NAME¶
spamprobe - A Bayesian spam filter
SYNOPSIS¶
spamprobe [options]
command [files ...]
DESCRIPTION¶
SpamProbe is a spam filter relying on a Bayesian analysis of the
frequency of words used in spam and non-spam emails received by an
individual person. The process is completely automatic and tailors itself to
the kinds of emails that each person receives.
SpamProbe recognizes and decodes MIME attachments in
quoted-printable and base64 encoding. Image attachments are considered as
words that can signal a spam. By default, it ignores HTML tags for scoring
purpose.
SpamProbe supports MBOX, MBX and Maildir mailbox formats. These
formats are automatically detected for mailboxes used as parameters of
SpamProbe commands.
spamprobe is designed to be used in mail delivery agents
(MDAs) like procmail(1) or maildrop(1) to help in identifying
spam.
OPTIONS¶
The recognized options are:
-a char
By default SpamProbe converts non-ascii characters
(characters with the most significant bit set to 1) into the letter 'z'. This
is useful for lumping all Asian characters into a single word for easy
recognition. The -a option allows you to change the character to something
else if you don't like the letter 'z' for some reason.
-c
Tells SpamProbe to create the database directory if it
does not already exist. Normally SpamProbe exits with a usage error if the
database directory does not already exist.
-C number
Tells SpamProbe to assign a default, somewhat neutral,
probability to any term that does not have a weighted (good count doubled)
count of at least
number in the database. This prevents terms which
have been seen only a few times from having an unreasonable influence on the
score of an email containing them.
The default value is 5. For example if number is 5 then in
order for a term to use its calculated probability it must have been seen 3
times in good mails, or 2 times in good mails and once in spam, or 5 times
in spam, or some other combination adding up to at least 5.
-d [type:]directory
By default SpamProbe stores its database in a directory
named .spamprobe under your home directory. The
-d option allows you to
specify a different directory to use. This is necessary if your home directory
is NFS mounted for example.
The directory name can be prefixed with a special code to force
SpamProbe to use a particular type of data file format. Defined types
include:
-d bdb:path
Forces the use of Berkeley DB data file.
-d hash:path
Forces the use of an mmapped hash file.
-d split:path
Forces the use of a hash file and ISAM file (may provide
better precision than plain hash in some cases).
The hash: option can also specify a desired file size in
megabytes before the path. For example -d hash:19:path would cause
SpamProbe to use a 19 MB hash file. The size must be in the range of 1-100.
The default hash file size is 16 MB. Because hash files have a fixed size
and capacity they should be cleaned relatively often using the
cleanup command (see below) to prevent them from becoming full or
being slowed by too many hash key collisions.
Hash files provide better performance than Berkeley DB. However
hash files do not store the original terms. Only a 32 bit hash key is stored
with each term. This prevents a user from exploring the terms in the
database using the dump command to see what words are particularly spammy or
hammy. The default data file format is Berkeley BD (bdb).
-D directory
Tells SpamProbe to use the database in the specified
directory (must be different than the one specified with the -d option)
as a shared database from which to draw terms that are not defined in the
user's own database. This can be used to provide a baseline database shared by
all users on a system (in the -D directory) and a private database
unique to each user of the system ($HOME/.spamprobe or -d
directory).
-g fieldname
Tells SpamProbe what header to look for previous score
and message digest in. Default is X-SpamProbe. Field name is not case
sensitive. Used by all commands except receive.
-h
By default SpamProbe removes HTML markup from the text in
emails to help avoid false positives. The -h option allows you to
override this behavior and force SpamProbe to include words from within HTML
tags in its word counts. Note that SpamProbe always counts any URLs in hrefs
within tags whether -h is used or not. Use of this option is
discouraged. It can increase the rate of spam detection slightly but unless
the user receives a significant amount of HTML emails it also tends to
increase the number of false positives.
-H option
By default SpamProbe only scans a meaningful subset of
headers from the email message when searching for words to score. The
-H option allows the user to specify additional headers to scan. Legal
values are
all,
nox,
none, or
normal.
all
scans all headers,
nox scans all headers except those starting with X-,
none does not scan headers, and
normal scans the normal set of
headers.
