[Rspamd-Users] Convert spamassassin rules

Marc Risse risse at citkomm.de
Mon Nov 5 11:28:22 UTC 2018

Hi list,

I have a lot of SA rules and want to convert them to rspamd rules/maps. 
But it looks very complicated or I didn't get the idea behind multimaps.
Two examples of my rules:

header __WP_X_PHP_ORIG_SCRIPT X-PHP-Originating-Script =~ 
header __WP_X_PHP_SCRIPT X-PHP-Script =~ /(post|gallery|user)\.php/i
header __WP_X_SOURCE X-Source =~ /php-cgi/i
header __WP_X_SOURCE_ARGS X-Source-Args =~ /(post|gallery|user)\.php/i
header __WP_PATH_X_SOURCE_ARGS X-Source-Args =~ 
header __JO_COMP_X_SOURCE_ARGS X-Source-Args =~ /components\/com_/i
header __JO_X_SOURCE_ARGS X-Source-Args =~ /\/joomla\//i
score SIT_CMS_MAIL 1.25
describe SIT_CMS_MAIL Mail sent from a probably hacked CMS (like 
Wordpress or Joomla)

header SIT_OUTDATED_PHP X-Mailer =~ /PHP v?5\.[1234].*/i
describe SIT_OUTDATED_PHP Mail send from an outdated PHP version

Should I generate entries in multimap.conf like this?

|SIT_PHP_MAIL { type = "header"; filter = "||||headers||";|
||multi = true; | map = "file:///etc/rspamd/maps.local/php.map";|
||symbols = ["||||SIT_OUTDATED_PHP", "||||SIT_CMS_MAIL"]; regexp = true;| }|

but how should  /etc/rspamd/maps.local/php.map look like to match the 
different Headers?

I need some ideas or examples, maybe someone has a script to convert SA 
rules to maps?
I'm lost

| Regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3433 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.rspamd.com/pipermail/users/attachments/20181105/ab228920/attachment.bin>

More information about the Users mailing list