## khop-sc-neighbors.cf v 2010012519
## Khopesh's syndication of SpamCop's top offenders and top offending networks.
##
## Spamassassin rules written by Adam Katz
## http://khopesh.com/Anti-spam
## khopesh on irc://irc.freenode.net/#spamassassin
##
## sa-update --channel khop-bl.sa.khopesh.com --gpgkey F4AD9292
##
## These rules are Copyright 2001-2009 by Adam Katz
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## Source data (copyright Cisco subsidiary SpamCop.net) taken from links below.
## The author is receptive to relicensing requests for this and its generator.

# Overview: generated header rules that regex-match Received headers against
# networks (/8, /16, /24) and single addresses taken from the SpamCop pages
# linked above each group. Each rule is a header test, a description and a
# score line; a four-value score line gives one value per SpamAssassin score
# set (Bayes off/net off, Bayes off/net on, Bayes on/net off, Bayes on/net on).
#
# NOTE(review): the sa-update line above pins the channel key by an
# 8-hex-digit short key ID. Short IDs can collide, so confirm the key's full
# fingerprint from a source you trust before importing it for this channel.
#
# NOTE(review): this is a static snapshot (see the version stamp above and the
# 05/25/09 corpus counts below). Address assignments change over time, so check
# the age of the list before relying on these scores.
#
# NOTE(review): every rule below is a plain regex over the Received headers, so
# it sees all hops (including header lines written by hosts outside your trust
# boundary) and any dotted-quad-shaped text in them, not only parsed relay IPs.
# If only the handing-over relay should count, SpamAssassin's
# X-Spam-Relays-External / X-Spam-Relays-Untrusted pseudo-headers are the usual
# way to scope such a match -- confirm which behaviour is wanted.
#
# The trailing-octet pattern [012]?[0-9]{1,2} accepts 0-299, i.e. it is looser
# than a valid IPv4 octet; the \b anchors keep a match from starting or ending
# in the middle of a number.

# --- /8 networks -------------------------------------------------------------
# http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
# Matches first octets 122, 123, 117 and 95 followed by three more octets.
# The description says "top 8" while four /8s are listed; presumably these are
# ranks 5-8, with the top four in KHOP_SC_TOP_CIDR8 -- confirm with generator.
header KHOP_SC_CIDR8 Received =~ /(?-xism:\b(?:1(?:2[23]|17)|95)(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_CIDR8 Relay listed in SpamCop top 8 IP/8 CIDRs
score KHOP_SC_CIDR8 0.2 0.1 0.3 0.2

# Matches first octets 189, 190, 200 and 201 followed by three more octets.
# The ruleqa line below reports 0.5009% of ham hitting this rule, which is why
# a whole-/8 match carries only a fractional score.
header KHOP_SC_TOP_CIDR8 Received =~ /(?-xism:\b(?:1(?:89|90)|20[01])(?:\.[012]?[0-9]{1,2}){3}\b)/
describe KHOP_SC_TOP_CIDR8 Relay listed in SpamCop top 4 IP/8 CIDRs
score KHOP_SC_TOP_CIDR8 0.5 0.4 0.8 0.6
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
# 0.00000ms 22.7242%s 0.5009%h 0.978s/o 0.76rank 1.00score
#counts KHOP_SC_TOP_CIDR8 229488s/280h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP_CIDR8 457506s/457h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP_CIDR8 22495s/2h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP_CIDR8 205146s/170h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP_CIDR8 1807s/108h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 84% of hits also hit RCVD_IN_PBL (0.905)

# --- /16 networks ------------------------------------------------------------
# http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
# Six two-octet prefixes followed by two more octets.
header KHOP_SC_CIDR16 Received =~ /(?-xism:\b(?:1(?:1(?:0\.139|7\.197)|90\.146)|222\.25[34]|59\.92)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_CIDR16 Relay listed in SpamCop top 12 IP/16 CIDRs
score KHOP_SC_CIDR16 0.6 0.5 0.9 0.75

# Six two-octet prefixes (all starting with 1) followed by two more octets.
header KHOP_SC_TOP_CIDR16 Received =~ /(?-xism:\b1(?:2(?:3\.2(?:38?|7)|1\.247|2\.168)|90\.24)(?:\.[012]?[0-9]{1,2}){2}\b)/
describe KHOP_SC_TOP_CIDR16 Relay listed in SpamCop top 6 IP/16 CIDRs
score KHOP_SC_TOP_CIDR16 0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
# 0.00000ms 0.6947%s 0.0000%h 1.000s/o 0.85rank 1.0score
#counts KHOP_SC_TOP_CIDR16 7015s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP_CIDR16 14059s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP_CIDR16 845s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP_CIDR16 6137s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP_CIDR16 33s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 91% of hits also hit RCVD_IN_PBL (0.905)
# notable overlap: 85% of hits also hit RAZOR2_CHECK (0.5)
# notable overlap: 84% of hits also hit RAZOR2_CF_RANGE_51_100 (0.5)

