SpamAssassin performs its spam-checking by applying a series of rules to an email message. Most rules examine the message headers or body for patterns that are suggestive of spam while others perform Internet lookups against network-based blacklists of IP addresses or checksums of spam messages. Each positive test yields a score, and the sum of the scores is the total spam score of the message.
| Directive | Description |
|---|---|
| Name | A test name, consisting of up to 22 uppercase letters, numbers, or underscores. Names that begin T_ refer to rules in testing. |
| Description | A more verbose description of the test, which is used in the reports generated by SpamAssassin. Typically, descriptions are up to 50 characters long. |
| Type | An indication of where to look. Tests can be applied to the message headers only, the message body only, uniform resource identifiers (URIs) in the message body, or the complete message. |
| Value | A description of what to look for. Tests can specify a header to check for existence, a Perl regular expression pattern to match, a DNS-based blacklist to query, or a SpamAssassin function to evaluate. |
| Score | A score or scores for the test. Tests can have a single score that is always used, or they can have separate scores for messages that test positive under each of a set of conditions. |
| Type | Description |
|---|---|
| body | Search the body of the message with a regular expression and if it matches, the corresponding score is assigned. Body rules also include the Subject as the first line of the body content. |
| header | Check a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones. |
| uri | Match text in the URI's contained in plain text and HTML sections of mail. This is very handy for searching for links containing spam advertised sites. |
| rawbody | Search the body of the email without certain kinds of preprocessing that SA normally does before trying body rules. In particular HTML tags won't be stripped and line breaks will still be present. This allows you to create rules searching for HTML tags or HTML comments that are signs of spam or nonspam, or particular patterns of line-break. |
| meta | Boolean or arithmetic combinations of other rules. This allows you to do things like create a meta rule which fires off when both a header and a body rule are true at the same time. |
| mimeheader | Perform tests against the MIME headers of a message. |
| uri_block_cc | Used by the URILocalBL plugin to match country codes. This rule applies to the URIs found in the HTML portion of a message. |
| uri_block_cont | Used by the URILocalBL plugin to match continents. This rule applies to the URIs found in the HTML portion of a message. |
| uri_block_cidr | Used by the URILocalBL plugin to match CIDRs. This rule applies to the URIs found in the HTML portion of a message. |
| uri_block_isp | Used by the URILocalBL plugin to match ISPs. This rule applies to the URIs found in the HTML portion of a message. This requires the GeoIPISP database. There is no fremium version of this database, so commercial licensing is required. |
| uri_block_exclude | Used by the URILocalBL plugin to exclude URIs. This rule applies to the URIs found in the HTML portion of a message. |
• Any value not wrapped in delimiters will be escaped and have their delimiters added automatically.
• Adding i after the value delimiter e.g./test/imeans that patern match will be case insensitive.
Used to override an existing rule score.
| Directive | Value |
|---|---|
| Name | DCC_CHECK |
| Description | Override the DCC default rule score to add more weight. |
| Type | no type |
| Value | leave empty |
| Score | 5.0 |
Simple case-sensitive search of the body of the email for the string "test" and adds a 0.1 to the score of the email if it finds it:
| Directive | Value |
|---|---|
| Name | LOCAL_DEMONSTRATION_RULE |
| Description | This is a simple test rule to check the body for matching text |
| Type | body |
| Value | /test/ |
| Score | 0.1 |
Header rules let you check a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones. Simple case-insensitive search of the subject of the email for the string "test" and adds a 0.1 to the score of the email if it finds it:
| Directive | Value |
|---|---|
| Name | LOCAL_DEMONSTRATION_SUBJECT |
| Description | This is a simple test rule to check the subject for matching text |
| Type | header |
| Value | Subject =~ /test/i |
| Score | 0.1 |
URI rules are very simple, they only match text in the URI's contained in plain text and HTML sections of mail. This is very handy for searching for links containing spam advertised sites.
This rule will check for web links to www.example.com/OrderViagra/
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to check for a matching URL |
| Type | uri |
| Value | /www\.example\.com\/OrderViagra\// |
| Score | 0.1 |
Meta rules are rules that are boolean or arithmetic combinations of other rules. This allows you to do things like create a meta rule which fires off when both a header and a body rule are true at the same time. The following example uses a boolean check and will add a negative score to emails from test@example.com containing the body text "Monthly Sales Figures"
Add the sub rule for the header leaving the description and score blank:
| Directive | Value |
|---|---|
| Name | __LOCAL_FROM_NEWS |
| Description | |
| Type | header |
| Value | From =~ /test\@example\.com/i |
| Score |
Add the sub rule for the body leaving the description and score blank:
| Directive | Value |
|---|---|
| Name | __LOCAL_SALES_FIGURES |
| Description | |
| Type | body |
| Value | /\bMonthly Sales Figures\b/ |
| Score |
Add the meta rule to match both sub rules filling in the score and description:
| Directive | Value |
|---|---|
| Name | LOCAL_NEWS_SALES_FIGURES |
| Description | Test for sales figures |
| Type | meta |
| Value | (__LOCAL_FROM_NEWS && __LOCAL_SALES_FIGURES) |
| Score | -1.0 |
Memheader rules will allow you to match any mimeheaders.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to check for a matching exe file extension. |
| Type | mimeheader |
| Value | Content-Type =~ /name=\".*\.exe\"/i |
| Score | 3.25 |
Used by the URILocalBL plugin to match country codes. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with URIs found in Afganista and Armenia. |
| Type | uri_block_cc |
| Value | af am |
| Score | 3.25 |
Used by the URILocalBL plugin to match continents. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with URIs found in Africa and South America. |
| Type | uri_block_cont |
| Value | af sa |
| Score | 3.25 |
Used by the URILocalBL plugin to match CIDRs This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with the CIDRs 198.51.100.0/24 and 203.0.113.0/24. |
| Type | uri_block_cidr |
| Value | 198.51.100.0/24 203.0.113.0/24 |
| Score | 3.25 |
Used by the URILocalBL plugin to match ISPs. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with ISPs. |
| Type | uri_block_isp |
| Value | "DataRancid" "McCarrier" "Phishers-r-Us" |
| Score | 3.25 |
Used by the URILocalBL plugin to exclude URIs. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to exclude URIs. |
| Type | uri_block_exclude |
| Value | www.baidu.com" |
| Score | leave blank |
Score commands can have 1 or 4 parameters. If there is only one parameter then that score is used all the time. Example:
score LOCAL_DEMONSTRATION_ALL 0.1With four parameters. Example:
score LOCAL_DEMONSTRATION_ALL 0.1 0.3 0.3. 0.1