## khop-sc-neighbors.cf v 2009121423
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
##
## Spamassassin rules written by Adam Katz
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
##
## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
##
## These rules are Copyright 2001-2009 by Adam Katz
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.

# Purpose: static SpamAssassin header rules that regex-match IPv4 addresses and
# /8, /16, /24 prefixes taken from SpamCop's "top offender" listings, and add
# a spam score when one of them appears in a Received header.
#
# Reading the rules:
#  - Each rule is a header/describe/score triple sharing one symbolic name.
#  - (?-xism:...) is how Perl prints a compiled regex: the x, i, s and m
#    modifiers are all switched off inside the group.
#  - Four score values are SpamAssassin's four score sets, in order:
#    Bayes off/net off, Bayes off/net on, Bayes on/net off, Bayes on/net on.
#  - The octet pattern [012]?[0-9]{1,2} accepts one to three digits up to 299
#    (and zero-padded forms), so it is looser than a strict 0-255 check.
#
# NOTE(review): the version stamp looks like a YYYYMMDDHH snapshot (2009-12-14)
# and the corpus counts below are dated 05/25/09. IP reputation moves quickly
# and these lists are frozen in the file; confirm the channel is still being
# regenerated before relying on the scores.
#
# NOTE(review): F4AD9292 in the sa-update line above is an 8-hex-digit short
# key ID. Short IDs can collide, so check the channel key's full fingerprint
# obtained out of band before importing it.
#
# NOTE(review): every rule is a plain "header ... Received =~" regex, so it is
# tested against Received header text rather than against SpamAssassin's parsed
# trusted/external relay data. An address in any hop can hit, including the
# original client behind a legitimate smarthost or a Received line the sender
# wrote. Confirm this is intended before raising any score.

# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
# Whole /8 networks: first octet 117, 122, 200 or 59, followed by three octets.
header KHOP_SC_CIDR8 Received =~ /(?-xism:\b(?:1(?:17|22)|200|59)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_CIDR8 Relay listed in SpamCop top 8 IP/8 CIDRs
score KHOP_SC_CIDR8 0.2 0.1 0.3 0.2

# Whole /8 networks: first octet 123, 189, 190 or 201.
# The ruleqa line below records ham hits (0.5009%h) for this rule, which is the
# expected cost of matching an entire /8.
header KHOP_SC_TOP_CIDR8 Received =~ /(?-xism:\b(?:1(?:23|89|90)|201)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_TOP_CIDR8 Relay listed in SpamCop top 4 IP/8 CIDRs
score KHOP_SC_TOP_CIDR8 0.5 0.4 0.8 0.6
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score
#counts KHOP_SC_TOP_CIDR8 229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP_CIDR8 457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP_CIDR8 22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP_CIDR8 205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP_CIDR8 1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)

# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
# /16 networks: two fixed octets followed by two free octets.
header KHOP_SC_CIDR16 Received =~ /(?-xism:\b(?:1(?:22\.1(?:62|73)|90\.253)|59\.9[24]|222\.254)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_CIDR16 Relay listed in SpamCop top 12 IP/16 CIDRs
score KHOP_SC_CIDR16 0.6 0.5 0.9 0.75

header KHOP_SC_TOP_CIDR16 Received =~ /(?-xism:\b1(?:1(?:3\.(?:169|22)|7\.197)|2(?:3\.2[37]|1\.247))(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16 Relay listed in SpamCop top 6 IP/16 CIDRs
score KHOP_SC_TOP_CIDR16 0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
#counts KHOP_SC_TOP_CIDR16 7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP_CIDR16 14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP_CIDR16 845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP_CIDR16 6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP_CIDR16 33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)

# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
# /24 networks: three fixed octets followed by one free octet.
header KHOP_SC_CIDR24 Received =~ /(?-xism:\b(?:2(?:0(?:2\.75\.37|3\.82\.80)|19\.254\.35)|9(?:3\.186\.224|8\.126\.177)|121\.54\.32)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_CIDR24 Relay listed in SpamCop top 12 IP/24 CIDRs
score KHOP_SC_CIDR24 0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
#counts KHOP_SC_CIDR24 241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_CIDR24 486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_CIDR24 1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_CIDR24 240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_CIDR24 0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09

