You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Marcelo Galeti <mc...@gmail.com> on 2009/04/17 11:39:57 UTC

Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Hello Guys,

Do you know if are there something like the old 'Top200 SpamCop Relays' 
70_sc_top200 ?

wget http://www.rulesemporium.com/rules/70_sc_top200.cf

Thank you very much to all,

Marcelo Galeti
-- 
View this message in context: http://www.nabble.com/Something-like-the-old-%2270_sc_top200%22---%27Top200-SpamCop-Relays%27-tp23094446p23094446.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

RE: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Marcelo Galeti <mc...@gmail.com>.

OK Guys,

I understood ! Thanks for this help. 




Giampaolo Tomassoni wrote:
> 
>> -----Original Message-----
>> From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
>> Sent: Friday, April 17, 2009 2:48 PM
>> 
>> On Fri, 2009-04-17 at 02:39 -0700, Marcelo Galeti wrote:
>> > Hello Guys,
>> 
>> Wow, a Nabble user with a real name. :)
>> 
>> > Do you know if are there something like the old 'Top200 SpamCop
>> Relays'
>> > 70_sc_top200 ?
>> 
>> Not strictly a list of the top 200, but isn't this covered by the more
>> extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?
> 
> As you already pointed out, they are not exactly the same.
> 
> The fact is that 70_sc_top200 seems stuck at Jan 2008 and the sare's index
> page (http://www.rulesemporium.com/) says ninjas are busy working on
> something else.
> 
> It seems to me 70_sc_top200 is an automatic rule, which tautologically
> shouldn't involve any ninja at all in its updating.
> 
> Anybody knows what happened to it?
> 
> Giampaolo
> 
> 
>> 
>> 
>> --
>> char
>> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"
>> ;
>> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
>> c<<=1:
>> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){
>> putchar(t[s]);h=m;s=0; }}}
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Something-like-the-old-%2270_sc_top200%22---%27Top200-SpamCop-Relays%27-tp23094446p23104247.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

Posted by Adam Katz <an...@khopis.com>.

Justin Mason wrote:
>> This is updated nightly in my sa-update channel at:
>> khop-sc-neighbors.sa.khopesh.com
>>
>> (Generation script:  http://khopesh.com/scripts/sa-sc-neighbors )
>>
>> Install with something like:
>>
>> wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import -
>> sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com
>>
>>
>> I'd love to see how this fares in the mass-check system...
> 
> Adam -- could you open a bug on the bugzilla and attach an up-to-date
> copy of the rules file, and I'll put it in my sandbox to see how it
> goes?  (unfortunately the ruleqa stuff can't deal with testing
> third-party sa-update sources yet.)

Done:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6114


Note, the published generation script is out of date now.  It is
currently married to the sc.khopesh.com DNSBL (since they share the
same source data) and I need to determine what my next course of
action is in that respect.

Re: khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

Posted by Justin Mason <jm...@jmason.org>.

> This is updated nightly in my sa-update channel at:
> khop-sc-neighbors.sa.khopesh.com
>
> (Generation script:  http://khopesh.com/scripts/sa-sc-neighbors )
>
> Install with something like:
>
> wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import -
> sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com
>
>
> I'd love to see how this fares in the mass-check system...

Adam -- could you open a bug on the bugzilla and attach an up-to-date
copy of the rules file, and I'll put it in my sandbox to see how it
goes?  (unfortunately the ruleqa stuff can't deal with testing
third-party sa-update sources yet.)

--j.

khop-sc-neighbors (updated nightly, replaces 70_sc_top200)

Posted by Adam Katz <an...@khopis.com>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>> Do you know if are there something like the old 'Top200 SpamCop
>>> Relays' 70_sc_top200 ?
>
> It seems to me 70_sc_top200 is an automatic rule, which
> tautologically shouldn't involve any ninja at all in its updating.

YES!  I've actually been working on something very similar.  Instead
of just using a list, it abstracts to neighboring networks (providing
anticipatory scores).

This is derived from SpamCop's index of high-volume spammers in CIDR
/8 (class A) and CIDR /24 (class D) netblocks and assigns points to
them.  Basically, this is a stereotyping, assuming clusters of
spammers beget spammers within systems with nearby IPv4 addresses.

Note that this rule does not (yet) fire on things already indexed by
SpamCop since such things already get points.  The argument that such
high-volume spam subnets should get increased scores anyway is
interesting and should be investigated more thoroughly in the future
(I haven't had any false positives yet, but YMMV).

This is updated nightly in my sa-update channel at:
khop-sc-neighbors.sa.khopesh.com

(Generation script:  http://khopesh.com/scripts/sa-sc-neighbors )

Install with something like:

wget -qO - http://khopesh.com/sa/GPG.KEY |sudo sa-update --import -
sa-update --gpgkey E8B493D6 --channel khop-sc-neighbors.sa.khopesh.com


I'd love to see how this fares in the mass-check system...


