The source code is available online and in pre-packaged versions. We set up a Fedora Core 2 server with sendmail and SpamAssassin. Once installed, we changed the global procmail configuration to ensure that all mail would be delivered through the filter.
That was easy. From there on, things were tougher. SpamAssassin works by comparing each message to a huge set of rules based on real-world spam. For each rule which matches, a score is incremented by a varying amount. After all the rules have been processed, if the final score exceeds a certain threshold, the mail is marked as spam and can be deleted, forwarded or modified.
SpamAssassin adds a custom header to each message to explain its score and which rules matched, which makes it easy to analyze the patterns of incoming messages.
Tweaking the filters is complex, as there are many rules and options. Configuration can be done system-wide or per user, though most environments will not have users operating Unix shells or able to construct custom mail filter configuration files! Even for experienced mail administrators, some of the complex options may be daunting.
The software integrates with some third-party services, such as RBLs and a community honeypot effort (called Vipul's Razor) which emulates the analysis of MSPs, aggregating reported spam from volunteers and maintaining a database of ongoing spam attacks.
Because of its open source nature, there is an extensive online community which has created a lot of documentation that varies in quality. The information is there but it sometimes takes work to find it. There are many adjunct projects which add to its functionality.
As a spam filter, SpamAssassin has excellent features and its performance is superb, but there is a steep learning curve involved. Even if you use another product, this is a great way to analyze your email traffic by running the software silently, tagging mail headers and keeping track of the scores.