Re: Custom SpamAssassin scores and rules [message #126084 is a reply to message #125903]
Tue, 01 December 2015 18:35
MarkK
Messages: 342 Registered: April 2007
New rule writing lesson:
We have been getting some spams that have what is probably a fake unsubscribe at the bottom, and the basic wording and layout is the same, but each is a little different. These have typically been the 'negative info on your credit report added' or 'Medicare enrollment info'. I say fake unsubscribe because the wording and format in that area contains a lot of dashes (-) and periods (.) between words.
Such as scan-ads scan.ads score-ads score.ads vacation-ads vacationads etc...
An easy way to match these varieties of word formats is to use the following in the SA rule:
scan(\S|)ads
The \S {MUST be a capital S} matches any character except for a SPACE.
The (\S|) indicates that we are using not only the \S to match a character, but to also include a 'no space'.
This means the following will match the rule:
scanads
scan-ads
scan.ads
scan_ads
BUT, this will NOT match "scan ads". This is a way to match words put together to fool spam filters, but words put together that may be used in a normal email.
This is easier than writing several matches for the different various characters that they may stick between the words.
If you wanted to match any character, no character, or a space, you could change that part to: (\S|| )
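
Added example (not part of the post above or of the attached rule file): a small Python harness that builds the `word(\S|)word` pattern for the word pairs listed in the post, renders it as rule-file lines, and reports what it fires on. The rule name LOCAL_JOINED_ADS, the score 2.5, the choice of a body rule and the sample lines are assumptions made up for illustration; Python's `re` treats `\S` and the empty alternative the same way for this pattern.

```python
import re

# Word pairs from the variants listed in the post.
WORD_PAIRS = [("scan", "ads"), ("score", "ads"), ("vacation", "ads")]

def joined(left, right, allow_space=False):
    """left + at most one separator character + right, as in the post."""
    sep = r"(\S|| )" if allow_space else r"(\S|)"
    return re.escape(left) + sep + re.escape(right)

def alternation(pairs, allow_space=False):
    return "|".join(joined(l, r, allow_space) for l, r in pairs)

def sa_rule(name, pairs, score):
    """Render rule-file lines; treating it as a body rule is an assumption."""
    return [
        f"body     {name} /(?:{alternation(pairs)})/i",
        f"describe {name} Joined ad words in unsubscribe footer",
        f"score    {name} {score}",
    ]

def hits(pairs, text, allow_space=False):
    """Return every substring of text the pattern would fire on."""
    rx = re.compile(alternation(pairs, allow_space), re.IGNORECASE)
    return [m.group(0) for m in rx.finditer(text)]

# Constructed sample lines, not taken from real mail.
SAMPLES = [
    "To stop: scan-ads scan.ads scan_ads scanads",  # all four variants hit
    "Please scan ads before printing",              # space: no hit
    "unsubscribe scan--ads",                        # two separators: no hit
    "see telescan.adslot for details",              # unanchored: hits inside longer words
]

if __name__ == "__main__":
    for line in sa_rule("LOCAL_JOINED_ADS", WORD_PAIRS, 2.5):
        print(line)
    for s in SAMPLES:
        print(f"{hits(WORD_PAIRS, s)!r:55} <- {s}")
```

The last two samples show the limits of the pattern: it allows only one separator character, and it is not anchored to word boundaries.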

Re: Custom SpamAssassin scores and rules [message #126793 is a reply to message #114168]
Thu, 31 December 2015 18:53
MarkK
Messages: 342 Registered: April 2007
As the year 2015 comes to an end, let's hope that the end of spam follows shortly. But in the meantime, I thought I would post the current spam assassin custom rule file that I am using.
DISCLAIMER: These are the rules that work for me. Depending on your industry and location in the world, these may need to be first altered for your use. Such as, I am in the USA so many of the foreign (to me) country domains are scored very heavy. So take some time to look through the rules before putting in place.
Suggestion to help spam assassin (whether you use this file or not).
Change the mailserver.cfg file to check larger sized messages (2048). The Default message size of 128 is too small. You will have to stop Connect and manually edit the file.
<table name="SpamFilter">
<variable name="MessageSizeLimit">2048</variable>
The file is attached. Happy Spam Hunting!

Re: Custom SpamAssassin scores and rules [message #127734 is a reply to message #114168]
Fri, 05 February 2016 20:01
barneyRubble
Messages: 30 Registered: July 2015 Location: 127.0.0.1
markk
huge thanks for this... has made a HUGE difference
do you update your file regularly & upload here?
i will go thru your great tutorial on writing/editing the file and attempt to catch the stuff that still seems to be getting thru (nurses, yachts, private jets to name but a few)
HUGE thanks again
barneyRubble

Re: Custom SpamAssassin scores and rules [message #127736 is a reply to message #127734]
Fri, 05 February 2016 21:07
MarkK
Messages: 342 Registered: April 2007
I have from time to time. Attached is the latest copy that I am using. DISCLAIMER: This works for me and my industry. Your mileage may vary, and you may need to remove / change some of the items in there for your successful usage.
Make sure that you have changed the Spam Assassin message size limit from the default (tiny) 128K to 2048, so that more messages are being processed. That could be why some of your jet plane and yacht spams are not getting caught. This is true whether you use additional rule files or just the default installed ones.
mailserver.cfg file
<table name="SpamFilter">
<variable name="MessageSizeLimit">2048</variable>
I haven't really had to make very many changes for a while. The occasional addition of another variation of the formatted "|scan(\S|)ads|" has been about all lately.
This thread has grown quite long, and there are additional how-to's in some of the later replies on how to do things or better do things than what was originally posted. So go through all of the posts and pull out the info. One of the best things on this was from someone else (sorry, don't remember who), but that was not having to actually restart Kerio Connect, but instead just turning off / turning on the spam assassin processing to get the new rules read in to memory. That only takes a few seconds, and there is no down time.
I argued this point a long time ago, but better spam blocking aids in better malware blocking - and vice versa. Block the bad stuff one way or another.

Re: Custom SpamAssassin scores and rules [message #129288 is a reply to message #126793]
Fri, 29 April 2016 12:47
barneyRubble
Messages: 30 Registered: July 2015 Location: 127.0.0.1
howdy
having some issues with custom rules
i have created the following:
subject > substring > /working from home/i > increase score by 10
however... none of the rules i have setup using the above "template" seem to tag mail
is there something i am missing
thanks in advance

Re: Custom SpamAssassin scores and rules [message #130712 is a reply to message #114168]
Tue, 05 July 2016 23:24
MarkK
Messages: 342 Registered: April 2007
Well, I think it has been a few months since I posted an update rule file for Spam Assassin. Here is the latest one I am using, and may be one of the last ones (or the last one) that I post. Due to an upcoming merger, Connect will probably be going away in my future.
Once again - use at your own risk - adjust the rules (add/subtract) items from the search items to work for your industry.
[Updated on: Wed, 06 July 2016 00:10]

Re: Custom SpamAssassin scores and rules [message #130781 is a reply to message #114168]
Mon, 11 July 2016 16:20
barneyRubble
Messages: 30 Registered: July 2015 Location: 127.0.0.1
markk
HUGE thanks for all your help on these forums with the never-ending battle against spam
your tutorials have been insightful... and your sharing of the custom rules file invaluable
wishing you all the best in your future away from connect
barneyRubble