Cambridge’s spam filter

I’ve been fascinated to learn about how SpamAssassin, the system used by Cambridge University’s email system, works. It assigns a score to each incoming message, based on the reputation of the sender (whether they are blacklisted or from trusted domains) and the contents of the message. Other technical flags are noted as well. If the score is sufficiently high then your email client will put that message into your ‘junk’ folder.

Here’s an example that I received a while ago. Interestingly, the flag LOTS_OF_MONEY doesn’t attract any score.

Received: from ppsw-42.csi.cam.ac.uk (ppsw-42-intramail.csi.cam.ac.uk [192.168.128.142])
	 by cyrus-1a.csi.private.cam.ac.uk (Cyrus v2.4.17) with LMTPA;
	 Wed, 05 Apr 2017 17:54:16 +0100
X-Sieve: CMU Sieve 2.4
X-Cam-SpamScore: ssss
X-Cam-SpamDetails: score 4.3 from SpamAssassin-3.4.1-1786853 
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
 *      trust
 *      [209.85.220.193 listed in list.dnswl.dnsbl.ja.net]
 *  0.5 RCVD_IN_SORBS_SPAM RBL: SORBS: sender is a spam source
 *      [209.85.220.193 listed in dnsbl.sorbs.net]
 * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
 *      [209.85.220.193 listed in wl.mailspike.net]
 *  1.5 SUBJ_ALL_CAPS Subject is all capitals
 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 *       (faridsagbohan[at]gmail.com)
 * -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
 *      [score: 0.0738]
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
 *      author's domain
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 *      valid
 *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 *  0.0 LOTS_OF_MONEY Huge... sums of money
 * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
 *  1.0 FREEMAIL_REPLY From and body contain different freemails
 *  0.0 T_MONEY_PERCENT X% of a lot of money for you
 *  0.0 MONEY_FRAUD_8 Lots of money and very many fraud phrases
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
[...]
From: Rohany hosan 
Date: Wed, 5 Apr 2017 17:54:14 +0100
Message-ID: 
Subject: DEAREST FRIEND
To: undisclosed-recipients:;
Content-Type: text/plain; charset=UTF-8
Bcc: jmft2@cam.ac.uk

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.