Amavis / SpamAssassin


Some random bits and pieces related to SpamAssassin and Amavis

I’ve been looking for additional rulesets to add to SpamAssassin but haven’t found many – the SARE project appears offline (for example). Eventually I found – The SOUGHT SpamAssassin ruleset which despite it’s age (published in 2007) seems to still be maintained.


To enable this on Debian Wheezy, I added a cron job (/etc/cron.d/sa-update-sought) like :

10 */3 * * * debian-spamd /usr/local/sbin/sa-update-sought

And then created /usr/local/sbin/sa-update-sought which looks a bit like :

if [ $UID != 119 ]; then
    su - debian-spamd -c "/usr/local/sbin/sa-update-sought"
    exit 0

# See
/usr/bin/sa-update -v --gpgkey 6C6191E3 --channel --channel
# so wow, so speed.

(Don’t forget to chmod 755 the script and also perhaps run it containing ‘set -x’ and/or ‘set -e’)

Amavis – deal with duplicate headers

Firstly, Amavis was complaining about duplicated headers for some emails. Typically this would be something useless like MIME-Version, which I don’t care about. So to stop Amavis moaning about duplicated headers – add to your config under /etc/amavis/conf.d/50-user (on debian) –

$allowed_header_tests{'multiple'} = 0;

Amavis – log spamassassin rulsets and generally more

The default Amavis log file will look something like :

Mar 23 06:48:18 my.server /usr/sbin/amavisd-new[13368]: (13368-03) Passed CLEAN {RelayedInbound}, [client.ip.addr]:37490 [client.ip.addr]  -> <someone@local>, Queue-ID: 3FDEC181A06, Message-ID: <>
, mail_id: d-dsS6ecM4vR, Hits: -9.49, size: 34124, queued_as: 80D4118089F,, 3203 ms

Which isn’t all that useful – especially if you need to know WHY it did (or didn’t) score against SpamAssassin (i.e. WHY was it -9.49).

So, to make Amavis more verbose in logging – so you can see which SpamAssassin tests triggered etc – add to /etc/amavis/conf.d/50-user (debian) –

$log_templ = $log_verbose_templ;

Now you’ll see something more like :

Mar 28 14:33:49 my.server /usr/sbin/amavisd-new[9149]: (09149-05) Passed SPAMMY {RelayedTaggedInbound}, [client.ip.addr]:62696 [client.ip.addr] <some.user@whatever> -> <>, Queue-ID: EF4F4180E71, Message-ID: <C46A064E2A2B52469C092EE761AD74602BFCCC@xxxxxx-Exch.xxxxxxx.xxxx>, mail_id: dzG4JS_4jH29, Hits: 6.314, size: 46717, queued_as: BBEB71819B4, Subject: "hello world this is a subject", From: Test_Person_<test@my.domain>, helo=whatever.server, Tests: [HTML_MESSAGE=0.001,LOCAL_SEX=5,URI_HEX=1.313], shortcircuit=no, autolearn=disabled, autolearnscore=6.314, asn=AS57307_188.227.240.0/21, 4714 ms

Now – you can clearly see why it scored 6.314 – without needing to find the mail and read it’s headers.

SpamAssassin – some random rules

Add into /etc/spamassassin into a file named something like ‘’

WhatCounts – spammy mailer?

# X-Mailer: WhatCounts - seems spammy.
header LOCAL_WHATCOUNTS X-Mailer =~ /WhatCounts/
describe LOCAL_WHATCOUNTS Spammy mailer (WhatCounts)


Often slipped into spammy email; presumably serious email (well, for a business at least) won’t contain such stuff.

body LOCAL_SEX /\b(sex)\b/i
describe LOCAL_SEX Email contains the word sex.
score LOCAL_SEX 5.0

PHP Eval’ed code

I saw quite a few spammy emails which contained a specific header – so this penalises such mail. It’s crude.

# Saw email headers like : X-PHP-Originating-Script: 10000:sendme.php(3) : eval()'d code
header PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/i
describe PHP_EVAL Eval()'ed PHP code as source
score PHP_EVAL 8.0

SpamAssassin – decode short urls is a useful plugin to install – allowing you to decode shortened URLs – and hopefully then score/find them in RBLs etc.

i.e. expanding to


Leave a comment

Your email address will not be published.