| # From the 2010 MIT Spam Conference "best student paper" |
| # "Detecting Gray in Black and White" |
| # by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students) |
| # http://bit.ly/Detecting_Gray_in_Black_and_White (PDF) |
| # |
| # The paper evaluates very similar methodology to the S25R concepts any my own |
| # tinkering within this space (of searching for dynamic-type names in rDNS). |
| # It cleanses itself with some white rDNS searches that might be interesting. |
| # Named RCD for the paper's authors but the rules and regex's are mine. |
| |
| header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ |
| header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i |
| header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ |
| header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i |
| header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i |
| header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i |
| # should be fully overlapped and eclipsed by __RDNS_STATIC |
| header __RCD_RDNS_STATIC_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*static/i |
| header __RCD_RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bstatics?[^a-z]/i |
| # Based on the paper's results, OB shouldn't hit much |
| header __RCD_RDNS_OB_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*outbound/i |
| header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i |
| header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i |
| header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i |
| |
| tflags __RCD_RDNS_MX_MESSY nice |
| tflags __RCD_RDNS_MX nice |
| tflags __RCD_RDNS_SMTP_MESSY nice |
| tflags __RCD_RDNS_SMTP nice |
| tflags __RCD_RDNS_MTA_MESSY nice |
| tflags __RCD_RDNS_MTA nice |
| tflags __RCD_RDNS_STATIC_MESSY nice |
| tflags __RCD_RDNS_STATIC nice |
| tflags __RCD_RDNS_OB_MESSY nice |
| tflags __RCD_RDNS_OB nice |
| tflags __RCD_RDNS_MAIL_MESSY nice |
| tflags __RCD_RDNS_MAIL nice |
| |
| meta RCD_RDNS_SERVER __RCD_RDNS_MX || __RCD_RDNS_SMTP || __RCD_RDNS_MTA || __RCD_RDNS_STATIC || __RCD_RDNS_OB || __RCD_RDNS_MAIL |
| tflags RCD_RDNS_SERVER nice nopublish |
| meta RCD_RDNS_SERVER_MESSY __RCD_RDNS_MX_MESSY || __RCD_RDNS_SMTP_MESSY || __RCD_RDNS_MTA_MESSY || __RCD_RDNS_STATIC_MESSY || __RCD_RDNS_OB_MESSY || __RCD_RDNS_MAIL_MESSY |
| tflags RCD_RDNS_SERVER_MESSY nice nopublish |
| |
| # expected to be fully overlapped and eclipsed by __RDNS_INDICATOR_TYPE |
| header __RCD_RDNS_DIAL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dial/i |
| header __RCD_RDNS_DIAL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bdial(?:ing?)?s?[^a-z]/i |
| # expected to be near identical to __RDNS_INDICATOR_DYN |
| #GRADUATED to khop-dynamic# header __RCD_RDNS_DYN_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i |
| header __RCD_RDNS_DYN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bdyna?(?:mic)?s?[^a-z]/i |
| header __RCD_RDNS_PROXY_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*proxy/i |
| header __RCD_RDNS_PROXY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bprox(?:y(?:ing)?|ie[ds])[^a-z]/i |
| # should be superset of __RDNS_DYNAMIC_ASAHI |
| #GRADUATED to khop-dynamic# header __RCD_RDNS_PPP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i |
| header __RCD_RDNS_PPP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bppp[^a-z]/i |
| #GRADUATED to khop-dynamic# header __RCD_RDNS_PPOE_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i |
| header __RCD_RDNS_PPOE X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bp?ppoe[^a-z]/i |
| |
| meta RCD_RDNS_DYNAMIC_MESSY __RCD_RDNS_DIAL_MESSY || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PROXY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY |
| tflags RCD_RDNS_DYNAMIC_MESSY nopublish |
| meta RCD_RDNS_DYNAMIC __RCD_RDNS_DIAL_MESSY || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PROXY_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY |
| tflags RCD_RDNS_DYNAMIC nopublish |
| meta RCD_RDNS_DYNAMIC_CLEAN RCD_RDNS_DYNAMIC_MESSY && !RCD_RDNS_SERVER_MESSY |
| tflags RCD_RDNS_DYNAMIC_CLEAN nopublish |
| |