NAME
spamprobe - A Bayesian spam filter
SYNOPSIS
spamprobe [options] command [files ...]
DESCRIPTION
SpamProbe is a spam filter relying on a Bayesian analysis of the
frequency of words used in spam and non-spam emails received by an
individual person. The process is completely automatic and tailors
itself to the kinds of emails that each person receives.
SpamProbe recognizes and decodes MIME attachments in quoted-printable
and base64 encoding. Image attachments are considered as words that can
signal a spam. By default, it ignores HTML tags for scoring purpose.
SpamProbe supports MBOX, MBX and Maildir mailbox formats. These formats
are automatically detected for mailboxes used as parameters of
SpamProbe commands.
spamprobe is designed to be used in mail delivery agents (MDAs) like
procmail(1) or maildrop(1) to help in identifying spam.
OPTIONS
The recognized options are:
-a char
By default SpamProbe converts non-ascii characters (characters with
the most significant bit set to 1) into the letter 'z'. This is
useful for lumping all Asian characters into a single word for easy
recognition. The -a option allows you to change the character to
something else if you don't like the letter 'z' for some reason.
-c
Tells SpamProbe to create the database directory if it does not
already exist. Normally SpamProbe exits with a usage error if the
database directory does not already exist.
-C number
Tells SpamProbe to assign a default, somewhat neutral, probability
to any term that does not have a weighted (good count doubled)
count of at least number in the database. This prevents terms which
have been seen only a few times from having an unreasonable
influence on the score of an email containing them.
The default value is 5. For example if number is 5 then in order
for a term to use its calculated probability it must have been seen
3 times in good mails, or 2 times in good mails and once in spam,
or 5 times in spam, or some other combination adding up to at least
5.
-d [type:]directory
By default SpamProbe stores its database in a directory named
.spamprobe under your home directory. The -d option allows you to
specify a different directory to use. This is necessary if your
home directory is NFS mounted for example.
The directory name can be prefixed with a special code to force
SpamProbe to use a particular type of data file format. Defined
types include:
-d bdb:path
Forces the use of Berkeley DB data file.
-d hash:path
Forces the use of an mmapped hash file.
-d split:path
Forces the use of a hash file and ISAM file (may provide better
precision than plain hash in some cases).
The hash: option can also specify a desired file size in megabytes
before the path. For example -d hash:19:path would cause SpamProbe
to use a 19 MB hash file. The size must be in the range of 1-100.
The default hash file size is 16 MB. Because hash files have a
fixed size and capacity they should be cleaned relatively often
using the cleanup command (see below) to prevent them from becoming
full or being slowed by too many hash key collisions.
Hash files provide better performance than Berkeley DB. However
hash files do not store the original terms. Only a 32 bit hash key
is stored with each term. This prevents a user from exploring the
terms in the database using the dump command to see what words are
particularly spammy or hammy. The default data file format is
Berkeley BD (bdb).
-D directory
Tells SpamProbe to use the database in the specified directory
(must be different than the one specified with the -d option) as a
shared database from which to draw terms that are not defined in
the user's own database. This can be used to provide a baseline
database shared by all users on a system (in the -D directory) and
a private database unique to each user of the system
($HOME/.spamprobe or -d directory).
-g fieldname
Tells SpamProbe what header to look for previous score and message
digest in. Default is X-SpamProbe. Field name is not case
sensitive. Used by all commands except receive.
-h
By default SpamProbe removes HTML markup from the text in emails to
help avoid false positives. The -h option allows you to override
this behavior and force SpamProbe to include words from within HTML
tags in its word counts. Note that SpamProbe always counts any URLs
in hrefs within tags whether -h is used or not. Use of this option
is discouraged. It can increase the rate of spam detection slightly
but unless the user receives a significant amount of HTML emails it
also tends to increase the number of false positives.
-H option
By default SpamProbe only scans a meaningful subset of headers from
the email message when searching for words to score. The -H option
allows the user to specify additional headers to scan. Legal values
are all, nox, none, or normal. all scans all headers, nox scans
all headers except those starting with X-, none does not scan
headers, and normal scans the normal set of headers.
