rulesrc/sandbox/khopesh/20_khop_bl.cf - spamassassin - Git at Google

 ## From Adam Katz (khopesh) testing grounds and live channels
 ## http://khopesh.com/Anti-spam
 #
 #### select rules from khop-bl
 ## (warren's work has already covered most of what I'd add here)
 #
 ## I'm using the RCVD_VIA_ prefix to represent regional internet registries
 ## rather than blocklists' RCVD_IN_ prefix.  It is VERY important that people
 ## not consider these to be DNS blocklists ... especially given the fact that
 ## their mass-check stats at https://ruleqa.spamassassin.org/?rule=/RCVD_VIA are
 ## quite competitive with the DNSBLs, which is more a reflection of our lack of
 ## foreign ham in the corpora than any real facts.
 #
 ## Asia-Pacific Network Information Centre (APNIC)
 ## from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125
 ## updates easily gleamed from http://www.cymru.com/Documents/bogon-list.html
 #header  __RCVD_VIA_APNIC       X-Spam-Relays-External =~ /^\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/
 #
 ## Matches ANY external relay.  This was __RCVD_VIA_APNIC until 2010-04-24.
 #header  __RCVD_VIA_APNIC_E     X-Spam-Relays-External  =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/
 #tflags  __RCVD_VIA_APNIC_E     nopublish
 #
 ## African Network Informati Center (AfriNIC)
 ## from http://www.afrinic.net/Registration/resources.htm at 20100524
 ## Note that APNIC claims to have transferred 202.123.0.0/19 to AfriNIC
 ## although AfriNIC appears to have no recognition of this.
 ## Also note APNIC and RIPE have some kind of proxy allocation deal assigning
 ## 196.192.0.0/13 for AfriNIC (though it belongs to AfriNIC anyway...)
 ## APNIC's site says the range is "used to make /22 allocations to future
 ## members of AfriNIC" while RIPE says it allocates /24s from the same block to
 ## "Local Internet Registries (LIRs) and End Users in African countries north
 ## of the equator."
 #header  __RCVD_VIA_AFRINIC     X-Spam-Relays-External =~ /^\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/
 #header  __RCVD_VIA_AFRINIC_E   X-Spam-Relays-External  =~ /\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/
 #tflags  __RCVD_VIA_AFRINIC_E   nopublish
 #
 ## Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
 ## (Europe, Middle East, parts of Central Asia)
 ## from command:
 ##     whois -h whois.ripe.net ' -rTrs RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA '
 ## as noted at http://www.ripe.net/ripe/docs/ripe-493.html at 20100524
 #header  __RCVD_VIA_RIPE        X-Spam-Relays-External =~ /^\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/
 #header  __RCVD_VIA_RIPE_E      X-Spam-Relays-External  =~ /\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/
 #tflags  __RCVD_VIA_RIPE_E      nopublish
 #
 ## Latin American and Caribbean Internet Addresses Registry (LACNIC)
 ## from http://lacnic.net/en/registro/ at 20100115
 #header  __RCVD_VIA_LACNIC      X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/
 ##tflags         __RCVD_VIA_LACNIC      nopublish
 #header  __RCVD_VIA_LACNIC_E    X-Spam-Relays-External  =~ /\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/
 #tflags  __RCVD_VIA_LACNIC_E    nopublish
 #
 ## American Registry of Internet Numbers (ARIN)
 ## (Canada, many Carribbean and North Atlantic islands, the United States)
 ## from https://www.arin.net/knowledge/ip_blocks.html at 20100524
 ## ... that page is out of date.  Using IANA page instead:
 ## https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
 ##header         __RCVD_VIA_ARIN        X-Spam-Relays-External =~ /^\[ ip=(?:1(?:0[78]|7[34]|84|99)|2(?:0[4-9]|16|4)|6[3-9]|7[0-6]|9[6-9]|50)\.\d/
 #header  __RCVD_VIA_ARIN        X-Spam-Relays-External =~ /^\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/
 #header  __RCVD_VIA_ARIN_E      X-Spam-Relays-External  =~ /\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/
