Spam Filter Configuration
Configure spam detection engines, thresholds, and actions to protect your organization from unwanted email.
Overview
Mailborder uses a multi-engine approach to spam detection:
- Rspamd - Primary spam engine with machine learning
- SpamAssassin - Traditional rule-based filtering (optional)
- RBL Checks - Real-time blacklist queries
- SPF/DKIM/DMARC - Sender authentication
- Content Analysis - Keywords, patterns, headers
- Greylisting - Temporary rejection of unknown senders
Each engine contributes to a spam score, and actions are taken based on the total score.
Accessing Spam Filter Settings
Via Web Interface: Navigate to Email Security → Spam Filtering
Via Command Line:
Spam Score Thresholds
Mailborder uses a scoring system in which a higher score means a message is more spam-like.
Understanding Scores
Typical Score Ranges:
- < 2.0 - Almost certainly legitimate
- 2.0 - 5.0 - Probably legitimate, minor spam indicators
- 5.0 - 7.0 - Suspicious, could be spam or legitimate
- 7.0 - 15.0 - Likely spam
- > 15.0 - Almost certainly spam
Threshold Actions
Pass (Deliver)
Email below this score is delivered normally.
Default: < 6.0
Quarantine
Email between pass and reject thresholds is quarantined for review.
Default: 6.0 - 20.0
Reject
Email above this score is blocked completely.
Default: > 20.0
Tag Only
Add spam headers but don't quarantine or reject.
Email with score > 4.0 gets X-Spam: Yes header.
Recommended Threshold Profiles
Conservative (Low False Positives)
sudo mb-config set spam.threshold.pass 8.0
sudo mb-config set spam.threshold.quarantine 8.0
sudo mb-config set spam.threshold.reject 25.0
Use when: False positives are unacceptable and you would rather let some spam through than block legitimate email.
Balanced (Default)
sudo mb-config set spam.threshold.pass 6.0
sudo mb-config set spam.threshold.quarantine 6.0
sudo mb-config set spam.threshold.reject 20.0
Use when: Standard business environment, balance effectiveness and safety.
Aggressive (Low False Negatives)
sudo mb-config set spam.threshold.pass 4.0
sudo mb-config set spam.threshold.quarantine 4.0
sudo mb-config set spam.threshold.reject 15.0
Use when: Spam reduction is the priority and an occasional false positive is acceptable.
Tag-Only (Maximum Safety)
sudo mb-config set spam.threshold.pass 100.0
sudo mb-config set spam.threshold.quarantine 100.0
sudo mb-config set spam.threshold.reject 100.0
sudo mb-config set spam.action.tag true
Use when: Testing, training period, or user-managed spam folders.
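The following added example (not Mailborder code) applies the four profiles above to one constructed batch of scores, so the effect of a profile change on delivery, quarantine and reject volume is visible before it is applied. The function names are hypothetical; it assumes the boundaries read as the defaults are written (pass `< 6.0`, quarantine `6.0 - 20.0`, reject `> 20.0`) and that tagging applies only when `spam.action.tag` is true.

```python
# Added example. Threshold values are copied from the four profiles above.
PROFILES = {
    "conservative": {"pass": 8.0, "reject": 25.0, "tag": False},
    "balanced": {"pass": 6.0, "reject": 20.0, "tag": False},
    "aggressive": {"pass": 4.0, "reject": 15.0, "tag": False},
    "tag-only": {"pass": 100.0, "reject": 100.0, "tag": True},
}
TAG_SCORE = 4.0  # page: score > 4.0 gets "X-Spam: Yes"
# Constructed sample scores, not measurements from a real mail flow.
SAMPLE_SCORES = [0.4, 3.1, 4.5, 6.0, 7.9, 8.5, 14.2, 18.0, 20.0, 22.5, 31.0]


def disposition(score, profile):
    """Action for one message score under a named profile."""
    p = PROFILES[profile]
    if p["pass"] > p["reject"]:
        raise ValueError("pass threshold must not exceed reject threshold")
    if score > p["reject"]:      # "> 20.0" in the default profile
        return "reject"
    if score >= p["pass"]:       # "6.0 - 20.0": both ends are quarantined
        return "quarantine"
    # Assumption: tagging is applied only when spam.action.tag is true.
    if p["tag"] and score > TAG_SCORE:
        return "tag"
    return "deliver"


def compare(scores):
    """Tally actions per profile for the same batch of scores."""
    result = {}
    for name in PROFILES:
        tally = {"deliver": 0, "tag": 0, "quarantine": 0, "reject": 0}
        for s in scores:
            tally[disposition(s, name)] += 1
        result[name] = tally
    return result


if __name__ == "__main__":
    for name, tally in compare(SAMPLE_SCORES).items():
        print(f"{name:13} {tally}")
```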
Rspamd Configuration
Rspamd is the primary spam detection engine.
Enable/Disable Rspamd
Default: Enabled
Rspamd Modules
Bayesian Filter
Machine learning classifier trained on spam and ham.
Auto-Learning:
# Auto-learn spam (score > threshold)
sudo mb-config set spam.rspamd.bayes.autolearn_spam_threshold 12.0
# Auto-learn ham (score < threshold)
sudo mb-config set spam.rspamd.bayes.autolearn_ham_threshold 1.0
Train Bayesian Filter:
# Learn spam
sudo mb-rspamd-learn --spam /path/to/spam-samples/
# Learn ham (legitimate email)
sudo mb-rspamd-learn --ham /path/to/ham-samples/
# Reset and retrain
sudo mb-rspamd-learn --reset
Neural Network
Deep learning classifier (requires training data).
Fuzzy Hashing
Detect emails similar to known spam.
URL Redirector
Follow URL redirects to check final destination.
Rspamd Actions
Add Header
Add spam headers to email (always enabled).
Rewrite Subject
Prepend [SPAM] to subject line.
sudo mb-config set spam.rspamd.rewrite_subject true
sudo mb-config set spam.rspamd.subject_prefix "[SPAM] "
Soft Reject
Temporarily reject (greylisting-like).
Rspamd Performance
Cache Results
Cache spam scores for identical emails.
sudo mb-config set spam.rspamd.cache.enabled true
sudo mb-config set spam.rspamd.cache.ttl 3600 # 1 hour
Timeout
Maximum scanning time.
SpamAssassin Configuration
Traditional rule-based spam filter (optional, complementary to Rspamd).
Enable SpamAssassin
Default: Disabled (Rspamd is usually sufficient)
SpamAssassin Settings
Required Score
Minimum score to mark as spam (SpamAssassin's internal threshold).
Rules
Enable/disable rule sets:
# Default rules
sudo mb-config set spam.spamassassin.use_bayes true
sudo mb-config set spam.spamassassin.use_pyzor true
sudo mb-config set spam.spamassassin.use_razor2 true
sudo mb-config set spam.spamassassin.use_dcc false
Auto-Whitelist
Learn sender reputation over time.
Update Rules
# Update SpamAssassin rules
sudo sa-update
# Restart SpamAssassin
sudo systemctl restart spamassassin
RBL (Real-time Blacklist) Configuration
Query DNS-based blacklists for sender reputation.
Enable RBL Checks
Default: Enabled
RBL Servers
Default RBLs (Reputable, Free):
- zen.spamhaus.org - Spamhaus composite (highly recommended)
- bl.spamcop.net - SpamCop
- b.barracudacentral.org - Barracuda
- dnsbl.sorbs.net - SORBS
Add RBL:
Remove RBL:
List RBLs:
RBL Weights
Each RBL hit contributes to the spam score.
Weight Guidelines:
- 1.0 - Low confidence RBL
- 2.0 - Standard RBL
- 3.0 - High confidence RBL
- 5.0 - Very high confidence (automatic quarantine)
Adjust Weight:
RBL Whitelisting
Exclude specific IPs from RBL checks:
RBL Timeout
Maximum time to wait for an RBL response.
If the timeout is exceeded, the RBL result is ignored (fail-open).
RBL Caching
Cache RBL results to reduce DNS queries.
sudo mb-config set spam.rbl.cache.enabled true
sudo mb-config set spam.rbl.cache.ttl 300 # 5 minutes
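How an RBL check produces a score, as an added example using the standard DNSBL query convention (not Mailborder's own code): the client address is reversed, the list zone is appended, and an A record in 127.0.0.0/8 means "listed". The per-list weights, the function names and the stub resolver are assumptions. The example goes slightly beyond the text by handling IPv6 and by ignoring the 127.255.255.x answers that Spamhaus uses as error codes rather than listings.

```python
import ipaddress

# Weights are assumptions picked from the guideline range above;
# the page does not state the weight assigned to each list.
RBL_WEIGHTS = {
    "zen.spamhaus.org": 3.0,
    "bl.spamcop.net": 2.0,
    "b.barracudacentral.org": 2.0,
    "dnsbl.sorbs.net": 1.0,
}


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6: 32 hex nibbles, reversed
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def rbl_score(ip, resolve, whitelist=()):
    """Return (score, zones_hit) for a client IP.

    resolve(name) returns a list of A-record strings, [] for NXDOMAIN,
    and raises TimeoutError when a list does not answer in time.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return 0.0, []  # whitelisted IPs skip RBL checks entirely
    score, hits = 0.0, []
    for zone, weight in RBL_WEIGHTS.items():
        try:
            answers = resolve(dnsbl_name(ip, zone))
        except TimeoutError:
            continue  # fail-open: a slow list contributes nothing
        # 127.255.255.x are Spamhaus error codes, not listings.
        if any(a.startswith("127.") and not a.startswith("127.255.255.")
               for a in answers):
            score += weight
            hits.append(zone)
    return score, hits


def fake_resolver(name):  # constructed responses, no network access
    if name.endswith("bl.spamcop.net"):
        raise TimeoutError(name)
    return ["127.0.0.2"] if name == "10.100.51.198.zen.spamhaus.org" else []
```

Because timeouts fail open, a list that is unreachable silently lowers every score; alerting on the timeout rate per list shows when a list has effectively dropped out of the checks.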
SPF/DKIM/DMARC Validation
Sender authentication checks.
SPF (Sender Policy Framework)
Validate that the sending IP is authorized by the sender's domain.
Enable:
Actions:
# Add score for SPF results
sudo mb-config set spam.spf.score.pass -0.5 # Reduce score (good)
sudo mb-config set spam.spf.score.fail 3.0 # Increase score (bad)
sudo mb-config set spam.spf.score.softfail 1.0
sudo mb-config set spam.spf.score.neutral 0.0
sudo mb-config set spam.spf.score.none 0.5
Reject on SPF Fail:
DKIM (DomainKeys Identified Mail)
Verify cryptographic signature.
Enable:
Actions:
sudo mb-config set spam.dkim.score.pass -1.0
sudo mb-config set spam.dkim.score.fail 2.0
sudo mb-config set spam.dkim.score.invalid 3.0
DKIM Signing (Outbound)
Sign outbound email:
sudo mb-config set spam.dkim.sign_outbound true
sudo mb-config set spam.dkim.selector "mailborder"
sudo mb-config set spam.dkim.domain "example.com"
Generate DKIM key:
Publish DNS TXT record (shown in output).
DMARC (Domain-based Message Authentication)
Policy enforcement for SPF and DKIM.
Enable:
Actions:
sudo mb-config set spam.dmarc.score.pass -0.5
sudo mb-config set spam.dmarc.score.quarantine 2.0
sudo mb-config set spam.dmarc.score.reject 5.0
sudo mb-config set spam.dmarc.score.none 1.0
Honor DMARC Policy:
# Respect sender's DMARC policy (reject/quarantine as they request)
sudo mb-config set spam.dmarc.honor_policy true
# Or just score (ignore policy)
sudo mb-config set spam.dmarc.honor_policy false
Content Filtering
Analyze email content for spam indicators.
Subject Line Filtering
Keyword Blocking:
sudo mb-spam-keyword add "V1AGRA" --score 5.0
sudo mb-spam-keyword add "CLICK HERE NOW" --score 3.0
sudo mb-spam-keyword add "LIMITED TIME OFFER" --score 2.0
Regular Expressions:
Remove Keywords:
Body Content Filtering
HTML Analysis:
# Detect excessive HTML tags (obfuscation technique)
sudo mb-config set spam.content.html_ratio_threshold 0.8
# Score hidden text (white text on white background)
sudo mb-config set spam.content.hidden_text_score 3.0
URL Analysis:
# Check URL reputation
sudo mb-config set spam.content.check_urls true
# Detect shortened URLs (bit.ly, tinyurl, etc.)
sudo mb-config set spam.content.shortened_url_score 1.0
# Detect IP addresses in URLs (suspicious)
sudo mb-config set spam.content.ip_url_score 2.0
Attachment Analysis:
# Score executable attachments
sudo mb-config set spam.content.executable_attachment_score 5.0
# Score password-protected archives
sudo mb-config set spam.content.encrypted_archive_score 3.0
Header Analysis
Missing Headers:
# Score emails missing standard headers
sudo mb-config set spam.headers.missing_date 1.0
sudo mb-config set spam.headers.missing_message_id 2.0
Invalid Headers:
# Score malformed headers
sudo mb-config set spam.headers.invalid_date 2.0
sudo mb-config set spam.headers.invalid_from 3.0
Forged Headers:
Greylisting
Temporarily reject email from unknown senders. Legitimate servers retry; spammers typically don't.
Enable Greylisting
Default: Disabled (adds delivery delay)
Greylisting Settings
Delay Period
How long to defer unknown senders.
Retry Window
Sender must retry within this window after delay.
Greylist Expiry
How long to remember sender (after successful retry).
Greylisting Exceptions
Whitelist
Skip greylisting for trusted senders:
# By sender address
sudo mb-greylist-whitelist add sender@example.com
# By domain
sudo mb-greylist-whitelist add @example.com
# By IP
sudo mb-greylist-whitelist add 203.0.113.10
Auto-Whitelist
Automatically whitelist after first successful delivery.
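The greylisting decision described in this section, as an added example (not Mailborder's implementation). The delay, retry window and expiry values are assumed, since the page does not show them, and keying on the (client IP, envelope sender, recipient) triplet is the conventional approach rather than something the page states; the class and method names are hypothetical.

```python
DELAY = 300               # seconds an unknown sender is deferred (assumed)
RETRY_WINDOW = 4 * 3600   # retry must arrive within this after the delay (assumed)
EXPIRY = 30 * 86400       # how long a passed sender is remembered (assumed)


class Greylist:
    def __init__(self, whitelist=()):
        self.first_seen = {}   # triplet -> time of first attempt
        self.passed = {}       # triplet -> time of last accepted delivery
        self.whitelist = set(whitelist)

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'defer' (an SMTP 4xx) for one attempt."""
        sender, rcpt = sender.lower(), rcpt.lower()
        domain = "@" + sender.rsplit("@", 1)[-1]
        # Whitelist entries may be an address, an @domain or an IP.
        if {ip, sender, domain} & self.whitelist:
            return "accept"
        key = (ip, sender, rcpt)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= EXPIRY:
            self.passed[key] = now          # refresh the remembered entry
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > DELAY + RETRY_WINDOW:
            self.first_seen[key] = now      # unknown or stale: start over
            return "defer"
        if now - first < DELAY:
            return "defer"                  # retried before the delay elapsed
        self.passed[key] = now              # valid retry: remember the sender
        del self.first_seen[key]
        return "accept"
```

Times are passed in as plain seconds so the state machine can be exercised without waiting; a retry that arrives after the window closes is treated as a first attempt and deferred again.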
Whitelists and Blacklists
Override spam scoring for specific senders.
Whitelist
Never mark as spam (always pass).
Add to whitelist:
# Email address
sudo mb-whitelist add legituser@example.com
# Entire domain
sudo mb-whitelist add @example.com
# IP address
sudo mb-whitelist add 203.0.113.10
# IP range
sudo mb-whitelist add 203.0.113.0/24
List whitelist:
Remove from whitelist:
Blacklist
Always mark as spam (reject or quarantine).
Add to blacklist:
sudo mb-blacklist add spammer@spam.com
sudo mb-blacklist add @spam-domain.com
sudo mb-blacklist add 198.51.100.10
Blacklist Action:
# Reject (default)
sudo mb-config set spam.blacklist.action reject
# Or quarantine
sudo mb-config set spam.blacklist.action quarantine
Score Adjustments
Fine-tune scoring for specific scenarios.
Per-Domain Adjustments
Different thresholds for different domains:
# More strict for executive@example.com
sudo mb-spam-threshold --domain example.com --user executive --threshold 4.0
# Less strict for marketing@example.com
sudo mb-spam-threshold --domain example.com --user marketing --threshold 10.0
Per-User Adjustments
User-specific spam tolerance:
Time-Based Adjustments
Different rules at different times (rare use case):
# Less strict during business hours (avoiding false positives matters more)
sudo mb-spam-schedule add --hours "09:00-17:00" --threshold 7.0
# More strict at night
sudo mb-spam-schedule add --hours "00:00-06:00" --threshold 5.0
Testing and Tuning
Test Email Scoring
Send test email and check score:
Output:
Spam Score: 8.5
Threshold: 6.0
Action: QUARANTINE
Score Breakdown:
Rspamd: 6.5
Bayesian: 3.0
URL blacklist: 2.5
HTML ratio: 1.0
RBL (zen.spamhaus.org): 2.0
SPF (fail): 3.0
DKIM (none): 0.5
Missing headers: 1.0
-------------------------
Total: 8.5
View Spam Statistics
# Overall stats
sudo mb-spam-stats
# Per-domain stats
sudo mb-spam-stats --domain example.com
# False positive rate
sudo mb-spam-stats --false-positives
# False negative rate
sudo mb-spam-stats --false-negatives
Analyze Quarantine
Review quarantined email to find patterns:
# Top spam sources
sudo mb-quarantine-stats --top-senders
# Common spam scores
sudo mb-quarantine-stats --score-distribution
# Recently quarantined
sudo mb-quarantine-list --recent --limit 20
Performance Optimization
Caching
Cache spam check results:
Identical emails (same hash) use the cached result.
Timeout Settings
Prevent slow spam checks from blocking the queue:
# Overall spam check timeout
sudo mb-config set spam.timeout 60 # 60 seconds
# Per-engine timeouts
sudo mb-config set spam.rspamd.timeout 30
sudo mb-config set spam.spamassassin.timeout 30
sudo mb-config set spam.rbl.timeout 5
Parallel Processing
Process multiple emails concurrently:
Troubleshooting
All Email Marked as Spam
Check thresholds:
Temporarily disable spam filtering:
Check Rspamd status:
Spam Getting Through
Lower thresholds:
Enable more engines:
Update signatures:
False Positives
Whitelist sender:
Increase threshold:
Review and train:
Slow Spam Checking
Check RBL timeouts:
Disable slow engines:
Increase concurrent checks:
Next Steps
- Antivirus Configuration - Configure virus scanning
- Policy Enforcement - Custom filtering rules
- Quarantine Management - Handle held email
- SPF/DKIM/DMARC - Sender authentication details