Category: rules


Steve Freegard’s new rule SMF_BRACKETS_TO seems pretty effective at catching certain recent spam campaigns, roughly 3% of common spam. While the majority of this spam is already stopped by DNSBLs, the rule may add a tiny bit of extra confidence in case an unlisted spammer gets through the network rules unscathed.

header SMF_BRACKETS_TO To:raw =~ /<<[^<>]+>>/
describe SMF_BRACKETS_TO Double-brackets around To header address
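
To see which To headers the SMF_BRACKETS_TO pattern fires on, this added example (not part of the original post or of SpamAssassin) applies the same regular expression in Python to constructed messages. The helper names and the header extraction are assumptions that only approximate how SpamAssassin builds the To:raw value.

```python
import re

# Same pattern as the SMF_BRACKETS_TO rule quoted above.
BRACKETS_TO = re.compile(r"<<[^<>]+>>")

def raw_to_headers(raw_message):
    """Return the undecoded value of every To header, folding kept.

    Assumption: this approximates what SpamAssassin hands to a To:raw test.
    """
    head = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    values, current = [], None
    for line in re.split(r"\r?\n", head):
        if line[:1] in (" ", "\t"):          # folded continuation line
            if current is not None:
                current += "\n" + line
            continue
        if current is not None:              # previous To header is complete
            values.append(current)
            current = None
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "to":
            current = value.strip()
    if current is not None:
        values.append(current)
    return values

def brackets_to_hit(raw_message):
    """True when any To header carries an address wrapped in << >>."""
    return any(BRACKETS_TO.search(v) for v in raw_to_headers(raw_message))

# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "double": "From: a@example.net\r\nTo: <<bob@example.com>>\r\n\r\nhi\r\n",
    "normal": 'To: "Bob" <bob@example.com>\r\nSubject: x\r\n\r\nhi\r\n',
    "folded": "To: Bob\r\n <<bob@example.com>>\r\nSubject: x\r\n\r\nhi\r\n",
    "body_only": "To: <bob@example.com>\r\n\r\nsee <<bob@example.com>>\r\n",
    "empty": "To: <<>>\r\n\r\nhi\r\n",
    "cc_only": "To: bob@example.com\r\nCc: <<eve@example.com>>\r\n\r\nhi\r\n",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:10} {'HIT' if brackets_to_hit(msg) else 'miss'}")
```

Only the double-bracketed To headers, including the folded one, count as hits. The same text in the body or in a Cc header does not, because the rule is scoped to the To header.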

Rule FSL_RU_URL is dangerous

This rule was accidentally auto-promoted into the live sa-update rules channel. It might be very effective against the many .ru URLs common in spam, but it is entirely too prejudiced to be safe as a default rule. SpamAssassin upstream has corrected its procedures to prevent an issue like this from happening again, but unfortunately they’ve been having some temporary problems in pushing a new rule update. Meanwhile, it might be a good idea to disable this rule in your

score FSL_RU_URL 0

On the other hand, if you really never expect to have legitimate mail with a .ru URL, you may want to explicitly include this prejudiced rule in your  It is not recommended though.


Apparently AHBL_RHSBL has been performing very poorly, detecting 0.072% of spam during the August 2009 rescore masscheck and 0.02% of spam in recent masschecks. This is not worth a DNS query for every mail you scan. The rule is not harmful, but you may want to disable it if you want a little more efficiency. Insert this line below into your and restart your spamd daemon.


CACHEREDIR Rule: Prevent Google cache redirector abuse

UPDATE: 2/2/2011
Masscheck results indicate that spammers stopped abusing Google cache as a redirector about 3 weeks ago. It appears that previous redirects already in the cache still work, but perhaps Google changed their system to prevent future redirects from getting into their cache. We’ll continue to keep an eye on this.

UPDATE: 1/6/2011 – now catches more variations

For the past month or more, spammers have been abusing Google’s cache as a link redirector. Normally, if a spammer includes links in their message body, it is easy to identify that message as spam because the domain of that URI is listed in the numerous URIBLs. But by using Google cache as a redirector, they often sneak past the URIBLs with an overall low score.