# From Adam Katz (khopesh) testing grounds and live channels # http://khopesh.com/Anti-spam ### select rules from khop-bl # (warren's work has already covered most of what I'd add here) # I'm using the RCVD_VIA_ prefix to represent regional internet registries # rather than blocklists' RCVD_IN_ prefix. It is VERY important that people # not consider these to be DNS blocklists ... especially given the fact that # their mass-check stats at http://ruleqa.spamassassin.org/?rule=/RCVD_VIA are # quite competitive with the DNSBLs, which is more a reflection of our lack of # foreign ham in the corpora than any real facts. # Asia-Pacific Network Information Centre (APNIC) # from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125 # updates easily gleamed from http://www.cymru.com/Documents/bogon-list.html header __RCVD_VIA_APNIC X-Spam-Relays-External =~ /^\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/ # Matches ANY external relay. This was __RCVD_VIA_APNIC until 2010-04-24. header __RCVD_VIA_APNIC_E X-Spam-Relays-External =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/ tflags __RCVD_VIA_APNIC_E nopublish # African Network Informati Center (AfriNIC) # from http://www.afrinic.net/Registration/resources.htm at 20100524 # Note that APNIC claims to have transferred 202.123.0.0/19 to AfriNIC # although AfriNIC appears to have no recognition of this. # Also note APNIC and RIPE have some kind of proxy allocation deal assigning # 196.192.0.0/13 for AfriNIC (though it belongs to AfriNIC anyway...) # APNIC's site says the range is "used to make /22 allocations to future # members of AfriNIC" while RIPE says it allocates /24s from the same block to # "Local Internet Registries (LIRs) and End Users in African countries north # of the equator." header __RCVD_VIA_AFRINIC X-Spam-Relays-External =~ /^\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/ header __RCVD_VIA_AFRINIC_E X-Spam-Relays-External =~ /\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/ tflags __RCVD_VIA_AFRINIC_E nopublish # Reseaux IP Europeens Network Coordination Centre (RIPE NCC) # (Europe, Middle East, parts of Central Asia) # from command: # whois -h whois.ripe.net ' -rTrs RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA ' # as noted at http://www.ripe.net/ripe/docs/ripe-493.html at 20100524 header __RCVD_VIA_RIPE X-Spam-Relays-External =~ /^\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/ header __RCVD_VIA_RIPE_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/ tflags __RCVD_VIA_RIPE_E nopublish # Latin American and Caribbean Internet Addresses Registry (LACNIC) # from http://lacnic.net/en/registro/ at 20100115 header __RCVD_VIA_LACNIC X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/ #tflags __RCVD_VIA_LACNIC nopublish header __RCVD_VIA_LACNIC_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/ tflags __RCVD_VIA_LACNIC_E nopublish # American Registry of Internet Numbers (ARIN) # (Canada, many Carribbean and North Atlantic islands, the United States) # from https://www.arin.net/knowledge/ip_blocks.html at 20100524 # ... that page is out of date. Using IANA page instead: # http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt #header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?:1(?:0[78]|7[34]|84|99)|2(?:0[4-9]|16|4)|6[3-9]|7[0-6]|9[6-9]|50)\.\d/ header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/ header __RCVD_VIA_ARIN_E X-Spam-Relays-External =~ /\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/ tflags __RCVD_VIA_ARIN_E nopublish # IP Space allocated before RIRs, mostly to corporations in the United States. # from iana source at 20100524 via command # (note, it doesn't collaps ranges, e.g. [1234567] -> [1-7] ) # perl -w -mRegexp::Assemble -e 'open (IANA, "new; while () { next if /RESERVED|IANA|whois\.(?:ripe|arin|apnic|afrinic|lacnic)\.net/; next unless m{^\s*\d{3}/\d+\s}; chomp; print "$_\n"; s:/8.*| |^0+::g; $re->add($_); } print "$re\n"' header __RCVD_VIA_NON_RIR X-Spam-Relays-External =~ /^\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/ header __RCVD_VIA_NON_RIR_E X-Spam-Relays-External =~ /\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/ tflags __RCVD_VIA_NON_RIR_E nopublish # Note that none of the above RCVD_VIA rules account for IPv6, # nor do any of the RCVD_ILLEGAL_IP rules. header __RCVD_VIA_IPV6 X-Spam-Relays-External =~ /^\[ ip=[0-9a-f:]+ /i header __RCVD_VIA_IPV6_E X-Spam-Relays-External =~ /\[ ip=[0-9a-f:]+ /i # This should never hit anything. If it does, there is a hole in a subrules. meta UNKNOWN_ORIGIN !(__RCVD_VIA_AFRINIC || __RCVD_VIA_APNIC || __RCVD_VIA_ARIN || __RCVD_VIA_LACNIC || __RCVD_VIA_RIPE || __RCVD_VIA_NON_RIR || RCVD_ILLEGAL_IP || __RCVD_VIA_IPV6) # The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/ # Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net: # http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html # Since this is run by Heise and already decently advertised, I don't anticipate # problems testing here. Flagged 'nopublish' to keep it in testing for now. # https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6529 # "reuse" flag because this DNSBL only keeps IP's for 12 hours, testing older mail is # not useful. It must rely on tagging during delivery. header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.') describe RCVD_IN_NIX_SPAM Received via a relay in NiX Spam (heise.de) tflags RCVD_IN_NIX_SPAM net nopublish # 20091123 reuse RCVD_IN_NIX_SPAM # Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this? # ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07 # ... @20091128, 18.87/2.16 became 5.30/0.09 #header RCVD_IN_SPAMCOP eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.') header RCVD_IN_SPAMCOP eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)') describe RCVD_IN_SPAMCOP Received via a relay in bl.spamcop.net tflags RCVD_IN_SPAMCOP net nopublish # 20091123 meta PUBLISHED_DNSBLS RCVD_IN_XBL || RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SORBS_DUL || RCVD_IN_SORBS_WEB || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_RP_RNBL tflags PUBLISHED_DNSBLS net nopublish # 20110127 meta PUBLISHED_DNSBLS_BRBL PUBLISHED_DNSBLS || RCVD_IN_BRBL_LASTEXT tflags PUBLISHED_DNSBLS_BRBL net nopublish # 20110127 ifplugin Mail::SpamAssassin::Plugin::DNSEval # { # we have the non-lastext data; let's see how good it is if we clean it up a bit # we'll exclude anything that might have too much info relaying (mailling lists # and freemail). my intuition is 35-50% spam, 2-4% ham, but we could get lucky. # the original version ensured multiple external relays and a hit in either # spamcop or barracuda. now i've added zen, and sorbs. # # bug 6634 removed __RCVD_IN_BRBL #header __RCVD_IN_BRBL eval:check_rbl('brbl','bb.barracudacentral.org') #tflags __RCVD_IN_BRBL net nopublish # #meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL) meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL) describe DNSBL_INDIRECT Received indirectly through a relay in a DNSBL tflags DNSBL_INDIRECT net nopublish # 20091203 #meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) describe DNSBL_INDIRECT_UNSAFE Received ~indirectly through a relay in a DNSBL tflags DNSBL_INDIRECT_UNSAFE net nopublish # 20091207 #meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS+__RCVD_IN_NJABL >1) meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_ZEN+__RCVD_IN_SORBS+__RCVD_IN_NJABL >1) describe DNSBL_INDIRECT_UNSAFE_2 Received ~indirectly through a relay in 2+ DNSBLs tflags DNSBL_INDIRECT_UNSAFE_2 net nopublish # 20091207 endif # } Mail::SpamAssassin::Plugin::DNSEval