Manual Reference Pages - SPAMORACLE (1)
spamoracle - a spam classification tool
mailbox ... ]
mailbox ... ]
mailbox ... ]
mailbox ... ]
SpamOracle is a tool to help detect and filter away "spam"
(unsolicited commercial e-mail). It proceeds by statistical analysis
of the words that appear in the e-mail, comparing the frequencies of
words with those found in a user-provided corpus of known spam and
known legitimate e-mail. The classification algorithm is based on
Bayes formula, and is described in Paul Grahams paper,
A plan for spam,
This program is designed to work in conjunction with
The result of the analysis is output as an additional message header
X-Spam: followed by
unknown, plus additional details. A procmail rule can then test this
X-Spam: header and deliver the e-mail to the appropriate mailbox.
In addition, SpamOracle also analyses MIME attachments,
extracting relevant information such as MIME type, character encoding
and attached file name, and summarizing them in an additional
X-Attachments: header. This allows procmail to easily reject
e-mails containing suspicious attachments, e.g. Windows executables
which often indicate a virus.
REQUIREMENTS AND LIMITATIONS
To use SpamOracle, your mail must be delivered to a Unix machine on which
you have a shell account. This machine must have
http://www.procmail.org/) installed. Your
~/.forward file must be set up to run all incoming e-mail through
If your mail server supports the POP or IMAP protocols, you can also use
to fetch your mail from the server and have it delivered to your local machine.
To provide the corpus of messages from which SpamOracle "learns",
an archive of about 1000 of your e-mails is needed.
The archive must be manually or semi-automatically split into
known spams and known good messages. Mis-classified messages
in the corpus (e.g. spams mistakenly stored among the good messages)
will decrease the efficiency of the classification. The archive
must be in Unix mailbox format, or in "one message per file"
format (a la MH). Other formats, such as Emacs Babyl, are not
The notion of "word" used by SpamOracle is slanted towards Western
European languages, i.e. the ISO Latin-1 and Latin-9 character sets.
Preliminary support for JIS-encoded Japanese can be selected at
compile-time. SpamOracle will not work well if you receive many
legitimate e-mails written in other character sets, such as Chinese or
To build the database of word frequencies from the corpus, do:
By default, the database is stored in the file
.spamoracle.db in your home directory. This can be overriden with the
spamoracle -f mydatabase add ... The
-v option prints progress information during the processing of the corpus.
spamoracle add -v -good goodmails -spam spammails
This assumes that the good, non-spam messages from the corpus are
stored in the file
goodmails, and the known spam messages in the file
spammails. You can also fetch corpus messages from several files, and/or process them
via several invocations of SpamOracle:
spamoracle add -good goodmails1 ... goodmailsN
spamoracle add -spam spammails1 ... spammailsP
TESTING THE DATABASE
To check that the database was built correctly, and familiarize
yourself with the statistical analysis performed by SpamOracle,
invoke the "test" mode on the mailboxes that you just used for building
For each message in the given mailboxes, youll see a summary like this:
spamoracle test goodmails | more
spamoracle test spammails | more
The first two lines are just the
Subject: fields of the original message.
From: bbo <email@example.com>
Subject: Check This Out
Score: 1.00 -- 15
Details: refid:98 $$$$:98 surfing:98 asp:95 click:93 cable:92
instantly:90 https:88 internet:87 www:86 U4:85 isnt:14 month:81
Attachments: cset="GB2312" type="application/octet-stream"
Score: line summarizes the result of the analysis.
The first number (between 0.0 and 1.0) is the probability that the
message is actually spam --- or, equivalently, the degree of similarity
of the message with the spam messages in the corpus.
The second number (an integer between 0 and 15) is the number of
"interesting" words found in the message. "Interesting" words are
those that occur at least 5 times in the corpus.
In the example, we have 15 interesting words (the maximum) and a
score of 1.00, indicating a spam with high certainty.
