# Selective SMTP Rejection (S25R) as SpamAssassin rules.
#
# Upstream description: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
# S25R is a set of seven reverse-DNS regexps that flag hosts whose rDNS looks
# like an end-user / dynamic address rather than a real mail server. Upstream
# pairs the regexps with a large whitelist; that whitelist is not worth carrying
# here, so the false-positive control is done with SPF/DKIM (__NOT_SPOOFED) and
# greylisting (__GREYLISTED) instead. Both of those subrules, as well as
# __LAST_EXTERNAL_RELAY_NO_AUTH, __HELO_NO_DOMAIN, __DOS_RELAYED_EXT, RDNS_NONE
# and RDNS_DYNAMIC, are defined elsewhere in the ruleset.
#
# Regexps last synced with upstream on 2009-11-23.
#
# How the matching works: every subrule below runs against
# X-Spam-Relays-Untrusted, the pseudo-header SpamAssassin builds from the
# Received: chain. The leading "^[^\]]+ rdns=" anchors each pattern to the
# first relay entry in that header (the character class stops at the "]" that
# closes an entry), so only one hop's rdns= value is inspected, and the rule is
# only allowed to fire when __LAST_EXTERNAL_RELAY_NO_AUTH says that hop did not
# authenticate. Note that rdns= is what SpamAssassin derived for that hop, not
# a lookup this file performs.

# ---------------------------------------------------------------------------
# Upstream pattern 0 (no reverse DNS at all) is currently disabled: the
# RDNS_NONE && __HELO_NO_DOMAIN combination is used inside S25R / KHOP_BOTNET
# below instead. Kept here while deciding whether a stand-alone rule adds
# anything over RDNS_NONE.
#meta S25R_0 __LAST_EXTERNAL_RELAY_NO_AUTH && RDNS_NONE && __HELO_NO_DOMAIN && !__NOT_SPOOFED && !__GREYLISTED
#describe S25R_0 S25R: Reverse lookup failure
#score S25R_0 0.1
#tflags S25R_0 nopublish

# ---------------------------------------------------------------------------
# The six rDNS shape tests (upstream patterns 1-6).
# Lowest label = the leftmost label of the rDNS name.

# 1: lowest label contains digit(s), then non-digit(s), then digit(s).
header __S25R_1 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./

# 2: lowest label contains a run of five or more digits.
header __S25R_2 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d{5}/

# 3: the lowest or second-lowest label starts with a digit, and there are at
#    least two more labels before a trailing alphabetic TLD.
header __S25R_3 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/

# 4: lowest label ends in a digit and the next label contains "digit-digit".
header __S25R_4 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/

# 5: five or more labels, with the two lowest both ending in a digit.
#    (This pattern was split across a line break in the copy this was
#    reconstructed from; it is re-joined here as a single character class.)
header __S25R_5 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./

# 6: lowest label starts with a customer-access keyword and contains a digit.
header __S25R_6 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/

# ---------------------------------------------------------------------------
# One scored rule per pattern. Each one is made mutually exclusive with the
# other five so masscheck attributes every hit to exactly one pattern; a
# message matching two patterns therefore fires none of S25R_1..S25R_6 (it is
# still caught by the union rules further down). The 0.1 scores are left
# commented out, so these currently carry no explicit score in this file.

meta S25R_1 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_1 && !(__S25R_2||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
describe S25R_1 S25R: Bottom of rDNS has num, non-num, num
#score S25R_1 0.1

meta S25R_2 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_2 && !(__S25R_1||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
describe S25R_2 S25R: Bottom of rDNS has 5+ digits in a row
#score S25R_2 0.1

meta S25R_3 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_3 && !(__S25R_1||__S25R_2||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
describe S25R_3 S25R: A low-level of rDNS starts w/ a number
#score S25R_3 0.1

meta S25R_4 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_4 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
describe S25R_4 S25R: Bottom of rDNS ends w/ num, next lvl has num-num
#score S25R_4 0.1

meta S25R_5 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_5 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
describe S25R_5 S25R: rDNS has 5+ layers, bottom 2 end in numbers
#score S25R_5 0.1

meta S25R_6 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_6 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_5 || __NOT_SPOOFED || __GREYLISTED)
describe S25R_6 S25R: rDNS looks dynamic or customer-facing
#score S25R_6 0.1

# ---------------------------------------------------------------------------
# Union of all patterns, for testing. Pattern 0 (RDNS_NONE) is restricted to
# hosts that also HELO without a domain, because on its own it produces too
# many false positives. The alternatives are listed in descending order of
# how often they hit, on the theory that the generated Perl "||" chain stops
# at the first true term. "tflags nopublish" keeps this out of published
# rule updates while it is evaluated.
meta S25R __LAST_EXTERNAL_RELAY_NO_AUTH && ((RDNS_NONE&&__HELO_NO_DOMAIN)||__S25R_1||__S25R_3||__S25R_5||__S25R_2||__S25R_6||__S25R_4) && !__NOT_SPOOFED && !__GREYLISTED
describe S25R Selective SMTP Rejection: Relay has dynamic rDNS
tflags S25R nopublish

# ---------------------------------------------------------------------------
# Full "poor-man's botnet" detector: S25R plus RDNS_DYNAMIC, with patterns 0
# and 1 restricted further (pattern 1 additionally requires that the mail was
# not relayed via an external host, __DOS_RELAYED_EXT) because of their
# false-positive rates. Masscheck results from 20091124: ham 0.6%-1.8%,
# spam 25.9%-83.0%. Also not published.
meta KHOP_BOTNET __LAST_EXTERNAL_RELAY_NO_AUTH && (RDNS_DYNAMIC || (__HELO_NO_DOMAIN&&RDNS_NONE) || (__S25R_1&&!__DOS_RELAYED_EXT) || __S25R_3 || __S25R_5 || __S25R_2 || __S25R_6 || __S25R_4) && !__NOT_SPOOFED && !__GREYLISTED
describe KHOP_BOTNET Relay looks like a dynamic address
tflags KHOP_BOTNET nopublish