1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251
|
### khop-sc-neighbors.cf v 201405817
### Khopesh's syndication of SpamCop's top offenders and top offending networks.
###
### Spamassassin rules written by Adam Katz <antispamATkhopiscom>
### http://khopesh.com/Anti-spam
### khopesh on irc://irc.freenode.net/#spamassassin
###
### sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com
###
### These rules are Copyright 2001-2009 by Adam Katz <antispamATkhopiscom>
### Licensed under the Apache License 2.0.
### The code that generated this output is GNU Affero General Public License v3.
### Source data (copyright Cisco) was taken from links below.
###
### Frequent updates are needed for these rules, so they are marked 'nopublish'
### This keeps them from being automatically promoted to SpamAssassin proper
### from the testing system, which affirms their usefulness. You can check
### their efficiency at https://ruleqa.spamassassin.org/?rule=%2FKHOP_SC
#
#meta __KHOP_SC_EXCLUSIONS __VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || RCVD_IN_HOSTKARMA_WL
#
## http://spamcop.net/w3m?action=map;mask=4294967295;net=0;sort=56
## Due to the massive block size, this rule only examines the last untrusted
#header __KHOP_SC_CIDR8 X-Spam-Relays-Untrusted =~ /^[^\]]* (?:by|ip)=(?-xism:\b(?:117|46|95|2)(?:\.[012]?\d{1,2}){3}\b) /
## and gets cleaned up a bit
#meta KHOP_SC_CIDR8 __KHOP_SC_CIDR8 && !__KHOP_SC_EXCLUSIONS
#describe KHOP_SC_CIDR8 Relay CIDR /8 is among worst in SpamCop
#tflags KHOP_SC_CIDR8 nopublish
#score KHOP_SC_CIDR8 0.1 0.02 0.2 0.1
## spam/ham s/o corpus
## 12.3692/1.0099 0.925 20100211 .2 .1 .3 .2 -> .1 .01 .1 .01
## 8.9412/1.1532 0.886 20100325
## 9.4362/0.4074 0.959 20100329
## 11.8281/0.4788 0.961 20100401 without meta
## 11.8578/0.4495 0.961 20100402 half meta (oops). decreased worst 4/8->4/7
## 7.8856/0.1388 0.983 20100403 meta, net, solo=7.9236/0.4189
## changed from rank by spam count to rank by hosts reported, back to 4/8
## 12.1963/0.0356 0.997 20100406 (wow) solo=12.2454/0.0408@0.997
## 12.0753/0.0359 0.997 20100409 solo=12.1265/0.0412@0.997
## 12.1449/0.0139 0.999 20100410 net, solo=12.1966/0.0197@0.998, ->.2 .1 .3 .2
## 10.3554/0.0112 0.999 20110227@510k solo=10.3717/0.0119@0.999, ->.3 .1 .3 .1
## 1.5335/0.5063 0.752 20130629@465k net, solo=1.5947/0.5379@0.748
## 2.0256/0.7432 0.732 20130705@376k solo=2.0429/0.7595@0.729, ->.1 .02 .2 .1
#
#header __KHOP_SC_TOP_CIDR8 X-Spam-Relays-Untrusted =~ /^[^\]]* (?:by|ip)=(?-xism:\b(?:1(?:13|78|90)|37)(?:\.[012]?\d{1,2}){3}\b) /
