## khop-sc-neighbors.cf	v 20091240
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
## 
## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
## 
## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
## 
## These rules are Copyright 2001-2009 by Adam Katz <antispamATkhopiscom>
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.


# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:2(?:00|22)|187|89)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
score    KHOP_SC_CIDR8  0.2 0.1 0.3 0.2

header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:1(?:23|89|90)|201)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
score    KHOP_SC_TOP_CIDR8  0.5 0.4 0.8 0.6
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score
#counts  KHOP_SC_TOP_CIDR8  229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)


# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:(?:23\.[12]|18\.9)6|87\.4)|203\.210|92\.85)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75

header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b(?:1(?:23\.2[37]|89\.111|13\.22)|222\.25[34])(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
#counts  KHOP_SC_TOP_CIDR16  7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)


# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:6(?:8\.168\.138|2\.61\.164)|113\.16(?:0\.113|1\.17)|213\.233\.64|41\.140\.251)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
#counts  KHOP_SC_CIDR24  241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_CIDR24  486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_CIDR24  1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_CIDR24  240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_CIDR24  0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09

header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:2(?:20\.231\.12|02\.75\.3)7|(?:58\.18\.16|60\.213\.4)8|(?:111\.224\.25|0\.0\.)0)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8


# http://www.spamcop.net/w3m?action=hoshame
header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:1(?:(?:37\.132\.8|63\.249\.)3|07\.127\.10|41\.87\.135)|2(?:53\.218\.194|1\.18\.189|6\.148\.62)|8(?:9\.135\.157|0\.140\.61|8\.115\.30)|32\.8\.28)|1\.(?:1(?:16\.198\.1|34\.153\.2)14|45\.106\.130|251\.250\.3|59\.14\.107)|3\.(?:1(?:67\.201\.13|01\.104\.)2|210\.2(?:53\.154|49\.19)|90\.137\.18)|8\.(?:8(?:4\.169\.157|9\.219\.153)|53\.99\.19)|2\.75\.37\.(?:2(?:4[03]|27)|125)|6\.1(?:69\.30\.117|24\.17\.4)|5\.139\.241\.165|7\.112\.121\.43|9\.94\.196\.170)|1(?:1\.(?:1(?:7(?:6\.84\.225|5\.239\.2)|91\.174\.141|52\.12\.114)|94\.138\.45)|0\.(?:1(?:27\.253\.121|10\.49\.39)|21(?:2\.248\.22|9\.173\.6)2)|9\.(?:2(?:34\.88\.16|54\.35\.4)5|15(?:0\.139\.18|1\.41\.)6)|2\.(?:2(?:35\.111\.208|44\.73\.232)|111\.199\.30)|3\.(?:227\.219\.58|186\.62\.59|55\.78\.23)|6\.66\.7(?:8\.(?:125|54)|6\.224)|8\.(?:191\.33\.248|248\.44\.196)|7\.194\.197\.245)|2(?:0\.(?:2(?:31\.(?:1(?:01\.(?:214|86)|27\.(?:13|9))|69\.13)|27\.(?:170\.197|35\.234))|124\.249\.1|95\.232\.26)|2\.(?:2(?:5(?:5\.29\.143|2\.223\.2)|37\.(?:162\.200|78\.177))|124\.203\.27)|1\.214\.164\.240)|4\.1(?:56\.108\.188|99\.205\.252))|1(?:1(?:8\.(?:9(?:6\.2(?:16\.235|4\.156)|1\.117\.165|8\.214\.236)|130\.112\.235)|3\.(?:16(?:0\.113\.15|1\.26\.104)|255\.7\.234)|0\.(?:172\.167\.37|45\.146\.169)|7\.(?:25\.129\.200|74\.62\.49)|9\.(?:39\.253\.25|93\.11\.126)|6\.(?:47\.133\.40|50\.249\.2)|1\.224\.250\.(?:133|65|70)|4\.45\.57\.160|5\.78\.0\.21)|9(?:5\.(?:1(?:6(?:1\.(?:8\.1|9\.2)|0\.253\.4)|89\.45\.11)|2(?:45\.211\.3|52\.70\.14)6)|0\.(?:1(?:07\.134\.202|44\.93\.154)|47\.186\.250|6\.172\.98|81\.54\.33)|3\.