Using Sieve scripts to filter mail automatically

Mail to IMAP/POP accounts can be filtered by the server as it is being delivered. This allows spam and virus-carrying mail to be discarded or filed separately. It also allows for mail to be sorted into categories for easier reading.

Spam and virus detection

Spam detection is handled by a combination of DNS blocklists and SpamAssassin content analysis. Mail coming from IP addresses in certain blocklists is rejected at SMTP time - this avoids us sending bounces to innocent people whose addresses were forged by the bad guys.

Virus scanning is done next, using ClamAV. Any message found to contain malware is rejected at the end of the SMTP DATA phase.

Content analysis is done at delivery time for people with IMAP or POP mailboxes. The spam score is written into the headers of the message so that the user's Sieve script can decide what to do with it.

When new accounts are created they are given a default Sieve script that files messages with 'X-Spam-Flag: Yes' into a folder called 'spam'. This flag is set by SpamAssassin when the score is over 15 (a very conservative value). Messages in the 'spam' folder are deleted after 30 days.

Messages to Mailman mailing lists are held for the moderator's attention if the score is above 5.

Using a Sieve script to discard spam messages

Sieve is a simple language for processing messages based on matching patterns in the headers. It is described in RFC3028. Here is a simple script to file spam mail into a folder called spam

	require "fileinto";

	# Score 5 or above is not worth reading
	# so we match 5 or more 's' characters
	if header :contains "X-Spam-Level" "sssss" {
		fileinto "INBOX.spam";

	# Everything else drops through to the normal INBOX

To put this in place from a Linux command-line:

  1. Create a file with the required Sieve script.
  2. Create the junk folder under your mailbox:
    	cyradm --user accountname --server
    		(Type the account password)
    	cm INBOX.spam
  3. Load the Sieve script and make it active:
    	sieveshell --authname=accountname --user=accountname
    		(Type the account password)
    	put scriptfilename
    	activate scriptfilename

Some mail interfaces have ways to create and upload Sieve scripts, so you may find that more convenient.

With the script in place, most spam messages should end up in the spam mailbox. You can access this from IMAP (but not from POP). You should check and clear it occasionally. Any sub-folder called 'spam' will have messages older than a couple of weeks removed automatically.

Obviously, it is possible to create more mailboxes and direct specific types of mail to them. This can be very useful with high-traffic mailing lists for example.

Andrew Findlay
Updated 7 September 2012

$Id: sieve.html,v 1.2 2006/04/16 12:08:07 root Exp shackweb $