+ <section> <title>Notes on running SpamAssassin at SMTP time</title>
+ <para>
+ Exim can run
+ <ulink url="https://spamassassin.apache.org/">
+ SpamAssassin</ulink> while receiving a message by SMTP which
+ allows one to avoid acceptance of spam messages. The Debian
+ configuration contains some example code for running SpamAssassin,
+ but like all filtering this needs to be handled carefully.
+ </para>
+ <para>
+ SpamAssassin's default report should not be used in a add_header
+ statement since it contains empty lines. (This triggers e.g.
+ Amavis' warning "BAD HEADER SECTION, Improper folded header field
+ made up entirely of whitespace".) This is a safe, terse alternative:
+ <programlisting>
+ clear_report_template
+ report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN_
+ </programlisting>
+ </para>
+ <para>
+ Rejecting spam messages: Do not reject spam-messages received on
+ (non-spam) mailing lists, this can/will cause auto-unsubscription.
+ This also applies to messages received via forwarding services
+ (e.g. @debian.org addresses). If theses messages are rejected the
+ forwarding services will need to send a bounce address to the
+ spammer and will probably disable the forwarding if it happens all
+ the time. You will need to have some kind of whitelist to exclude
+ these hosts.
+ </para>
+ <para>
+ Security considerations: By default <command>spamd</command>
+ runs as root and changes uid/gid to the requested user to run
+ SpamAssassin. The example uses SpamAssassin default non-privileged
+ user (nobody) which prevents use of Bayesian filtering since this
+ requires persistent storage. You might want to setup a dedicated
+ user for exim spam scanning and use that one, either for a separate
+ SpamAssassin user profile or to run SpamAssassin as non-privileged
+ user.
+ </para>
+ </section>
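Review bot: The "Security considerations" paragraph ends with "either for a separate SpamAssassin user profile or to run SpamAssassin as non-privileged user", which leaves unclear what the two options are and how the dedicated user reaches spamd, given that the paragraph opens by saying spamd runs as root and switches uid/gid to the requested user. Suggest stating which setting in the example selects the user (currently nobody) and that the dedicated user needs persistent storage for Bayesian filtering. In the "Rejecting spam messages" paragraph, "send a bounce address to the spammer" looks like a slip for "send a bounce message", and the closing "some kind of whitelist to exclude these hosts" would be more useful with a pointer to where in the Debian example that exclusion belongs. Wording nits: "a add_header" should be "an add_header", "theses messages" should be "these messages", "spam-messages" is written "spam messages" elsewhere in the section, and "setup a dedicated user" should be "set up a dedicated user".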