| ## From Adam Katz (khopesh) testing grounds and live channels |
| ## http://khopesh.com/Anti-spam |
| # |
| #### select rules from khop-bl |
| ## (warren's work has already covered most of what I'd add here) |
| # |
| ## I'm using the RCVD_VIA_ prefix to represent regional internet registries |
| ## rather than blocklists' RCVD_IN_ prefix. It is VERY important that people |
| ## not consider these to be DNS blocklists ... especially given the fact that |
| ## their mass-check stats at https://ruleqa.spamassassin.org/?rule=/RCVD_VIA are |
| ## quite competitive with the DNSBLs, which is more a reflection of our lack of |
| ## foreign ham in the corpora than any real facts. |
| # |
| ## Asia-Pacific Network Information Centre (APNIC) |
| ## from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125 |
| ## updates easily gleamed from http://www.cymru.com/Documents/bogon-list.html |
| #header __RCVD_VIA_APNIC X-Spam-Relays-External =~ /^\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/ |
| # |
| ## Matches ANY external relay. This was __RCVD_VIA_APNIC until 2010-04-24. |
| #header __RCVD_VIA_APNIC_E X-Spam-Relays-External =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/ |
| #tflags __RCVD_VIA_APNIC_E nopublish |
| # |
| ## African Network Informati Center (AfriNIC) |
| ## from http://www.afrinic.net/Registration/resources.htm at 20100524 |
| ## Note that APNIC claims to have transferred 202.123.0.0/19 to AfriNIC |
| ## although AfriNIC appears to have no recognition of this. |
| ## Also note APNIC and RIPE have some kind of proxy allocation deal assigning |
| ## 196.192.0.0/13 for AfriNIC (though it belongs to AfriNIC anyway...) |
| ## APNIC's site says the range is "used to make /22 allocations to future |
| ## members of AfriNIC" while RIPE says it allocates /24s from the same block to |
| ## "Local Internet Registries (LIRs) and End Users in African countries north |
| ## of the equator." |
| #header __RCVD_VIA_AFRINIC X-Spam-Relays-External =~ /^\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/ |
| #header __RCVD_VIA_AFRINIC_E X-Spam-Relays-External =~ /\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/ |
| #tflags __RCVD_VIA_AFRINIC_E nopublish |
| # |
| ## Reseaux IP Europeens Network Coordination Centre (RIPE NCC) |
| ## (Europe, Middle East, parts of Central Asia) |
| ## from command: |
| ## whois -h whois.ripe.net ' -rTrs RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA ' |
| ## as noted at http://www.ripe.net/ripe/docs/ripe-493.html at 20100524 |
| #header __RCVD_VIA_RIPE X-Spam-Relays-External =~ /^\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/ |
| #header __RCVD_VIA_RIPE_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/ |
| #tflags __RCVD_VIA_RIPE_E nopublish |
| # |
| ## Latin American and Caribbean Internet Addresses Registry (LACNIC) |
| ## from http://lacnic.net/en/registro/ at 20100115 |
| #header __RCVD_VIA_LACNIC X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/ |
| ##tflags __RCVD_VIA_LACNIC nopublish |
| #header __RCVD_VIA_LACNIC_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/ |
| #tflags __RCVD_VIA_LACNIC_E nopublish |
| # |
| ## American Registry of Internet Numbers (ARIN) |
| ## (Canada, many Carribbean and North Atlantic islands, the United States) |
| ## from https://www.arin.net/knowledge/ip_blocks.html at 20100524 |
| ## ... that page is out of date. Using IANA page instead: |
| ## https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt |
| ##header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?:1(?:0[78]|7[34]|84|99)|2(?:0[4-9]|16|4)|6[3-9]|7[0-6]|9[6-9]|50)\.\d/ |
| #header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/ |
| #header __RCVD_VIA_ARIN_E X-Spam-Relays-External =~ /\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/ |
| #tflags __RCVD_VIA_ARIN_E nopublish |
| # |
| ## IP Space allocated before RIRs, mostly to corporations in the United States. |
| ## from iana source at 20100524 via command |
| ## (note, it doesn't collaps ranges, e.g. [1234567] -> [1-7] ) |
