Starting with H-Sphere 2.4.3, mail service packages come with
RulesDuJour, a bash script
that automatically downloads new versions of SpamAssassin rulesets as their authors release them.
As FreeBSD does not include bash by default,
the H-Sphere mail service package containing RulesDuJour also includes the bash installation
for FreeBSD. This script must run daily as a cron task to keep additional custom SpamAssassin
rules up to date.
At the mail server level, RulesDuJour is implemented by the following scripts:
- Initialization script: /hsphere/local/config/mail/spamassassin/scripts/init_rules_du_jour
- Deletion script: /hsphere/local/config/mail/spamassassin/scripts/delete_rules_du_jour
- RulesDuJour SA ruleset update script: /hsphere/local/config/mail/spamassassin/scripts/rules_du_jour
Initialization Script
The initialization script is launched upon enabling the Automatic Ruleset Update (RulesDuJour)
option in SpamAssassin Manager:
- It creates the default RulesDuJour config file
/hsphere/local/config/mail/spamassassin/rulesdujour. The init script syntax
(run it with the -h option to get help):
# /hsphere/local/config/mail/spamassassin/scripts/init_rules_du_jour -h
Usage: init_rules_du_jour [ -r rulesets ] [ -e email ]
rulesets: list of comma separated rule set;
possible values: TRIPWIRE EVILNUMBERS SARE_RANDOM (default: all)
email: address where e-mail notifications on SA rulesets update go (default: none)
- It adds the RulesDuJour SA ruleset update script
/hsphere/local/config/mail/spamassassin/scripts/rules_du_jour to
mail server cron jobs starting daily at 1:00 AM:
0 1 * * * /hsphere/local/config/mail/spamassassin/scripts/rules_du_jour
Configuration File
Initialization creates the RulesDuJour config file /hsphere/local/config/mail/spamassassin/rulesdujour.
It has the following format:
# cat rulesdujour.default
TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS SARE_RANDOM"
SA_DIR=/hsphere/local/config/mail/spamassassin
EMAIL_RDJ_UPDATE_ONLY=
SINGLE_EMAIL_ONLY=true
MAIL_ADDRESS=
SA_LINT="/hsphere/shared/bin/spamassassin --lint"
SA_RESTART="/etc/rc.d/init.d/spamd restart"
TMPDIR="${SA_DIR}/RulesDuJour"
This sample config file is for Linux servers. For FreeBSD, it has a different spamd restart format:
SA_RESTART="/usr/local/etc/rc.d/spamd.sh restart"
- TRUSTED_RULESETS - the categories of custom rulesets to be included and updated:
  - ANTIDRUG - intended to detect common "pill spam".
    However, it is not appropriate for all environments;
    it may not be appropriate for a medical or pharmaceutical environment.
  - BIGEVIL - looks for known spammer URLs in the spam.
  - BLACKLIST - a blacklist of spammers.
  - BLACKLIST_URI - looks for these domains inside URLs in the message.
  - BOGUSVIRUS - lists bogus virus warnings and similar.
  - EVILNUMBERS - addresses and phone numbers harvested from spam.
  - EVILNUMBERS1 - addresses and phone numbers harvested from spam.
  - EVILNUMBERS2 - addresses and phone numbers harvested from spam.
  - RANDOMVAL - list of tags spammers sometimes forget to convert in spam.
  - SARE_ADULT - designed to catch spam with "Adult" material.
  - SARE_BAYES_POISON_NXM - using lists of words with equal length.
  - SARE_BML - designed to catch "business, marketing and educational" spam.
  - SARE_BML_PRE25X - designed to catch "business, marketing and educational" spam.
  - SARE_CODING - contains HTML coding rules that detect various spammer tricks applied
    through HTML coding within messages.
  - SARE_FRAUD - designed to catch "Nigerian 419", "International Lotto", etc. type scams.
  - SARE_FRAUD_PRE25X - designed to catch "Nigerian 419", "International Lotto", etc.
    type scams.
  - SARE_HEADER - contains Header rules that are not found in other SARE rule sets.
  - SARE_OEM - tries to detect people selling OEM software to consumers.
  - SARE_RANDOM - tries to detect common mis-fires on bulk mail software.
    Many signs are found, such as %RND_NUMBER.
  - SARE_RATWARE
  - SARE_SPECIFIC - rule set which flags specific spam and/or spam from specific spammers.
  - SARE_SPOOF - tries to detect common spoofing attempts by spammers.
    Many use a Message-ID of one provider but the message was never passed through the suggested system.
  - TRIPWIRE - searches for 3 characters that shouldn't be together.
    This is based on the English language.
- MAIL_ADDRESS - the e-mail address where SA ruleset update notifications will be sent.
If the field is empty, no notifications will be sent.
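A pre-flight check for the config file described above, as an added example (not part of H-Sphere or RulesDuJour): it reads TRUSTED_RULESETS and MAIL_ADDRESS as text, without sourcing the file, and flags ruleset names that are not in this page's list. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an H-Sphere rulesdujour config without sourcing it.
# Ruleset names listed for TRUSTED_RULESETS on this page.
KNOWN_RULESETS="ANTIDRUG BIGEVIL BLACKLIST BLACKLIST_URI BOGUSVIRUS EVILNUMBERS
EVILNUMBERS1 EVILNUMBERS2 RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML
SARE_BML_PRE25X SARE_CODING SARE_FRAUD SARE_FRAUD_PRE25X SARE_HEADER SARE_OEM
SARE_RANDOM SARE_RATWARE SARE_SPECIFIC SARE_SPOOF TRIPWIRE"

# rdj_get NAME FILE: print the value of NAME=value (optional double quotes
# stripped). The file is parsed as text, never executed; last assignment wins.
rdj_get() {
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# rdj_unknown_rulesets FILE: print each configured name not in KNOWN_RULESETS.
rdj_unknown_rulesets() {
    rdj_get TRUSTED_RULESETS "$1" | tr -s ' \t' '\n\n' | while read -r name; do
        [ -n "$name" ] || continue
        case " $(echo $KNOWN_RULESETS) " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# rdj_check FILE: print findings; return 1 if the ruleset list is empty or
# contains an unknown name. An empty MAIL_ADDRESS is reported but not an error.
rdj_check() {
    rc=0
    [ -n "$(rdj_get TRUSTED_RULESETS "$1")" ] || { echo "TRUSTED_RULESETS is empty"; rc=1; }
    bad=$(rdj_unknown_rulesets "$1")
    [ -z "$bad" ] || { echo "unknown ruleset name(s):" $bad; rc=1; }
    [ -n "$(rdj_get MAIL_ADDRESS "$1")" ] || echo "note: MAIL_ADDRESS is empty, no notifications will be sent"
    return $rc
}

# Constructed sample config (not from a real server) with one misspelt name.
rdj_sample() {
    cat <<'EOF'
TRUSTED_RULESETS="TRIPWIRE EVILNUMBER SARE_RANDOM"
SA_DIR=/hsphere/local/config/mail/spamassassin
MAIL_ADDRESS=
EOF
}

# With a path argument, check that file; otherwise demonstrate on the sample.
if [ $# -gt 0 ]; then rdj_check "$1"
else tmp=$(mktemp); rdj_sample > "$tmp"; rdj_check "$tmp" || true; rm -f "$tmp"; fi
```

Pass the path of the rulesdujour file as the only argument after editing it by hand; the exit status is non-zero when the ruleset list needs attention.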