In addition to those values you can also explicitly add a header
to the list of headers to process by adding the header name in lower case
preceded by a plus sign. Multiple headers can be specified by using multiple
-H options. For example, to include only the From and
Received headers in your train command you could run SpamProbe
as follows:
spamprobe -Hnone -H+from -H+received train
To process the normal set of headers but also add the SpamAssassin
header X-SpamStatus you could run SpamProbe as follows:
spamprobe -H+x-spam-status train
-l number
Changes the spam probability threshold for emails from
the default (0.7) to number. The number must be a value between
0 and 1. Generally the value should be above 0.5 to avoid a high false
positive rate. Lower numbers tend to produce more false positives while higher
numbers tend to reduce accuracy.
-m
Forces SpamProbe to use mbox format for reading emails in
receive mode. Normally SpamProbe assumes that the input to
receive mode contains a single message so it doesn't look for message
breaks.
-M
Forces SpamProbe to treat the entire input as a single
message. This ignores From lines and Content-Length headers in
the input.
-o option
Enables special options by name. Currently the only
special options are:
-o graham
Causes SpamProbe to emulate the filtering algorithm
originally outlined in [A Plan For Spam].
-o honor-status-header
Causes SpamProbe to ignore messages if they have a
Status: header containing a capital D. Some mail servers use this status to
indicate a message that has been flagged for deletion but has not yet been
purged from the file.
DO NOT use this option with the receive or train command in your
procmailrc file! Doing so could allow spammers to bypass the filter. This
option is meant to be used with the train-spam and train-good
commands in scripts that periodically update the database.
-o orig-score
Causes SpamProbe to use its original scoring algorithm
that produces excellent results but tends to generate scores of either 0 or 1
for all messages.
-o suspicious-tags
Causes SpamProbe to scan the contents of
“suspicious” tags for tokens rather than simply throwing them
out. Currently only font tags are scanned but other tags may be added to this
list in later versions.
-o tokenized
Causes SpamProbe to read tokens one per line rather than
processing the input as mail format. This allows users to completely replace
the standard SpamProbe tokenizer if they wish and instead use some external
program as a tokenizer.
In this mode SpamProbe considers a blank line to indicate the end
of one message's tokens and the start of a new message's tokens. SpamProbe
computes a message digest based on the lines of text containing the
tokens.
The -o option can be used multiple times and all requested
options will be applied. Note that some options might conflict with each
other in which case the last option would take precedence.
-p number
Changes the maximum number of words per phrase. Default
value is two. Increasing the limit improves accuracy somewhat but increases
database size. Experiments indicate that increasing beyond two is not worth
the extra cost in space.
-P number
Causes SpamProbe to perform a purge of all terms with
junk count less than or equal 2 after every number messages are processed.
Using this option when classifying a large collection of spam can prevent the
database from growing overly large at the cost of more processing time and
possible loss of precision.
-r number
Changes the number of times that a single word/phrase can
occur in the top words array used to calculate the score for each message.
Allowing repeats reduces the number of words overall (since a single word
occupies more than one slot) but allows words which occur frequently in the
message to have a higher weight. Generally this is changed only for
optimization purposes.
-R
Causes SpamProbe to treat the input as a single message
and to base its exit code on whether or not that message was spam. The exit
code will be 0 if the message was spam or 1 if the message was good.
-s number
SpamProbe maintains an in memory cache of the words it
has seen in previous messages to reduce disk I/O and improve performance. By
default the cache will contain the most recently accessed 2,500 terms. This
number can be changed using the -s option. Using a larger the cache
size will cause SpamProbe to use more memory and, potentially, to perform less
database I/O. A value of zero causes SpamProbe to use 100,000 as the limit
which effectively means that the cache will only be flushed at program exit
(unless you have really enormous mailbox files). The cache doesn't affect
receive, dump, or export but has a significant impact on the others.