# --- /24 networks ------------------------------------------------------------
# http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
# Six three-octet prefixes followed by one more octet.
header KHOP_SC_CIDR24 Received =~ /(?-xism:\b(?:1(?:93\.108\.38|21\.1\.37)|203\.8(?:7\.178|2\.92)|89\.251\.107|93\.91\.196)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_CIDR24 Relay listed in SpamCop top 12 IP/24 CIDRs
score KHOP_SC_CIDR24 0.9 0.8 1.3 1.2
# http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
# 0.00000ms 0.0239%s 0.0000%h 1.000s/o 0.57rank 1.00score
#counts KHOP_SC_CIDR24 241s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_CIDR24 486s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_CIDR24 1s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_CIDR24 240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_CIDR24 0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09

# Six three-octet prefixes followed by one more octet.
# NOTE(review): the alternative (?:203\.82\.8|0\.0\.)0 expands to 203.82.80 and
# to 0.0.0, so a literal 0.0.0.x in a Received header hits this rule. That looks
# like an artifact of the source data rather than a real network -- confirm it
# is intended, since this rule scores 1.5-1.9 (more when DNSEval is absent).
header KHOP_SC_TOP_CIDR24 Received =~ /(?-xism:\b(?:1(?:11\.224\.250|21\.54\.32)|(?:203\.82\.8|0\.0\.)0|77\.73\.139|93\.186\.96)\.[012]?[0-9]{1,2}\b)/
describe KHOP_SC_TOP_CIDR24 Relay listed in SpamCop top 6 IP/24 CIDRs
score KHOP_SC_TOP_CIDR24 1.7 1.5 1.9 1.8

