
Using Postini With SpamAssassin - A Case Study
13th June 2006
DISCLAIMER: This information is not supported by Postini. Use at your own discretion.
Introduction
The purpose of this case study is to examine how a SpamAssassin installation interacts with email already filtered by Postini.
Note: Real-world SpamAssassin-with-Postini setups must list the Postini IP range in SpamAssassin's trusted_networks (and internal_networks), because from time to time Postini's relays are mistakenly added to RBLs/DNSBLs. If the Postini relay is not trusted, SpamAssassin's network tests treat it as the sending host, and a false listing of that relay would score all inbound mail as spam on the strength of that false information.
Setup
An email address was forwarded from Postini's external gateway to a mail server inside the Postini network that ran SpamAssassin. Spam filtering was carried out by Postini, but message disposition was set to "Message Header Tagging". This means that Postini did not quarantine spam messages, but rather delivered them with headers added indicating that the message was judged to be spam.
Spam-like test emails were sent from a Postini mail server to this address.
The path taken by emails was this:
Pseudo-spam server -> Postini mail filtering -> Postini corporate gateway -> internal mail server with SpamAssassin
The system used for testing was a Sun V100 running FreeBSD 6.1, Sendmail 8.13.6 and SpamAssassin 3.1.3. SpamAssassin was configured to exclude the Postini X-pstn headers from Bayes learning, following SpamAssassin's guidance that the Bayesian classifier should not come to rely on an upstream filter's verdict headers as its basis for classification:
$ tail -3 /usr/local/etc/mail/spamassassin/local.cf
bayes_ignore_header X-pstn-levels
bayes_ignore_header X-pstn-settings
bayes_ignore_header X-pstn-addresses
Results Overview
What I found during this investigation was that the spam-like emails I used were caught by both Postini and SpamAssassin, and the non-spam emails were not caught by either. I was not able to detect any significant difference in the capture rate with the SpamAssassin network tests on or off.
The SpamAssassin documentation indicates that the network checks (DNSBL lookups) are applied to the relays a message has passed through, not only the last one: rule sets carry suffixes such as "-notfirsthop" and "-lastexternal" that select which hops in the Received: chain a lookup examines, and only relays outside trusted_networks are examined at all. Separately, the Bayesian classifier treats header text as tokens, so a factor common to every message, such as passing through Postini's servers, is learned as neutral because it appears in spam and non-spam alike. That neutralising effect applies to Bayes only. A DNSBL rule carries a fixed score, and if a relay shared by all mail were listed, the rule would add that score to spam and non-spam alike; this is why the Postini relays need to be trusted rather than left for the network tests to examine.
Reverse DNS tests (or the absence of reverse DNS) are intrinsically difficult to test from inside a corporate LAN. Postini does not use them as a basis for spam filtering because of their unreliability: for example, a user may run their own mail server software on a laptop and send from a hotel network that has no reverse DNS information. I have found myself in that situation several times, and it is discouraging to receive bounce messages from sites that rely on such a technique when the mail I have been sending is legitimate. It is also a very easy check for a spammer to get round.
My understanding is that SpamAssassin applies its reverse DNS checks to every untrusted relay in the chain anyway. Postini's servers do have reverse lookups, and, as discussed above, because every message shares those hops their contribution should settle at neutral in the Bayes database of a mature SpamAssassin installation.
There was no indication that SpamAssassin features such as white lists and black lists would be materially affected by the initial passage of an email through Postini.
Examples with mail headers
This section can be skipped by anyone not requiring an in-depth look at mail headers and scoring results.
Non-Spam
Here are the headers from a typical non-spam message:
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
klunk.postinicorp.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham
version=3.1.3
Received: from exchsrvr3.postini.com (exchsrvr3.postini.com [172.16.0.56])
by klunk.postinicorp.com (8.13.6/8.13.6) with ESMTP id k5DIeSms063825
for <emeatest@klunk.postinicorp.com>; Tue, 13 Jun 2006 19:40:30 +0100 (BST)
(envelope-from william@palfreman.com)
Received: from EXCHANGE1.postini.com ([172.16.0.59]) by exchsrvr3.postini.com with Microsoft
SMTPSVC(6.0.3790.211);
Tue, 13 Jun 2006 11:40:28 -0700
Received: from thor.postinicorp.com ([192.168.1.29]) by EXCHANGE1.postini.com with Microsoft
SMTPSVC(6.0.3790.211);
Tue, 13 Jun 2006 11:40:27 -0700
Received: from psmtp.com (exprod8mx41.postini.com [64.18.3.141])
by thor.postinicorp.com (Postfix) with ESMTP id 449BF179949
for <emeatest@postini.com>; Tue, 13 Jun 2006 11:40:27 -0700 (PDT)
Received: from source ([80.68.91.157]) by exprod8mx41.postini.com ([64.18.7.10]) with SMTP;
Tue, 13 Jun 2006 11:40:26 PDT
Received: by cl0.palfreman.com (Postfix, from userid 1000)
id 6EFD0388F6; Tue, 13 Jun 2006 19:49:11 +0100 (BST)
Date: Tue, 13 Jun 2006 19:49:11 +0100
To: emeatest@postini.com
Subject: This is to set a good example
Message-ID: <20060613184911.GE27992@palfreman.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.5.1+cvs20040105i
From: william@palfreman.com (William Palfreman)
X-pstn-levels: (S: 9.74504/99.90000 P:95.9108 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 p
X-pstn-addresses: from <william@palfreman.com> [db-null]
X-OriginalArrivalTime: 13 Jun 2006 18:40:27.0811 (UTC) FILETIME=[D7245F30:01C68F18]
The headers carry two sets of spam scores: Postini's and SpamAssassin's.
Postini spam headers and scores
X-pstn-levels: (S: 9.74504/99.90000 P:95.9108 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 p
X-pstn-addresses: from <william@palfreman.com> [db-null]
SpamAssassin headers and scores
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
klunk.postinicorp.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham
version=3.1.3
Spam-like example
Next we have an example of a spam message that was caught by both systems:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
klunk.postinicorp.com
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=ADDR_NUMS_AT_BIGSITE,
FORGED_HOTMAIL_RCVD,NO_REAL_NAME,NUMERIC_HTTP_ADDR,SPF_SOFTFAIL,
SUBJ_ALL_CAPS autolearn=no version=3.1.3
X-Spam-Report:
* 0.6 NO_REAL_NAME From: does not include a real name
* 1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
* [SPF failed: Please see http://www.openspf.org/why.html?sender=gl53368%40hotmail.com&ip=172.16.0.56&receiver=klunk.postinicorp.com]
* 1.2 SUBJ_ALL_CAPS Subject is all capitals
* 2.2 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
* 0.6 NUMERIC_HTTP_ADDR URI: Uses a numeric IP address in URL
* 1.0 ADDR_NUMS_AT_BIGSITE Has an address with lots of numbers at a big
* ISP
Received: from exchsrvr3.postini.com (exchsrvr3.postini.com [172.16.0.56])
by klunk.postinicorp.com (8.13.6/8.13.6) with ESMTP id k5DIJCtB063687
for <emeatest@klunk.postinicorp.com>; Tue, 13 Jun 2006 19:19:17 +0100 (BST)
(envelope-from GL53368@hotmail.com)
Received: from EXCHANGE1.postini.com ([172.16.0.59]) by exchsrvr3.postini.com with Microsoft
SMTPSVC(6.0.3790.211);
Tue, 13 Jun 2006 11:19:12 -0700
Received: from thor.postinicorp.com ([192.168.1.29]) by EXCHANGE1.postini.com with Microsoft
SMTPSVC(6.0.3790.211);
Tue, 13 Jun 2006 11:19:12 -0700
Received: from psmtp.com (exprod8mx24.postini.com [64.18.3.124])
by thor.postinicorp.com (Postfix) with ESMTP id 44DB7179663
for <emeatest@postini.com>; Tue, 13 Jun 2006 11:19:12 -0700 (PDT)
Received: from source ([64.18.7.193]) by exprod8mx24.postini.com ([64.18.7.10]) with SMTP;
Tue, 13 Jun 2006 14:19:11 EDT
Received: from ella.netuser.com (ella.netuser.com [209.249.220.2])
by bigband.netuser.com (8.8.8/8.8.8) with ESMTP id DAA08447
for <greg@bigband.netuser.com>; Wed, 23 Feb 2000 03:06:45 -0800 (PST)
From: GL53368@hotmail.com
Received: from mail.qmced.ac.uk (mail.qmced.ac.uk [194.83.92.3])
by ella.netuser.com (8.9.3/8.9.3) with ESMTP id DAA01123
for <gmerrell@netuser.com>; Wed, 23 Feb 2000 03:06:43 -0800 (PST)
Received: from vaio (unverified [168.191.74.90]) by mail.qmced.ac.uk
(Rockliffe SMTPRA 2.1.6) with SMTP id <B0001827658@mail.qmced.ac.uk>;
Wed, 23 Feb 2000 10:46:56 +0000
Date: Wed, 23 Feb 2000 10:46:56 +0000
Message-ID: <B0001827658@mail.qmced.ac.uk>
To: notification@hotmail.com
Subject: **SPAM Assassin** YOU ARE GOING ON VACATION!!
X-suspect: From: hotmail.com but not from hotmail
X-spam: To: gmerrell@netuser.com
X-pstn-levels: (S: 0.00000/86.67176 P:95.9108 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 p
X-pstn-addresses: from <GL53368@hotmail.com> [db-null]
X-OriginalArrivalTime: 13 Jun 2006 18:19:12.0439 (UTC) FILETIME=[DEF60C70:01C68F15]
X-Spam-Prev-Subject: YOU ARE GOING ON VACATION!!
Postini spam headers and scores
X-pstn-levels: (S: 0.00000/86.67176 P:95.9108 )
X-pstn-settings: 1 (0.1500:0.1500) gt3 gt2 gt1 p
X-pstn-addresses: from <GL53368@hotmail.com> [db-null]
SpamAssassin headers and scores
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
klunk.postinicorp.com
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=ADDR_NUMS_AT_BIGSITE,
FORGED_HOTMAIL_RCVD,NO_REAL_NAME,NUMERIC_HTTP_ADDR,SPF_SOFTFAIL,
SUBJ_ALL_CAPS autolearn=no version=3.1.3
X-Spam-Report:
* 0.6 NO_REAL_NAME From: does not include a real name
* 1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
* [SPF failed: Please see http://www.openspf.org/why.html?sender=gl53368%40hotmail.com&ip=172.16.0.56&receiver=klunk.postinicorp.com]
* 1.2 SUBJ_ALL_CAPS Subject is all capitals
* 2.2 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
* 0.6 NUMERIC_HTTP_ADDR URI: Uses a numeric IP address in URL
* 1.0 ADDR_NUMS_AT_BIGSITE Has an address with lots of numbers at a big
* ISP
It is interesting to note that the spam-like email also scored on "1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)". This is an example of a SpamAssassin network test triggering after a message has already passed through Postini. Note, however, what the report actually evaluated: the SPF check ran against ip=172.16.0.56, the internal Exchange relay that handed the message to the SpamAssassin host, not against the originating sender. SpamAssassin treated that relay as the first untrusted hop. A softfail for a hotmail.com sender from an arbitrary internal IP says nothing about the real origin, and the same rule would fire on legitimate mail from any domain whose SPF record ends in ~all, so the trust path (trusted_networks and internal_networks) should cover the internal relays and the Postini ranges before SPF results are given any weight.
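To make the trust-path point concrete, here is an added example (not code from this article, and not SpamAssassin's own code) that reconstructs the Received: chains printed above and walks them the way SpamAssassin's trust logic does: from the receiving host outward, the first relay not inside a trusted network is the one SPF and last-external DNSBL tests treat as the sender. With nothing trusted, the walk stops at 172.16.0.56, the same ip= value shown in the SPF report above; with only private ranges trusted it stops at the Postini relay 64.18.3.141, which is exactly the host a mistaken DNSBL listing would hit; with the Postini range trusted as well it reaches the real origin, 80.68.91.157. The 64.18.0.0/20 network is an assumption (the /20 containing every Postini relay in these headers) and should be checked against Postini's published address list; the equivalent local.cf trusted_networks/internal_networks lines are given in the block's docstring.

```python
"""Relay-trust walk: which hop do SpamAssassin's network tests examine?

Added example, not code from the original article or from SpamAssassin.
It reconstructs the Received: chains printed on this page and shows which
relay is treated as the sender under different trust configurations. The
equivalent SpamAssassin local.cf lines (assumed; verify the Postini range
against Postini's published list before using it) would be:

    trusted_networks  172.16.0.0/12 192.168.0.0/16 64.18.0.0/20
    internal_networks 172.16.0.0/12 192.168.0.0/16 64.18.0.0/20
"""
import ipaddress
import re

# Received: headers from the non-spam message on this page, most recent
# hop first (the order SpamAssassin walks them). The local-submission hop
# without a bracketed IP (Postfix "from userid 1000") is omitted.
VIA_POSTINI = [
    "from exchsrvr3.postini.com (exchsrvr3.postini.com [172.16.0.56]) by klunk.postinicorp.com",
    "from EXCHANGE1.postini.com ([172.16.0.59]) by exchsrvr3.postini.com",
    "from thor.postinicorp.com ([192.168.1.29]) by EXCHANGE1.postini.com",
    "from psmtp.com (exprod8mx41.postini.com [64.18.3.141]) by thor.postinicorp.com",
    "from source ([80.68.91.157]) by exprod8mx41.postini.com ([64.18.7.10])",
]

# The direct (non-Postini) delivery from the page's comparison test.
DIRECT = [
    "from scheherazde.postini.com ([172.30.1.45]) by klunk.postinicorp.com",
    "from domain (localhost [127.0.0.1]) by scheherazde.postini.com",
]

RFC1918_AND_LOOPBACK = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
# Assumption: the /20 that contains every 64.18.x.x Postini relay in these headers.
POSTINI = ["64.18.0.0/20"]

_FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Sending IP of each hop: the first bracketed IPv4 in a Received: line."""
    ips = []
    for line in received:
        m = _FROM_IP.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def boundary_relay(received, trusted_networks):
    """Walk outward from the receiving host and return the first relay IP
    that is not inside a trusted network. That is the host SpamAssassin's
    SPF and last-external DNSBL tests treat as the sender. None means every
    hop was trusted (SpamAssassin's ALL_TRUSTED case)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(received):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


def scenarios():
    """Outcomes for the Postini-routed message under three trust settings,
    plus the direct delivery for comparison."""
    return {
        "nothing trusted": boundary_relay(VIA_POSTINI, []),
        "private ranges trusted": boundary_relay(VIA_POSTINI, RFC1918_AND_LOOPBACK),
        "private + Postini trusted": boundary_relay(VIA_POSTINI, RFC1918_AND_LOOPBACK + POSTINI),
        "direct, private ranges trusted": boundary_relay(DIRECT, RFC1918_AND_LOOPBACK),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:32s} -> {ip or 'all hops trusted (ALL_TRUSTED)'}")
```

Run it directly to print the four outcomes. The direct-delivery chain returns None, which corresponds to the ALL_TRUSTED rule that fired on that copy in the comparison further down the page; the 172.16.0.56 result for the untrusted case is the ip= value that appears in the SPF report above.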
Comparing identical mails: SpamAssassin spam scores and effect of Passage through Postini
This spam-like mail was sent via an MX relay inside Postini's LAN. It was therefore able to send direct to the SpamAssassin box *and* to the email address that was filtered by Postini and forwarded to this box. The spam scores were close, and both were detected as spam by SpamAssassin:
This email did not go through Postini filtering:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
klunk.postinicorp.com
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.4 required=5.0 tests=ALL_TRUSTED,
DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,DNS_FROM_RFC_WHOIS,
DRUGS_ERECTILE,DRUGS_ERECTILE_OBFU,FUZZY_CPILL,FUZZY_PHARMACY,
NO_REAL_NAME,SUBJECT_FUZZY_MEDS,SUBJ_BUY,UNDISC_RECIPS autolearn=no
version=3.1.3
X-Spam-Report:
* 0.6 NO_REAL_NAME From: does not include a real name
* 0.9 UNDISC_RECIPS Valid-looking To "undisclosed-recipients"
* 0.1 SUBJ_BUY Subject line starts with Buy or Buying
* 2.9 SUBJECT_FUZZY_MEDS Attempt to obfuscate words in Subject:
* -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 2.6 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
* 0.9 FUZZY_CPILL BODY: Attempt to obfuscate words in spam
* 0.5 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
* 0.9 DNS_FROM_RFC_WHOIS RBL: Envelope sender in whois.rfc-ignorant.org
* 1.4 DNS_FROM_RFC_POST RBL: Envelope sender in
* postmaster.rfc-ignorant.org
* 2.0 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
* 0.1 DRUGS_ERECTILE Refers to an erectile drug
Received: from scheherazde.postini.com ([172.30.1.45])
by klunk.postinicorp.com (8.13.6/8.13.6) with ESMTP id k5DK7UAk066567
for <emeatest@klunk.postinicorp.com>; Tue, 13 Jun 2006 21:07:30 +0100 (BST)
(envelope-from ccwp@postini.com)
Received: from domain (localhost [127.0.0.1])
by scheherazde.postini.com (8.13.4/8.13.4) with SMTP id k5DJvNbB014638;
Tue, 13 Jun 2006 20:57:50 +0100 (BST)
(envelope-from ccwp@postini.com)
Date: Tue, 13 Jun 2006 20:57:23 +0100 (BST)
From: ccwp@postini.com
Message-Id: <200606131957.k5DJvNbB014638@scheherazde.postini.com>
Subject: **SPAM Assassin** buy viagra, c1alis, meds
To: undisclosed-recipients:;
X-Spam-Prev-Subject: buy viagra, c1alis, meds
All your pharm@cy needs
1-800-232-3434, meds@s4r5anol.ru
Unsubscribe me : http://www.med4u.azo14.ru
--------------------------------------------------------------
This email did go through Postini filtering:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
klunk.postinicorp.com
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.7 required=5.0 tests=AWL,DRUGS_ERECTILE,
DRUGS_ERECTILE_OBFU,FUZZY_CPILL,FUZZY_PHARMACY,NO_REAL_NAME,
SUBJECT_FUZZY_MEDS,SUBJ_BUY,UNDISC_RECIPS autolearn=no version=3.1.3
X-Spam-Report:
* 0.6 NO_REAL_NAME From: does not include a real name
* 0.9 UNDISC_RECIPS Valid-looking To "undisclosed-recipients"
* 0.1 SUBJ_BUY Subject line starts with Buy or Buying
* 2.9 SUBJECT_FUZZY_MEDS Attempt to obfuscate words in Subject:
* 2.6 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
* 0.9 FUZZY_CPILL BODY: Attempt to obfuscate words in spam
* 2.0 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
* 0.1 DRUGS_ERECTILE Refers to an erectile drug
* 0.7 AWL AWL: From: address is in the auto white-list
Received: from exchsrvr3.postini.com (exchsrvr3.postini.com [172.16.0.56])
by klunk.postinicorp.com (8.13.6/8.13.6) with ESMTP id k5DK93IJ066583
for <emeatest@klunk.postinicorp.com>; Tue, 13 Jun 2006 21:09:04 +0100 (BST)
(envelope-from ccwp@postini.com)
Received: from EXCHANGE1.postini.com ([172.16.0.59]) by exchsrvr3.postini.com with Microsoft
SMTPSVC(6.0.3790.211);
Tue, 13 Jun 2006 13:09:03 -0700
Received: from thor.postinicorp.com ([192.168.1.29]) by EXCHANGE1.postini.com with Microsoft
SMTPSVC(6.0.3790.211);
Tue, 13 Jun 2006 13:09:02 -0700
Received: from psmtp.com (exprod8mx42.postini.com [64.18.3.142])
by thor.postinicorp.com (Postfix) with ESMTP id E6B901789BD;
Tue, 13 Jun 2006 13:08:59 -0700 (PDT)
Received: from source ([64.18.7.193]) (using TLSv1) by exprod8mx42.postini.com ([64.18.7.10]) with SMTP;
Tue, 13 Jun 2006 16:08:58 EDT
Received: from domain (localhost [127.0.0.1])
by scheherazde.postini.com (8.13.4/8.13.4) with SMTP id k5DJwbGg014640;
Tue, 13 Jun 2006 20:58:51 +0100 (BST)
(envelope-from ccwp@postini.com)
Date: Tue, 13 Jun 2006 20:58:37 +0100 (BST)
From: ccwp@postini.com
Message-Id: <200606131958.k5DJwbGg014640@scheherazde.postini.com>
Subject: **SPAM Assassin** buy viagra, c1alis, meds
To: undisclosed-recipients: ;
X-pstn-levels: (S: 0.00499/96.89465 R:95.9108 P:95.9108 M:96.8350 C:51.8443 )
X-OriginalArrivalTime: 13 Jun 2006 20:09:02.0672 (UTC) FILETIME=[370BCD00:01C68F25]
X-Spam-Prev-Subject: buy viagra, c1alis, meds
All your pharm@cy needs
1-800-232-3434, meds@s4r5anol.ru
Unsubscribe me : http://www.med4u.azo14.ru
--------------------------------------------------------------
Both emails would have been blocked by SpamAssassin, and the second would also have been blocked by Postini had the disposition been set to quarantine or block rather than header tagging. The rules that fired differ between the two copies: the direct copy scored ALL_TRUSTED (-1.4), since its only hops (172.30.1.45 and localhost) were treated as trusted, and picked up the three DNS_FROM_RFC_* envelope-sender lookups (+2.8 in total); the copy that passed through Postini scored neither of those and instead picked up AWL (+0.7).
Conclusion
On the basis of this limited test environment, I have not found reason to expect SpamAssassin to perform materially less well on emails that have passed through Postini than on emails sent to it direct.
One factor of Postini filtering is that even where an email address is "unfiltered", Postini's own extensive real-time blocking will substantially reduce the level of spam ever reaching a SpamAssassin server. Postini's blocking functionality, called preEMPT, is genuinely real-time: we hold information about abusive IP addresses for only one hour, and as one of the world's top mail processors we have access to excellent information about which IP addresses are acting abusively at any given time.
So even allowing for the possibility that sometimes the SpamAssassin spam score might be slightly lower on mail already passed through Postini, the Postini preEMPT functionality will still mean that the level of spam protection will be significantly improved for users relying on SpamAssassin filtering only.