#meta KHOP_SC_TOP_CIDR8 __KHOP_SC_TOP_CIDR8 && !__KHOP_SC_EXCLUSIONS
#describe KHOP_SC_TOP_CIDR8 Relay CIDR /8 leads SpamCop in worst /8s
#tflags KHOP_SC_TOP_CIDR8 nopublish
#score KHOP_SC_TOP_CIDR8 0.1 0 0.1 0
## spam/ham s/o corpus
## 15.6795/0.1173 0.993 20100211 .5 .4 .8 .6 -> .6 .5 .8 .5
## 11.0578/0.3614 0.968 20100325
## 13.7809/0.4860 0.966 20100329 .9 .1 .9 .1 masscheck promoted
## 14.1773/0.4799 0.967 20100401
## 14.1807/0.4960 0.966 20100402 without meta
## 14.0841/0.0926 0.993 20100402 added meta (wow!)
## 14.2553/0.0424 0.997 20100403 net, solo=14.3609/0.4888@0.967
## 11.6252/0.1263 0.989 20100406 solo=11.7104/0.5366@0.956
## 11.5987/0.1295 0.989 20100409 solo=11.6856/0.5731@0.953
## 11.6286/0.0475 0.996 20100410 net, solo=11.7224/0.6900@0.944, ->LE as above
## 10.6798/0.1269 0.993 20110227@510k solo=10.6996/0.5918@0.948 -> .2 0 .2 0
## 3.6096/0.2502 0.935 20130629@465k net, solo=3.7125/1.5080@0.711
## 4.1386/0.8450 0.830 20130705@376k solo=4.1707/1.5958@0.723 ->.1 0 .1 0
#
## http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
#header KHOP_SC_CIDR16 Received =~ /___ FAILED TO POPULATE ___/
#describe KHOP_SC_CIDR16 Relay CIDR /16 is among worst in SpamCop
#tflags KHOP_SC_CIDR16 nopublish
#score KHOP_SC_CIDR16 0.4 0.1 0.4 0.1
## spam/ham s/o corpus
## 0.7444/0.0129 0.983 20100211
## 0.5943/0.0139 0.977 20100325 .6 .5 .9 .75
## 0.8767/0.0167 0.981 20100329 1.6 .5 1.6 .5 masscheck promoted
## 0.6952/0.0011 0.998 20100401 increased worst offenders 6/12->9/15 @ 20100401
## 0.6814/0.0149 0.979 20100402
## 0.4399/0.0008 0.998 20100403 net run
## 0.2102/0.0011 0.995 20100406
## 0 /0 0 20100409 (wha!?)
## crap, still empty 20100410 bad scrape, script failed to populate rule
## crap, still empty 20110227 this is due to safety net exclns -> 1 .2 1 .2
## crap, still empty 20130629@465k net
## crap, still empty 20130705@376k net. lowering for low vol -> .4 .1 .4 .1
#
#header KHOP_SC_TOP_CIDR16 Received =~ /(?-xism:\b211\.186(?:\.[012]?\d{1,2}){2}\b)/
#describe KHOP_SC_TOP_CIDR16 Relay CIDR /16 leads SpamCop in worst /16s
#tflags KHOP_SC_TOP_CIDR16 nopublish
#score KHOP_SC_TOP_CIDR16 0.6 0.2 0.7 0.3
## spam/ham s/o corpus
## 0.8862/0.0008 0.999 20100211
## 0.5738/0.0008 0.999 20100325 .9 .8 1.3 1.2
## 0.6658/0 1.000 20100329 2 .5 2 .5 masscheck promoted
## 0.8374/0 1.000 20100401
## 1.1534/0 1.000 20100402
## 1.2077/0.0145 0.988 20100403 net run
## 1.2155/0.0142 0.988 20100406
## 1.2779/0.0142 0.989 20100409
## 1.0611/0.0009 0.999 20100410 net
## 0.5034/0 1.000 20110227@510k 2 .3 2 .4
## 0.0140/0 1.000 20130629@465k net
## 0/0 - 20130705@376k lowering for low vol -> .6 .2 .7 .3
#
#
## http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
#header KHOP_SC_CIDR24 Received =~ /(?-xism:\b(?:1(?:2(?:3\.114\.110|0\.43\.94)|84\.(?:82\.171|22\.44)|07\.158\.214|73\.208\.241|17\.19\.216|94\.105\.9|\.93\.58)|69\.175\.114|2\.230\.25)\.[012]?\d{1,2}\b)/
#describe KHOP_SC_CIDR24 Relay CIDR /24 is among worst in SpamCop
#tflags KHOP_SC_CIDR24 nopublish
#score KHOP_SC_CIDR24 0.6 0 0.6 0
## spam/ham s/o corpus
## 0.1350/0 1.000 20100211
## 0.0798/0 1.000 20100325 .9 .8 1.3 1.2
## 0.0159/0 1.000 20100329 2.5 .6 2.5 .6 masscheck promoted
## 0.1577/0 1.000 20100401
## added top host-count /24s, increased worst offenders 6/12->8/15 @ 20100401
## 0.1223/0 1.000 20100402 (oops, too small a pool)
## host-count 84/64->84/50, offenders 8/15->10/20 @ 20100402
## 0.2547/0 1.000 20100403 net
## 0.2126/0 1.000 20100406
## 0.2960/0 1.000 20100409
## 0.2905/0 1.000 20100410 net
## 0.4157/0.5009 0.454 20110227 something is wrong here! -> .1 0 .1 0
## 0.0004/0 1.000 20130629@465k net
## 0.4428/0 1.000 20130705@376k resume scores -> .6 0 .6 0
#
#
#header KHOP_SC_TOP_CIDR24 Received =~ /(?-xism:\b(?:1(?:7(?:3\.45\.(?:111|94)|8\.216\.50)|17\.19\.217|84\.22\.53)|6(?:3\.141\.245|8\.233\.239|4\.79\.92)|91\.215\.13[6789]|23\.92\.60|74\.91\.25)\.[012]?\d{1,2}\b)/
