GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » Custom SpamAssassin scores and rules (Write your own rules and block the crap)  () 1 Vote
Custom SpamAssassin scores and rules [message #114168] Fri, 13 June 2014 04:33 Go to previous message
MarkK is currently offline  MarkK
Messages: 342
Registered: April 2007
Just sharing this with everyone. As I have said in my past posts, I am an advocate for setting up custom scores in SpamAssassin. Some of the default values such as .001 are just more of an 'informative score' rather than a 'score building up a spam score'.

This will be a little bit long, but trying to make it easy to understand after reading it a couple of times. You can probably do some of the same thing with the built in Custom Spam rules in Connect Admin, but it may take more individual rules to accomplish the same thing.

Tired of still seeing spams making it through the filter with maybe only a hit on the RDNS, reverse dns lookup, I decided it was time to learn how to start writing some of the scoring rules. Basic rules are not very hard. That is far as I have made it so far; I need to learn some Perl scripting language structure in order to get more advanced.

So I thought I would share the basic rule writing here. These are additional lines that you would put in to your custom .cf file, should as zlocal.cf. DON'T change the .cf files that came with Kerio / SpamAssassin, those will be overwritten the next time you upgrade. it would also be a good idea to keep a duplicate copy of your custom .cf file, even if it is in your disk/tape backup.

You can find this info and a little more at http://wiki.apache.org/spamassassin/WritingRules

To write one basic rule, you will need to add at least 2 lines to your file, and a 3rd line if you want to put a informative description of that particular rule.

body {RuleName} {Rule} OR header {RuleName} {HeaderName} =~ {Rule}
score {Rulename} {Score}
description {RuleDescription}

Figure out a name for your local rule. To avoid naming your rule the same as one of the existing SA rules, start it with LOCAL_; for example LOCAL_DOCOZ.

Figure out if you will be looking at the Body or at one of the headers, such as Subject. Determine what score you want to assess if the rule is true.

In this example, I will add a score of 2.0 for emails that have reference to DocOz in the body.

body LOCAL_DOCOZ /docoz/i
score LOCAL_DOCOZ 2.0
describe LOCAL_DOCOZ Found DocOz in email body

Line1 - Looking in email "body", rule name is "LOCAL_DOCOZ", and searching for the text "docoz" (characters between the forward slashes / /) any where in the body, and letter case is "i" or insensitive. Will match 'docoz' or 'DocOz'. This will also match DocOzzie or DocOzborn, since I have not specified any word breaks.

Line2 - If this rule LOCAL_DOCOZ finds a hit, it will add 2.0 to the spam score. You can set any number you want. Personally, I try not to go overboard with the scoring numbers.

Line3 - The describe statement contains the text which will be placed into the verbose report, if verbose reports are used. I don't believe they are used in Kerio. You can omit this line if you want.

That is a simple functional rule. But DocOz can be referenced in a number of ways in spams, such as 'Doc Oz' or 'Dr Oz'. This can be handled easily by adding ( ) and | characters.

body LOCAL_DOCOZ /(DocOz|Doc Oz|DrOz|Dr Oz|Dr. Oz)/i

Everything between the ( ) characters is considered to be a list of items, separated by the | character. So now we will have a hit if the body contains "DocOz", "Doc Oz", "DrOz", "Dr Oz", or "Dr. Oz"; all case insensitive. But we will still match the name Ozzie or Ozborn.

You can add \b, which searches for a word-break (anything that isn't an alphanumeric character or underscore) so that the match is more exacting.

body LOCAL_DOCOZ /\b(DocOz|Doc Oz|DrOz|Dr Oz|Dr. Oz)\b/i

Now we are looking for the following:
" DocOz "
" Doc Oz "
" DrOz "
" Dr Oz "
" Dr. Oz "
Now none of what we are looking for will no longer match "Dr Ozborn", since the character after the "z" is not a word-break character such as a space.

To match a header:
header LOCAL_DOCOZ_SUBJECT Subject =~ /\b(DocOz|Doc Oz|DrOz|Dr Oz|Dr. Oz)\b/i
score LOCAL_DOCOZ_SUBJECT 2.0

Here we are looking at the Subject header (don't forget the =~ characters), searching for the same DocOz variations. If found, 2.0 is added to the score.

You can examine any of the headers. You can find the header name by looking at the emails headers or view the message's source code.


This is just a quick basic lesson on writing your own rules. Once you have saved the .cf file that you put your rules in, you will need to restart Kerio Connect in order for them to start being used.

May all your spam rules find their mark and kill the nasty little beasts.

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message icon14.gif
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Kerio became slow with 10 users
Next Topic: PSA: If you use Internet Explorer don't upgrade to 9.1.1
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Tue Mar 28 23:54:05 CEST 2023

Total time taken to generate the page: 0.09442 seconds
.:: Contact :: Home :: Acceptable Use Policy ::.

Powered by: FUDforum 3.0.9.
Copyright ©2001-2022 FUDforum Bulletin Board Software