IMAP Spam Begone

isbg is a script that makes it easy to scan an IMAP inbox for spam using SpamAssassin and get your spam moved to another folder.

Unlike the normal mode of deployments for SpamAssassin, isbg does not need to be involved in mail delivery, and can run on completely different machines to where your mailbox actually is.

Current version is 0.97 - 26 March 2003

There is a Yahoo group - imapspambegone for discussion and questions.

Table of Contents

• Features
• Does it work?
• Installation
• Your first run
• Running it
• Your folder names
• Advanced options
• How does it work?
• Multiple accounts
• Saving your password
• SSL
• Exit Codes
• Read and Seen flags
• Upgrading
• Version History
• Todo list
• Contact and about

Features

• Works with all common IMAP servers
• Works on Linux, MacOS X and Windows
• Can do IMAP over SSL
• Can remember your password
• Will work painlessly against multiple IMAP accounts and servers
• Is not involved in the mail delivery process, and so can run on any machine that can contact your IMAP server
• Highly configurable
• Sensible defaults so you don't have to do any configuring :-)

Does it work?

Yes, very well. It has been filtering my work email, some of which comes from a legacy email address that is from a spam unfiltered system. I run it as a cronjob every 15 minutes, and have had it doing that for 6 months. I get about 500 spams a month. Many other users have been using it for a variety of servers from a variety of platforms.

There are no known outstanding bugs.

Installation

Make sure you have SpamAssassin installed. This is described in spamassassin.org/dist/INSTALL.

SpamAssassin should be on your $PATH (it installs in /usr/bin by default)

Download isbg.py. You can rename it to anything you want, and make it executable (chmod 555 isbg.py). It is written in the Python scripting language. Python is installed by default on most Linux systems. You can find out more about Python at www.python.org

Simply invoke it by whatever name you called the file.

Your first run

SpamAssassin

If you have never used SpamAssassin before, you'll probably be quite nervous about it being too good and taking out legitimate email, or not taking out enough spam. It has an easily adustable threshold to change how aggressive it is. Run the following command to create your preferences file

$ spamassassin  </dev/null >/dev/null
Created user preferences file: /home/rogerb/.spamassassin/user_prefs

You can then edit $HOME/.spamassassin/user_prefs and change the thresholds.

isbg

The default behaviour of isbg is to not make any changes your Inbox unless you specify specific command line options. Consequently you can experiment without worry at the begining.

Your first step is to create a new folder to receive suspected spam. I use one named 'spam'.

Run isbg with the --help option to see what options are available:

$ isbg.py --help
isbg: IMAP Spam begone 0.97-26Mar03
All options are optional

  --imaphost hostname   IMAP server name [localhost]
  --ssl                 Make an SSL connection to the IMAP server
  --imapuser username   Who you login as [rogerb]
  --imapinbox mbox      Name of your inbox folder [INBOX]
  --spaminbox mbox      Name of your spam folder [INBOX.spam]
  --maxsize numbytes    Messages larger than this will be ignored as they are
                        unlikely to be spam [120000]
  --noreport            Don't include the SpamAssassin report in the message
                        copied to your spam folder
  --flag                The spams will be flagged in your inbox
  --delete              The spams will be marked for deletion from your inbox
  --expunge             Cause marked for deletion messages to also be deleted
                        (only useful if --delete is specified)
  --verbose             Show IMAP stuff happening
  --spamc               Use spamc instead of standalone SpamAssassin binary
  --savepw              Store the password to be used in future runs
  --nostats             Don't print stats
  --exitcodes           Use different exitcodes (see doc)
(Your inbox will remain untouched unless you specify --flag or --delete)
  
See http://www.rogerbinns.com/isbg for more details

Do your first run.

$ isbg.py --imaphost mail.example.com  --savepw
IMAP password for rogerb@mail.example.com: 

The amount of time it takes will be proportional to the size of your inbox. You can specify --verbose if you want to see the gory details of what is going on.

You can now examine your spam folder and will see what spam was detected. You can change the SpamAssassin threshold in your user_prefs file it created earlier.

isbg remembers which messages it has already seen, so that it doesn't process them again every time it is run. If you are testing and do want it to run again, then remove the trackfile (default $HOME/.isbg-track*).

If you specified --savepw then isbg will remember your password the next time you run against the same server with the same username. You should not specify --savepw in future runs unless you want to change the saved password.

Running it

You'll probably want something to actually be done with the original spams in your inbox. By default nothing happens to them, but you have two options available. If you specify --flag then spams will be flagged.

You can get the messages marked for deletion by specifying --delete. If you never want to see them in your inbox, also specify the --expunge option after --delete and they will be removed when isbg logs out of the IMAP server.

Your folder names

Each IMAP implementation names their folders differently, and most IMAP clients manage to hide most of this from you. If your IMAP server is Courier, then your folders are all below INBOX, and use dots to seperate the components.

The UWash server typically has the folders below Mail and uses slash '/' to seperate components.

