SpamAssassin performs its spam-checking by applying a series of rules to an email message. Most rules examine the message headers or body for patterns that are suggestive of spam while others perform Internet lookups against network-based blacklists of IP addresses or checksums of spam messages. Each positive test yields a score, and the sum of the scores is the total spam score of the message.
| Directive | Description |
|---|---|
| Name | A test name, consisting of up to 22 uppercase letters, numbers, or underscores. Names that begin T_ refer to rules in testing. |
| Description | A more verbose description of the test, which is used in the reports generated by SpamAssassin. Typically, descriptions are up to 50 characters long. |
| Type | An indication of where to look. Tests can be applied to the message headers only, the message body only, uniform resource identifiers (URIs) in the message body, or the complete message. |
| Value | A description of what to look for. Tests can specify a header to check for existence, a Perl regular expression pattern to match, a DNS-based blacklist to query, or a SpamAssassin function to evaluate. |
| Score | A score or scores for the test. Tests can have a single score that is always used, or they can have separate scores for messages that test positive under each of a set of conditions. |
| Type | Description |
|---|---|
| body | Search the body of the message with a regular expression and if it matches, the corresponding score is assigned. Body rules also include the Subject as the first line of the body content. |
| header | Check a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones. |
| uri | Match text in the URI's contained in plain text and HTML sections of mail. This is very handy for searching for links containing spam advertised sites. |
| rawbody | Search the body of the email without certain kinds of preprocessing that SA normally does before trying body rules. In particular HTML tags won't be stripped and line breaks will still be present. This allows you to create rules searching for HTML tags or HTML comments that are signs of spam or nonspam, or particular patterns of line-break. |
| meta | Boolean or arithmetic combinations of other rules. This allows you to do things like create a meta rule which fires off when both a header and a body rule are true at the same time. |
| mimeheader | Perform tests against the MIME headers of a message. |
| uri_block_cc | Used by the URILocalBL plugin to match country codes. This rule applies to the URIs found in the HTML portion of a message. |
| uri_block_cont | Used by the URILocalBL plugin to match continents. This rule applies to the URIs found in the HTML portion of a message. |
| uri_block_cidr | Used by the URILocalBL plugin to match CIDRs. This rule applies to the URIs found in the HTML portion of a message. |
| uri_block_isp | Used by the URILocalBL plugin to match ISPs. This rule applies to the URIs found in the HTML portion of a message. This requires the GeoIPISP database. There is no fremium version of this database, so commercial licensing is required. |
| uri_block_exclude | Used by the URILocalBL plugin to exclude URIs. This rule applies to the URIs found in the HTML portion of a message. |
• Any value not wrapped in delimiters will be escaped and have their delimiters added automatically.
• Adding i after the value delimiter e.g./test/imeans that patern match will be case insensitive.
Used to override an existing rule score.
| Directive | Value |
|---|---|
| Name | DCC_CHECK |
| Description | Override the DCC default rule score to add more weight. |
| Type | no type |
| Value | leave empty |
| Score | 5.0 |
Simple case-sensitive search of the body of the email for the string "test" and adds a 0.1 to the score of the email if it finds it:
| Directive | Value |
|---|---|
| Name | LOCAL_DEMONSTRATION_RULE |
| Description | This is a simple test rule to check the body for matching text |
| Type | body |
| Value | /test/ |
| Score | 0.1 |
Header rules let you check a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones. Simple case-insensitive search of the subject of the email for the string "test" and adds a 0.1 to the score of the email if it finds it:
| Directive | Value |
|---|---|
| Name | LOCAL_DEMONSTRATION_SUBJECT |
| Description | This is a simple test rule to check the subject for matching text |
| Type | header |
| Value | Subject =~ /test/i |
| Score | 0.1 |
URI rules are very simple, they only match text in the URI's contained in plain text and HTML sections of mail. This is very handy for searching for links containing spam advertised sites.
