I finally gave up and installed SpamAssassin on my mail server. I’ve been using CommuniGate Pro’s blacklist and SPF support for several years now, but it’s getting a few false positives, so I had to move to something more flexible.
The deciding factor was learning that SpamAssassin 3 uses URI blacklists, so that links in the body of spam can be checked for known spam. This is a very powerful facility. I wonder why it took until V3 to implement this.
I’ve seen one spam with no links, just a phone number, so it’s not perfect, but I’m optimistic.
I increased the score for the various URI blacklists. The original scores are surprisingly low (under 5). I don’t know why they’re not absolutely damning, given the small false positive rate of these blacklists.
The most difficult part of installing SpamAssassin was getting mail piped to Mailman scanned. As-is, the CGPSA adaptor doesn’t scan mail that’s not ending up in a local mailbox. Turning on “headers only” mode, makes it scan all mail passing through the server, so that will have to do. The downside is that I lose per-domain control over the settings.
I hope that this cuts down my needing to reject spam aimed at the lists that I host. There’s only one or two of those a day, but they’re so annoying, I will spend extra time setting up a filter to automatically stomp on them. I installed the SpamAssassin plugin for Mailman so that it will automatically reject messages with a score of 10 or more.
I wish that I could get a log of the mail marked as spam by SpamAssassin, but unfortunately, CGPSA has no facility to log that, and can’t use spamd, which does its own logging. Since I plan to dump Communigate in the next few months, this problem will likely get fixed then too.