SpamAssassin - make a rule that adds a score EVERY occurrence?

Andy Newby

Valued Member
Hi,

I'm trying to write a rule that will add 2 to the overall spam score for EVERY occurrence of a phrase in the body. So I have this, and that works (once);

Code:
body LOCAL_CLICKHERE_RULE   /Click here/i
score LOCAL_CLICKHERE_RULE 2
describe LOCAL_CLICKHERE_RULE       click here filter

However, if they have "click here" in the email 10 times, it only ever allocates a boost of 2 to the overall score. I assume there is a way to compound the scoring of specific rules? (as some are more spammy than others, so would need more points added every occurrence)

Thanks!

Andy
 

EQ Admin

EQ Forum Admin
Staff member
Hi Andy,

I'm not aware of compound scoring being a feature of SpamAssassin rule sets. I checked the rules documentation and don't see it mentioned there either. I recommend joining and posting your questions to the SpamAssassin Users mailing list (MailingLists - SpamAssassin Wiki). I suspect they'll say it's not possible, but it can't hurt to ask.
 

Andy Newby

Valued Member
Thanks - will give that a go :) Seems a bit odd if it's not an option, as you get lots of emails that have repetitive strings like "click here" or "view online", that you would really want to count each time (especially in the cases where they are really overusing them!)

Cheers

Andy
 

EQ Admin

EQ Forum Admin
Staff member
Hi Andy, I've generally found that the default scoring for rules works well. I haven't needed to create a compound scoring rule because if an email has a spammy characteristic such as "click here", if it's really a spam then there are several other rules also triggering and adding to the overall score. Most often there is a specific phrase or an RBL that goes out of service and needs to be set to 0 if I need to make an adjustment to the actual rules & scoring.
 

Andy Newby

Valued Member
Hi,

Thanks. I'm still a bit new to configuring all of this (normally I've had it done automatically on a managed server). I've currently got the following setup:

Code:
blacklist_from *@*.stream
blacklist_from *@*.link
blacklist_from *@*.click
blacklist_from *@*.science
blacklist_from *@*.study
blacklist_from *@*.download
blacklist_from *@*.top
blacklist_from *@*.accountant
blacklist_from *@*.date
blacklist_from *@*.review
blacklist_from *@*.win
blacklist_from *@*.gdn
blacklist_from *@*.date
blacklist_from *@*.cricket
blacklist_from *@*.xyz
blacklist_from *@*.ninja
blacklist_from *@*.academy
blacklist_from *@*.aaa
blacklist_from *@*.accenture
blacklist_from *@*.accountant
blacklist_from *@*.accountants
blacklist_from *@*.active
blacklist_from *@*.actor
blacklist_from *@*.bid
blacklist_from *@*.faith
blacklist_from *@*reserverchic.com

body LOCAL_MARIJUANA_RULE /Marijuana/i
score LOCAL_MARIJUANA_RULE 4
describe LOCAL_MARIJUANA_RULE Marijuana spam filters

body LOCAL_LOTTERY_RULE /Lottery/i
score LOCAL_LOTTERY_RULE 4
describe LOCAL_LOTTERY_RULE Lottery spam filters

header LOCAL_FROM_BOUNCES_RULE From =~ /\@bounces\./i
score LOCAL_FROM_BOUNCES_RULE 4
describe LOCAL_FROM_BOUNCES_RULE bounce email spam filters

body LOCAL_BITLY_RULE /bit\.ly/i
score LOCAL_BITLY_RULE 4
describe LOCAL_BITLY_RULE Bit.ly spam filters

body LOCAL_CLICK_HERE_RULE1 /cliquez ici/i
score LOCAL_CLICK_HERE_RULE1 3
describe LOCAL_CLICK_HERE_RULE1 Cliiqueze ico spam filters

body LOCAL_IFCANNOT_RULE /Si vous ne parvenez pas/i
score LOCAL_IFCANNOT_RULE 2
describe LOCAL_IFCANNOT_RULE If you can not spam filters

body LOCAL_CLICK_HERE_RULE2 /click here/i
score LOCAL_CLICK_HERE_RULE2 2
describe LOCAL_CLICK_HERE_RULE2 Click here spam filters

body LOCAL_VER_ONLINE_RULE /consultez la version|voir la version en ligne|consultez-la en ligne|version en ligne/i
score LOCAL_VER_ONLINE_RULE 2
describe LOCAL_VER_ONLINE_RULE Version online spam filters

header LR_SUBJECT_VERY_LONG Subject =~ /.{200}/
describe LR_SUBJECT_VERY_LONG Subject contains a lot of characters
score LR_SUBJECT_VERY_LONG 1.5

header LR_SUBJECT_ANDY Subject =~ /^andy/i
describe LR_SUBJECT_ANDY Subject: starts with Andy
score LR_SUBJECT_ANDY 1

uri LR_URI_NUMERIC_ENDING m|^https?://.+?\d{4,}$|i
describe LR_URI_NUMERIC_ENDING Ends in a number of at least 4 digits
score LR_URI_NUMERIC_ENDING 1

body LOCAL_GO_THIS_PAGE_RULE /rendez-vous sur cette page/i
score LOCAL_GO_THIS_PAGE_RULE 2
describe LOCAL_GO_THIS_PAGE_RULE Go to this page spam filters

uri LR_URI_LC_SUB m|^https?://lc\.|i
describe LR_URI_LC_SUB Has lc as subdomain
score LR_URI_LC_SUB 1


Are there any other obvious ones you would suggest adding? I'm all for the system like SpamHaus to pick up as many of them as possible, but we still seem to get quite a few that get through :(

Cheers

Andy
 

EQ Admin

EQ Forum Admin
Staff member
Hi Andy,

That seems like overkill and not the most efficient approach. What do you have the default scoring set to? Check the matched hits on the spams that are getting through. Is there an existing rule that's frequently triggering that you can increase the scoring on? Adding a lot of extra rules with the pattern matching can eventually lead to CPU resource problems on your server.
 

Andy Newby

Valued Member
Hi,

haha well I'm up for the best approach =)

Oh, and FYI I found out what you do to catch multiple occurrences:

Code:
body LOCAL_CLICK_HERE_RULE1   /cliquez[\- ]ici/i
tflags   LOCAL_CLICK_HERE_RULE1 multiple maxhits=10
score LOCAL_CLICK_HERE_RULE1 1
describe LOCAL_CLICK_HERE_RULE1       Cliiqueze ico spam filters

In a test case where it existed a lot in the emails, it now correctly gives:

Code:
Content analysis details:   (7.0 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                            [URIs: top-bonsplans.com]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: top-bonsplans.com]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [89.248.214.248 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [89.248.214.248 listed in list.dnswl.org]
 1.0 LOCAL_CLICK_HERE_RULE1 BODY: Cliiqueze ico spam filters
 1.0 LOCAL_CLICK_HERE_RULE1 BODY: Cliiqueze ico spam filters
 1.0 LOCAL_CLICK_HERE_RULE1 BODY: Cliiqueze ico spam filters
 1.0 LR_URI_NUMERIC_ENDING  URI: Ends in a number of at least 4 digits
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]


What do you have the default scoring set to? Check the matched hits on the spams that are getting through. Is there an existing rule that's frequently triggering that you can increase the scoring on? Adding a lot of extra rules with the pattern matching can eventually lead to CPU resource problems on your server.

The current setting is 4. Unfortunately a *lot* was still getting through:

Code:
Return-Path: <ha2taljvg4wtenjxguyda@e.enquete-famille.fr>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on francecom
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=4.0 tests=BAYES_00,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,LR_URI_NUMERIC_ENDING,RCVD_IN_MSPIKE_H4,
    RCVD_IN_MSPIKE_WL,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.1
Delivered-To: andy@mydomain.com
Received: from localhost (localhost [127.0.0.1])
    by mail.chambresdhote.net (Postfix) with ESMTP id 2F40D42ECF
    for <andy@mydomain.com>; Wed,  8 Mar 2017 13:54:45 +0000 (UTC)
Received: from mail.chambresdhote.net ([127.0.0.1])
    by localhost (mail.chambresdhote.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id CLH18LzYGgre for <andy@mydomain.com>;
    Wed,  8 Mar 2017 13:54:45 +0000 (UTC)
Received: from regiesmtp1101-1.odiso.net (regiesmtp1101-1.odiso.net [89.248.218.221])
    by mail.chambresdhote.net (Postfix) with ESMTP id 0A0AF3EA2E
    for <andy@mydomain.com>; Wed,  8 Mar 2017 13:54:45 +0000 (UTC)
Message-Id: <1488981284.ha2taljvg4wtenjxguyda@e.enquete-famille.fr>
Feedback-Id: 1048:850
Dkim-Signature: v=1; a=rsa-sha1; c=relaxed; d=e.enquete-famille.fr; h=message-id:list-unsubscribe:from:to:reply-to:content-type:subject:content-transfer-encoding:mime-version:date; s=selector1; bh=HE6o/4+TA8Y+bBfjETPn9Ck2YjY=; b=IpqFLzA6o5sogEPxVgmmNQn48RpElLxcqWiEoHcfmtHPm8sHaBhZaduXKwDUisoUNRnCJ/ebPITSw2/gP7JNKe+FZZ7uOxEqZprVqsOKDczGbPNY9V0l1NcJf/xdmGlaueKNyPmOHFJ4Yp3/NHAHjSEPwPCmFL5I+/g1E/u4adU=
List-Unsubscribe: <mailto:ha2taljvg4wtenjxguyda@lu.e.enquete-famille.fr>
Precedence: bulk
From: "MAAF - MC" <newsletter@e.enquete-famille.fr>
To: andy@mydomain.com
Reply-To: newsletter@e.enquete-famille.fr
Content-Type: multipart/alternative; boundary="_----------=_148898128472591"
Subject: 2 mois gratuits sur votre nouveau contrat assurance auto
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.028 (F2.82; T1.35; A2.09; B3.13; Q3.13)
Date: Wed, 8 Mar 2017 14:54:44 +0100



As you can see, that one only had a -1 score, when it really is crap spam (I get tons of emails from these guys). Maybe I've missed something to pick on those types?

Cheers

Andy
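
Added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of how the two rules posted above score a message, showing the default single hit next to `tflags multiple maxhits=10`. It assumes the body is one plain string (real SpamAssassin matches body rules against rendered text in pieces); `RULES_CF`, `SAMPLE_BODY`, `parse_rules` and `evaluate` are names made up for this illustration.

```python
import re

# Constructed local.cf fragment: the two rules quoted in this thread.
RULES_CF = r"""
body   LOCAL_CLICKHERE_RULE    /Click here/i
score  LOCAL_CLICKHERE_RULE    2
body   LOCAL_CLICK_HERE_RULE1  /cliquez[\- ]ici/i
tflags LOCAL_CLICK_HERE_RULE1  multiple maxhits=10
score  LOCAL_CLICK_HERE_RULE1  1
"""

def parse_rules(text):
    """Collect regex, score and tflags for each rule name."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] not in ("body", "score", "tflags"):
            continue
        kind, name, value = parts
        rule = rules.setdefault(
            name, {"score": 1.0, "multiple": False, "maxhits": None})
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", value.strip())
            rule["regex"] = re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
        elif kind == "score":
            rule["score"] = float(value)
        else:  # tflags
            for flag in value.split():
                if flag == "multiple":
                    rule["multiple"] = True
                elif flag.startswith("maxhits="):
                    rule["maxhits"] = int(flag.split("=", 1)[1])
    return rules

def evaluate(rules, body):
    """Return ({rule: (hits, points)}, total) for one message body."""
    report, total = {}, 0.0
    for name, rule in rules.items():
        hits = sum(1 for _ in rule["regex"].finditer(body))
        if not rule["multiple"]:
            hits = min(hits, 1)                  # default: a rule counts once
        elif rule["maxhits"] is not None:
            hits = min(hits, rule["maxhits"])    # cap repeated hits
        if hits:
            report[name] = (hits, hits * rule["score"])
            total += hits * rule["score"]
    return report, total

# Constructed body: 10 x "Click here", 12 x "Cliquez ici".
SAMPLE_BODY = "Click here! " * 10 + "Cliquez ici. " * 12
```

The `maxhits` cap bounds how much a single repeated phrase can add, which matters when the spam threshold is as low as the 4.0 used in this thread.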
 