rulesrc/sandbox/khopesh/20_khop_dynamic.cf - spamassassin - Git at Google

 ## khop-dynamic.cf	v 2010042500
 ## Khopesh's Dynamic host detection
 ## This depends on khop-trust.cf which has a lesser form in SpamAssassin 3.3.1+
 ##
 ## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
 ## http://khopesh.com/Anti-spam
 ## khopesh on irc://irc.freenode.net/#spamassassin
 ##
 ## sa-update --gpgkey E8B493D6 --channel khop-dynamic.sa.khopesh.com
 ##
 ## Additional credit goes to the original designers of the concepts knit
 ## together by these rules, namely ASAMI Hideo for S25R
 ## and Christian Rossow, Thomas Czerwinski, and Christian J. Dietrich for
 ## "Detecting Gray in Black and White"
 ##
 ## This file is fully vetted by the Spamassassin Rule QA testing system at
 ## http://ruleqa.spamassassin.org/?srcpath=20_khop_dynamic.cf


 # S25R is:  http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
 # S25R is seven regexps used to detect botnets by reverse DNS.
 # Last updated with upstream regexps on 2009-11-23
 # S25R is loosely licensed permissively with the following sentence:
 # > I don't claim any exclusive rights about my idea. And, if you invent a
 # > new means based on my idea, I hope you contribute it to the Internet
 # > world without claiming exclusive rights.
 #
 # The Upstream cleanses its list with a whitelist consisting of major sites like
 # google.com, hotmail.com, data-hotel.net, yahoo.co.jp, yahoo.com, mixi.jp,
 # home.ne.jp, softbank.ne.jp, ezweb.ne.jp, and verisign.net.  All of these
 # correctly use SPF except yahoo (which uses DKIM), home.ne.jp, and verisign.
 # The whitelist is way too big to be worthwhile, so we use SPF/DKIM/Greylisting.

 # S25R_0 is equal to RDNS_NONE and has a host of problems.  We ignore it here.

 header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
 header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/
 header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
 header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
 header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
 header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/


 # S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
 # This was not published with S25R due to matching 'feed' and similar words.
 # PCRE lets us use negative look-ahead. This ignores 3+ consecutive hex letters.
 header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/
 # 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214  awesome score-map; avg is LOW!
 # 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420  37% of spam hits are under 6 pts

 # Relays with 5+ subdomains in their rDNS.
 header __5_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]*\.){6,}\w+ /
 # 5.7617/0.0344 spam/ham, 0.994 s/o @ 20091214
 # 6.8885/0.0129 spam/ham, 0.998 s/o @ 20100417
 # 6.8984/0.0251 spam/ham, 0.996 s/o @ 20100420
 # 20100420 results for 4_subdom=6.8577/2.0856, 3=15.3590/8.4512
 # which means 4+ was 13.7561/2.1106@0.866 and 3+ was 29.1151/10.5619@0.734
 # 6.8205/0.0232 spam/ham, 0.997 s/o @ 20100514

 # IP address in relay's rDNS or HELO
 header __IP_IN_RELAY  X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
 # 49.0895/0.4994 spam/ham, 0.990 s/o @ 20100514


 # From the 2010 MIT Spam Conference "best student paper"
 # "Detecting Gray in Black and White"
 # by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students)
 # http://bit.ly/Detecting_Gray_in_Black_and_White (PDF)
 #
 # The paper evaluates very similar methodology to the S25R concepts any my own
 # tinkering within this space (of searching for dynamic-type names in rDNS).
 # It cleanses itself with some white rDNS searches that might be interesting.
 # Named RCD for the paper's authors but the rules and regex's are mine.
 # Named MESSY because there are no delimiters (delimited versions unnecessary).

 header __RCD_RDNS_DYN_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i
 header __RCD_RDNS_PPP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i
 header __RCD_RDNS_PPOE_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i


 # safe, no cleansing needed
 ## jhardin added !__RCD_RDNS_MAIL_MESSY per bug#6650
 meta	 KHOP_DYNAMIC	__LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__5_SUBDOM || __RDNS_HEX || __S25R_4 || __S25R_6 || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY) && !__RCD_RDNS_MAIL_MESSY
 describe KHOP_DYNAMIC	Relay looks like a dynamic address
 score	 KHOP_DYNAMIC	2.0

 # cleansing added to make safe
 # meta	 KHOP_DYNAMIC2	!(__NOT_SPOOFED||__GREYLISTING||KHOP_DYNAMIC) && (__S25R_1 + __S25R_2 + 1.1*__S25R_3 + 1.1*__S25R_5 + __IP_IN_RELAY > 3)
 # describe KHOP_DYNAMIC2	Relay looks like a dynamic address
 # tflags	 KHOP_DYNAMIC2	nopublish
 # score	 KHOP_DYNAMIC2	1.0
	## khop-dynamic.cf v 2010042500
	## Khopesh's Dynamic host detection
	## This depends on khop-trust.cf which has a lesser form in SpamAssassin 3.3.1+
	##
	## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
	## http://khopesh.com/Anti-spam
	## khopesh on irc://irc.freenode.net/#spamassassin
	##
	## sa-update --gpgkey E8B493D6 --channel khop-dynamic.sa.khopesh.com
	##
	## Additional credit goes to the original designers of the concepts knit
	## together by these rules, namely ASAMI Hideo for S25R
	## and Christian Rossow, Thomas Czerwinski, and Christian J. Dietrich for
	## "Detecting Gray in Black and White"
	##
	## This file is fully vetted by the Spamassassin Rule QA testing system at
	## http://ruleqa.spamassassin.org/?srcpath=20_khop_dynamic.cf


