khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

[Adam Katz <an...@khopis.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>> Do you know if are there something like the old 'Top200 SpamCop
>>> Relays' 70_sc_top200 ?
>
> It seems to me 70_sc_top200 is an automatic rule, which
> tautologically shouldn't involve any ninja at all in its updating.

YES!  I've actually been working on something very similar.  Instead
of just using a list, it abstracts to neighboring networks (providing
anticipatory scores).

This is derived from SpamCop's index of high-volume spammers in CIDR
/8 (class A) and CIDR /24 (class D) netblocks and assigns points to
them.  Basically, this is a stereotyping, assuming clusters of
spammers beget spammers within systems with nearby IPv4 addresses.

Note that this rule does not (yet) fire on things already indexed by
SpamCop since such things already get points.  The argument that such
high-volume spam subnets should get increased scores anyway is
interesting and should be investigated more thoroughly in the future
(I haven't had any false positives yet, but YMMV).

This is updated nightly in my sa-update channel at:
khop-sc-neighbors.sa.khopesh.com

(Generation script:  http://khopesh.com/scripts/sa-sc-neighbors )

Install with something like:

wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import -
sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com


I'd love to see how this fares in the mass-check system...


(My other channels: http://khopesh.com/Anti-spam#Custom_SA_hacks )

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknuVbQACgkQnCRV0Oi0k9bqWwCfbxB6YvOLWIm3+0CNqqMqU6Kj
iOsAn3NtIUHzobDds/MuCOFEb7aK2pQV
=SSbs
-----END PGP SIGNATURE-----

Re: khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

[Adam Katz <an...@khopis.com>]

Justin Mason wrote:
>> This is updated nightly in my sa-update channel at:
>> khop-sc-neighbors.sa.khopesh.com
>>
>> (Generation script:  http://khopesh.com/scripts/sa-sc-neighbors )
>>
>> Install with something like:
>>
>> wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import -
>> sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com
>>
>>
>> I'd love to see how this fares in the mass-check system...
> 
> Adam -- could you open a bug on the bugzilla and attach an up-to-date
> copy of the rules file, and I'll put it in my sandbox to see how it
> goes?  (unfortunately the ruleqa stuff can't deal with testing
> third-party sa-update sources yet.)

Done:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6114


Note, the published generation script is out of date now.  It is
currently married to the sc.khopesh.com DNSBL (since they share the
same source data) and I need to determine what my next course of
action is in that respect.

Re: khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

[Justin Mason <jm...@jmason.org>]

> This is updated nightly in my sa-update channel at:
> khop-sc-neighbors.sa.khopesh.com
>
> (Generation script:  http://khopesh.com/scripts/sa-sc-neighbors )
>
> Install with something like:
>
> wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import -
> sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com
>
>
> I'd love to see how this fares in the mass-check system...

Adam -- could you open a bug on the bugzilla and attach an up-to-date
copy of the rules file, and I'll put it in my sandbox to see how it
goes?  (unfortunately the ruleqa stuff can't deal with testing
third-party sa-update sources yet.)

--j.