spamprobe - Online in the Cloud

PROGRAM:

NAME

spamprobe - A Bayesian spam filter

SYNOPSIS

spamprobe [options] command [files ...]

DESCRIPTION

SpamProbe is a spam filter relying on a Bayesian analysis of the frequency of words used
in spam and non-spam emails received by an individual person. The process is completely
automatic and tailors itself to the kinds of emails that each person receives.

SpamProbe recognizes and decodes MIME attachments in quoted-printable and base64 encoding.
Image attachments are considered as words that can signal a spam. By default, it ignores
HTML tags for scoring purpose.

SpamProbe supports MBOX, MBX and Maildir mailbox formats. These formats are automatically
detected for mailboxes used as parameters of SpamProbe commands.

spamprobe is designed to be used in mail delivery agents (MDAs) like procmail(1) or
maildrop(1) to help in identifying spam.

OPTIONS

The recognized options are:

-a char
By default SpamProbe converts non-ascii characters (characters with the most
significant bit set to 1) into the letter 'z'. This is useful for lumping all Asian
characters into a single word for easy recognition. The -a option allows you to change
the character to something else if you don't like the letter 'z' for some reason.

-c
Tells SpamProbe to create the database directory if it does not already exist.
Normally SpamProbe exits with a usage error if the database directory does not already
exist.

-C number
Tells SpamProbe to assign a default, somewhat neutral, probability to any term that
does not have a weighted (good count doubled) count of at least number in the
database. This prevents terms which have been seen only a few times from having an
unreasonable influence on the score of an email containing them.

The default value is 5. For example if number is 5 then in order for a term to use its
calculated probability it must have been seen 3 times in good mails, or 2 times in
good mails and once in spam, or 5 times in spam, or some other combination adding up
to at least 5.

-d [type:]directory
By default SpamProbe stores its database in a directory named .spamprobe under your
home directory. The -d option allows you to specify a different directory to use. This
is necessary if your home directory is NFS mounted for example.

The directory name can be prefixed with a special code to force SpamProbe to use a
particular type of data file format. Defined types include:

-d bdb:path
Forces the use of Berkeley DB data file.

-d hash:path
Forces the use of an mmapped hash file.

-d split:path
Forces the use of a hash file and ISAM file (may provide better precision than
plain hash in some cases).

The hash: option can also specify a desired file size in megabytes before the path.
For example -d hash:19:path would cause SpamProbe to use a 19 MB hash file. The size
must be in the range of 1-100. The default hash file size is 16 MB. Because hash files
have a fixed size and capacity they should be cleaned relatively often using the
cleanup command (see below) to prevent them from becoming full or being slowed by too
many hash key collisions.

Hash files provide better performance than Berkeley DB. However hash files do not
store the original terms. Only a 32 bit hash key is stored with each term. This
prevents a user from exploring the terms in the database using the dump command to see
what words are particularly spammy or hammy. The default data file format is Berkeley
BD (bdb).

-D directory
Tells SpamProbe to use the database in the specified directory (must be different than
the one specified with the -d option) as a shared database from which to draw terms
that are not defined in the user's own database. This can be used to provide a
baseline database shared by all users on a system (in the -D directory) and a private
database unique to each user of the system ($HOME/.spamprobe or -d directory).

-g fieldname
Tells SpamProbe what header to look for previous score and message digest in. Default
is X-SpamProbe. Field name is not case sensitive. Used by all commands except receive.

-h
By default SpamProbe removes HTML markup from the text in emails to help avoid false
positives. The -h option allows you to override this behavior and force SpamProbe to
include words from within HTML tags in its word counts. Note that SpamProbe always
counts any URLs in hrefs within tags whether -h is used or not. Use of this option is
discouraged. It can increase the rate of spam detection slightly but unless the user
receives a significant amount of HTML emails it also tends to increase the number of
false positives.

-H option
By default SpamProbe only scans a meaningful subset of headers from the email message
when searching for words to score. The -H option allows the user to specify additional
headers to scan. Legal values are all, nox, none, or normal. all scans all headers,
nox scans all headers except those starting with X-, none does not scan headers, and
normal scans the normal set of headers.

In addition to those values you can also explicitly add a header to the list of
headers to process by adding the header name in lower case preceded by a plus sign.
Multiple headers can be specified by using multiple -H options. For example, to
include only the From and Received headers in your train command you could run
SpamProbe as follows:

spamprobe -Hnone -H+from -H+received train

To process the normal set of headers but also add the SpamAssassin header X-SpamStatus
you could run SpamProbe as follows:

spamprobe -H+x-spam-status train

-l number
Changes the spam probability threshold for emails from the default (0.7) to number.
The number must be a value between 0 and 1. Generally the value should be above 0.5 to
avoid a high false positive rate. Lower numbers tend to produce more false positives
while higher numbers tend to reduce accuracy.

