
Spamassassin Rules

Marco Favero edited this page Jun 16, 2021 · 8 revisions

Every DNSBL list can be used to make SpamAssassin network rules. Here are some examples suited to the default RBL Manager configuration.

##
## Custom RBL MANAGER RBLs
##


##{ RCVD_IN_RBLM_SPAMIP ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_RBLM_SPAMIP       eval:check_rbl('rbl-lastexternal','spamip.rbl.example.com')
describe RCVD_IN_RBLM_SPAMIP     IP listed at spamip.rbl.example.com, very dirty spam source
tflags RCVD_IN_RBLM_SPAMIP       net noautolearn
endif
##} RCVD_IN_RBLM_SPAMIP ifplugin Mail::SpamAssassin::Plugin::DNSEval


##{ RCVD_IN_RBLM_WHITEIP ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header  RCVD_IN_RBLM_WHITEIP        eval:check_rbl('rbl-firsttrusted', 'whiteip.rbl.example.com')
describe RCVD_IN_RBLM_WHITEIP       IP listed at whiteip.rbl.example.com, high trust
tflags RCVD_IN_RBLM_WHITEIP         nice net noautolearn
endif
##} RCVD_IN_RBLM_WHITEIP ifplugin Mail::SpamAssassin::Plugin::DNSEval


if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only)

urirhssub       URIBL_RBLM_SPAM  spamdomain.rbl.example.com.        A   127.0.0.2
body            URIBL_RBLM_SPAM  eval:check_uridnsbl('URIBL_RBLM_SPAM')
describe        URIBL_RBLM_SPAM  Contains an URL listed in the Spam URIBL RBLM
tflags          URIBL_RBLM_SPAM  net domains_only
endif

if can(Mail::SpamAssassin::Plugin::HashBL::has_hashbl_bodyre)
# https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRulesAdvanced
# https://www.fileformat.info/info/unicode/char/search.htm
# à = \x{00E0}\x{c3a0}
# è = \x{00E8}\x{c3a8}
# ì = \x{00EC}\x{c3ac}
# ò = \x{00F2}\x{c3b2}
# ù = \x{00F9}\x{c3b9}
# À = \x{00C0}\x{c380}
# È = \x{00C8}\x{c388}
# Ì = \x{00CC}\x{c38c}
# Ò = \x{00D2}\x{c392}
# Ù = \x{00D9}\x{c399}

body            __HASHBL_RBLM_SPAM1      eval:check_hashbl_bodyre('spamhash.rbl.example.com', 'sha1/max=10/shuffle/case', '([\d\S(?:\xE0|\xC3\xA0)(?:\xE8|\xC3\xA8)(?:\xEC|\xC3\xAC)(?:\xF2|\xC3\xB2)(?:\xF9|\xC3\xB9)(?:\xC0|\xC3\x80)(?:\xC8|\xC3\x88)(?:\xCC|\xC3\x8C)(?:\xD2|\xC3\x92)(?:\xD9|\xC3\x99)]+[\ \t]+[\d\S(?:\xE0|\xC3\xA0)(?:\xE8|\xC3\xA8)(?:\xEC|\xC3\xAC)(?:\xF2|\xC3\xB2)(?:\xF9|\xC3\xB9)(?:\xC0|\xC3\x80)(?:\xC8|\xC3\x88)(?:\xCC|\xC3\x8C)(?:\xD2|\xC3\x92)(?:\xD9|\xC3\x99)]+)', '^127\.0\.0\.2')
describe        __HASHBL_RBLM_SPAM1      Two word pattern listed in RBLMS HASH Blocklist grouping from first word.

body            __HASHBL_RBLM_SPAM2      eval:check_hashbl_bodyre('spamhash.rbl.example.com', 'sha1/max=10/shuffle/case', '^\s*[\d\S(?:\xE0|\xC3\xA0)(?:\xE8|\xC3\xA8)(?:\xEC|\xC3\xAC)(?:\xF2|\xC3\xB2)(?:\xF9|\xC3\xB9)(?:\xC0|\xC3\x80)(?:\xC8|\xC3\x88)(?:\xCC|\xC3\x8C)(?:\xD2|\xC3\x92)(?:\xD9|\xC3\x99)]+[\ \t]+|([\d\S(?:\xE0|\xC3\xA0)(?:\xE8|\xC3\xA8)(?:\xEC|\xC3\xAC)(?:\xF2|\xC3\xB2)(?:\xF9|\xC3\xB9)(?:\xC0|\xC3\x80)(?:\xC8|\xC3\x88)(?:\xCC|\xC3\x8C)(?:\xD2|\xC3\x92)(?:\xD9|\xC3\x99)]+[\ \t]+[\d\S(?:\xE0|\xC3\xA0)(?:\xE8|\xC3\xA8)(?:\xEC|\xC3\xAC)(?:\xF2|\xC3\xB2)(?:\xF9|\xC3\xB9)(?:\xC0|\xC3\x80)(?:\xC8|\xC3\x88)(?:\xCC|\xC3\x8C)(?:\xD2|\xC3\x92)(?:\xD9|\xC3\x99)]+)', '^127\.0\.0\.2')
describe        __HASHBL_RBLM_SPAM2      Two word pattern listed in RBLMS HASH Blocklist grouping from second word.

body            __HASHBL_RBLM_SPAM3      eval:check_hashbl_bodyre('spamhash.rbl.example.com', 'sha1/max=10/shuffle/case', '([\d\S(?:\xE0|\xC3\xA0)(?:\xE8|\xC3\xA8)(?:\xEC|\xC3\xAC)(?:\xF2|\xC3\xB2)(?:\xF9|\xC3\xB9)(?:\xC0|\xC3\x80)(?:\xC8|\xC3\x88)(?:\xCC|\xC3\x8C)(?:\xD2|\xC3\x92)(?:\xD9|\xC3\x99)]+)', '^127\.0\.0\.2')
describe        __HASHBL_RBLM_SPAM3      One word pattern listed in RBLMS HASH Blocklist.

meta            HASHBL_RBLM_SPAM         ( __HASHBL_RBLM_SPAM1 || __HASHBL_RBLM_SPAM2 || __HASHBL_RBLM_SPAM3 )
describe        HASHBL_RBLM_SPAM         Residual Spam Hash listed in RBLMS SPAM Blocklist.
tflags          HASHBL_RBLM_SPAM         net multiple nosubject
endif

## Score
score RCVD_IN_RBLM_SPAMIP         10.0
score RCVD_IN_RBLM_WHITEIP       -10.0
score URIBL_RBLM_SPAM             6.5
score HASHBL_RBLM_SPAM            6.5

The HASHBL_RBLM_SPAM rule is an example of how to use a HASHBL with the SpamAssassin HashBL plugin. Every paragraph of the mail is tested against patterns of one word or two words. The UTF-8 characters à è ì ò ù are allowed.

This means that in the RBLMS you can add a text of one word, or a text of two words separated by spaces.

SpamAssassin version 3.4.6 or later is required. Unfortunately, at this version SpamAssassin doesn't support UTF-8 regular expressions such as ([\p{L}\p{M}\d\S]+).
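To check what a blocklist entry has to look like for the three sub-rules to hit it, the following Python helper (an added example, not part of RBL Manager or SpamAssassin) lists the one- and two-word strings each sub-rule captures from a paragraph and the DNS name each would be looked up under. It assumes the plugin queries the hex SHA-1 of the captured bytes as the leftmost label of the zone and that only capture group 1 is queried; the function names and the sample paragraph are constructed for illustration.

```python
import hashlib
import re

ZONE = "spamhash.rbl.example.com"  # hash zone used by the rules on this page

# The page's bracketed class contains \S, so it matches any non-whitespace
# byte; \S alone stands in for it here. Patterns are bytes patterns because
# the rules match UTF-8 bytes, not Unicode characters.
WORD = rb"\S+"
PAIR = WORD + rb"[ \t]+" + WORD
RULES = {
    "__HASHBL_RBLM_SPAM1": rb"(" + PAIR + rb")",                          # pairs from word 1
    "__HASHBL_RBLM_SPAM2": rb"^\s*" + WORD + rb"[ \t]+|(" + PAIR + rb")",  # pairs from word 2
    "__HASHBL_RBLM_SPAM3": rb"(" + WORD + rb")",                          # single words
}


def captures(rule, paragraph):
    """Strings captured by one sub-rule on one paragraph, in order, deduplicated."""
    seen, out = set(), []
    for match in re.finditer(RULES[rule], paragraph.encode("utf-8")):
        group = match.group(1)
        # SPAM2's first alternative consumes the leading word without capturing.
        if group is not None and group not in seen:
            seen.add(group)
            out.append(group.decode("utf-8"))
    return out


def query_name(entry, zone=ZONE):
    """Assumed lookup name: hex SHA-1 of the UTF-8 bytes, case kept ('case' option)."""
    return hashlib.sha1(entry.encode("utf-8")).hexdigest() + "." + zone


def lookups(paragraph, limit=10):
    """Per sub-rule list of (captured string, query name); 'max=10' caps each rule.
    The plugin's 'shuffle' picks at random when over the cap; this keeps the first ones."""
    return {rule: [(c, query_name(c)) for c in captures(rule, paragraph)[:limit]]
            for rule in RULES}


if __name__ == "__main__":
    sample = "Compra subito la novità esclusiva"  # constructed sample paragraph
    for rule, pairs in lookups(sample).items():
        for text, name in pairs:
            print(f"{rule}  {text!r}  ->  {name}")
```

Run on the sample, SPAM1 and SPAM2 between them cover every adjacent word pair, which is why both sub-rules are needed for two-word entries. An entry only matches if its bytes, including letter case, are identical to what the rule captures.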
