Feature add Spam Score Check #233

Closed
xtreme2020 opened this issue Jan 5, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@xtreme2020

Hi, first, thanks for this great tool for mail testing. I'd also like to see if the spam score feature can be added; I've seen it in other projects and it would be great if you could add it.

@axllent axllent added the enhancement New feature or request label Jan 6, 2024
@axllent
Owner

axllent commented Jan 6, 2024

I'm looking into this. There is a catch though, in order for there to be a spam score, Mailpit will need to integrate with either an existing running spamassassin server, or alternatively use a public spamassassin API (meaning raw email data is posted to the third party... ie: privacy). It's not possible for Mailpit to do any spam detection itself.

The solution I'm working on will be opt-in, meaning it has to be enabled in Mailpit (startup flag or environment variable), and in doing so will have to choose which service to use. I'm experiencing some inconsistencies with spamassassin though (changing scores for the same email) so I have more research to do first.

@axllent
Owner

axllent commented Jan 21, 2024

Thank you for the suggestion @xtreme2020. I have just released this feature as part of v1.13.0. You can read more about the feature on the website.

It was an interesting discovery, here are some of the things I noted:

  1. I chose to integrate with SpamAssassin as this appears to be the most common and widely open source solution. There are a number of different other solutions available, but all the others I came across were far more complex to set up, or didn't provide just the ability to test via an API of sorts. The most promising alternative was rspamd, however it was too complex (in my opinion) for most users who would end up returning here asking for help to get that set up (I do not wish to support installations of third-party software).
  2. Although SpamAssassin released a new version (4) more than a year ago, I can't find any distribution which supports it. I couldn't install version 4 within Docker either no matter what I tried, which may be why (just too complicated), so I have tested this only on version 3 (I suspect it will work on 4, I just have not been able to test). I don't think it matters as I think you'll end up on version 3 anyway.
  3. SpamAssassin is maintained, but doesn't appear to be actively developed. The rules for the tests it runs however do get updated as far as I can tell, so that may not be too important. I don't know what this means in the long term, especially since their major upgrade (4) still isn't included in operating systems like Ubuntu (they all seem to use 3), not to mention that their website is, well, shit (it's a combined wiki with all other Apache software making things really hard to find). There is very little information available for the different tests (what they mean exactly, and how to resolve them). Almost every test does however include a short description, so maybe this doesn't matter. This list of tests includes (I think) everything, assuming the user hasn't added additional rules of their own or from other sources. SpamAssassin will only return the tests that got triggered for each message, so the list you'll be looking at is much much shorter.
  4. SpamAssassin (like all other solutions) will by default include blacklisting tests using DNS queries. These public DNS servers can be a bit slow as they are obviously heavily used via all kinds of software, and they do often block requests. Given that each email can have 5-20 different hostnames/IPs, this means a single scan of a message often takes 3-5 seconds. Mailpit is used mostly for local testing, meaning DNS lookups are normally pointless, so I built a small Docker image which disables (by default) all DNS checks - this means a single scan takes as little as 0.1 seconds. You can use any SpamAssassin server you like though.
  5. Given that not all users will want to install their own SpamAssassin server, I also provided the option to use a free online spam checking service (Postmark) which is really just SpamAssassin (3) behind a simple API. They do however do DNS checking, so that service may be a little slow. Also note that I have no control over what they do with the data, and to test each mail the entire email is posted to their API. I don't think they store/use any data though, however I obviously can't promise that.

Let me know how you get on and whether this does what you expected?
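For readers wiring a mail-testing tool to a SpamAssassin server as discussed in this thread, here is an added Go sketch of the spamd wire protocol (a `SYMBOLS` request and its reply). It is not Mailpit's code; the function names and the sample reply are constructed for illustration. Note that the request carries the entire raw message, which is the privacy point raised above when the scanner is a third party.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Result is spamd's verdict for one message.
type Result struct {
	IsSpam           bool
	Score, Threshold float64
	Rules            []string // only the rules that fired
}

// BuildRequest frames a raw email as a SPAMC "SYMBOLS" request (full message is sent).
func BuildRequest(raw []byte) []byte {
	return []byte(fmt.Sprintf("SYMBOLS SPAMC/1.5\r\nContent-length: %d\r\n\r\n%s", len(raw), raw))
}

// ParseResponse reads a reply: status line, headers, blank line, rule names.
func ParseResponse(resp string) (Result, error) {
	r, seen := Result{}, false
	sc := bufio.NewScanner(strings.NewReader(resp))
	if !sc.Scan() || !strings.HasPrefix(sc.Text(), "SPAMD/") || !strings.HasSuffix(sc.Text(), "EX_OK") {
		return r, fmt.Errorf("unexpected status line %q", sc.Text())
	}
	for sc.Scan() && sc.Text() != "" { // headers end at the blank line
		if key, val, _ := strings.Cut(sc.Text(), ":"); strings.EqualFold(strings.TrimSpace(key), "Spam") {
			var flag string // header value looks like "True ; 6.3 / 5.0"
			if _, err := fmt.Sscan(strings.NewReplacer(";", " ", "/", " ").Replace(val), &flag, &r.Score, &r.Threshold); err != nil {
				return r, fmt.Errorf("malformed Spam header %q: %w", val, err)
			}
			r.IsSpam, seen = strings.EqualFold(flag, "true"), true
		}
	}
	if !seen {
		return r, fmt.Errorf("reply has no Spam header")
	}
	for sc.Scan() { // body: comma-separated names of the triggered rules
		r.Rules = append(r.Rules, strings.FieldsFunc(sc.Text(), func(c rune) bool { return c == ',' || c == ' ' })...)
	}
	return r, nil
}

func main() {
	// Constructed sample reply, not captured from a real server.
	r, err := ParseResponse("SPAMD/1.1 0 EX_OK\r\nSpam: True ; 6.3 / 5.0\r\n\r\nMISSING_DATE,HTML_MESSAGE")
	fmt.Println(r, err)
}
```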

@axllent axllent closed this as completed Feb 4, 2024