-m
Forces SpamProbe to use mbox format for reading emails in receive mode. Normally
SpamProbe assumes that the input to receive mode contains a single message so it
doesn't look for message breaks.

-M
Forces SpamProbe to treat the entire input as a single message. This ignores From
lines and Content-Length headers in the input.

-o option
Enables special options by name. Currently the only special options are:

-o graham
Causes SpamProbe to emulate the filtering algorithm originally outlined in [A Plan
For Spam].

-o honor-status-header
Causes SpamProbe to ignore messages if they have a Status: header containing a
capital D. Some mail servers use this status to indicate a message that has been
flagged for deletion but has not yet been purged from the file.

DO NOT use this option with the receive or train command in your procmailrc file!
Doing so could allow spammers to bypass the filter. This option is meant to be
used with the train-spam and train-good commands in scripts that periodically
update the database.

-o orig-score
Causes SpamProbe to use its original scoring algorithm that produces excellent
results but tends to generate scores of either 0 or 1 for all messages.

-o suspicious-tags
Causes SpamProbe to scan the contents of “suspicious” tags for tokens rather than
simply throwing them out. Currently only font tags are scanned but other tags may
be added to this list in later versions.

-o tokenized
Causes SpamProbe to read tokens one per line rather than processing the input as
mail format. This allows users to completely replace the standard SpamProbe
tokenizer if they wish and instead use some external program as a tokenizer.

In this mode SpamProbe considers a blank line to indicate the end of one message's
tokens and the start of a new message's tokens. SpamProbe computes a message
digest based on the lines of text containing the tokens.

The -o option can be used multiple times and all requested options will be applied.
Note that some options might conflict with each other in which case the last option
would take precedence.

-p number
Changes the maximum number of words per phrase. Default value is two. Increasing the
limit improves accuracy somewhat but increases database size. Experiments indicate
that increasing beyond two is not worth the extra cost in space.

-P number
Causes SpamProbe to perform a purge of all terms with junk count less than or equal 2
after every number messages are processed. Using this option when classifying a large
collection of spam can prevent the database from growing overly large at the cost of
more processing time and possible loss of precision.

-r number
Changes the number of times that a single word/phrase can occur in the top words array
used to calculate the score for each message. Allowing repeats reduces the number of
words overall (since a single word occupies more than one slot) but allows words which
occur frequently in the message to have a higher weight. Generally this is changed
only for optimization purposes.

-R
Causes SpamProbe to treat the input as a single message and to base its exit code on
whether or not that message was spam. The exit code will be 0 if the message was spam
or 1 if the message was good.

-s number
SpamProbe maintains an in memory cache of the words it has seen in previous messages
to reduce disk I/O and improve performance. By default the cache will contain the most
recently accessed 2,500 terms. This number can be changed using the -s option. Using a
larger the cache size will cause SpamProbe to use more memory and, potentially, to
perform less database I/O. A value of zero causes SpamProbe to use 100,000 as the
limit which effectively means that the cache will only be flushed at program exit
(unless you have really enormous mailbox files). The cache doesn't affect receive,
dump, or export but has a significant impact on the others.

-T
Causes SpamProbe to write out the top terms associated with each message in addition
to its normal output. Works with find-good, find-spam, and score.

-v
When it appears once on the command line this option tells SpamProbe to write verbose
information during processing. When it appears twice on the command line this option
tells SpamProbe to write debugging information to stderr. This can be useful for
debugging or for seeing which terms SpamProbe used to score each email.

-V
Prints version and copyright information and then exits.

-w number
Changes the number of most significant words/phrases used by SpamProbe to calculate
the score for each message. Generally this is changed only for optimization purposes.

-x
Normally SpamProbe uses only a fixed number of top terms (as set by the -w command
line option) when scoring emails. The -x option can be used to allow the array to be
extended past the max size if more terms are available with probabilities <= 0.1 or >=
0.9.

-X
An interesting variation on the scoring settings. Equivalent to using -w5 -r5 -x so
that generally only words with probabilites <= 0.1 or >= 0.9 are used and word
frequencies in the email count heavily towards the score. Tests have shown that this
setting tends to be safer (fewer false positives) and have higher recall (proper
classification of spams previously scored as spam) although its predictive power isn't
quite as good as the default settings. WARNING: This setting might work best with a
fairly large corpus, it has not been tested with a small corpus so it might be very
inaccurate with fewer than 1000 total messages.

-Y
Assume traditional Berkeley mailbox format, ignoring any Content-Length: fields.

-7
Tells SpamProbe to ignore any characters with the most significant bit set to 1
instead of mapping them to the letter 'z'.

