Filtering SA flagged mail above a certain threshold

[Fergie]

(I didn't see anything specific to this in a search, but if it's there, please let me know and I'll go look it up.)

I just inherited the webmaster position for my non-profit and found spam taking over the server. (Electronic kudzu) I've configured SA to filter all mail AND put the value in the subject header, but I still have to go and clear all the spam boxes every few days. I don't want to discard all SA mail via filter, just those above a certain value. Other than resetting the initial spam threshold to higher than 5.0 and discarding those emails only, (and dealing with a lot more unflagged spam) can I put some sort of an expression in a filter to discard all mail above a certain threshold?

I'm thinking something like: SpamAssasin Spam Header | contains | greater than or equal to 8.0. That way the really obvious stuff gets deleted immediately, but the less likely spam gets forwarded appropriately (and I don't to clear out /mail every 48 hours).

Is it even possible? If so, what would be the proper syntax for an expression like that?

Thanks in advance!

[cPanelDavidG]

(I didn't see anything specific to this in a search, but if it's there, please let me know and I'll go look it up.)

I just inherited the webmaster position for my non-profit and found spam taking over the server. (Electronic kudzu) I've configured SA to filter all mail AND put the value in the subject header, but I still have to go and clear all the spam boxes every few days. I don't want to discard all SA mail via filter, just those above a certain value. Other than resetting the initial spam threshold to higher than 5.0 and discarding those emails only, (and dealing with a lot more unflagged spam) can I put some sort of an expression in a filter to discard all mail above a certain threshold?

I'm thinking something like: SpamAssasin Spam Header | contains | greater than or equal to 8.0. That way the really obvious stuff gets deleted immediately, but the less likely spam gets forwarded appropriately (and I don't to clear out /mail every 48 hours).

Is it even possible? If so, what would be the proper syntax for an expression like that?

Thanks in advance!

If you have root access to the box, you can go to WHM -> Service Configuration -> Exim Configuration Editor then select Reject mail at SMTP time if the spam score from spamassassin is greater than 10.0. and click "Save" at the bottom of that page.

[mtindor]

CPanelDavidG's recommendation is a good one if you are the administrator of the server itself and can unilaterally make the decision to reject any mail with a spam score over 10.0.

If you cannot do that (or even if you can but you wish to do some other filtering), try something like this:

Set up an Account Level Filter (which will apply to all email accounts of all domains under your particular Cpanel account.

OR

Set up a User Level Filter (which will apply to single email accounts).

Scenario: I am the server admin and I want to reject during SMTP _any_ email with a spam score greater than 10.0. For my specific account emails (Account Level), I want to delete any mail with a spam score above 8.0 and I want the rest of the spam emails to be put into the Spam folder. For my specific email account blah@blah.com (User Level) I want to delete anything with a spam score above 7.0 and I want the rest of the spam emails to be put into the Spam folder.

1. I enable spamassassin on the account (or serverwide if you are root and you want to).

2. I go into WHM / Exim Configuration Editor and tell it to reject any emails (ACLs) above 10.0.

3. I log into my Cpanel account and enable SpamAssassin. I set my default spam score to '5'. This means that anything with a spam score of 5.0 and up will be tagged as spam.

4. I enable Spambox (so that spam messages will be put into a folder called 'Spam' for all the email accounts in all domains under my specific user account.

5. I add an Account Level Filter to delete anything with a spam score of 8.0 or above.

Spam Score
Is Above (#s only)
80
Discard

6. On one particular account (User Level Filter) I want to specifically delete anything with a spam score of 8 or above and then let anything between the default (5.0) and 8 be put into the Spam folder.

- I set up a User Level filter, with the rule looking like this:

Spam Score
Is Above (#s only)
80
Discard

The way this _should work is:
spam score greater than 10.0, it is rejected during SMTP
spam score between 8.0 and 10.0, delete (all email accounts under my user account)
spam score between 5.0 and 8.0, put in Spam folder (all email accounts under my usre account)
spam score between 7.0 and 10.0 on blah@blah.com mail, delete
spam score between 5.0 and 7.0 on blah@blah.com, put in Spam folder
spam score below 5.0, put in Inbox

Mike

[Fergie]

Thank you both!
As you guessed, I do not have root access to the server - but I have no access to WHM either! I have emailed the hosting company to ask them if they can filter email for my domain at the SMTP level, but I'm waiting to hear.

I have tried setting up an account level filter, but my options for doing so are very limited. I can choose from: From, Subject, To, Body, Any Header or Spam Assasin Header. I'm not sure how to set it to check the Spam Score, unless maybe I can use Any Header' and have it check 'X-Spam-Level'? If I understand the syntax correctly for 'X-Spam-Level: +++++++++', the + signals the score.
I should then be able to have :$message_headers contains "X-Spam-Level: ********" and have it discard those that met the criteria.

It appears to work in test, but I'm waiting to see what will continue to occur.

[mtindor]

Thank you both!
As you guessed, I do not have root access to the server - but I have no access to WHM either! I have emailed the hosting company to ask them if they can filter email for my domain at the SMTP level, but I'm waiting to hear.

I have tried setting up an account level filter, but my options for doing so are very limited. I can choose from: From, Subject, To, Body, Any Header or Spam Assasin Header. I'm not sure how to set it to check the Spam Score, unless maybe I can use Any Header' and have it check 'X-Spam-Level'? If I understand the syntax correctly for 'X-Spam-Level: +++++++++', the + signals the score.
I should then be able to have :$message_headers contains "X-Spam-Level: ********" and have it discard those that met the criteria.

It appears to work in test, but I'm waiting to see what will continue to occur.

Sounds like your host isn't using Cpanel 11 - must be a previous version with the old X theme. It is still doable, but not the same way - and unfortunately I cannot write out instructions for that one

MIke

[Fergie]

Sounds like your host isn't using Cpanel 11 - must be a previous version with the old X theme. It is still doable, but not the same way - and unfortunately I cannot write out instructions for that one

MIke

Yeah.

I checked the release and it's v.11-15, but the interface still says v.10 if you look reeeeealy closely. I'll figure something out . . . if only to get the host to fully upgrade.

Thanks for your help - following your post thought process has increased my knowledge of such things immensely.

[cPanelDavidG]

Yeah.

I checked the release and it's v.11-15, but the interface still says v.10 if you look reeeeealy closely. I'll figure something out . . . if only to get the host to fully upgrade.

Thanks for your help - following your post thought process has increased my knowledge of such things immensely.

Keep in mind the older X and X2 themes aren't cPanel 11 aware. If your host switches you to the X3 theme, things should be a lot less confusing .

[MWMcons]

Thanks for supplying us with the great scenario Mike (mtindor). You know the cPanel documentation gives no indication of how to use the new filtering system (i.e. the "Spam Score" rule). Luckily, I found your post which explains to set the rule as follows:

Spam Score
Is Above (#s only)
## (i.e. 80)
<action> (i.e. Discard)

Cheers for your time!

- MWM