#describe KHOP_SC_TOP_CIDR24 Relay CIDR /24 leads SpamCop in worst /24s
#tflags KHOP_SC_TOP_CIDR24 nopublish
#score KHOP_SC_TOP_CIDR24 1.7 0.5 1.7 0.5
## spam/ham s/o corpus
## 0.2528/0.0092 0.965 20100211
## 0.2231/0.0112 0.952 20100325 1.7 1.5 1.9 1.8
## 0.0249/0 1.000 20100329 2.7 .6 2.7 .6 masscheck promoted
## 0.1594/0 1.000 20100401
## 0.6448/0 1.000 20100402 (wow!)
## 0.6896/0 1.000 20100403 net
## 0.6255/0.0045 0.993 20100406
## 0.7261/0.0045 0.994 20100409
## 0.7447/0.0054 0.993 20100410 net
## 0.5722/0 1.000 20110227@510k 2.7 .5 2.7 .5
## 0.1483/0 1.000 20130629@465k net
## 0.0197/0 1.000 20130705@376k -> 1.7 .5 1.7 .5
#
#
## http://www.spamcop.net/w3m?action=hoshame
#header KHOP_SC_TOP200 Received =~ /(?-xism:\b(?:1(?:2(?:4\.(?:1(?:56\.251\.1(?:22|54)|13\.149\.160|27\.197\.62|73\.122\.75)|7(?:3\.14(?:0\.119|\.88)|7\.184\.130))|5\.(?:4(?:3\.78\.105|6\.61\.12)|79\.9(?:3\.231|5\.9)|65\.77\.24[01]|91\.130\.95)|3\.1(?:14\.110\.127|25\.19\.44)|0\.43\.9(?:2\.196|4\.107)|1\.12\.125\.47)|8(?:4\.(?:22\.(?:53\.(?:190?|201)|197\.216|44\.143|83\.154)|82\.1(?:7(?:1\.234|9\.117)|23\.85))|3\.(?:1(?:60\.1(?:82\.229|26\.17)|0\.122\.169)|61\.243\.9)|7\.(?:102\.153\.146|23\.42\.59)|9\.205\.184\.161|2\.37\.217\.243)|9(?:9\.(?:19(?:2\.15(?:3\.158|4\.114|2\.42)|3\.66\.195)|36\.76\.(?:190|241))|8\.(?:23\.158\.162|46\.135\.217|52\.165\.155)|2\.1(?:87\.114\.14[02]|61\.177\.73)|4\.105\.9\.85)|1(?:(?:5\.(?:28\.82\.14|71\.28\.5)|6\.112\.66\.10|0\.88\.241\.4)2|8\.(?:123\.4\.7[56]|244\.229\.168|69\.198\.212)|7\.19\.21(?:6\.150|7\.235)|9\.254\.66\.7)|7(?:3\.(?:45\.(?:94\.(?:2(?:1[12456789]|20)|4[135]|38)|111\.(?:8[3456789]|9[012]))|2(?:08\.241\.9[1234]|12\.205\.158))|8\.216\.50\.39)|\.93\.(?:5(?:8\.(?:1(?:63|70)|2(?:29|53))|7\.1[89]6)|4(?:1\.160|6\.156|5\.67|7\.65))|0(?:(?:6\.186\.22\.15|3\.21\.198\.8)9|1\.14\.252\.236)|4\.(?:18\.207\.225|23\.106\.202))|2(?:1(?:9\.138\.23(?:6\.2(?:2[04]|39)|9\.(?:[013]|212)|7\.2(?:03|22)|8\.5)|2\.(?:1(?:46\.101\.154|54\.154\.220)|99\.249\.5)|1\.1(?:62\.79\.6[589]|86\.255\.122|03\.210\.38)|0\.(?:189\.77\.129|51\.4\.11)|7\.33\.146\.210|8\.90\.174\.167)|2(?:(?:2\.78\.127\.12|0\.68\.224\.4)5|3\.240\.1(?:28\.221|33\.134)|1\.143\.50\.236)|3\.(?:92\.60\.(?:1(?:[46]|72)|6[26]|81)|239\.106\.103)|0(?:2\.234\.40\.41|3\.100\.0\.34)|\.23(?:5\.162\.168|0\.25\.144))|6(?:0\.(?:1(?:68\.113\.147|73\.14\.80)|2(?:13\.63\.138|35\.43\.226))|1\.(?:1(?:57\.96\.1(?:0[59]|11)|64\.43\.140)|93\.246\.49)|3\.(?:141\.245\.(?:2[024]|18)|221\.140\.143)|8\.233\.239\.(?:1(?:[123]|0[012]?)|9[789]?)|(?:6\.197\.231\.14|2\.48\.186\.15)8|4\.79\.92\.(?:5[123456789]|60))|5(?:9\.(?:37\.162\.187|58\.242\.216|63\.182\.125)|8\.2(?:15\.52\.159|2\.103\.208|46\.179\.82))|7(?:4\.91\.25\.(?:5[012489]|62)|8\.129\.194\.(?:118|83)|2\.11\.148\.188)|9(?:3\.63\.141\.186|4\.41\.90\.109)|46\.249\.54\.104|80\.227\.12\.90)\b)/
#describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs
#tflags KHOP_SC_TOP200 nopublish
#score KHOP_SC_TOP200 4 0 4 0 # unnecessary if DNSBLs work
## spam/ham s/o corpus
## 1.2552/0 1.000 20100211
## 0.8558/0 1.000 20100325 3.4 3.2 3.7 3.5
## 0.1265/0 1.000 20100329 4 0 4 0 masscheck promoted
## 0.7066/0 1.000 20100401
## 0.6558/0 1.000 20100403 net
## 0.6211/0 1.000 20100406
## 0.5307/0 1.000 20100409
## 0.5617/0 1.000 20100410 net
## 0.3655/0 1.000 20110227@510k
## 2.6827/0.0069 0.997 20130629@465k net
## 2.9091/0.0056 0.998 20130705@376k
#
#
## Spamhaus DROP, https://www.spamhaus.org/drop/
#header KHOP_SPAMHAUS_DROP X-Spam-Relays-Untrusted =~ /___ FAILED TO POPULATE ___/
#describe KHOP_SPAMHAUS_DROP Relay listed in Spamhaus Don't Route Or Peer List
#tflags KHOP_SPAMHAUS_DROP nopublish
#score KHOP_SPAMHAUS_DROP 1 0.2 1 0.2
## spam/ham s/o corpus
## 0.0349/0.0029 0.924 20110227@510k
#
#header KHOP_SPAMHAUS_DROP_LE X-Spam-Relays-External =~ /^[^]]*___ FAILED TO POPULATE ___/
#describe KHOP_SPAMHAUS_DROP_LE Relay listed in Spamhaus Don't Route Or Peer List
#tflags KHOP_SPAMHAUS_DROP_LE nopublish
#score KHOP_SPAMHAUS_DROP_LE 2 0 2 0 # adds to KHOP_SPAMHAUS_DROP
## spam/ham s/o corpus
## 0.0241/0 1.000 20110227@510k
#
#
## PSBL-neighbors: any /24 with 73+ (2/7, 29%) IPs in the PSBL (not SpamCop),
## as obtained from rsync://psbl-mirror.surriel.com::psbl/psbl.txt
#header KHOP_PSBL_CIDR24 X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?-xism:\b(?:1(?:1(?:1\.176\.(?:[67]|(?:12|8)[4567]|4[89]?|5[01]?)|6\.207\.(?:6[0123]|4[89]|5\d))|8(?:6\.(?:1(?:3\.[0124567]|22\.4[4567])|37\.202)|1\.66\.15[67]|8\.73\.252)|0(?:3\.(?:2(?:5(?:1\.157|3\.21)|42\.7)|19\.16[013])|9\.127\.80)|9(?:0\.234\.106|4\.219\.240|8\.23\.198|9\.19\.92)|2(?:3\.136\.106|2\.155\.34)|30\.193\.1(?:47|65)|77\.36\.17)|2(?:7\.20\.(?:[89]|1(?:0[0123]?|[28][89]|[39][01]|7[6789]|1)|24[01234567]|4[0123]|5[6789])|1(?:2\.(?:73\.15[89]|5\.158)|1\.91\.22[01])|0(?:0\.(?:63\.160|81\.44)|3\.191\.25))|5(?:8\.50\.1(?:[2345]|1[012356789]|0[456789])|\.172\.24[67])|9(?:1\.215\.13[6789]|4\.230\.93|5\.159\.68)|41\.254\.[2568])\.[012]?\d{1,2}\b)/
#describe KHOP_PSBL_CIDR24 Relay's IP/24 CIDR contains many PSBL hits
#tflags KHOP_PSBL_CIDR24 nopublish
#score KHOP_PSBL_CIDR24 2 0.6 2 0.6