-8
Tells SpamProbe to store all characters even if their most significant bit is set to
1.

COMMANDS

SpamProbe recognizes the following commands:

spamprobe help [ command ]
With no arguments SpamProbe lists all of the valid commands. If one or more commands
are specified after the word help, SpamProbe will print a more verbose description of
each command.

spamprobe create-db
If no database currently exists SpamProbe will attempt to create one and then exit.
This can be used to bootstrap a new installation. Strictly speaking this command is
not necessary since the train-spam, train-good, and auto-train commands will also
create a database if none already exists but some users like to create a database as a
separate installation step.

spamprobe create-config
Writes a new configuration file named spamprobe.hdl into the database directory
(normally $HOME/.spamprobe). Any existing configuration file will be overwritten so be
sure to make a copy before invoking this command.

spamprobe receive [ filename... ]
Tells SpamProbe to read its standard input (or a file specified after the receive
command) and score it using the current databases. Once the message has been scored
the message is classified as either spam or non-spam and its word counts are written
to the appropriate database. The message's score is written to stdout along with a
single word. For example:

SPAM 0.9999999 595f0150587edd7b395691964069d7af
GOOD 0.0200000 595f0150587edd7b395691964069d7af

The string of hex digits after the score is the message's “MD5-digest”, a 128 bit
number which uniquely identifies the message. The digest is used by SpamProbe to
recognize messages that it has processed previously so that it can keep its word
counts consistent if the message is reclassified.

Using the -T option additionally lists the terms used to produce the score along with
their counts (number of times they were found in the message).

spamprobe train [ filename... ]
Functionally identical to receive except that the database is only modified if the
message was “difficult” to classify. In practice this can reduce the number of
database updates to as little as 10% of messages received.

spamprobe score [ filename... ]
Similar to receive except that the database is not modified in any way.

spamprobe summarize [ filename... ]
Similar to score except that it prints a short summary and score for each message.
This can be useful when testing. Using the -T option additionally lists the terms used
to produce the score along with their counts (number of times they were found in the
message).

spamprobe find-spam [ filename... ]
Similar to score except that it prints a short summary and score for each message that
is determined to be spam. This can be useful when testing. Using the -T option
additionally lists the terms used to produce the score along with their counts (number
of times they were found in the message).

spamprobe find-good [ filename... ]
Similar to score except that it prints a short summary and score for each message that
is determined to be good. This can be useful when testing. Using the -T option
additionally lists the terms used to produce the score along with their counts (number
of times they were found in the message).

spamprobe auto-train { SPAM|GOOD filename ... } ...
Attempts to efficiently build a database from all of the named files. You may specify
one or more file of each type. Prior to each set of file names you must include the
word SPAM or GOOD to indicate what type of mail is contained in the files which follow
on the command line.

The case of the SPAM and GOOD keywords is important. Any number of file names can be
specified between the keywords. The command line format is very flexible. You can even
use a find command in backticks to process whole directory trees of files. For
example:

spamprobe auto-train SPAM spams/* GOOD `find hams -type f`

SpamProbe pre-scans the files to determine how many emails of each type exist and then
trains on hams and spams in a random sequence that balances the inflow of each type so
that the train command can work most effectively. For example if you had 400 hams and
400 spams, auto-train will generally process one spam, then one ham, etc. If you had
4000 spams and 400 hams then auto-train will generally process 10 spams, then one ham,
etc.

Since this command will likely take a long time to run it is often desireable to use
it with the -v option to see progress information as the messages are processed.

spamprobe -v auto-train SPAM spams/* GOOD hams/*

spamprobe good [ filename... ]
Scans each file (or stdin if no file is specified) and reclassifies every email in the
file as non-spam. The databases are updated appropriately. Messages previously
classified as good (recognized using their MD5 digest) are ignored. Messages
previously classified as spam are reclassified as good.

spamprobe train-good [ filename... ]
Functionally identical to good command except that it only updates the database for
messages that are either incorrectly classified (i.e. classified as spam) or are
“difficult” to classify. In practice this can reduce amount of database updates to as
little as 10% of messages.

spamprobe spam [ filename... ]
Scans each file (or stdin if no file is specified) and reclassifies every email in the
file as spam. The databases are updated appropriately. Messages previously classified
as spam (recognized using their MD5 digest of message ids) are ignored. Messages
previously classified as good are reclassified as spam.

spamprobe train-spam [ filename... ]
Functionally identical to spam command except that it only updates the database for
messages that are either incorrectly classified (i.e. classified as good) or are
“difficult” to classify. In practice this can reduce amount of database updates to as
little as 10% of messages.

spamprobe remove [ filename... ]
Scans each file (or stdin if no file is specified) and removes its term counts from
the database. Messages which are not in the database (recognized using their MD5
digest of message ids) are ignored.

