Created: December 4th 2024
Last updated: December 4th 2024
Categories: Cyber Security
Author: Marcus Fleuti

SpamAssassin Plugin: Detecting Email Usernames in Subject Lines for Enhanced Spam Detection


Introduction

Spam emails and unwanted newsletters often employ a common technique: using the recipient's username (the part before the @ symbol) in the subject line to create a false sense of personalization. This article shows you how to implement a SpamAssassin rule that detects this pattern and scores emails accordingly.

Understanding the Spam Pattern

Spammers frequently include the recipient's username in their subject lines for various reasons:

  • Basic attempt at personalization (e.g., "Hello john.doe")
  • Common in mass newsletter campaigns
  • Typical in certain types of phishing attempts
  • Automated bulk mailing systems that expose poor mail merge practices

Plugin Implementation

Copy/Paste the following plugin code and proceed as described in the Installation and Configuration section below:

package Mail::SpamAssassin::Plugin::CheckUsernameInSubject;
use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless ($self, $class);
    # Expose check_username_in_subject() to local.cf as an eval rule
    $self->register_eval_rule('check_username_in_subject');
    return $self;
}

sub check_username_in_subject {
    # @header_names comes from the rule definition, e.g. eval:check_username_in_subject('To','Cc')
    my ($self, $pms, @header_names) = @_;

    # Get the subject line
    my $subject = $pms->get('Subject');
    return 0 unless $subject;
    $subject = lc($subject);

    # Check each email address in the specified headers
    foreach my $header (@header_names) {
        # The ":addr" suffix makes SpamAssassin return only the address part(s) of the header
        my @addresses = $pms->get("${header}:addr");
        foreach my $addr (@addresses) {
            next unless $addr;
            $addr =~ s/^\s+|\s+$//g;   # trim surrounding whitespace

            # Extract username part (everything before @)
            if ($addr =~ /^([^@]+)@/) {
                my $username = $1;

                # Clean up username for comparison
                $username = lc($username);

                # Check if username appears in subject as a whole word;
                # \Q...\E escapes regex metacharacters such as the dot in "john.doe"
                if ($subject =~ /\b\Q$username\E\b/i) {
                    # Skip if it's a very short username (to avoid false positives)
                    next if length($username) < 4;

                    # Skip common words that might be usernames
                    next if $username =~ /^(info|contact|support|admin|sales|service)$/i;

                    return 1;
                }
            }
        }
    }

    return 0;
}

1;


Installation and Configuration

Create the plugin file

Save the plugin code into a file named check_username_in_subject.pm (the file name referenced by the loadplugin line below) in your SpamAssassin plugin directory, typically one of:

  • /usr/share/perl5/Mail/SpamAssassin/Plugin/ or
  • /etc/spamassassin

SpamAssassin local.cf Configuration

Add the following lines to your SpamAssassin configuration file, for example with nano /etc/spamassassin/local.cf:

# Load the CheckUsernameInSubject plugin
loadplugin Mail::SpamAssassin::Plugin::CheckUsernameInSubject check_username_in_subject.pm

### Check whether the username part of To or Cc e-mail addresses appears in the subject line.
### This uses check_username_in_subject(), a custom eval function provided by the plugin check_username_in_subject.pm.
### The plugin extracts the part before the @ symbol from each recipient's email address and checks whether it appears in the subject.
### To prevent false positives: usernames shorter than 4 characters are ignored, and common words like 'info', 'contact' and 'support' are skipped.
### This check helps identify spam/newsletters that commonly include the recipient's username in the subject line.
header          USERNAME_IN_SUBJECT      eval:check_username_in_subject('To','Cc')
describe        USERNAME_IN_SUBJECT      E-Mail Benutzername im Betreff - Hohe Spam oder Newsletter Wahrscheinlichkeit
score           USERNAME_IN_SUBJECT      2.0

Testing the new plugin/rule

After adding these lines, verify the configuration:

  1. Check for syntax errors:
    spamassassin --lint
  2. Check that the plugin has been loaded successfully:
    spamassassin -D --lint 2>&1 | grep CheckUsername
  3. You should see a line like this:
    Nov 12 11:50:45.047 [688419] dbg: plugin: loading Mail::SpamAssassin::Plugin::CheckUsernameInSubject from /etc/spamassassin/check_username_in_subject.pm
  4. If you're running SpamAssassin as a service, restart or reload it:
    sudo systemctl reload spamassassin
    or on older systems:
    sudo service spamassassin restart
  5. Test the rule with a sample email (the debug output goes to stderr, so the grep only sees the report on stdout):
    spamassassin -D --test-mode < test_email.txt | grep USERNAME_IN_SUBJECT

How We Prevent False Positives

The plugin implements several intelligent safeguards to minimize false positives:

  1. Length Check
    • Ignores usernames shorter than 4 characters
    • Prevents matches with common short words that might appear in legitimate subjects
  2. Common Username Filtering
    • Skips common service-related usernames like:
      • info
      • contact
      • support
      • admin
      • sales
      • service
  3. Word Boundary Matching
    • Uses Perl's word boundary matching (\b) to ensure the username appears as a complete word
    • Prevents partial matches within larger words
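To try the rule's logic against sample messages before deploying the Perl plugin, here is an added Python re-implementation of the same check (it is not part of the plugin or the original article). It mirrors the plugin's three safeguards from the implementation above and this section: whole-word matching with escaped metacharacters, the 4-character minimum, and the stopword list. The sample messages are constructed for illustration; Python's \b behaves like Perl's for ASCII subjects.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Defaults mirror the plugin: minimum username length 4 and its stopword list
MIN_USERNAME_LEN = 4
COMMON_USERNAMES = {"info", "contact", "support", "admin", "sales", "service"}


def username_in_subject(raw_message, headers=("To", "Cc"),
                        min_len=MIN_USERNAME_LEN, stopwords=COMMON_USERNAMES):
    """Return True when a recipient's local part appears as a whole word in the Subject."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if not subject:
        return False
    subject = subject.lower()
    # getaddresses() handles "Name <user@host>" forms and several addresses per header,
    # which is what the ":addr" suffix gives the Perl plugin
    values = [v for h in headers for v in msg.get_all(h, [])]
    for _name, addr in getaddresses(values):
        addr = addr.strip()
        if "@" not in addr:
            continue
        username = addr.split("@", 1)[0].lower()
        # Same order as the plugin: whole-word match (re.escape plays the role of \Q...\E),
        # then the length check, then the stopword check
        if not re.search(r"\b" + re.escape(username) + r"\b", subject):
            continue
        if len(username) < min_len:
            continue
        if username in stopwords:
            continue
        return True
    return False


# Constructed sample messages (not from the article), one per safeguard
HIT = "To: John Doe <john.doe@example.org>\nSubject: john.doe, your account needs attention\n\nbody\n"
CC_HIT = "To: list@example.org\nCc: Peter <peter@example.org>\nSubject: Hello peter!\n\nbody\n"
SHORT = "To: bob@example.org\nSubject: bob, welcome\n\nbody\n"        # 3 chars: ignored
STOPWORD = "To: support@example.org\nSubject: Re: support ticket\n\nbody\n"  # stopword: skipped
PARTIAL = "To: mark@example.org\nSubject: Marketing update\n\nbody\n"   # "mark" inside "marketing"

if __name__ == "__main__":
    for label, sample in [("HIT", HIT), ("CC_HIT", CC_HIT), ("SHORT", SHORT),
                          ("STOPWORD", STOPWORD), ("PARTIAL", PARTIAL)]:
        print(label, username_in_subject(sample))
```

Lowering min_len or passing an empty stopwords set shows how much each safeguard contributes, which is useful when tuning the thresholds for your own user base.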

Scoring Guidelines

The plugin's scoring can be adjusted based on your needs:

  • 1.0 - 2.0: Conservative scoring, recommended for initial testing
    • Good starting point to evaluate effectiveness
    • Minimal impact on overall spam scores
  • 2.0 - 3.0: Moderate scoring, use if you see good correlation with spam
    • Our recommended production setting
    • Provides meaningful contribution to spam detection
  • 3.0+: Aggressive scoring, use only if you have very few false positives
    • For environments where this pattern strongly correlates with spam
    • Consider this after monitoring effectiveness with lower scores

Understanding the Perl Code

The plugin uses several key Perl features:

  • Regular Expressions
    • Extracts the username from the email address: /^([^@]+)@/
    • Uses word boundaries (\b) for precise matching
    • Case-insensitive matching with the /i flag
  • String Manipulation
    • Converts strings to lowercase for consistent comparison
    • Trims whitespace from addresses and usernames
  • Pattern Matching
    • Uses Perl's powerful =~ operator for regex matching
    • Employs the \Q...\E quotemeta construct to escape special characters in usernames

Conclusion

This SpamAssassin plugin provides an effective way to detect spam emails that use recipient usernames in their subject lines. Its intelligent false-positive prevention makes it suitable for production environments, while the configurable scoring allows for fine-tuning based on your specific needs. The implementation is lightweight and efficient, making it an excellent addition to your spam-fighting toolkit.

When implementing this plugin, start with a conservative score and monitor its effectiveness in your environment. The rule can be particularly effective in identifying bulk mailings and certain types of phishing attempts that rely on basic personalization techniques.