Which SA rule set considered "Best Practice"?

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Mon Feb 23 10:35:48 GMT 2004

I'd add Chris Santerre's BigEvil rule and Jennifer's Backhair to the list:


My experience has been that it is worth examining the spam which gets
through and finding rules to clobber it.

If you have MS Exchange as your backend mail system it's nigh impossible (to
train users) to feed stuff back from exchange to spamassassin in a reliable

My favourite rule is simple, obvious, but only works in countries where the
dollar isn't the local currency:

header   WRONGCURRENCY  Subject =~ /\$|dollar/i
describe WRONGCURRENCY  Wrong currency - dollar in subject
score    WRONGCURRENCY  4.0

We had a load of spams a while back which matched this:

header  TO_MEET         Subject =~ /(wants? to (meet|talk to) you|lets meet
describe TO_MEET        A spammer wants to meet you
score   TO_MEET         3.5

If you do RBL lookups within spamassassin, these might be useful:

header  RCVD_IN_BNBL    eval:check_rbl('bnbl', 'bl.blueshore.net.')
describe RCVD_IN_BNBL   Listed by BNBL
tflags  RCVD_IN_BNBL    net
score   RCVD_IN_BNBL    2.0

header  RCVD_IN_PSBL    eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL   Listed by PSBL (surriel.com)
tflags  RCVD_IN_PSBL    net
score   RCVD_IN_PSBL    2.0

header  RCVD_IN_SXBL    eval:check_rbl('sxbl', 'xbl.spamhaus.org.')
describe RCVD_IN_SXBL   Listed by SXBL (spamhaus.org)
tflags  RCVD_IN_SXBL    net
score   RCVD_IN_SXBL    2.0



Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Matt Kettler
> Sent: 21 February 2004 00:11
> Subject: Re: Which SA rule set considered "Best Practice"?
> At 06:37 PM 2/20/2004, Michael St. Laurent wrote:
> >We're still getting more spam slipping through than I would
> like and was
> >wondering which of the additional rule sets are recommended.
>  I've installed
> >the fetch scripts for both the bigevil and backhair rule sets so far.
> >
> >Suggestions please?
> Disclaimer of bias: I'm one of the add-on ruleset writers... I wrote
> antidrug.cf.
> Personally I think your best bet prior to using add on
> rulesets is to get
> all of the features of the default SA system working well.
>          1) Enable DNSBLs by installing Net::DNS.
>          2) Enable bayes by feeding sa-learn.. Feed it well,
> and feed it
> often. Mine gets fed a diet of about 100 fresh spams/day and about 20
> nonspams/day. A good regiment of feeding bayes with input
> from spamtraps
> and such is very helpful.
>          3) Consider installing DCC.. DCC works pretty well
> and is pretty
> lightweight. Razor is more accurate, but seems prone to more
> network timeouts.
> As for add-on rules, I don't use that many, despite being a
> add-on set writer.
>   "Best practice" would be to be very cautious when using
> them, and test
> them out with very low scores to start.
> If you want to know what I'm using:
> Obviously I use my own antidrug.cf, but that's mostly done as
> a giant rude
> gesture in the direction of the pill spammers who have been
> so aggressive
> lately. I also use a pair of rules which is a collapsed
> version of Jen's
> popcorn.cf.
>          describe LOCAL_POPCORN  1-5 letters - hidden tag -
> 1-7 letters
>          rawbody     LOCAL_POPCORN  /[>\s]\w{1,5}<\![^>]*>\w{1,7}\W/i
>          describe LOCAL_POPCORN2  1-5 letters - hidden tag -
> 1-7 letters
>          rawbody     LOCAL_POPCORN2
> /[>\s]\w{1,5}<\/\w{2,10}>\w{1,7}\b/i
> I also find this useful:
>          body LOCAL_MEDS /\bmed[sz]\b/i
> and this:
>          body BODY_RND_GENERATOR
> And that's about it.. other than a bunch of goofball test
> rules floating
> around. I've also been playing with the FVGT_s_OBFU_* rules.
> The SA wiki has a pretty comprehensive list of the add-on
> sets if you need
> a list of them. Just remember, when in doubt, test with low scores!
> http://wiki.spamassassin.org/w/CustomRulesets

More information about the MailScanner mailing list