
khopesh at apache
Nov 19, 2009, 8:56 PM
svn commit: r882413 - in /spamassassin/trunk/rulesrc/sandbox: jm/ khopesh/
Author: khopesh Date: Fri Nov 20 04:56:38 2009 New Revision: 882413 URL: http://svn.apache.org/viewvc?rev=882413&view=rev Log: selections from my sa-update channels Added: spamassassin/trunk/rulesrc/sandbox/khopesh/ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_bl.cf spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_blessed.cf spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_lists.cf spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf - copied, changed from r881153, spamassassin/trunk/rulesrc/sandbox/jm/20_khop_sc_bug_6114.cf spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Removed: spamassassin/trunk/rulesrc/sandbox/jm/20_khop_sc_bug_6114.cf
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_bl.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_bl.cf?rev=882413&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_bl.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_bl.cf Fri Nov 20 04:56:38 2009
@@ -0,0 +1,22 @@
+# From Adam Katz (khopesh) testing grounds and live channels
+# http://khopesh.com/Anti-spam
+
+### select rules from khop-bl
+# (warren's work has already covered most of what I'd add here)
+
+ifplugin Mail::SpamAssassin::Plugin::SPF
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+ meta __NOT_SPOOFED ALL_TRUSTED || SPF_PASS || DKIM_VERIFIED
+ else
+ meta __NOT_SPOOFED ALL_TRUSTED || SPF_PASS
+ endif
+else
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+ meta __NOT_SPOOFED ALL_TRUSTED || DKIM_VERIFIED
+ else
+ # Neither DKIM nor SPF ... ugh. Approximate by looking for just the header.
+ header __DKIM_EXISTS exists:DKIM-Signature
+ meta __NOT_SPOOFED ALL_TRUSTED || __DKIM_EXISTS
+ endif
+endif
+
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_blessed.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_blessed.cf?rev=882413&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_blessed.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_blessed.cf Fri Nov 20 04:56:38 2009
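Review bot: The fallback `header __DKIM_EXISTS exists:DKIM-Signature` lets any sender satisfy __NOT_SPOOFED by merely including a DKIM-Signature header, valid or not, and since every S25R_n meta in 20_s25r.cf is gated on !__NOT_SPOOFED, that one header switches the whole S25R set off on installations without the SPF and DKIM plugins. The other branches are also looser than the name implies: SPF_PASS vouches for the envelope sender or HELO and DKIM_VERIFIED for whatever d= domain signed, and neither is compared with the From: header here. A comment on the sub-rule would stop downstream rules treating it as a spoofing check, e.g. `# __NOT_SPOOFED: trusted, or SPF/DKIM pass (no From: alignment); the exists:DKIM-Signature fallback is sender-controlled`. If trunk has already renamed DKIM_VERIFIED to DKIM_VALID, the two meta lines referencing it would need the new name as well.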
@@ -0,0 +1,31 @@
+# From Adam Katz (khopesh) testing grounds and live channels
+# http://khopesh.com/Anti-spam
+
+### select rules from khop-blessed
+
+# 2007/02/27 - Syntax taken from the OpenPGP standard, RFC 2440 section 6.2
+if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP)
+ # moved from rawbody to body 20091021
+ body __KHOP_PGP_I1 /-----BEGIN PGP (?:SIGNATURE|MESSAGE|PUBLIC|PRIVATE)(?:, PART [0-9]{1,4}\/[0-9]{1,4}| KEY BLOCK)?-----/
+ body __KHOP_PGP_I2 /-----END PGP/
+ meta KHOP_PGP_INLINE ( __KHOP_PGP_I1 && __KHOP_PGP_I2 )
+ describe KHOP_PGP_INLINE BODY: Contains PGP data
+ tflags KHOP_PGP_INLINE nice noautolearn nopublish
+ #score KHOP_PGP_INLINE -2 -2 -3 -3
+
+ # 2005/12/14 - worthwhile even though we're not verifying the sig
+ header KHOP_PGP_SIGNED Content-Type =~ /multipart\/signed;.*\/pgp-signature/s
+ describe KHOP_PGP_SIGNED Message seems to contain PGP signature
+ tflags KHOP_PGP_SIGNED nice noautolearn
+ #score KHOP_PGP_SIGNED -2 -2 -3 -3 # none net bayes net+bayes
+endif
+
+# 20091016 after much testing, has yet to hit a SINGLE spam (hits ~38% of ham)
+# NOTE: This may soon move to khop-general if it is needed as a dependency
+#meta KHOP_THREADED !__MISSING_REF || !__MISSING_REPLY || !__MISSING_THREAD
+meta KHOP_THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
+# Note that this does NOT verify legitimacy of referenced MSGIDs. 
+describe KHOP_THREADED Message references or replies to another message
+tflags KHOP_THREADED nice
+#score KHOP_THREADED -0.5 -0.5 -1.5 -1.5 # EASILY abused -- keep minimal
+
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf?rev=882413&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf Fri Nov 20 04:56:38 2009
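Review bot: KHOP_THREADED, KHOP_PGP_INLINE and KHOP_PGP_SIGNED all carry `tflags ... nice` while their `score` lines are commented out, so unless the build or channel supplies a value they take SpamAssassin's default for an unscored nice rule, -1.0, which is twice the -0.5 that the author's own `# EASILY abused -- keep minimal` comment argues for on KHOP_THREADED. For the two PGP rules that default is a negative credit keyed on sender-controlled text, a literal `-----BEGIN PGP` block in the body or a `multipart/signed` Content-Type, with nothing verified. Pinning the intended values, e.g. `score KHOP_THREADED -0.5` and `score KHOP_PGP_INLINE -0.001` until the masscheck numbers justify more, keeps the rules from scoring above what was intended. Hunk is 20_khop_blessed.cf, starting on the previous line.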
@@ -0,0 +1,28 @@
+# experiments based on masscheck results
+
+meta HDRS_LCASE_NOASIA __HDRS_LCASE && !__RCVD_VIA_APNIC && !__freemail_safe
+describe HDRS_LCASE_NOASIA Has a lowercase header but not from Asia
+#score HDRS_LCASE_NOASIA 0.001
+
+# also in khop-general
+# Looking at daterev 20091107-r833654-n (the latest network test),
+# __HELO_NO_DOMAIN is 17.7782/1.2064 with 08/69 overlap with HELO_LOCALHOST
+# so nodom+!localhost should translate to 16.3559/0.3740 (S/O=0.978)
+# looking at daterev 20091113-r835775-n (latest std test),
+# __HELO_NO_DOMAIN is 17.6557/0.5898 with 07/98 overlap with HELO_LOCALHOST
+# this translates to a whopping 16.4198/0.118 (S/O=0.993)
+meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
+describe HELO_NO_DOMAIN Relay has no TLD and is not localhost
+#score HELO_NO_DOMAIN 2.375 0.327 1.497 0.884
+# scores derived from 90% of RDNS_DYNAMIC's sa3.3 proposal (attachment 4565)
+# because they have such similar definitions, numbers, and merits
+
+meta MALFORMED_FREEMAIL MISSING_HEADERS && FREEMAIL_FROM
+describe MALFORMED_FREEMAIL Missing headers on message from free email
+#score MALFORMED_FREEMAIL 0.1
+
+# how often is references/in-reply-to present but lacking an email address?
+header __NO_ADDR_REF References !~ /\w\@\w+\.\w\w/ [if-unset: a [at] example]
+header __NO_ADDR_REPLY In-Reply-to !~ /\w\@\w+\.\w\w/ [if-unset: a [at] example]
+# compare to !__MISSING_REF and !__MISSING_REPLY
+
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf?rev=882413&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf Fri Nov 20 04:56:38 2009
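Review bot: `header __NO_ADDR_REF References !~ /\w\@\w+\.\w\w/ [if-unset: a [at] example]` (and the matching __NO_ADDR_REPLY line) fires when the header is absent, because the if-unset default does not satisfy the regexp and a negated match then counts as a hit; that contradicts the comment just above, which asks about headers that are present but lack an address. The archive may have rewritten an `@` in that value, but even `a@example` has no dot after the domain and so still fails the match. If "present but lacking" is the intent, the default should satisfy the regexp, e.g. `[if-unset: a@example.com]`, so a missing header stays quiet; otherwise the closing `# compare to !__MISSING_REF and !__MISSING_REPLY` note should say the rule must be ANDed with those before use.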
@@ -0,0 +1,73 @@
+# From Adam Katz (khopesh) testing grounds and live channels
+# http://khopesh.com/Anti-spam
+
+### select rules from khop-general
+
+# Now looks for two DIFFERENT IPs, be they HELO or rDNS or real IP. 20091008
+# This does NOT hit assumed HELOs like Received: [10.2.3.4] (foo [1.2.3.4])
+# SpamAssassin has a bug(?) that reads ALL Received headers concatenated as one
+header TWO_IPS_RCVD Received =~ /[\[\(\s]((?:[12]?\d\d?\.){3}[12]?\d\d?)[\[\(\s][^\[\n;,]{0,99}\[.(?!\1)\d/
+describe TWO_IPS_RCVD Received: Relay identifies itself as wrong IP
+#score 1.25 # 20050729
+
+# Sendmail's FCrDNS, see http://www.sendmail.org/faq/section3#3.38
+header MAY_BE_FORGED Received =~ /\(may be forged\)/
+describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
+#score MAY_BE_FORGED 0.8 # 20050802, raised 0.15->0.8 20090603
+
+# Note: unfair regarding RFC 2821, see http://en.wikipedia.org/wiki/FCrDNS#Uses
+header KHOP_HELO_FCRDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!\1)\S/
+describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
+#score KHOP_HELO_FCRDNS 0.4 # 20090603, currently scoring 0.001
+score KHOP_HELO_FCRDNS 0.001
+
+# This doesn't fire often after greylisting ... how about w/out it?
+meta KHOP_NO_FQDN __HELO_NO_DOMAIN && (RDNS_NONE || RDNS_DYNAMIC)
+describe KHOP_NO_FQDN HELO: not a domain, no static reverse DNS on IP
+#score KHOP_NO_FQDN 0.5 # 20090603
+
+header __PREC_BULK Precedence =~ /bulk|list/
+
+header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
+header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/
+meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! 
__NAME_EQ_EMAIL
+describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
+#score NAME_EMAIL_DIFF 0.375 # tot=0.5, low for noreply [at] do 20090811
+
+header ADV_SUBJ Subject =~ /\[ ?(?:ADV|A D V) ?\]/i
+describe ADV_SUBJ Marked by sender as an advertisement
+tflags ADV_SUBJ nopublish
+#score ADV_SUBJ 1.5 # 20090304
+
+body DEAR_EMAIL /^\s*Dear\b.{0,70}\w\@\w/i
+describe DEAR_EMAIL Message contains Dear email address
+score DEAR_EMAIL 0.5 # 20090424
+
+body DEAR_NOBODY /^\s*Dear\b[^a-zA-Z]{0,70}$/i
+describe DEAR_NOBODY Message contains Dear but with no name
+#score DEAR_NOBODY 1.25 # 20090408
+
+# uri_detail lacks support for carrying matches across consecutive regexps
+#uri_detail SPOOFED_URL raw =~ /^https?:..(.{6,50})/ text =~ /\bhttps?:..(?!$1).{5}/
+rawbody SPOOFED_URL m/<a\s[^>]{0,99}\bhref=.?(https?:[^>"' ]{8,50})[^>]{0,99}>(?:[^<]{0,99}<(?!\/a)[^>]{1,99}>)*(?!\1)https?:\/\/[^<]{5}/i
+describe SPOOFED_URL Has a link whose text is a different URL
+#score SPOOFED_URL 2.0 # 20090408, beware of 'legit' tracking bugs
+
+uri FORGED_URL_DOM /http:\/\/[^\/]{0,30}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.[^\/]{5}/i
+describe FORGED_URL_DOM Link domain has a TLD as a subdomain
+
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
+ ifplugin Mail::SpamAssassin::Plugin::ImageInfo
+ mimeheader __MIME_GIF Content-Type =~ /image\/gif/i
+ mimeheader __MIME_PNG Content-Type =~ /image\/png/i
+ mimeheader __MIME_JPEG Content-Type =~ /image\/jpeg/i
+ body __GIF_ATTACH eval:image_count('gif',1)
+ body __PNG_ATTACH eval:image_count('png',1)
+ body __JPEG_ATTACH eval:image_count('jpeg',1)
+
+ meta IMAGE_MISMATCH (__MIME_GIF && !__GIF_ATTACH) || (__MIME_PNG && !__PNG_ATTACH) || (__MIME_JPEG && !__JPEG_ATTACH)
+ describe IMAGE_MISMATCH Contains wrong image format for MIME header
+ #score IMAGE_MISMATCH 1.0 # 20090610, proposed to sa-users @20090524
+ endif
+endif # }
+
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_lists.cf
URL: 
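Review bot: `header KHOP_HELO_FCRDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!\1)\S/` compares the rDNS and HELO names byte for byte, so a HELO that differs from the rDNS only in letter case or a trailing dot is reported as a mismatch even though DNS names are case-insensitive, unless the relay parser already normalises both fields, which is worth confirming before the rule is raised above its current `score KHOP_HELO_FCRDNS 0.001`. Adding the `/i` modifier, `helo=(?!\1)\S/i`, at least makes the backreference comparison case-insensitive. The `meta NAME_EMAIL_DIFF` line a few lines up is broken across two lines in this rendering; the committed file should be checked to confirm it reads `__NAME_IS_EMAIL && !__NAME_EQ_EMAIL` on one line. Hunk is 20_khop_general.cf, starting on the previous line.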
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_lists.cf?rev=882413&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_lists.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_lists.cf Fri Nov 20 04:56:38 2009
@@ -0,0 +1,30 @@
+# From Adam Katz (khopesh) testing grounds and live channels
+# http://khopesh.com/Anti-spam
+
+### select rules from khop-lists
+
+header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|subscrib|news|nobody)[^@ >]*@\w/i
+header __LIST_HEADER ALL =~ /^List-/
+uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
+uri __MAIL_LINK /\?.{0,200}\w@[\w-]{1,20}.\w\w\w?\b/i
+
+#meta KHOP_UNSUB_LINK __UNSUB_LINK && !SARE_UNI && !(__LIST_HEADER||__PREC_BULK||__SENDER_BOT)
+meta KHOP_UNSUB_LINK __UNSUB_LINK && !(__LIST_HEADER||__PREC_BULK||__SENDER_BOT)
+describe KHOP_UNSUB_LINK Non-list message has unsusbscribe link
+tflags KHOP_UNSUB_LINK nopublish
+score KHOP_UNSUB_LINK 0.5 0.6 0.7 0.8
+
+meta KHOP_MAIL_LINK __MAIL_LINK && !__UNSUB_LINK
+describe KHOP_MAIL_LINK A link contains an email address in the URL
+tflags KHOP_MAIL_LINK nopublish
+#score KHOP_MAIL_LINK 0.1 0.2 0.3 0.4
+
+
+# This matches foreign characters by process of elimination.
+# 
From: must start w/ ~uppercase, ~letters, space/punctuation, then ~uppercase.
+header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
+meta KHOP_NO_FULL_NAME !(__PREC_BULK || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)
+describe KHOP_NO_FULL_NAME Sender does not have both First and Last names
+#score KHOP_NO_FULL_NAME 0.259 # keep low! 20090220, sa-users @20090514
+score KHOP_NO_FULL_NAME 0.001 # apparently hits the same on ham v spam
+tflags KHOP_NO_FULL_NAME nopublish
Copied: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf (from r881153, spamassassin/trunk/rulesrc/sandbox/jm/20_khop_sc_bug_6114.cf)
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf?p2=spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf&p1=spamassassin/trunk/rulesrc/sandbox/jm/20_khop_sc_bug_6114.cf&r1=881153&r2=882413&rev=882413&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jm/20_khop_sc_bug_6114.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf Fri Nov 20 04:56:38 2009
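Review bot: `uri __MAIL_LINK /\?.{0,200}\w@[\w-]{1,20}.\w\w\w?\b/i` has an unescaped `.` before `\w\w\w?`, so that position matches any character rather than the dot between domain and TLD, and since __MAIL_LINK drives KHOP_MAIL_LINK the looser match widens that rule too; if a literal dot is meant, it should read `[\w-]{1,20}\.\w\w\w?\b`. Separately, `describe KHOP_UNSUB_LINK Non-list message has unsusbscribe link` misspells "unsubscribe" in the user-visible description. The `# From: must start ...` comment is split across two lines in this rendering; the committed file should be checked so the continuation is not an unprefixed, and therefore invalid, config line. Hunk is 20_khop_lists.cf, starting on the previous line.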
@@ -1,78 +1,122 @@ -## khop-sc-neighbors.cf v 2009071520 +## khop-sc-neighbors.cf v 2009111923 ## Khopesh's syndication of SpamCop's top offenders and top offending networks. -## +## ## Spamassassin rules written by Adam Katz <antispamATkhopiscom> ## http://khopesh.com/Anti-spam ## khopesh on irc://irc.freenode.net/#spamassassin -## +## ## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292 -## +## ## These rules are Copyright 2001-2009 by Adam Katz <antispamATkhopiscom> ## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0. ## The code that generated this output is GNU Affero General Public License v3. +## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below. ## The author is receptive to relicensing requests for this and its generator. -header KHOP_SC_CIDR8 Received =~ /\b(?:200|78|88|85)(?:\.[012]?[0-9]{1,2}){3}\b/ + +# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt +header KHOP_SC_CIDR8 Received =~ /(?-xism:\b(?:2(?:00|22)|187|89)(?:\.[012]?[0-9]{1,2}){3}\b)/ describe KHOP_SC_CIDR8 Relay listed in SpamCop top 8 IP/8 CIDRs score KHOP_SC_CIDR8 0.2 0.1 0.3 0.2 -header KHOP_SC_TOP_CIDR8 Received =~ /\b(?:189|201|190|123)(?:\.[012]?[0-9]{1,2}){3}\b/ +header KHOP_SC_TOP_CIDR8 Received =~ /(?-xism:\b(?:1(?:23|89|90)|201)(?:\.[012]?[0-9]{1,2}){3}\b)/ describe KHOP_SC_TOP_CIDR8 Relay listed in SpamCop top 4 IP/8 CIDRs score KHOP_SC_TOP_CIDR8 0.5 0.4 0.8 0.6 +# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail +# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score +#counts KHOP_SC_TOP_CIDR8 229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09 +#counts KHOP_SC_TOP_CIDR8 457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09 +#counts KHOP_SC_TOP_CIDR8 22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 +#counts KHOP_SC_TOP_CIDR8 205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09 +#counts KHOP_SC_TOP_CIDR8 1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09 # notable 
overlap: 84% of hits also hit RCVD_IN_PBL (0.905) -header KHOP_SC_CIDR16 Received =~ /\b(?:222\.253|189\.75|189\.19|200\.102|189\.71|59\.93)\.[012]?[0-9]{1,2}\b/ + +# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt +header KHOP_SC_CIDR16 Received =~ /(?-xism:\b(?:1(?:8(?:9\.111|7\.4)|23\.1[67]|18\.173)|203\.210)(?:\.[012]?[0-9]{1,2}){2}\b)/ describe KHOP_SC_CIDR16 Relay listed in SpamCop top 12 IP/16 CIDRs score KHOP_SC_CIDR16 0.6 0.5 0.9 0.75 -header KHOP_SC_TOP_CIDR16 Received =~ /\b(?:123\.27|203\.210|123\.23|123\.17|222\.254|113\.22)\.[012]?[0-9]{1,2}\b/ +header KHOP_SC_TOP_CIDR16 Received =~ /(?-xism:\b(?:1(?:1(?:3\.22|7\.4)|23\.2[37])|222\.25[34])(?:\.[012]?[0-9]{1,2}){2}\b)/ describe KHOP_SC_TOP_CIDR16 Relay listed in SpamCop top 6 IP/16 CIDRs score KHOP_SC_TOP_CIDR16 0.9 0.8 1.3 1.2 +# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail +# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score +#counts KHOP_SC_TOP_CIDR16 7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09 +#counts KHOP_SC_TOP_CIDR16 14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09 +#counts KHOP_SC_TOP_CIDR16 845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 +#counts KHOP_SC_TOP_CIDR16 6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09 +#counts KHOP_SC_TOP_CIDR16 33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09 # notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905) # notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5) # notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5) -header KHOP_SC_CIDR24 Received =~ /\b(?:62\.175\.249|125\.110\.101|125\.110\.109|124\.11\.146|200\.199\.86|125\.110\.107)\.[012]?[0-9]{1,2}\b/ + +# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt +header KHOP_SC_CIDR24 Received =~ /(?-xism:\b(?:6(?:0\.213\.48|1\.178\.81|2\.61\.164)|2(?:13\.227\.219|20\.231\.127)|193\.108\.38)\.[012]?[0-9]{1,2}\b)/ describe KHOP_SC_CIDR24 Relay listed in SpamCop top 12 IP/24 CIDRs score 
KHOP_SC_CIDR24 0.9 0.8 1.3 1.2 +# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail +# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score +#counts KHOP_SC_CIDR24 241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09 +#counts KHOP_SC_CIDR24 486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09 +#counts KHOP_SC_CIDR24 1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 +#counts KHOP_SC_CIDR24 240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09 +#counts KHOP_SC_CIDR24 0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09 -header KHOP_SC_TOP_CIDR24 Received =~ /\b(?:125\.110\.124|125\.110\.105|125\.110\.104|125\.110\.100|94\.23\.25|125\.110\.106)\.[012]?[0-9]{1,2}\b/ +header KHOP_SC_TOP_CIDR24 Received =~ /(?-xism:\b(?:1(?:11\.224\.250|74\.143\.148)|202\.75\.37|58\.18\.168|93\.186\.96|0\.0\.0)\.[012]?[0-9]{1,2}\b)/ describe KHOP_SC_TOP_CIDR24 Relay listed in SpamCop top 6 IP/24 CIDRs score KHOP_SC_TOP_CIDR24 1.7 1.5 1.9 1.8 -header KHOP_SC_TOP10 Received =~ /\b(?:94\.23\.25\.48|125\.110\.104\.185|125\.110\.105\.172|125\.110\.109\.129|124\.11\.146\.87|125\.110\.106\.218|200\.199\.86\.189|125\.110\.107\.116|62\.175\.249\.254|125\.110\.101\.14)\b/ -describe KHOP_SC_TOP10 Relay listed in SpamCop top 10 spammer IPs -score KHOP_SC_TOP10 2.2 2.0 2.6 2.4 -# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) -header KHOP_SC_TOP20 Received =~ /\b(?:218\.198\.127\.52|125\.110\.100\.165|62\.175\.249\.249|91\.121\.160\.155|125\.110\.105\.241|125\.110\.106\.83|189\.75\.119\.18|125\.110\.124\.233|222\.138\.109\.204|174\.137\.59\.34)\b/ -describe KHOP_SC_TOP20 Relay listed in SpamCop top 20 spammer IPs -score KHOP_SC_TOP20 1.9 1.7 2.2 2.0 -# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) +# http://www.spamcop.net/w3m?action=hoshame +header KHOP_SC_TOP200 Received =~ 
/(?-xism:\b(?:2(?:0(?:0\.(?:2(?:6\.1(?:48\.62|71\.86)|16\.152\.210|53\.218\.194)|141\.87\.135|56\.224\.17|80\.140\.61|32\.8\.28)|3\.(?:1(?:71\.181\.35|01\.104\.2)|210\.2(?:24\.136|53\.154)|90\.137\.18)|9\.(?:172\.35\.112|203\.31\.194|94\.196\.170)|(?:7\.255\.196\.4|8\.89\.219\.15)3|2\.(?:75\.37\.24[02]|31\.135\.52)|1\.(?:116\.198\.114|251\.250\.3)|5\.139\.241\.165|6\.169\.30\.117)|1(?:0\.(?:21(?:2\.(?:197\.16|248\.22)|9\.173\.6)2|1(?:27\.253\.121|10\.49\.39))|3\.(?:2(?:27\.(?:219\.58|72\.146)|51\.162\.218)|157\.196\.175)|1\.(?:1(?:98\.225\.206|52\.12\.114)|202\.2\.48|47\.68\.65)|2\.(?:1(?:50\.22\.143|98\.38\.145)|59\.22\.136)|7\.1(?:9(?:4\.197\.245|9\.231\.249)|6\.69\.8)|8\.(?:248\.(?:44\.196|30\.67)|38\.12\.246)|9\.254\.35\.45)|2(?:1\.(?:2(?:1(?:2\.1(?:38\.110|82\.195)|4\.164\.240)|\.98\.206)|1(?:39\.(?:50\.41|0\.97)|20\.224\.146)|5\.67\.2)|0\.(?:2(?:27\.(?:170\.197|219\.142|35\.234)|31\.(?:101\.214|69\.13)|41\.246\.97)|95\.232\.26)|2\.2 (?:5(?:5\.(?:128\.158|29\.143)|2\.(?:142\.24|223\.)2|4\.108\.4)|37\.78\.177))|4\.1(?:56\.108\.188|43\.83\.3))|1(?:1(?:8\.(?:9(?:8\.21(?:4\.23|3\.4)6|1\.117\.165)|1(?:30\.112\.235|75\.5\.77)|70\.127\.241|69\.69\.122)|3\.(?:16(?:1\.1(?:7\.194|6\.60|98\.1)|0\.(?:248\.101|113\.15))|255\.7\.234)|1\.(?:224\.250\.(?:6[48]|132|70)|68\.111\.195)|6\.(?:47\.133\.40|1\.10\.195|50\.249\.2)|0\.(?:172\.167\.37|45\.146\.169)|7\.(?:25\.129\.200|3\.0\.8)|9\.110\.110\.254|2\.167\.153\.19)|9(?:0\.(?:1(?:44\.93\.154|96\.13\.66)|6\.172\.98|81\.54\.33)|3\.1(?:08\.38\.228|6\.45\.254|98\.8\.211)|5\.1(?:6(?:0\.253\.4|1\.9\.2)|89\.45\.11)|2\.117\.150\.233)|2(?:1\.1(?:8(?:5\.156\.185|7\.85\.114)|0\.127\.158)|5\.(?:234\.18\.130|46\.73\.179|7\.221\.146)|4\.(?:124\.52\.162|0\.18\.130)|2\.252\.234\.74|3\.30\.9\.250)|8(?:8\.217\.20\.96|9\.54\.125\.92)|48\.233\.80\.145|74\.36\.201\.222)|8(?:9\.(?:1(?:05\.158\.193|65\.244\.221|90\.197\.14)|97\.183\.195|47\.164\.17)|2\.(?:1(?:93\.140\.168|14\.85\.20)|2(?:39\.2 
05\.187|28\.64\.89))|0\.(?:93\.(?:125\.18|215\.10)6|235\.105\.140)|4\.(?:22\.140\.186|17\.11\.114|32\.238\.19)|3\.14(?:2\.111\.228|3\.151\.165)|1\.1(?:12\.190\.195|92\.1\.254)|5\.1(?:70\.32\.154|92\.33\.96)|6\.28\.190\.195)|9(?:1\.(?:1(?:21\.(?:1(?:4(?:8\.189|\.198)|74\.52)|8(?:1\.99|3\.5)|23\.205)|9(?:2\.144\.9|3\.199\.4)|48\.182\.10|32\.70\.11)|200\.212\.5)|4\.(?:2(?:3\.(?:(?:215\.5|35\.18)0|45\.154|5\.161)|51\.113\.140)|1(?:59\.202\.199|73\.9\.220)|77\.48\.5)|5\.1(?:54\.146\.97|80\.68\.24)|2\.243\.17\.217|3\.122\.135\.4|8\.116\.37\.60)|6(?:1\.(?:1(?:(?:48\.102\.1|9\.40\.)10|78\.(?:126\.206|81\.100)|58\.163\.112)|42\.153\.174)|0\.(?:190\.81\.235|213\.48\.250)|2\.1(?:69\.150\.234|48\.88\.98)|6\.(?:242\.25\.198|49\.137\.29)|7\.225\.17(?:7\.110|9\.86)|5\.204\.173\.139|9\.13\.42\.151)|7(?:4\.(?:208\.167\.189|50\.85\.108)|7\.7(?:8\.161\.136|0\.54\.81)|5\.126\.49\.149|0\.38\.54\.133|2\.21\.6\.17)|5(?:8\.(?:18\.168\.16[23456]|233\.113\.129)|9\.(?:160\.177\.27|4\.157\.16)))\b)/ +describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs +score KHOP_SC_TOP200 3.4 3.2 3.7 3.5 +# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail +# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score +#counts KHOP_SC_TOP200 1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09 +#counts KHOP_SC_TOP200 4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09 +#counts KHOP_SC_TOP200 1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09 +#counts KHOP_SC_TOP200 1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09 +# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) -header KHOP_SC_TOP100 Received =~ 
/\b(?:87\.106\.128\.229|61\.135\.179\.52|125\.110\.124\.130|60\.12\.190\.58|125\.110\.124\.82|190\.202\.106\.34|60\.191\.15\.206|125\.110\.101\.104|213\.165\.88\.106|124\.11\.189\.21|219\.153\.65\.39|125\.110\.124\.7|201\.59\.24\.206|125\.110\.114\.194|75\.127\.109\.197|203\.162\.21\.201|91\.93\.107\.47|94\.23\.16\.61|221\.7\.194\.5|60\.208\.106\.34|60\.181\.164\.189|125\.110\.124\.29|212\.50\.249\.37|77\.221\.151\.194|203\.171\.235\.88|118\.219\.232\.171|125\.110\.104\.60|209\.51\.155\.138|220\.199\.6\.54|125\.110\.104\.152|91\.121\.145\.159|124\.12\.10\.36|94\.23\.49\.215|59\.30\.233\.9|212\.44\.131\.8|200\.62\.18\.19|217\.20\.170\.44|220\.190\.60\.143|125\.110\.123\.208|218\.191\.125\.43|221\.120\.240\.6|124\.11\.191\.177|125\.110\.105\.150|201\.39\.220\.3|117\.41\.164\.60|220\.190\.60\.33|202\.60\.129\.34|202\.125\.156\.122|89\.20\.136\.28|125\.110\.125\.102|217\.219\.244\.70|58\.51\.197\.246|113\.253\.14\.210|84\.247\.200\.150|125\.1 10\.126\.191|96\.56\.54\.171|165\.132\.230\.253|87\.98\.217\.19|217\.168\.64\.58|64\.76\.150\.229|190\.65\.170\.58|210\.210\.113\.2|220\.190\.61\.168|125\.110\.100\.247|148\.223\.175\.2|195\.91\.54\.121|213\.141\.145\.16|148\.245\.196\.93|200\.223\.226\.200|200\.234\.200\.143|201\.16\.206\.1|74\.94\.173\.234|201\.6\.156\.229|119\.30\.121\.11|195\.91\.54\.120|125\.110\.99\.234|88\.191\.99\.50|213\.199\.252\.130|201\.30\.99\.126|58\.65\.245\.87)\b/ -describe KHOP_SC_TOP100 Relay listed in SpamCop top 100 spammer IPs -score KHOP_SC_TOP100 1.4 1.3 1.8 1.7 +#header KHOP_SC_TOP100 Received =~ 
/(?-xism:\b(?:2(?:1(?:0\.(?:1(?:27\.253\.121|10\.49\.39)|212\.248\.222)|(?:3\.227\.72\.14|8\.248\.44\.19)6|1\.(?:152\.12\.114|202\.2\.48)|7\.199\.231\.249|2\.198\.38\.145)|0(?:0\.(?:2(?:16\.152\.210|6\.171\.86)|141\.87\.135|80\.140\.61)|3\.1(?:71\.181\.35|01\.104\.2)|1\.116\.198\.114|6\.169\.30\.117)|2(?:1\.(?:2(?:14\.164\.240|\.98\.206)|120\.224\.146|5\.67\.2)|0\.2(?:27\.(?:170\.197|35\.234)|31\.101\.214)|2\.237\.78\.177)|4\.156\.108\.188)|1(?:2(?:1\.1(?:8(?:5\.156\.185|7\.85\.114)|0\.127\.158)|4\.(?:124\.52\.162|0\.18\.130)|2\.252\.234\.74|5\.7\.221\.146|3\.30\.9\.250)|9(?:0\.(?:196\.13\.66|6\.172\.98|81\.54\.33)|5\.1(?:89\.45\.11|61\.9\.2)|2\.117\.150\.233|3\.108\.38\.228)|1(?:8\.(?:70\.127\.241|69\.69\.122|175\.5\.77)|0\.172\.167\.37|1\.224\.250\.68)|89\.54\.125\.92)|8(?:0\.(?:235\.105\.140|93\.215\.106)|3\.14(?:2\.111\.228|3\.151\.165)|9\.(?:190\.197\.14|97\.183\.195)|1\.1(?:12\.190\.195|92\.1\.254)|2\.239\.205\.187|4\.17\.11\.114)| 9(?:4\.(?:23\.(?:(?:215\.5|35\.18)0|45\.154)|1(?:59\.202\.199|73\.9\.220)|77\.48\.5)|1\.(?:1(?:21\.14\.198|92\.144\.9)|200\.212\.5)|2\.243\.17\.217|3\.122\.135\.4)|6(?:1\.(?:1(?:48\.102\.110|78\.126\.206)|42\.153\.174)|(?:6\.242\.25\.1|2\.148\.88\.)98|0\.190\.81\.235)|7(?:(?:4\.208\.167\.18|5\.126\.49\.14)9|7\.70\.54\.81|2\.21\.6\.17)|5(?:8\.18\.168\.165|9\.160\.177\.27))\b)/ +#describe KHOP_SC_TOP100 Relay listed in SpamCop top 100 spammer IPs +#score KHOP_SC_TOP100 1.4 1.3 1.8 1.7 +# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail +# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score +#counts KHOP_SC_TOP100 2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09 +#counts KHOP_SC_TOP100 5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09 +#counts KHOP_SC_TOP100 6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 +#counts KHOP_SC_TOP100 2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09 +#counts KHOP_SC_TOP100 1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09 # notable overlap: 99% of hits also hit 
RCVD_IN_BL_SPAMCOP_NET (1.960) (duh) # notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033) # notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619) -header KHOP_SC_TOP200 Received =~ /\b(?:125\.110\.100\.71|195\.161\.9\.2|84\.38\.66\.78|91\.120\.21\.34|61\.225\.196\.28|189\.74\.131\.212|202\.90\.124\.50|77\.239\.179\.72|94\.25\.126\.174|211\.234\.122\.24|221\.120\.240\.2|201\.54\.4\.253|218\.38\.151\.109|60\.181\.165\.245|201\.80\.224\.106|213\.226\.192\.126|217\.243\.173\.37|148\.208\.160\.33|125\.76\.228\.201|202\.134\.85\.194|125\.110\.105\.140|85\.254\.172\.60|189\.112\.196\.111|189\.59\.236\.20|210\.83\.80\.41|213\.79\.125\.122|218\.191\.122\.205|91\.121\.117\.95|200\.37\.164\.34|92\.50\.131\.106|61\.4\.104\.38|198\.173\.64\.139|78\.107\.5\.63|200\.80\.140\.61|218\.38\.16\.55|200\.223\.178\.254|116\.63\.237\.2|121\.28\.49\.131|115\.93\.208\.114|190\.54\.31\.34|66\.77\.151\.20|62\.38\.54\.81|187\.16\.246\.3|125\.110\.109\.245|125\.110\.126\.18|205\.234\.100\.194|91\.121\.71\.147|201\.65\.243\.3|93\.122\.135\.1|187\.12\.68\.122|91\.186\.16\.23|189\.19\.248\.132|58\.211\.75\.8|201\.82\.144\.97|200\.71\.175\.15|89\.1 56\.160\.96|121\.28\.7\.181|189\.59\.7\.187|124\.207\.168\.39|89\.21\.93\.154|85\.25\.136\.151|200\.203\.105\.243|200\.71\.175\.13|124\.124\.244\.174|200\.144\.5\.41|200\.43\.109\.166|200\.195\.138\.35|189\.4\.227\.125|58\.244\.22\.102|78\.108\.69\.156|82\.151\.131\.153|200\.71\.149\.82|212\.97\.132\.139|24\.39\.25\.82|213\.251\.187\.187|211\.53\.169\.2|77\.81\.240\.5|200\.71\.175\.18|75\.125\.124\.50|61\.50\.219\.170|94\.23\.58\.45|117\.25\.160\.198|189\.20\.181\.130|200\.161\.93\.39|189\.51\.32\.106|122\.121\.213\.148|69\.215\.26\.194|201\.55\.128\.10|61\.150\.76\.190|200\.216\.113\.58|218\.107\.15\.32|190\.107\.134\.202|203\.160\.67\.112|121\.246\.84\.83|200\.71\.175\.17|94\.80\.184\.178|200\.152\.54\.196|202\.75\.37\.222|218\.69\.16\.74|212\.97\.132\.134)\b/ -describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs -score 
KHOP_SC_TOP200 0.9 0.8 1.4 1.3 -# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) +#header KHOP_SC_TOP20 Received =~ /(?-xism:\b(?:1(?:1(?:1\.(?:224\.250\.64|68\.111\.195)|3\.160\.248\.101|7\.25\.129\.200|6\.50\.249\.2)|25\.46\.73\.179)|58\.18\.168\.16[23]|219\.254\.35\.45|80\.93\.125\.186)\b)/ +#describe KHOP_SC_TOP20 Relay listed in SpamCop top 20 spammer IPs +#score KHOP_SC_TOP20 1.9 1.7 2.2 2.0 +# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) + +#header KHOP_SC_TOP10 Received =~ /(?-xism:\b(?:2(?:09\.94\.196\.170|13\.227\.219\.58|22\.252\.223\.2)|6(?:1\.1(?:58\.163\.112|78\.81\.100)|0\.213\.48\.250)|(?:58\.18\.168\.16|84\.22\.140\.18)6|111\.224\.250\.(?:132|70))\b)/ +#describe KHOP_SC_TOP10 Relay listed in SpamCop top 10 spammer IPs +#score KHOP_SC_TOP10 2.2 2.0 2.6 2.4 +# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) + # Bump these up to compensate for expected but absent overlap if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) ) - score KHOP_SC_CIDR8 (0.5) - score KHOP_SC_TOP_CIDR8 (0.9) # RCVD_IN_PBL - score KHOP_SC_CIDR16 (0.8) # RCVD_IN_PBL - score KHOP_SC_TOP_CIDR16 (0.9) # RCVD_IN_PBL - score KHOP_SC_CIDR24 (0.9) # RCVD_IN_PBL - score KHOP_SC_TOP_CIDR24 (1.5) # RCVD_IN_PBL ++ - score KHOP_SC_TOP10 4.9 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ - score KHOP_SC_TOP20 4.8 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ - score KHOP_SC_TOP100 4.7 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ - score KHOP_SC_TOP200 (2.0) # RCVD_IN_BL_SPAMCOP_NET ++ + score KHOP_SC_CIDR8 (0.1) + score KHOP_SC_TOP_CIDR8 (0.2) # RCVD_IN_PBL + score KHOP_SC_CIDR16 (0.8) # RCVD_IN_PBL + score KHOP_SC_TOP_CIDR16 (0.9) # RCVD_IN_PBL + score KHOP_SC_CIDR24 (0.9) # RCVD_IN_PBL + score KHOP_SC_TOP_CIDR24 (1.5) # RCVD_IN_PBL ++ + score KHOP_SC_TOP200 4.6 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ + #score KHOP_SC_TOP100 4.7 # RCVD_IN_BL_SPAMCOP_NET ++ + #score KHOP_SC_TOP20 4.8 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ + #score 
KHOP_SC_TOP10 4.9 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
 endif
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf?rev=882413&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Fri Nov 20 04:56:38 2009
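Review bot: The regenerated `header KHOP_SC_TOP_CIDR24` alternation ends in `0\.0\.0`, i.e. the 0.0.0.0/24 block, which cannot be a real top-offending network and looks like a placeholder row in the SpamCop listing that the generator passed straight through; with `score KHOP_SC_TOP_CIDR24 1.7 1.5 1.9 1.8` (and 1.5 in the no-DNSEval branch) it penalises any Received header that happens to contain `0.0.0.n`, which may occur for local or unroutable connections. That entry should be dropped and the generator taught to reject 0.0.0.0/8 and other reserved ranges before emitting the CIDR and TOP200 lists. The large TOP200 regexp is also shown with stray spaces inside it in this rendering (e.g. `2\.2 (?:5`); worth confirming the committed file is intact, since a space there silently changes what the rule matches. This hunk begins on an earlier line of the page.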
@@ -0,0 +1,43 @@
+# S25R is: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
+# S25R is seven regexps. rule 0 is in SA as RDNS_NONE and the rest follow.
+# The whitelist is way too big to be worthwhile, so I'm using SPF/DKIM instead.
+
+# I do NOT currently trust S25R, especially rules 4-6,
+# but it might be more good fodder for poor-man's-botnet like RDNS_DYNAMIC
+
+header __S25R_1 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
+describe S25R_1 S25R Rule 1: Bottom of rDNS has num, non-num, num
+meta S25R_1 !__NOT_SPOOFED && __S25R_1
+tflags S25R_1 nopublish
+score S25R_1 0.2
+
+header __S25R_2 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d{5}/
+describe S25R_2 S25R Rule 2: Bottom of rDNS has 5+ digits in a row
+meta S25R_2 !__NOT_SPOOFED && __S25R_2
+tflags S25R_2 nopublish
+score S25R_2 0.1
+
+header __S25R_3 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
+describe S25R_3 S25R Rule 3: A low-level of rDNS starts w/ a number
+meta S25R_3 !__NOT_SPOOFED && __S25R_3
+tflags S25R_3 nopublish
+score S25R_3 0.1
+
+header __S25R_4 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
+describe S25R_4 S25R Rule 4: Bottom of rDNS ends w/ num, next lvl has num-num
+meta S25R_4 !__NOT_SPOOFED && __S25R_4
+tflags S25R_4 nopublish
+score S25R_4 0.001
+
+header __S25R_5 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
+describe S25R_5 S25R Rule 5: rDNS has 5+ layers, bottom 2 end in numbers
+meta S25R_5 !__NOT_SPOOFED && __S25R_5
+tflags S25R_5 nopublish
+score S25R_5 0.001
+
+header __S25R_6 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/
+describe S25R_6 S25R Rule 6: rDNS looks dynamic or customer-facing
+meta S25R_6 !__NOT_SPOOFED && __S25R_6
+tflags S25R_6 nopublish
+score S25R_6 0.001
+
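Review bot: `header __S25R_6 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/` requires the bottom label of the rDNS to begin with the keyword, whereas the upstream S25R rule 6, as I recall it, allows a prefix before the keyword within that label; if so, `rdns=[^. ]*(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d` would follow the reference, and otherwise a comment stating that the tighter anchoring is deliberate would help, since the file header claims to implement the seven upstream regexps. All six S25R_n metas also depend on __NOT_SPOOFED, which is defined in 20_khop_bl.cf and not here; a one-line comment at the top naming that file, e.g. `# __NOT_SPOOFED comes from 20_khop_bl.cf`, would save readers a search and flag that the gate is only as strong as that sub-rule.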