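## khop-sc-neighbors.cf v 2010032810
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
##
## Spamassassin rules written by Adam Katz
##   http://khopesh.com/Anti-spam
##   khopesh on irc://irc.freenode.net/#spamassassin
##
##   sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
##
## These rules are Copyright 2001-2009 by Adam Katz
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.
##
## Frequent updates are needed for these rules, so they are marked 'nopublish'
## This keeps them from being automatically promoted to SpamAssassin proper
## from the testing system, which affirms their usefulness.  You can check
## their efficiency at http://ruleqa.spamassassin.org/?rule=/KHOP_SC

# NOTE(review): F4AD9292 above is a short (8 hex digit) key ID. Short IDs are
# collision-prone, so confirm the key's full fingerprint through a separate
# trusted channel before trusting it to sign updates for this channel.
#
# NOTE(review): every address range below is a point-in-time snapshot (file
# version 2010032810). Without the channel's updates the lists go stale, and
# the higher-scored rules can then produce false positives on addresses that
# have since been reassigned.

# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
# Due to the massive block size, this rule only examines the last untrusted
# relay: the leading ^[^]]* keeps the match inside the first bracketed entry
# of X-Spam-Relays-Untrusted.
header   KHOP_SC_CIDR8  X-Spam-Relays-Untrusted =~ /^[^]]* (?:by|ip)=(?-xism:\b(?:9[24]|117|89)(?:\.[012]?\d{1,2}){3}\b) /
describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
tflags   KHOP_SC_CIDR8  nopublish
score    KHOP_SC_CIDR8  0.1 0.01 0.1 0.01
# 12.3692/1.0099 spam/ham, 0.925 s/o @ 20100211. .2 .1 .3 .2 -> .1 .01 .1 .01
# 8.9412/1.1532 spam/ham, 0.886 s/o @ 20100325.

# Due to the massive block size, this rule only examines untrusted relays
header   KHOP_SC_TOP_CIDR8  X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?-xism:\b(?:1(?:22|90)|201|95)(?:\.[012]?\d{1,2}){3}\b) /
describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
tflags   KHOP_SC_TOP_CIDR8  nopublish
score    KHOP_SC_TOP_CIDR8  0.6 0.5 0.8 0.5
# notable overlap: 98% overlap w/ BRBL (14% return), 84% w/ PBL (17% return)
# 15.6795/0.1173 spam/ham, 0.993 s/o @ 20100211. .5 .4 .8 .6 -> .6 .5 .8 .5
# 11.0578/0.3614 spam/ham, 0.968 s/o @ 20100325.

# NOTE(review): the KHOP_SC_CIDR16/24 and KHOP_SC_TOP200 rules below match the
# raw Received headers rather than the parsed relay list. That includes hops
# beyond the trust boundary, whose text the sender controls, and any dotted
# number in the header that happens to look like a listed address. These rules
# only add score, so the practical risk is false positives; weigh that before
# raising their scores.

# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:2(?:2\.16[48]|3\.238)|13\.22)|41\.140|59\.92)(?:\.[012]?\d{1,2}){2}\b)/
describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
tflags   KHOP_SC_CIDR16  nopublish
score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75
# 0.7444/0.0129 spam/ham, 0.983 s/o @ 20100211
# 0.5943/0.0139 spam/ham, 0.977 s/o @ 20100325

header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b(?:1(?:8[36]\.8|23\.2)7|9(?:2\.47|3\.41)|41\.141)(?:\.[012]?\d{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
tflags   KHOP_SC_TOP_CIDR16  nopublish
score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)
# 0.8862/0.0008 spam/ham, 0.999 s/o @ 20100211
# 0.5738/0.0008 spam/ham, 0.999 s/o @ 20100325

# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:2(?:0(?:3\.82\.(?:81|94)|5\.209\.97)|12\.63\.221)|189\.112\.218|72\.21\.6)\.[012]?\d{1,2}\b)/
describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
tflags   KHOP_SC_CIDR24  nopublish
score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
# 0.1350/0 spam/ham, 1.000 s/o @ 20100211
# 0.0798/0 spam/ham, 1.000 s/o @ 20100325

header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:2(?:03\.82\.(?:80|92)|13\.163\.116)|1(?:11\.224\.250|73\.45\.96)|61\.19\.71)\.[012]?\d{1,2}\b)/
describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
tflags   KHOP_SC_TOP_CIDR24  nopublish
score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8
# 0.2528/0.0092 spam/ham, 0.965 s/o @ 20100211
# 0.2231/0.0112 spam/ham, 0.952 s/o @ 20100325

# http://www.spamcop.net/w3m?action=hoshame
header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:1(?:3\.(?:1(?:63\.116\.(?:1(?:1[08]|46?|38|74|82)|2(?:2[26]?|[13]0)|46|78)|98\.11(?:3\.1(?:44|9)|1\.207|2\.90))|226\.144\.65)|1\.(?:1(?:15\.202\.4[126]|91\.174\.141|71\.31\.100)|2(?:4\.209\.253|25\.30\.85))|2\.(?:(?:1(?:56\.123\.25|75\.53\.11)|63\.221\.1)0|52\.148\.109)|7\.(?:1(?:74\.229\.221|14\.11\.35)|76\.[24]\.129)|9\.(?:143\.156\.112|95\.148\.97)|6\.(?:230\.133\.69|155\.39\.23)|0\.(?:206\.236\.18|5\.68\.20)|8\.158\.156\.103)|0(?:2\.(?:(?:1(?:75\.232\.25|64\.52\.10)|87\.47\.13)0|4(?:3\.18(?:2\.178|1\.7)|2\.133\.58)|93\.37\.11[34])|0\.(?:1(?:11\.161\.194|04\.58\.227)|95\.162\.200|80\.140\.61|33\.214\.2|6\.193\.89)|3\.(?:1(?:2(?:1\.88\.162|9\.231\.66)|12\.192\.26|66\.207\.18)|249\.162\.7)|9\.(?:222\.0\.(?:13|29)|94\.196\.170)|1\.(?:144\.87\.36|228\.3\.2)|5\.209\.97\.(?:15[03]|201)|7\.248\.51\.158)|2(?:0\.(?:227\.1(?:4\.141|13\.9)|149\.255\.194)|2\.(?:124\.156\.231|252\.223\.2)|1\.143\.(?:109\.250|46\.33)))|1(?:9(?:0\.(?:(?:14(?:6\.247\.8|5\.51\.6)|60\.100\.10)6|2(?:04\.59\.234|6\.67\.230|7\.80\.93)|34\.154\.204|86\.207\.218|96\.68\.179)|5\.(?:1(?:89\.46\.253|60\.253\.4)|24\.93\.252|95\.223\.26)|6\.1(?:\.209\.(?:83|98)|2\.226\.220)|3\.10(?:7\.184\.192|8\.38\.228))|2(?:1\.(?:1(?:(?:68\.226\.23|90\.176\.16)1|\.(?:37\.14[567]|18\.244))|241\.168\.162)|2\.(?:1(?:66\.60\.118|80\.6\.30)|252\.2(?:46\.23|34\.7)4)|3\.(?:1(?:40\.250\.254|6\.147\.68)|255\.248\.99)|4\.(?:217\.216\.11|124\.43\.3)2|5\.2(?:12\.73\.60|2\.85\.134))|7(?:3\.(?:45\.96\.(?:2(?:1[02578]|0[0237])|1(?:9[235678]|00)|9[89])|161\.201\.158|79\.15\.189)|4\.(?:121\.63\.141|51\.89\.104))|1(?:8\.1(?:02\.131\.131|31\.101\.164)|1\.224\.250\.13[02345]|2\.221\.100\.172|5\.118\.134\.54|6\.50\.191\.198|7\.110\.24\.250)|8(?:9\.(?:112\.218\.234|72\.230\.76)|6\.24\.(?:1[6789]|2[0123])\.3)|48\.233\.150\.147|68\.187\.187\.193|51\.76\.31\.58)|8(?:0\.(?:1(?:79\.231\.205|22\.70\.11)|93\.12(?:5\.186|4\.1))|2\.1(?:14\.(?:7(?:8\.11|0\.5)4|65\.246)|40\.91\.41)|9\.2(?:36\.202\.134|11\.46\.210)|4\.22\.(?:56\.50|63\.74)|8\.48\.39\.138|3\.234\.89\.2|5\.154\.5\.90)|7(?:(?:2\.(?:92\.89\.24|21\.6\.2)|9\.101\.99\.15)4|7\.(?:120\.192\.66|22\.162\.99|73\.139\.2)|1\.(?:197\.102\.19|8\.69\.7)|4\.50\.85\.(?:227|18)|0\.165\.35\.242)|9(?:3\.(?:91\.196\.(?:132|99)|87\.53\.130|188\.9\.34)|(?:8\.108\.72\.11|7\.67\.160\.3)4|9\.245\.130\.201|1\.150\.127\.93)|6(?:1\.(?:7\.2(?:31\.23|41\.7)0|28\.150\.162|19\.71\.74)|3\.255\.22\.42|4\.70\.190\.10)|41\.215\.18\.110|58\.27\.196\.84)\b)/
describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
tflags   KHOP_SC_TOP200  nopublish
score    KHOP_SC_TOP200  3.4 3.2 3.7 3.5
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
# overlap: 97% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)
# 1.2552/0 spam/ham, 1.000 s/o @ 20100211
# 0.8558/0 spam/ham, 1.000 s/o @ 20100325

# Bump these up to compensate for expected but absent overlap
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score KHOP_SC_CIDR8       (0.1)
  score KHOP_SC_TOP_CIDR8   (0.2)  # RCVD_IN_PBL
  score KHOP_SC_CIDR16      (0.8)  # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR16  (0.9)  # RCVD_IN_PBL
  score KHOP_SC_CIDR24      (0.9)  # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR24  (1.5)  # RCVD_IN_PBL ++
  score KHOP_SC_TOP200      4.6    # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif

# PSBL-neighbors appending, updated Sun Mar 28 14:58:35 2010 (UTC)
# Fixed: this rule named the header "X-Spam-Relay-Untrusted" (no "s"), unlike
# the KHOP_SC_*CIDR8 rules in this file. SpamAssassin's relay pseudo-header is
# X-Spam-Relays-Untrusted, so the misspelled rule could never hit.
# NOTE(review): correcting the name activates a rule scored up to 1.8 against
# 2010 data; re-check it in mass-check or with a low score before relying on it.
# NOTE(review): unlike the CIDR8 rules, the pattern is not anchored to ip=/by=,
# so any space-terminated field in the relay entry can match - confirm that is
# intended.
header   KHOP_PSBL_CIDR24  X-Spam-Relays-Untrusted =~ /(?-xism:\b(?:1(?:1(?:3\.(?:16(?:7\.1(?:3[01])?|8\.1(?:36|41)|2\.(?:80|97))|22\.(?:6?8|10|9))|8\.(?:6(?:8\.19[26]|9\.13[89])|71\.(?:10|68))|5\.147\.(?:2(?:3[0127]|0[123]|29)|192)|7\.24(?:1\.25[23]|2\.28))|23\.1(?:7\.(?:22[489]|165)|8\.177)|49\.254\.48|80\.234\.3)|2(?:0(?:2\.(?:70\.5[489]|152\.243)|3\.82\.(?:9[234]|8[01]))|22\.252\.157|13\.87\.76)|8(?:1\.192\.(?:199|211)|5\.26\.(?:164|241)|2\.178\.69|3\.149\.3)|5(?:8\.186\.(?:21[6789]|12)|9\.98\.152)|41\.(?:1(?:40\.251|89\.193)|254\.[12])|6(?:1\.19\.6[567]|2\.61\.164))\.[012]?\d{1,2} )/
describe KHOP_PSBL_CIDR24  Relay's IP/24 CIDR contains many PSBL hits
tflags   KHOP_PSBL_CIDR24  nopublish  # for khop-sc-neighbors, not SA proper
score    KHOP_PSBL_CIDR24  1.8 1.0 1.8 1.1
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score  KHOP_PSBL_CIDR24  (0) (1.5) (0) (1.5)
endif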