Details: line provides an explanation of the score. It lists
the 15 most interesting words found in the message, that is, the 15
interesting words whose probability of denoting a spam is farthest
away from the neutral 0.5. Each word is given with its individual score,
written as a percentage (between 01 and 99) rather than as a
probability so as to save space. Here, we see a number of very
"spammish" words such as
click, with probability 0.98
and 0.93 respectively, and a few "innocent" words such as
isnt (probability 0.14). The
U4 word with probability 0.85 is actually
a pseudo-word representing a 4-letter word all in uppercase --
something spammers are fond of.
Attachments: line summarizes some information about MIME
attachments for this message. Here, we have one attachment of type
application/octect-stream, file name
Guangwen4.zip, and character set
GB2312 (an encoding for Chinese).
File: line shows the file that is being tested.
Normally, when running
spamoracle test goodmails, most messages should come out with low score (0.2 or less), and when running
spamoracle test spammails, most messages should come out with a
high score (0.8 or more). If not, your corpus isnt very good,
or not well classified into spam and non-spam. To quickly see
the outliers, you can reduce the interval of scores for which
message summaries are displayed, as follows:
Now, for a more challenging test, take a mailbox that contains
unfiltered e-mails, i.e. a mixture of spam and legitimate e-mails,
and run it through SpamOracle:
spamoracle test -min 0.2 goodmails | more
# Shows only good mails with score >= 0.2
spamoracle test -max 0.8 spammails | more
# Shows only spam mails with score <= 0.8
Marvel at how well the oracle recognizes spam from the rest!
If the result isnt that marvelous to you, keep in mind that
certain spams are just too short to be recognized (not enough
significant words). Also, perhaps your corpus was too small,
or not well categorized...
spamoracle test mymailbox | less
MARKING AND FILTERING INCOMING E-MAIL
Once the database is built, youre ready to run incoming e-mails
through SpamOracle. The command
spamoracle mark reads one e-mail from standard input, and copies it to standard output,
with two headers inserted:
X-Spam: header has one the following formats:
details are as described for
yes/no/unknown tag synthesizes the results of the analysis:
yes means that the score is >= 0.8 and at least 5 interesting words were found;
no means that the score is <= 0.2 and at least 5 interesting words were found;
unknown is returned otherwise. The
unknown case generally occurs for very short messages, where not enough
interesting words were found.
X-Attachments: header contains the same information as
Attachments: output of
spamoracle test, that is, a summary of the message attachments.
To process automatically your incoming e-mail through SpamOracle
and act upon the results of the analysis, just insert the following
"recipes" in the file ~/.procmailrc:
| /usr/local/bin/spamoracle mark
* ^X-Spam: yes;
What these cryptic commands mean is:
- Run every mail through the
spamoracle mark command.
(If spamoracle wasnt installed in /usr/local/bin, adjust the path
as necessary.) This adds two headers to the message:
X-Attachments:, describing the results of the spam analysis and the attachment analysis.
- If we have an
X-Spam: yes header, deliver the message to the file
spambox rather than to your regular mailbox. Presumably,
spambox once in a while, but less often than your regular mailbox.
Daring users can put
/dev/null instead of
spambox to just throw away the message, but please dont do that until
youve used SpamOracle for a while and are happy with the results.
SpamOracles false positive rate (i.e. legitimate mails
classified as spam) is low (0.1%) but not null.
So, better save the presumed spams somewhere, and scan them
quickly from time to time.
If youd like to enjoy a bit of attachment-based filtering, here are
some procmail rules for that:
The first rule treats as spam every mail that has a Windows
executable as attachment. These mails are typically sent by viruses.
The second rule does the same with attachments of type x-wav or x-midi.
I never normally receive music by e-mail, however some popular
e-mail viruses seem fond of these attachment types.
The third rule treats as spam every mail that uses character
encodings corresponding to Korean, Chinese, Japanese, and Cyrillic.
