How does the SPAM filter work?

The BNT Mail server is configured to automatically check each email that arrives to see if it is spam. This is done using a number of techniques:

  • There is an automated analysis of the content of the email. This analysis is designed to search for text elements that commonly occur in spam, such as the names of sexual dysfunction drugs.
  • Some elements of the email are verified against a number of spam monitoring organizations around the world. These organizations maintain lists of spammers and information about the spam they send.

Each email is given a score according to the likelihood of its being spam.

  • If an email is known for sure to be spam, it gets a very high score and is refused as it is entering the mail server. The sender is therefore aware that the email was not delivered.
  • If an email is given a high-enough score, the system will consider it to be spam. In this case an extra header is added: X-Spam-Flag: Yes.
  • Otherwise, an extra header is added to the email to indicate that it was scanned and not considered to be spam: X-Spam-Flag: No.

    The last two steps, which tag each email with a spam status header, are necessary. There is a small chance that the system will mark an email as being spam when it is in fact something that you requested. For this reason, the system must deliver the email so that you can verify whether it's spam or not. You need to take a look, from time to time, at your spam to see if any of it is actually valid email.

    The score required to tag an email as spam is a figure which is chosen by the people who designed the spam filter. If the required score is too high, too many emails will not be marked as spam when they should be. If the required score is too low, too many valid emails will be marked as spam.

    As noted above, there are some cases where so many people have complained about a particular spammer that the system is certain that email from that source is definitely spam. In all other cases, the system must deliver the email to your mail box so that you can manually verify if it is spam or not.

    Note that there are several other headers added to each email by the spam filter; it's sometimes interesting to look at them. One of these is a report header that lists all the tests that were failed by the email and the resulting score that was assigned.

    Here is an example of the spam headers that are added when an email is tagged as ham (not spam):

    X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham

    Here is an example of the spam headers that are added when an email is tagged as spam:

    X-Spam-Flag: YES
    X-Spam-Status: Yes, score=14.4 required=5.0 tests=BAYES_99,
        RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_SORBS_SOCKS,
        RCVD_IN_SORBS_WEB,RCVD_IN_XBL,URIBL_JP_SURBL autolearn=no version=3.0.4
    X-Spam-Report:
        * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
        *     [score: 1.0000]
        * 0.3 RCVD_IN_SORBS_SOCKS RBL: SORBS: sender is open SOCKS proxy server
        *     [65.91.54.10 listed in dnsbl.sorbs.net]
        * 3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
        *     [<http://dsbl.org/listing?65.91.54.10>]
        * 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
        *     [Blocked - see <http://www.spamcop.net/bl.shtml?65.91.54.10>]
        * 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
        *     [65.91.54.10 listed in sbl-xbl.spamhaus.org]
        * 0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
        *     [65.91.54.10 listed in dnsbl.sorbs.net]
        * 2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
        *     [URIs: yourclockparts.info]
    X-Spam-Level: **************
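
The following Python code is an added example, not taken from BNT Mail or from the spam filter software. It parses the X-Spam-Status and X-Spam-Report values shown above, reports how far each score is from the required threshold, and checks that the per-test points in the report add up to the stated score. The function names are illustrative, and the sample strings are copied from the two examples on this page with the bracketed detail lines shortened.

```python
import re

# Constructed sample: header values copied from the two examples on this page.
HAM_STATUS = "No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham"
SPAM_STATUS = ("Yes, score=14.4 required=5.0 tests=BAYES_99, RCVD_IN_BL_SPAMCOP_NET,"
               "RCVD_IN_DSBL,RCVD_IN_SORBS_SOCKS, RCVD_IN_SORBS_WEB,RCVD_IN_XBL,"
               "URIBL_JP_SURBL autolearn=no version=3.0.4")
SPAM_REPORT = """\
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*     [score: 1.0000]
* 0.3 RCVD_IN_SORBS_SOCKS RBL: SORBS: sender is open SOCKS proxy server
* 3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
* 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* 0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
* 2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
"""

def parse_status(value):
    """Split an X-Spam-Status value into verdict, score, threshold and test names."""
    verdict, _, rest = value.partition(",")
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", rest, flags=re.S))
    score, required = float(fields["score"]), float(fields["required"])
    return {
        "is_spam": verdict.strip().lower() == "yes",
        "score": score,
        "required": required,
        "margin": round(score - required, 1),  # distance from the tagging threshold
        "tests": [t for t in re.split(r"[,\s]+", fields["tests"]) if t],
    }

def parse_report(value):
    """Return {test name: points} from the '* <points> <NAME> ...' report lines."""
    rows = re.findall(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b", value, flags=re.M)
    return {name: float(points) for points, name in rows}

def reconcile(status_value, report_value):
    """Check that the report lists the same tests and adds up to the stated score."""
    status, report = parse_status(status_value), parse_report(report_value)
    return {
        "same_tests": set(status["tests"]) == set(report),
        "sum_matches": round(sum(report.values()), 1) == status["score"],
        "top_rule": max(report, key=report.get),
    }

if __name__ == "__main__":
    print(parse_status(HAM_STATUS))
    print(reconcile(SPAM_STATUS, SPAM_REPORT))
```

A message tagged as spam with a small positive margin is the kind most worth opening when you review your spam for valid email.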