Spamassassin - Privileged Settings

These settings differ from the other spamassassin options, in that they are considered 'privileged'. Only users running spamassassin from their procmailrc's or forward files, or sysadmins editing a file in /etc/mail/spamassassin, can use them. spamd users cannot use them in their user_prefs files, for security and efficiency reasons, unless allow_user_rules is enabled (and then, they may only add rules from below).

allow_user_rules { 0 | 1 } (default: 0)
This setting allows users to create rules (and only rules) in their user_prefs files for use with spamd. It defaults to off, because this could be a severe security hole. It may be possible for users to gain root level access if spamd is run as root. It is NOT a good idea, unless you have some other way of ensuring that users' tests are safe. Don't use this unless you are certain you know what you are doing. Furthermore, this option causes spamassassin to recompile all the tests each time it processes a message for a user with a rule in his/her user_prefs file, which could have a significant effect on server load. It is not recommended.

Note that it is not currently possible to use allow_user_rules to modify an existing system rule from a user_prefs file with spamd.

header SYMBOLIC_TEST_NAME header op /pattern/modifiers [if-unset: STRING]
Define a test. SYMBOLIC_TEST_NAME is a symbolic test name, such as 'FROM_ENDS_IN_NUMS'. header is the name of a mail header, such as 'Subject', 'To', etc.

'ALL' can be used to mean the text of all the message's headers. 'ToCc' can be used to mean the contents of both the 'To' and 'Cc' headers.

'MESSAGEID' is a symbol meaning all Message-Id's found in the message; some mailing list software moves the real Message-Id to 'Resent-Message-Id' or 'X-Message-Id', then uses its own one in the 'Message-Id' header. The value returned for this symbol is the text from all 3 headers, separated by newlines.

op is either =~ (contains regular expression) or !~ (does not contain regular expression), and pattern is a valid Perl regular expression, with modifiers as regexp modifiers in the usual style. Note that multi-line rules are not supported, even if you use x as a modifier.

If the [if-unset: STRING] tag is present, then STRING will be used if the header is not found in the mail message.

Test names should not start with a number, and must contain only alphanumerics and underscores. It is suggested that lower-case characters not be used, as an informal convention. Dashes are not allowed.

Note that test names which begin with '__' are reserved for meta-match sub-rules, and are not scored or listed in the 'tests hit' reports. Test names which begin with 'T_' are reserved for tests which are undergoing QA, and these are given a very low score.

If you add or modify a test, please be sure to run a sanity check afterwards by running spamassassin --lint. This will avoid confusing error messages, or other tests being skipped as a side-effect.

header SYMBOLIC_TEST_NAME exists:name_of_header
Define a header existence test. name_of_header is the name of a header to test for existence. This is just a very simple version of the above header tests.
header SYMBOLIC_TEST_NAME eval:name_of_eval_method([arguments])
Define a header eval test. name_of_eval_method is the name of a method on the Mail::SpamAssassin::EvalTests object. arguments are optional arguments to the function call.
header SYMBOLIC_TEST_NAME eval:check_rbl('set', 'zone')
Check a DNSBL (DNS blacklist), also known as RBLs (realtime blacklists). This will retrieve Received headers from the mail, parse the IP addresses, select which ones are 'untrusted' based on the trusted_networks logic, and query that blacklist. There's a few things to note:

Duplicated or reserved IPs
These are stripped, and the DNSBLs will not be queried for them. Reserved IPs are those listed in <http://www.iana.org/assignments/ipv4-address-space>, <http://duxcw.com/faq/network/privip.htm>, or <http://duxcw.com/faq/network/autoip.htm>.
The first argument, 'set'
This is used as a 'zone ID'. If you want to look up a multi-meaning zone like relays.osirusoft.com, you can then query the results from that zone using it; but all check_rbl_sub() calls must use that zone ID.

Also, if an IP gets a hit in one lookup in a zone using that ID, any further hits in other rules using that zone ID will *not* be added to the score.

Selecting all IPs except for the originating one
This is accomplished by naming the set 'foo-notfirsthop'. Useful for querying against DNS lists which list dialup IP addresses; the first hop may be a dialup, but as long as there is at least one more hop, via their outgoing SMTP server, that's legitimate, and so should not gain points. If there is only one hop, that will be queried anyway, as it should be relaying via its outgoing SMTP server instead of sending directly to your MX.
Selecting IPs by whether they are trusted
When checking a 'nice' DNSBL (a DNS whitelist), you cannot trust the IP addresses in Received headers that were not added by trusted relays. To test the first IP address that can be trusted, name the set 'foo-firsttrusted'. That should test the IP address of the relay that connected to the most remote trusted relay.

