## khop-sc-neighbors.cf	v 2009112519
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
## 
## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
## 
## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
## 
## These rules are Copyright 2001-2009 by Adam Katz <antispamATkhopiscom>
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.


# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:2(?:00|22)|187|89)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
score    KHOP_SC_CIDR8  0.2 0.1 0.3 0.2

header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:1(?:23|89|90)|201)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
score    KHOP_SC_TOP_CIDR8  0.5 0.4 0.8 0.6
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score
#counts  KHOP_SC_TOP_CIDR8  229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)


# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b1(?:1(?:3\.22|5\.75|7\.4)|2(?:2\.168|3\.16)|89\.111)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75

header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b(?:2(?:22\.25[34]|03\.210)|1(?:23\.2[37]|90\.24))(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
#counts  KHOP_SC_TOP_CIDR16  7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)


# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:1(?:40\.113\.121|74\.143\.147)|6(?:0\.213\.48|2\.61\.164)|220\.231\.127|89\.232\.105)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
#counts  KHOP_SC_CIDR24  241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_CIDR24  486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_CIDR24  1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_CIDR24  240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_CIDR24  0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09

header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:1(?:11\.224\.250|74\.143\.151)|(?:91\.132\.7|0\.0\.)0|202\.75\.37|58\.18\.168)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8


