Need some help writing my own SA rules

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Need some help writing my own SA rules

Post by ovizii »

Hi there,

I've done some digging and found out that I can write rules like this:

Code:

meta            _jacob_MULTI_BL ((DIGEST_MULTIPLE + C_RBL_PSKY_BAD + C_RBL_PSKY_POOR) >= 2)
describe        _jacob_MULTI_BL Hits way too many lists
score           _jacob_MULTI_BL 3.50

meaning that rule would add 3.5 to the SA score if 2 or more of those 3 listed rules were already hit.

Alternatively I can check if 2 specific rules are being hit:

Code:

meta            _jacob_MULTI_BL (DIGEST_MULTIPLE && C_RBL_PSKY_BAD)
describe        _jacob_MULTI_BL Hits way too many lists
score           _jacob_MULTI_BL 3.50

means that if those 2 rules are hit, a score of 3.5 gets added.

Now what I am trying and failing to do is get something like this to work:

Code:

meta            _jacob_MULTI_BL ((DIGEST_MULTIPLE + (C_RBL_PSKY_BAD || C_RBL_PSKY_POOR) + (SO_PUB_URIBL_DOMAIN_BL || C_RBL_UCE1)) >= 2)
describe        _jacob_MULTI_BL Hits way too many lists
score           _jacob_MULTI_BL 3.50

meaning I want to check whether DIGEST_MULTIPLE and at least one out of each of the other 2 rule groups are being hit, but "||" seems not to work in this case.
Last edited by ovizii on 24 May 2016 09:42, edited 2 times in total.
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Need some help writing my own SA rules

Post by pdwalker »

Quick idea: can you examine the existing rule sets and see if there are any with an "or" conditional, then use that for comparison?

Otherwise, it's off to the SpamAssassin wiki to read about how to write the rules.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

The wiki doesn't mention OR relationships: https://wiki.apache.org/spamassassin/WritingRules

The only example I can find which seems to work is this one from KAM.cf:

Code:

meta            KAM_REFI        (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (__KAM_SHORT ||  AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
###edit###
It was just me missing a closing bracket :-(


This works now!!!

Code:

meta            _jacob_MULTI_BL (DIGEST_MULTIPLE + (C_RBL_PSKY_BAD || C_RBL_PSKY_POOR) + (RCVD_IN_FMBBL_CIDR28 || RCVD_IN_FMBBL_CIDR27 || RCVD_IN_FMBBL_CIDR26) + (RDNS_NONE || BOTNET_NORDNS) + (SO_PUB_SNDR_DOMAIN_DKIM_BL || SO_PUB_SNDR_DOMAIN_DKIM_10 || SO_PUB_SNDR_DOMAIN_DKIM_20) + (SENDERSCORE_BLACK || SENDERSCORE_000) + (URIBL_BLACK || RCVD_IN_IPREPDNS_0 || C_RBL_DNSBL_INPS_DE || RCVD_IN_FMBBL || RCVD_IN_PSBL || C_RBL_IMP_SPAMLIST || C_RBL_HOSTKARMA_BL || C_RBL_BLOCKLIST_DE || C_RBL_WPBL || RCVD_IN_BL_SPAMCOP_NET || SO_PUB_URIBL_DOMAIN_BL || C_RBL_UCE1 || C_RBL_S5HBL || C_RBL_UCE2) >= 3)
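
Added example (not part of the original posts and not SpamAssassin's own code): a small Python evaluator for meta expressions of the shape used in this thread, showing how a summed `>= 2` expression and an `&&` form evaluate for a given set of hit rules, and how a missing closing bracket surfaces as a parse error. It assumes every rule contributes 1 when hit and 0 otherwise, and supports only `+`, `>=`, `&&`, `||` and brackets; `evaluate`, `EXPR_COUNT` and `EXPR_ALL` are hypothetical names.

```python
import re

# Simplified model of meta-rule arithmetic: +, >=, &&, || and brackets only.
TOKEN = re.compile(r"\s*(\|\||&&|>=|[()+]|\d+|[A-Za-z_]\w*)")

def evaluate(expr, hits):
    """Assumption: a rule name counts as 1 if it is in `hits`, else 0."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError("unsupported character in expression")
    pos = 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'operand'}, got {tok!r}")
        pos += 1
        return tok
    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            take(")")  # a missing closing bracket is reported here
            return val
        if tok in (")", "+", "||", "&&", ">="):
            raise ValueError(f"expected operand, got {tok!r}")
        return int(tok) if tok.isdigit() else int(tok in hits)
    def binary(sub, op, combine):  # left-associative chain of one operator
        def parse():
            val = sub()
            while peek() == op:
                take()
                val = combine(val, sub())
            return val
        return parse
    sum_expr = binary(atom, "+", lambda a, b: a + b)
    cmp_expr = binary(sum_expr, ">=", lambda a, b: int(a >= b))
    and_expr = binary(cmp_expr, "&&", lambda a, b: int(bool(a and b)))
    or_expr = binary(and_expr, "||", lambda a, b: int(bool(a or b)))
    result = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected {peek()!r}: unbalanced brackets?")
    return result

# Expressions built from rule names in this thread; the hit sets are constructed.
EXPR_COUNT = "((DIGEST_MULTIPLE + (C_RBL_PSKY_BAD || C_RBL_PSKY_POOR) + (SO_PUB_URIBL_DOMAIN_BL || C_RBL_UCE1)) >= 2)"
EXPR_ALL = "(DIGEST_MULTIPLE && (C_RBL_PSKY_BAD || C_RBL_PSKY_POOR) && (SO_PUB_URIBL_DOMAIN_BL || C_RBL_UCE1))"
```

With the hit set `{"C_RBL_PSKY_BAD", "C_RBL_UCE1"}`, `EXPR_COUNT` evaluates to 1 and `EXPR_ALL` to 0, because each bracketed `||` group adds at most 1 to the sum regardless of which group it is.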
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Need some help writing my own SA rules

Post by pdwalker »

:clap:
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

Might be nice to add this kind of info to the wiki.
I have asked for a wiki account but had no reply yet...
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Need some help writing my own SA rules

Post by shawniverson »

I'll check and see if I can add you to the wiki, sorry about that... (not sure if I can, but I'll check. If not, I'll bug darky83...)
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

No pressure, I'm just offering.
I know I'm asking tons of questions since I'm new, and I'm writing them down for myself, so I thought I could add some of that info to the wiki too.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

I'm testing some rules based on headers in the received emails now and was wondering if there is a way to have something like a placeholder for all domains EFA is accepting emails for?

My dilemma is basically that every time I add a domain my EFA instance is supposed to accept email for, I would need to go and add a copy of said rule with the new domain.
Something like:

Code:

/\@domain1.tld/i
/\@domain2.tld/i
/\@domain3.tld/i

replaced by some kind of placeholder?

Code:

/\@[domain.tld]/i
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Need some help writing my own SA rules

Post by shawniverson »

Hmm...scratching my head...are these domains similar in pattern or completely different?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

Huh? Well, I'd say they are similar as they all look like domain.tld ;-)

Maybe I should try to explain a little better what I'm trying to do:

I'd like to have a check like this for every domain hosted on my EFA panel:

Code:

#header        REPLY_KE_INREPLYTO      In-Reply-To =~ /\@domain.tld/i

without having to create 1 check for each domain, hence my question for a placeholder.
Basically the placeholder would check vs entries from /etc/postfix/transport, everything listed after: ###### START E.F.A ADDED DOMAINS ######

Does that make more sense now?
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Need some help writing my own SA rules

Post by pdwalker »

As far as I know, spamassassin only supports regular expressions and does not support includes. So, you'll have to create a chain of "or" conditions to test the domains, or create a rule for each tested domain.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

OK; thanks. Can you use "OR" inside a regex?

So instead of having:

Code:

#header        REPLY_KE1_INREPLYTO      In-Reply-To =~ /\@domain1.tld/i
#header        REPLY_KE2_INREPLYTO      In-Reply-To =~ /\@domain2.tld/i
#header        REPLY_KE3_INREPLYTO      In-Reply-To =~ /\@domain3.tld/i

could you have something like:

Code:

#header        REPLY_KE_INREPLYTO      In-Reply-To =~ /\@domain1.tld||domain2.tld||domain3.tld/i

I'm just really bad with regex (I assume that is regex?)
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Need some help writing my own SA rules

Post by pdwalker »

Good question. Answer? No idea.

However, we can look to the existing spamassassin tests to see if we can find a workable example for you to start with and from what I can see, they do something like the following:

Code:

header    __MY_DOMAIN_1 In-Reply-To =~ /\@domain1.tld/i
header    __MY_DOMAIN_2 In-Reply-To =~ /\@domain2.tld/i
header    __MY_DOMAIN_3 In-Reply-To =~ /\@domain3.tld/i
meta      MY_DOMAINS ( __MY_DOMAIN_1 || __MY_DOMAIN_2 || __MY_DOMAIN_3 )
describe  MY_DOMAINS something to do with my domains in the in-reply-to field
score     MY_DOMAINS <some number>

Could you write that as

Code:

header    MY_DOMAINS In-Reply-To =~ /\@domain1.tld/i || In-Reply-To =~ /\@domain2.tld/i || In-Reply-To =~ /\@domain3.tld/i

Maybe. I don't know, I didn't find any examples of spamassassin doing it that way - so maybe it doesn't work? You can test that if you like and see if it does, otherwise run with the first example.
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Need some help writing my own SA rules

Post by pdwalker »

Alternatively, we could write your example as either of these two:

Code:

#header        REPLY_KE_INREPLYTO      In-Reply-To =~ /\@domain[1-3].tld/i
#header        REPLY_KE_INREPLYTO      In-Reply-To =~ /\@(domain1.tld|domain2.tld|domain3.tld)/i

More information about writing spamassassin rules and using perl regular expressions can be found here:

https://wiki.apache.org/spamassassin/WritingRules
http://perldoc.perl.org/perlre.html
https://www.cs.tut.fi/~jkorpela/perl/regexp.html

Just be warned that I am not a regex expert, and my examples might fail spectacularly.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Need some help writing my own SA rules

Post by ovizii »

Your second example:

Code:

header        REPLY_KE_INREPLYTO      In-Reply-To =~ /\@(domain1.tld|domain2.tld|domain3.tld)/i

works perfectly, tested with: https://regex101.com/

Your help and links are highly appreciated.
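
Added example (not part of the original posts and not eFa or SpamAssassin code): since the rules themselves cannot take a placeholder, the single alternation rule can be generated from the entries after the marker in /etc/postfix/transport. This sketch assumes each entry after the marker starts with the domain name; the function names are hypothetical, and escaping the dots plus the trailing lookahead (so that a longer hostname such as domain1.tld.example.net does not match) are additions beyond the pattern posted in the thread.

```python
import re

MARKER = "###### START E.F.A ADDED DOMAINS ######"  # marker named in the thread
PLAIN_DOMAIN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def domains_after_marker(transport_text):
    """Assumption: each entry after the marker starts with the domain name."""
    domains, active = [], False
    for line in transport_text.splitlines():
        line = line.strip()
        if line == MARKER:
            active = True
        elif active and line and not line.startswith("#"):
            name = line.split()[0].lower()
            # Keep plain domains only; skip user@domain or wildcard patterns.
            if PLAIN_DOMAIN.fullmatch(name) and name not in domains:
                domains.append(name)
    return domains

def pattern_for(domains):
    """Regex body: dots escaped, and no longer hostname may follow the match."""
    if not domains:
        raise ValueError("no domains found, refusing to emit an empty rule")
    alternatives = "|".join(d.replace(".", r"\.") for d in domains)
    return r"\@(?:" + alternatives + r")(?![\w.-])"

def build_rule(domains, name="REPLY_KE_INREPLYTO"):
    return f"header {name} In-Reply-To =~ /{pattern_for(domains)}/i"

# Constructed sample, not a real eFa transport file.
SAMPLE = """\
mail.example.net    smtp:[192.0.2.5]:25
###### START E.F.A ADDED DOMAINS ######
domain1.tld    smtp:[192.0.2.10]:25
domain2.tld    smtp:[192.0.2.11]:25
Domain2.TLD    smtp:[192.0.2.11]:25
domain3.tld    smtp:[192.0.2.12]:25
"""

if __name__ == "__main__":
    print(build_rule(domains_after_marker(SAMPLE)))
```

Regenerate the rule file whenever a domain is added and check it with `spamassassin --lint` before reloading.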