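## khop-sc-neighbors.cf v 2009071520
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
##
## Spamassassin rules written by Adam Katz
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
##
##   sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
##
## These rules are Copyright 2001-2009 by Adam Katz
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## The author is receptive to relicensing requests for this and its generator.

# NOTE(review): F4AD9292 is a short (32-bit) key ID. Short IDs are
# collision-prone, so confirm the channel key's full fingerprint out of band
# before trusting updates signed with it.
#
# NOTE(review): this file is a point-in-time snapshot (see the version stamp
# above). Address space is reassigned and compromised hosts get cleaned up, so
# a static list like this ages quickly; refresh it from the update channel or
# retire it rather than leaving an old copy in place.
#
# NOTE(review): every rule below is matched against all Received headers, not
# only those written by relays you trust. Headers below your trust boundary
# are sender-controlled, and legitimate mail can carry an earlier hop inside
# these ranges. Matching the ip= field of X-Spam-Relays-External (or
# -Untrusted) would limit hits to parsed relay addresses -- confirm against
# your trusted_networks setup before switching.
#
# Score lines with four values give one score per score set, in this order:
#   no Bayes/no network, no Bayes/network, Bayes/no network, Bayes/network.

# --- /8 networks: first octet fixed, followed by three more octets ---------

header   KHOP_SC_CIDR8  Received =~ /\b(?:200|78|88|85)(?:\.[012]?[0-9]{1,2}){3}\b/
describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
score    KHOP_SC_CIDR8  0.2 0.1 0.3 0.2

header   KHOP_SC_TOP_CIDR8  Received =~ /\b(?:189|201|190|123)(?:\.[012]?[0-9]{1,2}){3}\b/
describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
score    KHOP_SC_TOP_CIDR8  0.5 0.4 0.8 0.6
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)

# --- /16 networks: first two octets fixed, followed by two more octets -----
# The earlier pattern required only ONE octet after the prefix, so it matched
# any three-octet run: "10.222.253.7" hit the 222.253/16 rule because \b is
# satisfied after the dot. Requiring two trailing octets (the same shape as
# the /8 rules above) anchors the prefix to the start of a dotted quad.

header   KHOP_SC_CIDR16  Received =~ /\b(?:222\.253|189\.75|189\.19|200\.102|189\.71|59\.93)(?:\.[012]?[0-9]{1,2}){2}\b/
describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75

header   KHOP_SC_TOP_CIDR16  Received =~ /\b(?:123\.27|203\.210|123\.23|123\.17|222\.254|113\.22)(?:\.[012]?[0-9]{1,2}){2}\b/
describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)
# NOTE(review): the overlap figures above were presumably measured with the
# looser pattern; re-measure after the tightening if they drive score tuning.

# --- /24 networks: first three octets fixed, followed by the host octet ----

header   KHOP_SC_CIDR24  Received =~ /\b(?:62\.175\.249|125\.110\.101|125\.110\.109|124\.11\.146|200\.199\.86|125\.110\.107)\.[012]?[0-9]{1,2}\b/
describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2

header   KHOP_SC_TOP_CIDR24  Received =~ /\b(?:125\.110\.124|125\.110\.105|125\.110\.104|125\.110\.100|94\.23\.25|125\.110\.106)\.[012]?[0-9]{1,2}\b/
describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8

# --- Individual addresses: full dotted quads between word boundaries -------

header   KHOP_SC_TOP10  Received =~ /\b(?:94\.23\.25\.48|125\.110\.104\.185|125\.110\.105\.172|125\.110\.109\.129|124\.11\.146\.87|125\.110\.106\.218|200\.199\.86\.189|125\.110\.107\.116|62\.175\.249\.254|125\.110\.101\.14)\b/
describe KHOP_SC_TOP10  Relay listed in SpamCop top 10 spammer IPs
score    KHOP_SC_TOP10  2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

header   KHOP_SC_TOP20  Received =~ /\b(?:218\.198\.127\.52|125\.110\.100\.165|62\.175\.249\.249|91\.121\.160\.155|125\.110\.105\.241|125\.110\.106\.83|189\.75\.119\.18|125\.110\.124\.233|222\.138\.109\.204|174\.137\.59\.34)\b/
describe KHOP_SC_TOP20  Relay listed in SpamCop top 20 spammer IPs
score    KHOP_SC_TOP20  1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

header   KHOP_SC_TOP100  Received =~ /\b(?:87\.106\.128\.229|61\.135\.179\.52|125\.110\.124\.130|60\.12\.190\.58|125\.110\.124\.82|190\.202\.106\.34|60\.191\.15\.206|125\.110\.101\.104|213\.165\.88\.106|124\.11\.189\.21|219\.153\.65\.39|125\.110\.124\.7|201\.59\.24\.206|125\.110\.114\.194|75\.127\.109\.197|203\.162\.21\.201|91\.93\.107\.47|94\.23\.16\.61|221\.7\.194\.5|60\.208\.106\.34|60\.181\.164\.189|125\.110\.124\.29|212\.50\.249\.37|77\.221\.151\.194|203\.171\.235\.88|118\.219\.232\.171|125\.110\.104\.60|209\.51\.155\.138|220\.199\.6\.54|125\.110\.104\.152|91\.121\.145\.159|124\.12\.10\.36|94\.23\.49\.215|59\.30\.233\.9|212\.44\.131\.8|200\.62\.18\.19|217\.20\.170\.44|220\.190\.60\.143|125\.110\.123\.208|218\.191\.125\.43|221\.120\.240\.6|124\.11\.191\.177|125\.110\.105\.150|201\.39\.220\.3|117\.41\.164\.60|220\.190\.60\.33|202\.60\.129\.34|202\.125\.156\.122|89\.20\.136\.28|125\.110\.125\.102|217\.219\.244\.70|58\.51\.197\.246|113\.253\.14\.210|84\.247\.200\.150|125\.110\.126\.191|96\.56\.54\.171|165\.132\.230\.253|87\.98\.217\.19|217\.168\.64\.58|64\.76\.150\.229|190\.65\.170\.58|210\.210\.113\.2|220\.190\.61\.168|125\.110\.100\.247|148\.223\.175\.2|195\.91\.54\.121|213\.141\.145\.16|148\.245\.196\.93|200\.223\.226\.200|200\.234\.200\.143|201\.16\.206\.1|74\.94\.173\.234|201\.6\.156\.229|119\.30\.121\.11|195\.91\.54\.120|125\.110\.99\.234|88\.191\.99\.50|213\.199\.252\.130|201\.30\.99\.126|58\.65\.245\.87)\b/
describe KHOP_SC_TOP100  Relay listed in SpamCop top 100 spammer IPs
score    KHOP_SC_TOP100  1.4 1.3 1.8 1.7
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)

header   KHOP_SC_TOP200  Received =~ /\b(?:125\.110\.100\.71|195\.161\.9\.2|84\.38\.66\.78|91\.120\.21\.34|61\.225\.196\.28|189\.74\.131\.212|202\.90\.124\.50|77\.239\.179\.72|94\.25\.126\.174|211\.234\.122\.24|221\.120\.240\.2|201\.54\.4\.253|218\.38\.151\.109|60\.181\.165\.245|201\.80\.224\.106|213\.226\.192\.126|217\.243\.173\.37|148\.208\.160\.33|125\.76\.228\.201|202\.134\.85\.194|125\.110\.105\.140|85\.254\.172\.60|189\.112\.196\.111|189\.59\.236\.20|210\.83\.80\.41|213\.79\.125\.122|218\.191\.122\.205|91\.121\.117\.95|200\.37\.164\.34|92\.50\.131\.106|61\.4\.104\.38|198\.173\.64\.139|78\.107\.5\.63|200\.80\.140\.61|218\.38\.16\.55|200\.223\.178\.254|116\.63\.237\.2|121\.28\.49\.131|115\.93\.208\.114|190\.54\.31\.34|66\.77\.151\.20|62\.38\.54\.81|187\.16\.246\.3|125\.110\.109\.245|125\.110\.126\.18|205\.234\.100\.194|91\.121\.71\.147|201\.65\.243\.3|93\.122\.135\.1|187\.12\.68\.122|91\.186\.16\.23|189\.19\.248\.132|58\.211\.75\.8|201\.82\.144\.97|200\.71\.175\.15|89\.156\.160\.96|121\.28\.7\.181|189\.59\.7\.187|124\.207\.168\.39|89\.21\.93\.154|85\.25\.136\.151|200\.203\.105\.243|200\.71\.175\.13|124\.124\.244\.174|200\.144\.5\.41|200\.43\.109\.166|200\.195\.138\.35|189\.4\.227\.125|58\.244\.22\.102|78\.108\.69\.156|82\.151\.131\.153|200\.71\.149\.82|212\.97\.132\.139|24\.39\.25\.82|213\.251\.187\.187|211\.53\.169\.2|77\.81\.240\.5|200\.71\.175\.18|75\.125\.124\.50|61\.50\.219\.170|94\.23\.58\.45|117\.25\.160\.198|189\.20\.181\.130|200\.161\.93\.39|189\.51\.32\.106|122\.121\.213\.148|69\.215\.26\.194|201\.55\.128\.10|61\.150\.76\.190|200\.216\.113\.58|218\.107\.15\.32|190\.107\.134\.202|203\.160\.67\.112|121\.246\.84\.83|200\.71\.175\.17|94\.80\.184\.178|200\.152\.54\.196|202\.75\.37\.222|218\.69\.16\.74|212\.97\.132\.134)\b/
describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
score    KHOP_SC_TOP200  0.9 0.8 1.4 1.3
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# Bump these up to compensate for expected but absent overlap
# A score in parentheses is a relative adjustment added to the score already
# set above; a bare number replaces it for every score set.
# NOTE(review): without DNSEval the three bare scores below (4.9/4.8/4.7) sit
# just under the stock required_score of 5.0, so one hit on a stale entry all
# but decides the verdict. Re-check these values against your own threshold
# and the age of the list before relying on them.
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score KHOP_SC_CIDR8       (0.5)
  score KHOP_SC_TOP_CIDR8   (0.9)  # RCVD_IN_PBL
  score KHOP_SC_CIDR16      (0.8)  # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR16  (0.9)  # RCVD_IN_PBL
  score KHOP_SC_CIDR24      (0.9)  # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR24  (1.5)  # RCVD_IN_PBL ++
  score KHOP_SC_TOP10       4.9    # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  score KHOP_SC_TOP20       4.8    # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  score KHOP_SC_TOP100      4.7    # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  score KHOP_SC_TOP200      (2.0)  # RCVD_IN_BL_SPAMCOP_NET ++
endif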