# SpamAssassin header rules that flag mail whose untrusted relay list
# (X-Spam-Relays-Untrusted) carries a by= or ip= address starting with a
# prefix the regex lists as reserved or unallocated. The T_ name prefix
# follows the SpamAssassin convention for rules still under test.
#
# Includes updates through 2010-02-12 (as last referenced 2010-03-24)
# and now checks for test-net and link-local reserved blocks.
# Formally defined at http://www.iana.org/assignments/ipv4-address-space/
# Updates itemized by date at http://www.cymru.com/Documents/bogon-list.html
#
# NOTE(review): the first-octet alternatives below are a snapshot of the
# registry on the dates above. IANA's unallocated IPv4 pool was exhausted
# after that snapshot, so re-check every /8 alternative against the current
# registry before relying on this rule; a prefix that has since been
# delegated makes legitimate relays hit. The multicast/reserved range
# (224 and up), 0/8, the TEST-NET blocks and 169.254/16 do not depend on
# allocation status.
#
# How the pattern matches: the leading space plus "(?:by|ip)=" pins the match
# to the start of a by=/ip= field, and the trailing "\." ends the listed
# prefix at an octet boundary (so "5." matches but "50." does not).
header T_KHOP_RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?:[05]|14|23|3[1679]|4[29]|1(?:0[0-6]|7[679]|8[15])|2(?:2[3-9]|[3-5]\d)|169\.254|192\.0\.2|198\.51\.100|203\.0\.113)\./
describe T_KHOP_RCVD_ILLEGAL_IP Received: contains reserved or unallocated IP

# Test Jon Hardin's supposition that this should be restricted to Last-Untrusted
# ... I named this LE instead of LU but it doesn't matter as it has no hits.
# Keeping as a reference point until we finalize the bug
#
# NOTE(review): "^[\]]+ " requires the pseudo-header to begin with one or more
# literal "]" characters followed by a space. Relay entries are normally
# written as "[ ip=... by=... ]", so this anchor presumably never matches,
# which would explain the zero hits. If the intent was "inside the first
# relay entry", a negated class ([^\]]) may have been meant; confirm before
# drawing conclusions from the hit count.
# NOTE(review): this variant still lists 50 and 10[0-7], which the rule above
# no longer does (it omits 50 and stops at 106); the two prefix lists are
# not in sync.
header T_KHOP_RCVD_ILLEGAL_IP_LE X-Spam-Relays-Untrusted =~ /^[\]]+ (?:by|ip)=(?:[05]|14|23|3[1679]|4[29]|50|1(?:0[0-7]|7[679]|8[15])|2(?:2[3-9]|[3-5]\d)|169\.254|192\.0\.2|198\.51\.100|203\.0\.113)\./

# pre-merging, pre-pruning of unparsable items
# (disabled; this older form also matched first octets of 300 and above and
# octets of four or more digits, and required a full dotted quad followed by
# a space)
#header T_KHOP_RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?:[05]|14|23|3[1679]|4[29]|50|1(?:0[0-7]|7[679]|8[15])|2(?:2[3-9]|[3-9]\d)|\d{4,}|[3-9]\d\d)\.\d+\.\d+\.\d+ /

# TEST-NET addresses are for documentation and examples only
# (disabled; the same three prefixes are part of the active rule above)
#header RCVD_TEST_NET X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?:192\.0\.2|198\.51\.100|203\.0\.113)\./
#describe RCVD_TEST_NET Received: uses test IP address, violating RFC 5737

# My understanding of the link-local block is that it is used by DHCP-driven
# clients that cannot find a DHCP server, allowing local-only communications
# (like 127/8) plus anything *directly* connected to it (that means no
# routable addresses are available, e.g. in an ad hoc network).
# (disabled; 169.254 is part of the active rule above)
#header RCVD_LINK_LOCAL X-Spam-Relays-Untrusted =~ / (?:by|ip)=169\.254\./
#describe RCVD_LINK_LOCAL Received: uses link-local IP, violating RFC 3927