[Rspamd-Users] Dynamic score by sender or hostname
Gerald Galster
list+rspamd at gcore.biz
Wed May 24 17:20:15 UTC 2023
> actually I recieve a lot of spam from GMail accounts with just an URL in the body.
>
> The symbol HFILTER_URL_ONLY is by default set to a score of 2,200 and I like to screw that up only for those e-mails coming from GMail:
>
> *HFILTER_URL_ONLY (1.283333) [0.58333333333333]*
> FREEMAIL_TO (0) [hotmail.com,googlemail.com,hotmail.de,web.de]
> REDIRECTOR_URL (0) [bit.ly]
See https://rspamd.com/doc/configuration/composites.html
Maybe something like this:
FREEMAIL_URL_ONLY {
expression = "HFILTER_URL_ONLY and FREEMAIL_TO"
score = 5.0;
}
or in combination with a custom multimap symbol.
Alternatively there are YARA rules in clamav:
(this rule needs complete emails including headers)
rule BitlySpam {
meta:
descrption = "bit.ly url only"
strings:
$a = "://bit.ly/"
// \r\n\r\n in hex
$b = { 0D 0A 0D 0A }
// \n\n in hex
$c = { 0A 0A }
condition:
$a in (@b[1].. at b[1]+13) or $a in (@c[1].. at c[1]+15)
}
https://yara.readthedocs.io/en/latest/
Best regards,
Gerald
More information about the Users
mailing list