Spamassassin Custom Rulesets



I’m starting this post in part as a placeholder for some information I’ve come across. I’ve been tinkering with my first custom SpamAssassin rule. I’ve tried the SARE rulesets and they seem to be missing one specific class of junk mail in my setup. After verifying that the rulesets were actually being used, I set about trying to create my own rule to deal with the offending messages.


I found that it is amazingly simple at first blush to get a new rule going.

vi myrule.cf
header MY_LOCAL_SUBJECT_TEST Subject =~ /obviousspamword/i
score MY_LOCAL_SUBJECT_TEST 5.0

The above looks in the headers of the message and, if the Subject contains obviousspamword (the i makes the match case insensitive), adds 5 to the score. Among the warnings here: the way I’ve set this up, if “obviousspamword” is part of a “good” email word, then I’m in trouble. If I want to make sure that word breaks are observed and I only match obviousspamword and not obviousspamwordoftheday, then I need to have Subject =~ /\bobviousspamword\b/i

It’s possible to do a body search the same way

body MY_LOCAL_BODY_TEST /obviousspamword/i

Or, to draw from the SA rules howto:

In regular expressions a \b can be used to indicate where a word-break (anything that isn’t
an alphanumeric character or underscore) must exist for a match. Our rule above can be
made to not match “testing” or “attest” like so:

body LOCAL_DEMONSTRATION_RULE /\btest\b/

The rule can also be made case-insensitive by adding an i to the end, like this:

body LOCAL_DEMONSTRATION_RULE /\btest\b/i
score LOCAL_DEMONSTRATION_RULE 0.1

Now the rule will match any combination of upper or lower case that spells “test” surrounded
by word breaks of some form.

That’s all well and good, but what if we need fancier matching of terms? Usually just one word isn’t enough. The matches used above use Perl regex syntax, and more detailed examples of regexes can be found at the perldoc site.

Other examples can be found at www.exit0.us custom body tests and Rules basics at the exit0.us wiki

The first site you should look at IF you want to tweak spamassassin with new rulesets is rulesemporium.com. There are many good and useful sets there.

Here are a few other suggestions that I’ve come across for building a custom ruleset. Use lots of little rules that each add a small number of points instead of one big rule. Think of ALL the possible ways something MIGHT match (am I killing good mail with the bad?). Make some rules that give a negative value to the spam score. (If you’re a furniture shop, then messages with bed, couch, wood, etc. would lower the spam score.) Use an online corpus of known spam to test against. (Don’t try to feed the messages as new through a live mail system. There are other tools to test with…)
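An offline way to try these suggestions before touching a live system, as an added example that is not part of the original post and not SpamAssassin's own code: a small Python model that parses header/body/score lines and scores constructed messages. It assumes simple /pattern/ or /pattern/i rules, treats the raw payload as the body, and uses constructed scores plus a hypothetical MY_LOCAL_SHOP_HAM rule.

```python
import re
from email import message_from_string

# Constructed rule file in the post's style: small scores plus one negative rule.
RULES_CF = r"""
header MY_LOCAL_SUBJECT_TEST Subject =~ /\bobviousspamword\b/i
score  MY_LOCAL_SUBJECT_TEST 1.5
body   MY_LOCAL_BODY_TEST /\bobviousspamword\b/i
score  MY_LOCAL_BODY_TEST 1.0
body   MY_LOCAL_SHOP_HAM /\b(?:bed|couch|wood)\b/i
score  MY_LOCAL_SHOP_HAM -1.0
"""
# Constructed sample messages (one junk, one legitimate).
SPAM = "Subject: Get ObviousSpamWord now\n\nobviousspamword, cheap\n"
HAM = "Subject: obviousspamwordoftheday newsletter\n\nYour couch order has shipped.\n"

def _compile(expr):
    # Model limitation: only /pattern/ with an optional trailing i flag.
    m = re.fullmatch(r"/(.*)/(i?)", expr.strip())
    if not m:
        raise ValueError("unsupported pattern: " + expr)
    return re.compile(m.group(1), re.I if m.group(2) else 0)

def parse_rules(text):
    """Return {name: rule dict} built from header/body/score lines."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        if kind == "score":
            rules[name]["score"] = float(rest)  # score line must follow its rule
        elif kind == "header":
            hdr, expr = rest.split("=~", 1)
            rules[name] = {"header": hdr.strip(), "regex": _compile(expr), "score": 1.0}
        elif kind == "body":
            rules[name] = {"header": None, "regex": _compile(rest), "score": 1.0}
    return rules

def score_message(raw, rules):
    """Return (total score, sorted names of rules that hit) for one message."""
    msg = message_from_string(raw)
    hits = []
    for name, r in rules.items():
        text = msg.get(r["header"], "") if r["header"] else msg.get_payload()
        if r["regex"].search(text):
            hits.append(name)
    return sum(rules[n]["score"] for n in hits), sorted(hits)
```

Parsing the post's first rule (no \b, score 5.0) and scoring HAM with it shows the false positive the word-break version avoids.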

When you’ve made your rule, type spamassassin --lint -D to check that the rule is syntactically correct.

Finally, be conservative in your testing of custom rules; don’t be too ambitious. If you can get rid (or even increase the score) of one class of junk mail at a time, that should make for an improvement.
