Posted to commits@spamassassin.apache.org by kh...@apache.org on 2010/04/25 06:39:58 UTC
svn commit: r937743 - in /spamassassin/trunk/rulesrc/sandbox/khopesh:
20_khop_dynamic.cf 20_s25r.cf
Author: khopesh
Date: Sun Apr 25 04:39:57 2010
New Revision: 937743
URL: http://svn.apache.org/viewvc?rev=937743&view=rev
Log:
split the production-grade S25R rules into a new file and published them in their own sa-update channel, khop-dynamic
Added:
spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_dynamic.cf
Modified:
spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
Added: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_dynamic.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_dynamic.cf?rev=937743&view=auto
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_dynamic.cf (added)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_dynamic.cf Sun Apr 25 04:39:57 2010
@@ -0,0 +1,64 @@
+## khop-dynamic.cf v 2010042418
+## Khopesh's Dynamic host detection
+## This depends on khop-trust.cf which has a lesser form in SpamAssassin 3.3.1+
+##
+## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
+## http://khopesh.com/Anti-spam
+## khopesh on irc://irc.freenode.net/#spamassassin
+##
+## sa-update --gpgkey E8B493D6 --channel khop-dynamic.sa.khopesh.com
+##
+## These rules are Copyright (C) 2001-2009 by Adam Katz <antispamATkhopiscom>
+## Licensed under the Apache License 2.0 or Creative Commons Share-alike 2.0
+## The author is receptive to relicensing requests.
+##
+## Additional credit goes to the original designers of the concepts knit together
+## by these rules, namely ASAMI Hideo for S25R.
+##
+## This file is fully vetted by the Spamassassin Rule QA testing system at
+## http://ruleqa.spamassassin.org/?srcpath=20_khop_dynamic.cf
+
+
+# S25R is: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
+# S25R is seven regexps used to detect botnets by reverse DNS.
+# Last updated with upstream regexps on 2009-11-23
+# S25R is loosely licensed permissively with the following sentence:
+# > I don't claim any exclusive rights about my idea. And, if you invent a
+# > new means based on my idea, I hope you contribute it to the Internet
+# > world without claiming exclusive rights.
+#
+# The Upstream cleanses its list with a whitelist consisting of major sites like
+# google.com, hotmail.com, data-hotel.net, yahoo.co.jp, yahoo.com, mixi.jp,
+# home.ne.jp, softbank.ne.jp, ezweb.ne.jp, and verisign.net. All of these
+# correctly use SPF except yahoo (which uses DKIM), home.ne.jp, and verisign.
+# The whitelist is way too big to be worthwhile, so we use SPF/DKIM/Greylisting.
+
+# S25R_0 is equal to RDNS_NONE and has a host of problems. We ignore it here.
+
+header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
+header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/
+header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
+header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
+header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
+header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/
+
+
+# S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
+# This was not published with S25R due to matching 'feed' and similar words.
+# PCRE lets us use negative look-ahead. This ignores 3+ consecutive hex letters.
+header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/
+# 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214 awesome score-map; avg is LOW!
+# 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420 37% of spam hits are under 6 pts
+
+# safe, no cleansing needed
+meta KHOP_DYNAMIC __LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__TWO_IPS_RCVD || __5_SUBDOM || __RDNS_HEX || __S25R_4 || __S25R_6)
+describe KHOP_DYNAMIC Relay looks like a dynamic address
+tflags KHOP_DYNAMIC nopublish
+score KHOP_DYNAMIC 2.0
+
+# cleansing added to make safe
+meta KHOP_DYNAMIC2 !(__NOT_SPOOFED||__GREYLISTING||KHOP_DYNAMIC) && (__S25R_1 + __S25R_2 + 2*__S25R_3 + 2*__S25R_5 + __IP_IN_RELAY > 2)
+describe KHOP_DYNAMIC2 Relay looks like a dynamic address
+tflags KHOP_DYNAMIC2 nopublish
+score KHOP_DYNAMIC2 1.0
+
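Review bot: KHOP_DYNAMIC and KHOP_DYNAMIC2 at the end of the hunk reference __NOT_SPOOFED, __GREYLISTING, __TWO_IPS_RCVD, __5_SUBDOM and __IP_IN_RELAY, none of which is defined in this file, yet the file is shipped as a standalone sa-update channel whose header only says it "depends on khop-trust.cf". On a host that installs this channel without khop-trust, SpamAssassin will (as far as I recall) log an undefined-dependency warning and evaluate those names as 0, which makes `!(__NOT_SPOOFED||__GREYLISTING||KHOP_DYNAMIC)` in KHOP_DYNAMIC2 effectively always true — the SPF/DKIM/greylisting cleansing that the comment says was "added to make safe" disappears silently and the rule adds 1.0 to mail that authenticated correctly. Either ship the required subrules with the channel or make the requirement explicit, e.g. replace the "depends on" line with `## REQUIRES khop-trust.cf for __NOT_SPOOFED, __GREYLISTING, __TWO_IPS_RCVD, __5_SUBDOM and __IP_IN_RELAY; without them KHOP_DYNAMIC2 loses its SPF/DKIM cleansing`. Separately, `--gpgkey E8B493D6` is a 32-bit short key ID; publishing the full fingerprint in the header would let operators verify the key they import before trusting rule updates from it.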
Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf?rev=937743&r1=937742&r2=937743&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Sun Apr 25 04:39:57 2010
@@ -1,50 +1,31 @@
-# S25R is: http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html
-# S25R is seven regexps used to detect botnets by reverse DNS.
-# Last updated with upstream regexps on 2009-11-23
-
-# S25R whitelist includes: google.com, hotmail.com, data-hotel.net, yahoo.co.jp, yahoo.com, mixi.jp, home.ne.jp, softbank.ne.jp, ezweb.ne.jp, verisign.net
-# of these, only yahoo.com(has DKIM), home.ne.jp, and verisign.net lack SPF.
-# The whitelist is way too big to be worthwhile, so we use SPF/DKIM/Greylisting.
-
-
-# Limited via __HELO_NO_DOMAIN to distinguish from (and improve upon) RDNS_NONE
-#meta S25R_0 __LAST_EXTERNAL_RELAY_NO_AUTH && RDNS_NONE && __HELO_NO_DOMAIN && !__NOT_SPOOFED && !__GREYLISTING
-#describe S25R_0 S25R: Reverse lookup failure
-#score S25R_0 0.1
-#tflags S25R_0 nopublish
-# still trying to figure out whether to push this or just let RDNS_NONE do it.
+# Most of this has migrated to the khop-dynamic channel, new as of 2010-04-24.
+# The channel's content lives here in svn as 20_khop_dynamic.cf
-header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
describe S25R_1 S25R: Bottom of rDNS has num, non-num, num
meta S25R_1 __S25R_1 && !(__DOS_RELAYED_EXT||__S25R_2||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING)
tflags S25R_1 nopublish
#score S25R_1 0.1
-header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/
describe S25R_2 S25R: Bottom of rDNS has 5+ digits in a row
meta S25R_2 __S25R_2 && !(__S25R_1||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING)
tflags S25R_2 nopublish
#score S25R_2 0.1
-header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
describe S25R_3 S25R: A low-level of rDNS starts w/ a number
meta S25R_3 __S25R_3 && !(__S25R_1||__S25R_2||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING)
tflags S25R_3 nopublish
#score S25R_3 0.1
-header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
describe S25R_4 S25R: Bottom of rDNS ends w/ num, next lvl has num-num
meta S25R_4 __S25R_4 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTING)
#tflags S25R_4 nopublish
#score S25R_4 0.1
-header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
describe S25R_5 S25R: rDNS has 5+ layers, bottom 2 end in numbers
meta S25R_5 __S25R_5 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_6 || __NOT_SPOOFED || __GREYLISTING)
tflags S25R_5 nopublish
#score S25R_5 0.1
-header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/
describe S25R_6 S25R: rDNS looks dynamic or customer-facing
meta S25R_6 __S25R_6 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_5 || __NOT_SPOOFED || __GREYLISTING)
#tflags S25R_6 nopublish
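Review bot: The S25R_1..S25R_6 metas kept in this hunk now depend on the `header __S25R_n` definitions the hunk removes, and the replacement comment at the top only says "most of this has migrated". That works while both sandbox files are loaded together, but anyone reading or copying 20_s25r.cf on its own gets six metas with undefined dependencies, and S25R_4 and S25R_6 are the two whose `tflags ... nopublish` lines remain commented out. Spell the dependency out where the definitions used to be: `# The header subrules __S25R_1..6 and __RDNS_HEX now live in 20_khop_dynamic.cf; the S25R_n metas below still require them.`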
@@ -53,12 +34,14 @@ meta S25R_6 __S25R_6 && !(__S25R_1||__S
# Testing the union. Limits S25R_0 (RDNS_NONE) for high FPs.
# Ordered by popularity in an effort to improve short-circuiting.
#meta S25R ((RDNS_NONE&&__HELO_NO_DOMAIN)||__S25R_1||__S25R_3||__S25R_5||__S25R_2||__S25R_6||__S25R_4) && !__NOT_SPOOFED && !__GREYLISTING
-#describe S25R Selective SMTP Rejection: Relay has dynamic rDNS
-#tflags S25R nopublish
+# using __MAY_BE_FORGED (sendmail-only?) instead of RDNS_NONE as S25R_0
+meta S25R !(__NOT_SPOOFED||__GREYLISTING) && (__MAY_BE_FORGED||__S25R_1||__S25R_3||__S25R_5||__S25R_2||__S25R_6||__S25R_4)
+describe S25R Selective SMTP Rejection: Relay has dynamic rDNS
+tflags S25R nopublish
-# Here it is, my full-blown poor-man's botnet
+# Early poor-mani's botnet attempts (replaced by KHOP_DYNAMIC and KHOP_DYNAMIC2)
meta KHOP_BOTNET_4 __LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTING) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || RDNS_DYNAMIC + __S25R_1*.8 + __S25R_2*.8 > 1.7)
describe KHOP_BOTNET_4 Relay looks like a dynamic address
tflags KHOP_BOTNET_4 nopublish
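Review bot: The new S25R meta substitutes __MAY_BE_FORGED for the rejected RDNS_NONE term, but the comment above it leaves the subrule's MTA coverage as an open question ("sendmail-only?"). If that subrule is driven by the "(may be forged)" annotation sendmail writes into Received headers — I believe it is, but it is defined outside this file — then behind Postfix, Exim or qmail front ends the term never fires and S25R quietly degrades to the plain union of S25R_1-6 with no S25R_0 equivalent, so the answer is worth confirming and recording, e.g. `# __MAY_BE_FORGED only fires on sendmail-style "(may be forged)" Received annotations; on other MTAs S25R has no S25R_0 component.` The rewritten KHOP_BOTNET_4 comment also has a typo: `poor-mani's` should read `poor-man's`.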
@@ -67,36 +50,19 @@ meta KHOP_BOTNET_7 !(__FROM_FREEMAIL ||
describe KHOP_BOTNET_7 Relay looks like a dynamic address
tflags KHOP_BOTNET_7 nopublish
-meta KHOP_BOTNET_UNCLEAN __LAST_EXTERNAL_RELAY_NO_AUTH && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2)
+meta KHOP_BOTNET_9 !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTING) && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY + __MAY_BE_FORGED > 2)
+describe KHOP_BOTNET_9 Relay looks like a dynamic address
+tflags KHOP_BOTNET_9 nopublish
+
+meta KHOP_BOTNET_UNCLEAN __LAST_EXTERNAL_RELAY_NO_AUTH && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY + __MAY_BE_FORGED > 2)
describe KHOP_BOTNET_UNCLEAN Relay looks like a dynamic address
tflags KHOP_BOTNET_UNCLEAN nopublish
-
-# I intend to remove s25r_4 and s25r_6 from publish
-# and enable the next two once I've added findings from RCD.
-
-# safe, no cleansing needed
-meta KHOP_DYNAMIC __LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__TWO_IPS_RCVD || __5_SUBDOM || __RDNS_HEX || __S25R_4 || __S25R_6)
-describe KHOP_DYNAMIC Relay looks like a dynamic address
-tflags KHOP_DYNAMIC nopublish
-
-# cleansing added to make safe
-meta KHOP_DYNAMIC2 !(__NOT_SPOOFED||__GREYLISTING) && (__S25R_1 + __S25R_2 + 2*__S25R_3 + 2*__S25R_5 + __IP_IN_RELAY > 2)
-describe KHOP_DYNAMIC2 Relay looks like a dynamic address
-tflags KHOP_DYNAMIC2 nopublish
-
# Sanity check: how much freemail lacks spf or dkim?
meta SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
-# S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
-# This was not published with S25R due to matching 'feed' and similar words.
-# PCRE lets us use negative look-ahead. This ignores 3+ consecutive hex letters.
-header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/
-# 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214 awesome score-map; avg is LOW!
-# 4.9976/0.0086 spam/ham, 0.998 s/o @ 20100420 37% of spam hits are under 6 pts
-
# see if we can further reduce the FPs w/out impacting the spam hits too hard
header __RDNS_HEX9 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{8}/
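Review bot: KHOP_BOTNET_9 omits the `__LAST_EXTERNAL_RELAY_NO_AUTH` guard that KHOP_BOTNET_4 and the rewritten KHOP_BOTNET_UNCLEAN both carry, so the new variant differs from UNCLEAN in two ways at once (the auth guard and the freemail/SPF/DKIM/greylisting cleansing), which makes any ruleqa difference between them hard to attribute. If the omission is deliberate, say so in a comment; otherwise prefix the definition with `__LAST_EXTERNAL_RELAY_NO_AUTH && ` so the variants stay comparable. Note also that both sums now add `__MAY_BE_FORGED`, a term the 20_s25r.cf comment earlier in this commit flags as possibly sendmail-only, so the `> 2` threshold is in practice MTA-dependent. The KHOP_BOTNET_7 definition that this hunk's context shows begins before the hunk.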