Creating New Anti-Spam Rules

About this task

Note: It is recommended that you check with Sophos support before attempting to create any new anti-spam rules. If you are receiving false positives or false negatives, Sophos asks that you forward these messages to SophosLabs for our analysts to investigate. See "PureMessage Feedback" in the Contacting Sophos section for more information.

Follow these steps

  1. On the sidebar of the Policy tab, click Anti-Spam Rules.

    The Anti-Spam Options page is displayed.

  2. At the bottom of the page, click New.

    A set of seven editable text boxes is displayed at the bottom of the page where you can set the information for the new anti-spam rule.

  3. Fill in the information for the rule in each of the following text boxes:
    • Rule State: Select Auto, Enabled, or Disabled.
      Note: The Auto value sets the state of the rule according to whether there is a value in the rule's Weight or Probability Adjust % text box. If both scores are zero, the rule has no effect.
    • Rule Name: The unique identifier for the rule. Using the default policy, rules matched by a message appear in a spam report header called the Rule Hit Rates report.
    • Desc: A meaningful description for the rule.
    • Part: The component of the message that is tested against the rule. The name of any message header can be specified; common headers include Subject, To and From. Specific message parts include:
      • Envelope_To: The recipient addresses, as interpreted from the SMTP "RCPT TO" command; the actual delivery address, as opposed to the message's To header.
      • Envelope_From: The sender's address, as interpreted from the SMTP "MAIL FROM" command.
      • BODY: Consecutive chunks of the message's body content (that is, paragraphs) as well as the message's Subject header; HTML parts are stripped of markup tags. Useful for matching words concealed by HTML tags.
      • RAWBODY: Consecutive chunks of the message's body content (that is, paragraphs) as well as the message's Subject header; markup tags in HTML parts are left intact. Useful for matching HTML markup characteristics.
      • URI: URI strings found in the body of the message.
      • EOB: The entire message body as well as the message's Subject header; HTML parts are stripped of markup tags. EOB is resource-intensive, as the entire message must be loaded at once. Use "BODY" if possible.
      • RAWEOB: The entire message body as well as the message's Subject header; markup tags in HTML parts are left intact. RAWEOB is resource-intensive because the entire message must be loaded at once. Use "RAWBODY" if possible.
      • EOH: All of the message's headers, concatenated into a single string.
      • Full: The entire message, including headers.
    • Test: The regular expression applied to the section of the message specified in the Part text box. The expression must be enclosed in forward slashes ("/"). For example, to test for the occurrence of the word "opportunity", enter "/opportunity/" as the test. See the Regular Expression Primer in the Appendices for more information on regular expressions.
    • Weight: The value (or "weight") added to the message's total spam score when the message matches this rule. Values can be either positive or negative; prefix negative numbers with a minus symbol. For more information about how scores are calculated, see "Test Scores" in the Policy section of the Administrator's Reference.
    • Probability Adjust %: The absolute probability for the rule in the form of a percentage. When the total spam score is calculated for the message, rules with weights are first converted to a percentage, and then rules with absolute probabilities are added. If both a rule weight and a probability adjustment percentage are specified, the rule weight is first converted to a percentage, and then the value in the Probability Adjust % text box is added to determine the total weight for that rule.
  4. Once you have set the information for the new rule, at the bottom of the page, click Save.
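
The following is an added example, not Sophos code, for previewing how the same Test behaves against the BODY, RAWBODY, EOB and RAWEOB parts described in step 3 before a rule is saved. It assumes paragraphs are separated by blank lines and uses Python's re module as a stand-in for the product's regular expression engine; all function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class _TextOnly(HTMLParser):
    """Collects text nodes and drops markup tags."""
    def __init__(self):
        super().__init__()
        self.text = []
    def handle_data(self, data):
        self.text.append(data)

def strip_markup(html):
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return "".join(parser.text)

def compile_test(test):
    """Accept a Test value only if it is enclosed in forward slashes."""
    if len(test) < 3 or not (test.startswith("/") and test.endswith("/")):
        raise ValueError("Test must be enclosed in forward slashes")
    return re.compile(test[1:-1])

def part_chunks(part, subject, html_body):
    """Return the strings a rule on this Part is tested against."""
    # Assumption: paragraphs are separated by blank lines.
    paragraphs = re.split(r"\n\s*\n", html_body.strip())
    if part == "RAWBODY":   # per paragraph, tags intact
        return [subject] + paragraphs
    if part == "BODY":      # per paragraph, tags stripped
        return [subject] + [strip_markup(p) for p in paragraphs]
    if part == "RAWEOB":    # whole body at once, tags intact
        return [subject + "\n" + html_body]
    if part == "EOB":       # whole body at once, tags stripped
        return [subject + "\n" + strip_markup(html_body)]
    raise ValueError("unsupported Part: " + part)

def rule_hits(part, test, subject, html_body):
    regex = compile_test(test)
    return any(regex.search(c) for c in part_chunks(part, subject, html_body))

# Constructed sample message (not real mail).
SUBJECT = "Quarterly newsletter"
HTML_BODY = ("<p>A rare oppor<b></b>tunity for readers. Act now</p>\n"
             "\n"
             "<p>limited offer inside.</p>\n")

if __name__ == "__main__":
    for test in ("/opportunity/", r"/<b><\/b>/", r"/Act now\s+limited offer/"):
        for part in ("BODY", "RAWBODY", "EOB", "RAWEOB"):
            print(part, test, rule_hits(part, test, SUBJECT, HTML_BODY))
```

The word split by an empty tag is only found in the stripped parts, the markup pattern only in the raw parts, and the phrase that spans two paragraphs only in EOB, which is the case where the more resource-intensive part is needed.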