Junk Mail Controls: Difference between revisions

From MozillaZine Knowledge Base
Jump to navigationJump to search
Line 79: Line 79:


==Trusting SpamAssassin and SpamPal==
==Trusting SpamAssassin and SpamPal==
Spammers sometimes use [http://en.wikipedia.org/wiki/Bayesian_poisoning Bayesian poisoning] to degrade spam filters that use Bayesian filtering. SpamPal uses [http://en.wikipedia.org/wiki/DNSBL DNS Blacklists] and SpamAssassin uses several methods (it's best known for its extensive testing of message headers) to filter spam so that type of attack has little or no effect on them. Both of them add special headers to a message to indicate whether it's spam. SpamPal is only available for Windows, but the [http://appdb.winehq.org/index.php Wine Application Database] rates it as platinum (i.e. install and run flawlessly on an out-of-the-box Wine installation)   
Spammers sometimes use [http://en.wikipedia.org/wiki/Bayesian_poisoning Bayesian poisoning] to degrade spam filters that use Bayesian filtering. [http://spampal.sourceforge.net/index2.html SpamPal] uses [http://en.wikipedia.org/wiki/DNSBL DNS Blacklists] and SpamAssassin uses several methods (it's best known for its extensive testing of message headers) to filter spam so that type of attack has little or no effect on them. Both of them add special headers to a message to indicate whether it's spam. SpamPal is only available for Windows, but the [http://appdb.winehq.org/index.php Wine Application Database] rates it as platinum (i.e. install and run flawlessly on an out-of-the-box Wine installation)   


Tools -> Junk Mail Controls has a setting to tell Thunderbird to trust junk mail headers set by either [http://spampal.sourceforge.net/index2.html SpamPal] or [http://spamassassin.apache.org/ SpamAssassin]. The order of processing is:
Tools -> Junk Mail Controls has a setting to tell Thunderbird to trust junk mail headers set by either [http://spampal.sourceforge.net/index2.html SpamPal] or [http://spamassassin.apache.org/ SpamAssassin]. The order of processing is:

Revision as of 23:41, 3 March 2012

This article applies to both Thunderbird and the Mozilla Suite. The Junk Mail Controls interface in the Mozilla Suite is slightly different from the Thunderbird interface, described below.


Both Thunderbird and the Mozilla Suite can detect unwanted e-mail messages. For junk-mail detection to be effective, however, you must "train" it because it uses Bayesian filtering. Anti-phishing and other tools are also discussed below.

Activating the Junk Mail Controls

To start using the Junk Mail Controls in Thunderbird:

  1. Note: Controls are divided between two locations: (a) Tools -> Options -> Security -> Junk, and (b) Tools -> Account Settings -> *each account* -> Junk Settings.
  2. Click Tools -> Options -> Security -> Junk
  3. Change settings as desired
    • Caution: "Reset Training Data" applies to ALL of your accounts. There is only one set of training data, so don't reset it thinking it will only affect one account.
  4. When finished, click the "OK" button
  5. In Account Settings, choose the email account for which you want to activate the Junk Mail Controls. "Email account" means the folder structure under which the emails are saved. So if you use the Global Inbox for a pop account, you must select "Local Folders" as the account. (This is different from the message filters, where you select the account that retrieves the email.)
  6. Click the "Junk Settings" tab
  7. Make sure that the checkbox for "Enable adaptive junk mail" is checked.
  8. Choose your settings for Whitelists at "Do not mark mail as junk...".
    • It only supports whitelisting specific email addresses, and only those in your address books. However, message filters may be used to test whether the sender "contains" a domain, and set the junk status accordingly, because filters are run before the junk mail controls.
  9. Make sure that the checkbox for "Move junk messages to" is checked, unless you want junk mail kept in your Inbox. (Junk folder normally will not appear alongside your other mail folders until you mark your first message as Junk.)
    1. Enable retention settings if desired. But if you do not enable it, then you must periodically Empty Junk.
  10. If you have more than one email account, repeat the above steps for each account with which you want to use the Junk Mail Controls.
  11. When finished with account settings, click the "OK" button.
  12. Proceed next to training ...

