can anyone suggest a custom SA rule

Discuss the ConfigServer MailScanner Front-End script
Post Reply
keat63
Junior Member
Posts: 93
Joined: 17 Dec 2014, 14:50

can anyone suggest a custom SA rule

Post by keat63 »

After a week, i'm finally getting to grips with MS and spam assisin, however, could anyone suggest a custom SA rule to score these.

We get a number of spam where the from field contains a valid user with = followed by domainand @

eg: anyword-user=mydomain.co.uk@spammersdomain.com

Basically I'm looking to add a score if the 'from field' contains the exact phrase '=mydomain.co.uk@'
keat63
Junior Member
Posts: 93
Joined: 17 Dec 2014, 14:50

Re: can anyone suggest a custom SA rule

Post by keat63 »

example headers from one of the emails

Received: from mail208.atl61.xxxx.net ([xxx.xx.xxx.xxx]:20649)
by my.server.co.uk with esmtp (Exim 4.89)
(envelope-from <bounce-mc.us4_8899577.1056541-sales=mydomain.co.uk@mail208.atl61.xxxx.net>)
id 1dLVyp-0001AS-3Z
keat63
Junior Member
Posts: 93
Joined: 17 Dec 2014, 14:50

Re: can anyone suggest a custom SA rule

Post by keat63 »

this seems to work

header MY_RULE_NAME Received =~ /bounce/
score MY_RULE_NAME 1..0


I'm still experimenting with a domain name
keat63
Junior Member
Posts: 93
Joined: 17 Dec 2014, 14:50

Re: can anyone suggest a custom SA rule

Post by keat63 »

I'm still struggling with this one if anyone can help at all.

(envelope-from <bounce-mc.us4_8899577.1056541-sales=mydomain.co.uk@mail208.atl61.xxxx.net>)

I'm looking to score this phrase "sales=mydomain.co.uk@"


I see a rule in SA which may do the trick if I could get the rejex right.
header LOCAL_DEMONSTRATION_ALL ALL =~ /test\.com/i
score LOCAL_DEMONSTRATION_ALL 0.1
keat63
Junior Member
Posts: 93
Joined: 17 Dec 2014, 14:50

Re: can anyone suggest a custom SA rule

Post by keat63 »

After a number of experiments and waiting for these emails to arrive, I may have figured it out.
Just in case anyone else needs this, this is what I came up with.

header FROM_YOURRULENAME ALL =~ /mydomain\.co\.uk@/i
score FROM_YOURRULENAME 0.1

Giving it a very low score for testing purposes.
Sergio
Junior Member
Posts: 1427
Joined: 12 Dec 2006, 14:56

Re: can anyone suggest a custom SA rule

Post by Sergio »

Hi, Keat63.

SA rules have a lot of futures that make them to run faster or slow when you check the email.

If you want to check for a FROM domain or email address the best way on doing this is to use "From:" instead of "All", The reason is very simple, FROM will check only that, header while ALL will check all headers in a message and make that more time consuming for your server.

The rule that you want will be better as:
header FROM_YOURRULENAME From: =~ /mydomain\.co\.uk@/i
score FROM_YOURRULENAME 0.1
describe FROM_YOURRULENAME Blocked domain

The "describe" section is optional but I like to use in all my SA rules as MailScanner will save that info to show what rule has been triggered.

Sergio
Post Reply