SpamAssassin and you: How ServiceNow manages spam

ServiceNow has inherent protection against spam and junk email via an implementation of open source software called “SpamAssassin.” Unfortunately, documentation for some aspects of SpamAssassin can be difficult to read or find, especially since the project completely removed its wiki pages in July of 2019 and is currently transitioning to a new website.

So how does it work? By default, any email that enters ServiceNow is evaluated against a preset list of “tests,” which can change daily as developers add or remove them. Each of these tests contributes either a positive or a negative score. For ServiceNow, if any email ends evaluation with a score greater than 6, it is instantly moved to the spam folders of your ServiceNow instance. The following is an example of a SpamAssassin header:

Now, let us break down each section:

As you notice in the “Spam-Status” section, we have both positive and negative tests attributed to this email, and those are as follows:

Now, since we’ve seen a passing email, let us look at one that failed. In this example a client had changed the way they were sending emails in SecureWorks, but some steps were missed. This caused otherwise valid emails to be filtered as spam.

You’ll notice in the above that even though this email is marked as spam, it still passed the BAYES_00 test. Why is that? Let’s explore below:

As we can see from the above, even though the contents of the email passed the BAYES test, something as simple as the lack of plaintext in the email added a total of 3.57 points. Add to this the issue with the accuracy of the SPF record, and now an otherwise “normal” email is added to spam and missed by the client. If SPF records are always up to date and emails are formatted properly when generated, you should almost never have actual valid email hitting your spam folders!
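The same breakdown can be scripted when triaging a message that landed in spam. The following is an added example, not code from the original article or from ServiceNow: it assumes the header is named `X-Spam-Status` and lists per-rule scores as `tests=NAME=score,...`, and the sample message and its scores are constructed for illustration.

```python
import re
from email import message_from_string

THRESHOLD = 6.0  # article: a score greater than 6 is moved to spam

# Constructed sample; the header layout and per-rule scores are assumptions.
SAMPLE = (
    "From: alerts@example.com\n"
    "Subject: Ticket update\n"
    "X-Spam-Status: Yes, score=6.8 required=6.0\n"
    "\ttests=BAYES_00=-1.9,HTML_MESSAGE=0.5,MIME_HTML_ONLY=3.07,\n"
    "\tSPF_FAIL=5.1 autolearn=no version=3.4.2\n"
    "\n"
    "<html><body>Ticket updated</body></html>\n"
)

def parse_spam_status(value):
    """Return (flagged, score, required, {rule: score or None})."""
    # Unfold continuation lines and rejoin a rule list that was folded at a comma.
    flat = re.sub(r",\s+", ",", " ".join(str(value).split()))
    verdict, _, rest = flat.partition(",")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    rules = {}
    for item in fields.get("tests", "").split(","):
        name, _, score = item.partition("=")
        if name and name != "none":
            rules[name] = float(score) if score else None  # None: score not shown
    return (verdict.strip().lower() == "yes", float(fields["score"]),
            float(fields["required"]), rules)

def triage(raw_message, threshold=THRESHOLD):
    """Explain which rules put a message over the threshold."""
    msg = message_from_string(raw_message)
    flagged, score, _required, rules = parse_spam_status(msg["X-Spam-Status"])
    scored = {n: s for n, s in rules.items() if s is not None}
    offenders = sorted((r for r in scored.items() if r[1] > 0), key=lambda r: -r[1])
    return {
        "flagged": flagged,
        "over_threshold": score > threshold,
        # Header total is rounded, so compare with a small tolerance.
        "sum_matches_header": abs(sum(scored.values()) - score) < 0.1,
        "offenders": offenders,
        # Rules whose removal alone would bring the score back to the threshold or below.
        "decisive": [n for n, s in offenders if score - s <= threshold],
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

The `decisive` list points at what to fix first on the sending side: in the constructed sample, correcting either the SPF result or the HTML-only formatting would be enough on its own to keep the message out of spam.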

For more detailed information on Rules and what they mean, you can visit the SpamAssassin wiki pages. Unfortunately, as of writing this article, the wiki pages are undergoing a major overhaul and the old wiki is no longer easily available without the use of sites such as Wayback Machine. As such, the following link should give you a good start on Rules, though it is missing some new tests such as SB_GIF_AND_NO_URIS: Tests v3.3.x

Good luck and happy spam filtering!