Advanced options

If you would like to do something beyond the options listed in the usage message above, isbg actually has several more options that can be used. You will easily be able to figure them out from looking in the isbg.py file.

How does it work?

IMAP assigns each message in a folder a unique id. isbg scans the folder for messages it hasn't seen before, and for each one, downloads the message and feeds it to SpamAssassin. If SpamAssassin says the message is spam, then the SpamAssassin report is uploaded into your spam folder. Unless you specify the --noreport option, in which case the message is copied from your Inbox to the Spam folder (the copy happens on the IMAP server itself so this option is good if you are on a low bandwidth connection).

Multiple accounts

By default isbg saves the list of seen IMAP message unique ids in a file in your home directory. It is named .isbg-trackXXXX where XXXX is a 16 byte identifier based on the IMAP host, username and port number. Consequently you can just run isbg against different servers/accounts and it will automatically keep the tracked uids seperate. You can override the filename with --trackfile.

Saving your password

If you don't want isbg to prompt you for your password each time, you can specify the --savepw option. This will save the password in a file in your home directory. The file is named .isbg-XXXX where XXXX is a 16 byte identifier based on the IMAP host, username and port number (the same as for the multiple accounts description above). You can override the filename with --passwordfilename

The password is obfuscated, so anyone just looking at the contents won't be able to see what it is. However, if they study the code to isbg then they will be able to figure out how to de-obfuscate it, and recover the original password. (isbg needs the original password each time it is run as well).

Consequently you should regard this as providing minimal protection if someone can read the file.

SSL

isbg can do IMAP over SSL if your version of Python has been compiled with SSL support. (Specifically it looks for the function socket.ssl). You can tell if you have ssl support by running isbg.py --help. If --ssl is listed in the options then you have ssl support.

However you should be aware that the SSL support does NOT check the certificate name nor validate the issuer. If an attacker can intercept the connection and modify all the packets flowing by, then they will be able to pose as the IMAP server. Other than that, the connection will have the usual security features of SSL.

Exit Codes

When ISBG exits, it uses the exit code to tell you what happened. In general it is zero if all went well, and non-zero if there was a problem. You can turn on additional reporting by using the --exitcodes command line option.

Read and Seen flags

There are two flags IMAP uses to mark messages, Recent and Seen. Recent is sent to the first IMAP client that connects after a new message is received. Other clients or subsequent connections won't see that flag. The Seen flag is used to mark a message as read. IMAP clients explicitly set Seen when a message is being read.

Pine and some other mailers use the Recent flag to mark new mail. Unfortunately this means that if isbg or any other IMAP client has even looked at the Inbox, the messages won't be shown as new. It really should be using Seen.

The IMAP specification does not permit clients to change the Recent flag.

Upgrading

To 0.95 from earlier versions

The name of the trackfile has changed. If you just run 0.95 it will reprocess your entire INBOX. If you would like to save the existing trackfile, then run isbg with --verbose and don't specify your password. It will print the name of the trackfile before the password prompt. Press control-C to break out. Rename ~/.isbg to the trackfilename it printed, and then rerun isbg.

Version History

0.97 - 26 March 2003

• If a message can't be saved to the spam box, then it is left alone. (Some IMAP servers hand isbg a message that they then refuse to be handed back). Previously isbg would exit.
• Be careful when inbox has no messages at all
• Allow using exit codes to see what happened
• Supply None as last two arguments to socket.ssl (even though api says they aren't needed). Some platforms implementation doesn't match the spec.
• Only attempt to set message flags if the user has specified any. (Some IMAP servers break if you ask them to add no flags to a message)

0.96 - 20 January 2003

• Actually do NL to CRNL conversion correctly

0.95 - 19 January 2003

• Removed --stop-at-threshold option as SA no longer has it
• Changed end of line to <CR><NL> since some IMAP servers get upset if the message only has newlines. SpamAssassin helpfully removes all the CRs which the IMAP protocol requires
• Make /dev/null be nul on Windows
• Added support for IMAP over SSL.
• Made the default trackfile be based on host, user and port
• Some borken IMAP servers didn't like a space after the opening parenthesis in message flags
• Provide the ability to store password (filename also based on host, user and port)
• Added --nostats to prevent printing of final statistics
• Removed uids from trackfile if they are no longer in the INBOX

0.92 - 28 October 2002

• Removed --pipe option to SpamAssassin since it is now the default and complains if it is supplied
• Changed the order of the UID SIZE fetch fields since iPlanet returns them in the order it feels like, not what was requested.

0.9 - 14 July 2002

• Initial version

Todo list

• Just delete very high scoring messages and don't even put them in the spam folder
• Auto report messages to Razor (high scoring ones that are definitely spam)
• Seperate out messages that may be false positives (scores close to SpamAssassin thresholds) from the definite spam ones.

Contact and about

This software is written and maintained by Roger Binns <rogerb@rogerbinns.com> It is distributed under the Artistic License.

There is a Yahoo group - imapspambegone for discussion and questions.