Training the Junk Mail Controls

Junk processing must be well trained for it to work correctly. Training involves marking many messages as "junk" and many messages as "not junk". It is important to mark both types of messages, both good and bad, not just the ones that are junk.

Initially, incoming messages might not be accurately junked because you have not trained it enough.

  1. Check your Junk folder to see if any non-junk messages have been detected as junk, and mark non-junk ones as not junk.
  2. Bayesian filtering requires at least 100 bad messages be marked as spam and 100 good messages marked as not junk to function. To work best, it needs a few hundred of each marked.
    • If you mark a thousand spam messages but do not mark legitimate messages, or very few, it won't work well.
    • It's best to mark different types of messages good and bad - marking 500 messages from the same source is not as good as marking 500 messages from different people.

After an initial training period

  1. You should find that Junk Mail Controls are effectively detecting unwanted junk emails and keeping them from your Inbox. If it is not, see the tweaking information below.
  2. You should occasionally train non-junk messages - doing it when you mark bad messages as junk is a good habit.

There are various ways that you can mark messages:

  • Select a message and type "Shift+J" (for not Junk) or "J" (for Junk).
  • Right-click on a message and choose "Mark -> As Junk" (or "As Not Junk").
  • Select a message and from the "Message" menu, choose "Mark -> As Junk" (or "As Not Junk").
  • Select a message and click on the "Junk" icon on the toolbar.
  • Select a message and click on the "Junk Status" column in the message-list pane (which will show a small "Junk" icon if the message is marked as junk).

You don't need to keep the messages you have marked - marking stores the information it needs as tokens in the training.dat file. Training data for the Junk Mail Controls is stored in "training.dat" in your profile folder. You can view the Junk Mail Log by selecting "Junk Mail Log" in "Tools -> Junk Mail Controls -> Logging", and then use the mouse to 'grab' any corner and stretch it until it expands enough for you to see the log data.

Tweaking the Junk Mail Controls

mail.adaptivefilters.junk_threshold is the preference that determines at what "level" messages are classified as junk. It defaults to 90 in version 3.1.7. Lowering this value will make it easier to recognize messages as spam, though it increases the risk that it will classify a legitimate message as spam. This might help get more messages marked; for example, messages that look like text but are actually clickable images. (Note however, adaptive processing does NOT examine images nor care about whether a message has an image - it is not part of the junk algorithm)

You can change the preference using Tools -> Options -> Advanced -> General -> Config Editor. Enter junk in the Filter field to show only the preferences that contain junk in their name, and then double-click on mail.adaptivefilters.junk_threshold, enter a value lower than the default 90 in the edit field and press the OK button. Many users report good results with values of 30 or lower.

JunQuilla is an add-on which can help you tweak junk processing and help you better understand how it is working. It provides a column that shows the odds that a message is spam, enhances the junk status column, and adds a Uncertain folder for messages requiring a users decision. It requires Thunderbird version 3 and newer.

Bayes Junk Tool can also be used to examine and modify the raw training data. Sometimes it helps to get rid of tokens that are just as likely to occur in spam and legitimate messages, especially if the training data file gets very large. The web site also has several sets of training data that you can import or merge with your existing training data.

Bayesian filters are useful, but they are not always the best tool. Sometimes checking whether the message was sent by somebody on a DNSBL list is more effective. See this article for how to integrate SpamPal and the junk mail controls, and control which messages are downloaded.

The FolderFlags extension can set various internal flags that Thunderbird uses to classify folders. If you set the "Junk" flag on a folder (other than the one spam is moved to) it won't scan that folder for spam.

The Delete Junk Context Menu extension adds "Delete Mail Marked as Junk" to a folders context menu. It can be configured to delete mail without moving it to using the Trash folder.

Any mention of "spam"

Thunderbird doesn't use or react to the word "spam" in its identification of junk mail, nor does Thunderbird put it in the subject.

If you see the "spam" in a subject or have a folder called "Spam", this is either due to your email provider or an add-on product (such as SpamPal). If it's due to your email provider, log into your webmail using a browser and browse its help to get more information. Your provider may support webmail commands to let you manage or disable whatever they're doing.

