SpamAssassin Rules

I use SpamAssassin to filter my mail to eliminate spam. I have spamc and spamd set up, with spamd on a separate machine with enough grunt to easily handle the CPU-intensive spam filtering, leaving the mail/web server to do the easy work (maybe I'll document the setup sometime).

SpamAssassin tends to be pretty effective for me anyway, but I've written some extra rules to make it even better.

So, here they are, feel free to use them if you choose to do so.

If you have any comments or suggestions, wish to supply extra rules to add (which would be most appreciated) or have found false positives due to any of these rules, please do let me know! (see

==== ====

Some rules to filter out stock spams (stocks, shares, “microcap” etc)

<code>
# SpamAssassin rules for stock spams ("pump and dump")
#
# David Precious
# and
# $Id: 121 2007-03-07 17:43:08Z davidp $

body     DP_STOCKS_TRADING_ALERT      /trading alert/i
score    DP_STOCKS_TRADING_ALERT      3
describe DP_STOCKS_TRADING_ALERT      Contains "trading alert" (often seen in stocks spams)

body     DP_STOCKS_TOP_PICK           /(top|hottest|super) pick/i
score    DP_STOCKS_TOP_PICK           2
describe DP_STOCKS_TOP_PICK           Contains "top/hottest/super pick" (often seen in stocks spams)

body     DP_STOCKS_THE_PICK           /this is the pick/i
score    DP_STOCKS_THE_PICK           2
describe DP_STOCKS_THE_PICK           Contains "this is the pick" (often seen in stocks spams)

# the space belongs inside the optional group, so that the phrase
# also matches when "incredible" is absent
body     DP_STOCKS_GETTING_EXPOSURE   /stocks getting (incredible )?exposure/i
score    DP_STOCKS_GETTING_EXPOSURE   2
describe DP_STOCKS_GETTING_EXPOSURE   Contains "stocks getting exposure" (often seen in stocks spams)

body     DP_STOCKS_RELEASE_EXPECTED   /release is expected (from|out of) the company/i
score    DP_STOCKS_RELEASE_EXPECTED   2
describe DP_STOCKS_RELEASE_EXPECTED   Contains "release is expected from the company" (often seen in stocks spams)

body     DP_STOCKS_GET_WINNER         /get this winner early/i
score    DP_STOCKS_GET_WINNER         2
describe DP_STOCKS_GET_WINNER         Contains "get this winner early" (often seen in stocks spams)

body     DP_STOCKS_GOING_TO_TAKE_OFF  /going to take off/i
score    DP_STOCKS_GOING_TO_TAKE_OFF  1.5
describe DP_STOCKS_GOING_TO_TAKE_OFF  Contains "going to take off" (often seen in stocks spams)

body     DP_STOCKS_PRICE_OF_STOCK     /price of this stock/i
score    DP_STOCKS_PRICE_OF_STOCK     2.5
describe DP_STOCKS_PRICE_OF_STOCK     Contains "price of this stock" (often seen in stocks spams)

body     DP_STOCKS_BOOMING_INDUSTRY   /this booming industry/i
score    DP_STOCKS_BOOMING_INDUSTRY   1.5
describe DP_STOCKS_BOOMING_INDUSTRY   Contains "this booming industry" (often seen in stocks spams)

body     DP_STOCKS_CALLED_IT          /we called it/i
score    DP_STOCKS_CALLED_IT          1.4
describe DP_STOCKS_CALLED_IT          Contains "we called it" (often seen in stocks spams)

body     DP_STOCKS_SET_TO_RELEASE     /set to release/i
score    DP_STOCKS_SET_TO_RELEASE     1.5
describe DP_STOCKS_SET_TO_RELEASE     Contains "set to release" (often seen in stocks spams)

body     DP_STOCKS_GET_IN             /get in (before|now|early)/i
score    DP_STOCKS_GET_IN             1.5
describe DP_STOCKS_GET_IN             Contains "get in (before|now|early)" (often seen in stocks spams)

body     DP_STOCKS_EXPECTING_RESULTS  /expecting (financial )?results/
score    DP_STOCKS_EXPECTING_RESULTS  1.5
describe DP_STOCKS_EXPECTING_RESULTS  Contains "expecting (financial )?results" (often seen in stocks spams)

body     DP_STOCKS_TRADING_AT         /tradd?ing at/
score    DP_STOCKS_TRADING_AT         1.2
describe DP_STOCKS_TRADING_AT         Contains "trading at" (or "tradding") (often seen in stocks spams)

body     DP_STOCKS_PUSH_PRICE         /push the price/
score    DP_STOCKS_PUSH_PRICE         1.4
describe DP_STOCKS_PUSH_PRICE         Contains "push the price" (often seen in stocks spams)

body     DP_STOCKS_OFF_THE_CHARTS     /off the charts/
score    DP_STOCKS_OFF_THE_CHARTS     1.5
describe DP_STOCKS_OFF_THE_CHARTS     Contains "off the charts" (often seen in stocks spams)
</code>

==== ====

<code>
# SpamAssassin rules for mortgage / finance spams
#
# David Precious
# and
# $Id: 77 2006-12-02 17:01:28Z davidp $

body     DP_FINANCE_PAYING_TOO_MUCH      /paying too much/i
score    DP_FINANCE_PAYING_TOO_MUCH      3
describe DP_FINANCE_PAYING_TOO_MUCH      Phrase "paying too much" (often appears in mortgage/finance spam)

body     DP_FINANCE_PAYING_ANOTHER_DIME  /paying (another|one more) (dime|cent)/i
score    DP_FINANCE_PAYING_ANOTHER_DIME  3.6
describe DP_FINANCE_PAYING_ANOTHER_DIME  Phrase "paying another/one more cent/dime" (seen in finance/debt spam)

body     DP_FINANCE_BANK_LOOPHOLE        /loophole in the bank law/i
score    DP_FINANCE_BANK_LOOPHOLE        3
describe DP_FINANCE_BANK_LOOPHOLE        Phrase "loophole in the bank laws" (seen in finance/debt spam)

body     DP_FINANCE_CREDITCARDDEBT       /credit \s* card \s* debt/xi
score    DP_FINANCE_CREDITCARDDEBT       3
describe DP_FINANCE_CREDITCARDDEBT       Contains "credit card debt" (with or without spaces)

body     DP_FINANCE_DEBT_FREE            /debt \s* free/xi
score    DP_FINANCE_DEBT_FREE            2.8
describe DP_FINANCE_DEBT_FREE            Contains "debt free" (with or without space)

body     DP_FINANCE_LOOPHOLE             /discovered a loophole/i
score    DP_FINANCE_LOOPHOLE             2.5
describe DP_FINANCE_LOOPHOLE             Contains "discovered a loophole"
</code>

==== ====

<code>
# SpamAssassin rules for common phishing phrases
#
# David Precious
# and
# $Id: 78 2006-12-02 17:07:06Z davidp $

body     DP_PHISH_CONFIRM_ACC_INFO  /confirm your account information/i
score    DP_PHISH_CONFIRM_ACC_INFO  3
describe DP_PHISH_CONFIRM_ACC_INFO  Phrase "confirm your account information"

body     DP_PHISH_SECURE_FUNDS      /secure the funds/i
score    DP_PHISH_SECURE_FUNDS      2.8
describe DP_PHISH_SECURE_FUNDS      Phrase "secure the funds"
</code>

==== ====

Some general custom rules which don't justify their own file.

<code>
# some random SpamAssassin rules for common spams I see
#
# David Precious
# and
# $Id: 79 2006-12-04 15:52:00Z davidp $

body     DP_CUSTOM_BRITNEY_TAPES         /britney sex tapes/i
score    DP_CUSTOM_BRITNEY_TAPES         6
describe DP_CUSTOM_BRITNEY_TAPES         Phrase "Britney Sex Tapes"

body     DP_CUSTOM_UPLOADED_NEW_SW       /has uploaded new software/i
score    DP_CUSTOM_UPLOADED_NEW_SW       6
describe DP_CUSTOM_UPLOADED_NEW_SW       Phrase "has uploaded new software"

header   DP_CUSTOM_SUBJ_HI_ITS           Subject =~ /^Hi it's/
score    DP_CUSTOM_SUBJ_HI_ITS           3
describe DP_CUSTOM_SUBJ_HI_ITS           Subject starts "Hi it's ..."

# work from home/"payment representative" spam/fraud mails
body     DP_CUSTOM_SRCH_REPS             /searching for representatives/i
score    DP_CUSTOM_SRCH_REPS             2
describe DP_CUSTOM_SRCH_REPS             Contains "searching for representatives"

body     DP_CUSTOM_MAKING_PAYMENTS       /making payments through you/i
score    DP_CUSTOM_MAKING_PAYMENTS       1.8
describe DP_CUSTOM_MAKING_PAYMENTS       Contains "making payments through you"

body     DP_CUSTOM_AGENT_IN_YOUR_REGION  /agents? in your region/i
score    DP_CUSTOM_AGENT_IN_YOUR_REGION  2
describe DP_CUSTOM_AGENT_IN_YOUR_REGION  Contains "agent(s) in your region"

# to catch some of the automated messages demanding that you
# reply to confirm that you are "a real human being and not a
# spam source" before the message gets delivered.
# That has to be one of the most irresponsible, retarded solutions
# for dealing with spam, ever.
# NOTE: don't use this if you care about your messages to people using
# these braindead "anti-spam" solutions getting through... personally,
# if someone is irresponsible enough to use them then I'm not interested.

# this is a definite stupid one from "boxtrapper" (part of cPanel
# apparently...)
header   DP_CUSTOM_BOXTRAPPER            exists:X-Boxtrapper
score    DP_CUSTOM_BOXTRAPPER            10
describe DP_CUSTOM_BOXTRAPPER            Automated Boxtrapper "anti-spam" confirm message

body     DP_CUSTOM_CFRM_MSG              /requires that you verify/i
score    DP_CUSTOM_CFRM_MSG              2
describe DP_CUSTOM_CFRM_MSG              Spammy auto-reply demanding verification before delivery

header   DP_CUSTOM_CFRM_MSG_2            Subject =~ /Your email requires verification/i
score    DP_CUSTOM_CFRM_MSG_2            2
describe DP_CUSTOM_CFRM_MSG_2            Spammy auto-reply demanding verification before delivery

body     DP_CUSTOM_SENT_BY_HUMAN         /(prove|verify) your (message|e-?mail) was sent by a human/i
score    DP_CUSTOM_SENT_BY_HUMAN         3
describe DP_CUSTOM_SENT_BY_HUMAN         Demands that you prove the message was sent by a human

header   DP_CUSTOM_CHALLENGE_RESPONSE    Subject =~ /^\[Challenge Response\]/i
score    DP_CUSTOM_CHALLENGE_RESPONSE    3
describe DP_CUSTOM_CHALLENGE_RESPONSE    Subject contains "[Challenge Response]"
</code>

===== See also =====

  * from Tim Jackson (doesn't seem to be being actively worked on any more, but effective at blocking stupid virus warning mails)
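
A way to check rules like the ones on this page for false positives and misses before deploying them, as an added example that is not part of the original page: the Python sketch parses a constructed three-rule excerpt and scores two constructed messages against SpamAssassin's default threshold of 5.0. The whitespace normalisation only approximates SpamAssassin's real body rendering, and `parse_rules` and `evaluate` are hypothetical helper names.

```python
import re

# Constructed excerpt: three body rules copied from the rule sets on this page.
RULES_CF = r"""
body   DP_FINANCE_CREDITCARDDEBT  /credit \s* card \s* debt/xi
score  DP_FINANCE_CREDITCARDDEBT  3
body   DP_FINANCE_DEBT_FREE       /debt \s* free/xi
score  DP_FINANCE_DEBT_FREE       2.8
body   DP_STOCKS_TRADING_AT       /tradd?ing at/
score  DP_STOCKS_TRADING_AT       1.2
"""
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score
FLAGS = {"i": re.IGNORECASE, "x": re.VERBOSE, "s": re.DOTALL, "m": re.MULTILINE}

def parse_rules(text):
    """Parse 'body' and 'score' lines into {name: {"re": pattern, "score": float}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        rule = rules.setdefault(name, {"score": 1.0})  # unscored rules default to 1.0
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest)
            if m is None:
                raise ValueError(f"unparseable pattern in rule {name}: {rest!r}")
            flags = 0
            for letter in m.group(2):
                flags |= FLAGS[letter]
            rule["re"] = re.compile(m.group(1), flags)
        elif kind == "score":
            rule["score"] = float(rest)
    return rules

def evaluate(rules, body):
    """Return (rule names that hit, total score, would-be-tagged-as-spam)."""
    text = " ".join(body.split())  # rough stand-in for SpamAssassin's body rendering
    hits = sorted(n for n, r in rules.items() if "re" in r and r["re"].search(text))
    total = round(sum(rules[n]["score"] for n in hits), 2)
    return hits, total, total >= REQUIRED_SCORE

# Constructed messages: a legitimate bank mail and a stock spam with a capital "T".
HAM = "Your statement is ready. Paying off credit card debt early\nmeans you could be debt free by June."
SPAM = "Trading at $0.12 today, and set to climb."

if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    for label, msg in (("ham", HAM), ("spam", SPAM)):
        print(label, evaluate(rules, msg))
```

The legitimate message reaches 5.8 from two finance rules alone, while the sentence-initial "Trading at" is missed because that rule has no `/i` flag. On a real install, `spamassassin --lint` checks the rule file's syntax and `spamassassin -t < message` reports which rules hit.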

sarules.txt · Last modified: 2010/02/26 10:45 (external edit)