In addition to those values you can also explicitly add a header to
the list of headers to process by adding the header name in lower
case preceded by a plus sign. Multiple headers can be specified by
using multiple -H options. For example, to include only the From
and Received headers in your train command you could run SpamProbe
as follows:
spamprobe -Hnone -H+from -H+received train
To process the normal set of headers but also add the SpamAssassin
header X-SpamStatus you could run SpamProbe as follows:
spamprobe -H+x-spam-status train
-l number
Changes the spam probability threshold for emails from the default
(0.7) to number. The number must be a value between 0 and 1.
Generally the value should be above 0.5 to avoid a high false
positive rate. Lower numbers tend to produce more false positives
while higher numbers tend to reduce accuracy.
-m
Forces SpamProbe to use mbox format for reading emails in receive
mode. Normally SpamProbe assumes that the input to receive mode
contains a single message so it doesn't look for message breaks.
-M
Forces SpamProbe to treat the entire input as a single message.
This ignores From lines and Content-Length headers in the input.
-o option
Enables special options by name. Currently the only special options
are:
-o graham
Causes SpamProbe to emulate the filtering algorithm originally
outlined in [A Plan For Spam].
-o honor-status-header
Causes SpamProbe to ignore messages if they have a Status:
header containing a capital D. Some mail servers use this
status to indicate a message that has been flagged for deletion
but has not yet been purged from the file.
DO NOT use this option with the receive or train command in
your procmailrc file! Doing so could allow spammers to bypass
the filter. This option is meant to be used with the train-spam
and train-good commands in scripts that periodically update the
database.
-o orig-score
Causes SpamProbe to use its original scoring algorithm that
produces excellent results but tends to generate scores of
either 0 or 1 for all messages.
-o suspicious-tags
Causes SpamProbe to scan the contents of “suspicious” tags for
tokens rather than simply throwing them out. Currently only
font tags are scanned but other tags may be added to this list
in later versions.
-o tokenized
Causes SpamProbe to read tokens one per line rather than
processing the input as mail format. This allows users to
completely replace the standard SpamProbe tokenizer if they
wish and instead use some external program as a tokenizer.
In this mode SpamProbe considers a blank line to indicate the
end of one message's tokens and the start of a new message's
tokens. SpamProbe computes a message digest based on the lines
of text containing the tokens.
The -o option can be used multiple times and all requested options
will be applied. Note that some options might conflict with each
other in which case the last option would take precedence.
-p number
Changes the maximum number of words per phrase. Default value is
two. Increasing the limit improves accuracy somewhat but increases
database size. Experiments indicate that increasing beyond two is
not worth the extra cost in space.
-P number
Causes SpamProbe to perform a purge of all terms with junk count
less than or equal 2 after every number messages are processed.
Using this option when classifying a large collection of spam can
prevent the database from growing overly large at the cost of more
processing time and possible loss of precision.
-r number
Changes the number of times that a single word/phrase can occur in
the top words array used to calculate the score for each message.
Allowing repeats reduces the number of words overall (since a
single word occupies more than one slot) but allows words which
occur frequently in the message to have a higher weight. Generally
this is changed only for optimization purposes.
-R
Causes SpamProbe to treat the input as a single message and to base
its exit code on whether or not that message was spam. The exit
code will be 0 if the message was spam or 1 if the message was
good.
-s number
SpamProbe maintains an in memory cache of the words it has seen in
previous messages to reduce disk I/O and improve performance. By
default the cache will contain the most recently accessed 2,500
terms. This number can be changed using the -s option. Using a
larger the cache size will cause SpamProbe to use more memory and,
potentially, to perform less database I/O. A value of zero causes
SpamProbe to use 100,000 as the limit which effectively means that
the cache will only be flushed at program exit (unless you have
really enormous mailbox files). The cache doesn't affect receive,
dump, or export but has a significant impact on the others.
-T
Causes SpamProbe to write out the top terms associated with each
message in addition to its normal output. Works with find-good,
find-spam, and score.
