# From Adam Katz (khopesh) testing grounds and live channels
# http://khopesh.com/Anti-spam

### select rules from khop-bl
# (warren's work has already covered most of what I'd add here)

# Detect milter-greylist, scam-grey, postgrey, SQLgrey, and hopefully others
# Both patterns run against ALL, i.e. the text of every header in the message,
# so a matching X-Greylist / X-Greylisting / X-Scam-Grey line is accepted from
# any hop, not only from the local greylisting daemon.
# NOTE(review): nothing here ties the header to a trusted relay; if the result
# should reflect only local greylisting, strip inbound copies of these headers
# at the MX - confirm against the deployment.
# __GREYLISTING: any such header is present. No rule visible in this section
# references it.
header __GREYLISTING ALL =~ /(?:^|\n)X-(?:Scam-Grey|Greylist(?:ing)?):\s/m
# __GREYLISTED: the header reports an actual delay ("delay"/"delayed", optional
# "for", then a number followed by a seconds unit or ":NN").
header __GREYLISTED ALL =~ /(?:^|\n)X-(?:Scam-Grey|Greylist(?:ing)?):\s+delay(?:ed)? (?:for )?\d+(?: ?s(?:ec(?:ond)?s?)?|:\d\d)/im
# Fires when the message was delayed by greylisting AND the relay has no rDNS,
# dynamic-looking rDNS, or a HELO without a domain. The three relay sub-rules
# are defined outside this section.
meta KHOP_GREYED __GREYLISTED && (RDNS_NONE || RDNS_DYNAMIC || __HELO_NO_DOMAIN)
describe KHOP_GREYED Greylisted and sent from dynamically-named relay
score KHOP_GREYED 0.1

# Header-only presence check; it does not depend on the DKIM plugin.
header __DKIM_EXISTS exists:DKIM-Signature
ifplugin Mail::SpamAssassin::Plugin::DKIM
  # A DKIM-Signature header is present but none of the plugin's rules fired.
  # NOTE(review): the stock DKIM_SIGNED rule is described as "signature present,
  # not necessarily valid". If that holds here, a present-but-failing signature
  # still sets DKIM_SIGNED and this meta stays false, firing only when the
  # plugin did not recognise the header at all. That does not match the
  # description below - confirm the intent.
  # NOTE(review): no score line for DKIM_INVALID is visible here, so the default
  # score would apply - confirm.
  meta DKIM_INVALID __DKIM_EXISTS&&!(DKIM_SIGNED||DKIM_VALID||DKIM_VERIFIED)
  describe DKIM_INVALID DKIM-Signature header exists but is not valid
endif

# __NOT_SPOOFED: "some sender authentication passed, or every relay is trusted".
# Caveat for anyone building on this sub-rule: SPF_PASS authenticates the
# envelope sender and a passing DKIM signature authenticates the signing
# domain; neither is compared with the From: header here, so mail signed or
# SPF-authorised by an unrelated domain also satisfies it. Treat it as
# "authenticated by someone", not as proof that the visible author is genuine.
# NOTE(review): only DKIM_VERIFIED is tested, while DKIM_INVALID above also
# accepts DKIM_VALID. On releases where the passing-signature rule is named
# DKIM_VALID, the DKIM term here would be an undefined dependency and never
# true - verify against the installed rule set.
# NOTE(review): the nested DKIM ifplugin guards are commented out, so
# DKIM_VERIFIED is referenced even when the DKIM plugin is not loaded.
ifplugin Mail::SpamAssassin::Plugin::SPF
#  ifplugin Mail::SpamAssassin::Plugin::DKIM
    meta __NOT_SPOOFED ALL_TRUSTED || SPF_PASS || DKIM_VERIFIED
#  else
#    meta __NOT_SPOOFED ALL_TRUSTED || SPF_PASS
#  endif
else
#  ifplugin Mail::SpamAssassin::Plugin::DKIM
    meta __NOT_SPOOFED ALL_TRUSTED || DKIM_VERIFIED
#  else
#    # Neither DKIM nor SPF ... ugh. Approximate by looking for just the header.
#    header __DKIM_EXISTS exists:DKIM-Signature
#    meta __NOT_SPOOFED ALL_TRUSTED || __DKIM_EXISTS
#  endif
endif
# 'nice' flags this as a ham-indicating rule.
tflags __NOT_SPOOFED nice

# Some tests:

# The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/
# Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net:
# http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html
# Since this is run by Heise and already decently advertised, I don't anticipate
# problems testing here. Flagged 'nopublish' to keep it in testing for now.
# DNSBL lookup against ix.dnsbl.manitu.net. The '-lastexternal' suffix on the
# set name limits the query to the last external relay (the host that handed
# the message to the trusted network), so earlier Received hops are not looked up.
# NOTE(review): that depends on trusted_networks / internal_networks being set
# correctly; a wrong boundary makes the lookup test the wrong IP - confirm.
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Received via a relay in NiX Spam (heise.de)
# 'net' marks a network (DNS) test; 'nopublish' keeps the rule out of
# published rule updates.
tflags RCVD_IN_NIX_SPAM net nopublish # 20091123

# Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this?
# The commented-out variant used check_rbl_txt with a TXT-record pattern; the
# active rule is a plain check_rbl, again restricted to the last external relay.
# NOTE(review): RCVD_IN_SPAMCOP is also the name of a stock rule, so this
# definition presumably replaces it wherever this file is loaded later -
# confirm the load order and that the existing score still suits the new scope.
#header RCVD_IN_SPAMCOP eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
header RCVD_IN_SPAMCOP eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.')
describe RCVD_IN_SPAMCOP Received via a relay in bl.spamcop.net
tflags RCVD_IN_SPAMCOP net nopublish # 20091123