# From Adam Katz (khopesh) testing grounds and live channels
# http://khopesh.com/Anti-spam

### select rules from khop-bl
# (warren's work has already covered most of what I'd add here)

# I'm using the RCVD_VIA_ prefix to represent regional internet registries
# rather than blocklists' RCVD_IN_ prefix.  It is VERY important that people
# not consider these to be DNS blocklists ... especially given the fact that
# their mass-check stats at http://ruleqa.spamassassin.org/?rule=/RCVD_VIA are
# quite competitive with the DNSBLs, which is more a reflection of our lack of
# foreign ham in the corpora than any real facts.

# from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125
# updates easily gleamed from http://www.cymru.com/Documents/bogon-list.html
header __RCVD_VIA_APNIC   X-Spam-Relays-External =~ /^\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.0?(?:[012]\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/

# Matches ANY external relay.  This was __RCVD_VIA_APNIC until 2010-04-24.
header __RCVD_VIA_APNIC_E X-Spam-Relays-External =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.0?(?:[012]\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/
tflags __RCVD_VIA_APNIC_E nopublish # not production-grade but useful for tests

# from http://lacnic.net/en/registro/ at 20100115
header	 __RCVD_VIA_LACNIC	X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/
#tflags	 __RCVD_VIA_LACNIC	nopublish
header	 __RCVD_VIA_LACNIC_E	X-Spam-Relays-External =~ /\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/
tflags	 __RCVD_VIA_LACNIC_E	nopublish



ifplugin Mail::SpamAssassin::Plugin::DNSEval # {

# The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/
# Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net:
# http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html
# Since this is run by Heise and already decently advertised, I don't anticipate
# problems testing here.  Flagged 'nopublish' to keep it in testing for now.
header	 RCVD_IN_NIX_SPAM	eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM	Received via a relay in NiX Spam (heise.de)
tflags	 RCVD_IN_NIX_SPAM	net nopublish	# 20091123

# Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this?
# ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07
# ...                        @20091128, 18.87/2.16 became 5.30/0.09
#header	 RCVD_IN_SPAMCOP	eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.')
header	 RCVD_IN_SPAMCOP	eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_SPAMCOP	Received via a relay in bl.spamcop.net
tflags	 RCVD_IN_SPAMCOP	net nopublish	# 20091123

# we have the non-lastext data; let's see how good it is if we clean it up a bit
# we'll exclude anything that might have too much info relaying (mailling lists
# and freemail).  my intuition is 35-50% spam, 2-4% ham, but we could get lucky.
# the original version ensured multiple external relays and a hit in either 
# spamcop or barracuda.  now i've added zen, and sorbs.
#meta	 DNSBL_INDIRECT		!__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT)
meta	 DNSBL_INDIRECT		!__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL)
describe DNSBL_INDIRECT		Received indirectly through a relay in a DNSBL
tflags	 DNSBL_INDIRECT		net nopublish	# 20091203
meta	 DNSBL_INDIRECT_UNSAFE	(RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL)
describe DNSBL_INDIRECT_UNSAFE	Received ~indirectly through a relay in a DNSBL
tflags	 DNSBL_INDIRECT_UNSAFE	net nopublish	# 20091207
meta	 DNSBL_INDIRECT_UNSAFE_2	!(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS+__RCVD_IN_NJABL >1)
describe DNSBL_INDIRECT_UNSAFE_2	Received ~indirectly through a relay in 2+ DNSBLs
tflags	 DNSBL_INDIRECT_UNSAFE_2	net nopublish	# 20091207

endif # } Mail::SpamAssassin::Plugin::DNSEval