-T
Causes SpamProbe to write out the top terms associated
with each message in addition to its normal output. Works with
find-good, find-spam, and score.
-v
When it appears once on the command line this option
tells SpamProbe to write verbose information during processing. When it
appears twice on the command line this option tells SpamProbe to write
debugging information to stderr. This can be useful for debugging or for
seeing which terms SpamProbe used to score each email.
-V
Prints version and copyright information and then
exits.
-w number
Changes the number of most significant words/phrases used
by SpamProbe to calculate the score for each message. Generally this is
changed only for optimization purposes.
-x
Normally SpamProbe uses only a fixed number of top terms
(as set by the -w command line option) when scoring emails. The
-x option can be used to allow the array to be extended past the max
size if more terms are available with probabilities <= 0.1 or >=
0.9.
-X
An interesting variation on the scoring settings.
Equivalent to using -w5 -r5 -x so that generally only words with
probabilites <= 0.1 or >= 0.9 are used and word frequencies in the email
count heavily towards the score. Tests have shown that this setting tends to
be safer (fewer false positives) and have higher recall (proper classification
of spams previously scored as spam) although its predictive power isn't quite
as good as the default settings. WARNING: This setting might work best with a
fairly large corpus, it has not been tested with a small corpus so it might be
very inaccurate with fewer than 1000 total messages.
-Y
Assume traditional Berkeley mailbox format, ignoring any
Content-Length: fields.
-7
Tells SpamProbe to ignore any characters with the most
significant bit set to 1 instead of mapping them to the letter 'z'.
-8
Tells SpamProbe to store all characters even if their
most significant bit is set to 1.
COMMANDS¶
SpamProbe recognizes the following commands:
spamprobe help [ command ]
With no arguments SpamProbe lists all of the valid
commands. If one or more commands are specified after the word help, SpamProbe
will print a more verbose description of each command.
spamprobe create-db
If no database currently exists SpamProbe will attempt to
create one and then exit. This can be used to bootstrap a new installation.
Strictly speaking this command is not necessary since the train-spam,
train-good, and auto-train commands will also create a database
if none already exists but some users like to create a database as a separate
installation step.
spamprobe create-config
Writes a new configuration file named spamprobe.hdl into
the database directory (normally $HOME/.spamprobe). Any existing configuration
file will be overwritten so be sure to make a copy before invoking this
command.
spamprobe receive [ filename... ]
Tells SpamProbe to read its standard input (or a file
specified after the receive command) and score it using the current databases.
Once the message has been scored the message is classified as either spam or
non-spam and its word counts are written to the appropriate database. The
message's score is written to stdout along with a single word. For example:
SPAM 0.9999999 595f0150587edd7b395691964069d7af
GOOD 0.0200000 595f0150587edd7b395691964069d7af
The string of hex digits after the score is the message's
“MD5-digest”, a 128 bit number which uniquely identifies the
message. The digest is used by SpamProbe to recognize messages that it has
processed previously so that it can keep its word counts consistent if the
message is reclassified.
Using the -T option additionally lists the terms used to
produce the score along with their counts (number of times they were found
in the message).
spamprobe train [ filename... ]
Functionally identical to receive except that the
database is only modified if the message was “difficult” to
classify. In practice this can reduce the number of database updates to as
little as 10% of messages received.
spamprobe score [ filename... ]
Similar to receive except that the database is not
modified in any way.
spamprobe summarize [ filename... ]
Similar to score except that it prints a short
summary and score for each message. This can be useful when testing. Using the
-T option additionally lists the terms used to produce the score along
with their counts (number of times they were found in the message).
spamprobe find-spam [ filename... ]
Similar to score except that it prints a short
summary and score for each message that is determined to be spam. This can be
useful when testing. Using the -T option additionally lists the terms
used to produce the score along with their counts (number of times they were
found in the message).
spamprobe find-good [ filename... ]
Similar to score except that it prints a short
summary and score for each message that is determined to be good. This can be
useful when testing. Using the -T option additionally lists the terms
used to produce the score along with their counts (number of times they were
found in the message).
spamprobe auto-train { SPAM|GOOD filename ... }
...
