In 1998, a mathematician named Gary Robinson adapted a statistical technique called Naive Bayes classification to the problem of email spam. The idea was simple enough to fit on a napkin: words that appear frequently in spam and rarely in legitimate mail are evidence of spam. Words that appear frequently in legitimate mail and rarely in spam are evidence of legitimacy. Combine enough of those per-word probabilities across a message, and you get a reliable overall spam probability.
Two-plus decades later, Bayesian filtering is still at the core of most production spam detection systems — including Indition Spam Killer — because the fundamental insight remains sound, and the technique scales gracefully from a single mailbox to tens of millions.
Tokens and Probability: The Basic Idea
The classifier works on tokens. A token is usually a word, but it can also be a phrase, a URL, a header field value, or any other extracted feature. During training, the classifier builds a database of token probabilities: for each token, it records how often that token appeared in spam messages versus in legitimate (ham) messages.
Say the classifier has seen "free" appear in 850 out of 1,000 spam messages and 40 out of 1,000 ham messages. The spam probability for the token "free" is 850/(850+40) = approximately 0.955. That's a strongly spam-associated token.
Contrast that with "invoice" appearing in 120 spam messages and 380 ham messages. The spam probability is 120/(120+380) = 0.24. That's a ham-associated token — seeing it pushes the score toward legitimate.
When a new message arrives, the classifier extracts its tokens, looks up the probability for each one, and combines them. The combination step uses a formula that multiplies the individual probabilities together in a way that lets them reinforce each other — a message containing multiple strongly spam-associated tokens scores very high, even if none of the individual tokens is a smoking gun on its own.
Here's a simplified look at a handful of tokens scored against a trained model:
| Token | Spam appearances | Ham appearances | Spam probability |
|---|---|---|---|
free |
850 | 40 | 0.955 |
click here |
720 | 25 | 0.966 |
unsubscribe |
580 | 310 | 0.652 |
invoice |
120 | 380 | 0.240 |
quarterly report |
30 | 420 | 0.067 |
meeting |
45 | 610 | 0.069 |
A message containing "free", "click here", and "unsubscribe" would score very high. A message containing "invoice", "quarterly report", and "meeting" would score very low. A message with a mix would fall somewhere in the middle, with the balance determined by how many tokens fall on each side and how extreme their individual probabilities are.
Why the Classifier Gets Better Over Time
The key property of Bayesian classification is that every correctly labeled message makes the model more accurate. Each time the classifier sees a spam message it correctly identified, the spam probabilities for the tokens in that message get reinforced. Each time it encounters a new spam technique — a new phrase, a new obfuscation pattern, a new sending behavior — and gets correctly labeled through user feedback or automated analysis, those tokens enter the model.
This is the structural advantage that a well-trained production filter has over a freshly deployed one: years of signal. A filter that has processed hundreds of millions of messages across thousands of domains has seen virtually every spam technique in active use. Its token probability database is rich enough that novel spam campaigns — which typically rely on known tactics in new combinations — get caught on the first message, because the individual tokens are already well-characterized.
The improvement curve is not linear. Early in a filter's life, accuracy improves rapidly with each new training example. As the model matures, each incremental example contributes less — you're filling in the margins of an already comprehensive picture. This is why Indition Spam Killer requires a minimum of 50 spam and 50 ham samples before activating the Bayesian classifier for a new domain: below that threshold, the model doesn't have enough signal to make reliable predictions, and defaulting to heuristics produces fewer errors than an undertrained classifier.
What Makes Good Training Data
The quality of training data matters as much as the quantity. A well-trained Bayesian model needs:
Balance between spam and ham samples. A model trained on 10,000 spam messages and 50 ham messages learns to distrust nearly everything. The classifier's prior probability gets skewed toward spam, and legitimate mail starts scoring higher than it should. Aim for a ratio no worse than 3:1 in either direction; 1:1 is ideal during initial training.
Recency. Spam techniques evolve constantly. A training corpus that's two years old contains patterns for campaigns that no longer exist, while missing the patterns for current ones. Periodic retraining on recent mail — or a system that continuously incorporates new labeled examples — keeps the model current.
Domain relevance. Generic spam corpora (like the Enron dataset used in academic research) are useful for bootstrapping but not for production use at a specific domain. Your spam looks different from a public benchmark dataset's spam, and your legitimate mail looks very different. The more domain-specific your training data, the more accurately the model reflects your actual mail environment.
Clean labels. Garbage in, garbage out. If ham messages accidentally end up in the spam training set — or vice versa — the model learns contradictory signal and its accuracy degrades. The most common source of label corruption is over-eager bulk import of "everything in the Junk folder," which often includes mail the user manually moved there that isn't actually spam.
How Bayesian Scoring Combines with Other Signals
A pure Bayesian classifier operating in isolation is powerful but not sufficient. Spammers know how Bayesian filters work and actively try to defeat them — by including random legitimate-looking text, by rotating vocabulary, by embedding the message in images, or by keeping the body too short to score reliably.
This is why production filters combine Bayesian scoring with other signals:
- Authentication scoring: Does the message pass SPF, DKIM, and DMARC? A message that fails authentication gets a score penalty before the Bayesian analysis even runs.
- Sending IP reputation: Is the sending IP on known blocklists? Has it been observed sending spam to other domains on the service? Reputation signals can short-circuit the process entirely for well-known bad senders.
- Heuristic rules: Pattern-matching rules catch techniques that are hard to express statistically — specific header anomalies, obfuscation patterns, phishing URL structures.
- Rate and behavior signals: Is this the first message from this sender, or the thousandth in the last hour? Sudden high-volume sending from an address that's never sent before is a strong signal regardless of content.
The Bayesian score is one component in a weighted composite. Indition Spam Killer computes a final spam score by combining all of these signals, with weights adjusted based on which combination of signals is most predictive for the message's apparent type. A message that fails authentication, comes from a known-bad IP, and scores highly on Bayesian analysis is almost certainly spam. A message that passes authentication and comes from a known-good IP but scores moderately on Bayesian — a newsletter with promotional language from a legitimate sender — gets the benefit of the doubt.
The result is a system that's genuinely adaptive: harder to fool with any single technique, increasingly accurate as it accumulates signal, and capable of recognizing entirely new spam campaigns as variations on known patterns rather than starting from scratch every time.