SpamAssassin ruleset to try and catch India based web development spam

At work we keep receiving emails from sales-droids in India who are trying to persuade us to outsource PHP/Android/Java/whatever development to them.

Here’s my first attempt at a spamassassin rule to neutralise it – in my case, copy into a something.cf file in /etc/spamassassin/mail, and running over a suitably loaded email results in :

Content preview:  Dear Sir / Madam, I just wanted to check if you had received
   my last mails sent. Haven't heard back from you, just wondering are you interested
   in our services? Let me know if you are interested then we can discuss this
   further. [...] 

Content analysis details:   (6.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (globalseolinksourcing[at]gmail.com)
 0.0 DKIM_ADSP_CUSTOM_MED   No valid author signature, adsp_override is
                            CUSTOM_MED
 1.7 DEAR_SOMETHING         BODY: Contains 'Dear (something)'
 0.0 HTML_MESSAGE           BODY: HTML included in message
 5.0 LOCAL_INDIA_HITS       Web dev spam from India
 1.2 NML_ADSP_CUSTOM_MED    ADSP custom_med hit, and not from a mailing list

The spamassassin rule

(The intention is that the rule only fires if the email mentions India and at least 4 out of the other phrases (delhi, marketing, php etc)

# india based spam

body  __INDIA_01 /india/i
body  __INDIA_02 /delhi/i
body  __INDIA_03 /web services/i
body  __INDIA_04 /php/i
body  __INDIA_05 /java/i
body  __INDIA_06 /marketing/i
body  __INDIA_07 /website design/i
body  __INDIA_08 /dear sir/i

meta LOCAL_INDIA_HITS ( __INDIA_01  && ((  __INDIA_02 + __INDIA_03 + __INDIA_04 + __INDIA_05 + __INDIA_06 + __INDIA_07 + __INDIA_08 )) > 4)
describe LOCAL_INDIA_HITS Web dev spam from India
score LOCAL_INDIA_HITS 5.0

Post navigation


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>