Writing Spam Assassin Rules

10 posts / 0 new
Last post
#1 Mon, 05/18/2009 - 14:24
mrwilder

Writing Spam Assassin Rules

Do these look like correctly formatted rules?

[img size=632]http://www.virtualmin.com/components/com_fireboard/uploaded/images/spama...

Should I be prefixing and suffixing strings like

healthplan

for example?

Am I way off?

Tue, 05/19/2009 - 05:04
christophera

I'm glad you asked about this, I've been wondering the same thing about whether some kind of wildcard prefix/suffix is needed.

Tue, 05/19/2009 - 15:58 (Reply to #2)
mrwilder

Agreed. I hope *somebody* can chime in on this...

I always have a serious spam problem on my servers and it's just driving me nuts anymore.

Tue, 05/19/2009 - 19:18 (Reply to #3)
andreychek

Hey guys,

I'll try and dig into this all a bit more, but here's my take on that screen --

The "Match Expression" field is in the format:

[code:1]/_________________/___[/code:1]

What I think they're looking for is a regular expression in the first box, and any regular expression modifiers in the second.

So to look for emails containing the text "foo bar", you might do:

[code:1]/foo bar/___[/code:1]

If you want to match "Foo" or "foo", you could use:

[code:1]/[Ff]oo bar/___[/code:1]

And to make the entire thing case insensitive, you'd pass in the 'i' modifier to the regular expression:

[code:1]/foo bar/i[/code:1]

That would match any case.

So, no, you don't need to add a wildcard (or "glob" characters) to the beginning or end of the regular expression, as it's already looking through the entire email already for the text you're searching for.

As far as score to apply -- I'd be careful marking it too high.

If it's actually a spam message, you can mark it at or around SpamAssassin's "spam threshhold" setting. By default, that's 5. So if you made those rules worth, say, 7 or 8, they should be marked as spam in just about every case, unless some other rule comes along to push the value down.... such as one of your users forwarding you the message to ask a question or something.

Just some thoughts, I hope that helps!
-Eric

Sun, 06/07/2009 - 07:55 (Reply to #4)
mrwilder

By the way, if any of you kids try this at home, there's supposed to be a Backslash in front of that b...

Perhaps you cannot type it in the forum. Let me try it and find out:

without the code tag:
\b

with the code tag:
[code:1]\b[/code:1]

Sun, 06/07/2009 - 07:55 (Reply to #5)
mrwilder

So there you have it:

a) you can't type a backslash in the forum and
b) it's a

[code:1]/\bham\b/[/code:1]

Sun, 06/07/2009 - 07:55 (Reply to #6)
mrwilder

So there you have it:

a) you can't type a backslash in the forum and
b) it's a

[code:1]/\bham\b/[/code:1]

Wed, 05/20/2009 - 04:33
christophera

Thank you, that does help. I had some words that I put in and the points just weren't being assigned to them, but after looking at your note, I think it's related to being sensitive to the case. I'll add the i.

Chris

Sun, 06/07/2009 - 07:55 (Reply to #8)
andreychek

Hi Chris,

This SpamAssassin document might help you a bit:

http://wiki.apache.org/spamassassin/WritingRules

It offers some details on what goes into making rules.

That involves learning a bit about regular expressions, but that can be fun :-)

As a further hint, you might want to add a "\b" both at the beginning and end of your text, which causes it to only match if there's a "word break" before and after your text.

For example, this:

/ham/

Will match both ham and hamburger.

So if we add the \b:

/\bham\b/

That only matches ham, it will not match hamburger, since the \b characters match a "word boundary" -- they only match if "ham" is not part of another word.
-Eric

Sat, 05/23/2009 - 14:30
Joe
Joe's picture

Yeah, this forum is so awful, it's like we set out to make everybodies life miserable. (We didn't. I had no idea how bad it was when we first set it up. It's going away soon. I just started in on porting our reseller system to the new Drupal database, and it should all be ready to roll soon. Everything takes longer than I expect it to.)

--

Check out the forum guidelines!

Topic locked