SpamAssassin - make a rule that adds a score EVERY occurrence?

Discussion in 'Mail Server Support' started by Andy Newby, Mar 8, 2017.

  1. Andy Newby

    Andy Newby New Email

    Joined:
    Feb 21, 2017
    Messages:
    8
    Likes Received:
    1
    Hi,

    I'm trying to write a rule that will add 2 to the overall spam score for EVERY occurrence of a phrase in the body. So I have this, and that works (once);

    Code:
    body LOCAL_CLICKHERE_RULE   /Click here/i
    score LOCAL_CLICKHERE_RULE 2
    describe LOCAL_CLICKHERE_RULE       click here filter

    However, if they have "click here" in the email 10 times, it only ever allocates a boost of 2 to the overall score. I assume there is a way to compound the scoring of specific rules? (as some are more spammy than others, so would need more points added every occurrence)

    Thanks!

    Andy
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    9,085
    Likes Received:
    128
    Hi Andy,

    I'm not aware of compound scoring being a feature of SpamAssassin rule sets. I checked the rules documentation and don't see it mentioned there either. I recommend joining and posting your questions to the SpamAssassin Users mailing list - MailingLists - Spamassassin Wiki. I suspect they'll say it's not possible, but it can't hurt to ask.
     

  3. Andy Newby

    Thanks - will give that a go :) Seems a bit odd if it's not an option, as you get lots of emails that have repetitive strings like "click here" or "view online", that you would really want to count each time (especially in the cases where they are really overusing them!)

    Cheers

    Andy
     
  4. popowich

    Hi Andy, I've generally found that the default scoring for rules works well. I haven't needed to create a compound scoring rule because if an email has a spammy characteristic such as "click here", if it's really a spam then there are several other rules also triggering and adding to the overall score. Most often there is a specific phrase or an RBL that goes out of service and needs to be set to 0 if I need to make an adjustment to the actual rules & scoring.
     
  5. Andy Newby

    Hi,

    Thanks. I'm still a bit new to configuring all of this (normally I've had it done automatically on a managed server). I've currently got the following setup:

    blacklist_from *@*.stream
    blacklist_from *@*.link
    blacklist_from *@*.click
    blacklist_from *@*.science
    blacklist_from *@*.study
    blacklist_from *@*.download
    blacklist_from *@*.top
    blacklist_from *@*.accountant
    blacklist_from *@*.date
    blacklist_from *@*.review
    blacklist_from *@*.win
    blacklist_from *@*.gdn
    blacklist_from *@*.date
    blacklist_from *@*.cricket
    blacklist_from *@*.xyz
    blacklist_from *@*.ninja
    blacklist_from *@*.academy
    blacklist_from *@*.aaa
    blacklist_from *@*.accenture
    blacklist_from *@*.accountant
    blacklist_from *@*.accountants
    blacklist_from *@*.active
    blacklist_from *@*.actor
    blacklist_from *@*.bid
    blacklist_from *@*.faith
    blacklist_from *@*reserverchic.com

    body LOCAL_MARIJUANA_RULE /Marijuana/i
    score LOCAL_MARIJUANA_RULE 4
    describe LOCAL_MARIJUANA_RULE Marijuana spam filters

    body LOCAL_LOTTERY_RULE /Lottery/i
    score LOCAL_LOTTERY_RULE 4
    describe LOCAL_LOTTERY_RULE Lottery spam filters

    # "from" is not a SpamAssassin rule type; test the From header with a header rule
    header LOCAL_FROM_BOUNCES_RULE From =~ /\@bounces\./i
    score LOCAL_FROM_BOUNCES_RULE 4
    describe LOCAL_FROM_BOUNCES_RULE bounce email spam filters

    body LOCAL_BITLY_RULE /bit\.ly/i
    score LOCAL_BITLY_RULE 4
    describe LOCAL_BITLY_RULE Bit.ly spam filters

    body LOCAL_CLICK_HERE_RULE1 /cliquez ici/i
    score LOCAL_CLICK_HERE_RULE1 3
    describe LOCAL_CLICK_HERE_RULE1 Cliiqueze ico spam filters

    body LOCAL_IFCANNOT_RULE /Si vous ne parvenez pas/i
    score LOCAL_IFCANNOT_RULE 2
    describe LOCAL_IFCANNOT_RULE If you can not spam filters

    body LOCAL_CLICK_HERE_RULE2 /click here/i
    score LOCAL_CLICK_HERE_RULE2 2
    describe LOCAL_CLICK_HERE_RULE2 Click here spam filters

    body LOCAL_VER_ONLINE_RULE /consultez la version|voir la version en ligne|consultez-la en ligne|version en ligne/i
    score LOCAL_VER_ONLINE_RULE 2
    describe LOCAL_VER_ONLINE_RULE Version online spam filters

    header LR_SUBJECT_VERY_LONG Subject =~ /.{200}/
    describe LR_SUBJECT_VERY_LONG Subject contains a lot of characters
    score LR_SUBJECT_VERY_LONG 1.5

    header LR_SUBJECT_ANDY Subject =~ /^andy/i
    describe LR_SUBJECT_ANDY Subject: starts with Andy
    score LR_SUBJECT_ANDY 1

    uri LR_URI_NUMERIC_ENDING m|^https?://.+?\d{4,}$|i
    describe LR_URI_NUMERIC_ENDING Ends in a number of at least 4 digits
    score LR_URI_NUMERIC_ENDING 1

    body LOCAL_GO_THIS_PAGE_RULE /rendez-vous sur cette page/i
    score LOCAL_GO_THIS_PAGE_RULE 2
    describe LOCAL_GO_THIS_PAGE_RULE Go to this page spam filters

    uri LR_URI_LC_SUB m|^https?://lc\.|i
    describe LR_URI_LC_SUB Has lc as subdomain
    score LR_URI_LC_SUB 1


    Are there any other obvious ones you would suggest adding? I'm all for the system like Spamhaus to pick up as many of them as possible, but we still seem to get quite a few that get through :(

    Cheers

    Andy
     
  6. popowich

    Hi Andy,

    That seems like overkill and not the most efficient approach. What do you have the default scoring set to? Check the matched hits on the spams that are getting through. Is there an existing rule that's frequently triggering that you can increase the scoring on? Adding a lot of extra rules with the pattern matching can eventually lead to CPU resource problems on your server.
     
  7. Andy Newby

    Hi,

    haha well I'm up for the best approach =)

    Oh, and FYI I found out what you do to catch multiple occurrences:

    Code:
    body LOCAL_CLICK_HERE_RULE1   /cliquez[\- ]ici/i
    tflags   LOCAL_CLICK_HERE_RULE1 multiple maxhits=10
    score LOCAL_CLICK_HERE_RULE1 1
    describe LOCAL_CLICK_HERE_RULE1       Cliiqueze ico spam filters

    In a test case where it existed a lot in the emails, it now correctly gives:

    Code:
    Content analysis details:   (7.0 points, 4.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist
                                [URIs: top-bonsplans.com]
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See
                                http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                 for more information.
                                [URIs: top-bonsplans.com]
    -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                                [89.248.214.248 listed in wl.mailspike.net]
    -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                                trust
                                [89.248.214.248 listed in list.dnswl.org]
     1.0 LOCAL_CLICK_HERE_RULE1 BODY: Cliiqueze ico spam filters
     1.0 LOCAL_CLICK_HERE_RULE1 BODY: Cliiqueze ico spam filters
     1.0 LOCAL_CLICK_HERE_RULE1 BODY: Cliiqueze ico spam filters
     1.0 LR_URI_NUMERIC_ENDING  URI: Ends in a number of at least 4 digits
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                [score: 0.0000]
     0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
     0.0 HTML_MESSAGE           BODY: HTML included in message
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                                domain
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
     1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                                above 50%
                                [cf: 100]
     0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
     0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                                [cf: 100]
    

    The current setting is 4. Unfortunately a *lot* was still getting through:

    Code:
    Return-Path: <ha2taljvg4wtenjxguyda@e.enquete-famille.fr>
    X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on francecom
    X-Spam-Level:
    X-Spam-Status: No, score=-1.0 required=4.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,LR_URI_NUMERIC_ENDING,RCVD_IN_MSPIKE_H4,
        RCVD_IN_MSPIKE_WL,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.1
    Delivered-To: andy@mydomain.com
    Received: from localhost (localhost [127.0.0.1])
        by mail.chambresdhote.net (Postfix) with ESMTP id 2F40D42ECF
        for <andy@mydomain.com>; Wed,  8 Mar 2017 13:54:45 +0000 (UTC)
    Received: from mail.chambresdhote.net ([127.0.0.1])
        by localhost (mail.chambresdhote.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id CLH18LzYGgre for <andy@mydomain.com>;
        Wed,  8 Mar 2017 13:54:45 +0000 (UTC)
    Received: from regiesmtp1101-1.odiso.net (regiesmtp1101-1.odiso.net [89.248.218.221])
        by mail.chambresdhote.net (Postfix) with ESMTP id 0A0AF3EA2E
        for <andy@mydomain.com>; Wed,  8 Mar 2017 13:54:45 +0000 (UTC)
    Message-Id: <1488981284.ha2taljvg4wtenjxguyda@e.enquete-famille.fr>
    Feedback-Id: 1048:850
    Dkim-Signature: v=1; a=rsa-sha1; c=relaxed; d=e.enquete-famille.fr; h=message-id:list-unsubscribe:from:to:reply-to:content-type:subject:content-transfer-encoding:mime-version:date; s=selector1; bh=HE6o/4+TA8Y+bBfjETPn9Ck2YjY=; b=IpqFLzA6o5sogEPxVgmmNQn48RpElLxcqWiEoHcfmtHPm8sHaBhZaduXKwDUisoUNRnCJ/ebPITSw2/gP7JNKe+FZZ7uOxEqZprVqsOKDczGbPNY9V0l1NcJf/xdmGlaueKNyPmOHFJ4Yp3/NHAHjSEPwPCmFL5I+/g1E/u4adU=
    List-Unsubscribe: <mailto:ha2taljvg4wtenjxguyda@lu.e.enquete-famille.fr>
    Precedence: bulk
    From: "MAAF - MC" <newsletter@e.enquete-famille.fr>
    To: andy@mydomain.com
    Reply-To: newsletter@e.enquete-famille.fr
    Content-Type: multipart/alternative; boundary="_----------=_148898128472591"
    Subject: 2 mois gratuits sur votre nouveau contrat assurance auto
    Content-Transfer-Encoding: binary
    MIME-Version: 1.0
    X-Mailer: MIME::Lite 3.028 (F2.82; T1.35; A2.09; B3.13; Q3.13)
    Date: Wed, 8 Mar 2017 14:54:44 +0100
    


    As you can see, that one only had a -1 score, when it really is crap spam (I get tons of emails from these guys). Maybe I've missed something to pick on those types?

    Cheers

    Andy
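
The hit counting from `tflags ... multiple maxhits=N` in the last post can also feed tiered `meta` rules, so a single mention costs little while heavy repetition costs more. This is an added example, not part of the original thread; the rule names, thresholds and scores are assumptions chosen for illustration.

```conf
# Added example: rule names, thresholds and scores are illustrative assumptions.

# Unscored sub-rule: the "__" prefix keeps it out of the report and the total.
# "multiple" makes SpamAssassin keep counting hits instead of stopping at the
# first one; "maxhits=6" stops the scan once the highest threshold used below
# is reached, so very long messages do not cost extra regex work.
body     __LOCAL_CLICK_HERE_CNT   /\b(?:click here|cliquez[- ]ici)\b/i
tflags   __LOCAL_CLICK_HERE_CNT   multiple maxhits=6

# Tier 1: a single mention is common in legitimate newsletters.
meta     LOCAL_CLICK_HERE_ONCE    (__LOCAL_CLICK_HERE_CNT >= 1)
score    LOCAL_CLICK_HERE_ONCE    0.5
describe LOCAL_CLICK_HERE_ONCE    Body contains a click-here phrase

# Tier 2: three or more mentions.
meta     LOCAL_CLICK_HERE_MANY    (__LOCAL_CLICK_HERE_CNT >= 3)
score    LOCAL_CLICK_HERE_MANY    1.5
describe LOCAL_CLICK_HERE_MANY    Body repeats a click-here phrase 3+ times

# Tier 3: six or more mentions (equal to maxhits, so counting stops here).
meta     LOCAL_CLICK_HERE_FLOOD   (__LOCAL_CLICK_HERE_CNT >= 6)
score    LOCAL_CLICK_HERE_FLOOD   2.0
describe LOCAL_CLICK_HERE_FLOOD   Body repeats a click-here phrase 6+ times

# The tiers are cumulative: a message with six hits fires all three rules
# for 0.5 + 1.5 + 2.0 = 4.0 points, while a message with one hit gets 0.5.
```

Run `spamassassin --lint` after editing the rules file, then `spamassassin -t < message.eml` on a saved message to see which tiers fire in the content analysis report.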
     