spamprobe cleanup [ junk_count [ max_age ] ]
Scans the database and removes all terms with junk_count or less (default 2) which
have not had their counts modified in at least max_age days (default 7). You can
specify multiple count/age pairs on a single command line but must specify both a
count and an age for all but the last count. This should be run periodically to keep
the database from growing endlessly.

spamprobe purge [ junk_count ]
Similar to cleanup but forces the immediate deletion of all terms with total count
less than junk_count (default is 2) no matter how long it has been since they were
modified (i.e. even if they were just added today). This could be handy immediately
after classifying a large mailbox of historical spam or good email to make room for
the next batch.

spamprobe purge-terms regex
Similar to purge except that it removes from the database all terms which match the
specified regular expression. Be careful with this command because it could remove
many more terms than you expect. Use dump with the same regex before running this
command to see exactly what will be deleted.

spamprobe edit-term term good_count spam_count
Can be used to specifically set the good and spam counts of a term. Whether this is
truly useful is doubtful but it is provided for completeness sake.

spamprobe dump [ regex ]
Prints the contents of the word counts database one word per line in human readable
format with spam probability, good count, spam count, flags, and word in columns
separated by whitespace. When given, the regex argument limits output to matching
tokens.

spamprobe tokenize [ filename ]
Prints the tokens found in the file one word per line in human readable format with
spam probability, good count, spam count, message count, and word in columns separated
by whitespace. Terms are listed in the order in which they were encountered in the
message. The standard unix sort command can be used to sort the terms as desired.

spamprobe export
Similar to the dump command but prints the counts and words in a comma separated
format with the words surrounded by double quotes. This can be more useful for
importing into some databases.

spamprobe import
Reads the specified files which must contain export data written by the export
command. The terms and counts from this file are added to the database. This can be
used to convert a database from a prior version.

EXAMPLES

External Tokenizers
Assuming you have a tokenizer tokenize.pl, in your procmailrc file you could use:

SCORE=| tokenize.pl | /usr/bin/spamprobe -o tokenized train

Querying Mailboxes
To list all words from “most good” to “least good” use this command:

spamprobe tokenize filename | sort -k 1n -k 2nr

To list all words from “most spammy” to “least spammy” use this command:

spamprobe tokenize filename | sort -k 1nr -k 3nr

Querying The Database
Use spamprobe dump to get a human readable list of tokens in SpamProbe's database.
Berkeley DB sorts terms alphabetically; piping output into the standard unix sort(1)
command can be used to sort the terms as desired.

To list all words in SpamProbe's database from “most good” to “least good” use this
command:

spamprobe dump | sort -k 1n -k 2nr

To list all words from “most spammy” to “least spammy” use this command:

spamprobe dump | sort -k 1nr -k 3nr

Optionally you can specify a regular expression. If specified SpamProbe will only dump
terms matching the regular expression. For example:

spamprobe dump 'finance'
spamprobe dump '\\bfinance\\b'
spamprobe dump 'HSubject_.*finance'

DATABASE MAINTAINANCE

When no provision is taken, SpamProbe's databases will constantly grow while classifying
messages. In order to remove old unused entries, you should run cleanup on a regular
basis, most easily from cron(1).

# daily at 00:03
# remove entries with count <= 2 that haven't
# been touched during the last 2 weeks from
# spamprobe's database
3 0 * * * /usr/bin/spamprobe cleanup 2 14

Alternatively you might want to use a much higher count (1000 in this example) for terms
that have not been seen in roughly six months:

3 0 * * * /home/brian/bin/spamprobe cleanup 1000 180 2 14

Because of the way that Berkeley DB works the database file will not actually shrink, but
newly added terms will be able to use the space previously occupied by any removed terms
so that the file's growth should be significantly slower if this command is used.

To actually shrink the database you can build a new one using the Berkeley DB utility
programs db_dump(1) and db_load(1) or the SpamProbeimport and export commands. For
example:

cd ~
mkdir new.spamprobe
spamprobe export | spamprobe -d ~/new.spamprobe import
mv .spamprobe old.spamprobe
mv new.spamprobe .spamprobe

The -P option can also be used to limit the rate of growth of the database when importing
a large number of emails. For example if you want to classify 1000 emails and want
SpamProbe to purge rare terms every 100 messages use a command such as:

spamprobe -P 100 good goodmailboxname

Using -P slows down the classification but can avoid the need to use the export/import
trick. Note that -P only makes sense when classifying a large number of messages.

You may want to force a particular word to be very spammy or extremely good:

spamprobe edit-term xanax 0 1000000
spamprobe edit-term debian 10000000 0

At least pinning good terms tends to help spammers.

Use spamprobe online using onworks.net services