Spamassassin custom rules

Custom SpamAssassin Rules in Zimbra

In this article you will learn how to add custom SpamAssassin Rules to Zimbra. This way you can filter email that may have fooled your spam filtering or mitigate vulnerabilities such as CVE-2024-21413 where file:// hyperlinks cause problems in MS Outlook.

SpamAssasin localrules

In this example we are going to filter email that contains the text file:// and move it into the Junk folder. Create the file /opt/zimbra/data/spamassassin/localrules/filelink.cf with the following content:

body FILE_URL_RULE /file:\/\//
score FILE_URL_RULE 10.0
describe FILE_URL_RULE Email contains file:// in the body

Then as the user zimbra restart SpamAssasing:

zmamavisdctl restart

Now send an email from an external email address to your Zimbra server and put file:// in the body, it should end up in the Junk folder, you can open the email and show the original message or message headers which should look like:

X-Virus-Scanned: amavis at zimbra.tech
X-Spam-Flag: YES
X-Spam-Score: 7.893
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.893 required=3 tests=[DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 DMARC_PASS_REJECT=-1.2, FILE_URL_RULE=10, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
 URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001,
 URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no

As you can see FILE_URL_RULE=10 is added to the score of the email, causing it to go into the Junk folder, if you increase the score in the filelink.cf at some point you will reach the kill percentage and then the email will be discarded. Take a look at: X-Spam-Status: Yes, score=7.893 required=3 in this example it means the email will go into the Junk folder if the score is 3 or higher. In your case the value can be something other than 3. If your score is just a little above the required level you should consider increasing the score in the filelink.cf. Don’t forget to restart using zmamavisdctl restart after making changes.

Sieve

Zimbra Sieve is based on org.apache.jsieve which unfortunately cannot filter file://. Because regex is not implemented. For reference in a vanilla Postfix/Dovecot/Sieve scenario you would be able to filter as follows:

require ["fileinto","body","editheader", "regex"];

# Check if the message body contains "file://"
if body :raw :regex "file://" {
   # Move the message to the "Junk" folder
   fileinto "Junk";
   stop;
}

Further reading

Jump to: navigation, search