| ## perl -w -mRegexp::Assemble -e 'open (IANA, "<ipv4-address-space.txt"); my $re = Regexp::Assemble->new; while (<IANA>) { next if /RESERVED|IANA|whois\.(?:ripe|arin|apnic|afrinic|lacnic)\.net/; next unless m{^\s*\d{3}/\d+\s}; chomp; print "$_\n"; s:/8.*| |^0+::g; $re->add($_); } print "$re\n"' |
| #header __RCVD_VIA_NON_RIR X-Spam-Relays-External =~ /^\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/ |
| #header __RCVD_VIA_NON_RIR_E X-Spam-Relays-External =~ /\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/ |
| #tflags __RCVD_VIA_NON_RIR_E nopublish |
| # |
| ## Note that none of the above RCVD_VIA rules account for IPv6, |
| ## nor do any of the RCVD_ILLEGAL_IP rules. |
| #header __RCVD_VIA_IPV6 X-Spam-Relays-External =~ /^\[ ip=[0-9a-f:]+ /i |
| #header __RCVD_VIA_IPV6_E X-Spam-Relays-External =~ /\[ ip=[0-9a-f:]+ /i |
| # |
| ## This should never hit anything. If it does, there is a hole in a subrules. |
| #meta UNKNOWN_ORIGIN !(__RCVD_VIA_AFRINIC || __RCVD_VIA_APNIC || __RCVD_VIA_ARIN || __RCVD_VIA_LACNIC || __RCVD_VIA_RIPE || __RCVD_VIA_NON_RIR || RCVD_ILLEGAL_IP || __RCVD_VIA_IPV6) |
| # |
| # |
| ## The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/ |
| ## Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net: |
| ## http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html |
| ## Since this is run by Heise and already decently advertised, I don't anticipate |
| ## problems testing here. Flagged 'nopublish' to keep it in testing for now. |
| ## https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6529 |
| ## "reuse" flag because this DNSBL only keeps IP's for 12 hours, testing older mail is |
| ## not useful. It must rely on tagging during delivery. |
| #header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.') |
| #describe RCVD_IN_NIX_SPAM Received via a relay in NiX Spam (heise.de) |
| #tflags RCVD_IN_NIX_SPAM net nopublish # 20091123 |
| #reuse RCVD_IN_NIX_SPAM |
| # |
| ## Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this? |
| ## ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07 |
| ## ... @20091128, 18.87/2.16 became 5.30/0.09 |
| ##header RCVD_IN_SPAMCOP eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.') |
| ##header RCVD_IN_SPAMCOP eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)') |
| ##describe RCVD_IN_SPAMCOP Received via a relay in bl.spamcop.net |
| ##tflags RCVD_IN_SPAMCOP net nopublish # 20091123 |
| # |
| #meta PUBLISHED_DNSBLS RCVD_IN_XBL || RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SORBS_DUL || RCVD_IN_SORBS_WEB || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_RP_RNBL |
| #tflags PUBLISHED_DNSBLS net nopublish # 20110127 |
| #meta PUBLISHED_DNSBLS_BRBL PUBLISHED_DNSBLS || RCVD_IN_BRBL_LASTEXT |
| #tflags PUBLISHED_DNSBLS_BRBL net nopublish # 20110127 |
| # |
| #ifplugin Mail::SpamAssassin::Plugin::DNSEval # { |
| # |
| ## we have the non-lastext data; let's see how good it is if we clean it up a bit |
| ## we'll exclude anything that might have too much info relaying (mailling lists |
| ## and freemail). my intuition is 35-50% spam, 2-4% ham, but we could get lucky. |
| ## the original version ensured multiple external relays and a hit in either |
| ## spamcop or barracuda. now i've added zen, and sorbs. |
| ## |
| ## bug 6634 removed __RCVD_IN_BRBL |
| ##header __RCVD_IN_BRBL eval:check_rbl('brbl','bb.barracudacentral.org') |
| ##tflags __RCVD_IN_BRBL net nopublish |
| ## |
| ##meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL) |
| #meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL) |
| #describe DNSBL_INDIRECT Received indirectly through a relay in a DNSBL |
| #tflags DNSBL_INDIRECT net nopublish # 20091203 |
| ##meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) |
| #meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) |
| #describe DNSBL_INDIRECT_UNSAFE Received ~indirectly through a relay in a DNSBL |
| #tflags DNSBL_INDIRECT_UNSAFE net nopublish # 20091207 |
| ##meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS >1) |
| #meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_ZEN+__RCVD_IN_SORBS>1) |
| #describe DNSBL_INDIRECT_UNSAFE_2 Received ~indirectly through a relay in 2+ DNSBLs |
| #tflags DNSBL_INDIRECT_UNSAFE_2 net nopublish # 20091207 |
| # |
| #endif # } Mail::SpamAssassin::Plugin::DNSEval |
| # |