spamassassin rules


Sophie Loe

Dec 5, 2017, 7:35:26 PM
to rspamd
Hi,

Can I use regexes and rawbody in the spamassassin module in rspamd, or can rspamd take care of this? A few examples below.

And do I put the config in this file?
# cat /etc/rspamd/local.d/spamassassin.conf
spamassassin {
ruleset = "/etc/rspamd/spamassassin/local.cf";
# Limit search size to 100 kilobytes for all regular expressions
match_limit = 100k;
# Those regexp atoms will not be passed through hyperscan:
pcre_only = ["RULE1", "__RULE2"];
alpha = 0.1
}

describe SJL_OBFU_SUBJ_VIAGRA Obfuscated viagra in Subject
header SJL_OBFU_SUBJ_VIAGRA Subject =~ /(?:\b[vu]|\B(?:\\\/|\xCE\xBD))[\W_]{0,3}(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\W_]{0,3}(?:[a4\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)[\W_]{0,3}(?:[g6]|\xC4[\x9C-\xA3])[\W_]{0,3}(?:[r\xAE]|\xC5[\x94-\x99]|\xD1\x93)[\W_]{0,3}(?:[a4]\b|(?:[\*\@\xC0-\xC5\xAA\xE0-\xE5]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0)\B)/i
score SJL_OBFU_SUBJ_VIAGRA 2.5

# ASCII-0
rawbody SJL_MIME_ASCII0 /\0/
describe SJL_MIME_ASCII0 Message body contains ASCII-0 character
score SJL_MIME_ASCII0 5

# Detect excessive multiple HTML line breaks <br/>
rawbody __LOC_BR /<br>/
tflags __LOC_BR multiple maxhits=21
meta LOC_MULT_BR __LOC_BR > 20
score LOC_MULT_BR 0.2
describe LOC_MULT_BR At least 20 br tags found





Andrew Lewis

Dec 6, 2017, 3:51:24 AM
to rsp...@googlegroups.com

Hi,

> Can I use regexes and rawbody in the spamassassin module in rspamd,
> or can rspamd take care of this? A few examples below.

There are native regex rules. Better to use these if there's not some
particular reason you need to use SA rules but SA plugin works too.

https://rspamd.com/doc/tutorials/writing_rules.html

> # cat /etc/rspamd/local.d/spamassassin.conf
> spamassassin {

There should be no spamassassin {} wrapping in this file, it's already
in this section of the config.

Best,
-AL.

Sophie Loe

Dec 6, 2017, 12:04:47 PM
to rspamd
Hi Andrew, 

Wrappers removed.  I have a few custom rules that I want to keep so shall drop them in.

This is in the logs. Should I see more?  Does rspamd indicate a certain number of SA rules were loaded?

2017-12-06 17:01:20 #3359(main) <bh8kdd>; lua; spamassassin.lua:1596: loaded 0 freemail domains definitions
2017-12-06 17:01:20 #3359(main) <bh8kdd>; lua; spamassassin.lua:1599: loaded 0 blacklist/whitelist elements
2017-12-06 17:01:20 #3359(main) <bh8kdd>; cfg; rspamd_init_lua_filters: init lua module spamassassin


Thanks.
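
An independent way to know how many rules a local.cf should contribute before comparing with what rspamd logs, added here as an example that is not part of the thread or of rspamd's own code. The function names, the keyword subset handled and the BROKEN_META rule are assumptions made for illustration; the sample rules file is constructed from the rules quoted earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample: two rules from the thread, plus BROKEN_META, a made-up
# rule whose meta expression points at a name that is never defined.
SAMPLE_CF = r"""
rawbody  SJL_MIME_ASCII0 /\0/
describe SJL_MIME_ASCII0 Message body contains ASCII-0 character
score    SJL_MIME_ASCII0 5
rawbody  __LOC_BR /<br>/
tflags   __LOC_BR multiple maxhits=21
meta     LOC_MULT_BR __LOC_BR > 20
score    LOC_MULT_BR 0.2
meta     BROKEN_META __NOT_DEFINED && SJL_MIME_ASCII0
score    BROKEN_META 1.0
"""

DEFINING = {"header", "body", "rawbody", "full", "uri", "meta"}  # subset of SA keywords
ATTRS = {"score", "describe", "tflags"}

def parse_rules(text):
    """Return {rule_name: {"type", "expr", "score", ...}} for the keywords above."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] not in DEFINING | ATTRS:
            continue  # blank lines, comments, keywords this sketch ignores
        keyword, name, value = parts
        entry = rules.setdefault(name, {})
        if keyword in DEFINING:
            entry["type"], entry["expr"] = keyword, value
        else:
            entry[keyword] = value
    return rules

def summary(rules):
    """Count rules per defining keyword, e.g. {"rawbody": 2, "meta": 2}."""
    return dict(Counter(r.get("type", "undefined") for r in rules.values()))

def lint(rules):
    """Flag definitions worth a second look before the file is loaded."""
    problems = []
    for name, r in sorted(rules.items()):
        if "type" not in r:
            problems.append(f"{name}: scored or described but never defined")
            continue
        if r["type"] == "meta":
            for ref in re.findall(r"[A-Za-z_]\w*", r["expr"]):
                if ref not in rules:
                    problems.append(f"{name}: meta references undefined rule {ref}")
        if not name.startswith("__") and "score" not in r:
            problems.append(f"{name}: no explicit score")
    return problems
```

Running `summary(parse_rules(open(path).read()))` on the real rules file gives per-type counts to hold against whatever the module reports at startup.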