File: 20_khop_sc_bug_6114.cf

spamassassin 3.4.6-1
### khop-sc-neighbors.cf        v 201405817
### Khopesh's syndication of SpamCop's top offenders and top offending networks.
###
### Spamassassin rules written by Adam Katz <antispamATkhopiscom>
### http://khopesh.com/Anti-spam
### khopesh on irc://irc.freenode.net/#spamassassin
###
### sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com
###
### These rules are Copyright 2001-2009 by Adam Katz <antispamATkhopiscom>
### Licensed under the Apache License 2.0.
### The code that generated this output is GNU Affero General Public License v3.
### Source data (copyright Cisco) was taken from links below.
###
### Frequent updates are needed for these rules, so they are marked 'nopublish'.
### This keeps the testing system, which affirms their usefulness, from
### automatically promoting them to SpamAssassin proper.  You can check
### their efficiency at https://ruleqa.spamassassin.org/?rule=%2FKHOP_SC
#
#meta   __KHOP_SC_EXCLUSIONS    __VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || RCVD_IN_HOSTKARMA_WL
#
## http://spamcop.net/w3m?action=map;mask=4294967295;net=0;sort=56
## Due to the massive block size, this rule only examines the last untrusted relay
#header __KHOP_SC_CIDR8  X-Spam-Relays-Untrusted =~ /^[^\]]* (?:by|ip)=(?-xism:\b(?:117|46|95|2)(?:\.[012]?\d{1,2}){3}\b) /
## and gets cleaned up a bit
#meta    KHOP_SC_CIDR8  __KHOP_SC_CIDR8 && !__KHOP_SC_EXCLUSIONS
#describe KHOP_SC_CIDR8  Relay CIDR /8 is among worst in SpamCop
#tflags  KHOP_SC_CIDR8  nopublish
#score   KHOP_SC_CIDR8  0.1 0.02 0.2 0.1
##    spam/ham     s/o   corpus
## 12.3692/1.0099 0.925 20100211  .2 .1 .3 .2 -> .1 .01 .1 .01
##  8.9412/1.1532 0.886 20100325
##  9.4362/0.4074 0.959 20100329
## 11.8281/0.4788 0.961 20100401  without meta
## 11.8578/0.4495 0.961 20100402  half meta (oops).  decreased worst 4/8->4/7
##  7.8856/0.1388 0.983 20100403  meta, net, solo=7.9236/0.4189
## changed from rank by spam count to rank by hosts reported, back to 4/8
## 12.1963/0.0356 0.997 20100406  (wow) solo=12.2454/0.0408@0.997
## 12.0753/0.0359 0.997 20100409  solo=12.1265/0.0412@0.997
## 12.1449/0.0139 0.999 20100410  net, solo=12.1966/0.0197@0.998, ->.2 .1 .3 .2
## 10.3554/0.0112 0.999 20110227@510k  solo=10.3717/0.0119@0.999, ->.3 .1 .3 .1
##  1.5335/0.5063 0.752 20130629@465k net, solo=1.5947/0.5379@0.748
##  2.0256/0.7432 0.732 20130705@376k  solo=2.0429/0.7595@0.729, ->.1 .02 .2 .1
#
#header __KHOP_SC_TOP_CIDR8  X-Spam-Relays-Untrusted =~ /^[^\]]* (?:by|ip)=(?-xism:\b(?:1(?:13|78|90)|37)(?:\.[012]?\d{1,2}){3}\b) /
#meta    KHOP_SC_TOP_CIDR8  __KHOP_SC_TOP_CIDR8 && !__KHOP_SC_EXCLUSIONS
#describe KHOP_SC_TOP_CIDR8  Relay CIDR /8 leads SpamCop in worst /8s
#tflags  KHOP_SC_TOP_CIDR8  nopublish
#score   KHOP_SC_TOP_CIDR8  0.1 0 0.1 0
##    spam/ham     s/o   corpus
## 15.6795/0.1173 0.993 20100211  .5 .4 .8 .6 -> .6 .5 .8 .5
## 11.0578/0.3614 0.968 20100325
## 13.7809/0.4860 0.966 20100329  .9 .1 .9 .1  masscheck promoted
## 14.1773/0.4799 0.967 20100401
## 14.1807/0.4960 0.966 20100402  without meta
## 14.0841/0.0926 0.993 20100402  added meta (wow!)
## 14.2553/0.0424 0.997 20100403  net, solo=14.3609/0.4888@0.967
## 11.6252/0.1263 0.989 20100406  solo=11.7104/0.5366@0.956
## 11.5987/0.1295 0.989 20100409  solo=11.6856/0.5731@0.953
## 11.6286/0.0475 0.996 20100410  net, solo=11.7224/0.6900@0.944, ->LE as above
## 10.6798/0.1269 0.993 20110227@510k  solo=10.6996/0.5918@0.948 -> .2 0 .2 0
##  3.6096/0.2502 0.935 20130629@465k net, solo=3.7125/1.5080@0.711
##  4.1386/0.8450 0.830 20130705@376k  solo=4.1707/1.5958@0.723 ->.1 0 .1 0
#
## http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
#header  KHOP_SC_CIDR16  Received =~ /___ FAILED TO POPULATE ___/
#describe KHOP_SC_CIDR16  Relay CIDR /16 is among worst in SpamCop
#tflags  KHOP_SC_CIDR16  nopublish
#score   KHOP_SC_CIDR16  0.4 0.1 0.4 0.1
##    spam/ham    s/o   corpus
## 0.7444/0.0129 0.983 20100211
## 0.5943/0.0139 0.977 20100325   .6 .5 .9 .75
## 0.8767/0.0167 0.981 20100329  1.6 .5 1.6 .5  masscheck promoted
## 0.6952/0.0011 0.998 20100401  increased worst offenders 6/12->9/15 @ 20100401
## 0.6814/0.0149 0.979 20100402
## 0.4399/0.0008 0.998 20100403  net run
## 0.2102/0.0011 0.995 20100406
## 0     /0      0     20100409  (wha!?)
## crap, still empty   20100410  bad scrape, script failed to populate rule
## crap, still empty   20110227  this is due to safety net exclns -> 1 .2 1 .2
## crap, still empty   20130629@465k net
## crap, still empty   20130705@376k net. lowering for low vol -> .4 .1 .4 .1
#
#header  KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b211\.186(?:\.[012]?\d{1,2}){2}\b)/
#describe KHOP_SC_TOP_CIDR16  Relay CIDR /16 leads SpamCop in worst /16s
#tflags  KHOP_SC_TOP_CIDR16  nopublish
#score   KHOP_SC_TOP_CIDR16  0.6 0.2 0.7 0.3
##    spam/ham     s/o   corpus
## 0.8862/0.0008 0.999 20100211
## 0.5738/0.0008 0.999 20100325  .9 .8 1.3 1.2
## 0.6658/0      1.000 20100329  2 .5 2 .5     masscheck promoted
## 0.8374/0      1.000 20100401
## 1.1534/0      1.000 20100402
## 1.2077/0.0145 0.988 20100403  net run
## 1.2155/0.0142 0.988 20100406
## 1.2779/0.0142 0.989 20100409
## 1.0611/0.0009 0.999 20100410  net
## 0.5034/0      1.000 20110227@510k  2 .3 2 .4
## 0.0140/0      1.000 20130629@465k net
##      0/0      -     20130705@376k  lowering for low vol -> .6 .2 .7 .3
#
#
## http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
#header  KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:1(?:2(?:3\.114\.110|0\.43\.94)|84\.(?:82\.171|22\.44)|07\.158\.214|73\.208\.241|17\.19\.216|94\.105\.9|\.93\.58)|69\.175\.114|2\.230\.25)\.[012]?\d{1,2}\b)/
#describe KHOP_SC_CIDR24  Relay CIDR /24 is among worst in SpamCop
#tflags  KHOP_SC_CIDR24  nopublish
#score   KHOP_SC_CIDR24  0.6 0 0.6 0
##   spam/ham     s/o   corpus
## 0.1350/0      1.000 20100211
## 0.0798/0      1.000 20100325  .9 .8 1.3 1.2
## 0.0159/0      1.000 20100329  2.5 .6 2.5 .6 masscheck promoted
## 0.1577/0      1.000 20100401
## added top host-count /24s, increased worst offenders 6/12->8/15 @ 20100401
## 0.1223/0      1.000 20100402 (oops, too small a pool)
## host-count 84/64->84/50, offenders 8/15->10/20 @ 20100402
## 0.2547/0      1.000 20100403  net
## 0.2126/0      1.000 20100406
## 0.2960/0      1.000 20100409
## 0.2905/0      1.000 20100410  net
## 0.4157/0.5009 0.454 20110227  something is wrong here! -> .1 0 .1 0
## 0.0004/0      1.000 20130629@465k net
## 0.4428/0      1.000 20130705@376k  resume scores -> .6 0 .6 0
#
#
#header  KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:1(?:7(?:3\.45\.(?:111|94)|8\.216\.50)|17\.19\.217|84\.22\.53)|6(?:3\.141\.245|8\.233\.239|4\.79\.92)|91\.215\.13[6789]|23\.92\.60|74\.91\.25)\.[012]?\d{1,2}\b)/
#describe KHOP_SC_TOP_CIDR24  Relay CIDR /24 leads SpamCop in worst /24s
#tflags  KHOP_SC_TOP_CIDR24  nopublish
#score   KHOP_SC_TOP_CIDR24  1.7 0.5 1.7 0.5
##    spam/ham     s/o   corpus
## 0.2528/0.0092 0.965 20100211
## 0.2231/0.0112 0.952 20100325  1.7 1.5 1.9 1.8
## 0.0249/0      1.000 20100329  2.7 .6 2.7 .6 masscheck promoted
## 0.1594/0      1.000 20100401
## 0.6448/0     1.000 20100402  (wow!)
## 0.6896/0      1.000 20100403  net
## 0.6255/0.0045 0.993 20100406
## 0.7261/0.0045 0.994 20100409
## 0.7447/0.0054 0.993 20100410  net
## 0.5722/0      1.000 20110227@510k  2.7 .5 2.7 .5
## 0.1483/0      1.000 20130629@465k net
## 0.0197/0      1.000 20130705@376k -> 1.7 .5 1.7 .5
#
#
## http://www.spamcop.net/w3m?action=hoshame
#header  KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:1(?:2(?:4\.(?:1(?:56\.251\.1(?:22|54)|13\.149\.160|27\.197\.62|73\.122\.75)|7(?:3\.14(?:0\.119|\.88)|7\.184\.130))|5\.(?:4(?:3\.78\.105|6\.61\.12)|79\.9(?:3\.231|5\.9)|65\.77\.24[01]|91\.130\.95)|3\.1(?:14\.110\.127|25\.19\.44)|0\.43\.9(?:2\.196|4\.107)|1\.12\.125\.47)|8(?:4\.(?:22\.(?:53\.(?:190?|201)|197\.216|44\.143|83\.154)|82\.1(?:7(?:1\.234|9\.117)|23\.85))|3\.(?:1(?:60\.1(?:82\.229|26\.17)|0\.122\.169)|61\.243\.9)|7\.(?:102\.153\.146|23\.42\.59)|9\.205\.184\.161|2\.37\.217\.243)|9(?:9\.(?:19(?:2\.15(?:3\.158|4\.114|2\.42)|3\.66\.195)|36\.76\.(?:190|241))|8\.(?:23\.158\.162|46\.135\.217|52\.165\.155)|2\.1(?:87\.114\.14[02]|61\.177\.73)|4\.105\.9\.85)|1(?:(?:5\.(?:28\.82\.14|71\.28\.5)|6\.112\.66\.10|0\.88\.241\.4)2|8\.(?:123\.4\.7[56]|244\.229\.168|69\.198\.212)|7\.19\.21(?:6\.150|7\.235)|9\.254\.66\.7)|7(?:3\.(?:45\.(?:94\.(?:2(?:1[12456789]|20)|4[135]|38)|111\.(?:8[3456789]|9[012]))|2(?:08\.241\.9[1234]|12\.205\.158))|8\.216\.50\.39)|\.93\.(?:5(?:8\.(?:1(?:63|70)|2(?:29|53))|7\.1[89]6)|4(?:1\.160|6\.156|5\.67|7\.65))|0(?:(?:6\.186\.22\.15|3\.21\.198\.8)9|1\.14\.252\.236)|4\.(?:18\.207\.225|23\.106\.202))|2(?:1(?:9\.138\.23(?:6\.2(?:2[04]|39)|9\.(?:[013]|212)|7\.2(?:03|22)|8\.5)|2\.(?:1(?:46\.101\.154|54\.154\.220)|99\.249\.5)|1\.1(?:62\.79\.6[589]|86\.255\.122|03\.210\.38)|0\.(?:189\.77\.129|51\.4\.11)|7\.33\.146\.210|8\.90\.174\.167)|2(?:(?:2\.78\.127\.12|0\.68\.224\.4)5|3\.240\.1(?:28\.221|33\.134)|1\.143\.50\.236)|3\.(?:92\.60\.(?:1(?:[46]|72)|6[26]|81)|239\.106\.103)|0(?:2\.234\.40\.41|3\.100\.0\.34)|\.23(?:5\.162\.168|0\.25\.144))|6(?:0\.(?:1(?:68\.113\.147|73\.14\.80)|2(?:13\.63\.138|35\.43\.226))|1\.(?:1(?:57\.96\.1(?:0[59]|11)|64\.43\.140)|93\.246\.49)|3\.(?:141\.245\.(?:2[024]|18)|221\.140\.143)|8\.233\.239\.(?:1(?:[123]|0[012]?)|9[789]?)|(?:6\.197\.231\.14|2\.48\.186\.15)8|4\.79\.92\.(?:5[123456789]|60))|5(?:9\.(?:37\.162\.187|58\.242\.216|63\.182\.125)|8\.2(?:15\.52\.159|2\.103\.208|46\.179\.82))|7(?:4\.91\.25\.(?:5[012489]|62)|8\.129\.194\.(?:118|83)|2\.11\.148\.188)|9(?:3\.63\.141\.186|4\.41\.90\.109)|46\.249\.54\.104|80\.227\.12\.90)\b)/
#describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
#tflags  KHOP_SC_TOP200  nopublish
#score   KHOP_SC_TOP200  4 0 4 0        # unnecessary if DNSBLs work
## spam/ham       s/o   corpus
## 1.2552/0      1.000 20100211
## 0.8558/0      1.000 20100325  3.4 3.2 3.7 3.5
## 0.1265/0      1.000 20100329  4 0 4 0            masscheck promoted
## 0.7066/0      1.000 20100401
## 0.6558/0      1.000 20100403  net
## 0.6211/0      1.000 20100406
## 0.5307/0      1.000 20100409
## 0.5617/0      1.000 20100410  net
## 0.3655/0      1.000 20110227@510k
## 2.6827/0.0069 0.997 20130629@465k net
## 2.9091/0.0056 0.998 20130705@376k
#
#
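## Spamhaus DROP, https://www.spamhaus.org/drop/
## NOTE: both KHOP_SPAMHAUS_DROP patterns below still hold the generator's
## "___ FAILED TO POPULATE ___" placeholder, so this copy carries no DROP data;
## regenerate the patterns before relying on either rule.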
#header  KHOP_SPAMHAUS_DROP     X-Spam-Relays-Untrusted =~ /___ FAILED TO POPULATE ___/
#describe KHOP_SPAMHAUS_DROP    Relay listed in Spamhaus Don't Route Or Peer List
#tflags  KHOP_SPAMHAUS_DROP     nopublish
#score   KHOP_SPAMHAUS_DROP     1 0.2 1 0.2
##   spam/ham     s/o   corpus
## 0.0349/0.0029 0.924  20110227@510k
#
#header  KHOP_SPAMHAUS_DROP_LE  X-Spam-Relays-External =~ /^[^]]*___ FAILED TO POPULATE ___/
#describe KHOP_SPAMHAUS_DROP_LE Relay listed in Spamhaus Don't Route Or Peer List
#tflags  KHOP_SPAMHAUS_DROP_LE  nopublish
#score   KHOP_SPAMHAUS_DROP_LE  2 0 2 0         # adds to KHOP_SPAMHAUS_DROP
##   spam/ham     s/o   corpus
## 0.0241/0      1.000  20110227@510k
#
#
## PSBL-neighbors:  any /24 with 73+ (2/7, 29%) IPs in the PSBL (not SpamCop),
## as obtained from rsync://psbl-mirror.surriel.com::psbl/psbl.txt
#header  KHOP_PSBL_CIDR24       X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?-xism:\b(?:1(?:1(?:1\.176\.(?:[67]|(?:12|8)[4567]|4[89]?|5[01]?)|6\.207\.(?:6[0123]|4[89]|5\d))|8(?:6\.(?:1(?:3\.[0124567]|22\.4[4567])|37\.202)|1\.66\.15[67]|8\.73\.252)|0(?:3\.(?:2(?:5(?:1\.157|3\.21)|42\.7)|19\.16[013])|9\.127\.80)|9(?:0\.234\.106|4\.219\.240|8\.23\.198|9\.19\.92)|2(?:3\.136\.106|2\.155\.34)|30\.193\.1(?:47|65)|77\.36\.17)|2(?:7\.20\.(?:[89]|1(?:0[0123]?|[28][89]|[39][01]|7[6789]|1)|24[01234567]|4[0123]|5[6789])|1(?:2\.(?:73\.15[89]|5\.158)|1\.91\.22[01])|0(?:0\.(?:63\.160|81\.44)|3\.191\.25))|5(?:8\.50\.1(?:[2345]|1[012356789]|0[456789])|\.172\.24[67])|9(?:1\.215\.13[6789]|4\.230\.93|5\.159\.68)|41\.254\.[2568])\.[012]?\d{1,2}\b)/
#describe KHOP_PSBL_CIDR24      Relay's IP/24 CIDR contains many PSBL hits
#tflags  KHOP_PSBL_CIDR24       nopublish
#score   KHOP_PSBL_CIDR24       2 0.6 2 0.6
##   spam/ham     s/o   corpus
## 0.5363/0      1.000 20100401
## 0.7486/0      1.000 20100402
## 0.7317/0      1.000 20100403  net run.  min hosts 73->65
## 0.9316/0      1.000 20100406
## 0.9473/0      1.000 20100409
## 0.9545/0      1.000 20100410  net
## 0.6985/0.0014 0.998 20110227@510k  2 .6 2 .6
## 0.4298/0      1.000 20130629@465k net
## 1.0958/0      1.000 20130705@376k
#
## test for ruleqa, 20100409, https://ruleqa.spamassassin.org/?rule=/KHOP_SPAMMY
#meta __KHOP_SPAMMY_CIDR24  KHOP_PSBL_CIDR24||KHOP_SC_CIDR24||KHOP_SC_TOP_CIDR24
## est. 1.2/0.0050@.996, floor: 1.0/0.0112@.989, ceiling: 1.4/0@1
##   spam/ham     s/o   corpus
## 1.2645/0.0054 0.996 20100410  net
## 1.1562/0.0058 0.995 20100417  net
## 1.1332/0.5023 0.693 20110227@510k
## 0.5785/0      1.000 20130629@465k net
## 1.5583/0      1.000 20130705@376k
#
#meta __KHOP_SPAMMY_CIDR16  KHOP_SC_CIDR16||KHOP_SC_TOP_CIDR16
## est. 1.4/0.02@.986,   floor: 1.3/0.0312@.977, ceiling: 2.0/0.0150@.993
##   spam/ham     s/o   corpus
## 1.0611/0.0009 0.999 20100410  net
## 1.9539/0.0152 0.992 20100417  net
## 0.5034/0      1.000 20110227@510k
## 0.0140/0      1.000 20130629@465k net
##      0/0      -     20130705@376k
#
#meta __KHOP_SPAMMY_CIDR8   KHOP_SC_CIDR8||KHOP_SC_TOP_CIDR8
## est. 23.7/0.15@.994,  floor:  23/0.2685@.988, ceiling: 26.5/0.0789@.997
##    spam/ham     s/o   corpus
## 23.7686/0.0614 0.997 20100410  net
## 22.2300/0.0616 0.997 20100417  net
## 21.0352/0.1381 0.993 20110227@510k
##  5.1431/0.7565 0.872 20130629@465k net
##  6.1642/1.5881 0.795 20130705@376k
#
#meta __KHOP_SPAMMY_SUBNET __KHOP_SPAMMY_CIDR24||__KHOP_SPAMMY_CIDR16
## est. 26.2/0.175@.993, floor: 24.5/0.5@.980,   ceiling: 30.1/0.1@.997
##    spam/ham     s/o   corpus
## 25.6744/0.0677 0.997 20100410  net, beat estimated ceiling (for ham)!
## 23.7846/0.0826 0.997 20100417  net, beat ceiling ham, but beat floor spam
## 23.7505/0.1041 0.996 20100418  too much ham, nixing /8, new est. 3.0/.02@.993
##  1.6366/0.5023 0.765 20110227@510k
##  0.5925/0      1.000 20130629@465k net
##  1.5583/0      1.000 20130705@376k
#
#
#
## Without the DNSEval plugin the DNSBL rules cannot fire, so bump these up to
## compensate for the expected but absent overlap (94+% noted below)
#if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
#  score  KHOP_SC_CIDR8      (0) (0.2) (0) (0.2) # BRBL(98%)
#  score  KHOP_SC_TOP_CIDR8  (0) (0.9) (0) (0.9) # BRBL(98%)
#  score  KHOP_SC_CIDR16     (0) (1.5) (0) (1.5) # BRBL(99%), PBL(98%)
#  score  KHOP_SC_TOP_CIDR16 (0) (1.7) (0) (1.7) # BRBL(99%), PBL(94%)
#  score  KHOP_SC_CIDR24     (0) (0.9) (0) (0.9) # SC(99) BRBL(96) MSPIKE(96)
#  score  KHOP_SC_TOP_CIDR24 (0) (2.5) (0) (2.5) # MSPIKE(99) SC(98) BRBL(97) ...
#                                               # PSBL(97) HOSTKARMA(97)
#  score  KHOP_SC_TOP200     (0) (4.4) (0) (4.4) # SC(99) PSBL(99) ...
#                               # HOSTKARMA(99) SEMBLACK(99) BRBL(98) MSPIKE(94)
#  score  KHOP_SPAMHAUS_DROP (0) (3)   (0) (3)  # SBL(78)
#  score  KHOP_PSBL_CIDR24   (0) (1.5) (0) (1.5) # BRBL(98) XBL(95)
#endif
#
#