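# From Adam Katz (khopesh) testing grounds and live channels
# http://khopesh.com/Anti-spam
#
# SpamAssassin rule file: greylisting/DKIM/SPF helper subrules, regional
# registry (RIR) relay subrules, and a few DNSBL experiments.  Rules named
# with a leading "__" are subrules (no score of their own); the rest are
# mostly unscored sandbox rules carrying "nopublish".

### select rules from khop-bl
# (warren's work has already covered most of what I'd add here)

# Detect milter-greylist, scam-grey, postgrey, SQLgrey, and hopefully others
# (matches any X-Scam-Grey: / X-Greylist: / X-Greylisting: header line)
header __GREYLISTING ALL =~ /(?:^|\n)X-(?:Scam-Grey|Greylist(?:ing)?):\s/m
# doesn't match enough, has a higher S/O than above, therefore useless.
#header __GREYLISTED ALL =~ /(?:^|\n)X-(?:Scam-Grey|Greylist(?:ing)?):\s+delay(?:ed)? (?:for )?\d+(?: ?s(?:ec(?:ond)?s?)?|:\d\d)/im
# Greylisted AND relayed from a host with no/dynamic rDNS or a bare HELO.
meta KHOP_GREYED __GREYLISTING && (RDNS_NONE||RDNS_DYNAMIC||__HELO_NO_DOMAIN)
describe KHOP_GREYED Greylisted and sent from dynamically-named relay
score KHOP_GREYED 0.1

ifplugin Mail::SpamAssassin::Plugin::DKIM
# A DKIM-Signature header is present but DKIM_VALID did not fire.
meta DKIM_INVALID __DKIM_EXISTS && !DKIM_VALID
describe DKIM_INVALID DKIM-Signature header exists but is not valid
# masscheck ignores ifplugins and thus always has DKIM_INVALID==__DKIM_EXISTS
endif
# Presence of the header only; says nothing about whether the signature verifies.
header __DKIM_EXISTS exists:DKIM-Signature
# 0.1320/12.7782 spam/ham, 0.010 s/o @ 20100420 safe without forgeries for now.

# Note 1: This is ordered counterintuitively because masscheck
# ignores ifplugins and just takes the first definition.
# Note 2: At the moment, __DKIM_EXISTS is safe. When that changes,
# it will need to be removed from the first entry.
# Note 3: I have zero confidence in the auto-publish mechanism
# leaving the below block intact. I'll try using its own syntax...
#
# __NOT_SPOOFED: the message carries some authentication evidence (SPF pass,
# DKIM present/valid), did not arrive via an unauthenticated last external
# relay, or is entirely from trusted hosts.  The four definitions pick the
# strongest check the loaded plugins can provide.
##{ __NOT_SPOOFED
if ! plugin (Mail::SpamAssassin::Plugin::DKIM)
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
else
meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
endif
else
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
else
meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
endif
# closes the outer "if ! plugin (...DKIM)"; without it the if-stack is left
# open at end of file and the remaining rules are nested inside it.
endif
##} __NOT_SPOOFED

# I'm using the RCVD_VIA_ prefix to represent regional internet registries
# rather than blocklists' RCVD_IN_ prefix. It is VERY important that people
# not consider these to be DNS blocklists ... especially given the fact that
# their mass-check stats at http://ruleqa.spamassassin.org/?rule=/RCVD_VIA are
# quite competitive with the DNSBLs, which is more a reflection of our lack of
# foreign ham in the corpora than any real facts.
# These are subrules only: an address being in a registry's range is not by
# itself evidence of anything, so they carry no score of their own.

# old version, does not reflect recent allocation of 1/8 and 27/8.
#header __RCVD_VIA_APNIC Received =~ /(?-xism:[^0-9.](?:2(?:0(?:2(?:\.1(?:2(?:3\.(?:0?(?:[4-9][0-9]|3[2-9])|[12][0-9]{2})\.[012]?[0-9]{1,2}|[^3]\.(?:012]?[0-9]{1,2}){2})|[^2]3\.(?:012]?[0-9]{1,2}){2})|(?:\.[02]?[0-9]{1,2}){3})|3(?:\.[012]?[0-9]{1,2}){3})|(?:1[0189]|2[012])(?:\.[012]?[0-9]{1,2}){3})|1(?:(?:2[0123456]|8[023]|1\d|75)(?:\.[012]?[0-9]{1,2}){3}|69\.2(?:1[0-9]|2[0-3]|0[89])(?:\.[012]?[0-9]{1,2}){2})|(?:5[89]|6[01])(?:\.[012]?[0-9]{1,2}){3})(?:[\]\)\s]))/
#describe __RCVD_VIA_APNIC Received through a relay in Asia/Pacific Network

# from http://www.apnic.net/db/ranges.html at 20091002, updated 20100125
# updates easily gleaned from http://www.cymru.com/Documents/bogon-list.html
# Matches the "ip=" field of any external relay in X-Spam-Relays-External.
# The 169.2xx group now reads 169.2(?:0[89]|1\d|2[0-3]) = 169.208-169.223, as
# in the old Received-based version above; the previous "|223" alternative
# could only ever match the impossible octet "2223" and so never fired, and the
# separate 169.2(?:1[04]|22) alternative is folded in.
header __RCVD_VIA_APNIC X-Spam-Relays-External =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.0?(?:[012]\d|3[01])))|169\.2(?:0[89]|1\d|2[0-3]))\.\d/
#tflags __RCVD_VIA_APNIC nopublish
#header __RCVD_VIA_APNIC_I X-Spam-Relays-Internal =~ /\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.0?(?:[012]\d|3[01])))|169\.2(?:0[89]|1\d|2[0-3]))\.\d/
#tflags __RCVD_VIA_APNIC_I nopublish
# "_LE" = last external relay only (anchored to the first entry of the header).
header __RCVD_VIA_APNIC_LE X-Spam-Relays-External =~ /^\[ ip=(?-xism:1|27|5[89]|6[01]|1(?:[12][0-6]|1[7-9]|75|8[0123])|2(?:03|1[0189]|2[012]|02(?!\.123\.0?(?:[012]\d|3[01])))|169\.2(?:0[89]|1\d|2[0-3]))\.\d/
#tflags __RCVD_VIA_APNIC_LE nopublish

# from http://lacnic.net/en/registro/ at 20100115
# Covers 186/8, 187/8, 189/8, 190/8, 200/8, 201/8 plus 206.223.124.x and
# 206.223.130.x.  The earlier grouping put the "20..." alternatives under the
# leading "1", which could only produce the nonsense octets "1200"/"1201"/"1206"
# and thus never matched; the 200/201 and 206.223 branches are now siblings of
# the 1xx group.
# NOTE(review): the 206.223.124/130 entries are kept as the author wrote them;
# verify them against the current LACNIC list before publishing.
header __RCVD_VIA_LACNIC X-Spam-Relays-External =~ /\[ ip=(?:1(?:90|8[679])|20(?:[01]|6\.223\.1(?:24|30)))\.\d/
tflags __RCVD_VIA_LACNIC nopublish
header __RCVD_VIA_LACNIC_LE X-Spam-Relays-External =~ /^\[ ip=(?:1(?:90|8[679])|20(?:[01]|6\.223\.1(?:24|30)))\.\d/
#tflags __RCVD_VIA_LACNIC_LE nopublish

ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
# The DNSBL side of the Manitu iXhash zone, http://www.dnsbl.manitu.net/
# Out-performs PSBL (72.98/0.12 spam/ham to PSBL's 48.69/0.36) at Intra2net:
# http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_NIX_SPAM.html
# Since this is run by Heise and already decently advertised, I don't anticipate
# problems testing here. Flagged 'nopublish' to keep it in testing for now.
# Queries only the last external relay ("-lastexternal" set name).
header RCVD_IN_NIX_SPAM eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe RCVD_IN_NIX_SPAM Received via a relay in NiX Spam (heise.de)
tflags RCVD_IN_NIX_SPAM net nopublish # 20091123

# Limit SpamCop to LASTEXT like every other DNSBL ... why haven't we tried this?
# ... and what a difference! @20091204, 21.59/2.59 became 3.80/0.07
# ... @20091128, 18.87/2.16 became 5.30/0.09
#header RCVD_IN_SPAMCOP eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.')
# check_rbl_txt additionally requires the zone's TXT answer to match /spamcop/i.
header RCVD_IN_SPAMCOP eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_SPAMCOP Received via a relay in bl.spamcop.net
tflags RCVD_IN_SPAMCOP net nopublish # 20091123

# we have the non-lastext data; let's see how good it is if we clean it up a bit
# we'll exclude anything that might have too much info relaying (mailing lists
# and freemail). my intuition is 35-50% spam, 2-4% ham, but we could get lucky.
# the original version ensured multiple external relays and a hit in either
# spamcop or barracuda. now i've added zen, and sorbs.
#meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT)
# Fires when a non-last-external relay is listed but the last external one is
# not (the RCVD_IN_*_LASTEXT / RCVD_IN_SPAMCOP exclusions), and the message did
# not pass through a list, bot, freemail or all-trusted path.
meta DNSBL_INDIRECT !__DOS_SINGLE_EXT_RELAY && (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(__VIA_ML||__DOS_HAS_LIST_UNSUB||__SENDER_BOT||__freemail_safe||ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL)
describe DNSBL_INDIRECT Received indirectly through a relay in a DNSBL
tflags DNSBL_INDIRECT net nopublish # 20091203

# Same idea without the single-relay / list / freemail exclusions.
meta DNSBL_INDIRECT_UNSAFE (RCVD_IN_BL_SPAMCOP_NET||__RCVD_IN_BRBL||__RCVD_IN_ZEN||__RCVD_IN_SORBS) && !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL)
describe DNSBL_INDIRECT_UNSAFE Received ~indirectly through a relay in a DNSBL
tflags DNSBL_INDIRECT_UNSAFE net nopublish # 20091207

# Requires hits in at least two of the five lists (the "+ ... >1" sum).
meta DNSBL_INDIRECT_UNSAFE_2 !(ALL_TRUSTED||RCVD_IN_SPAMCOP||RCVD_IN_BRBL_LASTEXT||RCVD_IN_SORBS_DUL) && (RCVD_IN_BL_SPAMCOP_NET+__RCVD_IN_BRBL+__RCVD_IN_ZEN+__RCVD_IN_SORBS+__RCVD_IN_NJABL >1)
describe DNSBL_INDIRECT_UNSAFE_2 Received ~indirectly through a relay in 2+ DNSBLs
tflags DNSBL_INDIRECT_UNSAFE_2 net nopublish # 20091207
endif # } Mail::SpamAssassin::Plugin::DNSEval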