UPDATING THE DATABASE
At any time, you can add more known spams or known legitimate
messages to the database by using the
spamoracle add command.
For instance, if you find a spam message that was not classified
as such, run it through
spamoracle add -spam, so that SpamOracle can learn from its mistake. (Without additional
arguments, this command will read a single message from standard input
and record it as spam.) Under
for instance, just highlight the spam message and type
Similarly, if you find a legitimate message while checking your
spam box, run it through
spamoracle add -good.
|spamoracle add -spam
Another option is to collect more known spams or more known good
messages into mailbox files, and once in a while do
spamoracle add -good new_good_mails or
spamoracle add -spam new_spam_mails.
QUERYING THE DATABASE
For your edification and entertainment, the contents of the database
can be queried by regular expressions. The
spamoracle list regexp command lists all words in the database that match
regexp (an Emacs-style regular expression), along with their number of
occurrences in spam mail and in good mail. For instance:
spamoracle list .* # show all words -- big list!
spamoracle list sex.*
spamoracle list linux.*
The database used by SpamOracle is stored in a compact, binary format that
is not humanly readable. Moreover, this format is subject to change in later
versions of SpamOracle. To facilitate backups and upgrades, the
database contents can also be manipulated in a portable, text format.
spamoracle backup command dumps the contents of the database to
standard output, in a textual, portable format.
spamoracle restore command reads such a dump from standard input
and rebuilds the database with this data.
The recommended procedure for upgrading to a newer version of SpamOracle is:
# Before the upgrade:
spamoracle backup > backupfile
# Upgrade SpamOracle
# Restore the database
spamoracle restore < backupfile
CONFIGURING FILTERING PARAMETERS
Many of the parameters that govern message classification can be
configured via a configuration file. By default, the configuration
is read from the file
.spamoracle.conf in the users home directory. A different configuration file can
be specified on the command line using the
spamoracle -config myconfigfile ...
The list of configurable parameters and the format of the
configuration file are described in
All parameters have reasonable defaults, but you can try to improve
the quality of classification further by tweaking them. To determine
the impact of your changes, use either the
stat commands to
spamoracle stat command prints a one-line summary of how many spam, non-spam, and
unknown messages were found in the mailboxes given as arguments.
SpamOracles notion of "word" is any run of 3 to 12 of the following
characters: letters, single quotes, and dashes (-).
If support for non-English european languages was
compiled in, word characters also include the relevant accented letters
for the languages in question. All words are
mapped to lowercase, and accented letters are mapped to the corresponding
A run of 3 to 12 of the following characters also constitutes a word:
digits, dots, commas, and dollar, Euro and percent signs.
In addition, a run of three or more uppercase letters generates a
n is the length of the run. Similarly,
a run of three or more non-ASCII characters (code >= 128) generates
n is the length of the run.
For instance, the following text:
is processed into the following words, assuming French support was
selected at compile-time:
SUMMER in English is written "�t�" in French ���
and if French support was not selected:
U5 summer english written ete french W3
U5 summer english written french W3
To see the words that are extracted from a message, issue the
spamoracle words command. It reads either a single message from standard input, or all
messages from the mailbox files given as arguments, decomposes the
messages into words and prints the words.
The database file can be compressed with
to save disk space, at the expense of slower
spamoracle operations. If the database file specified with the
-f option has the extension
spamoracle will automatically uncompress it on start-up, and re-compress it after
If your mail is stored in MH format, you may run into "command line
too long" errors while trying to process a lot of small files with the
spamoracle add command, e.g. when doing
spamoracle add -good archives/*/* -spam spam/*
Instead, do something like:
find archives -type f -print | xargs spamoracle add -good
find spam -type f -print | xargs spamoracle add -spam
Xavier Leroy <Xavier.Leroy@inria.fr>
http://cristal.inria.fr/~xleroy/software/ (SpamOracle distribution site)
http://www.paulgraham.com/spam.html (Paul Grahams seminal paper)
Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.