Killing Spam Dead in OSX?
November 26, 2005 9:14 AM

Killing Spam dead (osx and other strategies.) What tools/strategies are you using?

Ok. I've had it. I get 60 (sixty) pieces of spam across a number of email accounts a day. Minimum. I'm on OSX.3.4 - Mail's Junk filter is worthless. I'm using Spam Sieve; but I'm willing to look at other products.

In my filtered mail, literally 91% is spam (10 out of 100). Spam Sieve is bayesian, I tried Junkfilter (open source) it didn't do as well.

By the way, I'm not looking to compare (Ok, you get more/less.)
How are you dealing with it so it is as close to invisible as possible?
Should I be bouncing everything after the fact? Should I get more/different tools? Filter everything via gmail?
posted by filmgeek to Computers & Internet (25 answers total)
 
I'm on 10.4.3 (sure that's not the version you're on, too?), and i've had no problems with Mail.app's spam filter. On average, about 3-4 get thru (eg, land in my inbox), but most of it gets dumped.

Does your mail host have any server-side filtering options?
posted by slater at 9:16 AM on November 26, 2005


Response by poster: That is, 10 out of 100 are good.
posted by filmgeek at 9:16 AM on November 26, 2005


Response by poster: Sorry, yes X.4.3 and I'm using 5 different hosts (work/home/etc.)
posted by filmgeek at 9:17 AM on November 26, 2005


I've had much success using SBL+XBL on my mail server, along with SpamAssassin.
posted by cmonkey at 9:18 AM on November 26, 2005


spamassassin plus procmail filter. just looking in the trash, it looks like spamassassin killed about 200 messages for me yesterday and let about 10 through. mail from anyone i know gets moved into a folder of their own, so my "inbox" is mainly unkilled spam i skim through quickly every now + then.
posted by andrew cooke at 9:22 AM on November 26, 2005


oh, yes, and the procmail checks against places like sbl.
posted by andrew cooke at 9:23 AM on November 26, 2005


Response by poster: I'm sure that spamassassin is excellent. The whole perl + cron job thing is a bit more unixy than I think I can handle.
posted by filmgeek at 9:30 AM on November 26, 2005


eh? i just installed it from suse. while i'm au fait with perl + cron, you don't need them for spamassassin. i thought things like fink et al made this similarly easy on a mac?
posted by andrew cooke at 9:43 AM on November 26, 2005


If you're just concerned with one client machine then the combination of JunkMatcher and Mail.app should easily do the trick. 60 spam emails a day isn't actually that much, and any solution should be able to sail through. I'm surprised that you find the filters in Mail.app to be worthless - I had the opposite experience, and JunkMatcher was simply an add-on that catches the extra for me.

If you have multiple clients (say, a laptop or a Treo) that you use to check the same accounts, then that solution won't work since it leaves the spam on the server even though it filters it from your inbox.

In that case, the only solution on the client machine (i.e., other than SpamAssassin) is SpamFire, which works with any email client on your Mac but deletes filtered spam from the server immediately, leaving the server clean and ready to be checked by your "extra" clients.
posted by mikel at 9:54 AM on November 26, 2005


My procmail challenge-response filter works perfectly; I get no spam. (And I've recently written a daemon that watches the server's mail log to automatically white-list anyone I send mail to - I'll be adding that to the page soon.)
posted by nicwolff at 10:07 AM on November 26, 2005


warning - there's at least one person in the world who simply throws bounced emails away rather than deal with someone else's challenge response filter. sorry.
posted by andrew cooke at 10:09 AM on November 26, 2005


There probably is, and the hell with him.
posted by nicwolff at 10:13 AM on November 26, 2005


For a while, spamassassin wasn't running on my host for who-knows-what reason, so I tried filtering everything through gmail. That actually works quite well, except 1) I was generally a little uncomfortable giving google all my e-mail, and 2) gmail's spam blocker is a little too aggressive--my guess is that I had false-positives somewhere in the range of 1/day to 1/week. Since I get about 300 spam messages/day, it's not feasible to troll through the junk bin.

Currently I'm back to host-side spamassassin; I've got it set up so that anything with a SA score >= 10 gets shitcanned, and anything with a score between 5 and 10 goes into a junk bin; that sees about 15 messages/day. About 5 messages/day get trapped by Mail.app's own junk filters, and a few false-negatives squeak past.
posted by adamrice at 11:40 AM on November 26, 2005
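
The two-threshold routing described in the comment above, as an added sketch that is not part of the original thread: it reads the score from the X-Spam-Status header that SpamAssassin writes and applies the 10 and 5 cut-offs. The sample messages are constructed and the destination names are placeholders.

```python
import re
from email import message_from_string

DISCARD_AT = 10.0   # score >= 10: thrown away unseen
JUNK_AT = 5.0       # score from 5 up to 10: kept in a junk folder for review

# SpamAssassin 3.x writes "score=", the older 2.x series wrote "hits=".
_SCORE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def sa_score(raw_message):
    """Return the score from X-Spam-Status, or None if absent or unparseable."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None
    match = _SCORE.search(status)   # also works when the header is folded
    return float(match.group(1)) if match else None

def route(raw_message):
    """Return 'discard', 'junk' or 'inbox' for one message."""
    score = sa_score(raw_message)
    if score is None:
        return "inbox"      # unscanned mail is never dropped silently
    if score >= DISCARD_AT:
        return "discard"
    if score >= JUNK_AT:
        return "junk"
    return "inbox"

# Constructed sample messages (not taken from the thread).
HIGH = ("X-Spam-Status: Yes, score=14.2 required=5.0\n"
        "\ttests=BAYES_99,HTML_MESSAGE\nSubject: a\n\nbody\n")
MID = "X-Spam-Status: Yes, hits=6.8 required=5.0 tests=BAYES_90\nSubject: b\n\nbody\n"
LOW = "X-Spam-Status: No, score=-1.3 required=5.0\nSubject: c\n\nbody\n"
UNSCANNED = "Subject: d\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("high", HIGH), ("mid", MID), ("low", LOW), ("unscanned", UNSCANNED)):
        print(name, sa_score(raw), route(raw))
```

The header is only meaningful when your own mail server added it; a header with the same name that arrived with the message is sender-controlled text.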


there's at least one person in the world

Nope, there's one more, and several more I know. I run a business, and can't afford to piss off customers with Challenge Response Authentication Protocol (C.R.A.P.)


I'm on Windows, but I use a server-side filter to trash anything above a SpamAssassin rating of 7 without me even downloading it. This takes care of a LOT of spam. I then use POPFile on the client side to take care of whatever little was left. (I know you're using a Mac, but I thought this might help someone else using a PC.)
posted by madman at 11:45 AM on November 26, 2005


The combination of JunkMatcher and Mail.app works huge wonders. My biggest problem with them--as with nearly all spam filters, including those that are strictly Bayesian--is that I receive a lot of legitimate email from strangers. Such mail tends to have *no* common positive-point-generating attributes (the "to" address is, or should be, points-neutral) and at least one negative-point-generating attribute.
posted by Mo Nickels at 12:34 PM on November 26, 2005


With mail.app and JunkMatcher, I find an unacceptable rate of false positives. No point filtering out the spam if you have to read it all anyway! The mail I have in those accounts, however, comes from mostly academic colleagues.

Mail from 3 of my five accounts comes in through gmail; after a couple of weeks training I no longer seem to have false positives in my spam folder. Now less than 50% of my in-box is spam - not perfect but manageable, and I'm no longer worried about false positives.
posted by nowonmai at 12:37 PM on November 26, 2005


I don't know if any spam filter can deal effectively with the amount of spam you're getting. Maybe you need to be more proactive about defending your email address in the first place. When I was in a situation similar to yours, I just abandoned my primary email address (after notifying my friends) and was much more careful about giving out the new address. It's not posted on any webpage and I have a spamcatcher address that I use for dodgy stuff. That, plus SpamBayes, means 1-2 spam emails slip through per day.
posted by zanni at 12:43 PM on November 26, 2005


Mail's Junk filter is worthless

Not in the experience of most users, I would say.

You do know you have to train it, right?
posted by AmbroseChapel at 1:29 PM on November 26, 2005


Mail's Junk filter is worthless

Agreed. I've trained it religiously for thousands and thousands of messages, and it still gets false positives. Any system that gets false positives is useless, since that means I have to read my junk mail anyway.

Challenge-Response is a non-starter for me. I'm not willing to inconvenience other people for my own benefit, and it doesn't seem to have a slick way to handle things like receipts, travel confirmations, etc, that tend to be auto-generated, and come from a wide range of vendors.

I just use an ISP with reasonable filtering, and I delete the few strays that make it through.
posted by I Love Tacos at 2:07 PM on November 26, 2005


Response by poster: Well, as the thread may be dead (I give Ask questions 24 hours - they've scrolled off the main page at this point)...

The Unix/perl guys like SpamAssassin. No good for me; too much setup; too difficult.

The "server" side doesn't work - I have 3-4 servers, none of which are in my control.

Challenge response doesn't work - I have some blind emails that get to me - these are the sort of people that'd never go through the process.

Mail's filter (Yes, I've trained it), I think, is overwhelmed at the spam I get.

I'm using Spamsieve (which works tons better than Junkmatcher). It doesn't seem like anyone mentions it.

I'd use spamfire, but I tried emailing the author...and he never responded to my email (I must have been spam, eh?)

Last, I should have put this in my original thread; How do I filter for foreign languages (or better yet, only permit in English.) I'm getting a ton of Chinese and Russian email.

That is, if anyone is still reading it.
posted by filmgeek at 6:15 AM on November 27, 2005


i don't know what you're using, but with many filtering systems it's possible to define a rule saying that the contents (or subject) must match (or not match) a regular expression. if so, then something like (depending on the exact details of the system) "[a-zA-Z]{5}" requires at least 5 consecutive "western" characters.
posted by andrew cooke at 6:52 AM on November 27, 2005


I use Mailwasher on XP. Just add a few free spam databases to it and train it as you go.

It VERY rarely lets anything through. More often it highlights ones it's not sure about.

You still see the spam, but it picks most of it up and marks it for deletion. One click and it's all gone, letting you read the genuine emails.
posted by lemonfridge at 8:53 AM on November 27, 2005


I block most of my spam at the mail server. I have entire Asian and Eastern European countries blacklisted in addition to the usual spam-source blacklists. These senders get bounce messages telling them how to get through, so they aren't permanently blacklisted -- and I've never had a spammer actually do this, not once in two years.

I use a catchall address so I can use a different e-mail address at each site I visit without having to explicitly create an e-mail address. E-mail addresses I have received spam on get forwarded to a spamtrap address. Any e-mail that is sent to the spamtrap address (even if it is sent to other valid addresses at my server at the same time) is considered spam and not delivered. (I have a dummy mailto link on my Web site so spammers will harvest a known spamtrap as well.)

The catchall does theoretically leave me open for a dictionary attack, in which a spammer just sends e-mail to random addresses at my domain, but since I'm the only real user at my domain, my server's configured such that each e-mail may have no more than three specified recipients. A dictionary attack rarely uses individual e-mails, instead the mail is simply sent to dozens of addresses all at once, so this blocks it handily. (Also, the server is set to temporarily block any sender that generates more than a couple SMTP errors in a given period of time, so such a spammer will find themselves unable to connect to my machine at all in short order.)

Some of the public addresses I use have additional filtering. For example, some spammer guessed I used "amazon" as the account name for Amazon.com, so that address now only accepts e-mail from amazon.com and discards the rest. The domain in my WHOIS records only accepts e-mail from registrars (it produces a bounce with whitelisting instructions for others). The e-mail addresses I use on Usenet and on various Web sites where my address is seen publicly are pretty stringently filtered: they must have a message ID, they must be plain text, they must be no larger than 32K. (The latter is because of the swen worm, which once dropped 1000 150K messages on me in a day.)

Of course there's also protection to keep your e-mail address from being harvested in the first place. On Usenet I don't put my e-mail address in the From header but in the Reply-To (most Usenet address harvesters grab the XOVER headers and most servers don't include Reply-To in XOVER). If I must put a real e-mail address on a Web site somewhere, I use a unique address for each site and use a JavaScript onMouseOver handler to actually put the correct address into the link before it is clicked. (Spammers are wise to scripts that simply write out the e-mail address link, but harvesters aren't yet firing off the handlers for the links they follow. If they ever do, it'd be easy to fuck with 'em by including some dummy links with handlers that no human would ever see.)

Any messages that actually get to my inbox (1-2 a day on a bad day, 0 on a good day) are dealt with handily by SpamSieve. If I get a bunch of spams of a similar type getting through I'll see if I can write a new server-level rule to block them -- for example, last week I got a bunch that were spoofing return addresses at my domain -- admin@, service@, etc. -- and these will never darken my inbox again.
posted by kindall at 9:21 AM on November 27, 2005
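
The server-level rules from the comment above (recipient cap, spamtrap, sender-locked address, and the strict checks on public addresses) collected into one decision function, as an added sketch that is not kindall's configuration. Every address and domain in it is a placeholder, and the function signature is an assumption about what a mail server would hand to such a hook.

```python
from email import message_from_bytes

# All addresses and domains here are placeholders for illustration.
SPAMTRAPS = {"trap@example.org"}
PUBLIC = {"usenet@example.org"}                     # publicly visible, strictly filtered
SENDER_LOCKED = {"amazon@example.org": "amazon.com"}
MAX_RCPTS = 3
MAX_BYTES = 32 * 1024

def sender_domain_ok(mail_from, domain):
    """True if the envelope sender is at `domain` or one of its subdomains."""
    host = mail_from.rpartition("@")[2].lower()
    return host == domain or host.endswith("." + domain)

def verdict(mail_from, rcpt_to, raw):
    """Return 'accept' or a 'refuse: ...' reason for one SMTP transaction."""
    rcpts = {r.lower() for r in rcpt_to}
    if len(rcpts) > MAX_RCPTS:                      # dictionary-attack guard
        return "refuse: more than three recipients"
    if rcpts & SPAMTRAPS:                           # one trap recipient taints the message
        return "refuse: spamtrap recipient"
    for rcpt in sorted(rcpts):
        locked = SENDER_LOCKED.get(rcpt)
        # The envelope sender can be forged; this only stops mail that does not bother.
        if locked and not sender_domain_ok(mail_from, locked):
            return "refuse: sender not allowed for " + rcpt
    if rcpts & PUBLIC:
        msg = message_from_bytes(raw)
        if not str(msg.get("Message-ID") or "").strip():
            return "refuse: no Message-ID"
        if msg.get_content_type() != "text/plain":
            return "refuse: not plain text"
        if len(raw) > MAX_BYTES:
            return "refuse: larger than 32K"
    return "accept"

# Constructed sample messages.
PLAIN = b"Message-ID: <1@example.net>\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
HTML = b"Message-ID: <2@example.net>\r\nContent-Type: text/html\r\n\r\n<p>hi</p>\r\n"
NO_ID = b"Content-Type: text/plain\r\n\r\nhello\r\n"

if __name__ == "__main__":
    print(verdict("a@example.net", ["usenet@example.org"], HTML))
    print(verdict("a@example.net", ["me@example.org", "trap@example.org"], PLAIN))
```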


For foreign-character spam, there's almost certainly a header you can use. Looking at some Japanese spam I got, there's this:

Content-Type: text/plain; charset="shift-jis"

for instance, which is specifying a Japanese character set. You might have to add a few, but that'll sort most of it out.
posted by AmbroseChapel at 1:28 PM on November 27, 2005
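
The two language filters suggested in this thread, the Content-Type charset check above and the earlier `[a-zA-Z]{5}` rule, combined in one added sketch that is not code from either commenter. The list of blocked charsets and the sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.header import decode_header

# Charsets to refuse: a constructed starting list, extend it for the spam you see.
BLOCKED = {"shift-jis", "shift_jis", "iso-2022-jp", "euc-jp", "gb2312", "gbk",
           "big5", "euc-kr", "koi8-r", "windows-1251"}
LATIN_RUN = re.compile(r"[a-zA-Z]{5}")   # the five-letter rule quoted in the thread

def _decode(data, charset):
    """Decode bytes with the declared charset, falling back to ASCII if it is unknown."""
    try:
        return data.decode(charset or "ascii", "replace")
    except LookupError:
        return data.decode("ascii", "replace")

def declared_charsets(msg):
    """Charsets named in any part's Content-Type or in an RFC 2047 encoded Subject/From."""
    found = {part.get_content_charset() for part in msg.walk()}
    for name in ("Subject", "From"):
        found |= {cs and cs.lower() for _, cs in decode_header(msg.get(name, ""))}
    found.discard(None)
    return found

def visible_text(msg):
    """Decoded Subject plus every text/* body: what the reader would actually see."""
    chunks = [_decode(t, cs) if isinstance(t, bytes) else t
              for t, cs in decode_header(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(_decode(part.get_payload(decode=True) or b"",
                                  part.get_content_charset()))
    return " ".join(chunks)

def is_foreign(raw):
    """True if the message declares a blocked charset or shows no run of five Latin letters."""
    msg = message_from_bytes(raw)
    if declared_charsets(msg) & BLOCKED:
        return True
    return LATIN_RUN.search(visible_text(msg)) is None   # catches UTF-8 mail the header rule misses

# Constructed sample messages.
SJIS = (b'Subject: test\r\nContent-Type: text/plain; charset="shift-jis"\r\n\r\n'
        + "\u3053\u3093\u306b\u3061\u306f".encode("shift_jis"))
UTF8_CN = (b'Content-Type: text/plain; charset="utf-8"\r\n'
           b"Content-Transfer-Encoding: 8bit\r\n\r\n" + "\u4f60\u597d\u4e16\u754c".encode("utf-8"))
ENGLISH = (b'Subject: Meeting notes\r\nContent-Type: text/plain; charset="us-ascii"\r\n\r\n'
           b"See you Friday.\r\n")

if __name__ == "__main__":
    for name, raw in (("sjis", SJIS), ("utf8-cn", UTF8_CN), ("english", ENGLISH)):
        print(name, is_foreign(raw))
```

The charset rule alone misses mail sent as UTF-8, and the five-letter rule alone passes any message whose body contains a URL or an English product name, which is why the sketch applies both.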


Response by poster: Well, for what it's worth, right now, I'm trying out Spamfire....It does so much better...but it seems buggy as hell (is anyone using it?). Kindall, I don't control my domain the way you do, but I'm envious.

Ambrose, how do I set that up in mail?
posted by filmgeek at 5:18 AM on November 30, 2005

