can anyone suggest a custom SA rule
Posted: 15 Jun 2017, 13:51
by keat63
After a week, I'm finally getting to grips with MS and SpamAssassin; however, could anyone suggest a custom SA rule to score these?
We get a number of spam where the from field contains a valid user with = followed by domain and @
eg: anyword-user=mydomain.co.uk@spammersdomain.com
Basically I'm looking to add a score if the 'from field' contains the exact phrase '=mydomain.co.uk@'
Re: can anyone suggest a custom SA rule
Posted: 15 Jun 2017, 15:52
by keat63
example headers from one of the emails
Received: from mail208.atl61.xxxx.net ([xxx.xx.xxx.xxx]:20649)
by my.server.co.uk with esmtp (Exim 4.89)
(envelope-from <bounce-mc.us4_8899577.1056541-sales=mydomain.co.uk@mail208.atl61.xxxx.net>)
id 1dLVyp-0001AS-3Z
Re: can anyone suggest a custom SA rule
Posted: 16 Jun 2017, 18:20
by keat63
this seems to work
header MY_RULE_NAME Received =~ /bounce/
score MY_RULE_NAME 1.0
I'm still experimenting with a domain name
Re: can anyone suggest a custom SA rule
Posted: 30 Jun 2017, 13:48
by keat63
I'm still struggling with this one if anyone can help at all.
(envelope-from <bounce-mc.us4_8899577.1056541-sales=mydomain.co.uk@mail208.atl61.xxxx.net>)
I'm looking to score this phrase "sales=mydomain.co.uk@"
I see a rule in SA which may do the trick if I could get the regex right.
header LOCAL_DEMONSTRATION_ALL ALL =~ /test\.com/i
score LOCAL_DEMONSTRATION_ALL 0.1
Re: can anyone suggest a custom SA rule
Posted: 30 Jun 2017, 15:25
by keat63
After a number of experiments and waiting for these emails to arrive, I may have figured it out.
Just in case anyone else needs this, this is what I came up with.
header FROM_YOURRULENAME ALL =~ /mydomain\.co\.uk@/i
score FROM_YOURRULENAME 0.1
Giving it a very low score for testing purposes.
Re: can anyone suggest a custom SA rule
Posted: 29 Jul 2017, 18:09
by Sergio
Hi, Keat63.
SA rules have a lot of features that make them run faster or slower when you check the email.
If you want to check for a FROM domain or email address, the best way of doing this is to use "From:" instead of "ALL". The reason is very simple: FROM will check only that header, while ALL will check all headers in a message and make that more time-consuming for your server.
The rule that you want will be better as:
header FROM_YOURRULENAME From: =~ /mydomain\.co\.uk@/i
score FROM_YOURRULENAME 0.1
describe FROM_YOURRULENAME Blocked domain
The "describe" section is optional, but I like to use it in all my SA rules, as MailScanner will save that info to show what rule has been triggered.
Sergio
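
An offline check of which header scope the thread's pattern matches, added here as an example and not posted by anyone in the thread. It approximates SpamAssassin's header matching with Python's `email` and `re` modules, and both messages (including `example.net` and the 192.0.2.10 address) are constructed samples.

```python
import re
from email import message_from_string

# The pattern used in the rules posted in this thread.
PATTERN = re.compile(r"mydomain\.co\.uk@", re.I)

# Constructed message: the address appears only in the envelope sender that
# Exim records in Received, as in the headers quoted earlier in the thread.
ENVELOPE_ONLY = (
    "Received: from mail208.example.net ([192.0.2.10]:20649)\n"
    "\tby my.server.co.uk with esmtp (Exim 4.89)\n"
    "\t(envelope-from <bounce-1056541-sales=mydomain.co.uk@mail208.example.net>)\n"
    "\tid 1dLVyp-0001AS-3Z\n"
    "From: Newsletter <news@example.net>\n"
    "To: sales@mydomain.co.uk\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed message: the same address shape also appears in From.
IN_FROM = ENVELOPE_ONLY.replace(
    "news@example.net", "anyword-sales=mydomain.co.uk@example.net")


def scoped_text(msg, scope):
    """Text a rule scoped to one header name, or to ALL, is matched against."""
    if scope.upper() == "ALL":
        lines = [f"{name}: {value}" for name, value in msg.items()]
    else:
        lines = msg.get_all(scope, [])
    # Unfold continuation lines so a wrapped header is matched as one line.
    return "\n".join(re.sub(r"\r?\n[ \t]+", " ", line) for line in lines)


def scopes_that_hit(raw, scopes=("ALL", "Received", "From")):
    """Return the scopes in which PATTERN matches the raw message's headers."""
    msg = message_from_string(raw)
    return [s for s in scopes if PATTERN.search(scoped_text(msg, s))]


if __name__ == "__main__":
    print("envelope only:", scopes_that_hit(ENVELOPE_ONLY))
    print("also in From: ", scopes_that_hit(IN_FROM))
```

Feed it the raw headers of a captured message before narrowing a rule from ALL to a single header, so the rule is scoped to a header that actually carries the address.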