# http://www.spamcop.net/w3m?action=hoshame
header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:2(?:1(?:6\.152\.210|\.18\.189)|6\.1(?:48\.62|71\.86)|7\.138\.74)|1(?:(?:95\.158\.16|41\.87\.13)5|60\.49\.12)|80\.140\.61|91\.248\.84)|2\.(?:75\.(?:37\.2(?:4[03]|27|53)|62\.10)|(?:31\.135\.5|69\.111\.7)2)|1\.(?:116\.198\.114|251\.250\.3|59\.14\.107|6\.119\.118)|3\.(?:210\.249\.19|101\.104\.2|90\.137\.18)|9\.(?:172\.(?:35\.112|44\.13)|94\.196\.170)|6\.169\.30\.117|8\.89\.219\.134)|1(?:0\.(?:2(?:1(?:2\.248\.22|9\.173\.6)2|45\.25\.114)|1(?:07\.195\.173|27\.253\.121|10\.49\.39))|3\.(?:1(?:49\.131\.201|57\.196\.175|86\.62\.59)|227\.(?:219\.58|72\.146))|1\.(?:1(?:71\.255\.237|52\.12\.114)|2(?:45\.104\.106|02\.2\.97))|2\.1(?:(?:50\.22\.14|43\.76\.9)3|98\.38\.145)|8\.(?:38\.1(?:2\.246|8\.201)|248\.44\.196)|(?:6\.66\.78\.12|9\.254\.35\.4)5|7\.1(?:99\.231\.249|6\.69\.8))|2(?:0\.(?:2(?:27\.(?:170\.197|35\.234)|31\.101\.214|41\.246\.97)|95\.232\.26)|2\.(?:2(?:37\.(?:162\.200|78\.177)|52\.223\.2)|122\.158\.185)|1\.(?:1(?:20\.224\.146|39\.0\.97)|2\.98\.206))|4\.1(?:56\.108\.188|99\.205\.252))|1(?:1(?:0\.(?:1(?:39\.56\.125|72\.167\.37)|45\.146\.169)|8\.(?:9(?:1\.117\.165|6\.24\.156)|130\.112\.235)|6\.(?:47\.133\.40|1\.10\.195|50\.249\.2)|(?:9\.39\.253\.2|5\.68\.2\.1)5|1\.224\.250\.(?:7[01]|133|67)|3\.169\.176\.24|7\.25\.129\.200|4\.141\.5\.3)|9(?:0\.(?:1(?:4(?:7\.205\.103|4\.93\.154)|07\.134\.202)|254\.222\.210|6\.172\.98|81\.54\.33)|5\.(?:2(?:45\.211\.36|24\.29\.20)|1(?:89\.45\.11|61\.9\.2))|3\.1(?:08\.38\.228|89\.86\.72|98\.8\.211)|6\.28\.237\.185)|2(?:1\.(?:1(?:8(?:5\.156\.185|7\.85\.114)|0\.127\.158)|241\.32\.49)|5\.(?:(?:7\.221\.14|20\.67\.6)6|46\.(?:49\.131|73\.179))|4\.(?:124\.52\.162|2\.205\.254|0\.18\.130)|2\.252\.234\.74)|74\.(?:143\.1(?:51\.(?:65|80)|45\.248)|36\.201\.222)|8(?:8\.217\.20\.96|9\.52\.28\.132|6\.24\.19\.3)|(?:40\.113\.121\.10|39\.175\.55\.22)1|52\.26\.20\.72)|9(?:1\.(?:1(?:21\.(?:1(?:4(?:8\.1(?:17|89)|\.198)|20\.108|51\.212)|2(?:3\.205|8\.84)|8(?:1\.99|3\.5)|9\.185)|9(?:2\.144\.9|7\.5\.1)|32\.70\.11)|2(?:00\.212\.5|14\.16\.42))|4\.(?:2(?:3\.(?:(?:215\.5|35\.18)0|12\.122|45\.154|5\.161)|51\.113\.140)|1(?:0(?:3\.33\.128|2\.7\.104)|59\.202\.199)|77\.48\.5)|5\.(?:154\.240\.98|86\.78\.80)|2\.243\.17\.217|3\.122\.135\.4|8\.116\.37\.60)|8(?:2\.(?:1(?:46\.245\.105|93\.140\.168)|2(?:39\.205\.187|28\.64\.89))|5\.1(?:(?:70\.32\.15|0\.194\.3)4|92\.33\.96)|4\.(?:22\.140\.186|17\.11\.114|32\.238\.19)|0\.(?:235\.105\.140|93\.125\.186)|3\.14(?:2\.111\.228|3\.151\.165)|9\.(?:190\.197\.14|97\.183\.195)|8\.(?:188\.37\.185|84\.200\.97)|1\.112\.190\.195|7\.117\.253\.240|\.7\.26\.142)|6(?:1\.(?:1(?:7(?:5\.236\.114|8\.126\.206)|48\.102\.110|58\.163\.112|00\.14\.234)|0\.70\.9)|6\.(?:4(?:6\.179\.10|9\.137\.29)|242\.25\.198)|2\.169\.150\.234|5\.204\.173\.139|0\.213\.48\.250|7\.205\.111\.46)|7(?:7\.(?:7(?:8\.161\.136|0\.54\.81)|223\.130\.84)|(?:4\.208\.167\.18|5\.126\.49\.14)9|9\.165\.208\.16)|5(?:8\.(?:1(?:8\.168\.16[2356]|20\.227\.149)|20\.46\.11)|9\.160\.177\.27)|41\.220\.166\.15)\b)/
describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
score    KHOP_SC_TOP200  3.4 3.2 3.7 3.5
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
#counts  KHOP_SC_TOP200  1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09
#counts  KHOP_SC_TOP200  4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09
#counts  KHOP_SC_TOP200  1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09
#counts  KHOP_SC_TOP200  1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:2(?:1(?:0\.(?:1(?:27\.253\.121|10\.49\.39)|212\.248\.222)|3\.(?:227\.72\.146|186\.62\.59)|8\.(?:248\.44\.196|38\.18\.201)|7\.1(?:99\.231\.249|6\.69\.8)|2\.143\.76\.93)|0(?:0\.(?:2(?:16\.152\.210|6\.171\.86)|160\.49\.12|91\.248\.84)|3\.(?:210\.249\.19|101\.104\.2|90\.137\.18)|2\.75\.37\.2(?:4[03]|27)|6\.169\.30\.117)|2(?:(?:1\.(?:120\.224\.14|2\.98\.20)|0\.95\.232\.2)6|2\.2(?:37\.78\.177|52\.223\.2))|4\.1(?:56\.108\.188|99\.205\.252))|1(?:2(?:4\.(?:124\.52\.162|0\.18\.130)|5\.(?:46\.49\.131|7\.221\.146)|1\.10\.127\.158|2\.252\.234\.74)|9(?:0\.(?:144\.93\.154|6\.172\.98|81\.54\.33)|3\.108\.38\.228|6\.28\.237\.185|5\.189\.45\.11)|1(?:1\.224\.250\.7[01]|3\.169\.176\.24|9\.39\.253\.25|6\.50\.249\.2)|74\.(?:143\.151\.(?:65|80)|36\.201\.222)|39\.175\.55\.221|89\.52\.28\.132)|9(?:1\.1(?:21\.(?:(?:23\.20|83\.)5|120\.108)|92\.144\.9)|4\.23\.(?:215\.50|45\.154|5\.161)|3\.122\.135\.4|5\.86\.78\.80)|8(?:2\.(?:146\.245\.105|239\.205\.187)|3\.14(?:2\.111\.228|3\.151\.165)|0\.235\.105\.140|4\.17\.11\.114|5\.192\.33\.96)|6(?:1\.(?:1(?:48\.102\.110|78\.126\.206)|0\.70\.9)|5\.204\.173\.139|6\.242\.25\.198)|7(?:(?:4\.208\.167\.18|5\.126\.49\.14)9|7\.(?:223\.130\.84|70\.54\.81))|5(?:8\.(?:18\.168\.16[235]|20\.46\.11)|9\.160\.177\.27))\b)/
#describe KHOP_SC_TOP100  Relay listed in SpamCop top 100 spammer IPs
#score    KHOP_SC_TOP100  1.4 1.3 1.8 1.7
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score
#counts  KHOP_SC_TOP100  2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP100  5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP100  6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP100  2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP100  1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)

