
Proxmox Mail Gateway Spamassassin Custom Rules

1. To add custom SpamAssassin rules to PMG, put them in /etc/mail/spamassassin/custom.cf.

# Greeting words (hey/hi/hai/hello) anywhere in the message body.
# The (?!@) lookahead skips a word that is directly followed by "@",
# e.g. the local part of an address such as hello@...
# NOTE(review): these words are common in ordinary mail, so expect hits on
# legitimate messages; treat this as a weak signal that only matters in
# combination with other rules.
body            TOO_POLITE      /\b(hey|hi|hai|hello)(?!@)\b/i
describe        TOO_POLITE      Hey/Hi/Hai/Hello greetings
#score          TOO_POLITE      1.973
score           TOO_POLITE      1.0

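# Subjects sent as RFC 2047 encoded-words in UTF-8, i.e. "=?utf-8?B?...?=" or
# "=?utf-8?Q?...?=". The rule reads Subject:raw so it sees the undecoded header.
# The "?" delimiters are escaped so they match literally; left unescaped they
# act as regex quantifiers and the pattern degrades to matching any "utf-"
# substring in the raw subject.
# NOTE(review): UTF-8 encoded subjects are normal in legitimate non-ASCII mail,
# so this is a weak signal; confirm the score suits your user base.
header          SUBJ_UTF8       Subject:raw =~ /=\?utf-8\?.\?/i
describe        SUBJ_UTF8       Subject with UTF-8 encoding
score           SUBJ_UTF8       1.0

# Subjects sent as RFC 2047 encoded-words in one of the EUC charsets.
# Each __EUC_* sub-rule (the "__" prefix keeps it unscored) tests one charset;
# SUBJ_EUC fires when any of them matches. The "?" delimiters are escaped for
# the same reason as in SUBJ_UTF8.
header          __EUC_CN        Subject:raw =~ /=\?euc-cn\?.\?/i
header          __EUC_JP        Subject:raw =~ /=\?euc-jp\?.\?/i
header          __EUC_KR        Subject:raw =~ /=\?euc-kr\?.\?/i
header          __EUC_TW        Subject:raw =~ /=\?euc-tw\?.\?/i
meta            SUBJ_EUC        ( __EUC_CN || __EUC_JP || __EUC_KR || __EUC_TW )
describe        SUBJ_EUC        Subjects with EUC encoding
score           SUBJ_EUC        1.0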

# Mailing-list / newsletter mail: fires when a List-Unsubscribe header exists.
# The commented-out variant below searched all headers for the string instead.
# NOTE(review): well-behaved bulk senders add this header too, so the rule
# identifies bulk mail rather than malicious mail; keep the score modest.
header          LIST_UNSUB      exists:List-Unsubscribe
#header         LIST_UNSUB      ALL =~ /List-Unsubscribe/i
describe        LIST_UNSUB      Mailinglist/Newsletter emails
score           LIST_UNSUB      1.0

# "Click here" bait.
# Earlier single-rule version, kept for reference (body text only):
#body           CLICK_BAIT      /\bclick here\b/i
#describe       CLICK_BAIT      Possible click bait
#score          CLICK_BAIT      1.0

# Current version: CLICK_BAIT fires when either unscored sub-rule matches.
#   __CLICK_BAIT1  the phrase "click here" in the body text
#   __CLICK_BAIT2  any URI containing "/click"
# NOTE(review): "/click" probably also matches click-tracking links used by
# legitimate mailing services; verify against a sample of real mail.
body            __CLICK_BAIT1   /\bclick here\b/i
uri             __CLICK_BAIT2   /\/click/i
meta            CLICK_BAIT      ( __CLICK_BAIT1 || __CLICK_BAIT2 )
describe        CLICK_BAIT      Possible click bait
score           CLICK_BAIT      1.0

# Mail with an .htm or .html attachment.
# Matches a MIME part whose Content-Disposition header carries a filename=
# parameter containing ".htm" or ".html".
# NOTE(review): the extension is not anchored to the end of the name, so
# "report.html.pdf" also matches. Only Content-Disposition is inspected; a part
# that names its file solely through the Content-Type name= parameter, or uses
# the RFC 2231 "filename*=" form, is not covered. Confirm whether PMG's own
# attachment filtering already handles those cases.
mimeheader      HTML_ATTACHED   Content-Disposition =~ /filename\=.*\.html?/i
describe        HTML_ATTACHED   Contains .htm or .html attachment
score           HTML_ATTACHED   1.0

# Mail with a .zip or .rar attachment.
# Same approach and the same limitations as HTML_ATTACHED above; other archive
# formats are not matched by this pattern.
mimeheader      ARCH_ATTACHED   Content-Disposition =~ /filename\=.*\.(rar|zip)/i
describe        ARCH_ATTACHED   Contains .rar or .zip attachment
score           ARCH_ATTACHED   1.0

# To: header is the "undisclosed-recipients:;" placeholder (all recipients in
# Bcc). Typical of bulk mail: spam, mailing lists, newsletters.
# NOTE(review): the pattern has no /i flag, so a capitalised
# "Undisclosed-recipients:;" is not matched; confirm that is intended.
header          UNDISC_RECIPS   To =~ /^undisclosed-recipients?:\s*;$/
describe        UNDISC_RECIPS   Undisclosed To: recipients. Possible Spam/Malinglist/Newsletter emails
score           UNDISC_RECIPS   1.0

# Subject mentions money: currency names or large amounts as whole words.
header          SUBJ_CURRENCY1  Subject =~ /\b(dollars?|euros?|pounds?|millions?|billions?)\b/i
describe        SUBJ_CURRENCY1  Subject with currencies
score           SUBJ_CURRENCY1  1.0

# Subject contains "rm" as a word, or "rm" + one character + digits
# (presumably the Malaysian ringgit abbreviation, e.g. "RM 100" - confirm).
# NOTE(review): the "." is unescaped and matches any single character, and the
# bare "rm" alternative also fires on a subject that quotes the shell command.
header          SUBJ_CURRENCY2  Subject =~ /\b(rm|rm.\d+)\b/i
describe        SUBJ_CURRENCY2  Subject with currencies
score           SUBJ_CURRENCY2  1.0

# Subject ends with a special character: ! ? ` . " or -
header          SUBJ_END_SP_CHAR        Subject =~ /(\!|\?|\`|\.|\"|\-)$/i
describe        SUBJ_END_SP_CHAR        Subject end with special character
score           SUBJ_END_SP_CHAR        1.0

# Subject starts with one of a list of words the author associates with spam
# (the "^" anchors the alternation to the beginning of the subject).
# NOTE(review): the list contains very common words ("to", "is", "we", ...),
# so many legitimate subjects will match; rely on the total score, not on this
# rule alone.
header          SUBJ_SPAM1      Subject =~ /\b^(your?|do|does|in|hi|dear|hey|how|our|are|is|last|please|to|free|we|what|want)\b/i
describe        SUBJ_SPAM1      Subject start with highly possible spam phrase
score           SUBJ_SPAM1      1.0

# Subject contains "$" or "%" anywhere.
header          SUBJ_SPAM2      Subject =~ /(\$|\%)/i
describe        SUBJ_SPAM2      Subject with special characters
score           SUBJ_SPAM2      1.0

# Subject starts with one or more digits.
header          SUBJ_SPAM3      Subject =~ /^(\d+)/i
describe        SUBJ_SPAM3      Subject start with numeric
score           SUBJ_SPAM3      1.0

# Raw (undecoded) body contains the string "_swift_", case-insensitive.
# The leading and trailing ".*" do not change what matches.
# NOTE(review): the page does not say what this marker identifies; record the
# campaign or sample it came from so the rule can be retired when stale.
rawbody         RAWBODY1        /.*_swift_.*/i
describe        RAWBODY1        Custom Rawbody Rule 1
score           RAWBODY1        1.0

# SPAM LINK 1 (disabled): a .php URL with three or more query parameters.
#uri            SPAM_LINK_1     /\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i
#describe       SPAM_LINK_1     Spam link 1
#score          SPAM_LINK_1     1.0

# Link that carries an address of the local mail domain in its query string or
# fragment: "?" or "#", then later "@" (or its URL-encoded form "%40") followed
# by the domain. Links that embed the recipient's own address are a pattern
# often seen in credential-phishing mail.
# "mydomain.com.my" looks like a placeholder - replace it with the domain(s)
# your gateway receives mail for.
uri             LINK_W_MAIL     /(\?|\#).*(@|%40)mydomain\.com\.my/i
describe        LINK_W_MAIL     Spammy link with email address
score           LINK_W_MAIL     1.0

# Earlier three-pattern version of LINK_W_MAIL (disabled), kept for reference.
#uri             __LINK_MAIL1   /\/\?email=.*@mydomain\.com\.my/i
#uri            __LINK_MAIL2    /\/*.php\?email=.*@mydomain\.com\.my/i
#uri             __LINK_MAIL3   /\/\#.*@mydomain\.com\.my/i
#meta           LINK_W_MAIL     ( __LINK_MAIL1 || __LINK_MAIL2 || __LINK_MAIL3 )
#describe        LINK_W_MAIL     Spammy link with email address
#score           LINK_W_MAIL     1.0

# Cloud storage links.
# Earlier single-host version (disabled), kept for reference:
#uri            CLOUD_SHARE     /\/drive\.google\.com/i
#describe        CLOUD_SHARE    Suspicious cloud storage links
#score           CLOUD_SHARE    1.0

# Current version: CLOUD_SHARE fires when a URI points at Google Drive or
# OneDrive (one unscored sub-rule per host).
# NOTE(review): the rule matches every link to these hosts, including ordinary
# file sharing between colleagues; it cannot tell a malicious share from a
# legitimate one, so keep it a low-weight signal.
uri             __G_DRV         /\/drive\.google\.com/i
uri             __ONE_DRV       /\/onedrive\.live\.com/i
meta            CLOUD_SHARE     ( __G_DRV || __ONE_DRV )
describe        CLOUD_SHARE     Suspicious cloud storage links
score           CLOUD_SHARE     1.0

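# DNSBL custom blacklist
# Each rule looks up relay IP addresses from the Received headers in one DNS
# blocklist and adds 2 points on a listing.
#
# Changes from a plain check_rbl('name', 'zone.') call:
#   - The set name ends in "-lastexternal", so only the host that handed the
#     message to your trusted network is looked up. Without the suffix every
#     untrusted relay in the chain is checked, and lists that include
#     dynamic/end-user address ranges then hit legitimate users who sent
#     through their provider's mail server.
#   - "tflags ... net" marks the rule as a network test so it is skipped when
#     SpamAssassin runs with network checks disabled.
#
# NOTE(review): check_rbl counts any answer from the zone as a listing. Some
# operators (Spamhaus among them) return special error codes instead of real
# results when queried through public/shared resolvers or over quota; confirm
# that the resolver PMG uses gets genuine answers, or these rules may fire on
# all mail.
# NOTE(review): the stock rule set normally queries zen.spamhaus.org already;
# check the combined score so one listing is not counted twice.
header          DNSBL_UCEPROTECT1       eval:check_rbl('uceprotect1-lastexternal', 'dnsbl-1.uceprotect.net.')
describe        DNSBL_UCEPROTECT1       sender listed in dnsbl-1.uceprotect.net
tflags          DNSBL_UCEPROTECT1       net
score           DNSBL_UCEPROTECT1       2

header          DNSBL_SPAMHAUS          eval:check_rbl('spamhaus-lastexternal', 'zen.spamhaus.org.')
describe        DNSBL_SPAMHAUS          sender listed in zen.spamhaus.org
tflags          DNSBL_SPAMHAUS          net
score           DNSBL_SPAMHAUS          2

header          DNSBL_SURRIEL           eval:check_rbl('surriel-lastexternal', 'psbl.surriel.com.')
describe        DNSBL_SURRIEL           sender listed in psbl.surriel.com
tflags          DNSBL_SURRIEL           net
score           DNSBL_SURRIEL           2

header          DNSBL_SPAMRATS          eval:check_rbl('spamrats-lastexternal', 'all.spamrats.com.')
describe        DNSBL_SPAMRATS          sender listed in all.spamrats.com
tflags          DNSBL_SPAMRATS          net
score           DNSBL_SPAMRATS          2

header          DNSBL_MAILSPIKE         eval:check_rbl('mailspike-lastexternal', 'bl.mailspike.net.')
describe        DNSBL_MAILSPIKE         sender listed in bl.mailspike.net
tflags          DNSBL_MAILSPIKE         net
score           DNSBL_MAILSPIKE         2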

2. Restart PMG's spamassassin service.

# Restart PMG's filter daemon so it loads the edited custom.cf.
systemctl restart pmg-smtp-filter

3. Run the command below to check your SpamAssassin rules for errors.

# --lint parses the loaded rule files and reports syntax problems; -D all adds
# full debug output, so the lint warnings are mixed in with it (paged via less).
spamassassin -D all --lint 2>&1 | less

4. Check your custom spamassassin rules in action.
