## khop-dynamic.cf v 2010042500
## Khopesh's Dynamic host detection
## This depends on khop-trust.cf which has a lesser form in SpamAssassin 3.3.1+
##
## Spamassassin rules written by Adam Katz
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
##
## sa-update --gpgkey E8B493D6 --channel khop-dynamic.sa.khopesh.com
##
## These rules are Copyright (C) 2001-2009 by Adam Katz
## Licensed under the Apache License 2.0 or Creative Commons Share-alike 2.0
## The author is receptive to relicensing requests.
##
## Additional credit goes to the original designers of the concepts knit
## together by these rules, namely ASAMI Hideo for S25R
## and Christian Rossow, Thomas Czerwinski, and Christian J. Dietrich for
## "Detecting Gray in Black and White"
##
## This file is fully vetted by the Spamassassin Rule QA testing system at
## http://ruleqa.spamassassin.org/?srcpath=20_khop_dynamic.cf

# How every rule in this file reads its input:
# X-Spam-Relays-External is SpamAssassin's pseudo-header listing each untrusted
# relay as a space-separated "[ ip=... rdns=... helo=... ]" entry, most recent
# relay first.  Every regex below starts with "^[^\]]+ rdns=", so it only ever
# looks at the rdns= field of the FIRST entry: the host that handed the message
# to the trusted network.  That entry's Received header was written by a trusted
# MTA, so the rdns value is the name the receiving side resolved, not something
# the sender typed into a forged header.  A sender who controls the reverse zone
# for their own IP can still choose that name, so these remain heuristics.
# The character classes use "[^. ]" where upstream S25R uses "[^.]" so that a
# match can never run past the rdns value into the following helo=/by= fields.
# NOTE(review): rdns= is only filled in when the MTA's Received format exposes
# the reverse lookup; on an MTA that does not, none of these rules can fire.

# S25R is: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
# S25R is seven regexps used to detect botnets by reverse DNS.
# Last updated with upstream regexps on 2009-11-23
# S25R is loosely licensed permissively with the following sentence:
# > I don't claim any exclusive rights about my idea. And, if you invent a
# > new means based on my idea, I hope you contribute it to the Internet
# > world without claiming exclusive rights.
#
# The Upstream cleanses its list with a whitelist consisting of major sites like
# google.com, hotmail.com, data-hotel.net, yahoo.co.jp, yahoo.com, mixi.jp,
# home.ne.jp, softbank.ne.jp, ezweb.ne.jp, and verisign.net.  All of these
# correctly use SPF except yahoo (which uses DKIM), home.ne.jp, and verisign.
# The whitelist is way too big to be worthwhile, so we use SPF/DKIM/Greylisting.
# S25R_0 is equal to RDNS_NONE and has a host of problems.  We ignore it here.

# S25R_1: first label holds a digit, some non-digits, then another digit.
header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
# S25R_2: first label holds five consecutive digits.
# NOTE(review): this character class was split across lines in the extracted
# copy of the file; restored as "[^. ]" to match its siblings -- confirm.
header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/
# S25R_3: a label that begins with a digit (optionally preceded by one label)
# followed by at least three more labels, the last of which starts with a letter.
header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
# S25R_4: first label ends in a digit and the second label contains digit-hyphen-digit.
header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
# S25R_5: first and second labels both end in a digit, with at least two labels after them.
header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
# S25R_6: first label starts with a dynamic-access keyword (dhcp, dialup, ppp,
# dsl and its adsl/cdsl/hdsl/... variants) and contains a digit.
header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/

# S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
# This was not published with S25R due to matching 'feed' and similar words.
# PCRE lets us use negative look-ahead.  This ignores 3+ consecutive hex letters.
# Mechanics: a digit followed by seven hex characters in the first label.  The
# look-ahead's "[0-9a-f]*" is unbounded, so three consecutive letters ANYWHERE
# in the hex run that follows the digit veto the match, not just within the
# seven characters counted.  There is no /i flag, so upper-case hex is not
# matched; the RCD rules below do use /i.
header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/
# 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214 awesome score-map; avg is LOW!
# 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420 37% of spam hits are under 6 pts

# From the 2010 MIT Spam Conference "best student paper"
# "Detecting Gray in Black and White"
# by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students)
# http://bit.ly/Detecting_Gray_in_Black_and_White (PDF)
#
# The paper evaluates very similar methodology to the S25R concepts and my own
# tinkering within this space (of searching for dynamic-type names in rDNS).
# It cleanses itself with some white rDNS searches that might be interesting.
# Named RCD for the paper's authors but the rules and regexes are mine.
# Named MESSY because there are no delimiters (delimited versions unnecessary).
# "\S*" keeps each substring search inside the rdns value; /i makes it
# case-insensitive.  Note "ppoe" is a substring of "pppoe", so the PPP and PPOE
# rules will both hit a pppoe-style name.
header __RCD_RDNS_DYN_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i
header __RCD_RDNS_PPP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i
header __RCD_RDNS_PPOE_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i

# safe, no cleansing needed
# Fires on any one of the listed dynamic-name tests, but only when the last
# external relay did not authenticate (__LAST_EXTERNAL_RELAY_NO_AUTH) and the
# message did not arrive entirely over trusted hosts (!ALL_TRUSTED): a user on
# a dynamic address who submits via an authenticated MSA is deliberately not
# penalised.  __5_SUBDOM and the two gating rules are defined outside this file
# (khop-trust.cf / SpamAssassin core); the file header names that dependency.
meta KHOP_DYNAMIC __LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__5_SUBDOM || __RDNS_HEX || __S25R_4 || __S25R_6 || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY)
describe KHOP_DYNAMIC Relay looks like a dynamic address
# nopublish: not pushed out through the rule-update channel, kept for local use.
tflags KHOP_DYNAMIC nopublish
score KHOP_DYNAMIC 2.0

# cleansing added to make safe
# The noisier S25R tests are combined as a weighted sum: each sub-rule counts as
# 1 or 0, so the "> 3" threshold needs either one 1.8-weight hit (S25R_3 or
# S25R_5) plus any other hit, or all three of the 1.4-weight hits -- two
# 1.4-weight hits alone (2.8) are not enough.  It is skipped when KHOP_DYNAMIC
# already fired (so the two scores never stack) and when the sender is vouched
# for by SPF/DKIM (__NOT_SPOOFED) or greylisting (__GREYLISTING), which is the
# "cleansing" that replaces upstream's whitelist; those two and __IP_IN_RELAY
# are defined outside this file.
meta KHOP_DYNAMIC2 !(__NOT_SPOOFED||__GREYLISTING||KHOP_DYNAMIC) && (1.4*__S25R_1 + 1.4*__S25R_2 + 1.8*__S25R_3 + 1.8*__S25R_5 + 1.4*__IP_IN_RELAY > 3)
describe KHOP_DYNAMIC2 Relay looks like a dynamic address
tflags KHOP_DYNAMIC2 nopublish
score KHOP_DYNAMIC2 1.0