Something I have found to be very helpful with spamassassin is to add the score to the header rewrite by using the _HITS_ keyword. My rewrite message is: ***SPAM _HITS_***. This allows me to sort the spams by subject so that the likely mismarked messages are always at the top. By the time I get to a score of 6.0 or more, they are all definitely spam.

You can also use this with procmail to only delete spam with a certain score. For example, I delete everything that is 10 or higher and route everything else to another account that I only download a few times each day. This really cuts down on the spam traffic. Here is the procmailrc setting:

###>>>>>> route marked spam with score of less than 10 to spam account
:0
* ^Subject: \*\*\*SPAM 0
/var/mail/spam
###

###>>>>>> delete the rest that are 10 or above
:0
* ^Subject: \*\*\*SPAM
/dev/null
###^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

My rewrite message is: ***SPAM _HITS_***

That is pretty sweet. So you are saying, that the above subject rewrite will produce something similar to:

Subject: ***SPAM 6.32*** Blah blah blah blah

_HITS_ is replace with the actual spam score?

Yes. And the procmailrc code is nice because I can auto-delete only those with certain scores.

###>>>>>> route marked spam with score of less than 10 to spam account
:0
* ^Subject: \*\*\*SPAM 0
/var/mail/spam
###

Looking at the above code, the expressions says, "* ^Subject: \*\*\*SPAM 0". When SA rewrites the subject with the score of less than 10, does it always start with a zero? For example,

Subject: ***SPAM 06.25*** Blah blah blah blah

Yes. And that is why I have those in a particular order. There is probably a way to "or" the 08 09 but was too lazy to figure it out.

Great tip, :-)

I think I will go and implement this myself....


AJ

I use the following that checks for the score more than just for the first "0" (which is only for 0 through 9)


###>>>>>> route marked spam with score of 7 or less to spam account
:0
* ^Subject: \*\*\*SPAM 0[0-7]
/var/mail/spam
###

###>>>>>> delete the rest
:0
* ^Subject: \*\*\*SPAM
/dev/null
###^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



Seems to work great so far!

Since this rule is done after Spamassassin does its thing, you could also check the X-Spam-Status header that Spamassassin writes instead of 'Subject'. This would help stop false positives from non-spam subject lines purposely written "***SPAM". Though I cannot imagine why they would want such a subject line...

* ^ X-Spam-Status: Yes
/var/mail/spam

since the X-Spam-Status also gives the number of hits too, you can parse the mail by number of hits.