Differences between revisions 71 and 72
Revision 71 as of 2004-12-15 19:16:52
Size: 15715
Editor: pcp08157549pcs
Comment: Changed older link for exit0 that is no longer valid.
Revision 72 as of 2004-12-22 07:07:06
Size: 15715
Editor: ms
Comment:
Deletions are marked like this. Additions are marked like this.
Line 217: Line 217:
Note : Rules and scores are updated once a week by using spams reported to the anti-spam service of CCERT in the last 6 months. [[BR]] Note : Rules and scores are updated once a week by using spams reported to the anti-spam service of CCERT in the last 3 months. [[BR]]
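Review bot: The changed note on line 217 shortens the reporting window from "the last 6 months" to "the last 3 months", but revision 72 has an empty Comment field, so nothing records why the figure changed or where it comes from. Fill in the edit comment with the source for the 3-month window (for example the CCERT page linked from the Chinese Rules entry) so that operators judging how current these scores are can verify it.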

Disclaimer

Custom or third-party rules described here are not part of the official SpamAssassin distribution. They may have a different license and are not from the Apache Software Foundation.

Available Custom Rulesets

Listed below are several custom rulesets that are available as "drop in" .cf files. To use these rules, just place the file in /etc/mail/spamassassin (if you use spamd, be sure to restart it). Before running these rules please do the following:

  1. Read any extra info available with the rules, including the comments in the .cf files.
  2. Check to make sure that the default scores in these rules fit your installation. You might want to modify scores.
  3. Make sure to run spamassassin --lint on the rules after loading them.
  4. Test the new rulesets. Keep an eye on hits from the new rules to determine if the scoring is right for you.

Use at your own risk.


Status Information
Active: Ruleset is actively updated and maintained
Locked: Ruleset is not actively updated, but is fine to run and considered "stable"
Defunct: Ruleset is no longer maintained, may be out of date or have problems

Auto-update: Author/Maintainer has given permission to use scripts to automate the download of the ruleset
Please respect the wishes of the authors and/or the site hosts


antidrug.cf
antidrug.cf is a set of rules designed to catch those pesky "pill spams".
Created by: Matt Kettler
Contact: TBD
License Type: Artistic/GPL dual
Status: Active
Auto-update: Yes, subject to change if Comcast later objects to the practice.
Available at: http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
Mirror: N/A
Note: Matt Kettler says "It may not be appropriate for a medical or pharmaceutical environment. If in doubt, adjust the scores of all the rules to 0.01 and see if they fire off on your daily nonspam."
Note: SA 3.0.0 documentation indicates that much of this rule set has been incorporated into that version. This file is unnecessary with SA 3.0.0.
Sample Results: MasscheckAntidrug (rev 0.65 04/28/2004)

backhair.cf
backhair is a set of rules designed to catch those ugly, unsightly HTML tags.
Created by: Jennifer Wheeler
Contact: TBD
License Type: TBD
Status: Locked
Auto-update: No
Available at: http://www.emtinc.net/includes/backhair.cf
Mirror: [http://www.rulesemporium.com/rules.htm rulesemporium.com]
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
More information on Jennifer's rules: http://www.emtinc.net/spamhammers.htm
NOTE: Early versions of Rules Du Jour included this set in its default config. This set is now considered "stable" and is no longer actively updated. Please do not use auto-update scripts.
Note: This is a fairly aggressive ruleset that can hit on UUencoded attachments...
Note: SA 3.0.0 documentation indicates that much of this rule set has been incorporated into that version. This file is unnecessary with SA 3.0.0.
Sample Results: MasscheckBackhair (Version 1.5 2004-01-21)

bigevil.cf
bigevil is a set of URIs that have been found in spam messages.
Created by: Chris Santerre
Contact: goober+sawiki@moglobal.com
License Type: GPL (For now)
Status: Active
Auto-update: Yes - Please try to keep checks down to no more than once every 24 hours
Available at: http://www.rulesemporium.com/rules/bigevil.cf
Mirror: [http://alex.zeitform.de/mirror/bigevil.cf]
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
Extras: Chris has been kind enough to mirror many of these rulesets on his site, as well as many other custom rules.
More information on Chris' rules: http://www.rulesemporium.com/
Note: bigevil is now a static list generated from ws.surbl.org. The new file is huge and has been known to cause problems on machines with low amounts of RAM or heavy loads; please consider using the SURBL plugin instead. [http://www.surbl.org]

bogus-virus-warnings.cf
bogus-virus-warnings tries to pick out 'collateral spam' caused by viruses.
Created by: Tim Jackson with contributions from others
Contact: TBD
License Type: TBD
Status: Active
Auto-update: Yes
Available at: http://www.timj.co.uk/linux/bogus-virus-warnings.cf
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
More information on Tim's rules: http://www.timj.co.uk/linux/sa.php
Note: Main aim is to catch warnings generated by virus scanners along the lines of "you sent us virus", which are sent to the (usually faked) 'senders' of virus-infected e-mails. Contains many "black-and-white" very-high-scoring rules. (see also http://www.exit0.us/index.php/VirusBounceRules)
Sample Results: MasscheckBogusVirus (version 1.69 2004-03-04)

chickenpox.cf
chickenpox is a set of rules designed to catch spam like "l.ooks f|or th.is kind of garb+age"
Created by: Jennifer Wheeler
Contact: TBD
License Type: TBD
Status: Locked
Auto-update: No
Available at: http://www.emtinc.net/includes/chickenpox.cf
Mirror: [http://www.rulesemporium.com/rules.htm rulesemporium.com]
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
NOTE: Early versions of Rules Du Jour included this set in its default config. This set is now considered "stable" and is no longer actively updated. Please do not use auto-update scripts.
More information on Jennifer's rules: http://www.emtinc.net/spamhammers.htm
Sample Results: MasscheckChickenpox (Version 1.15 2004-02-06)

evilnumbers.cf
evilnumbers is a collection of phone numbers, PO boxes and street addresses harvested from spam.
Created by: Matt Yackley
Contact: sare@yackley.org
License Type: Artistic
Status: Active
Auto-update: Yes - Please try to keep checks down to no more than once every 24 hours
Available at: http://www.rulesemporium.com/rules/evilnumbers.cf
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
Extras: Localized language packs available at the link below.
Mirror: [http://www.yackley.org/sa-rules yackley.org]
More information on Matt Yackley's rules: http://www.yackley.org/sa-rules
Sample Results: MasscheckEvilNumbers (Version: 1.12k 03/31/2004)

sa-blacklist
sa-blacklist is a large set of blacklist entries of domains and IP addresses.
Created by: William Stearns
Contact: wstearns@pobox.com
License Type: GPL
Status: Active
Auto-update: Yes - Please try to keep checks down to no more than once every 4 hours
Auto-update: Preferred method rsync via zaphod.stearns.org::wstearns/sa-blacklist/
Available at: http://www.stearns.org/sa-blacklist/sa-blacklist.current
Available at: ftp://ftp.stearns.org/pub/wstearns/sa-blacklist/sa-blacklist.current
Mirror: [ftp://ftp.bascom.com/pub/wstearns/sa-blacklist/ ftp.bascom.com]
More information on Bill's rules: http://www.stearns.org/sa-blacklist/README
Note: These are blacklist entries and will tag emails on their own! This link is not a .cf file; you will need to save it with a .cf extension.

sa-blacklist-uri.cf
sa-blacklist-uri is a large set of URIs.
Created by: William Stearns
Contact: wstearns@pobox.com
License Type: GPL
Status: Active
Auto-update: Yes - Please try to keep checks down to no more than once every 4 hours
Auto-update: Preferred method rsync via zaphod.stearns.org::wstearns/sa-blacklist/
Available at: http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
Available at: ftp://ftp.stearns.org/pub/wstearns/sa-blacklist/sa-blacklist.current.uri.cf
More information on Bill's rules: http://www.stearns.org/sa-blacklist/README
Mirror: [ftp://ftp.bascom.com/pub/wstearns/sa-blacklist/ ftp.bascom.com]
Note: The idea behind this list is similar to bigevil, but the entries are pulled together from different spam. These rules are "flat", i.e. one entry per rule, which uses more memory than combining multiple entries into one rule. This should not be an issue if you have lots of memory or a lighter mail load.
Note: Using the SURBL version [http://wiki.apache.org/spamassassin/SURBL] of this blacklist requires far less memory in spamd than using the ruleset itself.
Sample Results: MasscheckBlacklist (2004030403)

sa-random.cf
sa-random searches for spamware mistakes like: %RANDOM_WORD
Created by: William Stearns
Contact: wstearns@pobox.com
License Type: GPL
Status: Active
Auto-update: Yes - Please try to keep checks down to no more than once every 4 hours
Auto-update: Preferred method rsync via zaphod.stearns.org::wstearns/sa-blacklist/
Available at: http://www.stearns.org/sa-blacklist/random.current.cf
Available at: ftp://ftp.stearns.org/pub/wstearns/sa-blacklist/random.current.cf
Mirror: [ftp://ftp.bascom.com/pub/wstearns/sa-blacklist/ ftp.bascom.com]
More information on Bill's rules: http://www.stearns.org/sa-blacklist/README
Sample Results: MasscheckRandom (release: 2004030501)

tripwire.cf
tripwire searches for 3 characters that shouldn't be together.
Created by: Fred Tarasevicius
Contact: tech2@i-is.com
License Type: TBD
Status: TBD
Auto-update: TBD
Available at: http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
Note: These rules are based on the English language. Because of the number of rules that can be triggered, exim users have reported that the resulting header can go over exim's header byte limit. MS Outlook can also have problems with rules that look for "message headers", due to an unknown size limit on the amount of headers it will search.
Sample Results: MasscheckTripwire (Version 1.17)

weeds.cf 1&2
weeds looks for alphabet decimal and hex characters, lower and uppercase.
Created by: Jennifer Wheeler
Contact: TBD
License Type: TBD
Status: Locked
Auto-update: No
Available at: http://www.emtinc.net/includes/weeds.cf or set 2 at: http://www.emtinc.net/includes/weeds2.cf
Mirror: [http://www.rulesemporium.com/rules.htm rulesemporium.com]
Mirror: [http://www.exit0.us/rules www.exit0.us/rules]
More information on Jennifer's rules: http://www.emtinc.net/spamhammers.htm
NOTE: Early versions of Rules Du Jour included this set in its default config. This set is now considered "stable" and is no longer actively updated. Please do not use auto-update scripts.
Note: Weeds2 is a more restrictive set, DO NOT run both sets at the same time.
Sample Results: MasscheckWeeds (Version 1.0, 2003-11-13)

French Rules
Catches spams written in French.
Created by: Maxime Ritter
Contact: mritter@alussinan.org
License Type: Public Domain
Status: Active
Auto-update: On the mirror (updates of the mirror are automatic)
Available at: [http://maxime.ritter.eu.org/Spam/french_rules.cf]
GPG-signature: [http://maxime.ritter.eu.org/Spam/french_rules.cf.sig Yes]
Mirror: [http://airmex.nerim.net/rule-get/french_rules.cf]
More information on my site (in French only at the moment): [http://maxime.ritter.eu.org/article.php3?id_article=11]
Sample Results: None yet.

Airmax.cf
Misc rules I use. Use them if you find them useful.
Created by: Maxime Ritter
Contact: mritter@alussinan.org
License Type: Public Domain
Status: Active
Auto-update: On the mirror (auto-updated)
Available at: [http://maxime.ritter.eu.org/Spam/airmax.cf]
GPG-signature: [http://maxime.ritter.eu.org/Spam/airmax.cf.sig Yes]
Mirror: [http://airmex.nerim.net/rule-get/airmax.cf]
More information on my site (in French only at the moment): [http://maxime.ritter.eu.org/article.php3?id_article=11]
Sample Results: None yet.

Chinese Rules
Rules to catch spams written in Chinese.
Created by: Quang-Anh Tran, at CCERT Anti-Spam Team
Contact: chenguangying@tsinghua.org.cn
License Type: GPL
Status: Active
Available at: [http://www.ccert.edu.cn/spam/sa/Chinese_rules.cf]
More information (in Chinese): [http://www.ccert.edu.cn/spam/sa/Chinese_rules.htm]
Note: Rules and scores are updated once a week by using spams reported to the anti-spam service of CCERT in the last 3 months.
Sample Results: MasscheckChineserules

GEE Whiz Chinese Ruleset
We developed a set of SpamAssassin rules which apply to Simplified Chinese, based on GB2312. They include head rules, phrase rules.
Created by: Zhong(Adam) Wang at Submersion Corporation
Contact: adamwang@submersion.com
License Type: GPL
Status: Active
Available at: [http://www.geewhiz.ca/index.php/GEE%E3%80%80Whiz_SpamAssassin_%E4%B8%AD%E6%96%87%E8%A7%84%E5%88%99%E9%9B%86%E4%B8%8B%E8%BD%BD|GEE Whiz Chinese Ruleset]
More detail: [http://www.geewhiz.ca]
Note: Rules are masschecked by CCERT.
Sample Results: MasscheckGeeWhizChineseRuleset

MIME Validation Ruleset
This is a tiny set of rules, designed to find MIME errors commonly encountered in mails sent by the bulk mailers used by spammers.
Created by: Byteplant GmbH
Contact: nstsupport@byteplant.com
License Type: GPL
Status: Active
Available at: [http://www.nospamtoday.com/download/mime_validate.cf]
Sample Results: None yet.


Automatic Updates
If you find these rulesets useful and get tired of downloading updates, Chris Thielen has kindly provided a shell script to automatically update these sets. You can find the script and instructions at: http://www.exit0.us/index.php?pagename=RulesDuJour
Another tool is now available, featuring a GPG check of the rulesets which have a known signature and an apt-get-like syntax: http://maxime.ritter.eu.org/article.php3?id_article=10

Additional collections
Here are some additional collections of custom rulesets:

The SARE Ninjas have a collection of custom rules available at the SpamAssassin Rules Emporium (started by Chris Santerre) - http://www.rulesemporium.com - this collection includes HTML rules, Header abuse rules, ratware rules, specific spammer rules, adult rules, fraud rules, subject rules, business and marketing rules, etc. Several of those rule sets are multi-file rule sets, a practice started by Bob Menschel, allowing you to pick and choose based on the quality or applicability of rules within the MultiFileRuleSets.

The Hebrew SpamAssassin rules project is located at http://www.deltaforce.net/hebrewspam

There's an additional SpamAssassin wiki at http://www.exit0.us . This wiki seems more focused on rules and includes a German Ruleset.


CustomRulesets (last edited 2018-11-26 01:55:30 by BillCole)