-v
When it appears once on the command line this option tells
SpamProbe to write verbose information during processing. When it
appears twice on the command line this option tells SpamProbe to
write debugging information to stderr. This can be useful for
debugging or for seeing which terms SpamProbe used to score each
email.
-V
Prints version and copyright information and then exits.
-w number
Changes the number of most significant words/phrases used by
SpamProbe to calculate the score for each message. Generally this
is changed only for optimization purposes.
-x
Normally SpamProbe uses only a fixed number of top terms (as set by
the -w command line option) when scoring emails. The -x option can
be used to allow the array to be extended past the max size if more
terms are available with probabilities <= 0.1 or >= 0.9.
-X
An interesting variation on the scoring settings. Equivalent to
using -w5 -r5 -x so that generally only words with probabilites <=
0.1 or >= 0.9 are used and word frequencies in the email count
heavily towards the score. Tests have shown that this setting tends
to be safer (fewer false positives) and have higher recall (proper
classification of spams previously scored as spam) although its
predictive power isn't quite as good as the default settings.
WARNING: This setting might work best with a fairly large corpus,
it has not been tested with a small corpus so it might be very
inaccurate with fewer than 1000 total messages.
-Y
Assume traditional Berkeley mailbox format, ignoring any
Content-Length: fields.
-7
Tells SpamProbe to ignore any characters with the most significant
bit set to 1 instead of mapping them to the letter 'z'.
-8
Tells SpamProbe to store all characters even if their most
significant bit is set to 1.
COMMANDS
SpamProbe recognizes the following commands:
spamprobe help [ command ]
With no arguments SpamProbe lists all of the valid commands. If one
or more commands are specified after the word help, SpamProbe will
print a more verbose description of each command.
spamprobe create-db
If no database currently exists SpamProbe will attempt to create
one and then exit. This can be used to bootstrap a new
installation. Strictly speaking this command is not necessary since
the train-spam, train-good, and auto-train commands will also
create a database if none already exists but some users like to
create a database as a separate installation step.
spamprobe create-config
Writes a new configuration file named spamprobe.hdl into the
database directory (normally $HOME/.spamprobe). Any existing
configuration file will be overwritten so be sure to make a copy
before invoking this command.
spamprobe receive [ filename... ]
Tells SpamProbe to read its standard input (or a file specified
after the receive command) and score it using the current
databases. Once the message has been scored the message is
classified as either spam or non-spam and its word counts are
written to the appropriate database. The message's score is written
to stdout along with a single word. For example:
SPAM 0.9999999 595f0150587edd7b395691964069d7af
GOOD 0.0200000 595f0150587edd7b395691964069d7af
The string of hex digits after the score is the message's
“MD5-digest”, a 128 bit number which uniquely identifies the
message. The digest is used by SpamProbe to recognize messages that
it has processed previously so that it can keep its word counts
consistent if the message is reclassified.
Using the -T option additionally lists the terms used to produce
the score along with their counts (number of times they were found
in the message).
spamprobe train [ filename... ]
Functionally identical to receive except that the database is only
modified if the message was “difficult” to classify. In practice
this can reduce the number of database updates to as little as 10%
of messages received.
spamprobe score [ filename... ]
Similar to receive except that the database is not modified in any
way.
spamprobe summarize [ filename... ]
Similar to score except that it prints a short summary and score
for each message. This can be useful when testing. Using the -T
option additionally lists the terms used to produce the score along
with their counts (number of times they were found in the message).
spamprobe find-spam [ filename... ]
Similar to score except that it prints a short summary and score
for each message that is determined to be spam. This can be useful
when testing. Using the -T option additionally lists the terms used
to produce the score along with their counts (number of times they
were found in the message).
spamprobe find-good [ filename... ]
Similar to score except that it prints a short summary and score
for each message that is determined to be good. This can be useful
when testing. Using the -T option additionally lists the terms used
to produce the score along with their counts (number of times they
were found in the message).
spamprobe auto-train { SPAM|GOOD filename ... } ...
