Setting up SpamAssassin in Debian is easy: just apt-get it. Exim users might need sa-exim to reject mail at the gateway.

The SARE (SpamAssassin Rules Emporium, http://www.rulesemporium.com/) has a bunch of rules for download. Put them into /etc/spamassassin/ and restart spamd.

Writing rules

Customized rules can be written and put in either /etc/spamassassin for global use or ~/.spamassassin/. For detailed configuration, consult the manpage of spamd.

The syntax for the rules is as follows:

body     NEW_RULE   /regex/
score    NEW_RULE   0.1
describe NEW_RULE   This is a rule

It checks the body for a regex match. If one is found, it adds the score to the mail (a negative score means non-spam). The describe line is for information only and appears in the verbose report. The regex is in Perl’s dialect, and flags are allowed.

Instead of checking the body, one can also check the headers, such as Subject, From or To. For example:

header ANOTHER_RULE   Subject =~ /regex/i
score  ANOTHER_RULE   0.1

The header field to check is put before =~. It can be any field that can appear in the header, including obscure ones. The part after =~ is the regex to match. The name of the header field is case insensitive, which means the rule

header YET_ANOTHER_RULE   Foobar =~ /regex/i

matches any of the following:

foobar: something with that regex
FooBar: something with that regex
fOObaR: something with that regex

To match anything in the header, use ALL, such as:

header SHOWING_ALL  ALL =~ /regex/

To search links in particular, use uri rules, which match only against the URIs of links:

uri  EXAMPLE   /regex\.com/

To search the body of the email without any preprocessing, use rawbody:

 rawbody RAWBODY_EXAMPLE /\<\-\-! created with spamware 1\.0 \-\-\>/

Rules can be combined to form a new rule, called a meta rule. It uses a boolean expression for the combination:

 header  __BANK_SEND  From =~ /cs\@bank\.com/
 body    __FOR_LOAN   /(loan|money)/
 meta    BANK_LOAN  (__BANK_SEND && __FOR_LOAN)
 score   BANK_LOAN  -1.0

Alternatively, meta can also check whether more than a given number of rules matched:

 body    __FOR_LOAN   /loan/
 body    __MONEY      /money/
 body    __INTEREST   /interest/
 body    __CREDIT     /credit/
 meta    LOAN_MAIL    ( (__FOR_LOAN + __MONEY + __INTEREST + __CREDIT)>2 )
 describe LOAN_MAIL   Matched more than 2 items
 score   LOAN_MAIL    1.0

Or you can do a weighted measure:

 meta    LOAN_MAIL    ( (0.5*__FOR_LOAN + 0.5*__MONEY + 0.3*__INTEREST + 0.8*__CREDIT)>1.3 )
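
To see how the header, body and meta rules above interact, here is an added example (not from the original post and not SpamAssassin's own code): a small Python model that reads the rule lines and evaluates them against one message. It assumes Python's re module is close enough to Perl's dialect for these patterns, treats the raw message body as the body text, and reads the rules in a single pass; the function names, the sample message and its addresses are constructed for illustration.

```python
import ast
import operator
import re
from email import message_from_string

# Rules from the text above; MESSAGE is a constructed sample with a lower-case "from:".
RULES = r"""
header  __BANK_SEND  From =~ /cs\@bank\.com/
body    __FOR_LOAN   /loan/
body    __MONEY      /money/
body    __INTEREST   /interest/
body    __CREDIT     /credit/
meta    BANK_LOAN    (__BANK_SEND && __FOR_LOAN)
score   BANK_LOAN    -1.0
meta    LOAN_MAIL    ( (0.5*__FOR_LOAN + 0.5*__MONEY + 0.3*__INTEREST + 0.8*__CREDIT)>1.3 )
score   LOAN_MAIL    1.0
"""
MESSAGE = "from: cs@bank.com\n\nA loan with low interest on your credit card.\n"
OPS = {ast.Add: operator.add, ast.Mult: operator.mul, ast.Gt: operator.gt}

def hit(literal, text):  # '/pattern/flags' searched in text -> 1 or 0 (only the i flag)
    pattern, flags = literal.strip()[1:].rsplit("/", 1)
    return int(bool(re.search(pattern, text, re.I if "i" in flags else 0)))

def meta_value(node, hits):  # a rule name is worth 1 if it hit, 0 otherwise
    if isinstance(node, (ast.Constant, ast.Name)):
        return node.value if isinstance(node, ast.Constant) else hits.get(node.id, 0)
    if isinstance(node, ast.BoolOp):
        test = all if isinstance(node.op, ast.And) else any
        return int(test(meta_value(v, hits) for v in node.values))
    if isinstance(node, (ast.BinOp, ast.Compare)):
        op, right = (node.op, node.right) if isinstance(node, ast.BinOp) else (node.ops[0], node.comparators[0])
        return OPS[type(op)](meta_value(node.left, hits), meta_value(right, hits))
    raise ValueError("unsupported meta expression")

def evaluate(rules, raw_message):  # single pass: meta and score lines follow the rules they name
    msg, hits, total = message_from_string(raw_message), {}, 0.0
    for kind, name, rest in (line.split(None, 2) for line in rules.strip().splitlines()):
        if kind == "body":
            hits[name] = hit(rest, msg.get_payload())
        elif kind == "header":
            field, literal = rest.split("=~", 1)
            hits[name] = hit(literal, msg.get(field.strip(), ""))
        elif kind == "meta":
            expr = rest.replace("&&", " and ").replace("||", " or ").strip()
            hits[name] = int(meta_value(ast.parse(expr, mode="eval").body, hits))
        elif kind == "score" and hits.get(name):
            total += float(rest)
    return hits, total
```

For the sample message both meta rules fire, so the -1.0 from BANK_LOAN cancels the 1.0 from LOAN_MAIL; the same body from any other sender scores 1.0.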