## khop-sc-neighbors.cf v 200912221 ## Khopesh's syndication of SpamCop's top offenders and top offending networks. ## ## Spamassassin rules written by Adam Katz ## http://khopesh.com/Anti-spam ## khopesh on irc://irc.freenode.net/#spamassassin ## ## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292 ## ## These rules are Copyright 2001-2009 by Adam Katz ## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0. ## The code that generated this output is GNU Affero General Public License v3. ## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below. ## The author is receptive to relicensing requests for this and its generator. # http://spamcop.net/w3m?action=map;net=0;sort=spamcnt header KHOP_SC_CIDR8 Received =~ /(?-xism:\b(?:2(?:00|22)|187|89)(?:\.[012]?[0-9]{1,2}){3}\b)/ describe KHOP_SC_CIDR8 Relay listed in SpamCop top 8 IP/8 CIDRs score KHOP_SC_CIDR8 0.2 0.1 0.3 0.2 header KHOP_SC_TOP_CIDR8 Received =~ /(?-xism:\b(?:1(?:23|89|90)|201)(?:\.[012]?[0-9]{1,2}){3}\b)/ describe KHOP_SC_TOP_CIDR8 Relay listed in SpamCop top 4 IP/8 CIDRs score KHOP_SC_TOP_CIDR8 0.5 0.4 0.8 0.6 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail # 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score #counts KHOP_SC_TOP_CIDR8 229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09 #counts KHOP_SC_TOP_CIDR8 457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09 #counts KHOP_SC_TOP_CIDR8 22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 #counts KHOP_SC_TOP_CIDR8 205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09 #counts KHOP_SC_TOP_CIDR8 1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09 # notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905) # http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt header KHOP_SC_CIDR16 Received =~ /(?-xism:\b(?:1(?:(?:23\.[12]|18\.9)6|8(?:9\.111|7\.4))|203\.210)(?:\.[012]?[0-9]{1,2}){2}\b)/ describe KHOP_SC_CIDR16 Relay listed in SpamCop top 12 IP/16 CIDRs score KHOP_SC_CIDR16 0.6 0.5 0.9 0.75 header KHOP_SC_TOP_CIDR16 Received =~ /(?-xism:\b(?:1(?:23\.2[37]|13\.22)|222\.25[34]|92\.85)(?:\.[012]?[0-9]{1,2}){2}\b)/ describe KHOP_SC_TOP_CIDR16 Relay listed in SpamCop top 6 IP/16 CIDRs score KHOP_SC_TOP_CIDR16 0.9 0.8 1.3 1.2 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail # 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score #counts KHOP_SC_TOP_CIDR16 7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09 #counts KHOP_SC_TOP_CIDR16 14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09 #counts KHOP_SC_TOP_CIDR16 845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 #counts KHOP_SC_TOP_CIDR16 6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09 #counts KHOP_SC_TOP_CIDR16 33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09 # notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905) # notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5) # notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5) # http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt header KHOP_SC_CIDR24 Received =~ /(?-xism:\b(?:6(?:(?:8\.168\.13|0\.213\.4)8|2\.61\.164)|113\.160\.113|213\.233\.64|91\.132\.70)\.[012]?[0-9]{1,2}\b)/ describe KHOP_SC_CIDR24 Relay listed in SpamCop top 12 IP/24 CIDRs score KHOP_SC_CIDR24 0.9 0.8 1.3 1.2 # http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail # 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score #counts KHOP_SC_CIDR24 241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09 #counts KHOP_SC_CIDR24 486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09 #counts KHOP_SC_CIDR24 1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 #counts KHOP_SC_CIDR24 240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09 #counts KHOP_SC_CIDR24 0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09 header KHOP_SC_TOP_CIDR24 Received =~ /(?