## From Adam Katz (khopesh) testing grounds and live channels ## http://khopesh.com/Anti-spam # #### select rules from khop-bl ## (warren's work has already covered most of what I'd add here) # ## I'm using the RCVD_VIA_ prefix to represent regional internet registries ## rather than blocklists' RCVD_IN_ prefix. It is VERY important that people ## not consider these to be DNS blocklists ... especially given the fact that ## their mass-check stats at http://ruleqa.spamassassin.org/?rule=/RCVD_VIA are ## quite competitive with the DNSBLs, which is more a reflection of our lack of ## foreign ham in the corpora than any real facts. # ## Asia-Pacific Network Information Centre (APNIC) ## from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125 ## updates easily gleamed from http://www.cymru.com/Documents/bogon-list.html #header __RCVD_VIA_APNIC X-Spam-Relays-External =~ /^\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/ # ## Matches ANY external relay. This was __RCVD_VIA_APNIC until 2010-04-24. #header __RCVD_VIA_APNIC_E X-Spam-Relays-External =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.(?:[012]?\d|3[01])))|169\.2(?:0[89]|1\d|2[01]|223)|169\.2(?:1[04]|22))\.\d/ #tflags __RCVD_VIA_APNIC_E nopublish # ## African Network Informati Center (AfriNIC) ## from http://www.afrinic.net/Registration/resources.htm at 20100524 ## Note that APNIC claims to have transferred 202.123.0.0/19 to AfriNIC ## although AfriNIC appears to have no recognition of this. ## Also note APNIC and RIPE have some kind of proxy allocation deal assigning ## 196.192.0.0/13 for AfriNIC (though it belongs to AfriNIC anyway...) ## APNIC's site says the range is "used to make /22 allocations to future ## members of AfriNIC" while RIPE says it allocates /24s from the same block to ## "Local Internet Registries (LIRs) and End Users in African countries north ## of the equator." #header __RCVD_VIA_AFRINIC X-Spam-Relays-External =~ /^\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/ #header __RCVD_VIA_AFRINIC_E X-Spam-Relays-External =~ /\[ ip=(?:(?:41|19[67])|202\.123\.(?:[12]?\d|3[01]))\.\d/ #tflags __RCVD_VIA_AFRINIC_E nopublish # ## Reseaux IP Europeens Network Coordination Centre (RIPE NCC) ## (Europe, Middle East, parts of Central Asia) ## from command: ## whois -h whois.ripe.net ' -rTrs RS-IP-ALLOCATIONS-TO-RIPE-NCC-FROM-IANA ' ## as noted at http://www.ripe.net/ripe/docs/ripe-493.html at 20100524 #header __RCVD_VIA_RIPE X-Spam-Relays-External =~ /^\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/ #header __RCVD_VIA_RIPE_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:9[345]|7[68]|09|88)|2(?:1(?:[23]|7))?|7[789]|9[0-5]|8\d|31|46|62)\.\d/ #tflags __RCVD_VIA_RIPE_E nopublish # ## Latin American and Caribbean Internet Addresses Registry (LACNIC) ## from http://lacnic.net/en/registro/ at 20100115 #header __RCVD_VIA_LACNIC X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/ ##tflags __RCVD_VIA_LACNIC nopublish #header __RCVD_VIA_LACNIC_E X-Spam-Relays-External =~ /\[ ip=(?:1(?:90|8[679]|20(?:[01]\.|6\.223\.1(?:24|30))))\.\d/ #tflags __RCVD_VIA_LACNIC_E nopublish # ## American Registry of Internet Numbers (ARIN) ## (Canada, many Carribbean and North Atlantic islands, the United States) ## from https://www.arin.net/knowledge/ip_blocks.html at 20100524 ## ... that page is out of date. Using IANA page instead: ## http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt ##header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?:1(?:0[78]|7[34]|84|99)|2(?:0[4-9]|16|4)|6[3-9]|7[0-6]|9[6-9]|50)\.\d/ #header __RCVD_VIA_ARIN X-Spam-Relays-External =~ /^\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/ #header __RCVD_VIA_ARIN_E X-Spam-Relays-External =~ /\[ ip=(?!169\.254|172\.(?:1[6-9]|2\d|3[01])\.|192\.(?:0\.[02]|168)\.|198\.51\.100)(?:1(?:3[0124-9]|6[0124-9]|4[02346-9]|5[25-9]|7[0234]|9[289]|0[78]|2[89]|84)|2(?:0[4-9]|16|4)|7[0-6]?|6[3-9]|9[6-9]|50)\.\d/ #tflags __RCVD_VIA_ARIN_E nopublish # ## IP Space allocated before RIRs, mostly to corporations in the United States. ## from iana source at 20100524 via command ## (note, it doesn't collaps ranges, e.g. [1234567] -> [1-7] ) ## perl -w -mRegexp::Assemble -e 'open (IANA, "new; while () { next if /RESERVED|IANA|whois\.