Community SpamAssassin Rules – Feedback & Contributions Welcome

sahostking

Calling all mail server admins

I’m putting together a community-driven SpamAssassin rule set (similar idea to what CSF did with shared regex rules).

Looking for:

  • Low false-positive rules (important for shared hosting)
  • Real-world phishing/spam patterns
  • Useful META rules
If you have anything solid, please share.



My current custom rules (phishing-focused)

Code:
########################################################################
# CUSTOM PHISHING RULES (Hosting-safe)
########################################################################

# 1. IMAP/POP3 delay phishing theme
body LOCAL_IMAP_DELAY_PHISH /IMAP\/POP3.*(Delay|Notice|Delivery)/i
describe LOCAL_IMAP_DELAY_PHISH Fake IMAP/POP3 delay phishing email
score LOCAL_IMAP_DELAY_PHISH 3.0

# 2. "Retrieve messages" phishing lure
body LOCAL_RETRIEVE_MESSAGES /Retrieve all \d+ messages/i
describe LOCAL_RETRIEVE_MESSAGES Phishing message retrieval lure
score LOCAL_RETRIEVE_MESSAGES 2.5

# 3. "Erase messages" phishing scare tactic
body LOCAL_ERASE_MESSAGES /Erase all \d+ messages/i
describe LOCAL_ERASE_MESSAGES Phishing deletion scare tactic
score LOCAL_ERASE_MESSAGES 2.5

# 4. Fake cPanel branding abuse
body LOCAL_FAKE_CPANEL /Copyright.*cPanel/i
describe LOCAL_FAKE_CPANEL Fake cPanel branding in email
score LOCAL_FAKE_CPANEL 2.0

# 6. Suspicious .shop sender (LOW weight to avoid false positives)
header LOCAL_BAD_TLD From =~ /\b[\w.-]+\.shop\b/i
describe LOCAL_BAD_TLD Suspicious .shop sender domain
score LOCAL_BAD_TLD 1.5

# 7. HTML-only (really: HTML content-type signal)
header LOCAL_HTML_ONLY_HIGH Content-Type =~ /text\/html/i
describe LOCAL_HTML_ONLY_HIGH HTML content-type present
score LOCAL_HTML_ONLY_HIGH 0.5

# 8. Google Groups Spam
header HK_GOOGLE_GROUPS exists:X-Google-Group-Id
score HK_GOOGLE_GROUPS 6
describe HK_GOOGLE_GROUPS Message sent via Google Groups

# 9. META / Facebook phishing spam
body LOCAL_META_PHISH /(meta|facebook).*(verification|account|intellectual)/i
score LOCAL_META_PHISH 3.5
describe LOCAL_META_PHISH Meta/Facebook phishing attempt

########################################################################
# ADDITIONAL PHISHING RULES (Domain mismatch + modern phishing patterns)
########################################################################

# 10. Account deactivation phishing (combo rule)
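# Sub-rules use the "__" prefix so they do not score on their own (unscored rules default to 1.0)
body     __HK_DEACTIVATE_WORD /de-?activat(ed|ion)/i
body     __HK_ACCOUNT_WORD /(account|mailbox|webmail)/i
meta     HK_ACCOUNT_THREAT (__HK_DEACTIVATE_WORD && __HK_ACCOUNT_WORD)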
describe HK_ACCOUNT_THREAT Account deactivation phishing wording
score    HK_ACCOUNT_THREAT 2.5

# 11. Urgent phishing CTA wording (LOW weight)
body     HK_URGENT_CTA /(upgrade now|verify (your )?(account|mailbox)|click (below|here))/i
describe HK_URGENT_CTA Urgent phishing-style call-to-action
score    HK_URGENT_CTA 1.5

# 12. Generic greeting (VERY LOW weight)
body     HK_GENERIC_GREETING /Dear\s+(customer|user|client|support@)/i
describe HK_GENERIC_GREETING Generic phishing greeting
score    HK_GENERIC_GREETING 1.0

# 13. Suspicious TLDs (conservative list only)
uri      HK_SUSPICIOUS_TLD /\.(store|xyz|top|click)\b/i
describe HK_SUSPICIOUS_TLD Suspicious TLD in URL
score    HK_SUSPICIOUS_TLD 1.5

# 14. HTML button phishing pattern (LOW signal only)
# rawbody is needed here: body rules see rendered text with the HTML tags stripped
rawbody  HK_HTML_BUTTON /<a[^>]+style=.*padding:.*(10px|12px)/i
describe HK_HTML_BUTTON HTML button-style phishing link
score    HK_HTML_BUTTON 1.0

# 15. Webmail upgrade phishing theme
body     HK_WEBMAIL_UPGRADE /(webmail).*(upgrade|update|version)/i
describe HK_WEBMAIL_UPGRADE Fake webmail upgrade phishing
score    HK_WEBMAIL_UPGRADE 2.0

# 16. Fake IT Support / Admin impersonation
body     HK_FAKE_IT_SUPPORT /(IT Support|Mail Admin|Email Administrator)/i
describe HK_FAKE_IT_SUPPORT Impersonation of IT support
score    HK_FAKE_IT_SUPPORT 1.5

# 17. External login portal keyword (combined with link later)
body     HK_LOGIN_KEYWORDS /(sign in|login|access mailbox)/i
describe HK_LOGIN_KEYWORDS Login lure wording
score    HK_LOGIN_KEYWORDS 1.5






Share your rules if you have any 👍

Also happy for feedback — if anything here can be improved or I got something wrong, please let me know.
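A way to check the "low false-positive" requirement before deploying rules like these, as an added example that is not part of the original post or the poster's code: it replays four of the posted body rules over two constructed messages and totals the scores. The helper names `parse_rules` and `evaluate` and both sample messages are assumptions made for illustration, and Python's `re` stands in for SpamAssassin's Perl regex engine with per-paragraph matching approximated.

```python
import re

# Four of the body rules from the post, copied verbatim.
RULES = r"""
body LOCAL_IMAP_DELAY_PHISH /IMAP\/POP3.*(Delay|Notice|Delivery)/i
score LOCAL_IMAP_DELAY_PHISH 3.0
body LOCAL_META_PHISH /(meta|facebook).*(verification|account|intellectual)/i
score LOCAL_META_PHISH 3.5
body HK_URGENT_CTA /(upgrade now|verify (your )?(account|mailbox)|click (below|here))/i
score HK_URGENT_CTA 1.5
body HK_LOGIN_KEYWORDS /(sign in|login|access mailbox)/i
score HK_LOGIN_KEYWORDS 1.5
"""

# Constructed sample messages (not real mail): one legitimate, one phishing-style.
HAM = ("Hi Thandi, your invoice is attached. The PDF metadata shows the\n"
       "account number we have on file.\n\n"
       "If the amount looks wrong, please login to the client area.")
PHISH = ("IMAP/POP3 Delivery Notice\n\n"
         "Click here to verify your mailbox and sign in.")

BODY_RE = re.compile(r"^body\s+(\S+)\s+/(.*)/([a-z]*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?[\d.]+)$")

def parse_rules(text):
    """Return ({name: compiled regex}, {name: score}) for body/score lines."""
    patterns, scores = {}, {}
    for line in map(str.strip, text.splitlines()):
        if m := BODY_RE.match(line):
            patterns[m[1]] = re.compile(m[2], re.I if "i" in m[3] else 0)
        elif m := SCORE_RE.match(line):
            scores[m[1]] = float(m[2])
    return patterns, scores

def evaluate(body, rules_text=RULES):
    """Approximate body-rule matching: per paragraph, whitespace collapsed."""
    patterns, scores = parse_rules(rules_text)
    fired = {}
    for para in re.split(r"\n\s*\n", body):
        para = " ".join(para.split())
        for name, rx in patterns.items():
            if rx.search(para):
                fired[name] = scores.get(name, 1.0)  # unscored rules default to 1.0
    return fired, sum(fired.values())

if __name__ == "__main__":
    for label, msg in (("ham", HAM), ("phish", PHISH)):
        fired, total = evaluate(msg)
        print(f"{label}: total={total:.1f} hits={sorted(fired)}")
```

On the constructed legitimate message, `LOCAL_META_PHISH` fires on "metadata ... account" and `HK_LOGIN_KEYWORDS` on "login", for a total of 5.0, which reaches SpamAssassin's default `required_score` of 5.0. Passing a rule set with the first alternation anchored as `\b(meta|facebook)\b` to `evaluate` drops that total to 1.5.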