In addition, you can test all untrusted IP addresses by naming the set 'foo-untrusted'.

Note that this requires that SpamAssassin know which relays are trusted. For simple cases, SpamAssassin can make a good estimate. For complex cases, you may get better results by setting trusted_networks manually.

header SYMBOLIC_TEST_NAME eval:check_rbl_txt('set', 'zone')
Same as check_rbl(), except querying using IN TXT instead of IN A records. If the zone supports it, it will result in a line of text describing why the IP is listed, typically a hyperlink to a database entry.
header SYMBOLIC_TEST_NAME eval:check_rbl_sub('set', 'sub-test')
Create a sub-test for 'set'. If you want to look up a multi-meaning zone like relays.osirusoft.com, you can then query the results from that zone using the zone ID from the original query. The sub-test may either be an IPv4 dotted address for RBLs that return multiple A records or a non-negative decimal number to specify a bitmask for RBLs that return a single A record containing a bitmask of results.
body SYMBOLIC_TEST_NAME /pattern/modifiers
Define a body pattern test. pattern is a Perl regular expression.

The 'body' in this case is the textual parts of the message body; any non-text MIME parts are stripped, and the message decoded from Quoted-Printable or Base-64-encoded format if necessary. The message Subject header is considered part of the body and becomes the first paragraph when running the rules. All HTML tags and line breaks will be removed before matching.

body SYMBOLIC_TEST_NAME eval:name_of_eval_method([args])
Define a body eval test. See above.
uri SYMBOLIC_TEST_NAME /pattern/modifiers
Define a uri pattern test. pattern is a Perl regular expression.

The 'uri' in this case is a list of all the URIs in the body of the email, and the test will be run on each and every one of those URIs, adjusting the score if a match is found. Use this test instead of one of the body tests when you need to match a URI, as it is more accurately bound to the start/end points of the URI, and will also be faster.

rawbody SYMBOLIC_TEST_NAME /pattern/modifiers
Define a raw-body pattern test. pattern is a Perl regular expression.

The 'raw body' of a message is the text, including all textual parts. The text will be decoded from base64 or quoted-printable encoding, but HTML tags and line breaks will still be present.

rawbody SYMBOLIC_TEST_NAME eval:name_of_eval_method([args])
Define a raw-body eval test. See above.
full SYMBOLIC_TEST_NAME /pattern/modifiers
Define a full-body pattern test. pattern is a Perl regular expression.

The 'full body' of a message is the un-decoded text, including all parts (including images or other attachments). SpamAssassin no longer tests full tests against decoded text; use rawbody for that.

full SYMBOLIC_TEST_NAME eval:name_of_eval_method([args])
Define a full-body eval test. See above.
meta SYMBOLIC_TEST_NAME boolean expression
Define a boolean expression test in terms of other tests that have been hit or not hit. For example:

meta META1 TEST1 && !(TEST2 || TEST3)

Note that English language operators (``and'', ``or'') will be treated as rule names, and that there is no XOR operator.

meta SYMBOLIC_TEST_NAME boolean arithmetic expression
Can also define a boolean arithmetic expression in terms of other tests, with a hit test having the value ``1'' and an unhit test having the value ``0''. For example:

meta META2 (3 * TEST1 - 2 * TEST2) > 0

Note that Perl builtins and functions, like abs(), can't be used, and will be treated as rule names.

If you want to define a meta-rule, but do not want its individual sub-rules to count towards the final score unless the entire meta-rule matches, give the sub-rules names that start with '__' (two underscores). SpamAssassin will ignore these for scoring.

tflags SYMBOLIC_TEST_NAME [ { net | nice | learn | userconf } ... ]
Used to set flags on a test. These flags are used in the score-determination back end system for details of the test's behaviour. The following flags can be set:

net
The test is a network test, and will not be run in the mass checking system or if -L is used, therefore its score should not be modified.
nice
The test is intended to compensate for common false positives, and should be assigned a negative score.
userconf
The test requires user configuration before it can be used (like language- specific tests).
learn
The test requires training before it can be used.