## khop-sc-neighbors.cf v 201001311
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
##
## Spamassassin rules written by Adam Katz
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
##
## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
##
## These rules are Copyright 2001-2009 by Adam Katz
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.

# NOTE(review): every rule in this file is a static regex snapshot of SpamCop
# listings (file version "v 201001311"; the embedded QA counts are dated
# 05/25/09). Nothing here refreshes the lists, so the scores are only as good
# as the last update pulled from the sa-update channel named above. Confirm
# that channel still publishes current data before relying on these rules,
# because listed addresses are reassigned over time.
#
# NOTE(review): the patterns are applied to raw "Received" header text. That
# text includes hops written by the sending side, so a match does not prove
# the connecting relay is listed. Any address in the chain, including the
# original submitting client, can trigger a hit. SpamAssassin also exposes
# parsed relay data (the X-Spam-Relays-External / X-Spam-Relays-Untrusted
# pseudo-headers). Moving to those would need the patterns regenerated for
# that text format, so treat it as a generator change, not a hand edit.
#
# The "(?-xism:...)" wrapper looks like Perl's stringified compiled regex,
# i.e. generator output. The octet sub-pattern "[012]?[0-9]{1,2}" accepts any
# 1-3 digit group with a leading 0-2 (for example 299), so it is a loose
# shape match, not a strict IPv4 validator.
#
# A "score" line with four values gives one score per SpamAssassin score set
# (network tests off/on crossed with Bayes off/on).

# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
# Matches first octet 200, 77, 89 or 95 followed by three dotted digit groups.
# The description says "top 8", but this pattern holds four /8 prefixes.
# Presumably the other four are the ones in KHOP_SC_TOP_CIDR8 below.
header KHOP_SC_CIDR8 Received =~ /(?-xism:\b(?:200|77|89|95)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_CIDR8 Relay listed in SpamCop top 8 IP/8 CIDRs
score KHOP_SC_CIDR8 0.2 0.1 0.3 0.2
# Matches first octet 189, 190, 201 or 93 followed by three dotted digit groups.
header KHOP_SC_TOP_CIDR8 Received =~ /(?-xism:\b(?:1(?:89|90)|201|93)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_TOP_CIDR8 Relay listed in SpamCop top 4 IP/8 CIDRs
score KHOP_SC_TOP_CIDR8 0.5 0.4 0.8 0.6
# NOTE(review): whole /8 networks are matched, and the QA figures below show
# a non-zero ham hit rate (0.5009%h; 108 ham hits in the "jm" corpus). Keep
# this rule a low-weight hint rather than a deciding signal.
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score
#counts KHOP_SC_TOP_CIDR8 229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP_CIDR8 457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP_CIDR8 22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP_CIDR8 205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP_CIDR8 1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)

# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
# Matches six /16 prefixes (122.163, 122.164, 117.197, 59.92, 59.94, 95.30)
# followed by two dotted digit groups.
header KHOP_SC_CIDR16 Received =~ /(?-xism:\b(?:1(?:22\.16[34]|17\.197)|59\.9[24]|95\.30)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_CIDR16 Relay listed in SpamCop top 12 IP/16 CIDRs
score KHOP_SC_CIDR16 0.6 0.5 0.9 0.75
# Matches six /16 prefixes (123.23, 123.27, 121.247, 113.22, 222.254, 93.41)
# followed by two dotted digit groups.
header KHOP_SC_TOP_CIDR16 Received =~ /(?-xism:\b(?:1(?:2(?:3\.2[37]|1\.247)|13\.22)|222\.254|93\.41)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16 Relay listed in SpamCop top 6 IP/16 CIDRs
score KHOP_SC_TOP_CIDR16 0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
#counts KHOP_SC_TOP_CIDR16 7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP_CIDR16 14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP_CIDR16 845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP_CIDR16 6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP_CIDR16 33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)

# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
# Matches six /24 prefixes followed by one dotted digit group.
header KHOP_SC_CIDR24 Received =~ /(?-xism:\b(?:2(?:13\.176\.23[01]|03\.82\.92)|64\.187\.119|195\.46\.33|93\.186\.96)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_CIDR24 Relay listed in SpamCop top 12 IP/24 CIDRs
score KHOP_SC_CIDR24 0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
#counts KHOP_SC_CIDR24 241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_CIDR24 486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_CIDR24 1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_CIDR24 240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_CIDR24 0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# NOTE(review): the last alternative below, "0\.0\.0", matches 0.0.0.x, which
# is not a routable source network. Presumably it is an artifact of the
# source data. Verify it against the generator, since a placeholder 0.0.0.0
# in a Received line would fire this rule.
# No QA counts accompany this rule, although it has the highest score of the
# CIDR rules.
header KHOP_SC_TOP_CIDR24 Received =~ /(?-xism:\b(?:77\.24(?:1\.45|4\.40)|193\.108\.38|89\.251\.107|203\.82\.91|0\.0\.0)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_TOP_CIDR24 Relay listed in SpamCop top 6 IP/24 CIDRs
score KHOP_SC_TOP_CIDR24 1.7 1.5 1.9 1.8

# http://www.spamcop.net/w3m?action=hoshame
# Single-address list: each alternative below is one full IPv4 address.
# NOTE(review): this is a frozen copy of data that the live
# RCVD_IN_BL_SPAMCOP_NET lookup serves (see the "assumed overlap" line below).
# Where the DNS check is available the two scores stack, and this copy does
# not expire when an address is delisted upstream.
header KHOP_SC_TOP200 Received =~ /(?-xism:\b(?:1(?:9(?:5\.(?:2(?:3(?:8\.108\.131|0\.140\.18)|4\.93\.252|2\.107\.1)|1(?:8(?:4\.210\.38|9\.45\.11)|61\.9\.2)|78\.104\.253)|3\.(?:1(?:08\.38\.(?:2(?:2[89]|3[01])|181)|11\.156\.182|6\.45\.254)|227\.98\.4)|0\.(?:1(?:04\.159\.245|44\.54\.82)|220\.134\.58|41\.219\.177)|4\.(?:79\.21\.1(?:36|42|63|78)|50\.125\.26)|6\.(?:12\.226\.22|40\.10\.25)0)|2(?:2\.(?:1(?:60\.251\.30|83\.222\.34)|5(?:2\.170\.51|5\.106\.18)|252\.234\.74|3\.172\.37)|1\.(?:1\.(?:37\.14[567]|18\.250)|242\.109\.66)|4\.124\.(?:4(?:3\.32|4\.11)|214\.243|66\.114)|3\.254\.71\.71|5\.18\.138\.34|\.191\.88\.50)|1(?:1\.(?:224\.250\.(?:13[45]|66)|125\.78\.140)|(?:0\.172\.179\.|8\.96\.8\.16)3|7\.