Community SpamAssassin Rules – Feedback & Contributions Welcome

Hostking (Verified User, joined Jan 29, 2021, South Africa)
Calling all mail server admins (SpamAssassin)

I’m working on building a community-driven SpamAssassin rule set — similar in concept to how CSF shares regex rules.

I’m specifically looking for:

Rules with low false positives (especially important for shared hosting environments)
Real-world phishing and spam patterns
Effective META rules

If you have any solid rules or insights, I’d really appreciate you sharing them.

Setup notes:

Add your rules to the bottom of:

Code:
/etc/mail/spamassassin/local.cf

Then restart the spamd service.

To monitor how the rules are performing in your environment, check the mail log:

Code:
tail -f /var/log/maillog

This will help you quickly see whether the rules are behaving well or causing issues.
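To turn `tail -f /var/log/maillog` into numbers you can act on, here is an added example (not from the original post) that parses spamd `result:` lines and counts, per custom rule, how often it fired on mail spamd judged spam (Y) versus ham (.), flagging rules that mostly hit ham as false-positive candidates. The log lines are constructed; the `HK_`/`LOCAL_` rule prefixes are the ones used by the rules in this thread.

```python
import re
from collections import defaultdict

# Constructed spamd log lines (not real traffic). spamd writes one
# "result:" line per scanned message: Y = spam, . = ham, then the integer
# score, a dash, and the comma-separated list of rules that fired.
SAMPLE_MAILLOG = """\
Jun 10 08:01:12 mx spamd[2211]: spamd: result: Y 9 - HK_ACCOUNT_THREAT,HK_URGENT_CTA,LOCAL_META_PHISH scantime=0.4,size=2310,user=alice,uid=1001,required_score=5.0,mid=<c1@example.invalid>,autolearn=no
Jun 10 08:02:40 mx spamd[2211]: spamd: result: . 1 - HK_GENERIC_GREETING,LOCAL_HTML_ONLY_HIGH scantime=0.3,size=1800,user=alice,uid=1001,required_score=5.0,mid=<c2@example.invalid>,autolearn=no
Jun 10 08:03:05 mx spamd[2211]: spamd: result: . 2 - HK_LOGIN_KEYWORDS,LOCAL_HTML_ONLY_HIGH scantime=0.3,size=2100,user=bob,uid=1002,required_score=5.0,mid=<c3@example.invalid>,autolearn=no
Jun 10 08:04:55 mx spamd[2211]: spamd: result: Y 7 - HK_LOGIN_KEYWORDS,HK_WEBMAIL_UPGRADE,LOCAL_HTML_ONLY_HIGH scantime=0.5,size=2500,user=bob,uid=1002,required_score=5.0,mid=<c4@example.invalid>,autolearn=no
Jun 10 08:05:10 mx spamd[2211]: spamd: result: . 0 - LOCAL_HTML_ONLY_HIGH scantime=0.2,size=900,user=carol,uid=1003,required_score=5.0,mid=<c5@example.invalid>,autolearn=no
"""

RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>[A-Z0-9_,]*)"
)

def parse_results(log_text):
    """Yield (is_spam, score, rule_names) for every spamd result line."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            rules = [r for r in m["rules"].split(",") if r]
            yield m["verdict"] == "Y", int(m["score"]), rules

def rule_hit_stats(log_text, prefixes=("HK_", "LOCAL_")):
    """Per custom rule, count hits on spam vs ham as judged by spamd."""
    stats = defaultdict(lambda: {"spam": 0, "ham": 0})
    for is_spam, _score, rules in parse_results(log_text):
        for rule in rules:
            if rule.startswith(prefixes):
                stats[rule]["spam" if is_spam else "ham"] += 1
    return dict(stats)

def ham_heavy_rules(stats, min_hits=2):
    """Rules that fired mostly on ham: review their regex or lower the score."""
    return sorted(rule for rule, c in stats.items()
                  if c["spam"] + c["ham"] >= min_hits and c["ham"] > c["spam"])

if __name__ == "__main__":
    stats = rule_hit_stats(SAMPLE_MAILLOG)
    for rule, c in sorted(stats.items()):
        print(f"{rule:24} spam={c['spam']:3} ham={c['ham']:3}")
    print("ham-heavy:", ham_heavy_rules(stats))
```

On a live server, feed it the output of `grep 'spamd: result:' /var/log/maillog` instead of the constructed sample; the spam/ham split reflects spamd's own verdict, so a rule that keeps landing on ham is the one to inspect first.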
My current custom rules (phishing-focused)

Code:
########################################################################
# CUSTOM PHISHING RULES (Hosting-safe)
########################################################################

# 1. IMAP/POP3 delay phishing theme
body LOCAL_IMAP_DELAY_PHISH /IMAP\/POP3.*(Delay|Notice|Delivery)/i
describe LOCAL_IMAP_DELAY_PHISH Fake IMAP/POP3 delay phishing email
score LOCAL_IMAP_DELAY_PHISH 3.0

# 2. "Retrieve messages" phishing lure
body LOCAL_RETRIEVE_MESSAGES /Retrieve all \d+ messages/i
describe LOCAL_RETRIEVE_MESSAGES Phishing message retrieval lure
score LOCAL_RETRIEVE_MESSAGES 2.5

# 3. "Erase messages" phishing scare tactic
body LOCAL_ERASE_MESSAGES /Erase all \d+ messages/i
describe LOCAL_ERASE_MESSAGES Phishing deletion scare tactic
score LOCAL_ERASE_MESSAGES 2.5

# 4. Fake cPanel branding abuse
body LOCAL_FAKE_CPANEL /Copyright.*cPanel/i
describe LOCAL_FAKE_CPANEL Fake cPanel branding in email
score LOCAL_FAKE_CPANEL 2.0

# 6. Suspicious .shop sender (LOW weight to avoid false positives)
header LOCAL_BAD_TLD From =~ /\b[\w.-]+\.shop\b/i
describe LOCAL_BAD_TLD Suspicious .shop sender domain
score LOCAL_BAD_TLD 1.5

# 7. HTML-only (really: HTML content-type signal)
header LOCAL_HTML_ONLY_HIGH Content-Type =~ /text\/html/i
describe LOCAL_HTML_ONLY_HIGH HTML content-type present
score LOCAL_HTML_ONLY_HIGH 0.5

# 8. Google Groups Spam
header HK_GOOGLE_GROUPS exists:X-Google-Group-Id
score HK_GOOGLE_GROUPS 6
describe HK_GOOGLE_GROUPS Message sent via Google Groups

# 9. META / Facebook phishing spam
body LOCAL_META_PHISH /(meta|facebook).*(verification|account|intellectual)/i
score LOCAL_META_PHISH 3.5
describe LOCAL_META_PHISH Meta/Facebook phishing attempt

########################################################################
# ADDITIONAL PHISHING RULES (Domain mismatch + modern phishing patterns)
########################################################################

# 10. Account deactivation phishing (combo rule)
# Sub-rules that exist only to feed a meta rule must start with "__":
# a rule without an explicit score otherwise gets SpamAssassin's default
# score of 1.0 and would add points on its own, outside the combination.
body     __HK_DEACTIVATE_WORD /de-?activat(ed|ion)/i
body     __HK_ACCOUNT_WORD /(account|mailbox|webmail)/i
meta     HK_ACCOUNT_THREAT (__HK_DEACTIVATE_WORD && __HK_ACCOUNT_WORD)
describe HK_ACCOUNT_THREAT Account deactivation phishing wording
score    HK_ACCOUNT_THREAT 2.5

# 11. Urgent phishing CTA wording (LOW weight)
body     HK_URGENT_CTA /(upgrade now|verify (your )?(account|mailbox)|click (below|here))/i
describe HK_URGENT_CTA Urgent phishing-style call-to-action
score    HK_URGENT_CTA 1.5

# 12. Generic greeting (VERY LOW weight)
body     HK_GENERIC_GREETING /Dear\s+(customer|user|client|support@)/i
describe HK_GENERIC_GREETING Generic phishing greeting
score    HK_GENERIC_GREETING 1.0

# 13. Suspicious TLDs (conservative list only)
uri      HK_SUSPICIOUS_TLD /\.(store|xyz|top|click)\b/i
describe HK_SUSPICIOUS_TLD Suspicious TLD in URL
score    HK_SUSPICIOUS_TLD 1.5

# 14. HTML button phishing pattern (LOW signal only)
# "body" rules run against the rendered text with HTML tags stripped, so a
# pattern that looks for an <a ... style=...> tag has to use "rawbody".
rawbody  HK_HTML_BUTTON /<a[^>]+style=.*padding:.*(10px|12px)/i
describe HK_HTML_BUTTON HTML button-style phishing link
score    HK_HTML_BUTTON 1.0

# 15. Webmail upgrade phishing theme
body     HK_WEBMAIL_UPGRADE /(webmail).*(upgrade|update|version)/i
describe HK_WEBMAIL_UPGRADE Fake webmail upgrade phishing
score    HK_WEBMAIL_UPGRADE 2.0

# 16. Fake IT Support / Admin impersonation
body     HK_FAKE_IT_SUPPORT /(IT Support|Mail Admin|Email Administrator)/i
describe HK_FAKE_IT_SUPPORT Impersonation of IT support
score    HK_FAKE_IT_SUPPORT 1.5

# 17. External login portal keyword (combined with link later)
body     HK_LOGIN_KEYWORDS /(sign in|login|access mailbox)/i
describe HK_LOGIN_KEYWORDS Login lure wording
score    HK_LOGIN_KEYWORDS 1.5
Share your rules if you have any 👍

Also happy for feedback — if anything here can be improved or I got something wrong, please let me know.
 
Well I thought being in the SpamAssassin section under Email it would be known automatically that it's for SpamAssassin. :)

I am sure it can be used for Rspamd too, but this is mainly for SpamAssassin.

Secondly, you place it at the bottom of /etc/mail/spamassassin/local.cf and then restart the spamd service like:

Code:
systemctl restart spamd

Hope that helps.

PS - I'll update the main post shortly.
 
The retrieve/purge messages ones are good. I only had one derivative of that one.

Most of my rules are hyper-specific but perhaps there are some I could share.
 
Well I thought being in the SpamAssassin section under Email it would be known automatically that it's for SpamAssassin. :)
Correct, but as a long-time forum admin of other forums and a long-time user here, experiencing that some people don't always use the correct forum thread, I thought I could better ask to be sure. :)

I already had a feeling it would be the local.cf, hoping this is not overwritten on updates.
Thank you!
 
What do you guys think of these to tighten up SPF and DKIM checks in local.cf:

Code:
########################################################################
# SPF — stricter scoring
########################################################################

score SPF_FAIL 4.0
score SPF_SOFTFAIL 2.5
score SPF_HELO_FAIL 2.5
score SPF_HELO_SOFTFAIL 1.5
score SPF_NONE 2.0
score SPF_HELO_NONE 1.0


########################################################################
# DKIM — stricter scoring
########################################################################

score DKIM_INVALID 4.0
score DKIM_SIGNED 0.5
score DKIM_ADSP_DISCARD 3.0


########################################################################
# Reduce the bonus for valid DKIM
########################################################################

score DKIM_VALID -0.1
score DKIM_VALID_AU -0.1
score DKIM_VALID_EF -0.1


########################################################################
# DMARC
########################################################################

score DMARC_FAIL 5.0
score DMARC_MISSING 1.5
 
score DMARC_FAIL 5.0
score DMARC_MISSING 1.5
I don't think that's a good one, because DMARC almost always fails on a forward, which could lead to too many legitimate mails being reported as spam.
A missing DMARC is not an option for me. Loads of sites don't have DMARC, it's not required either, and the same goes for forwards again. So I wouldn't reduce the score if a DMARC record is present, but I won't add a score either.
Next to that, for spammers it's the same as with SPF and DKIM: they all have it, so it's not really of any use anymore to reward mails for having these records.

Using stricter values for SPF and DKIM, it is only a good thing to get a negative score if they are missing or wrong.
I wouldn't give a positive score anymore for correct SPF and DKIM records.
But that's just my 2 cents.
 