# --- single addresses --------------------------------------------------------
# http://www.spamcop.net/w3m?action=hoshame
# One prefix-factored alternation of complete four-octet addresses.
# NOTE(review): at 3.2-3.7 (4.6 without DNSEval, see the end of the file) a
# single hit supplies most of SpamAssassin's stock required_score of 5, and the
# match is made against any Received line -- weigh that against list age.
header KHOP_SC_TOP200 Received =~ /(?-xism:\b(?:2(?:0(?:2\.(?:1(?:6(?:4\.52\.100|5\.199\.21)|54\.81\.242)|(?:62\.122\.17|87\.47\.13)0|7(?:5\.37\.125|8\.103\.88)|53\.(?:80\.203|79\.74)|43\.18(?:2\.178|1\.7))|0\.(?:(?:3(?:0\.70\.20|3\.214\.)|72\.183\.5)2|(?:95\.162\.20|54\.72\.3)0|8(?:0\.140\.61|7\.103\.18)|27\.138\.74|45\.77\.158|6\.193\.89)|1\.(?:2(?:2(?:0\.232\.61|8\.3\.2)|51\.76\.132)|144\.87\.36)|3\.(?:1(?:31\.169\.166|99\.72\.228)|248\.186\.70)|9\.(?:212\.106\.145|94\.196\.170)|4\.227\.175\.236|8\.46\.105\.195|7\.57\.121\.29)|1(?:7\.(?:1(?:50\.4(?:1\.16|5\.)5|74\.229\.221|99\.231\.249)|64\.104\.107|76\.2\.129)|3\.(?:147\.118\.113|251\.134\.138|79\.125\.122)|1\.2(?:47\.239\.239|34\.93\.154|02\.2\.97)|2\.(?:55\.66\.17|63\.221\.1)0|8\.248\.5(?:1\.2|\.18)|6\.230\.133\.69|9\.252\.48\.66)|2(?:2\.(?:12(?:2\.1(?:42\.189|57\.73)|4\.198\.131)|252\.223\.2)|1\.1(?:20\.224\.1|43\.49\.2)46|0\.225\.226\.70))|1(?:2(?:2\.(?:1(?:69\.125\.35|55\.1\.174|83\.238\.9)|5(?:2\.251\.113|5\.106\.18)|252\.234\.74)|4\.(?:1(?:0(?:4\.1(?:02\.73|40\.82)|7\.32\.28)|24\.43\.32)|217\.216\.49)|1\.(?:1\.(?:37\.14[567]|18\.242)|52\.155\.13[03])|5\.(?:160\.72\.163|60\.164\.2)|0\.28\.78\.141|3\.49\.45\.154|\.191\.88\.50)|9(?:3\.(?:1(?:08\.38\.(?:2(?:28|35)|181)|11\.156\.182|38\.206\.228)|227\.98\.4)|5\.(?:2(?:4\.(?:209\.14|93\.252)|30\.140\.18|2\.107\.1)|189\.46\.253)|0\.(?:144\.76\.178|210\.28\.193|4\.44\.237)|4\.(?:126\.204\.31|63\.136\.18|79\.21\.147)|6\.28\.240\.2)|1(?:8\.(?:1(?:02\.131\.130|75\.6\.138)|96\.132\.174)|4\.14(?:3\.2\.244|1\.5\.3)|1\.224\.250\.13[035]|7\.121\.237\.170|0\.45\.144\.227|9\.93\.0\.211)|8(?:6\.2(?:4\.(?:1[6789]|2[0123])\.3|8\.228\.1)|9\.112\.218\.234|0\.150\.199\.56)|4(?:8\.2(?:33\.150\.147|43\.142\.24)|0\.111\.153\.4)|74\.51\.89\.104)|8(?:3\.(?:1(?:4(?:2\.111\.228|9\.17\.42)|6\.1(?:49\.50|67\.14)|3\.218\.106)|229\.208\.[25])|9\.(?:1(?:05\.128\.3[35]|89\.170\.21|90\.197\.14)|251\.107\.(?:2[125]|30))|5\.(?:2(?:1(?:7\.190\.150|9\.190\.2)|34\.177\.253)|118\.193\.158)|2\.1(?:9(?:3\.140\.168|2\.89\.176)|14\.73\.162)|0\.(?:93\.12(?:5\.186|4\.1)|235\.105\.140)|7\.(?:106\.60\.136|226\.222\.22)|4\.2(?:04\.136\.3|2\.63\.74))|9(?:1\.(?:1(?:21\.(?:1(?:5(?:0\.6|8\.7)0|36\.218)|26\.180|74\.105)|9(?:3\.175\.32|7\.5\.1))|(?:92\.230\.22|207\.42\.)7)|3\.(?:1(?:15\.243\.198|86\.96\.150)|91\.196\.9[19])|5\.1(?:70\.208\.114|54\.240\.98)|4\.2(?:3\.25\.83|5\.3\.10))|6(?:2\.(?:1(?:49\.(?:166\.45|226\.69)|28\.42\.5)|77\.221\.54|38\.54\.81)|(?:4\.76\.123\.9|1\.4\.104\.3)8|6\.(?:129\.72\.76|46\.179\.10)|0\.250\.102\.209|9\.174\.114\.103|7\.228\.17\.195)|7(?:8\.(?:(?:97\.11\.3|56\.5\.7)5|38\.132\.101|24\.111\.78)|7\.(?:36\.153\.21|109\.9\.10|73\.139\.2)|(?:4\.124\.198\.11|1\.40\.58\.17)0|9\.140\.172\.46)|5(?:8\.(?:1(?:20\.227\.149|8\.38\.235)|68\.66\.25[012]|248\.4\.67)|9\.163\.26\.211)|41\.204\.190\.12)\b)/
describe KHOP_SC_TOP200 Relay listed in SpamCop top 200 spammer IPs
score KHOP_SC_TOP200 3.4 3.2 3.7 3.5
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
# 0.00000ms 0.1230%s 0.0000%h 1.000s/o 0.69rank 1.00score
#counts KHOP_SC_TOP200 1250s/0h of 1072123 corpus (1015898s/56225h) 05/25/09
#counts KHOP_SC_TOP200 4s/0h of 101470 corpus (99923s/1547h bb-jm) 05/25/09
#counts KHOP_SC_TOP200 1245s/0h of 935409 corpus (905697s/29712h dos) 05/25/09
#counts KHOP_SC_TOP200 1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
# assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# The TOP100, TOP20 and TOP10 rules below are disabled: their header, describe
# and score lines are all commented out, leaving KHOP_SC_TOP200 as the only
# active single-address rule in this file.
#header KHOP_SC_TOP100 Received =~ /(?-xism:\b(?:2(?:0(?:2\.(?:7(?:5\.37\.125|8\.103\.88)|43\.18(?:2\.178|1\.7)|165\.199\.21|87\.47\.130)|0\.(?:27\.138\.74|30\.70\.202|80\.140\.61|54\.72\.30)|1\.2(?:51\.76\.13|28\.3\.)2|4\.227\.175\.236|3\.199\.72\.228|8\.46\.105\.195|7\.57\.121\.29)|1(?:7\.(?:1(?:50\.4(?:1\.16|5\.)5|99\.231\.249)|76\.2\.129)|1\.2(?:47\.239\.239|34\.93\.154)|3\.251\.134\.138|6\.230\.133\.69|2\.55\.66\.170)|22\.12(?:2\.142\.189|4\.198\.131))|1(?:2(?:2\.(?:252\.234\.74|55\.106\.18)|1\.1\.37\.14[567]|0\.28\.78\.141|3\.49\.45\.154|4\.124\.43\.32|\.191\.88\.50)|9(?:5\.(?:2(?:4\.93\.252|2\.107\.1)|189\.46\.253)|4\.63\.136\.18|3\.227\.98\.4)|8(?:6\.2(?:4\.(?:1[6789]|2[0123])\.3|8\.228\.1)|9\.112\.218\.234)|(?:4(?:8\.243\.142\.2|0\.111\.153\.)|74\.51\.89\.10)4)|8(?:7\.(?:106\.60\.136|226\.222\.22)|3\.16\.1(?:49\.50|67\.14)|9\.251\.107\.(?:21|30)|0\.235\.105\.140|4\.204\.136\.3|5\.219\.190\.2)|9(?:1\.(?:1(?:21\.(?:15(?:0\.6|8\.7)0|74\.105)|97\.5\.1)|92\.230\.227)|5\.154\.240\.98|3\.91\.196\.91)|6(?:2\.(?:77\.221\.54|128\.42\.5|38\.54\.81)|6\.(?:129\.72\.76|46\.179\.10)|7\.228\.17\.195)|7(?:(?:8\.38\.132\.10|7\.36\.153\.2)1|4\.124\.198\.110)|41\.204\.190\.12)\b)/
#describe KHOP_SC_TOP100 Relay listed in SpamCop top 100 spammer IPs
#score KHOP_SC_TOP100 1.4 1.3 1.8 1.7
# http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
# 0.00000ms 0.2880%s 0.0000%h 1.000s/o 0.76rank 1.00score
#counts KHOP_SC_TOP100 2908s/0h of 1065604 corpus (1009702s/55902h) 05/25/09
#counts KHOP_SC_TOP100 5897s/0h of 2102483 corpus (2015322s/87161h) 05/25/09
#counts KHOP_SC_TOP100 6s/0h of 101483 corpus (99912s/1571h bb-jm) 05/25/09
#counts KHOP_SC_TOP100 2901s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
#counts KHOP_SC_TOP100 1s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
# notable overlap: 99% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960) (duh)
# notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
# notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)

