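1. To add custom SpamAssassin rules on PMG (Proxmox Mail Gateway), put them in /etc/mail/spamassassin/custom.cf. Every rule below adds to a message's total score, so several weak 1.0-point rules firing together can push legitimate mail over the spam threshold.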
# TOO_POLITE: the message body contains a casual greeting word (hey/hi/hai/hello).
# The (?!@) lookahead skips the word when it is immediately followed by "@",
# e.g. the local part of an address such as hi@...
# Greetings are also common in legitimate mail, so this is a weak signal on its own.
body TOO_POLITE /\b(hey|hi|hai|hello)(?!@)\b/i
describe TOO_POLITE Hey/Hi/Hai/Hello greetings
# Earlier score, kept for reference:
#score TOO_POLITE 1.973
score TOO_POLITE 1.0
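# SUBJ_UTF8: the raw Subject header carries an RFC 2047 encoded-word in UTF-8
# ("=?utf-8?B?...?=" or "=?utf-8?Q?...?=").
# The "?" delimiters must be escaped: left bare they act as regex quantifiers,
# and the pattern then fires on any subject that merely contains "utf-".
# Any non-ASCII subject from a standards-compliant mail client is encoded this
# way, so treat this as a weak indicator rather than proof of spam.
header SUBJ_UTF8 Subject:raw =~ /=\?utf-8\?[bq]\?/i
describe SUBJ_UTF8 Subject with UTF-8 encoding
score SUBJ_UTF8 1.0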
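# SUBJ_EUC: the raw Subject header carries an RFC 2047 encoded-word in one of
# the EUC charsets. The double-underscore sub-rules carry no score of their own;
# only the meta rule below is scored.
# The "?" delimiters are escaped so that they match literally; left bare they
# are regex quantifiers and the patterns fire on any subject containing e.g. "euc-c".
header __EUC_CN Subject:raw =~ /=\?euc-cn\?[bq]\?/i
header __EUC_JP Subject:raw =~ /=\?euc-jp\?[bq]\?/i
header __EUC_KR Subject:raw =~ /=\?euc-kr\?[bq]\?/i
header __EUC_TW Subject:raw =~ /=\?euc-tw\?[bq]\?/i
meta SUBJ_EUC ( __EUC_CN || __EUC_JP || __EUC_KR || __EUC_TW )
describe SUBJ_EUC Subjects with EUC encoding
score SUBJ_EUC 1.0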
# LIST_UNSUB: fires whenever a List-Unsubscribe header is present.
# Well-behaved bulk senders normally include this header, so the rule also
# penalises legitimate newsletters and mailing lists the recipient subscribed to.
header LIST_UNSUB exists:List-Unsubscribe
# Earlier variant that searched all headers for the string instead:
#header LIST_UNSUB ALL =~ /List-Unsubscribe/i
describe LIST_UNSUB Mailinglist/Newsletter emails
score LIST_UNSUB 1.0
# CLICK_BAIT: "click here" wording in the body, or a link whose URI contains "/click".
# Earlier single-pattern version, superseded by the meta rule below:
#body CLICK_BAIT /\bclick here\b/i
#describe CLICK_BAIT Possible click bait
#score CLICK_BAIT 1.0
# Unscored sub-rules; either one is enough to trigger CLICK_BAIT.
body __CLICK_BAIT1 /\bclick here\b/i
# Matches "/click" anywhere in a URI, which includes many ordinary
# click-tracking links used by legitimate senders.
uri __CLICK_BAIT2 /\/click/i
meta CLICK_BAIT ( __CLICK_BAIT1 || __CLICK_BAIT2 )
describe CLICK_BAIT Possible click bait
score CLICK_BAIT 1.0
# HTML_ATTACHED: a MIME part whose Content-Disposition filename contains ".htm" or ".html".
# HTML attachments are a common carrier for phishing pages, hence the extra score.
# NOTE(review): the extension is not anchored to the end of the filename, so a name
# such as "report.html.pdf" also matches.
# NOTE(review): only Content-Disposition is inspected; a part that names its file
# solely via the Content-Type "name=" parameter would presumably not be seen - confirm.
mimeheader HTML_ATTACHED Content-Disposition =~ /filename\=.*\.html?/i
describe HTML_ATTACHED Contains .htm or .html attachment
score HTML_ATTACHED 1.0
# ARCH_ATTACHED: a MIME part whose Content-Disposition filename contains ".rar" or ".zip".
# The same two review notes apply: unanchored extension, Content-Disposition only.
# The rule looks at the file name only; it does not inspect the archive contents.
mimeheader ARCH_ATTACHED Content-Disposition =~ /filename\=.*\.(rar|zip)/i
describe ARCH_ATTACHED Contains .rar or .zip attachment
score ARCH_ATTACHED 1.0
# UNDISC_RECIPS: the To header is exactly "undisclosed-recipient(s):;",
# i.e. every real recipient was placed in Bcc.
# The pattern has no /i flag, so it matches the lowercase spelling only.
header UNDISC_RECIPS To =~ /^undisclosed-recipients?:\s*;$/
describe UNDISC_RECIPS Undisclosed To: recipients. Possible Spam/Malinglist/Newsletter emails
score UNDISC_RECIPS 1.0
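# SUBJ_CURRENCY1: Subject mentions a currency or large-amount word
# (dollar(s), euro(s), pound(s), million(s), billion(s)) as a whole word.
header SUBJ_CURRENCY1 Subject =~ /\b(dollars?|euros?|pounds?|millions?|billions?)\b/i
describe SUBJ_CURRENCY1 Subject with currencies
score SUBJ_CURRENCY1 1.0
# SUBJ_CURRENCY2: Subject contains "RM" as a whole word, optionally followed by
# an amount. The separator between "RM" and the digits is optional so that the
# common form "RM100" matches as well as "RM 100"; previously a separator
# character was required and "RM100" was missed.
# Note that a bare "rm" in the subject (any case) also matches.
header SUBJ_CURRENCY2 Subject =~ /\brm(?:.?\d+)?\b/i
describe SUBJ_CURRENCY2 Subject with currencies
score SUBJ_CURRENCY2 1.0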
# SUBJ_END_SP_CHAR: Subject ends with one of ! ? ` . " -
# Ordinary questions and sentences end this way too, so expect hits on legitimate mail.
header SUBJ_END_SP_CHAR Subject =~ /(\!|\?|\`|\.|\"|\-)$/i
describe SUBJ_END_SP_CHAR Subject end with special character
score SUBJ_END_SP_CHAR 1.0
# SUBJ_SPAM1: Subject starts with one of the listed common words
# (you/your, do, does, in, hi, dear, hey, how, our, are, is, last, please, to,
# free, we, what, want).
# These words also open many legitimate subjects ("Your invoice", "Please review").
header SUBJ_SPAM1 Subject =~ /\b^(your?|do|does|in|hi|dear|hey|how|our|are|is|last|please|to|free|we|what|want)\b/i
describe SUBJ_SPAM1 Subject start with highly possible spam phrase
score SUBJ_SPAM1 1.0
# SUBJ_SPAM2: Subject contains "$" or "%" anywhere.
header SUBJ_SPAM2 Subject =~ /(\$|\%)/i
describe SUBJ_SPAM2 Subject with special characters
score SUBJ_SPAM2 1.0
# SUBJ_SPAM3: Subject starts with a digit.
header SUBJ_SPAM3 Subject =~ /^(\d+)/i
describe SUBJ_SPAM3 Subject start with numeric
score SUBJ_SPAM3 1.0
# The three rules are scored independently, so a single subject such as
# "Your 50% discount!" collects a point from each rule it matches.
# RAWBODY1: the raw message body contains the string "_swift_" (case-insensitive).
# The leading and trailing ".*" do not change what matches.
# NOTE(review): the page does not say what "_swift_" identifies; presumably a
# marker seen in a particular spam run - confirm before reusing this rule.
rawbody RAWBODY1 /.*_swift_.*/i
describe RAWBODY1 Custom Rawbody Rule 1
score RAWBODY1 1.0
# SPAM_LINK_1 (disabled): link to a .php script with three or more query parameters.
#uri SPAM_LINK_1 /\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i
#describe SPAM_LINK_1 Spam link 1
#score SPAM_LINK_1 1.0
# LINK_W_MAIL: a link whose query string ("?") or fragment ("#") contains an
# address at the protected domain, written with "@" or URL-encoded as "%40".
# Links that embed the recipient's own address are typical of phishing pages
# that pre-fill the login form for the targeted user.
# NOTE(review): "mydomain.com.my" is presumably a stand-in for your own mail
# domain - replace it, keeping the dots escaped.
uri LINK_W_MAIL /(\?|\#).*(@|%40)mydomain\.com\.my/i
describe LINK_W_MAIL Spammy link with email address
score LINK_W_MAIL 1.0
# Earlier, narrower version of LINK_W_MAIL, kept for reference (disabled):
#uri __LINK_MAIL1 /\/\?email=.*@mydomain\.com\.my/i
#uri __LINK_MAIL2 /\/*.php\?email=.*@mydomain\.com\.my/i
#uri __LINK_MAIL3 /\/\#.*@mydomain\.com\.my/i
#meta LINK_W_MAIL ( __LINK_MAIL1 || __LINK_MAIL2 || __LINK_MAIL3 )
#describe LINK_W_MAIL Spammy link with email address
#score LINK_W_MAIL 1.0
# CLOUD_SHARE: the message links to Google Drive or OneDrive.
# Earlier Google-Drive-only version, superseded by the meta rule below:
#uri CLOUD_SHARE /\/drive\.google\.com/i
#describe CLOUD_SHARE Suspicious cloud storage links
#score CLOUD_SHARE 1.0
# Unscored sub-rules. Each pattern matches "/<host>" anywhere in the URI, so it is
# not tied to the host part: a path on another site that contains the string also matches.
uri __G_DRV /\/drive\.google\.com/i
uri __ONE_DRV /\/onedrive\.live\.com/i
meta CLOUD_SHARE ( __G_DRV || __ONE_DRV )
describe CLOUD_SHARE Suspicious cloud storage links
# Ordinary file sharing between colleagues and customers hits this rule as well.
score CLOUD_SHARE 1.0
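# DNSBL custom blacklist
# Each rule looks up the delivering relay in one DNS blocklist.
# - The "-lastexternal" suffix on the set name limits the lookup to the last
#   relay outside your own network, i.e. the host that handed the mail to you.
#   Without it every IP in the Received chain is queried, and lists that cover
#   end-user address ranges (zen.spamhaus.org includes the PBL) then hit the
#   home or office IP of legitimate senders who submitted through their provider.
# - "tflags <rule> net" marks the rule as a network test, so it is skipped when
#   network checks are disabled.
# - "-lastexternal" relies on trusted_networks/internal_networks being correct
#   for this gateway; verify them if the gateway sits behind another relay.
# - NOTE(review): the stock ruleset may already score some of these zones;
#   check the rule hits on a test message to avoid counting one listing twice.
# - Review each list's usage terms and listing policy before relying on it.
header DNSBL_UCEPROTECT1 eval:check_rbl('uceprotect1-lastexternal', 'dnsbl-1.uceprotect.net.')
describe DNSBL_UCEPROTECT1 sender listed in dnsbl-1.uceprotect.net
tflags DNSBL_UCEPROTECT1 net
score DNSBL_UCEPROTECT1 2
# Spamhaus answers with 127.255.255.x codes when a query is refused (for example
# when it arrives through a public resolver). The third argument accepts only
# real listing codes, so such an error answer is not scored as a listing.
header DNSBL_SPAMHAUS eval:check_rbl('spamhaus-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.(?:[2-9]|1[01])$')
describe DNSBL_SPAMHAUS sender listed in zen.spamhaus.org
tflags DNSBL_SPAMHAUS net
score DNSBL_SPAMHAUS 2
header DNSBL_SURRIEL eval:check_rbl('surriel-lastexternal', 'psbl.surriel.com.')
describe DNSBL_SURRIEL sender listed in psbl.surriel.com
tflags DNSBL_SURRIEL net
score DNSBL_SURRIEL 2
header DNSBL_SPAMRATS eval:check_rbl('spamrats-lastexternal', 'all.spamrats.com.')
describe DNSBL_SPAMRATS sender listed in all.spamrats.com
tflags DNSBL_SPAMRATS net
score DNSBL_SPAMRATS 2
header DNSBL_MAILSPIKE eval:check_rbl('mailspike-lastexternal', 'bl.mailspike.net.')
describe DNSBL_MAILSPIKE sender listed in bl.mailspike.net
tflags DNSBL_MAILSPIKE net
score DNSBL_MAILSPIKE 2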
2. Restart PMG's spamassassin service.
# Restart the PMG filter service so that it loads the edited rule file.
systemctl restart pmg-smtp-filter
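3. Run the command below to check the SpamAssassin rules for errors. Linting right after each edit, before the service is restarted, keeps a broken rule file from being loaded.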
# --lint parses the configuration and reports rule syntax errors; -D all turns on
# all debug output. Debug output goes to stderr, so it is merged into stdout for paging.
spamassassin -D all --lint 2>&1 | less
4. Check your custom spamassassin rules in action.