# Most of this has migrated to the khop-dynamic channel, new as of 2010-04-24. # The channel's content lives here in svn as 20_khop_dynamic.cf describe S25R_1 S25R: Bottom of rDNS has num, non-num, num meta S25R_1 __S25R_1 && !(__DOS_RELAYED_EXT||__S25R_2||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING) tflags S25R_1 nopublish #score S25R_1 0.1 describe S25R_2 S25R: Bottom of rDNS has 5+ digits in a row meta S25R_2 __S25R_2 && !(__S25R_1||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING) tflags S25R_2 nopublish #score S25R_2 0.1 describe S25R_3 S25R: A low-level of rDNS starts w/ a number meta S25R_3 __S25R_3 && !(__S25R_1||__S25R_2||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING) tflags S25R_3 nopublish #score S25R_3 0.1 describe S25R_4 S25R: Bottom of rDNS ends w/ num, next lvl has num-num meta S25R_4 __S25R_4 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING) #tflags S25R_4 nopublish #score S25R_4 0.1 describe S25R_5 S25R: rDNS has 5+ layers, bottom 2 end in numbers meta S25R_5 __S25R_5 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_6 || __NOT_SPOOFED || __GREYLISTING) tflags S25R_5 nopublish #score S25R_5 0.1 describe S25R_6 S25R: rDNS looks dynamic or customer-facing meta S25R_6 __S25R_6 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_5 || __NOT_SPOOFED || __GREYLISTING) #tflags S25R_6 nopublish #score S25R_6 0.1 # Testing the union. Limits S25R_0 (RDNS_NONE) for high FPs. # Ordered by popularity in an effort to improve short-circuiting. #meta S25R ((RDNS_NONE&&__HELO_NO_DOMAIN)||__S25R_1||__S25R_3||__S25R_5||__S25R_2||__S25R_6||__S25R_4) && !__NOT_SPOOFED && !__GREYLISTING # using __MAY_BE_FORGED (sendmail-only?) instead of RDNS_NONE as S25R_0 meta S25R !(__NOT_SPOOFED||__GREYLISTING) && (__MAY_BE_FORGED||__S25R_1||__S25R_3||__S25R_5||__S25R_2||__S25R_6||__S25R_4) describe S25R Selective SMTP Rejection: Relay has dynamic rDNS tflags S25R nopublish # Early poor-mani's botnet attempts (replaced by KHOP_DYNAMIC and KHOP_DYNAMIC2) meta KHOP_BOTNET_4 __LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTING) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || RDNS_DYNAMIC + __S25R_1*.8 + __S25R_2*.8 > 1.7) describe KHOP_BOTNET_4 Relay looks like a dynamic address tflags KHOP_BOTNET_4 nopublish meta KHOP_BOTNET_7 !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTING) && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2) describe KHOP_BOTNET_7 Relay looks like a dynamic address tflags KHOP_BOTNET_7 nopublish meta KHOP_BOTNET_9 !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTING) && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY + __MAY_BE_FORGED > 2) describe KHOP_BOTNET_9 Relay looks like a dynamic address tflags KHOP_BOTNET_9 nopublish meta KHOP_BOTNET_UNCLEAN __LAST_EXTERNAL_RELAY_NO_AUTH && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY + __MAY_BE_FORGED > 2) describe KHOP_BOTNET_UNCLEAN Relay looks like a dynamic address tflags KHOP_BOTNET_UNCLEAN nopublish # Sanity check: how much freemail lacks spf or dkim? meta SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM # see if we can further reduce the FPs w/out impacting the spam hits too hard header __RDNS_HEX9 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{8}/