## khop-sc-neighbors.cf	v 201002520
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
## 
## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
## 
## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
## 
## These rules are Copyright 2001-2009 by Adam Katz <antispamATkhopiscom>
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.


# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:1?89|77|94)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
score    KHOP_SC_CIDR8  0.2 0.1 0.3 0.2

header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:9[25]|190|201)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
score    KHOP_SC_TOP_CIDR8  0.5 0.4 0.8 0.6
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score
#counts  KHOP_SC_TOP_CIDR8  229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP_CIDR8  1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)


# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:09\.184|78\.93)|59\.9[23]|222\.253|94\.179)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75

header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b(?:1(?:2(?:3\.2[37]|1\.247)|90\.24)|92\.(?:47|80))(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
#counts  KHOP_SC_TOP_CIDR16  7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP_CIDR16  33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)


# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:2(?:1(?:1\.60\.219|3\.87\.76)|21\.143\.49)|111\.224\.250|81\.192\.199|93\.91\.196)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
#counts  KHOP_SC_CIDR24  241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_CIDR24  486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_CIDR24  1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_CIDR24  240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_CIDR24  0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09

header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:203\.82\.(?:80|92)|81\.192\.211|121\.54\.32|77\.73\.139|0\.0\.0)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8


# http://www.spamcop.net/w3m?action=hoshame
header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:0(?:2\.(?:1(?:6(?:4\.52\.100|5\.199\.27)|5(?:2\.42|4\.81)\.242|29\.196\.210|42\.153\.21)|4(?:3\.18(?:2\.178|1\.7)|1\.92\.146)|7(?:4\.171\.214|5\.62\.10)|53\.(?:80\.203|79\.74)|62\.122\.118|39\.48\.221|87\.47\.130)|0\.(?:(?:95\.162\.20|54\.72\.3)0|8(?:0\.140\.61|7\.116\.58)|3(?:5\.38\.129|3\.214\.2)|234\.200\.93|49\.183\.202|74\.158\.135|6\.193\.89)|1\.(?:2(?:2(?:0\.232\.61|8\.3\.2)|34\.147\.213|51\.76\.132)|116\.36\.98)|8\.(?:101\.(?:55\.162|61\.60)|46\.105\.195|70\.160\.8)|3\.1(?:76\.142\.137|99\.72\.228)|9\.(?:216\.227\.33|94\.196\.170)|7\.(?:248\.35\.244|57\.90\.161))|1(?:7\.(?:1(?:9(?:8\.160\.218|9\.231\.249)|50\.4(?:1\.16|5\.)5|74\.229\.221|69\.219\.20)|64\.104\.107|76\.2\.129)|1\.(?:2(?:4(?:7\.239\.239|1\.111\.3)|34\.93\.154|02\.2\.97)|(?:105\.37\.5|43\.80\.24)8|60\.219\.183)|2\.(?:1(?:7(?:5\.53\.118|9\.75\.114)|54\.58\.90)|63\.221\.10)|3\.2(?:51\.1(?:34\.138|69\.132)|26\.144\.65)|8\.(?:248\.11\.69|38\.12\.246)|6\.230\.133\.69|9\.95\.129\.206|0\.5\.68\.20)|2(?:2\.(?:124\.198\.131|237\.78\.177)|0\.22(?:7\.154\.244|5\.226\.70)|1\.143\.49\.246))|1(?:9(?:0\.(?:1(?:5(?:6\.232\.132|8\.228\.179|9\.90\.201)|46\.1\.28)|2(?:10\.28\.193|08\.36\.90)|9(?:6\.68\.17|2\.26\.)9|4\.44\.237)|5\.(?:2(?:4\.(?:209\.14|93\.252)|30\.140\.18|2\.107\.1)|1(?:89\.46\.253|28\.56\.20)|95\.223\.25|88\.93\.92)|6\.(?:2(?:20\.57\.60|8\.240\.2)|12\.22(?:6\.220|8\.119))|4\.(?:126\.204\.31|63\.136\.18)|3\.(?:106\.64\.36|227\.98\.4))|2(?:2\.(?:1(?:83\.212\.113|69\.125\.35|55\.1\.174)|252\.234\.74|55\.106\.18)|1\.(?:1\.(?:37\.14[567]|18\.242)|5(?:2\.155\.13|8\.193\.)3)|5\.(?:2(?:35\.128\.246|12\.67\.102)|60\.164\.[25])|3\.(?:237\.123\.193|49\.45\.154)|4\.124\.4(?:3\.32|4\.10)|\.191\.88\.50)|1(?:6\.(?:50\.1(?:54\.130|75\.101)|118\.107\.[34])|0\.(?:139\.148\.109|45\.144\.227)|4\.14(?:3\.230\.162|1\.5\.3)|3\.1(?:62\.70\.74|9\.94\.2)|1\.224\.250\.13[025]|8\.102\.131\.130|5\.133\.151\.85|9\.226\.23\.8)|8(?:6\.2(?:4\.(?:1[6789]|2[0123])\.3|8\.228\.1)|9\.182\.132\.168)|57\.100\.228\.178|40\.111\.153\.4)|6(?:1\.(?:1(?:2\.62\.234|7\.76\.197)|9(?:7\.32\.104|\.6\.245)|4\.104\.38)|2\.(?:14(?:9\.(?:166\.45|226\.69)|2\.11\.3)|77\.221\.54|38\.54\.81)|6\.(?:2(?:3(?:1\.167\.70|5\.160\.11)|42\.21\.64)|46\.179\.10)|0\.25(?:0\.102\.209|4\.104\.18)|4\.76\.123\.98)|8(?:0\.(?:93\.12(?:5\.186|4\.1)|82\.181\.20|237\.31\.1)|5\.(?:11(?:8\.193\.158|3\.203\.82)|235\.164\.166)|3\.1(?:70\.123\.102|3\.218\.106|6\.167\.14)|(?:9\.121\.245\.19|7\.204\.24\.10)0|4\.22\.63\.74)|9(?:1\.121\.1(?:5(?:0\.6|8\.7)|71\.3)0|3\.(?:91\.196\.9[19]|62\.200\.26)|5\.1(?:70\.208\.114|54\.240\.98)|4\.(?:153\.224\.26|23\.37\.55))|7(?:7\.(?:73\.139\.(?:2(?:43)?|3)|246\.179\.13|36\.153\.21)|(?:9\.174\.66\.7|8\.97\.11\.3)5|5\.126\.213\.58)|5(?:8\.(?:6(?:8\.66\.25[012]|9\.225\.234)|248\.4\.67)|9\.163\.26\.211))\b)/
describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
score    KHOP_SC_TOP200  3.4 3.2 3.7 3.5
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
#counts  KHOP_SC_TOP200  1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09
#counts  KHOP_SC_TOP200  4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09
#counts  KHOP_SC_TOP200  1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09
#counts  KHOP_SC_TOP200  1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:1(?:9(?:5\.(?:1(?:89\.46\.253|28\.56\.20)|2(?:30\.140\.18|4\.93\.252))|0\.(?:208\.36\.90|96\.68\.179|146\.1\.28|4\.44\.237)|6\.(?:12\.228\.119|28\.240\.2)|4\.63\.136\.18|3\.227\.98\.4)|2(?:(?:5\.(?:212\.67\.10|60\.164\.)|4\.124\.43\.3)2|1\.(?:1\.(?:37\.14[567]|18\.242)|58\.193\.3)|2\.(?:155\.1\.174|55\.106\.18)|3\.49\.45\.154|\.191\.88\.50)|1(?:1\.224\.250\.13[025]|6\.50\.154\.130|9\.226\.23\.8)|86\.24\.(?:1[6789]|2[0123])\.3|40\.111\.153\.4)|2(?:0(?:2\.(?:4(?:1\.92\.146|3\.181\.7)|15(?:2\.42|4\.81)\.242|62\.122\.118|74\.171\.214|87\.47\.130)|0\.(?:234\.200\.93|80\.140\.61|33\.214\.2|54\.72\.30)|8\.(?:101\.55\.162|46\.105\.195)|9\.(?:216\.227\.33|94\.196\.170)|1\.220\.232\.61|3\.199\.72\.228)|1(?:(?:1\.247\.239\.23|6\.230\.133\.6)9|7\.(?:174\.229\.221|76\.2\.129)|2\.1(?:75\.53\.118|54\.58\.90)|3\.251\.134\.138)|22\.(?:124\.198\.131|237\.78\.177))|6(?:1\.(?:9(?:7\.32\.104|\.6\.245)|4\.104\.38)|6\.(?:235\.160\.11|46\.179\.10)|2\.38\.54\.81)|8(?:(?:3\.16\.167\.1|4\.22\.63\.7)4|5\.118\.193\.158|0\.93\.124\.1)|9(?:1\.121\.150\.60|5\.154\.240\.98|3\.91\.196\.91|4\.23\.37\.55)|(?:59\.163\.26\.21|77\.36\.153\.2)1)\b)/
#describe KHOP_SC_TOP100  Relay listed in SpamCop top 100 spammer IPs
#score    KHOP_SC_TOP100  1.4 1.3 1.8 1.7
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score
#counts  KHOP_SC_TOP100  2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts  KHOP_SC_TOP100  5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts  KHOP_SC_TOP100  6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts  KHOP_SC_TOP100  2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts  KHOP_SC_TOP100  1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)