-xism:\b(?:2(?:(?:20\.231\.12|02\.75\.3)7|16\.66\.78)|(?:111\.224\.25|0\.0\.)0|58\.18\.168)\.[012]?[0-9]{1,2}\b)/ describe KHOP_SC_TOP_CIDR24 Relay listed in SpamCop top 6 IP/24 CIDRs score KHOP_SC_TOP_CIDR24 1.7 1.5 1.9 1.8 # http://www.spamcop.net/w3m?action=hoshame header KHOP_SC_TOP200 Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:1(?:(?:95\.158\.16|41\.87\.13)5|(?:37\.132\.8|63\.249\.)3)|2(?:53\.218\.194|1\.18\.189|6\.148\.62)|8(?:9\.135\.157|0\.140\.61|8\.115\.30)|91\.248\.82|32\.8\.28)|1\.(?:1(?:16\.198\.1|34\.153\.2)14|45\.106\.130|251\.250\.3|59\.14\.107)|9\.(?:1(?:72\.(?:35\.112|44\.13)|1\.164\.39)|94\.196\.170)|3\.(?:210\.2(?:53\.154|49\.19)|101\.104\.2|90\.137\.18)|2\.75\.37\.(?:2(?:4[03]|27|52)|125)|6\.1(?:69\.30\.117|24\.17\.4)|5\.139\.241\.165|8\.84\.169\.157)|1(?:9\.(?:2(?:34\.88\.16|54\.35\.4)5|15(?:0\.139\.18|1\.41\.)6)|3\.(?:186\.(?:57\.18|62\.5)9|227\.219\.58|55\.78\.23)|0\.(?:1(?:27\.253\.121|10\.49\.39)|212\.248\.222)|2\.(?:2(?:35\.111\.208|44\.73\.232)|111\.199\.30)|1\.(?:1(?:52\.12\.114|76\.84\.225)|94\.138\.45)|8\.(?:(?:248\.44\.19|38\.12\.24)6|191\.33\.248)|6\.66\.7(?:8\.(?:125|54)|6\.224)|7\.19(?:4\.197\.245|9\.231\.249))|2(?:0\.(?:2(?:31\.(?:1(?:27\.(?:13|9)|01\.214)|69\.13)|27\.(?:170\.197|35\.234))|124\.249\.1)|2\.(?:2(?:5(?:5\.29\.143|2\.223\.2)|37\.(?:162\.200|78\.177))|124\.203\.27)|1\.214\.164\.240)|4\.1(?:56\.108\.188|99\.205\.252))|1(?:1(?:8\.(?:9(?:6\.2(?:16\.235|4\.156)|1\.117\.165|8\.214\.236)|130\.112\.235)|3\.(?:16(?:0\.113\.1(?:81|5)|9\.176\.24)|255\.7\.234)|6\.(?:47\.133\.40|1\.10\.195|50\.249\.2)|0\.(?:172\.167\.37|45\.146\.169)|9\.(?:39\.253\.25|93\.11\.126)|1\.224\.250\.(?:6[56]|133|70)|7\.25\.129\.200)|9(?:0\.(?:1(?:4(?:4\.(?:93\.154|176\.2)|5\.6\.20)|07\.134\.202)|47\.186\.250|6\.172\.98|81\.54\.33)|5\.(?:1(?:6(?:1\.(?:8\.1|9\.2)|0\.253\.4)|89\.45\.11)|2(?:45\.211\.3|52\.70\.14)6)|3\.1(?:08\.38\.228|98\.8\.211)|6\.28\.237\.185)|2(?:1\.1(?:0\.1(?:27\.158|74\.122)|85\.156\.185|41\.76\.191|66\.183\.29)|5\.(?:234\.18\.130|46\.73\.179)|4\.(?:124\.52\.162|0\.18\.130)|2\.252\.234\.74)|8(?:9\.(?:5(?:(?:5\.166\.12|2\.28\.13)2|9\.236\.19|\.120\.185)|35\.10\.164|60\.39\.162)|8\.217\.20\.96|6\.24\.19\.3)|4(?:0\.113\.(?:121\.101|203\.84)|8\.233\.80\.145)|52\.26\.20\.72)|8(?:3\.1(?:4(?:2\.111\.228|3\.151\.165|\.240\.146)|67\.114\.73)|8\.(?:255\.(?:108\.215|225\.114)|188\.37\.185|84\.200\.97)|2\.(?:2(?:39\.205\.187|28\.64\.89)|193\.140\.168)|0\.(?:(?:25\.174\.11|93\.125\.18)6|84\.120\.242)|4\.(?:22\.140\.186|17\.11\.114|32\.238\.19)|9\.(?:165\.244\.221|47\.164\.17|36\.3\.23)|5\.1(?:70\.32\.154|92\.33\.96)|(?:1\.112|6\.28)\.190\.195)|9(?:1\.(?:1(?:21\.1(?:20\.108|61\.101)|9(?:3\.199\.4|7\.5\.1)|32\.70\.11|44\.144\.9)|214\.16\.42)|(?:5\.154\.146\.9|2\.50\.244\.7)7|4\.(?:23\.45\.154|77\.48\.5)|3\.122\.135\.(?:19|4)|8\.116\.37\.60)|6(?:(?:8\.168\.138\.5|7\.11\.55\.13)4|1\.1(?:58\.163\.112|78\.126\.206)|2\.1(?:40\.137\.175|68\.65\.170)|5\.204\.173\.139|9\.179\.187\.187|0\.213\.48\.250|4\.150\.138\.18|6\.98\.69\.145)|7(?:7\.(?:22(?:2\.149\.7|3\.130\.8)4|48\.106\.146|70\.54\.81)|9\.1(?:(?:72\.39\.25|24\.13\.7)4|65\.208\.16)|2\.(?:71\.33\.237|21\.6\.22)|4\.208\.167\.189)|5(?:8\.(?:18\.168\.16[23456]|211\.218\.74)|9\.(?:160\.177\.27|4\.157\.16)))\b)/ describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs score KHOP_SC_TOP200 3.4 3.2 3.7 3.5 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail # 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score #counts KHOP_SC_TOP200 1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09 #counts KHOP_SC_TOP200 4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09 #counts KHOP_SC_TOP200 1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09 #counts KHOP_SC_TOP200 1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09 # assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) #header KHOP_SC_TOP100 Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:1(?:(?:95\.158\.16|41\.87\.13)5|63\.249\.3)|8(?:9\.135\.157|0\.140\.61)|21\.18\.189)|1\.