Examples of SpamAssassin Rule Actions

Julian Field MailScanner at ecs.soton.ac.uk
Fri Oct 9 11:20:19 IST 2009



On 09/10/2009 10:30, Richard Mealing wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: 24 September 2009 09:23
>> To: MailScanner discussion
>> Subject: Re: Examples of SpamAssassin Rule Actions
>>
>>
>>
>> On 24/09/2009 09:08, Michael Mansour wrote:
>>      
>>> Hi,
>>>
>>> I have a requirement for spam which scores under the high scoring spam threshold for an individual to be considered high scoring spam.
>>>
>>> I have looked at the "SpamAssassin Rule Actions" setting and there are examples of:
>>>
>>> "
>>> # You can also trigger actions on the spam score of the message. You can
>>> # compare the spam score with a number and cause this to trigger an action.
>>> # For example, instead of a SA_RULENAME you can specify
>>> # SpamScore>number or SpamScore>=number or SpamScore==number or
>>> # SpamScore<number or SpamScore<=number
>>> # where "number" is the threshold value you are comparing it against.
>>> # So you could have a rule/action pair that looks like
>>> #                  SpamScore>25=>delete
>>> # This would cause all messages with a total spam score of more than 25 to be
>>> # deleted. You can use this to implement multiple levels of spam actions in
>>> # addition to the normal spam actions and the high-scoring spam actions.
>>> #
>>> # Combining this with a ruleset makes it even more powerful, as different
>>> # recipients and/or senders can have different sets of rules applied to them.
>>> "
>>>
>>> But no example of how to actually say:
>>>
>>> "if SpamScore>9=>quarantine for To address of blah@blah.com"
>>>
>>> Are there more details I can find anywhere on the wiki or anywhere else on how I can set up the above?
>>>
>>>        
>> You first need a ruleset to apply the action to just blah@blah.com. So set
>> SpamAssassin Rule Actions = %rules-dir%/spam.rule.actions.rules
>>
>> Then in /etc/MailScanner/rules/spam.rule.actions.rules put this
>>
>> To: blah@blah.com SpamScore>9=>store,not-deliver
>> FromOrTo: default deliver
>>
>> That should do the trick. Do you understand it?
>>
>> Jules
>
> Hi,
>
> I was wondering if someone could give me some help on setting up a ruleset for this -
>
> # Some virus scanners now use their signatures to detect spam as well as
> # viruses. These "viruses" are called "spam-viruses". When they are found
> # the following header will be added to your message before it is passed to
> # SpamAssassin, listing all the "spam-viruses" that were found as a comma-
> # separated list.
> # This can also be the filename of a ruleset.
>
> For example, I would like to create individual scores for all the different rules in a database (this is one of them) -
> Sanesecurity.Doc                #Fake phishing documents
> Sanesecurity.Fake               #Fake emails from companies/spear phishing
> Sanesecurity.Phishing.Auction   #Phishing emails from Ebay
> Sanesecurity.Phishing.Azon      #Phishing emails from Amazon
> Sanesecurity.Phishing.Bank      #Phishing emails from Banks
> Sanesecurity.Phishing.Card      #Phishing Postcards
> Sanesecurity.Phishing.Cur       #Simple phishing heuristics based on headers/urls and content
> Sanesecurity.Phishing.Dca       #Html based doubleclick revenue link
> Sanesecurity.Phishing.Fake      #Fake emails from companies/spear phishing
> Sanesecurity.Phishing.GiftCard  #Phishing Postcards
> Sanesecurity.Phishing.Hex       #Simple Heuristics based hex urls
> Sanesecurity.Phishing.Ivt       #Html based invalid tags
> Sanesecurity.Phishing.Jsc       #Html based
> Sanesecurity.Phishing.Nam       #Html based common fake html editor
> Sanesecurity.Phishing.Onf       #Html based
> Sanesecurity.Phishing.Pay       #Phishing emails from PayPal
> Sanesecurity.Phishing.Rdi       #Phishing redirects
> Sanesecurity.Phishing.Rock      #Phishing emails generated with the rockfish toolkit
> Sanesecurity.Phishing.RockGen   #Phishing emails generated with the rockfish toolkit
> Sanesecurity.Phishing.Shop      #Phishing emails for shops
> Sanesecurity.Phishing.Slw       #Html based
> Sanesecurity.Phishing.Url       #Url based phishing detection
> Sanesecurity.Phishing.Wrd       #Fake phishing documents
> Sanesecurity.PhishingTestSig    #Sanesecurity Test Signature
> TestSig_Type3_Bdy               #Sanesecurity Test Signature
> TestSig_Type4_Bdy               #Sanesecurity Test Signature
> TestSig_Type4_Hdr               #Sanesecurity Test Signature
>
>
> ... Instead of just 1 score for the entire thing. I've tried a few different ways but I'm not really sure how to do it. If anyone could give me some pointers that would be great.
>    
The key is that they need to be *SpamAssassin* rules, not MailScanner ones.

In your /etc/MailScanner/spam.assassin.prefs.conf, put something like this:

# One header rule per spam-virus name, each with its own score
header SPAMVIRUS1 X-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Doc/i
header SPAMVIRUS2 X-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Fake/i
header SPAMVIRUS3 X-MailScanner-SpamVirus-Report =~ /SaneSecurity\.Phishing\.Hex/i
score SPAMVIRUS1 2.0
score SPAMVIRUS2 2.1
score SPAMVIRUS3 2.5

and so on.
Then restart MailScanner.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
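
Added example (not part of the original post or of MailScanner): a Python generator for the per-signature header/score rules described above, with each name escaped and bounded so that Sanesecurity.Phishing.Rock does not also fire on Sanesecurity.Phishing.RockGen. The scores, the SPAMVIRUSn numbering and the sample header value are constructed, and the header is assumed to carry full signature names, possibly with dotted suffixes, as a comma-separated list.

```python
import re

# Constructed sample: signature family -> score (illustrative values only).
FAMILY_SCORES = {
    "Sanesecurity.Doc": 2.0,
    "Sanesecurity.Fake": 2.1,
    "Sanesecurity.Phishing.Hex": 2.5,
    "Sanesecurity.Phishing.Rock": 3.0,
    "Sanesecurity.Phishing.RockGen": 1.5,
}
HEADER = "X-MailScanner-SpamVirus-Report"  # header name as written in the post


def family_pattern(family):
    """Regex body matching `family` as a whole name or dotted prefix in the list."""
    # Left boundary: start of value, whitespace or comma.
    # Right boundary: '.', ',', whitespace or end, so Rock does not match RockGen.
    return r"(?:^|[\s,])" + re.escape(family) + r"(?=[.,\s]|$)"


def build_rules(scores, header=HEADER):
    """Return spam.assassin.prefs.conf lines: header, describe and score per family."""
    lines = []
    for n, (family, score) in enumerate(sorted(scores.items()), start=1):
        name = f"SPAMVIRUS{n}"
        lines.append(f"header {name} {header} =~ /{family_pattern(family)}/i")
        lines.append(f"describe {name} Spam-virus family {family}")
        lines.append(f"score {name} {score}")
    return lines


def families_hit(header_value, scores):
    """Families whose generated pattern matches a header value (checked with Python's re)."""
    return sorted(f for f in scores
                  if re.search(family_pattern(f), header_value, re.IGNORECASE))


if __name__ == "__main__":
    print("\n".join(build_rules(FAMILY_SCORES)))
    # Constructed header value, assumed format: comma-separated signature names.
    sample = "Sanesecurity.Phishing.RockGen.123.UNOFFICIAL, Sanesecurity.Doc.45"
    print(families_hit(sample, FAMILY_SCORES))
```

Append the generated lines to /etc/MailScanner/spam.assassin.prefs.conf and restart MailScanner, as in the reply above.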