#header KHOP_SC_TOP20 Received =~ /(?-xism:\b(?:2(?:0(?:9\.94\.196\.170|0\.6\.193\.89)|12\.63\.221\.10)|1(?:11\.224\.250\.13[35]|95\.230\.140\.18)|89\.190\.197\.14|58\.248\.4\.67|77\.73\.139\.2|94\.23\.25\.83)\b)/
#describe KHOP_SC_TOP20 Relay listed in SpamCop top 20 spammer IPs
#score KHOP_SC_TOP20 1.9 1.7 2.2 2.0
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

#header KHOP_SC_TOP10 Received =~ /(?-xism:\b(?:11(?:1\.224\.250\.130|0\.45\.144\.227|4\.141\.5\.3)|(?:221\.143\.49\.24|82\.192\.89\.17)6|93\.(?:186\.96\.150|91\.196\.99)|62\.149\.(?:166\.45|226\.69)|58\.120\.227\.149)\b)/
#describe KHOP_SC_TOP10 Relay listed in SpamCop top 10 spammer IPs
#score KHOP_SC_TOP10 2.2 2.0 2.6 2.4
# assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

# Bump these up to compensate for expected but absent overlap
# Applies only when the DNSEval plugin is not loaded; the trailing comment on
# each line names the DNSBL rule(s) whose missing contribution is being made up
# (presumably those rules depend on that plugin -- confirm).
# A value in parentheses is SpamAssassin's relative form: it is added to the
# score already set above. KHOP_SC_TOP200 has no parentheses, so 4.6 replaces
# its score for every score set.
# NOTE(review): with the adjustment KHOP_SC_TOP_CIDR24 reaches 3.0-3.4 for a
# /24 regex match alone; review together with the 0.0.0.x note on that rule.
if (! plugin(Mail::SpamAssassin::Plugin::DNSEval) )
  score KHOP_SC_CIDR8 (0.1)
  score KHOP_SC_TOP_CIDR8 (0.2) # RCVD_IN_PBL
  score KHOP_SC_CIDR16 (0.8) # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR16 (0.9) # RCVD_IN_PBL
  score KHOP_SC_CIDR24 (0.9) # RCVD_IN_PBL
  score KHOP_SC_TOP_CIDR24 (1.5) # RCVD_IN_PBL ++
  score KHOP_SC_TOP200 4.6 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP100 4.7 # RCVD_IN_BL_SPAMCOP_NET ++
  #score KHOP_SC_TOP20 4.8 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
  #score KHOP_SC_TOP10 4.9 # RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL++
endif