# From the 2010 MIT Spam Conference "best student paper"
# "Detecting Gray in Black and White"
# by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students)
# http://bit.ly/Detecting_Gray_in_Black_and_White (PDF)
#
# The paper evaluates a methodology very similar to the S25R concepts and my own
# tinkering within this space (searching for dynamic-type names in rDNS).
# It cleanses itself with some white rDNS searches that might be interesting.
# Named RCD after the paper's authors, but the rules and regexes are mine.
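# Every indicator below exists in two flavours:
#   *_MESSY  - the token may appear anywhere in the rDNS name (plain substring match)
#   (clean)  - the token must be a whole word: \b before it and a non-letter after it,
#              so "mx1.example" hits but "mixmaster.example" does not.
# All of them look only at the first (outermost) relay in X-Spam-Relays-External:
# "^[^\]]+ rdns=" cannot cross the "]" that closes the first relay entry.
# X-Spam-Relays-External is synthesised by SpamAssassin from the Received chain, so the
# rdns value reflects the DNS lookup, not anything the sender can write directly.
#
# NOTE(review): __RCD_RDNS_MX_MESSY and __RCD_RDNS_SMTP_MESSY are the only patterns
# without /i; every sibling rule is case-insensitive. Left as-is; confirm intent.
header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
# should be fully overlapped and eclipsed by __RDNS_STATIC
header __RCD_RDNS_STATIC_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*static/i
header __RCD_RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bstatics?[^a-z]/i
# Based on the paper's results, OB shouldn't hit much
header __RCD_RDNS_OB_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*outbound/i
header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
# "nice": these are ham (legitimate mail server) indicators, so mass-check scores them
# towards the negative side.
tflags __RCD_RDNS_MX_MESSY nice
tflags __RCD_RDNS_MX nice
tflags __RCD_RDNS_SMTP_MESSY nice
tflags __RCD_RDNS_SMTP nice
tflags __RCD_RDNS_MTA_MESSY nice
tflags __RCD_RDNS_MTA nice
tflags __RCD_RDNS_STATIC_MESSY nice
tflags __RCD_RDNS_STATIC nice
tflags __RCD_RDNS_OB_MESSY nice
tflags __RCD_RDNS_OB nice
tflags __RCD_RDNS_MAIL_MESSY nice
tflags __RCD_RDNS_MAIL nice
# Aggregates: SERVER uses only the whole-word rules, SERVER_MESSY only the substring ones.
meta RCD_RDNS_SERVER __RCD_RDNS_MX || __RCD_RDNS_SMTP || __RCD_RDNS_MTA || __RCD_RDNS_STATIC || __RCD_RDNS_OB || __RCD_RDNS_MAIL
tflags RCD_RDNS_SERVER nice nopublish
meta RCD_RDNS_SERVER_MESSY __RCD_RDNS_MX_MESSY || __RCD_RDNS_SMTP_MESSY || __RCD_RDNS_MTA_MESSY || __RCD_RDNS_STATIC_MESSY || __RCD_RDNS_OB_MESSY || __RCD_RDNS_MAIL_MESSY
tflags RCD_RDNS_SERVER_MESSY nice nopublish
# expected to be fully overlapped and eclipsed by __RDNS_INDICATOR_TYPE
header __RCD_RDNS_DIAL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dial/i
header __RCD_RDNS_DIAL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bdial(?:ing?)?s?[^a-z]/i
# expected to be near identical to __RDNS_INDICATOR_DYN
#GRADUATED to khop-dynamic# header __RCD_RDNS_DYN_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i
header __RCD_RDNS_DYN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bdyna?(?:mic)?s?[^a-z]/i
header __RCD_RDNS_PROXY_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*proxy/i
header __RCD_RDNS_PROXY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bprox(?:y(?:ing)?|ie[ds])[^a-z]/i
# should be superset of __RDNS_DYNAMIC_ASAHI
#GRADUATED to khop-dynamic# header __RCD_RDNS_PPP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i
header __RCD_RDNS_PPP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bppp[^a-z]/i
#GRADUATED to khop-dynamic# header __RCD_RDNS_PPOE_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i
header __RCD_RDNS_PPOE X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bp?ppoe[^a-z]/i
# Aggregates, mirroring the SERVER pair above: DYNAMIC_MESSY = substring rules only,
# DYNAMIC = whole-word rules only. (Previously DYNAMIC_MESSY mixed in the whole-word
# __RCD_RDNS_PROXY and DYNAMIC was a copy of the _MESSY list.)
# NOTE(review): __RCD_RDNS_DYN_MESSY, __RCD_RDNS_PPP_MESSY and __RCD_RDNS_PPOE_MESSY
# are commented out here ("GRADUATED to khop-dynamic"); the MESSY meta relies on them
# being defined under the same names in that file - verify with --lint.
meta RCD_RDNS_DYNAMIC_MESSY __RCD_RDNS_DIAL_MESSY || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PROXY_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY
tflags RCD_RDNS_DYNAMIC_MESSY nopublish
meta RCD_RDNS_DYNAMIC __RCD_RDNS_DIAL || __RCD_RDNS_DYN || __RCD_RDNS_PROXY || __RCD_RDNS_PPP || __RCD_RDNS_PPOE
tflags RCD_RDNS_DYNAMIC nopublish
# A dynamic-looking name that carries no server-like token at all.
meta RCD_RDNS_DYNAMIC_CLEAN RCD_RDNS_DYNAMIC_MESSY && !RCD_RDNS_SERVER_MESSY
tflags RCD_RDNS_DYNAMIC_CLEAN nopublish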