Welcome

Welcome to the home page for the open-source Apache SpamAssassin Project.

Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).

It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Apache SpamAssassin is a project of the Apache Software Foundation (ASF).

• Click here to get started using SpamAssassin!
• Looking for tips to improve your existing installation? Click here for a variety of topics in our Wiki that might help.
• Sent here because you received an e-mail message which was modified by SpamAssassin? Please read this end-user notice.

Latest News

2022-12-17: Apache SpamAssassin 4.0.0 has been released! This is a major upgrade to SpamAssassin with full Unicode support and many other new features. Visit the downloads page to pick it up, and for more info.

2021-04-12: Apache SpamAssassin 3.4.6 has been released! Apache SpamAssassin 3.4.6 fixes two bugs that were introduced by the 3.4.5 release that could prevent certain rules from properly firing.

*** There will be no more development or bug fixes in the 3.4 branch unless a new security issue requires a 3.4.7 release. All future releases and bug fixes will be in the 4.0 series. ***

2021-03-24: Apache SpamAssassin 3.4.5 has been released! Apache SpamAssassin 3.4.5 is primarily a security release. In this release, there are bug fixes for one CVE:

• CVE-2020-1946 for Malicious rule configuration (.cf) files can be configured to run system commands.

*** On March 1, 2020, we stopped publishing rulesets with SHA-1 checksums. If you do not update to 3.4.2 or later, you will be stuck at the last ruleset with SHA-1 checksums. ***

2020-01-28: Apache SpamAssassin 3.4.4 has been released! Apache SpamAssassin 3.4.4 is primarily a security release. In this release, there are bug fixes for two CVEs:

• CVE-2020-1931 for Nefarious rule configuration (.cf) files can be configured to run system commands with warnings.
• CVE-2020-1930 for Nefarious rule configuration (.cf) files can be configured to run system commands with sa-compile.

2019-12-11: Apache SpamAssassin 3.4.3 has been released! Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling. There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3. In this release, there is also one new plugin and there are bug fixes for two CVEs:

• CVE-2019-12420 for Multipart Denial of Service Vulnerability
• CVE-2018-11805 for nefarious Configuration (.cf) files can be configured to run system commands without any output or errors.

*** On March 1, 2020, we will stop publishing rulesets with SHA-1 checksums. If you do not update to 3.4.2 or later, you will be stuck at the last ruleset with SHA-1 checksums. ***

2019-09-05:Happy Birthday! Apache SpamAssassin turned 18.

News Archive page. Atom feed

Features

• Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
• Free software: it is distributed under the same terms and conditions as other popular open-source software packages such as the Apache web server.
• Easy to extend: Anti-spam tests and configuration are stored in plain text, making it easy to configure and add new rules.
• Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API so it can be integrated anywhere in the email stream. The Mail::SpamAssassin classes can be used on a wide variety of email systems including procmail, sendmail, Postfix, qmail, and many others.
• Easy Configuration: SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. Once classified, site and user-specific policies can then be applied against spam. Policies can be applied on both mail servers and later using the user's own mail user-agent application.