‚ < ‚ Day Day Up ‚ > ‚ |
Most SpamAssassin tests consist of the same basic components :
Example 3-1 shows the complete definition of a test that matches when a message's From address begins with at least two numbers. This test is defined in the file /usr/share/spamassassin/20_head_tests.cf (although its score appears in the 50_scores.cf file). Example 3-1. A test definition and scoreheader FROM_STARTS_WITH_NUMS From =~ /^\d\d/ describe FROM_STARTS_WITH_NUMS From: starts with nums score FROM_STARTS_WITH_NUMS 0.390 1.574 1.044 0.579 How does this test work? The header directive defines it as a test that will be applied to the message headers and gives the test name ( FROM_STARTS_WITH_NUMS ) and the test itself, a match of the From header against the regular expression /^\d\d/ . That regular expression denotes a string that begins with two digits.
The describe directive provides a human-readable description of the test that SpamAssassin will insert in reports when the test matches. The score directive determines how many points SpamAssassin will add to the spam score of a message if the test matches. Higher scores mean that a message that matches the test is more likely to be spam. In this example, SpamAssassin will add 0.39 points to the spam score of a matching message if network and Bayesian tests are not in use, 1.574 points if network tests are in use but Bayesian tests are not, 1.044 points if Bayesian tests are in use but network tests are not, and 0.579 points if both network and Bayesian tests are in use. The tests distributed with SpamAssassin are typically stored in files in /usr/share/spamassassin . Tests are stored in a set of ruleset files based on the type of test being performed, and scores for all tests are stored together in one file. These tests are discussed in detail later in this chapter. Following are some other examples of test definitions from the distributed tests, along with their scores. Testing for a To , From , or Cc header that mentions friend@public.com (this test is distributed disabled): header FRIEND_PUBLIC ALL =~ /^(?:toccfrom):.*friend\@public\.com/im describe FRIEND_PUBLIC sent from or to friend@public.com score FRIEND_PUBLIC 0 Testing for the existence of the X-PMFLAGS header: header X_PMFLAGS_PRESENT exists:X-PMFLAGS describe X_PMFLAGS_PRESENT Message has X-PMFLAGS header score X_PMFLAGS_PRESENT 2.900 2.800 2.800 2.700 Testing for long lines of hexadecimal code in the message body: body LARGE_HEX /[0-9a-fA-F]{70,}/ describe LARGE_HEX Contains a large block of hexadecimal code score LARGE_HEX 0.633 1.595 1.193 1.160 Testing for a Subject header in all capital letters, by evaluating a SpamAssassin function: header SUBJ_ALL_CAPS eval:subject_is_all_caps( ) describe SUBJ_ALL_CAPS Subject is all capitals score SUBJ_ALL_CAPS 0.550 0.567 0 0 Testing for a message that includes HTML to open a new window with JavaScript (disabled by default): body HTML_WIN_OPEN eval:html_test('window_open') describe HTML_WIN_OPEN Javascript to open a new window score HTML_WIN_OPEN 0 Testing for an HTTP (Hypertext Transfer Protocol) URI anywhere in the message that uses a numeric IP address (e.g., http:// 3502894884 ): uri NUMERIC_HTTP_ADDR /^https?\:\/\/\d{7,}/is describe NUMERIC_HTTP_ADDR Uses a numeric IP address in URL score NUMERIC_HTTP_ADDR 2.899 2.800 2.696 0.989 |
‚ < ‚ Day Day Up ‚ > ‚ |