| ## khop-dynamic.cf v 2010042500 |
| ## Khopesh's Dynamic host detection |
| ## This depends on khop-trust.cf which has a lesser form in SpamAssassin 3.3.1+ |
| ## |
| ## Spamassassin rules written by Adam Katz <antispamATkhopiscom> |
| ## http://khopesh.com/Anti-spam |
| ## khopesh on irc://irc.freenode.net/#spamassassin |
| ## |
| ## sa-update --gpgkey E8B493D6 --channel khop-dynamic.sa.khopesh.com |
| ## |
| ## Additional credit goes to the original designers of the concepts knit |
| ## together by these rules, namely ASAMI Hideo for S25R |
| ## and Christian Rossow, Thomas Czerwinski, and Christian J. Dietrich for |
| ## "Detecting Gray in Black and White" |
| ## |
| ## This file is fully vetted by the Spamassassin Rule QA testing system at |
| ## http://ruleqa.spamassassin.org/?srcpath=20_khop_dynamic.cf |
| |
| |
| # S25R is: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html |
| # S25R is seven regexps used to detect botnets by reverse DNS. |
| # Last updated with upstream regexps on 2009-11-23 |
| # S25R is loosely licensed permissively with the following sentence: |
| # > I don't claim any exclusive rights about my idea. And, if you invent a |
| # > new means based on my idea, I hope you contribute it to the Internet |
| # > world without claiming exclusive rights. |
| # |
| # The Upstream cleanses its list with a whitelist consisting of major sites like |
| # google.com, hotmail.com, data-hotel.net, yahoo.co.jp, yahoo.com, mixi.jp, |
| # home.ne.jp, softbank.ne.jp, ezweb.ne.jp, and verisign.net. All of these |
| # correctly use SPF except yahoo (which uses DKIM), home.ne.jp, and verisign. |
| # The whitelist is way too big to be worthwhile, so we use SPF/DKIM/Greylisting. |
| |
| # S25R_0 is equal to RDNS_NONE and has a host of problems. We ignore it here. |
| |
| header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./ |
| header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/ |
| header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/ |
| header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/ |
| header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./ |
| header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/ |
| |
| |
| # S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number") |
| # This was not published with S25R due to matching 'feed' and similar words. |
| # PCRE lets us use negative look-ahead. This ignores 3+ consecutive hex letters. |
| header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/ |
| # 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214 awesome score-map; avg is LOW! |
| # 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420 37% of spam hits are under 6 pts |
| |
| # Relays with 5+ subdomains in their rDNS. |
| header __5_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]*\.){6,}\w+ / |
| # 5.7617/0.0344 spam/ham, 0.994 s/o @ 20091214 |
| # 6.8885/0.0129 spam/ham, 0.998 s/o @ 20100417 |
| # 6.8984/0.0251 spam/ham, 0.996 s/o @ 20100420 |
| # 20100420 results for 4_subdom=6.8577/2.0856, 3=15.3590/8.4512 |
| # which means 4+ was 13.7561/2.1106@0.866 and 3+ was 29.1151/10.5619@0.734 |
| # 6.8205/0.0232 spam/ham, 0.997 s/o @ 20100514 |
| |
| # IP address in relay's rDNS or HELO |
| header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ |
| # 49.0895/0.4994 spam/ham, 0.990 s/o @ 20100514 |
| |
| |
| # From the 2010 MIT Spam Conference "best student paper" |
| # "Detecting Gray in Black and White" |
| # by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students) |
| # http://bit.ly/Detecting_Gray_in_Black_and_White (PDF) |
| # |
| # The paper evaluates very similar methodology to the S25R concepts any my own |
| # tinkering within this space (of searching for dynamic-type names in rDNS). |
| # It cleanses itself with some white rDNS searches that might be interesting. |
| # Named RCD for the paper's authors but the rules and regex's are mine. |
| # Named MESSY because there are no delimiters (delimited versions unnecessary). |
| |
| header __RCD_RDNS_DYN_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i |
| header __RCD_RDNS_PPP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i |
| header __RCD_RDNS_PPOE_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i |
| |
| |
| |
| # safe, no cleansing needed |
| ## jhardin added !__RCD_RDNS_MAIL_MESSY per bug#6650 |
| meta KHOP_DYNAMIC __LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__5_SUBDOM || __RDNS_HEX || __S25R_4 || __S25R_6 || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY) && !__RCD_RDNS_MAIL_MESSY |
| describe KHOP_DYNAMIC Relay looks like a dynamic address |
| score KHOP_DYNAMIC 2.0 |
| |
| # cleansing added to make safe |
| # meta KHOP_DYNAMIC2 !(__NOT_SPOOFED||__GREYLISTING||KHOP_DYNAMIC) && (__S25R_1 + __S25R_2 + 1.1*__S25R_3 + 1.1*__S25R_5 + __IP_IN_RELAY > 3) |
| # describe KHOP_DYNAMIC2 Relay looks like a dynamic address |
| # tflags KHOP_DYNAMIC2 nopublish |
| # score KHOP_DYNAMIC2 1.0 |
| |