From: Martin Gregorie <mar...@gregorie.org>
Reply: mar...@gregorie.org
Date: December 4, 2019 at 4:12:22 PM
To: users@spamassassin.apache.org
Subject: Re: Custom rule help

On Wed, 2019-12-04 at 12:40 -0800, Chris Mulcahy wrote:
> I want a rule that scores if “sitename” is not in the From: line. If
> they send from i...@sitename.com, I’ll assume it’s legit. If sitename
> does not exist, I’ll tick up the score a bit. I have done this for
> some specific domains but they are all individual rules hardcoding the
> domain name.
>

Presumably, you mean that if it matches, add a positive value to push it toward spam. If no match, ignore.

One way would be to build a giant list of alternates along the lines of

    header MYRULE M:addr =~ /(site1\.com\@mydomain\.com| site2....@mydomain.com|....)/

...

I did something similar some years back, but I first designed a definition file that was easy to edit: it has fixed details such as the descriptive comments, the rule name and score on a set of lines at the front of the file. This is followed by the list of alternates, each on a separate line. It helps maintenance and the addition of new terms if you keep the alternates in alphabetic sequence too.

Then I wrote a script that reads the definition and spits out a .cf file containing a correctly formatted SA rule. This is a bash script that runs a gawk script to do the heavy lifting. I used gawk because I know and like it, but any scriptable language should do: Perl, Python or even JavaScript or BASIC are all possibilities.

You can download my solution from here: libelle-systems.com/free/portmanteau/portmanteau.tgz

...

Martin

Thanks for the quick reply!

Actually, I want it to score if there ISN’T a match. If I get an email addressed to slashdot....@example.com from an address that isn’t from slashdot, it’s likely spam.

Currently, I am doing like you mentioned with a bunch of individual rules that look like this:

    header __CRM_FAMAZON From =~ /amazon/i
    header __CRM_TAMAZON To =~ /amazon/i
    meta CRM_AMAZON (!__CRM_FAMAZON && __CRM_TAMAZON)
    describe CRM_AMAZON amazon in to address but not from
    score CRM_AMAZON 1.5

But I have to edit the rules every time I find a new one that comes in. I failed to keep the list because at the time I never anticipated spam would be as prevalent as it is.

I did grab your solution and will look through it. It may make this a less painful process.

Thanks,
Chris
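
The approach discussed in this thread, generating the .cf file from an easily edited list of site names, can be sketched as follows. This is an added example, not Martin's portmanteau script and not code from either poster: the definition format (one site name and an optional score per line), the function names and the sample entries are assumptions, and the emitted rules follow the CRM_AMAZON pattern quoted above.

```python
import re

# Constructed sample definition: "sitename [score]" per line, '#' starts a comment.
SAMPLE_DEFINITION = """\
# site            score
amazon            1.5
slashdot
my-bank.example   2.0
"""
DEFAULT_SCORE = "1.5"  # assumption: same score as CRM_AMAZON in the thread
ENTRY = re.compile(r"([A-Za-z0-9][A-Za-z0-9.-]*)(?:\s+(\d+(?:\.\d+)?))?")


def parse_definition(text):
    """Return sorted (site, score) pairs; reject anything that is not a plain name."""
    sites = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY.fullmatch(line)
        if not m:  # keeps regex metacharacters and stray fields out of the .cf
            raise ValueError(f"line {lineno}: bad entry {raw!r}")
        sites[m.group(1).lower()] = m.group(2) or DEFAULT_SCORE
    return sorted(sites.items())


def rule_tag(site):
    """Rule names may only use A-Z, 0-9 and underscore."""
    return re.sub(r"[^A-Z0-9]", "_", site.upper())


def rules_for(site, score):
    """Emit the From-miss / To-hit rule set for one site name."""
    tag = rule_tag(site)
    pat = site.replace(".", r"\.")  # '.' is the only metacharacter a valid name has
    return "\n".join([
        f"header   __CRM_F{tag} From =~ /{pat}/i",
        f"header   __CRM_T{tag} To =~ /{pat}/i",
        f"meta     CRM_{tag} (!__CRM_F{tag} && __CRM_T{tag})",
        f"describe CRM_{tag} {site} in to address but not from",
        f"score    CRM_{tag} {score}",
    ])


def generate(text):
    """Return the .cf text; refuse site names that collapse to one rule name."""
    entries = parse_definition(text)
    tags = [rule_tag(s) for s, _ in entries]
    if len(set(tags)) != len(tags):
        raise ValueError("two site names map to the same rule name")
    return "\n\n".join(rules_for(s, sc) for s, sc in entries) + "\n"


if __name__ == "__main__":
    print(generate(SAMPLE_DEFINITION), end="")
```

Redirect the output to a .cf file in the local rules directory and run `spamassassin --lint` before reloading, so a bad entry is caught before it reaches the live scanner.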