SpamAssassin Custom Rules not working

max046

Member
Feb 26, 2024
I'm trying to add a rule that would block all incoming letters that have a link or hyperlink in the body of the letter in the form https://reprievefamily.org/absio/chosenmopol/?login=user@domain.local. To do this, I made a rule in custom.cf:

Code:
body URL_BLOCK /https?:\/\/[^\s"<]+@[dD][oOG][mA][iI][nN]\.[lL][oO][cC][aA][lL]\b/
describe URL_BLOCK "Blocked message containing URL with @domain.local"
score URL_BLOCK 20.0
Then I run spamassassin -D --lint, then pmgconfig sync --restart 1.
But when you try to send a letter that contains the link https://reprievefamily.org/absio/chosenmopol/?login=user@domain.local, the URL_BLOCK score is not applied:
Code:
2024-11-14T15:37:03.455424+03:00 164-vm-pmg01 postfix/smtpd[14729]: connect from forward100a.mail.yandex.net[178.154.239.83]
2024-11-14T15:37:03.517489+03:00 164-vm-pmg01 postfix/smtpd[14729]: 7E38E5C38D4: client=forward100a.mail.yandex.net[178.154.239.83]
2024-11-14T15:37:03.536889+03:00 164-vm-pmg01 postfix/cleanup[14631]: 7E38E5C38D4: message-id=<164731731587797@mail.yandex.ru>
2024-11-14T15:37:03.539105+03:00 164-vm-pmg01 postfix/qmgr[858]: 7E38E5C38D4: from=<user46@yandex.ru>, size=2312, nrcpt=1 (queue active)
2024-11-14T15:37:03.539319+03:00 164-vm-pmg01 postfix/smtpd[14729]: disconnect from forward100a.mail.yandex.net[178.154.239.83] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-11-14T15:37:03.592599+03:00 164-vm-pmg01 pmg-smtp-filter[14829]: 5C38DB6735EEEF8E8BF: new mail message-id=<164731731587797@mail.yandex.ru>#012
2024-11-14T15:37:08.545683+03:00 164-vm-pmg01 pmg-smtp-filter[14829]: 5C38DB6735EEEF8E8BF: SA score=0/5 time=4.897 bayes=undefined autolearn=disabled hits=AWL(0.212),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),DMARC_PASS(-0.1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.635),MIME_HTML_ONLY(0.1),RCVD_IN_MSPIKE_H3(0.001),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001)
2024-11-14T15:37:08.547368+03:00 164-vm-pmg01 pmg-smtp-filter[14829]: 5C38DB6735EEEF8E8BF: added disclaimer (rule: External Sender Warning)
2024-11-14T15:37:08.548078+03:00 164-vm-pmg01 pmg-smtp-filter[14829]: 5C38DB6735EEEF8E8BF: added disclaimer (rule: External Sender Warning Withelist)
2024-11-14T15:37:08.550260+03:00 164-vm-pmg01 postfix/smtpd[14322]: connect from localhost[127.0.0.1]
2024-11-14T15:37:08.551427+03:00 164-vm-pmg01 postfix/smtpd[14322]: 868CD5C38E8: client=localhost[127.0.0.1], orig_client=forward100a.mail.yandex.net[178.154.239.83]
2024-11-14T15:37:08.596387+03:00 164-vm-pmg01 postfix/cleanup[14511]: 868CD5C38E8: message-id=<164731731587797@mail.yandex.ru>
2024-11-14T15:37:08.598793+03:00 164-vm-pmg01 postfix/qmgr[858]: 868CD5C38E8: from=<user46@yandex.ru>, size=5001, nrcpt=1 (queue active)
2024-11-14T15:37:08.599115+03:00 164-vm-pmg01 postfix/smtpd[14322]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-11-14T15:37:08.599375+03:00 164-vm-pmg01 pmg-smtp-filter[14829]: 5C38DB6735EEEF8E8BF: accept mail to <user@domain.local> (868CD5C38E8) (rule: default-accept)
2024-11-14T15:37:08.602782+03:00 164-vm-pmg01 pmg-smtp-filter[14829]: 5C38DB6735EEEF8E8BF: processing time: 5.015 seconds (4.897, 0.04, 0)
2024-11-14T15:37:08.603425+03:00 164-vm-pmg01 postfix/lmtp[4202]: 7E38E5C38D4: to=<user@domain.local>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.1, delays=0.05/0/0.04/5, dsn=2.5.0, status=sent (250 2.5.0 OK (5C38DB6735EEEF8E8BF))
2024-11-14T15:37:08.603650+03:00 164-vm-pmg01 postfix/qmgr[858]: 7E38E5C38D4: removed
2024-11-14T15:37:08.807845+03:00 164-vm-pmg01 postfix/smtp[13805]: 868CD5C38E8: to=<user@domain.local>, relay=127.0.0.1[127.0.0.1]:225, delay=0.26, delays=0.05/0/0/0.21, dsn=2.6.0, status=sent (250 2.6.0 <164731731587797@mail.yandex.ru> [InternalId=16192026708248, Hostname=HOST] 6326 bytes in 0.136, 45,145 KB/sec Queued mail for delivery)
2024-11-14T15:37:08.808192+03:00 164-vm-pmg01 postfix/qmgr[858]: 868CD5C38E8: removed

I don't understand what's wrong. Help please.
 
As said a few times in the forum - in general we recommend against creating custom rules, as they can be hard to get right and/or they might cause performance issues.

In this case:
URIBL_DBL_BLOCKED_OPENDNS(0.001)
checking the getting started guide (and potentially setting up a dedicated resolver as explained in a page linked from there):
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
is probably the better alternative.


/https?:\/\/[^\s"<]+@[dD][oOG][mA][iI][nN]\.[lL][oO][cC][aA][lL]\b/
the regular expression does not match - specifically `[dD][oOG][mA][iI][nN]` - would match domin, doain, but not domain ([mA]) - also you can add an 'i' after the last / to make the match case-insensitive IIRC

I hope this helps!
 
Good afternoon. I apologize, I made a mistake when writing this message.
The regular expression looks like this:
https?:\/\/[\S,\s]+@domain\.local
I checked it on regex101.com and in the Proxmox GUI and the regex is composed correctly.
But if the letter contains links like:
https://link.dhfg.org=user@domain.local
https://reprievefamily.org/absio/chosenmopol/?login=user@domain.local,
https://accounts.consideration.best/management.aspx?review=user@domain.local
the custom rule is not applied. Such links are contained in phishing emails that are sent to users in order to steal their passwords.
The letters come from different domains, but what they all have in common is that the link contains the recipient's address, so based on this principle I want to block such letters.
Please help me implement this.
 
I managed to block emails that contain links of this type.
SpamAssassin filters:

header DOMAIN_LOCAL_CHECK eval:check_text_plain() || check_body_html()
body DOMAIN_LOCAL_CHECK /https?:\/\/[^\s"']*\?[^\s"']*(?:@|%40)domain\.local\b/
describe DOMAIN_LOCAL_CHECK Checking for mentions of domain.local (except email addresses)
score DOMAIN_LOCAL_CHECK 20.0

header CUSTOM_DOMAIN_LOCAL_URI_CHECK eval:check_uri()
uri CUSTOM_DOMAIN_LOCAL_URI_CHECK /https?:\/\/[^\s"']*\?[^\s"']*(?:@|%40)domain\.local\b/
describe CUSTOM_DOMAIN_LOCAL_URI_CHECK Checking for links from @domain.local in the URI parameters
score CUSTOM_DOMAIN_LOCAL_URI_CHECK 20.0
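To see which of the regexes quoted in this thread actually fire on the links it cites, here is an added test harness; it is not part of any post and not SpamAssassin itself. SpamAssassin compiles rules as Perl regexes, and these particular patterns use only syntax shared with Python's re module, so re serves as a stand-in here; the fourth and fifth sample lines (a percent-encoded `%40` variant and a plain address) are constructed to go one step beyond the thread.

```python
import re

# Regexes copied from the thread. SpamAssassin compiles rules as Perl regexes;
# these particular patterns only use syntax that Python's re module shares, so
# re is used as a stand-in to exercise them. (Added example, not from the posts.)
RULES = {
    # first post: the [oOG] and [mA] classes cannot spell "domain", as the reply notes
    "ORIGINAL_BODY": re.compile(
        r'https?:\/\/[^\s"<]+@[dD][oOG][mA][iI][nN]\.[lL][oO][cC][aA][lL]\b'),
    # the regex from the follow-up post
    "SECOND_BODY": re.compile(r'https?:\/\/[\S,\s]+@domain\.local'),
    # the original intent with the per-letter classes dropped and the /i flag instead
    "FIXED_BODY": re.compile(r'https?:\/\/[^\s"<]+@domain\.local\b', re.IGNORECASE),
    # the final uri rule: requires a literal '?' and also accepts a percent-encoded '@'
    "FINAL_URI": re.compile(
        r'https?:\/\/[^\s"\']*\?[^\s"\']*(?:@|%40)domain\.local\b', re.IGNORECASE),
}

# Constructed inputs: the three links quoted in the thread, a percent-encoded
# variant of the same phishing pattern, and a plain address that must not fire.
SAMPLES = [
    "https://link.dhfg.org=user@domain.local",
    "https://reprievefamily.org/absio/chosenmopol/?login=user@domain.local,",
    "https://accounts.consideration.best/management.aspx?review=user@domain.local",
    "https://example.invalid/reset?account=user%40domain.local",
    "Contact user@domain.local for details",
]


def matching_rules(text: str) -> list[str]:
    """Names of the rules whose regex finds a match anywhere in `text`."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def coverage() -> dict[str, list[str]]:
    """Map each sample line to the rules that fire on it."""
    return {sample: matching_rules(sample) for sample in SAMPLES}


if __name__ == "__main__":
    for line, hits in coverage().items():
        print(f"{hits or ['(no rule)']}\t{line}")
```

Running it shows that the final uri rule never fires on the first quoted link, which has no query string and therefore no `?`, while a body-style pattern without that requirement catches all three.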