Attempts to efficiently build a database from all of the
named files. You may specify one or more file of each type. Prior to each set
of file names you must include the word
SPAM or
GOOD to indicate
what type of mail is contained in the files which follow on the command line.
The case of the SPAM and GOOD keywords is important.
Any number of file names can be specified between the keywords. The command
line format is very flexible. You can even use a find command in backticks
to process whole directory trees of files. For example:
spamprobe auto-train SPAM spams/* GOOD `find hams -type f`
SpamProbe pre-scans the files to determine how many emails of each
type exist and then trains on hams and spams in a random sequence that
balances the inflow of each type so that the train command can work most
effectively. For example if you had 400 hams and 400 spams, auto-train will
generally process one spam, then one ham, etc. If you had 4000 spams and 400
hams then auto-train will generally process 10 spams, then one ham, etc.
Since this command will likely take a long time to run it is often
desirable to use it with the -v option to see progress information as the
messages are processed.
spamprobe -v auto-train SPAM spams/* GOOD hams/*
spamprobe good [ filename... ]
Scans each file (or stdin if no file is specified) and
reclassifies every email in the file as non-spam. The databases are updated
appropriately. Messages previously classified as good (recognized using their
MD5 digest) are ignored. Messages previously classified as spam are
reclassified as good.
spamprobe train-good [ filename... ]
Functionally identical to good command except that
it only updates the database for messages that are either incorrectly
classified (i.e. classified as spam) or are “difficult” to
classify. In practice this can reduce amount of database updates to as little
as 10% of messages.
spamprobe spam [ filename... ]
Scans each file (or stdin if no file is specified) and
reclassifies every email in the file as spam. The databases are updated
appropriately. Messages previously classified as spam (recognized using their
MD5 digest of message ids) are ignored. Messages previously classified as good
are reclassified as spam.
spamprobe train-spam [ filename... ]
Functionally identical to spam command except that
it only updates the database for messages that are either incorrectly
classified (i.e. classified as good) or are “difficult” to
classify. In practice this can reduce amount of database updates to as little
as 10% of messages.
spamprobe remove [ filename... ]
Scans each file (or stdin if no file is specified) and
removes its term counts from the database. Messages which are not in the
database (recognized using their MD5 digest of message ids) are ignored.
spamprobe cleanup [ junk_count [ max_age ]
]
Scans the database and removes all terms with
junk_count or less (default 2) which have not had their counts modified
in at least max_age days (default 7). You can specify multiple
count/age pairs on a single command line but must specify both a count and an
age for all but the last count. This should be run periodically to keep the
database from growing endlessly.
spamprobe purge [ junk_count ]
Similar to cleanup but forces the immediate deletion of
all terms with total count less than junk_count (default is 2) no
matter how long it has been since they were modified (i.e. even if they were
just added today). This could be handy immediately after classifying a large
mailbox of historical spam or good email to make room for the next
batch.
spamprobe purge-terms regex
Similar to purge except that it removes from the database
all terms which match the specified regular expression. Be careful with this
command because it could remove many more terms than you expect. Use
dump with the same regex before running this command to see
exactly what will be deleted.
spamprobe edit-term term good_count
spam_count
Can be used to specifically set the good and spam counts
of a term. Whether this is truly useful is doubtful but it is provided for
completeness sake.
spamprobe dump [ regex ]
Prints the contents of the word counts database one word
per line in human readable format with spam probability, good count, spam
count, flags, and word in columns separated by whitespace. When given, the
regex argument limits output to matching tokens.
spamprobe tokenize [ filename ]
Prints the tokens found in the file one word per line in
human readable format with spam probability, good count, spam count, message
count, and word in columns separated by whitespace. Terms are listed in the
order in which they were encountered in the message. The standard unix sort
command can be used to sort the terms as desired.
spamprobe export
Similar to the dump command but prints the counts
and words in a comma separated format with the words surrounded by double
quotes. This can be more useful for importing into some databases.
spamprobe import
Reads the specified files which must contain export data
written by the export command. The terms and counts from this file are
added to the database. This can be used to convert a database from a prior
version.