#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:1(?:1(?:1\.224\.250\.(?:133|67)|7\.25\.129\.200)|25\.46\.73\.179|95\.161\.9\.2)|2(?:00\.(?:141\.87\.135|80\.140\.61)|16\.66\.78\.125)|(?:58\.18\.168\.16|80\.93\.125\.18)6)\b)/
#describe KHOP_SC_TOP20  Relay listed in SpamCop top 20 spammer IPs
#score    KHOP_SC_TOP20  1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:2(?:0(?:0\.195\.158\.165|9\.94\.196\.170)|1(?:3\.227\.219\.58|9\.254\.35\.45))|1(?:40\.113\.121\.101|93\.189\.86\.72)|6(?:1\.158\.163\.112|0\.213\.48\.250)|84\.22\.140\.186|91\.132\.70\.11)\b)/
#describe KHOP_SC_TOP10  Relay listed in SpamCop top 10 spammer IPs
#score    KHOP_SC_TOP10  2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)


# Bump these up to compensate for expected but absent overlap
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score  KHOP_SC_CIDR8		(0.1)
  score  KHOP_SC_TOP_CIDR8	(0.2)	# RCVD_IN_PBL
  score  KHOP_SC_CIDR16 	(0.8)	# RCVD_IN_PBL
  score  KHOP_SC_TOP_CIDR16	(0.9)	# RCVD_IN_PBL
  score  KHOP_SC_CIDR24 	(0.9)	# RCVD_IN_PBL
  score  KHOP_SC_TOP_CIDR24	(1.5)	# RCVD_IN_PBL ++
  score  KHOP_SC_TOP200 	 4.6	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP100 	 4.7 	# RCVD_IN_BL_SPAMCOP_NET ++
  #score KHOP_SC_TOP20  	 4.8 	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP10  	 4.9 	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif