Efficiently learn spam and ham with Dovecot and virtual users

JoWiSoftware.de

Saturday, June 5. 2010

Posted by Jochen Wierum in Bash, English, Linux, Mails

Comments (2)
Trackbacks (0)

Efficiently learn spam and ham with Dovecot and virtual users

I guess nearly every admin of a webserver knows the article ISP-style Email Server with Debian-Etch and Postfix 2.3 from workaround.org. I use a similar setup (with different pathes) for my private mailserver. I have a number of users and accounts and on some days I get a pretty high number of spam.

Step 11 of the tutorial shows an example how to automatically learn spams and ham. But I think, one can do this better.

There's nothing wrong with the script. It just has some drawbacks:

  1. Already learned messages are processed again and again.
  2. Only the spam folder and the trash is processed. I think, it's right to learn spam from the spam folder. But I sometimes move my spam into my trash, too. This means, my spam gets ham. I would prefer to learn folders like my inbox (and other folders as I use sieve to sort incoming mails). I can setup this, but this means I have to change the script if my mailbox structure changes. I prefer a blacklist: my spam folders aren't renamed that often.
  3. sa-learn gets called for each mail, which is slower than calling it for a number of messages.

As my setup is very small, performance is not that important. Also, I can trust all my users, so they won't try to learn ham as spam and vice versa. So my solution looks like this (I used the original path names here):

  1. #!/bin/sh
  2.  
  3. SADIR=/var/lib/amavis/.spamassassin
  4. DBPATH=$SADIR/bayes
  5.  
  6. IGNOREPATTERN=".*\.trash"
  7. SPAMPATTERN="junk\|spam"
  8.  
  9. GREP_SPAMPATTERN="/\.\($SPAMPATTERN\)/\(cur\|new\)/[^/][^/]*\$"
  10. GREP_IGNOREPATTERN="\(/\.\($IGNOREPATTERN\)/\(cur\|new\)/[^/][^/]*\|2,[^,]*T[^/]*\)\$"
  11.  
  12. find /var/vmail/*/*/Maildir -type f -ctime -1 \
  13.                 \( -path */Maildir/cur/* -o -path */Maildir/.[A-Za-z0-9]*/cur/* -o \
  14.                 -path */Maildir/new/* -o -path */Maildir/.[A-Za-z0-9]*/new/* \) \
  15.                 -print0 \
  16.         | grep -zZi $GREP_SPAMPATTERN \
  17.         | grep -zZvi $GREP_IGNOREPATTERN \
  18.         | xargs --null nice sa-learn --spam --no-sync --dbpath $DBPATH >/dev/null
  19.  
  20. find /var/vmail/*/*/Maildir -type f -ctime -1 \
  21.                 \( -path */Maildir/cur/* -o -path */Maildir/.[A-Za-z0-9]*/cur/* -o \
  22.                 -path */Maildir/new/* -o -path */Maildir/.[A-Za-z0-9]*/new/* \) \
  23.                 -print0 \
  24.         | grep -zZvi $GREP_SPAMPATTERN \
  25.         | grep -zZvi $GREP_IGNOREPATTERN \
  26.         | xargs --null nice sa-learn --ham --no-sync --dbpath $DBPATH >/dev/null
  27.  
  28. nice sa-learn --ham --sync --dbpath $DBPATH >/dev/null
  29. chown -R amavis:amavis $SADIR

Okay, what happens here? Line 7 and 8 define patterns. The IGNOREPATTERN means: don't learn Mails which are in "trash"-folders. That means "trash" and "my/dir/trash" are ignored and spam and ham can safely be deleted the way thunderbird & co does. Line 8 defines folders which contains spam. This is my blacklist. Some users prefer "spam", others "junk". Note that "my/dir/junk" would not be found.

Line 9 and 10 wrap the pattern into grep-compatible regexes. The lines 12-18 and 20-28 are nearly identical. First, /var/vmail is scanned for mails, which were created in the last 24 hours. This assumes that the script runs once per day (e.g. as a cron job). Lines 13 to 14 filter out directories which do not contain mails. Folder names may contain whitespaces, so a null-char is used to separate them.

Line 16 only returns spam-Mails. Note the "-v" in line 24: here, only ham is returned. This is one of two differences. Next, ignored folders are removed, because we can't say if they contain spam or ham.

After this, xargs is used to call sa-learn. This is a performance-boost since sa-learn is not called separately for each mail. Here is the second difference. In line 19, the parameter is "--spam", in line 26, it's "--ham". If a mail was learned as ham and classified as spam later (and the other way around), spamassassin automatically removes the mail before it re-learns it, so there is no need to do this manually. Last but not least, the correct owner is set.

The script runs as root, because it has to read all mails. For me, it's perfect. Perhaps there is someone out there who also likes it .

 

Update:

There are some reasons where it's perhaps better to not use this approach. If you have a big number of users, scanning mails for spam on the server may slow things down. In this case, it's perhaps better to let the users scan their mails individually. A second reason to avoid automatic filtering of mails is when different users write mails about totally different concerns. One user may report mails as spam which have content that another user would like to read. Thx to Christoph for this idea.

 

Update 2:

Learning spam and ham is much faster when the --no-sync and --sync parameters are used. Thanks to Alexey Vazhnov for this very valuable approach. Sometimes you should just read the manpage more than once wink.


Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

*Change
sa-learn --spam
to
sa-learn --no-sync --spam

sa-learn --ham
to
sa-learn --no-sync --ham

and add line to end of script:
sa-learn --sync --dbpath $DBPATH

From "man sa-learn":
--no-sync
Skip the slow synchronization step which normally takes place after changing database entries. If you plan to learn from many folders in a batch, or to learn many individual messages one-by-one, it is faster to use this switch and run "sa-learn --sync" once all the folders have been scanned.
#1 Alexey Vazhnov (Homepage) on 2011-11-28 11:05 (Reply)
*Thank you very much! I updated my article accordingly to your comment.
#1.1 Jochen Wierum (Homepage) on 2011-11-28 21:08 (Reply)

Add Comment


To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.
 

Frontpage - Top level

Quicksearch

Links in diesem Artikel

Static Pages

Links