Overview
Spam filtering identifies and segregates unsolicited or potentially harmful messages before they reach an inbox. Stalwart includes a built-in spam and phishing filter whose behaviour is defined by a set of customizable rules, tags, scores, and statistical classifiers. The bulk of the spam and phishing rules shipped with Stalwart are ported directly from RSpamd, with a small number derived from SpamAssassin. Combined with expressions, this provides comparable filtering depth to those systems while keeping the configuration inside the JMAP object model.
Settings
Linear Classifier
LLM classifier
The LLM classifier extends Stalwart's spam filtering by using a large language model to detect unsolicited, commercial, or harmful messages. It integrates with any configured AI model and analyses message subjects and bodies through natural language processing, complementing the statistical classifier with higher-level semantic reasoning.
Rules
Stalwart supports custom spam filter rules that analyse incoming messages and assign tags dynamically. Rules use expressions to evaluate specific parts of a message (headers, body, sender information, attachments, and so on) and to decide which tags to apply.
DNS blocklists
In email security and spam filtering, two widely used tools are DNSBL (DNS-based Block List) and DNSWL (DNS-based Allowlist). Both are maintained by external organisations and updated continuously to reflect the latest information about spam and malicious activity. The lists are queried over DNS, so lookups are fast and cacheable, and are used to decide whether to accept, reject, or further scrutinise an incoming message.
DMARC analysis
Ensuring the authenticity and integrity of incoming messages is important given the prevalence of phishing and spoofing attacks. Stalwart validates incoming messages using four email authentication standards: DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and ARC (Authenticated Received Chain).
Phishing protection
Phishing is a deceptive technique used by attackers to trick recipients into revealing sensitive information, such as passwords or credit card numbers. Typical phishing attacks use counterfeit emails, websites, or messages that appear to come from a legitimate source. Over time, phishing attempts have become more sophisticated and harder to distinguish from genuine communications.
Collaborative digests
Collaborative spam detection networks such as Pyzor, Razor, and DCC rely on message digests. When a user identifies an email as spam, the system generates a unique hash of the message and shares it across the network. Incoming messages are then compared against the repository of spam hashes; if a hash matches, the message is flagged. The principle is straightforward: once one participant in the network identifies a spam wave, all other participants are immediately protected from the same messages.
Trusted senders
Trusted sender mechanisms take precedence over the spam filter's final score and ensure that a message is delivered to the recipient's inbox when specific trust conditions are met. These mechanisms are independent of the statistical classifier and apply at a higher decision level, providing deterministic guarantees for messages that are strongly associated with the recipient's legitimate correspondence. Their purpose is to prevent false positives in cases where contextual knowledge is more reliable than statistical inference.
Greylisting
Greylisting temporarily rejects messages from unknown senders. When a message from an unfamiliar source arrives, the server returns a "try again later" response. Legitimate MTAs follow standard retry logic and will attempt the delivery again after a short delay, at which point the message is accepted. Many spam senders do not retry, so their messages never get through.
Spamtrap
A spam trap is an email address set up specifically to attract spam. These addresses are not used for regular communication and do not belong to real users, so any message sent to one is, by definition, unsolicited. Spam traps therefore provide a reliable indicator of spam activity.