## spam/ham s/o corpus
## 0.5363/0 1.000 20100401
## 0.7486/0 1.000 20100402
## 0.7317/0 1.000 20100403 net run. min hosts 73->65
## 0.9316/0 1.000 20100406
## 0.9473/0 1.000 20100409
## 0.9545/0 1.000 20100410 net
## 0.6985/0.0014 0.998 20110227@510k 2 .6 2 .6
## 0.4298/0 1.000 20130629@465k net
## 1.0958/0 1.000 20130705@376k
#
## test for ruleqa, 20100409, https://ruleqa.spamassassin.org/?rule=/KHOP_SPAMMY
#meta __KHOP_SPAMMY_CIDR24 KHOP_PSBL_CIDR24||KHOP_SC_CIDR24||KHOP_SC_TOP_CIDR24
## est. 1.2/0.0050@.996, floor: 1.0/0.0112@.989, ceiling: 1.4/0@1
## spam/ham s/o corpus
## 1.2645/0.0054 0.996 20100410 net
## 1.1562/0.0058 0.995 20100417 net
## 1.1332/0.5023 0.693 20110227@510k
## 0.5785/0 1.000 20130629@465k net
## 1.5583/0 1.000 20130705@376k
#
#meta __KHOP_SPAMMY_CIDR16 KHOP_SC_CIDR16||KHOP_SC_TOP_CIDR16
## est. 1.4/0.02@.986, floor: 1.3/0.0312@.977, ceiling: 2.0/0.0150@.993
## spam/ham s/o corpus
## 1.0611/0.0009 0.999 20100410 net
## 1.9539/0.0152 0.992 20100417 net
## 0.5034/0 1.000 20110227@510k
## 0.0140/0 1.000 20130629@465k net
## 0/0 - 20130705@376k
#
#meta __KHOP_SPAMMY_CIDR8 KHOP_SC_CIDR8||KHOP_SC_TOP_CIDR8
## est. 23.7/0.15@.994, floor: 23/0.2685@.988, ceiling: 26.5/0.0789@.997
## spam/ham s/o corpus
## 23.7686/0.0614 0.997 20100410 net
## 22.2300/0.0616 0.997 20100417 net
## 21.0352/0.1381 0.993 20110227@510k
## 5.1431/0.7565 0.872 20130629@465k net
## 6.1642/1.5881 0.795 20130705@376k
#
#meta __KHOP_SPAMMY_SUBNET __KHOP_SPAMMY_CIDR24||__KHOP_SPAMMY_CIDR16
## est. 26.2/0.175@.993, floor: 24.5/0.5@.980, ceiling: 30.1/0.1@.997
## spam/ham s/o corpus
## 25.6744/0.0677 0.997 20100410 net, beat estimated ceiling (for ham)!
## 23.7846/0.0826 0.997 20100417 net, beat ceiling ham, but beat floor spam
## 23.7505/0.1041 0.996 20100418 too much ham, nixing /8, new est. 3.0/.02@.993
## 1.6366/0.5023 0.765 20110227@510k
## 0.5925/0 1.000 20130629@465k net
## 1.5583/0 1.000 20130705@376k
#
#
#
## Bump these up to compensate for expected but absent overlap (94+% noted below)
#if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
# score KHOP_SC_CIDR8 (0) (0.2) (0) (0.2) # BRBL(98%)
# score KHOP_SC_TOP_CIDR8 (0) (0.9) (0) (0.9) # BRBL(98%)
# score KHOP_SC_CIDR16 (0) (1.5) (0) (1.5) # BRBL(99%), PBL(98%)
# score KHOP_SC_TOP_CIDR16 (0) (1.7) (0) (1.7) # BRBL(99%), PBL(94%)
# score KHOP_SC_CIDR24 (0) (0.9) (0) (0.9) # SC(99) BRBL(96) MSPIKE(96)
# score KHOP_SC_TOP_CIDR24 (0) (2.5) (0) (2.5) # MSPIKE(99) SC(98) BRBL(97) ...
# # PSBL(97) HOSTKARMA(97)
# score KHOP_SC_TOP200 (0) (4.4) (0) (4.4) # SC(99) PSBL(99) ...
# # HOSTKARMA(99) SEMBLACK(99) BRBL(98) MSPIKE(94)
# score KHOP_SPAMHAUS_DROP (0) (3) (0) (3) # SBL(78)
# score KHOP_PSBL_CIDR24 (0) (1.5) (0) (1.5) # BRBL(98) XBL(95)
#endif
#
#
|