How do I add custom SpamAssassin rules for content filtering?

Dave's Answer:

While I'm also a big fan of SpamAssassin, I'm the first to admit that the rules can be more than a bit confusing, and when you have a bad rule, odd things can occur, especially if you don't actually test your rules before you install them.

But let's start at the beginning...

Your local SpamAssassin rules should be stored in a file called /etc/mail/spamassassin/local.cf if you want the rules applied to every user on the system, or ~/.spamassassin/user_pref if you want to have them only apply to your own email. All rules have three components:

• The rule itself
• A 2-5 word description of the rule for SpamAssassin reports (optional),
• A commensurate scoring for the rule if matched

As a simple example, here's a rule that applies against the body of messages that are being filtered:

body        NO_VIOXX    /vioxx/i
score       NO_VIOXX   10
description NO_VIOXX   messages that contain the word Vioxx

In this case, any message that contains "Vioxx" (without regard to the mix of upper and lower case, which is what the 'i' accomplishes in the pattern) will be given a score of +10, which might by itself make this an undelivered spam message (it actually depends on what threshold you specify in your configuration file).

Having shown that, I use rawbody rather than body so that it catches words that appear in HTML formatted messages and messages with base64 or any other encoding scheme. Here are two actual rules from my own SpamAssassin rule set:

rawbody BECAUSE_OPTIN           /because you opted-in/i
score   BECAUSE_OPTIN           5.0

rawbody DEALSMINUTE             /dealsbytheminute/i
score   DEALSMINUTE             5.0

The first thing you'll notice is that I don't bother with the description field. I just try to use sufficiently mnemonic rule names.

Don't be fooled into thinking that you can only match rules and have things be more spammy. You can do the opposite instead, as shown here:

header  ITS_DEREK               ALL =~ /derek\@farmprints.com/i
score   ITS_DEREK               -100

Finally, you can also reassign the scoring of built-in rules too, by simply restating the score:

score   SUBJ_FREE_CAP           4.0
score   FREE_PREVIEW            4.0
score   HTTP_ESCAPED_HOST       4.0

Finally, don't forget to always run the command

spamassassin --lint

immediately after editing your configuration file to ensure that you haven't introduced any errors or typos into the ruleset!

If you'd still like more information on SpamAssassin, a good place to go is SpamAssassin Rule Help, and you can always pop over to the SpamAssassin site itself.