SpamAssassin and you: How ServiceNow manages spam

ServiceNow has inherent protection against spam and junk email via an implementation of open source software called “SpamAssassin.” Unfortunately, documentation for some aspects of SpamAssassin can be difficult to read or find, especially since the project completely removed its wiki pages in July of 2019 and is currently transitioning to a new website.

So how does it work? By default, any email that enters ServiceNow is evaluated against a preset list of “tests,” which can change daily as developers add and remove them. Each of these tests attributes either a positive or negative score. For ServiceNow, if any email ends evaluation with a score greater than 6, it is instantly moved to the spam folders of your ServiceNow instance. The following is an example of a SpamAssassin header:

Now, let us break down each section:

  • Spam-Score: The total score SpamAssassin has given this email. Anything above a 6 gets tagged as spam.
  • Spam-Flag: Yes or No, indicating whether the email was flagged as spam.
  • Spam-Status: This section details the flag, score, and tests that were “passed” on this email. This will show both positive and negative tests to give you a general idea of how the score was constructed.

As you can see in the “Spam-Status” section, we have both positive and negative tests attributed to this email, and those are as follows:

  • BAYES_00 – Using Bayesian algorithms (see: Naive Bayes Filtering), the system has identified this item as having a low chance of being spam. As such, it gives the email -1.9.
  • DKIM_SIGNED – Email contains a DKIM signature. A signature on its own is not always valid, so this adds only 0.1.
  • DKIM_VALID – Email contains a validated DKIM signature. As such, it gives the email -1.1.
  • DKIM_VALID_AU – Email contains a validated DKIM signature for the author’s domain, essentially meaning the email is coming from where it says it is. As such, it gives the email -0.1.
  • HTML_MESSAGE – The email contains an HTML message, which can contain malicious items. However, since this isn’t always bad, it only adds 0.001.
  • SPF_PASS – Sender matches the SPF record for the client. Adds 0.1.

Now, since we’ve seen a passing email, let us look at one that failed. In this example a client had changed the way they were sending emails in SecureWorks, but some steps were missed. This caused otherwise valid emails to be filtered as spam.

You’ll notice in the above that even though this email is marked as spam, it still passed the BAYES_00 test. Why is that? Let’s explore below:

  • DKIM_INVALID – Email contains an invalid DKIM signature.
  • HTML_IMAGE_ONLY_12 – Email contains an HTML “image” of 800-1200 bytes, but does not contain a plaintext version of the email. This is common in spam emails, which is why it gives such a high score of 2.059. This can be avoided by always including a plaintext version in any system-generated email.
  • MIME_HTML_ONLY – Similar to HTML_IMAGE_ONLY, this gives a score of 0.723 when the email contains only HTML MIME parts and no plaintext.
  • MPART_ALT_DIFF – Email’s plaintext portion is substantially different from the HTML part. Any email with no plaintext part automatically fails this test as well.
  • SB_GIF_AND_NO_URIS – Email contains a GIF but does not contain any URI for the GIF in the email. This is also a common spam tactic, which is why the score for this is 2.199.
  • SPF_SOFTFAIL – The Sender’s SPF does not match. By default, for SpamAssassin, a softfail score is generally below 1. However, ServiceNow has changed the way this scoring works on their side and has an SPF_SOFTFAIL give a whopping 3.5 points. Of all spam issues you’ll encounter, an SPF_SOFTFAIL is going to be most common. Always ensure your SPFs are up to date!

As we can see from the above, even though the contents of the email passed the BAYES test, something as simple as the lack of plaintext in the email added a total of 3.57 points. Add to this the inaccurate SPF record, and now an otherwise “normal” email is added to spam and missed by the client. If SPFs are always up to date and emails are formatted properly when generated, you should almost never have actual valid email hitting your spam folders!
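
The same breakdown as a triage script, added here as an example (it is not from the original article or ServiceNow's tooling). The `X-Spam-` header prefix, the sample message and its 7.5 total are constructed and assume SpamAssassin's usual `score=… tests=…` layout; per-rule scores are the ones quoted in this article, and rules the article gives no score for are reported as unknown.

```python
import re
from email import message_from_string

THRESHOLD = 6.0  # per the article: a score above 6 is filed as spam

# Scores quoted in the article; rules with no quoted score are left out.
ARTICLE_SCORES = {
    "BAYES_00": -1.9, "DKIM_SIGNED": 0.1, "DKIM_VALID": -1.1,
    "DKIM_VALID_AU": -0.1, "HTML_MESSAGE": 0.001, "SPF_PASS": 0.1,
    "HTML_IMAGE_ONLY_12": 2.059, "MIME_HTML_ONLY": 0.723,
    "SB_GIF_AND_NO_URIS": 2.199, "SPF_SOFTFAIL": 3.5,
}

# Constructed sample: header names, total and layout are assumptions.
SAMPLE = """\
X-Spam-Score: 7.5
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.5 required=6.0 tests=BAYES_00,DKIM_INVALID,
\tHTML_IMAGE_ONLY_12,MIME_HTML_ONLY,MPART_ALT_DIFF,SB_GIF_AND_NO_URIS,
\tSPF_SOFTFAIL
Subject: constructed alert

body
"""

def triage(raw_message, prefix="X-Spam-"):
    """Explain why a message was scored the way it was."""
    msg = message_from_string(raw_message)
    # The test list is usually folded over several lines; rejoin it.
    status = re.sub(r",\s+", ",", msg.get(prefix + "Status", ""))
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    tests = re.search(r"tests=(\S+)", status)
    if not score or not tests:
        raise ValueError("no parsable Spam-Status header")
    total = float(score.group(1))
    rules = [t for t in tests.group(1).split(",") if t and t != "none"]
    known = {r: ARTICLE_SCORES[r] for r in rules if r in ARTICLE_SCORES}
    unknown = [r for r in rules if r not in ARTICLE_SCORES]
    # Rules that raised the score, largest contribution first.
    drivers = sorted((r for r in known if known[r] > 0),
                     key=known.get, reverse=True)
    # Rules whose removal alone would put the mail at or under the threshold.
    decisive = [r for r in drivers if total - known[r] <= THRESHOLD]
    return {"score": total, "spam": total > THRESHOLD, "drivers": drivers,
            "decisive": decisive, "unknown": unknown}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For a real instance, pass the header prefix your instance actually stamps on inbound mail as `prefix`.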

For more detailed information on Rules and what they mean, you can visit the SpamAssassin wiki pages. Unfortunately, as of writing this article, the wiki pages are undergoing a major overhaul and the old wiki is no longer easily available without the use of sites such as Wayback Machine. As such, the following link should give you a good start on Rules, though it is missing some new tests such as SB_GIF_AND_NO_URIS: Tests v3.3.x

Good luck and happy spam filtering!