EXAMPLES¶
External Tokenizers¶
Assuming you have a tokenizer tokenize.pl, in your procmailrc file
you could use:
SCORE=| tokenize.pl | /usr/bin/spamprobe -o tokenized train
Querying Mailboxes¶
To list all words from “most good” to “least
good” use this command:
spamprobe tokenize filename | sort -k 1n -k 2nr
To list all words from “most spammy” to
“least spammy” use this command:
spamprobe tokenize filename | sort -k 1nr -k 3nr
Querying The Database¶
Use spamprobe dump to get a human readable list of tokens
in SpamProbe's database. Berkeley DB sorts terms alphabetically; piping
output into the standard unix sort(1) command can be used to sort the
terms as desired.
To list all words in SpamProbe's database from “most
good” to “least good” use this command:
spamprobe dump | sort -k 1n -k 2nr
To list all words from “most spammy” to
“least spammy” use this command:
spamprobe dump | sort -k 1nr -k 3nr
Optionally you can specify a regular expression. If specified
SpamProbe will only dump terms matching the regular expression. For
example:
spamprobe dump 'finance'
spamprobe dump '\\bfinance\\b'
spamprobe dump 'HSubject_.*finance'
DATABASE MAINTAINANCE¶
When no provision is taken, SpamProbe's databases will constantly
grow while classifying messages. In order to remove old unused entries, you
should run cleanup on a regular basis, most easily from
cron(1).
# daily at 00:03
# remove entries with count <= 2 that haven't
# been touched during the last 2 weeks from
# spamprobe's database
3 0 * * * /usr/bin/spamprobe cleanup 2 14
Alternatively you might want to use a much higher count (1000 in
this example) for terms that have not been seen in roughly six months:
3 0 * * * /home/brian/bin/spamprobe cleanup 1000 180 2 14
Because of the way that Berkeley DB works the database file will
not actually shrink, but newly added terms will be able to use the space
previously occupied by any removed terms so that the file's growth should be
significantly slower if this command is used.
To actually shrink the database you can build a new one using the
Berkeley DB utility programs db_dump(1) and db_load(1) or the
SpamProbe import and export commands. For example:
cd ~
mkdir new.spamprobe
spamprobe export | spamprobe -d ~/new.spamprobe import
mv .spamprobe old.spamprobe
mv new.spamprobe .spamprobe
The -P option can also be used to limit the rate of growth
of the database when importing a large number of emails. For example if you
want to classify 1000 emails and want SpamProbe to purge rare terms every
100 messages use a command such as:
spamprobe -P 100 good goodmailboxname
Using -P slows down the classification but can avoid the
need to use the export/import trick. Note that -P only
makes sense when classifying a large number of messages.
You may want to force a particular word to be very spammy or
extremely good:
spamprobe edit-term xanax 0 1000000
spamprobe edit-term debian 10000000 0
At least pinning good terms tends to help spammers.
BUGS¶
This manual page is still work in progress. In particular it's
lacking a description of which headers are processed with -H normal
and how terms are generated from headers as well as a reference to the regex
syntax applicable to dump and purge-term commands.
FILES¶
~/.spamprobe
When not otherwise specified with the -d
directory option, SpamProbe stores its database files in
this directory. It does not automatically create database directories
except when explicitly asked to by the -c command line
flag or the create-db command. If your home directory
is NFS mounted, use a different directory on a local disk, since Berkeley DB
performance suffers badly over NFS.
~/.spamprobe/spamprobe.hdl
Configuration file for spamprobe. This file is
optional. It can be initialized with all the default values by the
create-config command.
AUTHOR¶
SpamProbe has been written by Brian Burton
<bburton@users.sourceforge.net> and is published under the QPL (Qt
Public License).
This manual page was compiled by Siggy Brentrup
<bsb@debian.org> from the distributed one for the Debian GNU/Linux
system but may be used by others. Permission is granted to copy, distribute
and/or modify this document under the terms of the GPL version 2.
