Create a simple spamassassin rule to catch words

Author:

Not so often we need to write our custom rules for fighting against spam, but sometimes we need it, because a spammer just wanted to target specifically our server or clients. If you use spamassassin here what you can do to create a simple rule to find words and rate the message with a desired score, which will (probably) mark it as a spam.
The template is as follows:

  • headers search, the example template is for the Subject header, but you could any other header name.
    header <RULENAME> Subject =~ /word1, word2, word3, ..., wordN/
    score <RULENAME> <score>
    describe <RULENAME> <description>
    
  • body search
    body <RULENAME> /word1, word2, word3, ..., wordN/
    score <RULENAME> <score>
    describe <RULENAME> <description>
    

Set these 3 lines (or the 6 above for the headers and body) in your user_prefs.cf file, which is probably here:

  • /etc/mail/spamassassin/local.cf – CentOS 7
  • /etc/spamassassin/ – Ubuntu 16/17, Gentoo
  • ~/.spamassassin/user_prefs.cf – custom file per user

Here is example of the rules:

header CONTAINS_VIG Subject =~ /apple, orange/
score CONTAINS_VIG 1.5
describe CONTAINS_VIG Bad Word fruits in the Subject
body CONTAINS_PEN /apple, orange/
score CONTAINS_PEN 1.5
describe CONTAINS_PEN Bad Word in the Body

Catch messages in the Subject and body containing apple and orange and add to the scoring system 1.5, for your purses you may need to increase the scoring drastically it depends on your required score for spam (check for it in local.cf).

* Update

As of Rob Morin proposed in the comments it is a good idea to add “/i” to catch lower and capital letters (“ignore case”) like this:

header CONTAINS_VIG Subject =~ /apple, orange/i
score CONTAINS_VIG 1.5
describe CONTAINS_VIG Bad Word fruits in the Subject
body CONTAINS_PEN /apple, orange/i
score CONTAINS_PEN 1.5
describe CONTAINS_PEN Bad Word in the Body

2 thoughts on “Create a simple spamassassin rule to catch words”

  1. But header CONTAINS_VIG Subject =~ /apple, orange/
    will only catch lower case you should add /i for any case.
    🙂
    Rob…

  2. Shouldn’t it be in this form to catch word “apple” or word “orange” (or both)?
    header CONTAINS_VIG Subject =~ /(apple|orange)/i

Leave a Reply

Your email address will not be published. Required fields are marked *