# NOTE(review): the last alternative in this rule is 0\.0\.0, i.e. 0.0.0.x.
# That is not a routable sender network and looks like an artifact of the
# source listing. It would also hit a Received line that records an
# unspecified address such as 0.0.0.0. Verify against the generator's input.
header KHOP_SC_TOP_CIDR24 Received =~ /(?-xism:\b(?:1(?:11\.224\.250|21\.1\.37)|203\.82\.9[12]|72\.21\.6|0\.0\.0)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_TOP_CIDR24 Relay listed in SpamCop top 6 IP/24 CIDRs
score KHOP_SC_TOP_CIDR24 1.7 1.5 1.9 1.8

# http://www.spamcop.net/w3m?action=hoshame
# Individual addresses: one alternation of complete four-octet IPs, factored by
# common prefix. This is the only single-address rule left enabled in the file.
header KHOP_SC_TOP200 Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:2(?:7\.1(?:19\.130|38\.74)|1\.184\.66)|6(?:8\.117\.197|\.193\.89)|141\.87\.135|76\.129\.133|80\.140\.61)|2\.(?:1(?:81\.234\.218|64\.44\.180)|75\.37\.(?:125|227)|31\.135\.52|87\.47\.130)|3\.(?:1(?:13\.118\.18|93\.187\.66)|82\.(?:91\.10[14]|79\.107)|217\.145\.80)|8\.(?:101\.55\.162|89\.219\.153|233\.32\.8)|9\.(?:239\.(?:35\.12|47\.20)5|94\.196\.170)|4\.2(?:27\.175\.2|00\.166\.)36|1\.161\.22\.77|7\.57\.121\.29)|1(?:1\.(?:1(?:9(?:1\.174\.141|8\.225\.206)|19\.98\.147)|2(?:39\.16(?:2\.41|3\.13)|02\.2\.97)|43\.80\.248)|7\.(?:1(?:6(?:9\.213\.246|\.69\.8)|99\.231\.249|45\.1\.16)|64\.104\.107|73\.31\.11)|3\.(?:2(?:51\.1(?:34\.138|69\.132)|27\.219\.58)|140\.0\.221)|0\.2(?:12\.180\.162|45\.122\.38|53\.114\.57)|6\.(?:230\.133\.69|150\.32\.34)|2\.150\.22\.143|8\.38\.12\.246|9\.254\.35\.45)|2(?:0\.(?:2(?:25\.117\.249|41\.246\.97)|9(?:0\.136\.61|5\.232\.26))|2\.(?:2(?:37\.78\.177|52\.223\.2)|122\.1(?:56\.30|97\.38))|1\.1(?:3(?:5\.132\.14|9\.0\.97)|43\.4(?:3\.204|8\.107))))|1(?:9(?:5\.(?:2(?:25\.46\.236|05\.141\.3|4\.209\.14)|1(?:58\.5\.12|61\.9\.)2|95\.228\.150)|0\.(?:2(?:4\.(?:150\.185|218\.149)|7\.214\.130|04\.66\.59)|65\.170\.206)|(?:3\.108\.38\.22|4\.63\.136\.1)8|6\.207\.237\.130|2\.220\.65\.106|9\.239\.229\.13)|2(?:2\.(?:16(?:0\.(?:99\.2(?:38|42)|208\.62)|6\.15\.115)|(?:252\.231\.1|55\.106\.)4)|1\.(?:1(?:\.(?:37\.14[567]|18\.242)|43\.193\.179)|242\.79\.66)|4\.(?:2(?:17\.19(?:8\.233|9\.142)|47\.194\.48)|124\.39\.106)|5\.46\.73\.179)|1(?:9\.(?:4(?:0\.98\.34|6\.26\.93)|93\.105\.5)|8\.1(?:02\.181\.250|75\.6\.138)|1\.224\.250\.(?:6[56]|132|70)|4\.141\.(?:22\.65|5\.3)|6\.193\.163\.138|0\.172\.152\.47|7\.25\.129\.200|5\.68\.2\.15)|8(?:6\.2(?:4\.(?:1[6789]|2[013])\.3|8\.228\.1)|9\.1(?:12\.218\.23|\.168\.4)4)|(?:4(?:8\.243\.142\.2|0\.111\.153\.)|58\.170\.64\.7)4|6(?:8\.143\.(?:17\.100|44\.181)|1\.58\.28\.39)|38\.210\.136\.199)|9(?:1\.(?:1(?:21\.(?:1(?:05\.224|36\.218)|(?:74\.10|66\.5)5|83\.216)|96\.96\.67)|210\.148\.172|92\.230\.227)|4\.(?:23(?:\.(?:12\.122|25\.83|37\.55)|0\.166\.5)|102\.11\.56)|5\.1(?:72\.103\.251|54\.240\.98)|3\.(?:122\.135\.4|91\.196\.99)|6\.45\.176\.153|2\.63\.240\.36|8\.126\.177\.8)|6(?:7\.(?:22(?:5\.17(?:7\.110|9\.86)|8\.26\.146)|43\.56\.15)|1\.1(?:00\.1(?:2\.193|4\.234)|58\.163\.112|9\.120\.35)|6\.