(My other channels: http://khopesh.com/Anti-spam#Custom_SA_hacks )

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknuVbQACgkQnCRV0Oi0k9bqWwCfbxB6YvOLWIm3+0CNqqMqU6Kj
iOsAn3NtIUHzobDds/MuCOFEb7aK2pQV
=SSbs
-----END PGP SIGNATURE-----

RE: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Marcelo Galeti <mc...@gmail.com>.

Giampaolo,

You read my mind :))

Greatings and take care !

Marcelo



Giampaolo Tomassoni wrote:
> 
>> -----Original Message-----
>> From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
>> Sent: Friday, April 17, 2009 2:48 PM
>> 
>> On Fri, 2009-04-17 at 02:39 -0700, Marcelo Galeti wrote:
>> > Hello Guys,
>> 
>> Wow, a Nabble user with a real name. :)
>> 
>> > Do you know if are there something like the old 'Top200 SpamCop
>> Relays'
>> > 70_sc_top200 ?
>> 
>> Not strictly a list of the top 200, but isn't this covered by the more
>> extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?
> 
> As you already pointed out, they are not exactly the same.
> 
> The fact is that 70_sc_top200 seems stuck at Jan 2008 and the sare's index
> page (http://www.rulesemporium.com/) says ninjas are busy working on
> something else.
> 
> It seems to me 70_sc_top200 is an automatic rule, which tautologically
> shouldn't involve any ninja at all in its updating.
> 
> Anybody knows what happened to it?
> 
> Giampaolo
> 
> 
>> 
>> 
>> --
>> char
>> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"
>> ;
>> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
>> c<<=1:
>> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){
>> putchar(t[s]);h=m;s=0; }}}
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Something-like-the-old-%2270_sc_top200%22---%27Top200-SpamCop-Relays%27-tp23094446p23103282.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

RE: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.

On Fri, 2009-04-17 at 22:53 +0200, Giampaolo Tomassoni wrote:
> > From: Karsten Bräckelmann

> > More precisely: If that rule-set still would be generated, it would be a
> > sub-set of bl.spamcop.net.
> 
> It is a ranked chunk of the top 200 spammers, not just a subset. It
> could even make sense to score a mail based on both 70_sc_top200 *and*
> bl.spamcop.net: this way the top 200's would earn some more points...

I was kind of hoping you'd jump on that. :)

Yes, you're right, it does imply a more serious category. However, I
don't believe it's worth scoring both *as-is*, with the 3.0 for the top
200 static list. An additional score might be worth it, though. (Dunno
for sure, depends on the average SA score of messages sent by those
relays.)

Also, the static list will always lag behind. So it would be best to
have it coded in some way in the bl.spamcop.net response.

> bl.spamcop.net doesn't give any hint about a source rank in the SC db...

Unfortunately. ;)

> > It died. And in fact, died *years* ago. As you can see two clicks away
> > from the link you posted, it became superfluous long ago and has been
> > deprecated. Just see the description of the rule-set:

> > So, I'd say delete your copy of that stale file immediately.
> 
> A stale file is a stale file. But is it that much stale the idea as a
> whole? I mean, the "top 200 spammers" one.

Probably not, and it'd suit the SA way perfectly. More evidence, higher
score.

However, I believe the idea of a static file in this context, updated
"sparsely", is stale. Having the BL return different codes for "listed"
and "top ranking" would be much preferable.

  guenther

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

RE: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Giampaolo Tomassoni <Gi...@Tomassoni.biz>.

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
> Sent: Friday, April 17, 2009 8:48 PM
> 
> ...omissis...
> 
> > > Not strictly a list of the top 200, but isn't this covered by the
> more
> > > extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?
> >
> > As you already pointed out, they are not exactly the same.
> 
> More precisely: If that rule-set still would be generated, it would be
> a
> sub-set of bl.spamcop.net.

It is a ranked chunk of the top 200 spammers, not just a subset. It could even make sense to score a mail based on both 70_sc_top200 *and* bl.spamcop.net: this way the top 200's would earn some more points...

bl.spamcop.net doesn't give any hint about a source rank in the SC db...


> > The fact is that 70_sc_top200 seems stuck at Jan 2008 and the sare's
> index
> > page (http://www.rulesemporium.com/) says ninjas are busy working on
> > something else.
> >
> > It seems to me 70_sc_top200 is an automatic rule, which
> tautologically
> > shouldn't involve any ninja at all in its updating.
> 
> Well, it still would require some maintenance occasionally.
> 
> > Anybody knows what happened to it?
> 
> It died. And in fact, died *years* ago. As you can see two clicks away
> from the link you posted, it became superfluous long ago and has been
> deprecated. Just see the description of the rule-set:
> 
>   Do not use these if you use SpamCop.net's blacklist (Default with net
>   enabled on 2.63). This ruleset is created from that data. [...]
> 
> 
> So, I'd say delete your copy of that stale file immediately.

A stale file is a stale file. But is it that much stale the idea as a whole? I mean, the "top 200 spammers" one.


>   guenther

Giampaolo

> 
> 
> --
> char
> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"
> ;
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
> c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){
> putchar(t[s]);h=m;s=0; }}}

RE: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.

On Fri, 2009-04-17 at 15:43 +0200, Giampaolo Tomassoni wrote:
> > From: Karsten Bräckelmann

> > Not strictly a list of the top 200, but isn't this covered by the more
> > extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?
> 
> As you already pointed out, they are not exactly the same.

More precisely: If that rule-set still would be generated, it would be a
sub-set of bl.spamcop.net.

> The fact is that 70_sc_top200 seems stuck at Jan 2008 and the sare's index
> page (http://www.rulesemporium.com/) says ninjas are busy working on
> something else.
> 
> It seems to me 70_sc_top200 is an automatic rule, which tautologically
> shouldn't involve any ninja at all in its updating.

Well, it still would require some maintenance occasionally.

> Anybody knows what happened to it?

It died. And in fact, died *years* ago. As you can see two clicks away
from the link you posted, it became superfluous long ago and has been
deprecated. Just see the description of the rule-set:

  Do not use these if you use SpamCop.net's blacklist (Default with net
  enabled on 2.63). This ruleset is created from that data. [...]

So, I'd say delete your copy of that stale file immediately.

  guenther

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

RE: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Giampaolo Tomassoni <g....@libero.it>.

> -----Original Message-----
> From: Karsten Bräckelmann [mailto:guenther@rudersport.de]
> Sent: Friday, April 17, 2009 2:48 PM
> 
> On Fri, 2009-04-17 at 02:39 -0700, Marcelo Galeti wrote:
> > Hello Guys,
> 
> Wow, a Nabble user with a real name. :)
> 
> > Do you know if are there something like the old 'Top200 SpamCop
> Relays'
> > 70_sc_top200 ?
> 
> Not strictly a list of the top 200, but isn't this covered by the more
> extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?

As you already pointed out, they are not exactly the same.

The fact is that 70_sc_top200 seems stuck at Jan 2008 and the sare's index
page (http://www.rulesemporium.com/) says ninjas are busy working on
something else.

It seems to me 70_sc_top200 is an automatic rule, which tautologically
shouldn't involve any ninja at all in its updating.

Anybody knows what happened to it?

Giampaolo

> 
> 
> --
> char
> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"
> ;
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
> c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){
> putchar(t[s]);h=m;s=0; }}}

Re: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.

On Fri, 2009-04-17 at 11:25 -0700, Marcelo Galeti wrote:
> Yeh ! You are right ! I was justing thinking in way SareRules say this rule
> is Active .... but you are right ! This RSCV rule cover the same thing.

Given that this rule-set is deprecated since *before* 3.0 already, here
goes some advice I've given a few times already...

Carefully review and monitor any third-party (and maybe even stock)
rule-sets. Do not just blindly use whatever you find.

If you would have read the notes before, you wouldn't be wondering or
using it. Odds are, there likely are some other old, deprecated rule-
sets lingering around.

Oh, and since you pointed out the "Active" status, keep the important
caveat on the main page in mind. With a *very* few exceptions, nothing
SARE is being updated and maintained currently.

> > Not strictly a list of the top 200, but isn't this covered by the more
> > extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Marcelo Galeti <mc...@gmail.com>.

Yeh ! You are right ! I was justing thinking in way SareRules say this rule
is Active .... but you are right ! This RSCV rule cover the same thing.

Thank you very much !!!

;) Marcelo 



Karsten Bräckelmann-2 wrote:
> 
> On Fri, 2009-04-17 at 02:39 -0700, Marcelo Galeti wrote:
>> Hello Guys,
> 
> Wow, a Nabble user with a real name. :)
> 
>> Do you know if are there something like the old 'Top200 SpamCop Relays' 
>> 70_sc_top200 ?
> 
> Not strictly a list of the top 200, but isn't this covered by the more
> extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?
> 
> 
> -- 
> char
> *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
> c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> }}}
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Something-like-the-old-%2270_sc_top200%22---%27Top200-SpamCop-Relays%27-tp23094446p23103255.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Something like the old "70_sc_top200" - 'Top200 SpamCop Relays'

Posted by Karsten Bräckelmann <gu...@rudersport.de>.

On Fri, 2009-04-17 at 02:39 -0700, Marcelo Galeti wrote:
> Hello Guys,

Wow, a Nabble user with a real name. :)

> Do you know if are there something like the old 'Top200 SpamCop Relays' 
> 70_sc_top200 ?

Not strictly a list of the top 200, but isn't this covered by the more
extensive RCVD_IN_BL_SPAMCOP_NET dnsbl test?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}