SSH in to the server and find the affected inbox.
Quick Look at the inbox
This command shows the From, X-Spam-Bar, and Subject, without the file name. If you want to see the file names, remove the -h. You may have to use a different header for the spam score.
grep -h “From: \|X-Spam-Bar: \|Subject: ” * | more
The output should show give you an overview of what has been delivered, where it came from, and the subject.
The spam score is an appealing tool because it adapts to the current spam environ, and includes many parameters such as the sending IP address, domain, email address, SPF and reverse DNS information.
This is a very simple script that gives an overview of the spam bar values. It can be used as a first pass t set the level for filtering.
echo ‘Items in Inbox’
ls -1 | wc -l
echo ‘No Spam Bar (probably not spam)’
grep -L “X-Spam-Bar:” * | wc -l
echo ‘X-Spam-Bar Counts’
grep -m1 “X-Spam-Bar: +$” * | wc -l
grep -m1 “X-Spam-Bar: ++$” * | wc -l
grep -m1 “X-Spam-Bar: +++$” * | wc -l
grep -m1 “X-Spam-Bar: ++++$” * | wc -l
grep -m1 “X-Spam-Bar: +++++$” * | wc -l
grep -m1 “X-Spam-Bar: ++++++$” * | wc -l
It’s good to check the spam bar for valid emails as well. Many times, ‘real’ email is given a spam score.
Look for patterns in the from addresses. Common patterns include ‘email@example.com’ - the info, either as the sending email user or TLD is frequently used.
grep -h -m1 “From: ” * | sort
The subjects should be checked for the patterns in a similar manner as the From header.
Using the results of the From and Subject checks, review a few of the message bodies (read the emails). Look for common text that would not be used by people. For example, Dear firstname.lastname@example.org. People wouldn’t use an email address in a salutation, neither would real newsletter senders or other respectable sources.
Set the Filters
Read the directions. All the systems work differently.
Test the filters with some valid emails and some spam to be sure they behave as intended.
I created three filters.
- Discard - The discard filter checks for glaring spam signs, such as a server that sent many spams messages, a from address pattern, distinct text patterns that simply wouldn’t come from people or other valid sources. These are discarded without warning to the sender.
- Fail with message - Fail with message warnings were issued for anything that looked like spam, but might still be a valid email. Since the only ones that will read the fail with message text are people, it’s worth sending a friendly message, with a proposed solution. A good proposed solution is to suggest they use the site’s contact form. This will usually bypass the spam filters. It’s probably not a good idea to put a URL in the message, since a creative spammer may use it.