File: 20_fake_helo_tests.cf

package info (click to toggle)
spamassassin 3.4.6-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 23,540 kB
  • sloc: perl: 75,702; ansic: 5,005; sh: 3,775; makefile: 377; sql: 263; python: 49
file content (160 lines) | stat: -rw-r--r-- 9,046 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
 
# SpamAssassin rules file: fake-HELO tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# We should write a new ruletype for these, to save typing.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

require_version @@VERSION@@

#---------------------------------------------------------------------------
# Handle hosts that look like HELO_DYNAMIC hosts

# cmr-208-124-139-194.cr.net.cable.rogers.com) [208.124.139.194]
# cmr-208-97-119-114.cr.net.cable.rogers.com) [208.97.119.114]
header __HELO_STATIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ helo=cmr-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\S+\.rogers\.com[^\]]+ auth= /i

# o167-89-97-77.outbound-mail.sendgrid.net (bug 7592)
header __HELO_STATIC_SENDGRID X-Spam-Relays-External =~ /^[^\]]+ helo=o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net\s[^\]]+ auth= /i

# 50-203-126-142-static.hfc.comcastbusiness.net
header __HELO_STATIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}-static\.hfc\.comcastbusiness\.net\s[^\]]+ auth= /i

describe HELO_STATIC_HOST Relay HELO'd using static hostname
meta HELO_STATIC_HOST (__HELO_STATIC_ROGERS || __HELO_STATIC_SENDGRID || __HELO_STATIC_COMCAST)

# ---------------------------------------------------------------------------

# Suresh says: these will never be used as HELOs from real mail.com relays.
# Just check the most recent handover; the connection to a internal host.
# This way a legit sender can send to their MSA using that HELO (quite a few
# MUAs will do that), but a spammer gets caught.  (List of domains comes from
# the drop-down list on the Mail.com signup page.)
#header FAKE_HELO_MAIL_COM_DOM  X-Spam-Relays-External =~ /^[^\]]+ helo=(?:\S+\.|)(?:(?:mail|email|iname|cheerful|consultant|europe|mindless|myself|post|techie|usa|writeme|2die4|artlover|bikerider|catlover|cliffhanger|cutey|doglover|gardener|hot-shot|inorbit|loveable|mad\.scientist|playful|poetic|popstar|saintly|seductive|soon|whoever|winning|witty|yours|africamail|arcticmail|asia|australiamail|europe|japan|samerica|usa|berlin|dublin|london|madrid|moscowmail|munich|nycmail|paris|rome|sanfranmail|singapore|tokyo|accountant|adexec|allergist|alumnidirector|archaeologist|chemist|clerk|columnist|comic|consultant|counsellor|deliveryman|diplomats|doctor|dr|engineer|execs|financier|geologist|graphic-designer|insurer|journalist|lawyer|legislator|lobbyist|minister|optician|pediatrician|presidency|priest|publicist|realtyagent|registerednurses|repairman|representative|rescueteam|scientist|sociologist|teacher|techietechnologist|umpire)\.com|(?:programmer|earthling|hairdresser)\.net|musician\.org) /i
#describe FAKE_HELO_MAIL_COM_DOM Relay HELO'd with suspicious hostname (mail.com)


# ---------------------------------------------------------------------------
# Interesting new feature; spamware HELO'ing, from a dialup IP addr,
# using that IP's rDNS entry.  We can catch this easily.  There aren't
# many legit mailservers calling themselves
# 'dhcp024-210-034-053.columbus.rr.com'. ;)
#
# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.

# See bug #5856, all references of trusted were changed to internal

# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# c-66-176-16-108.se.client2.attbi.com [66.176.16.108]
# c-67-168-174-61.client.comcast.net [67.168.174.61]
# NNN-NNN-NNN-NNN.fibertel.com.ar
# NN.NN.NNN.NNN.ap.yournet.ne.jp
# NN.NNN.NN-NN.rev.gaoland.net
# vaise-1-82-67-44-166.fbx.proxad.net [82.67.44.166]
# lns-vlq-11-62-147-186-141.adsl.proxad.net [62.147.186.141]
# dsl-200-95-109-107.prod-infinitum.com.mx [200.95.109.107]
# port-212-202-77-203.reverse.qsc.de [212.202.77.203]
# pool-151-203-32-68.bos.east.verizon.net [151.203.32.68]
# c-67-164-133-216.client.comcast.net [67.164.133.216]
# 200-171-228-6.customer.telesp.net.br [200.171.228.6]
# modemcable090.28-201-24.mc.videotron.ca [24.201.28.90]
# 80-218-47-160.dclient.hispeed.ch [80.218.47.160]
# cdm-68-226-239-16.laft.cox-internet.com [68.226.239.16]
# d53-64-35-171.nap.wideopenwest.com [64.53.171.35]
# 74.67-201-80.adsl.skynet.be [80.201.67.74]
# 12-218-225-223.client.mchsi.com [12.218.225.223]
# (require an alpha first, as legit HELO'ing-as-IP-address is hit otherwise)
header __HELO_DYNAMIC_IPADDR X-Spam-Relays-External =~ /^[^\]]+ helo=(?![^\s\]]+[-.]static[-.])[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ auth= /i
meta HELO_DYNAMIC_IPADDR (__HELO_DYNAMIC_IPADDR && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)

# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# catv-506237d8.miskcatv.broadband.hu [80.98.55.216]
# node-c-8b22.a2000.nl
# cm89.omega139.maxonline.com.sg
# cm114.gamma208.maxonline.com.sg
header __HELO_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:(?<!a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
meta HELO_DYNAMIC_DHCP (__HELO_DYNAMIC_DHCP && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)

# fia83-8.dsl.hccnet.nl [62.251.8.83]
# fia160-115-100.dsl.hccnet.nl [80.100.115.160]
header __HELO_DYNAMIC_HCC   X-Spam-Relays-External =~ /^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\.[^\]]+ auth= /i
meta HELO_DYNAMIC_HCC (__HELO_DYNAMIC_HCC && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)

# h0002a5d76857.ne.client2.attbi.com [65.96.12.59]

# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com
# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140]
header HELO_DYNAMIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ helo=CPE\d+\S+\.rogers\.com[^\]]+ auth= /i
describe HELO_DYNAMIC_ROGERS Relay HELO'd using suspicious hostname (Rogers)

# pD9E4F89F.dip.t-dialin.net [217.228.248.159]
header HELO_DYNAMIC_DIALIN X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z][A-F0-9]+\.dip\./
describe HELO_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin)

# 0xd5aaf40b.dhcp.kabelnettet.dk
# 0x50a46949.virnxx11.adsl-dhcp.tele.dk
header HELO_DYNAMIC_HEXIP X-Spam-Relays-External =~ /^[^\]]+ helo=0x[a-f0-9]{8}\./
describe HELO_DYNAMIC_HEXIP Relay HELO'd using suspicious hostname (Hex IP)

# 118.Red-80-35-201.pooles.rima-tde.net
header HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/
describe HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)

# YahooBB219173000034.bbtec.net [219.173.0.34]

# 10-35-124-91.pool.ukrtel.net [91.124.35.10]
# 89-215-186-91.2073241113.ddns-lan.rakovski.ekk.bg [217.18.240.147]
# 200.109.193-29.dyn.dsl.cantv.net [200.109.193.29]
# 113x35x70x11.ap113.ftth.ucom.ne.jp [113.35.70.11]
# 98x9x3p5siouq.kvknv3sv1quk.3ejp4xzv.com [213.250.20.156]
# 1.0/24.137.95.202.in-addr.arpa [202.95.137.1]
header __HELO_DYNAMIC_IPADDR2 X-Spam-Relays-External =~ /^[^\]]+ helo=(?![^\s\]]+[-.](?:static|mail|smtp|mx)\d*[-.])\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= /i
meta HELO_DYNAMIC_IPADDR2  (__HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP)
describe HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)

# h234n2fls32o895.telia.com [217.208.73.234]
# h53n2fls32o828.telia.com
# h116n2fls32o1111.telia.com
# h29n1fls306o1003.telia.com

# CM-vina5-168-207.cm.vtr.net [200.104.168.207]
# CM-anto1-98-153.cm.vtr.net [200.104.98.153]

# ec9z5l.cm.chello.no

# g225174.upc-g.chello.nl
# a151145.upc-a.chello.nl
# a96134.upc-a.chello.nl
header HELO_DYNAMIC_CHELLO_NL  X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z]\d+\.upc-[a-z]\.chello\.nl[^\]]+ auth= /i
describe HELO_DYNAMIC_CHELLO_NL Relay HELO'd using suspicious hostname (Chello.nl)

# cp160000-a.mill1.nb.home.nl
# cp341468-b.venra1.lb.home.nl
header HELO_DYNAMIC_HOME_NL  X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i
describe HELO_DYNAMIC_HOME_NL Relay HELO'd using suspicious hostname (Home.nl)