Posted to users@spamassassin.apache.org by ha...@t-online.de on 2009/10/02 23:59:15 UTC

RE RCVD_VIA_APNIC

>> Warren Togami wrote:
>> # 2005/07/29, http://www.apnic.net/db/ranges.html
>> header   RCVD_VIA_APNIC Received =~ /[^0-9.](?:5[89]|6[01]|12[456]|20[23]|21[0189]|22[012])(?:\.[012]?[0-9]{1,2}){3}(?:\]|\)| )/
>> describe RCVD_VIA_APNIC Received through a relay in Asia/Pacific Network

>> Adam Katz had this rule in one of his channels.  While it is wholly 
>> unsafe to be used alone, it could be useful in masscheck statistics and 
>> possibly if used in meta booleans in combination with other rules.
>>
>> http://www.apnic.net/publications/research-and-insights/ip-address-trends/apnic-resource-range
>> Unfortunately, in testing the above rule on my own corpus I see it is 
>> missing some obvious Asian addresses.  This page reveals that the regex 
>> is out of date.  Does there exist a good automated way to convert many 
>> CIDR ranges to a single regex?
>> 
>> Warren Togami

Hi Warren,

I am using the GeoIP database in a similar context, but rather than converting to a regex,
I convert to a cdb file and do a lookup on that.
To integrate with SpamAssassin, a Perl cdb module would be needed.

More info about cdb is available at http://cr.yp.to/cdb.html

Regards
Wolfgang






Re: [SA] RE RCVD_VIA_APNIC

Posted by Adam Katz <an...@khopis.com>.
Warren Togami wrote:
> # 2005/07/29, http://www.apnic.net/db/ranges.html
> header   RCVD_VIA_APNIC Received =~ /[^0-9.](?:5[89]|6[01]|12[456]|20[23]|21[0189]|22[012])(?:\.[012]?[0-9]{1,2}){3}(?:\]|\)| )/
> describe RCVD_VIA_APNIC Received through a relay in Asia/Pacific Network

> Adam Katz had this rule in one of his channels. While it is wholly 
> unsafe to be used alone, it could be useful in masscheck statistics
> and possibly if used in meta booleans in combination with other
> rules.
> 
> Unfortunately, in testing the above rule on my own corpus I see it
> is missing some obvious Asian addresses. This page reveals that the
> regex is out of date. Does there exist a good automated way to
> convert many CIDR ranges to a single regex?

Hm.  I didn't know that APNIC's space was updated that often.  I'll
adjust my rule.  Also, though I didn't say anything when you
approached me in IRC (we're on vastly different schedules), I did make
some changes to the rule so as to make it safer, including checking
against trusted networks and DNS whitelists and scoring it at 0.001.

__RCVD_VIA_APNIC will soon be updated to a monster constructed from a
hand-tweaked copy of the table at http://www.apnic.net/db/ranges.html
and fed into Regexp::Assemble (post-tweaked perl code is attached).

The attached apnic.cf.txt file (named so as to better appear in your
mail reader) is a sample of the pending latest revision in khop-bl.

As to its "missing some obvious Asian addresses" ... I believe that is
because many Asian addresses are outside the jurisdiction of APNIC,
for example, I believe Japan has three /8 networks (43, 126, and 133)
independent of APNIC ... and that's just by eying the XKCD map of the
IPv4 space!
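
Added example (not from either poster, and not the Regexp::Assemble script Adam mentions attaching): one way to turn a CIDR list into a single Received-header regex, generalized to any IPv4 prefix length rather than /8s only. The function names and the 198.51.100.64/26 block are assumptions made for illustration; the /8 list is copied from the 2005 rule quoted above, which the thread says is out of date.

```python
import ipaddress
import re

OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})"  # any octet value 0-255

# First octets are the /8s from the 2005 rule quoted in the thread; the last
# entry is a constructed documentation-range block to exercise a non-/8 prefix.
SAMPLE_CIDRS = [f"{o}.0.0.0/8" for o in
                (58, 59, 60, 61, 124, 125, 126, 202, 203,
                 210, 211, 218, 219, 220, 221, 222)] + ["198.51.100.64/26"]


def cidr_to_pattern(net):
    """Regex fragment matching every dotted-quad address in one IPv4 network."""
    parts = []
    # Compare first and last address octet by octet: fixed, partial or free.
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        if lo == hi:
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):
            parts.append(OCTET)
        else:
            parts.append("(?:" + "|".join(map(str, range(lo, hi + 1))) + ")")
    return r"\.".join(parts)


def build_regex(cidrs):
    """Collapse adjacent networks, then wrap them in the thread's delimiters."""
    # ip_network() raises ValueError on malformed input or stray host bits.
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    body = "|".join(cidr_to_pattern(n) for n in nets)
    return r"[^0-9.](?:" + body + r")(?:\]|\)| )"


def build_rule(name, cidrs):
    """SpamAssassin header rule line in the same form as the quoted rule."""
    return f"header   {name} Received =~ /{build_regex(cidrs)}/"


def hits(regex, received):
    """True if a Received header value contains an address in the list."""
    return re.search(regex, received) is not None


if __name__ == "__main__":
    print(build_rule("RCVD_VIA_APNIC", SAMPLE_CIDRS))
```

Unlike the quoted rule's `[012]?[0-9]{1,2}`, the octet pattern here rejects values above 255, and the leading `[^0-9.]` keeps 161.x.x.x or 10.61.x.x from matching the 61 branch.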