Rules

SpamAssassin performs its spam-checking by applying a series of rules to an email message. Most rules examine the message headers or body for patterns that are suggestive of spam while others perform Internet lookups against network-based blacklists of IP addresses or checksums of spam messages. Each positive test yields a score, and the sum of the scores is the total spam score of the message.

Rule Components

Directive Description
Name A test name, consisting of up to 22 uppercase letters, numbers, or underscores. Names that begin T_ refer to rules in testing.
Description A more verbose description of the test, which is used in the reports generated by SpamAssassin. Typically, descriptions are up to 50 characters long.
Type An indication of where to look. Tests can be applied to the message headers only, the message body only, uniform resource identifiers (URIs) in the message body, or the complete message.
Value A description of what to look for. Tests can specify a header to check for existence, a Perl regular expression pattern to match, a DNS-based blacklist to query, or a SpamAssassin function to evaluate.
Score A score or scores for the test. Tests can have a single score that is always used, or they can have separate scores for messages that test positive under each of a set of conditions.

Rule Types

Type Description
body Search the body of the message with a regular expression and if it matches, the corresponding score is assigned. Body rules also include the Subject as the first line of the body content.
header Check a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones.
URI Match text in the URI's contained in plain text and HTML sections of mail. This is very handy for searching for links containing spam advertised sites.
Rawbody Search the body of the email without certain kinds of preprocessing that SA normally does before trying body rules. In particular HTML tags won't be stripped and line breaks will still be present. This allows you to create rules searching for HTML tags or HTML comments that are signs of spam or nonspam, or particular patterns of line-break.
Meta Boolean or arithmetic combinations of other rules. This allows you to do things like create a meta rule which fires off when both a header and a body rule are true at the same time.

Rule Examples

Body rule

Simple case-sensitive search of the body of the email for the string "test" and adds a 0.1 to the score of the email if it finds it:

Directive Value
Name LOCAL_DEMONSTRATION_RULE
Description This is a simple test rule to check the body for matching text
Type body
Value /test/
Score 0.1

Header rule

Header rules let you check a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones. Simple case-insensitive search of the subject of the email for the string "test" and adds a 0.1 to the score of the email if it finds it:

Directive Value
Name LOCAL_DEMONSTRATION_SUBJECT
Description This is a simple test rule to check the subject for matching text
Type header
Value Subject =~ /test/i
Score 0.1

URI rule

URI rules are very simple, they only match text in the URI's contained in plain text and HTML sections of mail. This is very handy for searching for links containing spam advertised sites. This rule will check for web links to www.example.com/OrderViagra/

Directive Value
Name LOCAL_URI_EXAMPLE
Description This is a simple test rule to check for a matching URL
Type uri
Value /www\.example\.com\/OrderViagra\//
Score 0.1

Meta rule

Meta rules are rules that are boolean or arithmetic combinations of other rules. This allows you to do things like create a meta rule which fires off when both a header and a body rule are true at the same time. The following example uses a boolean check and will add a negative score to emails from test@example.com containing the body text "Monthly Sales Figures"

Add the sub rule for the header leaving the description and score blank:

Directive Value
Name __LOCAL_FROM_NEWS
Description
Type header
Value From =~ /test\@example\.com/i
Score

Add the sub rule for the body leaving the description and score blank:

Directive Value
Name __LOCAL_SALES_FIGURES
Description
Type body
Value /\bMonthly Sales Figures\b/
Score

Add the meta rule to match both sub rules filling in the score and description:

Directive Value
Name LOCAL_NEWS_SALES_FIGURES
Description Test for sales figures
Type meta
Value (__LOCAL_FROM_NEWS && __LOCAL_SALES_FIGURES)
Score -1.0

Scoring

  • rules with a score set to 0 are not evaluated at all
  • rules with no score statement will be scored at 1.0, unless 3 or 4 is true
  • rules starting with a double underscore are evaluated with no score, and are intended for use in meta rules where you don't want the sub-rules to have a score.
  • although intended for the sa development effort, any rule starting with T_ will be treated as a "test" rule and will be run with a score of 0.01 (nearly 0). This can be handy when testing rules so you don't have to create score lines for them if you think you're not going to keep them.

Advanced Scoring

Score commands can have 1 or 4 parameters. If there is only one parameter then that score is used all the time. Example:

score LOCAL_DEMONSTRATION_ALL   0.1

With four parameters. Example:

score LOCAL_DEMONSTRATION_ALL   0.1 0.3 0.3. 0.1
  1. The first parameter applies when the Bayesian classifier and network tests are not in use.
  2. The second parameter applies when the Bayesian classifier is not in use, but the network tests are.
  3. The third parameter applies when the Bayesian classifier is in use, but network tests are not.
  4. The fourth parameter applies when the Bayesian classifier and network tests are both in use.