(?:1(?:08\.38\.228|98\.8\.211)|253\.217\.21)|6\.2(?:8\.237\.185|1\.63\.111|5\.42\.162))|2(?:1\.1(?:0\.1(?:27\.158|74\.122)|85\.156\.185|66\.183\.29)|5\.(?:234\.18\.130|46\.73\.179)|4\.(?:124\.52\.162|0\.18\.130)|2\.252\.234\.74)|8(?:9\.(?:5(?:(?:5\.166\.12|2\.28\.13)2|\.120\.185)|35\.10\.164|60\.39\.162)|(?:6\.24\.19|8\.50\.76)\.3)|4(?:0\.113\.203\.84|8\.233\.80\.145)|52\.26\.20\.72)|8(?:3\.1(?:4(?:2\.111\.228|3\.151\.165|\.240\.146)|67\.114\.73)|0\.(?:(?:25\.174\.11|93\.125\.18)6|84\.120\.242)|8\.(?:(?:255\.108\.21|188\.37\.18)5|84\.200\.97)|5\.(?:1(?:70\.32\.154|53\.6\.43)|217\.201\.115)|4\.(?:22\.140\.186|17\.11\.114|32\.238\.19)|9\.(?:165\.244\.221|47\.164\.17|36\.3\.23)|2\.(?:193\.140\.168|228\.64\.89)|(?:1\.112|6\.28)\.190\.195)|7(?:7\.(?:22(?:2\.149\.7|3\.130\.8)4|48\.106\.146|70\.54\.81)|2\.(?:52\.239\.50|71\.33\.237|21\.6\.22)|4\.(?:208\.167\.189|77\.141\.143)|5\.(?:126\.49\.149|64\.138\.57)|9\.1(?:72\.39\.25|24\.13\.7)4)|6(?:(?:0\.213\.48\.25|2\.168\.65\.17)0|(?:8\.168\.138\.5|7\.11\.55\.13)4|1\.1(?:58\.163\.112|78\.126\.206)|9\.179\.(?:187\.18|27\.10)7|5\.204\.173\.139|4\.150\.138\.18|6\.98\.69\.145)|9(?:1\.(?:1(?:21\.(?:1(?:20\.108|61\.101)|23\.205)|32\.70\.11|44\.144\.9|93\.199\.4)|214\.16\.42)|(?:5\.154\.146\.9|2\.50\.244\.7)7|3\.122\.135\.(?:19|4)|8\.116\.37\.60|4\.77\.48\.5)|5(?:8\.(?:2(?:11\.218\.74|6\.2\.212)|18\.168\.16[2356])|9\.(?:160\.177\.27|4\.157\.16)))\b)/
describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
score    KHOP_SC_TOP200  3.4 3.2 3.7 3.5
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
#counts  KHOP_SC_TOP200  1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09
#counts  KHOP_SC_TOP200  4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09
#counts  KHOP_SC_TOP200  1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09
#counts  KHOP_SC_TOP200  1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:1(?:41\.87\.135|63\.249\.3)|8(?:9\.135\.157|0\.140\.61)|2(?:1\.18\.189|6\.148\.62))|1\.(?:116\.198\.114|59\.14\.107)|2\.75\.37\.(?:2(?:27|43)|125)|6\.1(?:69\.30\.117|24\.17\.4)|3\.210\.249\.19|7\.112\.121\.43)|1(?:0\.(?:1(?:27\.253\.121|10\.49\.39)|212\.248\.222)|1\.(?:152\.12\.114|94\.138\.45)|9\.(?:234\.88\.165|151\.41\.6)|2\.111\.199\.30|8\.248\.44\.196|3\.186\.62\.59|6\.66\.78\.54)|2(?:0\.(?:227\.(?:170\.197|35\.234)|124\.249\.1)|2\.2(?:37\.78\.177|52\.223\.2)|1\.214\.164\.240)|4\.1(?:56\.108\.188|99\.205\.252))|1(?:9(?:0\.(?:144\.93\.154|6\.172\.98|81\.54\.33)|5\.1(?:89\.45\.11|61\.9\.2)|3\.108\.38\.228|6\.28\.237\.185)|1(?:(?:8\.96\.216\.23|9\.39\.253\.2)5|4\.45\.57\.160|6\.50\.249\.2)|2(?:(?:1\.10\.174\.12|4\.124\.52\.16)2|2\.252\.234\.74)|8(?:9\.5(?:2\.28\.132|\.120\.185)|8\.50\.76\.3))|8(?:8\.(?:(?:255\.108\.21|188\.37\.18)5|84\.200\.97)|1\.112\.190\.195|3\.142\.111\.228|0\.25\.174\.116|4\.17\.11\.114|9\.36\.3\.23)|9(?:1\.(?:121\.1(?:20\.108|61\.101)|214\.16\.42)|3\.122\.135\.(?:19|4)|5\.154\.146\.97|8\.116\.37\.60|4\.77\.48\.5)|6(?:5\.204\.173\.139|2\.168\.65\.170|4\.150\.138\.18|6\.98\.69\.145|7\.11\.55\.134)|7(?:7\.(?:223\.130\.84|48\.106\.146)|4\.208\.167\.189|9\.172\.39\.254)|5(?:8\.(?:18\.168\.16[35]|211\.218\.74)|9\.160\.177\.27))\b)/
#describe KHOP_SC_TOP100  Relay listed in SpamCop top 100 spammer IPs
#score    KHOP_SC_TOP100  1.4 1.3 1.8 1.7
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score
#counts  KHOP_SC_TOP100  2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP100  5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP100  6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP100  2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP100  1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)