 #tflags  __RCVD_VIA_ARIN_E      nopublish
 #
 ## IP Space allocated before RIRs, mostly to corporations in the United States.
 ## from iana source at 20100524 via command
 ## (note, it doesn't collaps ranges, e.g. [1234567] -> [1-7] )
 ## perl -w -mRegexp::Assemble -e 'open (IANA, "<ipv4-address-space.txt"); my $re = Regexp::Assemble->new; while (<IANA>) { next if /RESERVED|IANA|whois\.(?:ripe|arin|apnic|afrinic|lacnic)\.net/; next unless m{^\s*\d{3}/\d+\s}; chomp; print "$_\n"; s:/8.*| |^0+::g; $re->add($_); } print "$re\n"'
 #header  __RCVD_VIA_NON_RIR     X-Spam-Relays-External =~ /^\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/
 #header  __RCVD_VIA_NON_RIR_E   X-Spam-Relays-External  =~ /\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/
 #tflags  __RCVD_VIA_NON_RIR_E   nopublish
 #
 ## Note that none of the above RCVD_VIA rules account for IPv6,
 ## nor do any of the RCVD_ILLEGAL_IP rules.
 #header  __RCVD_VIA_IPV6        X-Spam-Relays-External =~ /^\[ ip=[0-9a-f:]+ /i
 #header  __RCVD_VIA_IPV6_E      X-Spam-Relays-External  =~ /\[ ip=[0-9a-f:]+ /i
 #
 ## This should never hit anything.  If it does, there is a hole in a subrules.
 #meta    UNKNOWN_ORIGIN !(__RCVD_VIA_AFRINIC || __RCVD_VIA_APNIC || __RCVD_VIA_ARIN || __RCVD_VIA_LACNIC || __RCVD_VIA_RIPE || __RCVD_VIA_NON_RIR || RCVD_ILLEGAL_IP || __RCVD_VIA_IPV6)
 #
 #
 ## The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/
 ## Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net:
 ## http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html
 ## Since this is run by Heise and already decently advertised, I don't anticipate
 ## problems testing here.  Flagged 'nopublish' to keep it in testing for now.
 ## https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6529
 ## "reuse" flag because this DNSBL only keeps IP's for 12 hours, testing older mail is
 ## not useful.  It must rely on tagging during delivery.
 #header  RCVD_IN_NIX_SPAM       eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
 #describe RCVD_IN_NIX_SPAM      Received via a relay in NiX Spam (heise.de)
 #tflags  RCVD_IN_NIX_SPAM       net nopublish   # 20091123
 #reuse   RCVD_IN_NIX_SPAM
 #
 ## Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this?
 ## ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07
 ## ...                        @20091128, 18.87/2.16 became 5.30/0.09
 ##header         RCVD_IN_SPAMCOP        eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.')
 ##header         RCVD_IN_SPAMCOP        eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
 ##describe RCVD_IN_SPAMCOP      Received via a relay in bl.spamcop.net
 ##tflags         RCVD_IN_SPAMCOP        net nopublish   # 20091123
 #
 #meta    PUBLISHED_DNSBLS       RCVD_IN_XBL || RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SORBS_DUL || RCVD_IN_SORBS_WEB || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_RP_RNBL
 #tflags  PUBLISHED_DNSBLS       net nopublish   # 20110127
 #meta    PUBLISHED_DNSBLS_BRBL  PUBLISHED_DNSBLS || RCVD_IN_BRBL_LASTEXT
 #tflags  PUBLISHED_DNSBLS_BRBL  net nopublish   # 20110127
 #
 #ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
 #
 ## we have the non-lastext data; let's see how good it is if we clean it up a bit
 ## we'll exclude anything that might have too much info relaying (mailling lists
 ## and freemail).  my intuition is 35-50% spam, 2-4% ham, but we could get lucky.
 ## the original version ensured multiple external relays and a hit in either
 ## spamcop or barracuda.  now i've added zen, and sorbs.
 ##
 ## bug 6634 removed __RCVD_IN_BRBL
 ##header  __RCVD_IN_BRBL        eval:check_rbl('brbl','bb.barracudacentral.org')
 ##tflags         __RCVD_IN_BRBL         net nopublish
 ##
 ##meta   DNSBL_INDIRECT         !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL)
 #meta    DNSBL_INDIRECT         !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL)
 #describe DNSBL_INDIRECT                Received indirectly through a relay in a DNSBL
 #tflags  DNSBL_INDIRECT         net nopublish   # 20091203
 ##meta   DNSBL_INDIRECT_UNSAFE  (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL)
 #meta    DNSBL_INDIRECT_UNSAFE  (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL)
 #describe DNSBL_INDIRECT_UNSAFE Received ~indirectly through a relay in a DNSBL
 #tflags  DNSBL_INDIRECT_UNSAFE  net nopublish   # 20091207
 ##meta   DNSBL_INDIRECT_UNSAFE_2        !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS >1)
 #meta    DNSBL_INDIRECT_UNSAFE_2        !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_ZEN+__RCVD_IN_SORBS>1)
 #describe DNSBL_INDIRECT_UNSAFE_2       Received ~indirectly through a relay in 2+ DNSBLs
 #tflags  DNSBL_INDIRECT_UNSAFE_2        net nopublish   # 20091207
 #
 #endif # } Mail::SpamAssassin::Plugin::DNSEval
 #
	## From Adam Katz (khopesh) testing grounds and live channels
	## http://khopesh.com/Anti-spam
	#
	#### select rules from khop-bl
	## (warren's work has already covered most of what I'd add here)
	#
	## I'm using the RCVD_VIA_ prefix to represent regional internet registries
	## rather than blocklists' RCVD_IN_ prefix. It is VERY important that people
	## not consider these to be DNS blocklists ... especially given the fact that
	## their mass-check stats at https://ruleqa.spamassassin.org/?rule=/RCVD_VIA are
	## quite competitive with the DNSBLs, which is more a reflection of our lack of
	## foreign ham in the corpora than any real facts.
	#
	## Asia-Pacific Network Information Centre (APNIC)
	## from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125
	## updates easily gleamed from http://www.cymru.com/Documents/bogon-list.html
	#header __RCVD_VIA_APNIC X-Spam-Relays-External =~ /^\[ ip=(?-xism:1\|27\|5[89]\|6[01]\|1(?:[12][0-6]\|1[7-9]\|75\|8[0123])\|2(?:03\|1[0189]\|2[012]\|02(?!\.123\.(?:[012]?\d\|3[01])))\|169\.2(?:0[89]\|1\d\|2[01]\|223)\|169\.2(?:1[04]\|22))\.\d/
	#
	## Matches ANY external relay. This was __RCVD_VIA_APNIC until 2010-04-24.
	#header __RCVD_VIA_APNIC_E X-Spam-Relays-External =~ /\[ ip=(?-xism:1\|27\|5[89]\|6[01]\|1(?:[12][0-6]\|1[7-9]\|75\|8[0123])\|2(?:03\|1[0189]\|2[012]\|02(?!\.123\.(?:[012]?\d\|3[01])))\|169\.2(?:0[89]\|1\d\|2[01]\|223)\|169\.2(?:1[04]\|22))\.\d/
	#tflags __RCVD_VIA_APNIC_E nopublish
	#
	## African Network Informati Center (AfriNIC)
	## from http://www.afrinic.net/Registration/resources.htm at 20100524
	## Note that APNIC claims to have transferred 202.123.0.0/19 to AfriNIC
	## although AfriNIC appears to have no recognition of this.
	## Also note APNIC and RIPE have some kind of proxy allocation deal assigning
	## 196.192.0.0/13 for AfriNIC (though it belongs to AfriNIC anyway...)
	## APNIC's site says the range is "used to make /22 allocations to future
	## members of AfriNIC" while RIPE says it allocates /24s from the same block to
	## "Local Internet Registries (LIRs) and End Users in African countries north
	## of the equator."
	#header __RCVD_VIA_AFRINIC X-Spam-Relays-External =~ /^\[ ip=(?:(?:41\|19[67])\|202\.123\.(?:[12]?\d\|3[01]))\.\d/
	#header __RCVD_VIA_AFRINIC_E X-Spam-Relays-External =~ /\[ ip=(?:(?:41\|19[67])\|202\.123\.(?:[12]?\d\|3[01]))\.\d/
	#tflags __RCVD_VIA_AFRINIC_E nopublish
	#
	## Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
