cPanel® Blog

Spam Filtering on cPanel: Everything You Need To Know About SpamAssassin

Spam is a huge challenge for anyone who hosts email, even though users only see a tiny fraction of the spam they’re sent.  Most unwanted messages never reach inboxes, but an incredible 54 percent of all email traffic is spam, and that’s down from 70 percent a decade ago.   

The good thing is ISPs and hosting providers are better at stamping out spammers, and users are more aware of the risks.  Still,  hundreds of billions of messages are sent every year by automated botnets that collect email addresses, compromise servers, and bombard users with malicious advertising and phishing attacks.

If you host email, you need a way to identify and filter unwanted messages, and cPanel integrates one of the most sophisticated filtering tools available. Apache SpamAssassin flags spam to remove it before it gets to users. 

To make sure we understand how it works, let’s take a close look at what SpamAssassin is, how it works, and the best settings for SpamAssassin in cPanel.

What Is SpamAssassin and How Does It Work?

We all receive spam and can recognize what it is right away. We know what it looks like, and, usually, alarm bells start ringing in our minds even if we can’t say precisely why. When that happens, we’re pattern-matching: our brains have learned to associate specific words, phrases, typography, and grammar with unwanted email.

SpamAssassin works in the same way but on a much bigger scale. It looks for patterns that are common in unwanted email and, if a message matches lots of patterns, tells us that it’s probably not something you want to see.

Email filtering isn’t an exact science. Language is complex; the definition of “unwanted email” changes depending on the context, and spammers try to hide their real goal.

However,  the software has been refined over many years with hundreds of sophisticated tests that can identify junk mail with great accuracy.

  • Phrase and language tests — These encode a language pattern that indicates whether a message is more or less likely to be spam. For example, there are tests for long runs of text in capital letters,  commonly promoted products, or words such as “money” or “win.” There are even tests to find out whether a sender has used red-flag words but tried to disguise them.
  • Online databases — Online databases store examples of messages flagged by users and email hosts. For example, the Distributed Checksum Clearinghouse hosts patterns matching bulk emails. 
  • DNS blocklists (DNSBLs) — These are online lists that software can query to see if a message comes from a known source of junk email. SpamAssassin supports several free blocklists by default, including Mailspike and SpamHaus.

SpamAssassin ships with around 1,000 tests and each email message is subjected to about 600 or more individual tests.

What is the SpamAssassin Score?

The SpamAssassin score tells us how likely an email is to be spam. Each test has a number associated with it, often a small number like 0.1 or –0.2. As messages are analyzed, the software keeps a running total, adding the individual test results to produce a combined score.

The lower the score, the more likely a message is legitimate. If a message scores ten, it is definitely spam. If it’s a three, it has some of the qualities of junk mail, but the software is less confident.

It’s important to understand the SpamAssassin score because you can use it to configure email filtering sensitivity in cPanel, as we’ll talk about in the next section.

The Best Settings for SpamAssassin in cPanel

SpamAssassin is fully integrated into the cPanel interface, and you can tweak its settings to get exactly the right spam filtering functionality for your users. To configure it, select Spam Filters in the Email section of the cPanel Home interface.

cPanel Interface

The first setting on the Spam Filters overview page is “Process New Emails and Mark them as Spam.”

SpamAssassin Interface

This is the switch that turns email testing on and off. When it is on, SpamAssassin marks high-scoring emails by inserting ***SPAM*** into the message’s header.

Configure the SpamAssassin Threshold Score

Just below “Process New Emails” is the Spam Threshold Score setting.

cPanel Interface / SpamAssassin Interface

Earlier, we said that SpamAssassin generates a score by adding up the results of many tests. The Threshold lets cPanel users configure the score above which the software considers a message to be spammy.

SpamAssassin Interface

For example, if you set the Spam Threshold Score to two, the software flags any email with a score above two. A low threshold leads to very sensitive filtering, and will likely cause non-spam messages to be flagged (false positives). In contrast, a threshold of ten is permissive; non-spam isn’t flagged, but some unwanted messages will make it through (false negatives).

The default setting is five, which is a good balance between sensitivity and too many false positives.

cPanel Interface / SpamAssassin Interface

When the Spam Box is activated, flagged messages are moved to a separate folder. Unwanted email is kept out of the inbox, but saved so that you can review it and move any incorrectly identified messages. For the typical user, the Spam Box should be turned on unless you have another method of filtering legitimate messages.

Configure SpamAssassin Auto-Delete

The next setting, Auto-Delete, does exactly what you expect it to. When it’s activated, flagged messages are deleted immediately.

SpamAssassin Interface

Auto-Delete does not use the Spam Threshold Score; it works with an independent Auto-Delete Threshold Score so that you can set different thresholds for identification and deletion.

You cannot recover a message after it is deleted. For most users, we recommend the Spam Box instead of Auto-Deletion because it allows you to review messages to see if they are incorrectly flagged.

Advanced cPanel Spam Filter Settings

Click on “Show Additional Configurations” to reveal advanced settings. These settings are rarely changed, but you may find whitelists and blacklists useful. (Note that these terms are likely to change in the future to make them more inclusive.)

SpamAssassin Interface

The whitelist is a list of email senders that are always allowed through the filter even if their messages are flagged. The blacklist is the opposite; messages from senders on the blacklist are prevented from entering inboxes.

To add a sender to the whitelist, select ‘Add A New ”whitelist_from“ Item’ and enter a sender email address. You can use wildcards such as “?” to match any character and “*” for multiple characters.

SpamAssassin Interface

The final setting, “Calculated Spam Score,” allows you to change the score associated with a test. Advanced users should only use this setting. SpamAssassin developers calibrate scores, and changing them is likely to have unpredictable side effects.

For most users, configuring SpamAssassin is as simple as activating it and choosing whether to use the Spam Box or Auto-Delete. You may need to adjust the default Threshold Score to suit your email hosting scenario, but once that’s done, SpamAssassin will work in the background to ensure that spam ends up where it belongs.

Any company that is flooded with hundreds of spam messages each day, and thousands per week, is in danger of being compromised. The risk of exposing your email addresses or compromising your servers is one that is not worth the fallout. Identifying and filtering unwanted messages requires greater security tools like Apache SpamAssassin  which is specifically designed to identify spam before it gets where you don’t want it to go. 

As always, if you have any feedback or comments, please let us know. We’re here to help. Find us on Discord, the cPanel forums, and Reddit.

cPanel

The web hosting industry's most reliable, management solution since 1997. With our first-class support and rich feature set, it's easy to see why our customers and partners make cPanel & WHM their hosting platform of choice. For more information, visit cPanel.net.