(?:ripe|arin|apnic|afrinic|lacnic)\.net/; next unless m{^\s*\d{3}/\d+\s}; chomp; print "$_\n"; s:/8.*| |^0+::g; $re->add($_); } print "$re\n"' #header __RCVD_VIA_NON_RIR X-Spam-Relays-External =~ /^\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/ #header __RCVD_VIA_NON_RIR_E X-Spam-Relays-External =~ /\[ ip=(?:0(?:1[1235-9]|2[012689]|3[02-58]|4[034578]|5[2-7]|0[34689])|21[45])\.\d/ #tflags __RCVD_VIA_NON_RIR_E nopublish # ## Note that none of the above RCVD_VIA rules account for IPv6, ## nor do any of the RCVD_ILLEGAL_IP rules. #header __RCVD_VIA_IPV6 X-Spam-Relays-External =~ /^\[ ip=[0-9a-f:]+ /i #header __RCVD_VIA_IPV6_E X-Spam-Relays-External =~ /\[ ip=[0-9a-f:]+ /i # ## This should never hit anything. If it does, there is a hole in a subrules. #meta UNKNOWN_ORIGIN !(__RCVD_VIA_AFRINIC || __RCVD_VIA_APNIC || __RCVD_VIA_ARIN || __RCVD_VIA_LACNIC || __RCVD_VIA_RIPE || __RCVD_VIA_NON_RIR || RCVD_ILLEGAL_IP || __RCVD_VIA_IPV6) # # ## The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/ ## Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net: ## http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html ## Since this is run by Heise and already decently advertised, I don't anticipate ## problems testing here. Flagged 'nopublish' to keep it in testing for now. ## https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6529 ## "reuse" flag because this DNSBL only keeps IP's for 12 hours, testing older mail is ## not useful. It must rely on tagging during delivery. #header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.') #describe RCVD_IN_NIX_SPAM Received via a relay in NiX Spam (heise.de) #tflags RCVD_IN_NIX_SPAM net nopublish # 20091123 #reuse RCVD_IN_NIX_SPAM # ## Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this? ## ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07 ## ... @20091128, 18.87/2.16 became 5.30/0.09 ##header RCVD_IN_SPAMCOP eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.') ##header RCVD_IN_SPAMCOP eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)') ##describe RCVD_IN_SPAMCOP Received via a relay in bl.spamcop.net ##tflags RCVD_IN_SPAMCOP net nopublish # 20091123 # #meta PUBLISHED_DNSBLS RCVD_IN_XBL || RCVD_IN_PBL || RCVD_IN_PSBL || RCVD_IN_SORBS_DUL || RCVD_IN_SORBS_WEB || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_RP_RNBL #tflags PUBLISHED_DNSBLS net nopublish # 20110127 #meta PUBLISHED_DNSBLS_BRBL PUBLISHED_DNSBLS || RCVD_IN_BRBL_LASTEXT #tflags PUBLISHED_DNSBLS_BRBL net nopublish # 20110127 # #ifplugin Mail::SpamAssassin::Plugin::DNSEval # { # ## we have the non-lastext data; let's see how good it is if we clean it up a bit ## we'll exclude anything that might have too much info relaying (mailling lists ## and freemail). my intuition is 35-50% spam, 2-4% ham, but we could get lucky. ## the original version ensured multiple external relays and a hit in either ## spamcop or barracuda. now i've added zen, and sorbs. ## ## bug 6634 removed __RCVD_IN_BRBL ##header __RCVD_IN_BRBL eval:check_rbl('brbl','bb.barracudacentral.org') ##tflags __RCVD_IN_BRBL net nopublish ## ##meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL) #meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_XBL||RCVD_IN_PBL||RCVD_IN_SORBS_DUL) #describe DNSBL_INDIRECT Received indirectly through a relay in a DNSBL #tflags DNSBL_INDIRECT net nopublish # 20091203 ##meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) #meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) #describe DNSBL_INDIRECT_UNSAFE Received ~indirectly through a relay in a DNSBL #tflags DNSBL_INDIRECT_UNSAFE net nopublish # 20091207 ##meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS >1) #meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_ZEN+__RCVD_IN_SORBS>1) #describe DNSBL_INDIRECT_UNSAFE_2 Received ~indirectly through a relay in 2+ DNSBLs #tflags DNSBL_INDIRECT_UNSAFE_2 net nopublish # 20091207 # #endif # } Mail::SpamAssassin::Plugin::DNSEval #