#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:1(?:2(?:1\.10\.127\.158|5\.46\.73\.179)|11\.224\.250\.(?:133|65))|7(?:7\.70\.54\.81|2\.21\.6\.22)|58\.18\.168\.16[26]|219\.254\.35\.45|80\.93\.125\.186)\b)/
#describe KHOP_SC_TOP20  Relay listed in SpamCop top 20 spammer IPs
#score    KHOP_SC_TOP20  1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:2(?:1(?:3\.227\.219\.58|6\.66\.78\.125)|09\.94\.196\.170)|6(?:1\.158\.163\.112|0\.213\.48\.250|8\.168\.138\.54)|11(?:1\.224\.250\.7|7\.25\.129\.20)0|84\.22\.140\.186|91\.132\.70\.11)\b)/
#describe KHOP_SC_TOP10  Relay listed in SpamCop top 10 spammer IPs
#score    KHOP_SC_TOP10  2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)


# Bump these up to compensate for expected but absent overlap
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score  KHOP_SC_CIDR8		(0.1)
  score  KHOP_SC_TOP_CIDR8	(0.2)	# RCVD_IN_PBL
  score  KHOP_SC_CIDR16 	(0.8)	# RCVD_IN_PBL
  score  KHOP_SC_TOP_CIDR16	(0.9)	# RCVD_IN_PBL
  score  KHOP_SC_CIDR24 	(0.9)	# RCVD_IN_PBL
  score  KHOP_SC_TOP_CIDR24	(1.5)	# RCVD_IN_PBL ++
  score  KHOP_SC_TOP200 	 4.6	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP100 	 4.7 	# RCVD_IN_BL_SPAMCOP_NET ++
  #score KHOP_SC_TOP20  	 4.8 	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP10  	 4.9 	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif