Examples of SpamAssassin Rule Actions

Richard Mealing richard at fastnet.co.uk
Fri Oct 9 10:30:10 IST 2009

>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>Sent: 24 September 2009 09:23
>To: MailScanner discussion
>Subject: Re: Examples of SpamAssassin Rule Actions
>On 24/09/2009 09:08, Michael Mansour wrote:
>> Hi,
>> I have a requirement to consider spam which scores under the high scoring spam threshold for an individual, to consider that message high scoring spam.
>> I have looked at the "SpamAssassin Rule Actions" setting and there are examples of:
>> "
>> # You can also trigger actions on the spam score of the message. You can
>> # compare the spam score with a number and cause this to trigger an action.
>> # For example, instead of a SA_RULENAME you can specify
>> # SpamScore>number or SpamScore>=number or SpamScore==number or
>> # SpamScore<number or SpamScore<=number
>> # where "number" is the threshold value you are comparing it against.
>> # So you could have a rule/action pair that looks like
>> #                  SpamScore>25=>delete
>> # This would cause all messages with a total spam score of more than 25 to be
>> # deleted. You can use this to implement multiple levels of spam actions in
>> # addition to the normal spam actions and the high-scoring spam actions.
>> #
>> # Combining this with a ruleset makes it even more powerful, as different
>> # recipients and/or senders can have different sets of rules applied to them.
>> "
>> But no example of how to actually say:
>> "if SpamScore>9=>quarantine for To address of blah at blah.com"
>> Are there more details I can find anywhere on the wiki or anywhere else on how I can set up the above?
>You first need a ruleset to apply the action to just blah at blah.com. So set
>
>    SpamAssassin Rule Actions = %rules-dir%/spam.rule.actions.rules
>
>Then in /etc/MailScanner/rules/spam.rule.actions.rules put this
>
>    To: blah at blah.com SpamScore>9=>store,not-deliver
>    FromOrTo: default deliver
>
>That should do the trick. Do you understand it?
>Julian Field MEng CITP CEng


I was wondering if someone could give me some help on setting up a ruleset for this - 

# Some virus scanners now use their signatures to detect spam as well as
# viruses. These "viruses" are called "spam-viruses". When they are found
# the following header will be added to your message before it is passed to
# SpamAssassin, listing all the "spam-viruses" that were found as a comma-
# separated list.
# This can also be the filename of a ruleset.

For example, I would like to create individual scores for all the different rules in a database (this is one of them) - 
Sanesecurity.Doc                #Fake phishing documents
Sanesecurity.Fake               #Fake emails from companies/spear phishing
Sanesecurity.Phishing.Auction   #Phishing emails from Ebay
Sanesecurity.Phishing.Azon      #Phishing emails from Amazon
Sanesecurity.Phishing.Bank      #Phishing emails from Banks
Sanesecurity.Phishing.Card      #Phishing Postcards
Sanesecurity.Phishing.Cur       #Simple phishing heuristics based on headers/urls and content
Sanesecurity.Phishing.Dca       #Html based doubleclick revenue link
Sanesecurity.Phishing.Fake      #Fake emails from companies/spear phishing
Sanesecurity.Phishing.GiftCard  #Phishing Postcards
Sanesecurity.Phishing.Hex       #Simple Heuristics based hex urls
Sanesecurity.Phishing.Ivt       #Html based invalid tags
Sanesecurity.Phishing.Jsc       #Html based
Sanesecurity.Phishing.Nam       #Html based common fake html editor
Sanesecurity.Phishing.Onf       #Html based
Sanesecurity.Phishing.Pay       #Phishing emails from PayPal
Sanesecurity.Phishing.Rdi       #Phishing redirects
Sanesecurity.Phishing.Rock      #Phishing emails generated with the rockfish toolkit
Sanesecurity.Phishing.RockGen   #Phishing emails generated with the rockfish toolkit
Sanesecurity.Phishing.Shop      #Phishing emails for shops
Sanesecurity.Phishing.Slw       #Html based
Sanesecurity.Phishing.Url       #Url based phishing detection
Sanesecurity.Phishing.Wrd       #Fake phishing documents
Sanesecurity.PhishingTestSig    #Sanesecurity Test Signature
TestSig_Type3_Bdy               #Sanesecurity Test Signature
TestSig_Type4_Bdy               #Sanesecurity Test Signature
TestSig_Type4_Hdr               #Sanesecurity Test Signature

... Instead of just 1 score for the entire thing. I've tried a few different ways but I'm not really sure how to do it. If anyone could give me some pointers that would be great.

Thanks very much,
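
Added example, not part of the original post and not MailScanner or Sanesecurity code: one way to score each signature family separately is one SpamAssassin header rule per name, matched against the spam-virus header the quoted comment describes. The header name, rule names, scores and sample header value below are assumptions constructed for illustration; the boundary checks in the pattern keep Sanesecurity.Phishing.Rock from also firing on RockGen.

```python
import re

# Assumption: the header name set in MailScanner's spam-virus header option.
HEADER = "X-Example-MailScanner-SpamVirus-Report"

# Constructed scores for a few of the signature families listed above.
SCORES = {
    "Sanesecurity.Phishing.Rock": 3.0,
    "Sanesecurity.Phishing.RockGen": 3.5,
    "Sanesecurity.Phishing.Bank": 4.0,
    "Sanesecurity.Phishing.Hex": 1.5,
    "Sanesecurity.Doc": 2.5,
}

def rule_name(sig):
    """Hypothetical naming scheme: SV_ plus the signature minus its vendor prefix."""
    tail = sig.split(".", 1)[-1]
    return "SV_" + re.sub(r"[^A-Za-z0-9]+", "_", tail).upper()

def pattern(sig):
    """Match sig as a whole name component inside a comma-separated list."""
    # Lookbehind: start of value, whitespace or comma before the name.
    # Lookahead: end of value, '.', ',' or whitespace after it.
    return r"(?<![^\s,])" + re.escape(sig) + r"(?![^.,\s])"

def sa_rules(scores, header=HEADER):
    """Emit SpamAssassin header/describe/score lines, one rule per signature."""
    lines = []
    for sig, score in sorted(scores.items()):
        name = rule_name(sig)
        lines += [
            f"header   {name} {header} =~ /{pattern(sig)}/",
            f"describe {name} Spam-virus signature {sig}",
            f"score    {name} {score}",
        ]
    return "\n".join(lines)

def score_header(value, scores):
    """Simulate which generated rules fire on one header value."""
    hits = {s: v for s, v in scores.items() if re.search(pattern(s), value)}
    return hits, sum(hits.values())

if __name__ == "__main__":
    print(sa_rules(SCORES))
    # Constructed header value with two detections.
    sample = ("Sanesecurity.Phishing.RockGen.77.UNOFFICIAL, "
              "Sanesecurity.Phishing.Bank.1234.UNOFFICIAL")
    print(score_header(sample, SCORES))
```

The generated lines go in a SpamAssassin local rules file; run `spamassassin --lint` after adding them.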
