I'm fairly SPAM free these days. My SpamAssassin rules do a good job of scoring and marking SPAM. I have a pretty low threshold for what I mark as SPAM (3 points), because by the time SA is run in my procmail recipes I've already filtered out email from various mailing lists, individuals and the like (email from my father, Perl lists, or clients is moved to its own mailbox right away). The remaining emails are generally from people I don't filter explicitly or don't know (and so wouldn't expect to email me). Those are the emails that get run through SA.
If it scores an email at 3 points or more, it marks it as SPAM (with X-Spam-Status: Yes). If the score is 10 or more, I simply send it to /dev/null and never see it. I had that cutoff higher, but slowly lowered it as I analyzed scores from the usual Viagra, porn, printer cartridge, mortgage, etc. types of SPAM. The bulk of them score 10 and above, so I can safely never see them. If anyone I know sends me an email that scores above 10... then it is their fault for sending an email that would score so high! Here's an email which just came in, which I will never see (as it appears in the procmail log):
From 376p6a@hotmail.com Sat Aug 23 19:10:01 2003
Subject: DVD Copying Features! 238912
Folder: /dev/null 7408
Of course, I have some people whitelisted with SA. For example, my buddy Alan. He would forward me things (anime deals, Best Buy sales, etc...) which would get marked as SPAM so he needed whitelisting.
I also have a recipe which looks for garbled characters (double-byte and such) and marks them as "X-Garbled-Chars: Yes" in the headers. I put these in my SPAM folder for now but may just delete them at some point. Usually, if there is a match in this recipe, they are also SPAM... or a bounce.
That's where my problem has been lately... bounces. Spammers like to use other folks' (valid) domains to spoof the From data in their email. Someone (or several someones) has been using mine for a while now (and I'd give you a Colombian necktie if I found you). So they send SPAM saying it comes from perlguy.com (I don't know if they spoof the envelope sender, or just the From: header, in all cases) and people's mail systems bounce it back to me. So I get MANY MANY "user unknown" and "mailbox full" type bounces. On a side note, if you get SPAM from my domain, it's not me... but I would love to see the full headers of a fresh SPAM spoofing my domain. Anyway... the bounces. Most are marked as SPAM because of their contents: many contain large parts of HTML, non-US-ASCII in large chunks, or phrases that I have high scores on in SA. So these go to my SPAM folder.
One thing about bounces is that they generally come from MAILER-DAEMON, postmaster or other system email addresses that I don't want to blindly blacklist just to avoid seeing these bounces. I do want to see legit bounces from emails I send. So I added another simple procmail recipe, after the SA checks have been done, which checks whether a message is from MAILER-DAEMON or postmaster (meaning it would be a bounce), but only if it has already been marked as SPAM. If it is, it is sent through formail to add another X-* header.
# Only look at mail SpamAssassin has already marked (a local lockfile on a
# nesting block is extraneous, so the plain ":0" is used here)
:0
* ^X-Spam-Status: Yes
{
  # ...and within that, anything from a system mailbox: a bounce of someone else's spam
  :0 f
  * ^From.*(MAILER-DAEMON|postmaster)
  | ${FORMAIL} -A"X-MAILER-DAEMON: YES"
}
Of course, I can tweak it as needed. I left it like that and watched my SPAM folder to make sure that all the bounces marked as SPAM correctly had that header added. They did. Then, feeling confident I could delete these, I simply changed the formail call to a redirection to /dev/null. Voilà! Even less SPAM in my mailbox. Now I can get back to concentrating on the real SPAM that comes in, as opposed to SPAM generated by someone else's SPAM.
I also made two recipes to do some bouncing of my own. I don't want to set EXITCODE=67 and let Postfix bounce the message, as that would send someone more information than I want them to have. So I did my own. One mimics an "unknown user" bounce message, and the other is a little more custom and says the email didn't reach me because it looks like SPAM. I tested them out and they work fine; now I just need to decide which types of email I feel like bouncing with which. I'm not overly concerned with bouncing, as I've mostly been concerned with dealing with the unwanted bounces.
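The decision tree the post has built up by this point (score at 10 or more goes unseen, a SPAM-marked message from MAILER-DAEMON or postmaster is backscatter and goes unseen, anything else SA marked waits in the SPAM folder, and legitimate bounces, which SA does not mark, reach the inbox) is easier to check against real headers than to reason about in procmail. The following is an added example, not the post's own procmail, that applies those same rules in Python to a few constructed mbox messages; the addresses, hosts and `X-Spam-Status` lines are made up, and the message whose log entry appears above is reconstructed only by its visible From/Subject.

```python
import re
from email import message_from_string
from email.message import Message

# Thresholds taken from the post: SA marks at 3 points; 10 and above goes unseen.
SPAM_THRESHOLD = 3.0
DISCARD_THRESHOLD = 10.0

# procmail regexes are case-insensitive by default, and ^From.* matches both the
# mbox "From " envelope line and the "From:" header, so both are checked here.
BOUNCE_SENDER = re.compile(r"MAILER-DAEMON|postmaster", re.IGNORECASE)
# SpamAssassin 2.x wrote "hits=", 3.x writes "score="; accept either.
SCORE_RE = re.compile(r"(?:score|hits)=(-?\d+(?:\.\d+)?)")


def spam_status(msg: Message):
    """(marked_as_spam, score) from the X-Spam-Status header SA already added."""
    status = msg.get("X-Spam-Status", "")
    m = SCORE_RE.search(status)
    score = float(m.group(1)) if m else None
    marked = status.strip().lower().startswith("yes") or (
        score is not None and score >= SPAM_THRESHOLD)
    return marked, score


def status_of(raw: str):
    """Convenience wrapper: spam_status() on a raw message string."""
    return spam_status(message_from_string(raw))


def is_bounce(msg: Message) -> bool:
    """True when the envelope 'From ' line or the From: header names a system mailbox."""
    return any(BOUNCE_SENDER.search(s or "") for s in (msg.get_unixfrom(), msg.get("From")))


def is_spam_bounce(msg: Message) -> bool:
    """The post's nested recipe: already marked as SPAM *and* from MAILER-DAEMON/postmaster."""
    return spam_status(msg)[0] and is_bounce(msg)


def triage(raw: str) -> str:
    """Folder for one message, applying the post's rules after SA has scored it."""
    msg = message_from_string(raw)
    marked, score = spam_status(msg)
    if score is not None and score >= DISCARD_THRESHOLD:
        return "/dev/null"                 # obvious junk, never seen
    if is_spam_bounce(msg):
        msg["X-MAILER-DAEMON"] = "YES"     # the tag formail -A added before this became /dev/null
        return "/dev/null"                 # backscatter from someone else's spam
    if marked:
        return "spam"                      # kept for review: SA does produce false positives
    return "inbox"                         # includes legitimate bounces, which SA leaves unmarked


# Constructed sample messages (not real mail). The first line of each is the mbox
# "From " envelope line procmail sees; the X-Spam-Status header is what SA would add.
HIGH_SCORE = """From 376p6a@hotmail.com Sat Aug 23 19:10:01 2003
From: 376p6a@hotmail.com
To: kevin@example.com
Subject: DVD Copying Features! 238912
X-Spam-Status: Yes, hits=14.1 required=3.0 tests=HTML_MESSAGE

<html><body>Copy any DVD!</body></html>
"""

SPAM_BOUNCE = """From MAILER-DAEMON Sat Aug 23 19:12:40 2003
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
To: kevin@example.com
Subject: Undelivered Mail Returned to Sender
X-Spam-Status: Yes, hits=6.2 required=3.0 tests=HTML_MESSAGE

<nobody@example.org>: user unknown
<html><body>Refinance today!</body></html>
"""

LEGIT_BOUNCE = """From MAILER-DAEMON Sat Aug 23 19:15:02 2003
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
To: kevin@example.com
Subject: Undelivered Mail Returned to Sender
X-Spam-Status: No, hits=0.3 required=3.0 tests=none

<alan@example.org>: mailbox full
"""

SPAM_LOW = """From deals@example.org Sat Aug 23 19:20:11 2003
From: deals@example.org
To: kevin@example.com
Subject: Toner cartridges at cost
X-Spam-Status: Yes, hits=4.7 required=3.0 tests=HTML_MESSAGE

<html><body>Cheap toner</body></html>
"""

HAM = """From exboss@example.org Sat Aug 23 19:25:30 2003
From: exboss@example.org
To: kevin@example.com
Subject: Lunch next week?
X-Spam-Status: No, hits=1.1 required=3.0 tests=none

Free Thursday?
"""

if __name__ == "__main__":
    for name, raw in [("HIGH_SCORE", HIGH_SCORE), ("SPAM_BOUNCE", SPAM_BOUNCE),
                      ("LEGIT_BOUNCE", LEGIT_BOUNCE), ("SPAM_LOW", SPAM_LOW), ("HAM", HAM)]:
        print("%-12s -> %s" % (name, triage(raw)))
```

The one rule worth noticing is the order: the "is it a bounce?" test only runs on mail SA already marked, which is what keeps the legitimate "mailbox full" notice in the inbox while the one wrapping somebody's refinance pitch disappears.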
I'll tweak these as needed as well (comments also welcome on making them better). The first one will send a bounce, but still keep the email. Doing that for testing... once I feel good enough about it I will /dev/null. The second is the one that says it looks like SPAM. If something looks like SPAM, I don't want to see it... so right to /dev/null. All I do is add BOUNCETHIS=yes or SPAMBOUNCE=yes within a recipe and I INCLUDERC a file which looks like this at the end of my .procmailrc to handle the rest.
Why not just delete all SPAM-like things? Well, that's not a good idea. SpamAssassin is pretty good, but you can get false positives. For example, my ex-boss sent me an email last week and it was marked as SPAM because it included an HTML part (I have a high score on HTML). I wouldn't have thought to whitelist him beforehand, so I would never have seen his email... which wouldn't have been good. I do, as you saw, delete a fair amount of SPAM automatically. I tweak my SA scores or procmail recipes every so often to make them even better. Since SPAM is ever changing, so are SPAM-fighting techniques. Hopefully I'll now be back to basically no SPAM in my mailboxes, and for the ones I do get I'll tweak things so I never see similar ones again.
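The INCLUDERC file the post refers to for its two bounce flavours is not reproduced on the page, so the following is an added illustration of my own, not the author's recipes: a Python routine that builds the kind of minimal notice the post describes (a look-alike "User unknown" for BOUNCETHIS, a frank "looks like SPAM" for SPAMBOUNCE) without leaking filter names, scores, local paths or the original body. The daemon address, host name and sample messages are placeholders I made up. It also carries the two guards a practitioner would want before sending anything: never answer a null reverse-path (`Return-Path: <>`), and never bounce mail that is itself from MAILER-DAEMON or postmaster, since either one is how bounce loops start.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

# Placeholders (assumed, not the post's real values).
MY_HOST = "mail.example.com"
DAEMON = "MAILER-DAEMON@example.com"
AUTOMATED = re.compile(r"MAILER-DAEMON|postmaster", re.IGNORECASE)

# The two flavours from the post: a look-alike "unknown user" rejection, and a frank one.
REASONS = {
    "BOUNCETHIS": "User unknown",
    "SPAMBOUNCE": "Message refused: it looks like unsolicited bulk email",
}


def bounce_target(orig):
    """Where a bounce may go: Return-Path first, then From:. None means 'do not bounce'."""
    rp = orig.get("Return-Path", "").strip()
    if rp == "<>":
        return None   # null reverse-path (RFC 5321): the sender asked for no bounces
    addr = parseaddr(rp)[1] or parseaddr(orig.get("From", ""))[1]
    if not addr:
        return None
    # Never bounce a bounce or mail from a system mailbox; that is how loops start.
    if AUTOMATED.search(addr) or AUTOMATED.search(orig.get("From", "")):
        return None
    return addr


def build_bounce(raw, flavour):
    """Build a minimal notice for `flavour` (BOUNCETHIS or SPAMBOUNCE), or None if unsafe."""
    if flavour not in REASONS:
        raise ValueError("unknown bounce flavour: %r" % flavour)
    orig = message_from_string(raw)
    target = bounce_target(orig)
    if target is None:
        return None
    rcpt = parseaddr(orig.get("To", ""))[1] or "unknown"
    notice = EmailMessage()
    notice["From"] = DAEMON
    notice["To"] = target
    notice["Subject"] = "Undelivered Mail Returned to Sender"
    notice["Date"] = formatdate(localtime=True)
    notice["Message-ID"] = make_msgid(domain=MY_HOST)
    notice["Auto-Submitted"] = "auto-replied"   # RFC 3834: tells other auto-responders to stay quiet
    # The body echoes only what the sender already knows (their Subject and Message-ID);
    # no local paths, usernames, filter names or SA scores go back out.
    notice.set_content(
        "This is the mail system at host %s.\n\n"
        "I'm sorry to have to inform you that your message could not be delivered\n"
        "to one or more recipients.\n\n"
        "<%s>: %s\n\n"
        "Original Subject: %s\n"
        "Original Message-ID: %s\n"
        % (MY_HOST, rcpt, REASONS[flavour],
           orig.get("Subject", "(none)"), orig.get("Message-ID", "(none)")))
    return notice


# Constructed samples (not real mail).
SAMPLE = """Return-Path: <sales@example.org>
From: "Sales" <sales@example.org>
To: kevin@example.com
Subject: DVD Copying Features! 238912
Message-ID: <abc123@example.org>
X-Spam-Status: Yes, hits=6.1 required=3.0 tests=HTML_MESSAGE

buy now
"""

NULL_SENDER = """Return-Path: <>
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
To: kevin@example.com
Subject: Undelivered Mail Returned to Sender

<nobody@example.net>: user unknown
"""

if __name__ == "__main__":
    print(build_bounce(SAMPLE, "SPAMBOUNCE"))
    print("null sender ->", build_bounce(NULL_SENDER, "BOUNCETHIS"))
```

When handing the notice to sendmail or postfix, submit it with an empty envelope sender (`sendmail -f '' ...`, i.e. `MAIL FROM:<>`) so that your own bounce can never be bounced back to you. And one caveat that the post's own bounce problem illustrates: a SPAMBOUNCE sent to the Return-Path of a message whose sender was forged lands on an innocent third party, which is exactly the backscatter described above. The cleaner equivalent is to refuse the message during the SMTP transaction and let the connecting server deal with it.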
Posted by Kevin at August 23, 2003 07:46 PM

Kevin - (Or anyone else who knows for that matter).
I have been running SpamAssassin for several months now, and have been basically modifying and adding rules by example, because I cannot find any programming manuals or explanations of all the capabilities and nuances of the ruleset protocols and syntax.
There are some things I need to filter on, but can't figure out how.
If anyone has leads on where to find this, could you please email me at sysadmin@cmdahome.org
Thanks in advance,
Mike