(?:25\.129\.200|120\.26\.18)|9\.6(?:8\.182\.130|4\.100\.2)|4\.143\.2\.244|6\.14\.150\.22)|8(?:(?:7\.7\.233\.20|9\.80\.178\.2)0|6\.24\.(?:1[6789]|2[0123])\.3|8\.128\.(?:118\.180|32\.242))|7(?:3\.12\.133\.210|4\.51\.89\.104)|(?:65\.132\.230|09\.72\.112)\.253|48\.243\.142\.24)|2(?:0(?:0\.(?:1(?:1(?:1\.108\.154|9\.240\.243)|50\.44\.4)|(?:42\.174\.10|6\.193\.8)9|27\.119\.130|30\.70\.202|80\.140\.61|95\.162\.53)|2\.(?:43\.18(?:2\.178|1\.7)|164\.44\.180|53\.77\.226|75\.37\.125)|1\.(?:1(?:44\.87\.36|95\.11\.34)|219\.3\.36)|3\.(?:82\.91\.10[14]|199\.72\.228)|9\.(?:129\.155\.253|94\.196\.170))|1(?:7\.(?:1(?:50\.(?:4(?:1\.16|5\.)5|56\.133)|99\.231\.249)|27\.150\.198|64\.104\.107|76\.204\.62)|(?:2\.(?:179\.130\.25|55\.66\.17)|8\.233\.189\.3)0|3\.(?:168\.32\.2|79\.125\.1)22|9\.25(?:2\.48\.67|4\.35\.45)|1\.24\.209\.253|6\.230\.133\.69)|20\.225\.(?:226\.70|91\.194))|8(?:9\.(?:2(?:5(?:1\.107\.(?:2[0125]|30)|\.77\.78)|1\.(?:93\.154|73\.2)|06\.152\.226)|1(?:05\.128\.3[23458]|89\.170\.2[156]|15\.25\.21))|2\.1(?:93\.1(?:(?:40\.16|55\.22)4|39\.226)|(?:44\.169\.19|14\.85\.1)4|50\.35\.218)|0\.(?:93\.12(?:5\.186|6\.10|4\.1)|84\.184\.126|78\.216\.24|2\.65\.127)|4\.(?:7(?:8\.223\.130|7\.48\.17)|17\.11\.114)|3\.14(?:(?:9\.17\.4|3\.32\.)2|2\.111\.228)|5\.(?:234\.16\.24[1234]|30\.67\.154)|1\.(?:198\.163\.194|201\.60\.169)|7\.2(?:26\.222\.22|42\.3\.1)|6\.64\.139\.27|8\.146\.206\.1)|9(?:1\.(?:19(?:3\.(?:253\.233|175\.32)|7\.(?:127\.2|5\.1)|4\.235\.54)|20(?:2\.8(?:6\.80|\.38)|3\.140\.32|6\.148\.54)|67\.82\.32)|3\.(?:1(?:86\.96\.150|22\.135\.4)|91\.196\.99)|2\.(?:125\.202\.61|86\.26\.74)|4\.25\.(?:10\.66|3\.10)|8\.126\.177\.8)|6(?:2\.(?:3(?:3\.188\.17|8\.54\.81)|193\.144\.194)|1\.(?:1(?:00\.228\.1|7\.76\.197)|4\.104\.38)|4\.(?:187\.119\.(?:9[89]|101)|76\.123\.98)|7\.181\.106\.181|0\.213\.48\.250)|7(?:7\.(?:2(?:32\.141\.61|44\.40\.82)|76\.144\.11[04]|109\.9\.10|52\.172\.1)|8\.(?:38\.132\.101|56\.5\.75))|41\.204\.190\.12)\b)/
describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs
score KHOP_SC_TOP200 3.4 3.2 3.7 3.5
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
#counts KHOP_SC_TOP200 1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09
#counts KHOP_SC_TOP200 4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09
#counts KHOP_SC_TOP200 1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09
#counts KHOP_SC_TOP200 1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# The TOP100, TOP20 and TOP10 rules below are disabled: their header, describe