(?:116\.198\.114|59\.14\.107)|3\.(?:210\.249\.19|90\.137\.18)|6\.1(?:69\.30\.117|24\.17\.4)|2\.75\.37\.2(?:4[03]|27|52)|9\.172\.35\.112)|1(?:1\.(?:1(?:52\.12\.114|76\.84\.225)|94\.138\.45)|0\.(?:212\.248\.222|110\.49\.39)|2\.(?:111\.199\.30|244\.73\.232)|9\.(?:234\.88\.165|151\.41\.6)|6\.66\.7(?:6\.22|8\.5)4|8\.248\.44\.196|3\.186\.62\.59)|2(?:0\.(?:2(?:27\.(?:170\.197|35\.234)|31\.101\.214)|124\.249\.1)|1\.214\.164\.240|2\.252\.223\.2)|4\.156\.108\.188)|1(?:9(?:0\.(?:144\.93\.154|47\.186\.250|6\.172\.98|81\.54\.33)|5\.1(?:89\.45\.11|61\.9\.2)|3\.108\.38\.228|6\.28\.237\.185)|1(?:9\.(?:39\.253\.25|93\.11\.126)|8\.96\.2(?:16\.235|4\.156)|1\.224\.250\.66|6\.50\.249\.2)|2(?:(?:1\.10\.174\.12|4\.124\.52\.16)2|2\.252\.234\.74)|89\.52\.28\.132)|8(?:8\.(?:(?:255\.108\.21|188\.37\.18)5|84\.200\.97)|2\.2(?:39\.205\.187|28\.64\.89)|1\.112\.190\.195|3\.142\.111\.228|4\.17\.11\.114|9\.36\.3\.23)|9(?:1\.121\.1(?:20\.108|61\.101)|5\.154\.146\.97|3\.122\.135\.4|8\.116\.37\.60|4\.77\.48\.5)|5(?:8\.(?:18\.168\.16[35]|211\.218\.74)|9\.160\.177\.27)|7(?:(?:7\.223\.130\.8|9\.172\.39\.25)4|4\.208\.167\.189)|6(?:5\.204\.173\.139|2\.168\.65\.170|7\.11\.55\.134))\b)/ #describe KHOP_SC_TOP100 Relay listed in SpamCop top 100 spammer IPs #score KHOP_SC_TOP100 1.4 1.3 1.8 1.7 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail # 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score #counts KHOP_SC_TOP100 2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09 #counts KHOP_SC_TOP100 5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09 #counts KHOP_SC_TOP100 6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09 #counts KHOP_SC_TOP100 2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09 #counts KHOP_SC_TOP100 1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09 # notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh) # notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033) # notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619) #header KHOP_SC_TOP20 Received =~ /(?-xism:\b(?:1(?:2(?:1\.10\.127\.158|5\.46\.73\.179)|11\.224\.250\.(?:133|65|70))|7(?:7\.70\.54\.81|2\.21\.6\.22)|219\.254\.35\.45|58\.18\.168\.162|80\.93\.125\.186)\b)/ #describe KHOP_SC_TOP20 Relay listed in SpamCop top 20 spammer IPs #score KHOP_SC_TOP20 1.9 1.7 2.2 2.0 # assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) #header KHOP_SC_TOP10 Received =~ /(?-xism:\b(?:2(?:1(?:3\.227\.219\.58|6\.66\.78\.125)|09\.94\.196\.170)|6(?:1\.158\.163\.112|0\.213\.48\.250|8\.168\.138\.54)|(?:58\.18\.168\.16|84\.22\.140\.18)6|117\.25\.129\.200|91\.132\.70\.11)\b)/ #describe KHOP_SC_TOP10 Relay listed in SpamCop top 10 spammer IPs #score KHOP_SC_TOP10 2.2 2.0 2.6 2.4 # assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) # Bump these up to compensate for expected but absent overlap if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) ) score KHOP_SC_CIDR8 (0.1) score KHOP_SC_TOP_CIDR8 (0.2) # RCVD_IN_PBL score KHOP_SC_CIDR16 (0.8) # RCVD_IN_PBL score KHOP_SC_TOP_CIDR16 (0.9) # RCVD_IN_PBL score KHOP_SC_CIDR24 (0.9) # RCVD_IN_PBL score KHOP_SC_TOP_CIDR24 (1.5) # RCVD_IN_PBL ++ score KHOP_SC_TOP200 4.6 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ #score KHOP_SC_TOP100 4.7 # RCVD_IN_BL_SPAMCOP_NET ++ #score KHOP_SC_TOP20 4.8 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ #score KHOP_SC_TOP10 4.9 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++ endif