	# S25R is: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
	# S25R is seven regexps used to detect botnets by reverse DNS.
	# Last updated with upstream regexps on 2009-11-23
	# S25R is loosely licensed permissively with the following sentence:
	# > I don't claim any exclusive rights about my idea. And, if you invent a
	# > new means based on my idea, I hope you contribute it to the Internet
	# > world without claiming exclusive rights.
	#
	# The Upstream cleanses its list with a whitelist consisting of major sites like
	# google.com, hotmail.com, data-hotel.net, yahoo.co.jp, yahoo.com, mixi.jp,
	# home.ne.jp, softbank.ne.jp, ezweb.ne.jp, and verisign.net. All of these
	# correctly use SPF except yahoo (which uses DKIM), home.ne.jp, and verisign.
	# The whitelist is way too big to be worthwhile, so we use SPF/DKIM/Greylisting.

	# S25R_0 is equal to RDNS_NONE and has a host of problems. We ignore it here.

	header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]\d[^0-9. ]+\d\S\./
	header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/
	header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
	header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]\d\.[^. ]\d-\d/
	header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]\d\.[^. ]\d\.[^. ]+\.\S+\./
	header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp\|dialup\|ppp\|[achrsvx]?dsl)[^. ]*\d/


	# S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
	# This was not published with S25R due to matching 'feed' and similar words.
	# PCRE lets us use negative look-ahead. This ignores 3+ consecutive hex letters.
	header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]\d(?![0-9a-f][a-f]{3})[0-9a-f]{7}/
	# 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214 awesome score-map; avg is LOW!
	# 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420 37% of spam hits are under 6 pts

	# Relays with 5+ subdomains in their rDNS.
	header __5_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]*\.){6,}\w+ /
	# 5.7617/0.0344 spam/ham, 0.994 s/o @ 20091214
	# 6.8885/0.0129 spam/ham, 0.998 s/o @ 20100417
	# 6.8984/0.0251 spam/ham, 0.996 s/o @ 20100420
	# 20100420 results for 4_subdom=6.8577/2.0856, 3=15.3590/8.4512
	# which means 4+ was 13.7561/2.1106@0.866 and 3+ was 29.1151/10.5619@0.734
	# 6.8205/0.0232 spam/ham, 0.997 s/o @ 20100514

	# IP address in relay's rDNS or HELO
	header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns\|helo)=\S*(?:\1\D\2\D\3\D\4\|\4\D\3\D\2\D\1)/
	# 49.0895/0.4994 spam/ham, 0.990 s/o @ 20100514


	# From the 2010 MIT Spam Conference "best student paper"
	# "Detecting Gray in Black and White"
	# by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students)
	# http://bit.ly/Detecting_Gray_in_Black_and_White (PDF)
	#
	# The paper evaluates very similar methodology to the S25R concepts any my own
	# tinkering within this space (of searching for dynamic-type names in rDNS).
	# It cleanses itself with some white rDNS searches that might be interesting.
	# Named RCD for the paper's authors but the rules and regex's are mine.
	# Named MESSY because there are no delimiters (delimited versions unnecessary).

	header __RCD_RDNS_DYN_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i
	header __RCD_RDNS_PPP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i
	header __RCD_RDNS_PPOE_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i



	# safe, no cleansing needed
	## jhardin added !__RCD_RDNS_MAIL_MESSY per bug#6650
	meta KHOP_DYNAMIC __LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__5_SUBDOM \|\| __RDNS_HEX \|\| __S25R_4 \|\| __S25R_6 \|\| __RCD_RDNS_DYN_MESSY \|\| __RCD_RDNS_PPP_MESSY \|\| __RCD_RDNS_PPOE_MESSY) && !__RCD_RDNS_MAIL_MESSY
	describe KHOP_DYNAMIC Relay looks like a dynamic address
	score KHOP_DYNAMIC 2.0

	# cleansing added to make safe
	# meta KHOP_DYNAMIC2 !(__NOT_SPOOFED\|\|__GREYLISTING\|\|KHOP_DYNAMIC) && (__S25R_1 + __S25R_2 + 1.1__S25R_3 + 1.1__S25R_5 + __IP_IN_RELAY > 3)
	# describe KHOP_DYNAMIC2 Relay looks like a dynamic address
	# tflags KHOP_DYNAMIC2 nopublish
	# score KHOP_DYNAMIC2 1.0