Tags: centos, spam-prevention, spamassassin

SpamAssassin - custom filter with multiple rules?


I'm attempting to set up a custom SpamAssassin filter to deal with the huge amount of SEO & web dev spam we get from GMail & Hotmail accounts - ideally, server-wide, since there are multiple mail hosted on that server. I've trained SA against thousands of examples of those spam messages, but SA usually scores below the spam threshold because they pass all of the other tests (SPF, RBL checks, etc.), even if the Bayesian filter catches them.

I've added the following to my /etc/mail/spamassassin/local.cf file:

    # GMAIL & HOTMAIL SEO SPAM
    header      GMAIL_HOTMAIL_SEO_SPAM  From =~ /\@gmail\.com|\@hotmail\.com|\@outlook\.com/i
    body        GMAIL_HOTMAIL_SEO_SPAM      /seo|india/i
    score GMAIL_HOTMAIL_SEO_SPAM          15
    describe GMAIL_HOTMAIL_SEO_SPAM Web dev and SEO spam from GMail & Hotmail

Obviously the goal is to catch messages that match BOTH the "header" and "body" rules - and at first it appeared to be working. When I sent test messages to accounts on that server from GMail & Hotmail accounts that included words in the "body" rule, the filter was triggered - and when I sent messages from the same GMail and Hotmail accounts without any of the words in the "body" rule, they didn't trigger the filter.

But when I send a test message from a non-GMail/Hotmail account, containing one of the words from the "body" rule, that also triggers the filter. For some reason, the "header" rule only seems to trigger the filter if the conditions in the "body" rule are also met - but not vice versa: the "body" rule triggers even if the conditions in the "header" rule aren't met.

Any idea how to get that working properly?


Solution

  • After some more testing/searching, I managed to get it working with meta rules:

    # GMAIL & HOTMAIL SEO SPAM USING META RULES
    header      __GMAIL_HOTMAIL_SPAM_FROM   From =~ /\@gmail\.com|\@hotmail\.com|\@outlook\.com/i
    body        __GMAIL_HOTMAIL_SPAM_BODY       /india|seo proposal|seo quote|top ranking guaranteed|front page of google|top in google|google 1st page|guaranteed 1st page|top rankings on google|top ranking on google|top rank in google|top 10 positions in google|top 3 positions|1st ranking on google|1st page of google|1st page on google|1st position in Google|google page 1|ranking proposal/i
    meta    GMAIL_HOTMAIL_SPAM __GMAIL_HOTMAIL_SPAM_FROM && __GMAIL_HOTMAIL_SPAM_BODY
    score   GMAIL_HOTMAIL_SPAM  15
    

    The double underscores in the from & body rules are to prevent those rules from being applied on their own - without them, those rules will be applied & add a score of "1.0".
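The difference between the two configurations can be checked offline with a small model of the rule logic. This is an added example, not code from the original post or from SpamAssassin: the function names are hypothetical, the body regex from the answer is shortened, and the model assumes that a later definition with the same rule name replaces the earlier one, which matches the behaviour reported in the question.

```python
import re

# Constructed copies of the page's two rule sets (answer's body regex shortened).
BROKEN_CF = r"""
header GMAIL_HOTMAIL_SEO_SPAM From =~ /\@gmail\.com|\@hotmail\.com|\@outlook\.com/i
body   GMAIL_HOTMAIL_SEO_SPAM /seo|india/i
score  GMAIL_HOTMAIL_SEO_SPAM 15
"""
META_CF = r"""
header __GMAIL_HOTMAIL_SPAM_FROM From =~ /\@gmail\.com|\@hotmail\.com|\@outlook\.com/i
body   __GMAIL_HOTMAIL_SPAM_BODY /india|seo proposal|seo quote/i
meta   GMAIL_HOTMAIL_SPAM __GMAIL_HOTMAIL_SPAM_FROM && __GMAIL_HOTMAIL_SPAM_BODY
score  GMAIL_HOTMAIL_SPAM 15
"""

def _regex(text):
    # "/pattern/i" -> compiled regex; only the "i" flag is modelled.
    pattern, _, flags = text.strip()[1:].rpartition("/")
    return re.compile(pattern, re.I if "i" in flags else 0)

def parse(cf):
    rules, scores = {}, {}
    for line in cf.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind == "score":
            scores[name] = float(rest)
        elif kind == "header":
            hdr, pat = rest.split("=~", 1)
            rules[name] = ("header", hdr.strip(), _regex(pat))  # assumed: same name overwrites
        elif kind == "body":
            rules[name] = ("body", None, _regex(rest))
        elif kind == "meta":
            rules[name] = ("meta", None, [t.strip() for t in rest.split("&&")])
    return rules, scores

def total_score(cf, headers, body):
    rules, scores = parse(cf)
    hits = {}
    for name, (kind, hdr, test) in rules.items():
        if kind != "meta":
            hits[name] = bool(test.search(headers.get(hdr, "") if kind == "header" else body))
    for name, (kind, _, terms) in rules.items():
        if kind == "meta":  # only "A && B" conjunctions are modelled
            hits[name] = all(hits.get(t, False) for t in terms)
    # "__" sub-rules never score; an unscored named rule counts 1.0, as the answer notes.
    return sum(scores.get(n, 1.0) for n, hit in hits.items() if hit and not n.startswith("__"))
```

Called with a constructed non-Gmail sender and a body containing "SEO proposal", `total_score` returns 15 for the first configuration and 0 for the meta version; a real configuration should still be validated with `spamassassin --lint`.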