Use custom headers added by your email provider

Your email provider may run a spam filtering program on their mail server such as SpamAssassin, MailScanner, CRM114, SpamProbe, QSF or Bogofilter that analyzes each message and adds custom headers with information about its content. If they use SpamAssassin, see the next section for how to integrate it with Thunderbird's junk mail controls. Otherwise, use "View -> Message Source" and look for headers whose name begins with a 'X' and contain phrases such as Spam. They typically provide a spam score and/or keywords that you can test using message filters.

For example:

X-Spam-score: 1.5
X-Spam-hits: BAYES_60 1, HTML_IMAGE_ONLY_16 1.526, HTML_IMAGE_RATIO_08 0.001,
  HTML_MESSAGE 0.001, RCVD_IN_DNSWL_LOW -1, SPF_HELO_PASS -0.001,
  SPF_PASS -0.001, BAYES_USED global
X-Spam-source: IP='88.131.62.198', Host='mail.anp.se', Country='SE', FromHeader='com',
  MailFrom='se'

You could test whether X-Spam-score "is greater than" a certain value, whether X-Spam-source "doesn't contain" Country='US' (the example was from Sweden) or test whether X-Spam-hits "contains" certain keywords (they're the name of a test that increased the spam score) that you notice that the junk mail controls has problems recognizing spam with those attributes. Not every email provider will provide as much customization as the example, but it should at least have some sort of spam score you can test.

Trusting SpamAssassin and SpamPal

Spammers sometimes use Bayesian poisoning to degrade spam filters that use Bayesian filtering. SpamPal uses DNS Blacklists and SpamAssassin uses several methods (it's best known for its extensive testing of message headers) to filter spam so that type of attack has little or no effect on them. Both of them add special headers to a message to indicate whether it's spam. SpamPal is only available for Windows, but the Wine Application Database rates it as platinum (i.e. install and run flawlessly on an out-of-the-box Wine installation)

Tools -> Junk Mail Controls has a setting to tell Thunderbird to trust junk mail headers set by either SpamPal or SpamAssassin. The order of processing is:

  1. Message filters
  2. "Trust header"
  3. "Adaptive junk" (junk mail controls)

Some email providers customize the headers added by SpamAssassin, or modify the subject prefix. This can cause the junk mail controls to ignore the information. "Trust header" is actually a standard message filter, stored in a isp subdirectory in the Thunderbird program directory. Thunderbird checks whether either X-Spam-Status: or X-Spam-Flag: begins with Yes, or the subject begins with ***SPAM***. If you run into this problem backup the SpamAssassin.sfd file and then change what it tests for using a text editor (not a word processor). There is also a SpamPal.sfd file.

Some users have reported that the trust SpamAssassin option sometimes ignores the junk mail headers in Thunderbird 2.x. It's not clear whether you can work around this bug by disabling the option and adding the appropriate message filter.

If you use SpamAssassin you might want to uncheck "enable adaptive junk mail controls for this account" in Tools -> Account Settings -> Junk Settings. That controls the Bayesian filter in the junk mail controls, which is what it uses to learn how to recognize junk. SpamAssassin is normally configured with a Bayesian filter that is more sophisticated, has more data to learn from (it learns from all of your email providers messages, not just your messages), and is probably tweaked by the same admin who tweaks the SpamAssassin filters. Having two Bayesian filters for the same account makes things unnecessarily complex. For example, it's not defined what's supposed to happen if you mark a message as not junk, and later on the adaptive junk mail controls notices (again) that SpamAssassin says it's spam.

You could probably edit the SpamAssassin.sfd file in the isp subdirectory in the Thunderbird program directory to make the junk mail controls think another spam filter such as SpamBayes is actually SpamAssassin. The first step would be to figure out what the spam filter modifies in the message in order to identify whether it's spam by looking at a messages source.

SpamBayes

Junk mail controls do not support trusting SpamBayes. But the ThunderBayes and ThunderBayesPP add-ons install a customized version of to integrate with Thunderbird. This includes adding a toolbar button to classify a message as "Spam" or "Ham" and a preferences page in the account settings.