(?:177\.148\.62|46\.179\.10)|2\.1(?:68\.168\.185|42\.11\.3)|0\.213\.48\.250|5\.167\.95\.182)|8(?:(?:4\.(?:22\.140\.18|51\.241\.)|2\.98\.132\.21|9\.200\.168\.3)6|0\.(?:(?:235\.105\.14|179\.155\.3)0|93\.125\.186|55\.84\.242)|3\.1(?:6\.1(?:49\.50|67\.14)|8\.234\.166|9\.164\.58)|7\.237\.233\.2|5\.21\.9\.4)|7(?:7\.(?:105\.133\.10|236\.64\.198|70\.54\.81)|(?:1\.249\.193\.3|5\.126\.138\.4)2|2\.(?:21\.6\.2[23]|52\.239\.50)|4\.(?:63\.57\.79|7\.71\.220)|9\.171\.120\.23)|5(?:8\.(?:1(?:20\.227\.149|8\.168\.166)|2(?:6\.100\.250|48\.4\.67)|68\.(?:66\.25[012]|4\.18))|9\.160\.177\.27))\b)/
describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs
score KHOP_SC_TOP200 3.4 3.2 3.7 3.5
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
#counts KHOP_SC_TOP200 1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09
#counts KHOP_SC_TOP200 4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09
#counts KHOP_SC_TOP200 1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09
#counts KHOP_SC_TOP200 1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# The TOP100, TOP20 and TOP10 rules below are commented out, so they are
# inactive. Presumably their addresses are covered by KHOP_SC_TOP200; verify
# against the generator before re-enabling any of them.
#header KHOP_SC_TOP100 Received =~ /(?-xism:\b(?:2(?:1(?:1\.(?:2(?:39\.16(?:2\.41|3\.13)|02\.2\.97)|1(?:98\.225\.206|19\.98\.147))|3\.(?:2(?:51\.134\.13|27\.219\.5)8|140\.0\.221)|7\.16(?:9\.213\.246|\.69\.8)|0\.253\.114\.57|2\.150\.22\.143|6\.230\.133\.69)|0(?:(?:2\.181\.234\.2|3\.113\.118\.)18|8\.(?:89\.219\.153|233\.32\.8)|0\.(?:27\.138\.74|6\.193\.89)|4\.227\.175\.236|9\.239\.47\.205|7\.57\.121\.29)|2(?:1\.1(?:3(?:5\.132\.14|9\.0\.97)|43\.48\.107)|0\.(?:225\.117\.249|95\.232\.26)|2\.237\.78\.177))|1(?:1(?:(?:9\.93\.105\.|5\.68\.2\.1)5|1\.224\.250\.(?:132|65|70)|8\.175\.6\.138|4\.141\.5\.3)|(?:4(?:8\.243\.142\.2|0\.111\.153\.)|89\.1(?:12\.218\.23|\.168\.4))4|9(?:5\.2(?:25\.46\.236|05\.141\.3)|9\.239\.229\.13|4\.63\.136\.18)|2(?:1\.1\.37\.14[567]|4\.217\.199\.142|2\.166\.15\.115)|6(?:8\.143\.17\.100|1\.58\.28\.39))|9(?:1\.(?:1(?:21\.(?:1(?:05\.224|36\.218)|83\.216|66\.55)|96\.96\.67)|92\.230\.227)|6\.45\.176\.153|3\.91\.196\.99|4\.23\.12\.122)|7(?:7\.(?:105\.133\.10|236\.64\.198)|2\.(?:52\.239\.50|21\.6\.22)|5\.126\.138\.42|9\.171\.120\.23|4\.7\.71\.220)|8(?:0\.(?:235\.105\.14|179\.155\.3)0|3\.1(?:8\.234\.166|6\.149\.50)|4\.22\.140\.186|7\.237\.233\.2|5\.21\.9\.4)|6(?:1\.100\.1(?:2\.193|4\.234)|7\.225\.17(?:7\.110|9\.86)|0\.213\.48\.250)|5(?:8\.26\.100\.250|9\.160\.177\.27))\b)/
#describe KHOP_SC_TOP100 Relay listed in SpamCop top 100 spammer IPs
#score KHOP_SC_TOP100 1.4 1.3 1.8 1.7
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score
#counts KHOP_SC_TOP100 2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP100 5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP100 6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP100 2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP100 1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)