Attempts to efficiently build a database from all of the named
files. You may specify one or more file of each type. Prior to each
set of file names you must include the word SPAM or GOOD to
indicate what type of mail is contained in the files which follow
on the command line.
The case of the SPAM and GOOD keywords is important. Any number of
file names can be specified between the keywords. The command line
format is very flexible. You can even use a find command in
backticks to process whole directory trees of files. For example:
spamprobe auto-train SPAM spams/* GOOD ‘find hams -type f‘
SpamProbe pre-scans the files to determine how many emails of each
type exist and then trains on hams and spams in a random sequence
that balances the inflow of each type so that the train command can
work most effectively. For example if you had 400 hams and 400
spams, auto-train will generally process one spam, then one ham,
etc. If you had 4000 spams and 400 hams then auto-train will
generally process 10 spams, then one ham, etc.
Since this command will likely take a long time to run it is often
desireable to use it with the -v option to see progress information
as the messages are processed.
spamprobe -v auto-train SPAM spams/* GOOD hams/*
spamprobe good [ filename... ]
Scans each file (or stdin if no file is specified) and reclassifies
every email in the file as non-spam. The databases are updated
appropriately. Messages previously classified as good (recognized
using their MD5 digest) are ignored. Messages previously classified
as spam are reclassified as good.
spamprobe train-good [ filename... ]
Functionally identical to good command except that it only updates
the database for messages that are either incorrectly classified
(i.e. classified as spam) or are “difficult” to classify. In
practice this can reduce amount of database updates to as little as
10% of messages.
spamprobe spam [ filename... ]
Scans each file (or stdin if no file is specified) and reclassifies
every email in the file as spam. The databases are updated
appropriately. Messages previously classified as spam (recognized
using their MD5 digest of message ids) are ignored. Messages
previously classified as good are reclassified as spam.
spamprobe train-spam [ filename... ]
Functionally identical to spam command except that it only updates
the database for messages that are either incorrectly classified
(i.e. classified as good) or are “difficult” to classify. In
practice this can reduce amount of database updates to as little as
10% of messages.
spamprobe remove [ filename... ]
Scans each file (or stdin if no file is specified) and removes its
term counts from the database. Messages which are not in the
database (recognized using their MD5 digest of message ids) are
ignored.
spamprobe cleanup [ junk_count [ max_age ] ]
Scans the database and removes all terms with junk_count or less
(default 2) which have not had their counts modified in at least
max_age days (default 7). You can specify multiple count/age pairs
on a single command line but must specify both a count and an age
for all but the last count. This should be run periodically to keep
the database from growing endlessly.
spamprobe purge [ junk_count ]
Similar to cleanup but forces the immediate deletion of all terms
with total count less than junk_count (default is 2) no matter how
long it has been since they were modified (i.e. even if they were
just added today). This could be handy immediately after
classifying a large mailbox of historical spam or good email to
make room for the next batch.
spamprobe purge-terms regex
Similar to purge except that it removes from the database all terms
which match the specified regular expression. Be careful with this
command because it could remove many more terms than you expect.
Use dump with the same regex before running this command to see
exactly what will be deleted.
spamprobe edit-term term good_count spam_count
Can be used to specifically set the good and spam counts of a term.
Whether this is truly useful is doubtful but it is provided for
completeness sake.
spamprobe dump [ regex ]
Prints the contents of the word counts database one word per line
in human readable format with spam probability, good count, spam
count, flags, and word in columns separated by whitespace. When
given, the regex argument limits output to matching tokens.
spamprobe tokenize [ filename ]
Prints the tokens found in the file one word per line in human
readable format with spam probability, good count, spam count,
message count, and word in columns separated by whitespace. Terms
are listed in the order in which they were encountered in the
message. The standard unix sort command can be used to sort the
terms as desired.
spamprobe export
Similar to the dump command but prints the counts and words in a
comma separated format with the words surrounded by double quotes.
This can be more useful for importing into some databases.
spamprobe import
Reads the specified files which must contain export data written by
the export command. The terms and counts from this file are added
to the database. This can be used to convert a database from a
prior version.