Spamato

The junk mail controls don't support trusting Spamato, possibly because the Spamato instructions recommend disabling the junk mail controls. There is a Spamato forum, some documentation on the different types of spam filters they support and a FAQ on sourceforge.net. Spamato does not store its information in the Thunderbird profile, it creates its own profile

Image spam

One way to weed out image-based spam is to create a message filter and set it to match all of the following:

  • Content-Type contains multipart/related
  • From isn't in my address book (repeat this for each address book)

In "Perform these actions" add

  • "Set Junk Status" to "Junk"
  • "Move Message to" your junk mail folder.

This will mark the message as junk and move it to the Junk folder if the Content-Type header contains multipart/related and the sender wasn't in your address book. The message filters don't know how to recognize Content-Type headers, you will need to add it using the "customize..." option at the bottom of the leftmost list box. This method is rather heavy-handed. If your email provider runs a spam filter program such as SpamAssassin, it will typically do a much better job recognizing image spam.

Problems with junk processing

Regular expressions - advanced

Neither the junk mail controls or the message filters support wild cards or regular expressions. There don't appear to be any extensions that add support for that. However, SpamPal (a mail classification program normally used for filtering spam) supports a RegExFilter Plugin that adds regular expression support based on Perl Regular Expressions. If you configure the junk mail controls to trust SpamPal you could use regular expressions to filter spam. [1]

There are many other SpamPal plugins available here. For example, you could extend white lists and black lists to apply to email addresses from any header, white list any message that contain words from a list of good words, filter on what web sites are mentioned, launch other programs (passing them information about the message as command line arguments) or run Ruby scripts. The main drawback is none of this is integrated into the junk mail controls - it just knows when SpamPal marks a message as spam.

Anti-phishing tools

Sender Policy Framework (SPF) is a method for verifying an email sender's domain name, to figure out whether an address is spoofed. The Sender Verification Extension makes use of SPF to verify the From address on emails, plus DNS black and white lists such as SURBL, Spamhaus, DNSWL, and Sender Score Certified to check the sender's reputation. When you open a message, the add-on adds a line at the top of message with the verification status of the sender. For example, "Reputable Sender", "This sender is a known malicious spammer or phisher. Discard this email", or "Sending domain does not support verification (address could be forged).". You have to actually read the message to get the warning (it is not meant to be used as a mail filter), and it's probably most useful as an alternative to Thunderbird's phishing protection (which most users disable due to its inability to learn and its many false positives).

Check the spam score of messages you sent

MailingCheck is a free Windows program that calculates the spam score of a message based on SpamAssassin rules. Its useful if you suspect that some of your recipients aren't getting your message due to it being treated as spam and you can't verify that by having them check in their junk mail folder.

You might want to also check if your mail server is black listed by checking it with a web site such as MXToolbox.

Junk filtering in newsgroups

Experimental support for junk filtering of newsgroups was added to Thunderbird 3.0. The JunQuilla add-on is needed to manage some features. See this blog post for more information.

See also

External links

Add-on to improve Thunderbird's junk processing

  • The JunQuilla add-on adds support for a column that shows the odds that a message is spam, enhances the junk status column, and adds a Uncertain folder for messages requiring a users decision. It works with version 3 and newer.
  • The Sender Verification Anti-Phishing add-on verifies the senders domain to help prevent phishing.
  • The Show Address extension adds columns to show the senders and recipient's email address (rather than the display name). This can be useful when trying to identify spam.
  • The Spamness add-on adds a color and size based display of how likely a message is spam based on its SpamAssassin score.

Add-ons interfacing to external services

  • The KnujOn add-on forwards all messages marked as Junk to KnujOn.com, a spam fighting organization.
  • The Spamato4Thunderbird add-on adds support for the Spamato spam filters. It requires Java. Its an alternative to installing Spamato as a local proxy.
  • The ThunderBayes add-on adds support for the SpamBayes spam filter. Its no longer supported by the author. ThunderbirdBayesPP is a more recent alternative implementation. Neither supports IMAP.
  • The MailWasher Free proxy lets you view and bounce messages before downloading them. If you want to do that read this explanation first on why bouncing by end users will just send them to an innocent person who may report the bouncer for sending them spam.
  • SPAMfighter Standard is a free version of the SpamFighter spam filter that supports Thunderbird. It adds a SPAMfighter footer to your messages and has a limited number of blacklist/whitelist entries.