#header KHOP_SC_TOP20 Received =~ /(?-xism:\b(?:9(?:1\.(?:210\.148\.172|121\.74\.105)|5\.154\.240\.98)|1(?:24\.217\.198\.233|68\.143\.44\.181)|2(?:08\.101\.55\.162|20\.241\.246\.97)|58\.(?:120\.227\.149|248\.4\.67)|66\.46\.179\.10)\b)/
#describe KHOP_SC_TOP20 Relay listed in SpamCop top 20 spammer IPs
#score KHOP_SC_TOP20 1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header KHOP_SC_TOP10 Received =~ /(?-xism:\b(?:2(?:0(?:3\.82\.91\.10[14]|4\.200\.166\.36|1\.161\.22\.77)|1(?:(?:1\.191\.174\.14|7\.73\.31\.1)1|9\.254\.35\.45))|9(?:8\.126\.177\.8|4\.23\.25\.83)|72\.21\.6\.23)\b)/
#describe KHOP_SC_TOP10 Relay listed in SpamCop top 10 spammer IPs
#score KHOP_SC_TOP10 2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# Bump these up to compensate for expected but absent overlap
# This block applies only when the DNSEval plugin is NOT loaded, i.e. when the
# DNSBL rules named in the trailing comments cannot fire alongside these.
# A score in parentheses is a relative adjustment added to the scores set
# above; a bare number replaces them outright.
# NOTE(review): KHOP_SC_TOP200 becomes an absolute 4.6 here. With
# SpamAssassin's default required_score of 5.0, one match against this frozen
# address list is nearly enough on its own to classify a message as spam.
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score KHOP_SC_CIDR8 (0.1)
  score KHOP_SC_TOP_CIDR8 (0.2) # RCVD_IN_PBL
  score KHOP_SC_CIDR16 (0.8) # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR16 (0.9) # RCVD_IN_PBL
  score KHOP_SC_CIDR24 (0.9) # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR24 (1.5) # RCVD_IN_PBL ++
  score KHOP_SC_TOP200 4.6 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP100 4.7 # RCVD_IN_BL_SPAMCOP_NET ++
  #score KHOP_SC_TOP20 4.8 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP10 4.9 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif