Need some help writing my own SA rules
Posted: 24 May 2016 07:35
by ovizii
Hi there,
I've done some digging and found out that I can write rules like this:
Code:
meta _jacob_MULTI_BL ((DIGEST_MULTIPLE + C_RBL_PSKY_BAD + C_RBL_PSKY_POOR) >= 2)
describe _jacob_MULTI_BL Hits way too many lists
score _jacob_MULTI_BL 3.50
meaning that rule would add 3.5 to the SA score if 2 or more of those 3 listed rules were already hit.
Alternatively I can check if 2 specific rules are being hit:
Code:
meta _jacob_MULTI_BL (DIGEST_MULTIPLE && C_RBL_PSKY_BAD)
describe _jacob_MULTI_BL Hits way too many lists
score _jacob_MULTI_BL 3.50
means that if those 2 rules are hit a score of 3.5 gets added
Now what I am trying and failing to do is get something like this to work:
Code:
meta _jacob_MULTI_BL ((DIGEST_MULTIPLE + (C_RBL_PSKY_BAD || C_RBL_PSKY_POOR) + (SO_PUB_URIBL_DOMAIN_BL || C_RBL_UCE1)) >= 2)
describe _jacob_MULTI_BL Hits way too many lists
score _jacob_MULTI_BL 3.50
meaning I want to check whether DIGEST_MULTIPLE and at least one out of each of the other 2 rule groups are being hit, but it seems not to work in this case
Re: Need some help writing my own SA rules
Posted: 24 May 2016 09:33
by pdwalker
Quick idea: can you examine the existing rule sets and see if there are any with an "or" conditional, then use that for comparison?
Otherwise, it's off to the spamassassin wiki to read about how to write the rules.
Re: Need some help writing my own SA rules
Posted: 24 May 2016 09:41
by ovizii
The wiki doesn't mention OR relationships:
https://wiki.apache.org/spamassassin/WritingRules
The only example I can find which seems to work is this one from KAM.cf
Code:
meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (__KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
###edit###
It was just me missing a closing bracket
This works now!!!
Code:
meta _jacob_MULTI_BL (DIGEST_MULTIPLE + (C_RBL_PSKY_BAD || C_RBL_PSKY_POOR) + (RCVD_IN_FMBBL_CIDR28 || RCVD_IN_FMBBL_CIDR27 || RCVD_IN_FMBBL_CIDR26) + (RDNS_NONE || BOTNET_NORDNS) + (SO_PUB_SNDR_DOMAIN_DKIM_BL || SO_PUB_SNDR_DOMAIN_DKIM_10 || SO_PUB_SNDR_DOMAIN_DKIM_20) + (SENDERSCORE_BLACK || SENDERSCORE_000) + (URIBL_BLACK || RCVD_IN_IPREPDNS_0 || C_RBL_DNSBL_INPS_DE || RCVD_IN_FMBBL || RCVD_IN_PSBL || C_RBL_IMP_SPAMLIST || C_RBL_HOSTKARMA_BL || C_RBL_BLOCKLIST_DE || C_RBL_WPBL || RCVD_IN_BL_SPAMCOP_NET || SO_PUB_URIBL_DOMAIN_BL || C_RBL_UCE1 || C_RBL_S5HBL || C_RBL_UCE2) >= 3)
Re: Need some help writing my own SA rules
Posted: 24 May 2016 09:50
by pdwalker
Re: Need some help writing my own SA rules
Posted: 24 May 2016 10:01
by ovizii
might be nice to add this kind of info to the wiki.
I have asked for a wiki account but had no reply yet...
Re: Need some help writing my own SA rules
Posted: 30 May 2016 12:15
by shawniverson
I'll check and see if I can add you to the wiki, sorry about that... (not sure if I can, but I'll check. If not, I'll bug darky83...)
Re: Need some help writing my own SA rules
Posted: 30 May 2016 12:20
by ovizii
no pressure, I'm just offering.
I know I'm asking tons of questions since I'm new and I'm writing them down for myself so I thought I could add some of that info to the wiki woo
Re: Need some help writing my own SA rules
Posted: 06 Jul 2016 08:26
by ovizii
I'm testing some rules based on headers in the received emails now and was wondering if there is a way to have something like a placeholder for all domains EFA is accepting emails for?
My dilemma is basically that every time I add a domain my EFA instance is supposed to accept email for I would need to go and add a copy of said rule with the new domain.
something like:
replaced by some kind of placeholder?
Re: Need some help writing my own SA rules
Posted: 06 Jul 2016 22:19
by shawniverson
Hmm...scratching my head...are these domains similar in pattern or completely different?
Re: Need some help writing my own SA rules
Posted: 07 Jul 2016 06:32
by ovizii
Huh? well, I'd say they are similar as they all look like domain.tld
Maybe I should try to explain a little better what I'm trying to do:
I'd like to have a check like this for every domain hosted on my EFA panel:
Code:
#header REPLY_KE_INREPLYTO In-Reply-To =~ /\@domain\.tld/i
without having to create 1 check for each domain, hence my question for a placeholder.
Basically the placeholder would check vs entries from /etc/postfix/transport everything listed after: ###### START E.F.A ADDED DOMAINS ######
Does that make more sense now?
Re: Need some help writing my own SA rules
Posted: 07 Jul 2016 07:30
by pdwalker
As far as I know, spamassassin only supports regular expressions and does not support includes. So, you'll have to create a chain of "or" conditions to test the domains, or create a rule for each tested domain.
Re: Need some help writing my own SA rules
Posted: 07 Jul 2016 07:39
by ovizii
OK; thanks. Can you use "OR" inside a regex?
so instead of having:
Code:
#header REPLY_KE1_INREPLYTO In-Reply-To =~ /\@domain1\.tld/i
#header REPLY_KE2_INREPLYTO In-Reply-To =~ /\@domain2\.tld/i
#header REPLY_KE3_INREPLYTO In-Reply-To =~ /\@domain3\.tld/i
could you have something like:
Code:
#header REPLY_KE_INREPLYTO In-Reply-To =~ /\@domain1.tld||domain2.tld||domain3.tld/i
I'm just really bad with regex (I assume that is regex?)
Re: Need some help writing my own SA rules
Posted: 07 Jul 2016 08:39
by pdwalker
Good question. Answer? No idea.
However, we can look to the existing spamassassin tests to see if we can find a workable example for you to start with and from what I can see, they do something like the following:
Code:
header __MY_DOMAIN_1 In-Reply-To =~ /\@domain1\.tld/i
header __MY_DOMAIN_2 In-Reply-To =~ /\@domain2\.tld/i
header __MY_DOMAIN_3 In-Reply-To =~ /\@domain3\.tld/i
meta MY_DOMAINS ( __MY_DOMAIN_1 || __MY_DOMAIN_2 || __MY_DOMAIN_3 )
describe MY_DOMAINS something to do with my domains in the in-reply-to field
score MY_DOMAINS <some number>
Could you write that as
Code:
header MY_DOMAINS In-Reply-To =~ /\@domain1.tld/i || In-Reply-To =~ /\@domain2.tld/i || In-Reply-To =~ /\@domain3.tld/i
maybe. I don't know, I didn't find any examples of spamassassin doing it that way - so maybe it doesn't work? You can test that if you like and see if it does, otherwise run with the first example.
Re: Need some help writing my own SA rules
Posted: 07 Jul 2016 08:52
by pdwalker
Alternatively, we could write your example as either of these two:
Code:
#header REPLY_KE_INREPLYTO In-Reply-To =~ /\@domain[1-3]\.tld/i
#header REPLY_KE_INREPLYTO In-Reply-To =~ /\@(domain1\.tld|domain2\.tld|domain3\.tld)/i
More information about writing spamassassin rules and using perl regular expressions can be found here:
https://wiki.apache.org/spamassassin/WritingRules
http://perldoc.perl.org/perlre.html
https://www.cs.tut.fi/~jkorpela/perl/regexp.html
Just be warned that I am not a regex expert, and my examples might fail spectacularly.
Re: Need some help writing my own SA rules
Posted: 07 Jul 2016 08:59
by ovizii
Your second example:
Code:
header REPLY_KE_INREPLYTO In-Reply-To =~ /\@(domain1\.tld|domain2\.tld|domain3\.tld)/i
works perfectly, tested with:
https://regex101.com/
Your help and links are highly appreciated.
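Added example (not part of the original thread, and not EFA or SpamAssassin project code): since SpamAssassin has no include or placeholder for the hosted-domain list, one way to avoid hand-editing the rule is to generate the alternation rule from /etc/postfix/transport. The sketch below assumes each line after the marker starts with the domain followed by whitespace and the transport; the sample file content is constructed, and the function names are hypothetical. It escapes the dots and adds a lookahead so that a longer host name beginning with a hosted domain does not match.

```python
import re

# Marker line quoted in the thread; the "domain<whitespace>transport" layout
# of the lines below it is an assumption about the file.
MARKER = "###### START E.F.A ADDED DOMAINS ######"
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample input, not taken from a real system.
SAMPLE_TRANSPORT = """\
legacy.example smtp:[192.0.2.5]:25
###### START E.F.A ADDED DOMAINS ######
example.com smtp:[192.0.2.10]:25
Example.ORG smtp:[192.0.2.11]:25
# commented.example smtp:[192.0.2.12]:25
* smtp:[192.0.2.13]:25
"""

def domains_after_marker(transport_text):
    """Return the sorted, de-duplicated domains listed after MARKER."""
    found, in_block = set(), False
    for raw in transport_text.splitlines():
        line = raw.strip()
        if line == MARKER:
            in_block = True
            continue
        if not in_block or not line or line.startswith("#"):
            continue
        key = line.split()[0].lower()
        if DOMAIN_RE.match(key):      # skips wildcards and anything odd
            found.add(key)
    return sorted(found)

def build_pattern(domains):
    """Regex body: '@' + any listed domain, not followed by more host name."""
    if not domains:
        raise ValueError("no domains found; refusing to emit an empty alternation")
    # DOMAIN_RE admits only [a-z0-9.-], so '.' is the only metacharacter.
    alt = "|".join(d.replace(".", r"\.") for d in domains)
    return r"\@(?:%s)(?![\w.-])" % alt

def build_rule(domains, name="REPLY_KE_INREPLYTO", header="In-Reply-To"):
    """One SpamAssassin header rule covering every domain in the list."""
    return "header %s %s =~ /%s/i" % (name, header, build_pattern(domains))

if __name__ == "__main__":
    print(build_rule(domains_after_marker(SAMPLE_TRANSPORT)))
```

Write the output to a local .cf file and check it with `spamassassin --lint` before reloading; rerun the script whenever a domain is added.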