	## (Europe, Middle East, parts of Central Asia)
	## from command:
	## whois -h whois.ripe.net ' -rTrs RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA '
	## as noted at http://www.ripe.net/ripe/docs/ripe-493.html at 20100524
	#header __RCVD_VIA_RIPE X-Spam-Relays-External =~ /^\[ ip=(?:1(?:9[345]\|7[68]\|09\|88)\|2(?:1(?:[23]\|7))?\|7[789]\|9[0-5]\|8\d\|31\|46\|62)\.\d/
	#header __RCVD_VIA_RIPE_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:9[345]\|7[68]\|09\|88)\|2(?:1(?:[23]\|7))?\|7[789]\|9[0-5]\|8\d\|31\|46\|62)\.\d/
	#tflags __RCVD_VIA_RIPE_E nopublish
	#
	## Latin American and Caribbean Internet Addresses Registry (LACNIC)
	## from http://lacnic.net/en/registro/ at 20100115
	#header __RCVD_VIA_LACNIC X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90\|8[679]\|20(?:[01]\.\|6\.223\.1(?:24\|30))))\.\d/
	##tflags __RCVD_VIA_LACNIC nopublish
	#header __RCVD_VIA_LACNIC_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:90\|8[679]\|20(?:[01]\.\|6\.223\.1(?:24\|30))))\.\d/
	#tflags __RCVD_VIA_LACNIC_E nopublish
	#
	## American Registry of Internet Numbers (ARIN)
	## (Canada, many Carribbean and North Atlantic islands, the United States)
	## from https://www.arin.net/knowledge/ip_blocks.html at 20100524
	## ... that page is out of date. Using IANA page instead:
	## https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
	##header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?:1(?:0[78]\|7[34]\|84\|99)\|2(?:0[4-9]\|16\|4)\|6[3-9]\|7[0-6]\|9[6-9]\|50)\.\d/
	#header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?!169\.254\|172\.(?:1[6-9]\|2\d\|3[01])\.\|192\.(?:0\.[02]\|168)\.\|198\.51\.100)(?:1(?:3[0124-9]\|6[0124-9]\|4[02346-9]\|5[25-9]\|7[0234]\|9[289]\|0[78]\|2[89]\|84)\|2(?:0[4-9]\|16\|4)\|7[0-6]?\|6[3-9]\|9[6-9]\|50)\.\d/
	#header __RCVD_VIA_ARIN_E X-Spam-Relays-External =~ /\[ ip=(?!169\.254\|172\.(?:1[6-9]\|2\d\|3[01])\.\|192\.(?:0\.[02]\|168)\.\|198\.51\.100)(?:1(?:3[0124-9]\|6[0124-9]\|4[02346-9]\|5[25-9]\|7[0234]\|9[289]\|0[78]\|2[89]\|84)\|2(?:0[4-9]\|16\|4)\|7[0-6]?\|6[3-9]\|9[6-9]\|50)\.\d/
	#tflags __RCVD_VIA_ARIN_E nopublish
	#
	## IP Space allocated before RIRs, mostly to corporations in the United States.
	## from iana source at 20100524 via command
	## (note, it doesn't collaps ranges, e.g. [1234567] -> [1-7] )
	## perl -w -mRegexp::Assemble -e 'open (IANA, "<ipv4-address-space.txt"); my $re = Regexp::Assemble->new; while (<IANA>) { next if /RESERVED\|IANA\|whois\.(?:ripe\|arin\|apnic\|afrinic\|lacnic)\.net/; next unless m{^\s\d{3}/\d+\s}; chomp; print "$_\n"; s:/8.\| \|^0+::g; $re->add($_); } print "$re\n"'
	#header __RCVD_VIA_NON_RIR X-Spam-Relays-External =~ /^\[ ip=(?:0(?:1[1235-9]\|2[012689]\|3[02-58]\|4[034578]\|5[2-7]\|0[34689])\|21[45])\.\d/
	#header __RCVD_VIA_NON_RIR_E X-Spam-Relays-External =~ /\[ ip=(?:0(?:1[1235-9]\|2[012689]\|3[02-58]\|4[034578]\|5[2-7]\|0[34689])\|21[45])\.\d/
	#tflags __RCVD_VIA_NON_RIR_E nopublish
	#
	## Note that none of the above RCVD_VIA rules account for IPv6,
	## nor do any of the RCVD_ILLEGAL_IP rules.
	#header __RCVD_VIA_IPV6 X-Spam-Relays-External =~ /^\[ ip=[0-9a-f:]+ /i
	#header __RCVD_VIA_IPV6_E X-Spam-Relays-External =~ /\[ ip=[0-9a-f:]+ /i
	#
	## This should never hit anything. If it does, there is a hole in a subrules.
	#meta UNKNOWN_ORIGIN !(__RCVD_VIA_AFRINIC \|\| __RCVD_VIA_APNIC \|\| __RCVD_VIA_ARIN \|\| __RCVD_VIA_LACNIC \|\| __RCVD_VIA_RIPE \|\| __RCVD_VIA_NON_RIR \|\| RCVD_ILLEGAL_IP \|\| __RCVD_VIA_IPV6)
	#
	#
	## The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/
	## Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net:
	## http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html
	## Since this is run by Heise and already decently advertised, I don't anticipate
	## problems testing here. Flagged 'nopublish' to keep it in testing for now.
	## https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6529
	## "reuse" flag because this DNSBL only keeps IP's for 12 hours, testing older mail is
	## not useful. It must rely on tagging during delivery.
	#header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
	#describe RCVD_IN_NIX_SPAM Received via a relay in NiX Spam (heise.de)
	#tflags RCVD_IN_NIX_SPAM net nopublish # 20091123
	#reuse RCVD_IN_NIX_SPAM
	#
	## Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this?
	## ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07
	## ... @20091128, 18.87/2.16 became 5.30/0.09
	##header RCVD_IN_SPAMCOP eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.')
	##header RCVD_IN_SPAMCOP eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
	##describe RCVD_IN_SPAMCOP Received via a relay in bl.spamcop.net
	##tflags RCVD_IN_SPAMCOP net nopublish # 20091123
	#
	#meta PUBLISHED_DNSBLS RCVD_IN_XBL \|\| RCVD_IN_PBL \|\| RCVD_IN_PSBL \|\| RCVD_IN_SORBS_DUL \|\| RCVD_IN_SORBS_WEB \|\| RCVD_IN_BL_SPAMCOP_NET \|\| RCVD_IN_RP_RNBL
	#tflags PUBLISHED_DNSBLS net nopublish # 20110127
	#meta PUBLISHED_DNSBLS_BRBL PUBLISHED_DNSBLS \|\| RCVD_IN_BRBL_LASTEXT
	#tflags PUBLISHED_DNSBLS_BRBL net nopublish # 20110127
	#
	#ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
	#
	## we have the non-lastext data; let's see how good it is if we clean it up a bit
	## we'll exclude anything that might have too much info relaying (mailling lists
	## and freemail). my intuition is 35-50% spam, 2-4% ham, but we could get lucky.
	## the original version ensured multiple external relays and a hit in either
	## spamcop or barracuda. now i've added zen, and sorbs.
	##
	## bug 6634 removed __RCVD_IN_BRBL
	##header __RCVD_IN_BRBL eval:check_rbl('brbl','bb.barracudacentral.org')
	##tflags __RCVD_IN_BRBL net nopublish
	##
	##meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET\|\|__RCVD_IN_BRBL\|\|__RCVD_IN_ZEN\|\|__RCVD_IN_SORBS) && !(__VIA_ML\|\|__DOS_HAS_LIST_UNSUB\|\|__SENDER_BOT\|\|__freemail_safe\|\|ALL_TRUSTED\|\|RCVD_IN_SPAMCOP\|\|RCVD_IN_BRBL_LASTEXT\|\|RCVD_IN_XBL\|\|RCVD_IN_PBL\|\|RCVD_IN_SORBS_DUL)
	#meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET\|\|__RCVD_IN_ZEN\|\|__RCVD_IN_SORBS) && !(__VIA_ML\|\|__DOS_HAS_LIST_UNSUB\|\|__SENDER_BOT\|\|__freemail_safe\|\|ALL_TRUSTED\|\|RCVD_IN_SPAMCOP\|\|RCVD_IN_XBL\|\|RCVD_IN_PBL\|\|RCVD_IN_SORBS_DUL)
	#describe DNSBL_INDIRECT Received indirectly through a relay in a DNSBL
	#tflags DNSBL_INDIRECT net nopublish # 20091203
	##meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET\|\|__RCVD_IN_BRBL\|\|__RCVD_IN_ZEN\|\|__RCVD_IN_SORBS) && !(ALL_TRUSTED\|\|RCVD_IN_SPAMCOP\|\|RCVD_IN_BRBL_LASTEXT\|\|RCVD_IN_SORBS_DUL)
	#meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET\|\|__RCVD_IN_ZEN\|\|__RCVD_IN_SORBS) && !(ALL_TRUSTED\|\|RCVD_IN_SPAMCOP\|\|RCVD_IN_SORBS_DUL)
	#describe DNSBL_INDIRECT_UNSAFE Received ~indirectly through a relay in a DNSBL
	#tflags DNSBL_INDIRECT_UNSAFE net nopublish # 20091207
	##meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED\|\|RCVD_IN_SPAMCOP\|\|RCVD_IN_BRBL_LASTEXT\|\|RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS >1)
	#meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED\|\|RCVD_IN_SPAMCOP\|\|RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_ZEN+__RCVD_IN_SORBS>1)
	#describe DNSBL_INDIRECT_UNSAFE_2 Received ~indirectly through a relay in 2+ DNSBLs
	#tflags DNSBL_INDIRECT_UNSAFE_2 net nopublish # 20091207
	#
	#endif # } Mail::SpamAssassin::Plugin::DNSEval
	#