf: The primary file where you can define your own rules. You can create rules that target specific spam patterns, such as emails from certain countries, containing suspicious links, or including marketing phrases. This allows for much more precise spam filtering than relying on default rules alone.

SpamAssassin Spam Rules with user_prefs

The user_prefs file in the .spamassassin folder is where email blacklists, whitelists, and spam threshold settings can be defined. Changes here affect all users on the server. Individual user_prefs files can also be created within specific mailboxes, allowing each user to customise their own spam filtering preferences.

An example of user_prefs:

required_score 4
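# SpamAssassin 3.x names this option bayes_auto_learn (the older auto_learn is not recognised)
bayes_auto_learn 1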
whitelist_from_spf *@queenslandtech.com.au
blacklist_from *@163.com
blacklist_from *@189.cn
trusted_networks 220.233.219.15/32
whitelist_from 
blacklist_from 

SpamAssassin Spam Rules with local.cf

The local.cf file can be used to block foreign IP relays known for spam, detect marketing phrases like “specialise in SEO services”, flag emails containing foreign phone numbers or WhatsApp contacts, and check for suspicious top-level domains such as .xyz, .top, .click, .info, or .online. These types of rules are supported:

  • header rules – check email headers for suspicious IP addresses or sender details.
  • body rules – scan the content of emails for keywords or phrases often found in spam.
  • uri rules – look at links in emails to detect suspicious domains or shortened URLs.
  • meta rules – combine other rules to create a stronger signal.

Each rule can be assigned a score. Higher scores increase the likelihood the email will be marked as spam.

An example of local.cf:

# SPF/dmarc/dkim

header DMARC_FAIL_LOCAL Authentication-Results =~ /dmarc=fail/i
describe DMARC_FAIL_LOCAL DMARC validation failed
score DMARC_FAIL_LOCAL 1.0

header DKIM_FAIL_LOCAL Authentication-Results =~ /dkim=fail/i
describe DKIM_FAIL_LOCAL DKIM validation failed
score DKIM_FAIL_LOCAL 1.0

header SPF_FAIL_LOCAL Authentication-Results =~ /spf=fail/i
describe SPF_FAIL_LOCAL SPF validation failed
score SPF_FAIL_LOCAL 2.0


# suspect domains

uri SUSPICIOUS_TLD_RU /\.ru\b/i
describe SUSPICIOUS_TLD_RU Link to .ru domain
score SUSPICIOUS_TLD_RU 1.0

uri SUSPICIOUS_TLD /\.(xyz|top|click|info|online)\b/i
describe SUSPICIOUS_TLD Link to suspicious TLD (.xyz, .top, .click, .info, .online)
score SUSPICIOUS_TLD 1.0


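# URL shorteners
# Patterns are anchored to the URL host; a bare /t\.co/ also matches
# hosts such as microsoft.com.

uri LINK_SHORTENER_BITLY /^(?:https?:\/\/)?(?:www\.)?bit\.ly(?:\/|$)/i
describe LINK_SHORTENER_BITLY Uses bit.ly link shortener
score LINK_SHORTENER_BITLY 2.0

uri LINK_SHORTENER_TCO /^(?:https?:\/\/)?(?:www\.)?t\.co(?:\/|$)/i
describe LINK_SHORTENER_TCO Uses t.co link shortener
score LINK_SHORTENER_TCO 1.0

uri LINK_SHORTENER_TINYURL /^(?:https?:\/\/)?(?:www\.)?tinyurl\.com(?:\/|$)/i
describe LINK_SHORTENER_TINYURL Uses tinyurl shortener
score LINK_SHORTENER_TINYURL 1.0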


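# unwanted brand
# Sub-rules start with "__" so they carry no score of their own; without the
# prefix each would add the default 1.0 on top of the meta rule's score.

header __SUBJECT_KLAUDENA Subject =~ /Klaudena/i
body __BODY_KLAUDENA /Klaudena/i
meta KLAUDENA_CHECK (__SUBJECT_KLAUDENA || __BODY_KLAUDENA)
describe KLAUDENA_CHECK Mentions unwanted brand in subject or body
score KLAUDENA_CHECK 2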


# Magnetic therapy

body MAGNETIC_THERAPY /relieves pain with magnetic therapy/i
describe MAGNETIC_THERAPY Magnetic therapy spam claim
score MAGNETIC_THERAPY 2.0


# SEO etc

body WHITE_LABEL_SEO /SEO, PPC, and social media/i
describe WHITE_LABEL_SEO Contains common white-label marketing spam phrase
score WHITE_LABEL_SEO 2.0

body SEO_SERVICES /(digital marketing services\s*\(SEO,\s*PPC,\s*SMO\)|speciali[sz]e in SEO services|improving search engine rankings)/i
describe SEO_SERVICES SEO marketing spam phrase
score SEO_SERVICES 2.0

body FACEBOOK_ADS /(manag(e|ing)\s+(your\s+)?(social\s+media\s+)?posts?\s+(across|on)\s+Facebook|speciali[sz]e\s+in\s+(running\s+)?(paid\s+)?ads?\s+on\s+Facebook)/i
describe FACEBOOK_ADS Facebook marketing spam wording
score FACEBOOK_ADS 2.0

body PAID_BACKLINKS /paid backlinks?/i
describe PAID_BACKLINKS Backlink selling spam
score PAID_BACKLINKS 2.0

body INCREASING_TRAFFIC /(generate\s+traffic|about\s+increasing\s+your\s+website\s+traffic)/i
describe INCREASING_TRAFFIC Traffic increase spam phrase
score INCREASING_TRAFFIC 2.0


# website work

body WEBSITE_REDESIGN /(web\s*designer|Do you need a website re[-\s]*design)/i
describe WEBSITE_REDESIGN Website redesign solicitation
score WEBSITE_REDESIGN 2.0


# suspect

body LIMITED_TIME_OFFER /limited[-\s]*time offer/i
describe LIMITED_TIME_OFFER Urgency marketing phrase
score LIMITED_TIME_OFFER 1.0

body WHATSAPP_CONTACT /contact (me|us) on WhatsApp/i
describe WHATSAPP_CONTACT WhatsApp-based sales outreach
score WHATSAPP_CONTACT 1.0

body FOREIGN_TEAM /our team in (India|Asia|Philippines|China)/i
describe FOREIGN_TEAM Foreign team
score FOREIGN_TEAM 1.0

body FOREIGN_PHONE /(?:Phone|Tel|Contact):\s*(?:\+|00|011)(?!61|0)[0-9\s\-\(\)]{6,20}/i
describe FOREIGN_PHONE Email contains non-Australian international phone number
score FOREIGN_PHONE 1.0


# blocked relays

header BLOCK_MG_SPECIFIC Received =~ /mail\.(somarec|sotana)\.or\.mg/i
describe BLOCK_MG_SPECIFIC Message passed through mail.somarec.or.mg or mail.sotana.or.mg
score BLOCK_MG_SPECIFIC 2.0

header BLOCK_BAD_RELAY_RANGE Received =~ /(?<![\d.])62\.173\.(14[8-9]|15[0-4])\.\d{1,3}(?!\d)/
describe BLOCK_BAD_RELAY_RANGE Message passed through blocked relay 62.173.148.0 - 62.173.154.255
score BLOCK_BAD_RELAY_RANGE 6.0


# WordPress whitelist

body WORDPRESS_COMMENT_NOTIFY /A new comment on the post .*Author: .*Comment: .*Approve it: .*waiting for approval/s
describe WORDPRESS_COMMENT_NOTIFY Legitimate WordPress comment notification
score WORDPRESS_COMMENT_NOTIFY -6.0


# Office soft whitelist
# These strings live in HTML markup, which body rules never see (tags are
# stripped before matching), so rawbody is used instead. Any sender can copy
# these markers, so keep the negative scores small.

rawbody OFFICE_HTML_TABLE /MsoNormalTable/i
describe OFFICE_HTML_TABLE Likely legitimate Word email with tables
score OFFICE_HTML_TABLE -1.0

rawbody OFFICE_HTML_MOBILE /ms-outlook-mobile-signature/i
describe OFFICE_HTML_MOBILE Likely legitimate Outlook mobile email
score OFFICE_HTML_MOBILE -1.0

rawbody OFFICE_HTML_NS /urn:schemas-microsoft-com:office:office/i
describe OFFICE_HTML_NS Likely legitimate Microsoft Office/Word generated email
score OFFICE_HTML_NS -2.0


# iPhone soft whitelist

rawbody IPHONE_EMAIL /apple-mail-supports-explicit-dark-mode.*lineBreakAtBeginningOfSignature.*Sent from my iPhone/s
describe IPHONE_EMAIL Likely legitimate email sent from iPhone
score IPHONE_EMAIL -2.0


# automated / calendar

body AUTOMATED_MSG /This is an automated message/i
describe AUTOMATED_MSG Likely automated notification
score AUTOMATED_MSG -0.5

body ICAL_EVENT /BEGIN:VCALENDAR/i
describe ICAL_EVENT Likely calendar invitation
score ICAL_EVENT -1.0
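
Added example, not part of the original article: a small Python harness for checking uri and Received patterns against labelled samples before they go into local.cf, comparing a bare-substring pattern with one anchored to the URL host or to whole IP octets. Python's re module stands in for SpamAssassin's Perl regex engine (the patterns use only syntax common to both), and all sample URLs, Received lines and names are constructed for illustration.

```python
import re

# Patterns under test. LOOSE_* are bare-substring forms; STRICT_* anchor the
# match to the URL host or to whole IP octets. All names are hypothetical.
LOOSE_TCO = re.compile(r"t\.co", re.I)
STRICT_TCO = re.compile(r"^(?:https?://)?(?:www\.)?t\.co(?:/|$)", re.I)
LOOSE_RELAY = re.compile(r"\[?62\.173\.(14[8-9]|15[0-4])\.\d{1,3}\]?")
STRICT_RELAY = re.compile(r"(?<![\d.])62\.173\.(14[8-9]|15[0-4])\.\d{1,3}(?!\d)")

# Constructed samples: (input, should_the_rule_fire)
URI_SAMPLES = [
    ("https://t.co/AbC123", True),
    ("http://T.CO/xyz", True),
    ("https://www.microsoft.com/en-au/", False),   # contains "t.co" inside the host
    ("https://support.example/t.co.html", False),  # "t.co" only in the path
]
RECEIVED_SAMPLES = [
    ("from mx.example (unknown [62.173.149.10]) by mail.example", True),
    ("from mx.example (unknown [62.173.154.255]) by mail.example", True),
    ("from mx.example (unknown [162.173.149.10]) by mail.example", False),
    ("from mx.example (unknown [62.173.155.1]) by mail.example", False),
]


def misfires(pattern, samples):
    """Return the samples where the pattern's verdict differs from the label."""
    return [text for text, expected in samples
            if bool(pattern.search(text)) != expected]


def report():
    """Misfires per pattern; an empty list means the pattern behaves as labelled."""
    return {
        "loose_tco": misfires(LOOSE_TCO, URI_SAMPLES),
        "strict_tco": misfires(STRICT_TCO, URI_SAMPLES),
        "loose_relay": misfires(LOOSE_RELAY, RECEIVED_SAMPLES),
        "strict_relay": misfires(STRICT_RELAY, RECEIVED_SAMPLES),
    }


if __name__ == "__main__":
    for name, bad in report().items():
        print(f"{name}: {len(bad)} misfire(s)", *bad, sep="\n  ")
```

Extend the sample lists with URLs and headers taken from your own false positives and missed spam, and rerun the harness whenever a rule changes.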

Maintaining SpamAssassin

For optimal results:

  • Review spam folders regularly to check for false positives or missed spam.
  • Update or add new rules when you notice new patterns.
  • Keep SPF, DKIM, and DMARC records correctly configured to help SpamAssassin identify legitimate senders.
  • Enable DNS-based blacklists (DNSBLs) which automatically flag known spam servers.

Queensland Tech manages both websites and email systems for businesses, ensuring your emails are filtered efficiently so you can focus on running your business rather than sorting spam.