This rule will check for web links to www.example.com/OrderViagra/
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to check for a matching URL |
| Type | uri |
| Value | /www\.example\.com\/OrderViagra\// |
| Score | 0.1 |
Meta rules are rules that are boolean or arithmetic combinations of other rules. This allows you to do things like create a meta rule which fires off when both a header and a body rule are true at the same time. The following example uses a boolean check and will add a negative score to emails from test@example.com containing the body text "Monthly Sales Figures"
Add the sub rule for the header leaving the description and score blank:
| Directive | Value |
|---|---|
| Name | __LOCAL_FROM_NEWS |
| Description | |
| Type | header |
| Value | From =~ /test\@example\.com/i |
| Score |
Add the sub rule for the body leaving the description and score blank:
| Directive | Value |
|---|---|
| Name | __LOCAL_SALES_FIGURES |
| Description | |
| Type | body |
| Value | /\bMonthly Sales Figures\b/ |
| Score |
Add the meta rule to match both sub rules filling in the score and description:
| Directive | Value |
|---|---|
| Name | LOCAL_NEWS_SALES_FIGURES |
| Description | Test for sales figures |
| Type | meta |
| Value | (__LOCAL_FROM_NEWS && __LOCAL_SALES_FIGURES) |
| Score | -1.0 |
Memheader rules will allow you to match any mimeheaders.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to check for a matching exe file extension. |
| Type | mimeheader |
| Value | Content-Type =~ /name=\".*\.exe\"/i |
| Score | 3.25 |
Used by the URILocalBL plugin to match country codes. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with URIs found in Afganista and Armenia. |
| Type | uri_block_cc |
| Value | af am |
| Score | 3.25 |
Used by the URILocalBL plugin to match continents. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with URIs found in Africa and South America. |
| Type | uri_block_cont |
| Value | af sa |
| Score | 3.25 |
Used by the URILocalBL plugin to match CIDRs This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with the CIDRs 198.51.100.0/24 and 203.0.113.0/24. |
| Type | uri_block_cidr |
| Value | 198.51.100.0/24 203.0.113.0/24 |
| Score | 3.25 |
Used by the URILocalBL plugin to match ISPs. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to match messages with ISPs. |
| Type | uri_block_isp |
| Value | "DataRancid" "McCarrier" "Phishers-r-Us" |
| Score | 3.25 |
Used by the URILocalBL plugin to exclude URIs. This rule applies to the URIs found in the HTML portion of a message.
| Directive | Value |
|---|---|
| Name | LOCAL_URI_EXAMPLE |
| Description | This is a simple test rule to exclude URIs. |
| Type | uri_block_exclude |
| Value | www.baidu.com" |
| Score | leave blank |
• If only the first score is provided then it will be used for every score.
• Rules with a score set to 0 are not evaluated at all.
• Rules with no score statement will be scored at 1.0, unless 3 or 4 is true.
• Rules starting with a double underscore are evaluated with no score, and are intended for use in meta rules where you don't want the sub-rules to have a score.
• Although intended for the sa development effort, any rule starting with T_ will be treated as a "test" rule and will be run with a score of 0.01 (nearly 0).
| Column | Description |
|---|---|
| Name | The rule name. |
| Description | The rule description. |
| Channel | The rule update channel. |
| Category | The rule category determined by the current score. |
| First score | Bayesian classifier and network tests are not in use. |
| Second score | Bayesian classifier is not in use, but the network tests are. |
| Third Score | Bayesian classifier is in use, but network tests are not. |
| Fourth Score | Bayesian classifier and network tests are both in use. |
• You must enable the RuleStatistics plugin under Warden -> Anti-spam Settings -> Plugin Settings -> RuleStatistics in order to Log real-time per-rule statistics for each email.
• Rule names containing the patternsWHITELIST,BLACKLISTorGTUBEare not logged as they would skew the contribution scores for the statistics.
| Column | Description |
|---|---|
| Created | The date and time the entry was created. |
| Name | The rule name. |
| Description | The rule description. |
| Category | The rule category determined by the current score. |
| Ham | The number of messages detected as spam. |
| Spammy | The number of messages detected as spammy. |
| Spam | The number of messages detected as spam. |
| Total | The total number of messages. |
| Score | The current score of the rule. |
| Min score | The minimum score of a message that the rule contributed to. |
| Max score | The maximum score of a message that the rule contributed to. |
| Avg score | The average score of a message that the rule contributed to. |
| Total score | The total score of a message that the rule contributed to. |
| Ham rate | The ham hit rate. |
| Spammy rate | The spammy hit rate. |
| Spam rate | The spam hit rate. |
| Ham/Spammy | The ham to spammy hit ratio. |
| Ham/Spam | The ham to spam hit ratio. |