EXAMPLES
External Tokenizers
Assuming you have a tokenizer tokenize.pl, in your procmailrc file you
could use:
SCORE=| tokenize.pl | /usr/bin/spamprobe -o tokenized train
Querying Mailboxes
To list all words from “most good” to “least good” use this command:
spamprobe tokenize filename | sort -k 1n -k 2nr
To list all words from “most spammy” to “least spammy” use this
command:
spamprobe tokenize filename | sort -k 1nr -k 3nr
Querying The Database
Use spamprobe dump to get a human readable list of tokens in
SpamProbe's database. Berkeley DB sorts terms alphabetically; piping
output into the standard unix sort(1) command can be used to sort the
terms as desired.
To list all words in SpamProbe's database from “most good” to “least
good” use this command:
spamprobe dump | sort -k 1n -k 2nr
To list all words from “most spammy” to “least spammy” use this
command:
spamprobe dump | sort -k 1nr -k 3nr
Optionally you can specify a regular expression. If specified SpamProbe
will only dump terms matching the regular expression. For example:
spamprobe dump 'finance'
spamprobe dump '\\bfinance\\b'
spamprobe dump 'HSubject_.*finance'
DATABASE MAINTAINANCE
When no provision is taken, SpamProbe's databases will constantly grow
while classifying messages. In order to remove old unused entries, you
should run cleanup on a regular basis, most easily from cron(1).
# daily at 00:03
# remove entries with count <= 2 that haven't
# been touched during the last 2 weeks from
# spamprobe's database
3 0 * * * /usr/bin/spamprobe cleanup 2 14
Alternatively you might want to use a much higher count (1000 in this
example) for terms that have not been seen in roughly six months:
3 0 * * * /home/brian/bin/spamprobe cleanup 1000 180 2 14
Because of the way that Berkeley DB works the database file will not
actually shrink, but newly added terms will be able to use the space
previously occupied by any removed terms so that the file's growth
should be significantly slower if this command is used.
To actually shrink the database you can build a new one using the
Berkeley DB utility programs db_dump(1) and db_load(1) or the SpamProbe
import and export commands. For example:
cd ~
mkdir new.spamprobe
spamprobe export | spamprobe -d ~/new.spamprobe import
mv .spamprobe old.spamprobe
mv new.spamprobe .spamprobe
The -P option can also be used to limit the rate of growth of the
database when importing a large number of emails. For example if you
want to classify 1000 emails and want SpamProbe to purge rare terms
every 100 messages use a command such as:
spamprobe -P 100 good goodmailboxname
Using -P slows down the classification but can avoid the need to use
the export/import trick. Note that -P only makes sense when classifying
a large number of messages.
You may want to force a particular word to be very spammy or extremely
good:
spamprobe edit-term xanax 0 1000000
spamprobe edit-term debian 10000000 0
At least pinning good terms tends to help spammers.
BUGS
This manual page is still work in progress. In particular it's lacking
a description of which headers are processed with -H normal and how
terms are generated from headers as well as a reference to the regex
syntax applicable to dump and purge-term commands.
FILES
~/.spamprobe
When not otherwise specified with the -d directory option,
SpamProbe stores its database files in this directory. It does not
automatically create database directories except when explicitly
asked to by the -c command line flag or the create-db command. If
your home directory is NFS mounted, use a different directory on a
local disk, since Berkeley DB performance suffers badly over NFS.
~/.spamprobe/spamprobe.hdl
Configuration file for spamprobe. This file is optional. It can be
initialized with all the default values by the create-config
command.
SEE ALSO
procmail(1) , maildrop(1)
AUTHOR
SpamProbe has been written by Brian Burton
<bburton@users.sourceforge.net> and is published under the QPL (Qt
Public License).
This manual page was compiled by Siggy Brentrup bsb@debian.org from the
distributed one for the Debian GNU/Linux system but may be used by
others. Permission is granted to copy, distribute and/or modify this
document under the terms of the GPL version 2.