jbminn


Tech Tip – Spamassassin Custom Rule

I had been inundated with so much spam lately that I added some custom rules to my spamassassin setup. These rules are added to your local.cf (don’t put them in /usr/share/spamassassin, as they’ll get overwritten with the next SA update). The single most useful one for me in this bunch is the LOCAL_RETURNED_MAIL rule.

Because spammers spoof my domains (like everybody else on the planet), I end up getting bounce messages from their targets. Sorry, but on my end these bounce messages ARE SPAM. So, I block them with this rule.

body LOCAL_RETURNED_MAIL /Delivery Status Notification|mail could not be delivered|Undelivered Mail Returned to Sender|Returned mail: see transcript for details/i
score LOCAL_RETURNED_MAIL 5.0

Adding that rule has removed over 200 bounce messages from my daily life. There’s one more rule that I’d like to run, but haven’t figured out how to implement. (Edit. See update below) I want to use a header rule that will trigger on any mail sent to my domains that is to an address that is not in my test block, for example:

header TO_ADDRESS_BOGUS To !~ /my|real|addresses|here/i
describe TO_ADDRESS_BOGUS To: contains bogus address

I know all about blacklists and whitelists and have a solution in place that works ok, but I really want a header rule like the one above. Yes, I’ve searched. Yes, I have found many rules that implement a To: match test but have not found a rule that implements a non-match test. I suspect that my use of !~ is incorrect, but lint is happy with that rule as-is.

Update: I did figure it out. The guys on the SA mailing list (users@spamassassin.apache.org) gave me a hint about using ToCc, and that prompted me to realize my error. I hadn’t supplied FQ addresses in the rule, only user names. The rule would have never fired (and it didn’t). The corrected rule is below:

header TO_ADDRESS_BOGUS ToCc !~ /name1@domain.com|name2@domain.com|name3@domain.com/i
score TO_ADDRESS_BOGUS 4.0
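A way to check a negated ToCc pattern before it goes into local.cf, as an added example that is not part of the original post: it emulates the `!~` test in Python against constructed headers. The LOOSE and STRICT patterns, the sample messages, and the newline join of To and Cc are assumptions made for illustration; only the FQ pattern is the rule from the post.

```python
import re

def tocc(headers):
    # Emulation assumption: ToCc sees the To and Cc values joined together.
    return "\n".join(headers[h] for h in ("To", "Cc") if headers.get(h))

def fires(pattern, headers):
    # `header NAME ToCc !~ /pattern/i` hits when the pattern is NOT found.
    return re.search(pattern, tocc(headers), re.IGNORECASE) is None

PATTERNS = {
    # Hypothetical bare names, one of which also occurs in the domain.
    "LOOSE": r"name1|name2|domain",
    # The corrected rule from the post, unchanged.
    "FQ": r"name1@domain.com|name2@domain.com|name3@domain.com",
    # Hypothetical stricter form: escaped dot, no match inside a longer address.
    "STRICT": r"(?<![\w.+-])(?:name1|name2|name3)@domain\.com(?![\w.-])",
}

# Constructed sample headers.
MAIL = {
    "real": {"To": "Name One <name1@domain.com>"},
    "bogus": {"To": "sales@domain.com"},
    "lookalike": {"To": "xname1@domain.com"},
    # List or Bcc mail: the real recipient is not in To or Cc at all.
    "list": {"To": "announce@lists.example", "Cc": "someone@else.example"},
}

def table():
    # For each sample message, report which pattern variants would hit.
    return {label: {name: fires(p, hdrs) for name, p in PATTERNS.items()}
            for label, hdrs in MAIL.items()}

if __name__ == "__main__":
    for label, row in table().items():
        print(f"{label:10}", row)
```

The "list" row is the false-positive case to watch: any legitimate mail that does not name one of the listed addresses in To or Cc takes the rule's score as well.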