#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:2(?:0(?:1\.251\.76\.132|2\.39\.48\.221|0\.6\.193\.89)|1(?:1\.2(?:41\.111\.3|02\.2\.97)|7\.169\.219\.20))|9(?:1\.121\.158\.70|3\.91\.196\.99)|60\.250\.102\.209|77\.246\.179\.13)\b)/
#describe KHOP_SC_TOP20  Relay listed in SpamCop top 20 spammer IPs
#score    KHOP_SC_TOP20  1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:2(?:1(?:1\.(?:234\.93\.154|60\.219\.183)|2\.63\.221\.10)|21\.143\.49\.246|07\.57\.90\.161)|11(?:0\.45\.144\.227|4\.141\.5\.3)|62\.149\.(?:166\.45|226\.69)|77\.73\.139\.2)\b)/
#describe KHOP_SC_TOP10  Relay listed in SpamCop top 10 spammer IPs
#score    KHOP_SC_TOP10  2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)


# Bump these up to compensate for expected but absent overlap
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score  KHOP_SC_CIDR8		(0.1)
  score  KHOP_SC_TOP_CIDR8	(0.2)	# RCVD_IN_PBL
  score  KHOP_SC_CIDR16 	(0.8)	# RCVD_IN_PBL
  score  KHOP_SC_TOP_CIDR16	(0.9)	# RCVD_IN_PBL
  score  KHOP_SC_CIDR24 	(0.9)	# RCVD_IN_PBL
  score  KHOP_SC_TOP_CIDR24	(1.5)	# RCVD_IN_PBL ++
  score  KHOP_SC_TOP200 	 4.6	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP100 	 4.7 	# RCVD_IN_BL_SPAMCOP_NET ++
  #score KHOP_SC_TOP20  	 4.8 	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP10  	 4.9 	# RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif