A look at SpamAssassin 3.0 [LWN.net]

June 2, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

For many of us, SpamAssassin is all that stands between us and an inbox clogged to the gills with unwanted e-mail. With the much-anticipated 3.0 release just around the corner, we decided to see what anti-spam fighters would have to work with in the near future. To that end, we touched base with SpamAssassin developers Theo Van Dinter and Craig Hughes. Hughes left the project recently, but was heavily involved in the development of 3.0 and still has his finger on the pulse of SpamAssassin development.

What's different from the current release, and why the version jump? Both Van Dinter and Hughes noted some important technical improvements in the 3.0 release. Hughes said that the most important feature for 3.0 is its modularity. The 3.0 release is "more modular, easier to write plugins for...easier to plug in other pieces of functionality that aren't distributed with the core package," said Hughes. He noted that prior to 3.0, it was difficult to add in custom code for functions that were not part of SpamAssassin.

Both Hughes and Van Dinter also noted the replacement of SpamAssassin's "genetic algorithm" with a "perceptron learner" for score generation. Van Dinter noted that the new score generation is vastly improved, taking the average time from "[around] 14 hours to less than five minutes per scoreset (there are four)." Van Dinter also told LWN that the message/mime parser for SpamAssassin has been rewritten "essentially from scratch."

Another big improvement for 3.0 is improved scalability. The new version supports installations with larger numbers of mailboxes, with preferences stored in an SQL database or LDAP server. The primary focus there, according to Hughes, was for large ISPs that wanted to use SpamAssassin without having a Unix login or home directory for every user.

While there are plenty of technical improvements in SpamAssassin, Hughes also noted that there's a non-technical rationale for the bump to 3.0. SpamAssassin is in the process of becoming a top-level project of the Apache Software Foundation. This also means a licensing change for the project, which was quite a bit of work according to Hughes:

It's going to be using the Apache License instead of using Perl's licensing, and we've gone through a tremendously long, laborious, tedious even, process of sourcing every line of code...making sure that every author really did have the rights to publish it.

Hughes said that the project met little resistance in switching from the former licensing scheme -- which allowed licensing under either the GPL or the Perl Artistic License -- to the Apache Software License. Hughes said that "only a handful" of developers said they wouldn't allow their code to be relicensed, as well as "two or three we couldn't contact." The end result, he said, was that nothing substantial had to be removed due to licensing issues.

Because of the nature of the project, we were also curious how SpamAssassin manages to stay ahead of spammers. According to Van Dinter, it's not so much staying ahead as an "arms race" between SpamAssassin and spammers:

We filter, they mutate, we start filtering the mutation, they mutate again. Lather, Rinse, Repeat. I'm actually not really involved in the rules (I work on the back-end code more than anything else,) but it basically comes down to looking at the spam that's coming in, seeing which ones aren't caught, and figuring out how to catch them in the future. There are also other useful data points unrelated to the messages themselves. For instance, verifying that the sender isn't forged via SPF (Sender Policy Framework) and utilizing the information provided by SenderBase.

Hughes told LWN that there are two things that help SpamAssassin stay ahead of spammers:

One is that you only have to stay ahead of most spammers. There may be one percent that may be particularly good [at getting by SpamAssassin] but if you can block 99 percent of it, it doesn't matter that much...we're not shooting to be perfect, we're shooting to be as good as we can without trying to squeeze out that last one percent.

The other thing is the sheer complexity of SpamAssassin. It's not just a Bayesian filter, it's not just looking up things in RBLs...it's all those things together. It's actually very, very non-trivial for a human to be able to craft a message that's a piece of spam and get through...to defeat all of the system requires a great deal of work, or a lot of luck.

Another piece of good news for SpamAssassin enthusiasts, is that it shouldn't be hard to upgrade. According to Hughes, it "should be simple, as long as you're not doing anything really funky" in terms of tweaking and customizing the SpamAssassin code. He noted that the 3.0 release is designed to recognize file format changes, and to automatically upgrade user files that are in the old format.

If the SpamAssassin 3.0 meta-bug dependency tree is any indication, there's not much left to do before the 3.0-final release. Hughes said that the project "looks like it's on target" to meet the June 30 release date. Users are encouraged to help test SpamAssassin prior to the final release.

(Log in to post comments)

Carthago delenda est

Posted Jun 13, 2004 9:32 UTC (Sun) by stuart_hc (guest, #9737) [Link]

Good point. I wonder how many projects which previously linked with or were derived from SpamAssassin will have to maintain a fork of the old version.

The FSF explain why it is incompatible with the GPL:

This is a free software license but it is incompatible with the GPL. The Apache Software License is incompatible with the GPL because it has a specific requirement that is not in the GPL: it has certain patent termination cases that the GPL does not require. (We don't think those patent termination cases are inherently a bad idea, but nonetheless they are incompatible with the GNU GPL.)

Carthago delenda est sed Apache non Carthago est

Posted Jun 16, 2004 6:02 UTC (Wed) by crankysysadmin (guest, #19449) [Link]

For my part, I'm glad to hear SA is in the good company of the Apache folks. License schmicence. Since when is the Apache group evil? And IMNSHO there are plenty of licenses that are incompatible with the GPL that are quite OK, like the Creative Commons ones, the BSD license, etc. I like them all for different reasons. There's no sense in dogmatically insisting on the GPL when there are actual good reasons under varying circumstances to use other licenses.

Carthago delenda est sed Apache non Carthago est

Posted Jun 17, 2004 10:53 UTC (Thu) by angdraug (subscriber, #7487) [Link]

For my part, I'm glad to hear SA is in the good company of the Apache folks. License schmicence. Since when is the Apache group evil?

I'm afraid since before I've started to pay attention to them. Besides, there are no good and evil folks, there are good and evil deeds, and that is exactly this "schmicence" attitude that is a problem for me.

And IMNSHO there are plenty of licenses that are incompatible with the GPL that are quite OK, like the Creative Commons ones, the BSD license, etc.

I think your IMNSHO should be humbled down to IMHO: Creative Commons are far from being OK, they are not even DFSG-compliant, BSD without advertising clause is GPL-compatible and that is why it is OK.

There's no sense in dogmatically insisting on the GPL when there are actual good reasons under varying circumstances to use other licenses.

Each time GPL is discussed, someone always has to stich the "dogma" label on it. You know what? It's wrong, there are plenty of practical reasons to fight for GPL-compatibility.

In Red Hat 7.1, released in 2001, 63% of the software (counted by lines of code) was licensed under GPL and LGPL. In Sisyphus, current snapshot of ALT Linux, 77% of 5500 packages are licensed under GPL and LGPL. Now, isn't it important that it remains possible for two thirds of free software to be able to link and exchange code with the remaining third?

Carthago delenda est sed Apache non Carthago est

Posted Jun 17, 2004 11:28 UTC (Thu) by crankysysadmin (guest, #19449) [Link]

> Now, isn't it important that it remains possible for two thirds of free
> software to be able to link and exchange code with the remaining third?

Let me put my opinion this way: I'm not as idealistic as you (which need not be interpreted as a criticism) and therefore I'm glad that there are licenses out there that are not quite as permissive as the GPL but which are still worlds apart from the closed-source proprietary world.

More simply put: I think getting rid of all non-GPL licenses would, at this stage of the OSS struggle, result in less free software, FSVO 'free'.

However, I think the DFSG are great, and I think the GPL is great. I think they incorporate an ideal that still needs to be worked toward, and (important point) with which not everyone is fully comfortable (that's where the "dogma" would come in). Until that time let there be more free software, and let the developers of that software live with the harsh realities of not being able to swap code with absolutely everyone, and perhaps then they'll see the light.

Carthago delenda est sed Apache non Carthago est

Posted Jun 17, 2004 12:43 UTC (Thu) by angdraug (subscriber, #7487) [Link]

I'm not as idealistic as you

There, now you've put another false label on me, even if less negative than "dogma". Please, don't do that again.

I think getting rid of all non-GPL licenses would, at this stage of the OSS struggle, result in less free software, FSVO 'free'.

1. Don't put words in my mouth. I am talking GPL-incompatible here, not non-GPL. Can you see the difference?

2. Getting rid of GPL-incompatible licenses would result in one strong community, instead of the fracturing set of smaller communities sharing nothing but name, and confused even about that (OSS vs. free software).

However, I think the DFSG are great, and I think the GPL is great.

Now that intro brought up my spin-doctor alarm. Sorry, but I'm too used to hearing this exact phrase from folks who don't really mean it...

I think they incorporate an ideal (...) with which not everyone is fully comfortable (that's where the "dogma" would come in).

There, you did it again, now using both "idealism" and "dogma" labels in one sentence. Stick a label, rinse, repeat?

Of course there are people who are not comfortable with the idea of freedom. Otherwise, you wouldn't have to fight for it, right?

Carthago delenda est sed Apache non Carthago est

Posted Jun 17, 2004 14:07 UTC (Thu) by crankysysadmin (guest, #19449) [Link]

Whatever. No offense meant, I don't want to get in a flame war with you, nor did I intentionally put words in your mouth with my "I" statement. However, you're seemingly deliberately ignoring my point, which merits one more response from me. Let me see if this formulation pleases you:

I think getting rid of all GPL-incompatible licenses would, at this stage of the OSS struggle, result in less open source software, FSVO 'open'.

So in other words, my priority is on getting people who write code to make it somewhat free (in the sense of "open", not in the sense of "cost"), even if it isn't as free as the GPL. In that sense I feel I am also trying to increase freedom, because I currently see the alternative as being more closed-source, proprietary software. Obviously you are welcome to an opposing viewpoint.

Carthago delenda est sed Apache non Carthago est

Posted Jun 17, 2004 16:01 UTC (Thu) by angdraug (subscriber, #7487) [Link]

Ok, ok, apologies accepted.

But you're wrong in saying that I deliberately ignored your point: I've dedicated whole point "2. (...)" above to addressing it. Now that we have finished with "you said I said" games (I hope), lets get to the core of the matter.

So in other words, my priority is on getting people who write code to make it somewhat free (in the sense of "open", not in the sense of "cost"), even if it isn't as free as the GPL. In that sense I feel I am also trying to increase freedom, because I currently see the alternative as being more closed-source, proprietary software.

My experience proves otherwise. Once people decided to release the source under whatever license, they are already over the fence, in the sense that they're not very likely to back away from releasing it at all. If they are told (with polite and convincing arguments) that the license they've chosen is wrong, they are much more likely to release under a better license than not to release at all. OTOH, once considerable amount of time has passed since the release, it becomes much more difficult to change the license to a better one.

Thus, if the final goal is to get as much software as possible under as free licenses as possible, being careful about choosing a right license from the very start is more effective than the "schmicence" attitude.

And finally, please allow me to brainwash you about the words you use. After all, Orwell was right and our words do infuence our thoughts. "Open" is a wrong word as it implies that you can look, but not necessarily can touch (as in patents which are open just fine). Freedom should also include the right to touch and even to take it and walk away with it.