# and score lines are all commented out, so they do not contribute to scoring.
#header KHOP_SC_TOP100 Received =~ /(?-xism:\b(?:1(?:9(?:3\.1(?:08\.38\.(?:2(?:2[89]|30)|181)|11\.156\.182|6\.45\.254)|5\.(?:2(?:38\.108\.13|2\.107\.)|189\.45\.1)1|4\.79\.21\.1(?:42|78))|2(?:1\.(?:1\.37\.14[567]|242\.109\.66)|2\.(?:183\.222\.3|252\.234\.7)4|4\.124\.(?:66\.114|44\.11)|\.191\.88\.50)|8(?:6\.24\.(?:1[6789]|2[0123])\.3|8\.128\.(?:118\.180|32\.242)|7\.7\.233\.200)|1(?:1\.224\.250\.135|4\.143\.2\.244|7\.120\.26\.18|9\.64\.100\.2)|74\.51\.89\.104)|8(?:9\.(?:2(?:5(?:1\.107\.2[0125]|\.77\.78)|06\.152\.226|1\.73\.2)|105\.128\.35)|(?:7\.226\.222\.2|3\.149\.17\.4)2|1\.(?:198\.163\.194|201\.60\.169)|4\.(?:78\.223\.130|17\.11\.114)|5\.234\.16\.24[23]|2\.144\.169\.194|6\.64\.139\.27)|2(?:1(?:7\.(?:150\.56\.133|27\.150\.198|76\.204\.62)|1\.24\.209\.253|3\.168\.32\.222|6\.230\.133\.69|2\.55\.66\.170)|0(?:0\.(?:111\.108\.154|27\.119\.130|30\.70\.202|80\.140\.61)|2\.(?:75\.37\.125|43\.181\.7)))|9(?:1\.(?:19(?:(?:3\.175\.3|7\.127\.)2|4\.235\.54)|202\.8\.38|67\.82\.32)|4\.25\.3\.10)|6(?:2\.(?:193\.144\.194|38\.54\.81)|0\.213\.48\.250|1\.4\.104\.38)|7(?:7\.76\.144\.110|8\.38\.132\.101)|41\.204\.190\.12)\b)/
#describe KHOP_SC_TOP100 Relay listed in SpamCop top 100 spammer IPs
#score KHOP_SC_TOP100 1.4 1.3 1.8 1.7
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score
#counts KHOP_SC_TOP100 2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP100 5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP100 6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP100 2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP100 1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)
#header KHOP_SC_TOP20 Received =~ /(?-xism:\b(?:2(?:0(?:9\.94\.196\.170|0\.6\.193\.89)|17\.150\.4(?:1\.16|5\.)5)|1(?:24\.124\.43\.32|93\.227\.98\.4)|8(?:2\.114\.85\.14|3\.143\.32\.2)|9(?:3\.91\.196\.99|1\.197\.5\.1))\b)/
#describe KHOP_SC_TOP20 Relay listed in SpamCop top 20 spammer IPs
#score KHOP_SC_TOP20 1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)
#header KHOP_SC_TOP10 Received =~ /(?-xism:\b(?:2(?:03\.82\.91\.10[14]|17\.199\.231\.249)|19(?:3\.108\.38\.231|5\.230\.140\.18)|8(?:9\.251\.107\.3|0\.93\.126\.1)0|64\.187\.119\.9[89]|98\.126\.177\.8)\b)/
#describe KHOP_SC_TOP10 Relay listed in SpamCop top 10 spammer IPs
#score KHOP_SC_TOP10 2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# Bump these up to compensate for expected but absent overlap
# This block applies only when the DNSEval plugin is not loaded, i.e. the
# DNSBL rules named in the trailing comments cannot fire. Parenthesised values
# are relative adjustments added to the scores set earlier in this file. The
# bare 4.6 on KHOP_SC_TOP200 is an absolute replacement.
# NOTE(review): without the live DNSBL as a cross-check, this is where the
# stale static lists carry the most weight. KHOP_SC_TOP200 alone (4.6) sits
# just under SpamAssassin's stock required_score of 5.0, and
# KHOP_SC_TOP_CIDR24 rises to roughly 3.0-3.4. One further low-scoring rule
# would then tip a message over the threshold. Review these values against
# local false-positive tolerance.
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score KHOP_SC_CIDR8 (0.1)
  score KHOP_SC_TOP_CIDR8 (0.2) # RCVD_IN_PBL
  score KHOP_SC_CIDR16 (0.8) # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR16 (0.9) # RCVD_IN_PBL
  score KHOP_SC_CIDR24 (0.9) # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR24 (1.5) # RCVD_IN_PBL ++
  score KHOP_SC_TOP200 4.6 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP100 4.7 # RCVD_IN_BL_SPAMCOP_NET ++
  #score KHOP_SC_TOP20 4.8 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP10 4.9 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif