You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by kh...@apache.org on 2010/01/03 17:49:35 UTC
svn commit: r895444 - in /spamassassin/trunk/rulesrc/sandbox/khopesh: 20_khop_experimental.cf 20_khop_sc_bug_6114.cf 20_s25r.cf

Author: khopesh
Date: Sun Jan  3 16:49:34 2010
New Revision: 895444

URL: http://svn.apache.org/viewvc?rev=895444&view=rev
Log:
moved to -External from -Untrusted on relay checks as per hege's suggestions, sc update

Modified:
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf?rev=895444&r1=895443&r2=895444&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf Sun Jan  3 16:49:34 2010
@@ -20,12 +20,12 @@
 #score	 KHOP_FAKE_EBAY 	2.25 # 20090408
 
 ifplugin Mail::SpamAssassin::Plugin::URIDetail
-  uri_detail KHOP_CLIQUEZ_ICI	text =~ /^cliquez\Wici\b/i
+  uri_detail KHOP_FOREIGN_CLICK	text =~ /\b(?:cliquez\Wici\b|clic aqu[^<.,a ])/i
 else
-  rawbody    KHOP_CLIQUEZ_ICI	/>cliquez\Wici\b/i
+  rawbody    KHOP_FOREIGN_CLICK	m{\bhref=[^>]{9,199}>[^<]{0,80}(?:<(?!/a\b)[^>]{0,299}>[^<]{0,80}){0,9}[^<]{0,80}\b(?:cliquez\Wici\b|clic aqu[^<.,a ])}si
 endif
-describe KHOP_CLIQUEZ_ICI	Click here link in French
-#score	 KHOP_CLIQUEZ_ICI	1.1	# 20090526 see also SARE_UN7
+describe KHOP_FOREIGN_CLICK	Click here link in French or Spanish
+#score	 KHOP_FOREIGN_CLICK	1.1	# 20090526 see also SARE_UN7
 
 # I don't think this ever fires
 uri	 URI_HIDDEN	m'.{7}\/\.\.?/?\w'
@@ -33,20 +33,20 @@
 #score	 URI_HIDDEN	0.7 # 20090515 13:29 by Adam Katz (me) on sa-users list
 
 # no subdomain; sent by example.com rather than server.example.com
-header __RDNS_NO_SUBDOM	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
+header __RDNS_NO_SUBDOM	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
 
 # Relays with 5+ subdomains.
 # My data (post-greylisting) is 1.7869/0.0682 spam/ham, s/o = .897
 # Those should be significantly better sans-greylisting (they can't get worse).
 # @ 20091214, 5.7617/0.0344 spam/ham, 0.994 s/o.
-header __5_SUBDOM X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:[^. ]*\.){6,}\w+ /
+header __5_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]*\.){6,}\w+ /
 
 # Probably too similar to __S25R_1
-header __NUM_LTR_3 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*(?:\d\S*[^0-9. ]\S*\d){3,} /
+header __NUM_LTR_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:\d\S*[^0-9. ]\S*\d){3,} /
 
 # IP address in relay's rDNS or HELO
-header __IP_IN_RELAY X-Spam-Relays-Untrusted =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) [^\]]*(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
-header __IP_PART_IN_RELAY X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.\d+\.(\d+)\.(\d+) [^\]]*(?:rdns|helo)=\S*(?:\1\W\2\W|\2\W\1)\b/
+header __IP_IN_RELAY  X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
+header __IP_PART_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=\d+\.\d+\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\W\2\W|\2\W\1)\b/
 
 header __MSGID_DOTZERO	Message-ID =~ /\.0\.0\./
 

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf?rev=895444&r1=895443&r2=895444&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf Sun Jan  3 16:49:34 2010
@@ -1,4 +1,4 @@
-## khop-sc-neighbors.cf	v 2009121423
+## khop-sc-neighbors.cf	v 201001311
 ## Khopesh's syndication of SpamCop's top offenders and top offending networks.
 ## 
 ## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
@@ -15,11 +15,11 @@
 
 
 # http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
-header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:1(?:17|22)|200|59)(?:\.[012]?[0-9]{1,2}){3}\b)/
+header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:200|77|89|95)(?:\.[012]?[0-9]{1,2}){3}\b)/
 describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
 score    KHOP_SC_CIDR8  0.2 0.1 0.3 0.2
 
-header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:1(?:23|89|90)|201)(?:\.[012]?[0-9]{1,2}){3}\b)/
+header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:1(?:89|90)|201|93)(?:\.[012]?[0-9]{1,2}){3}\b)/
 describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
 score    KHOP_SC_TOP_CIDR8  0.5 0.4 0.8 0.6
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
@@ -33,11 +33,11 @@
 
 
 # http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
-header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:22\.1(?:62|73)|90\.253)|59\.9[24]|222\.254)(?:\.[012]?[0-9]{1,2}){2}\b)/
+header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:22\.16[34]|17\.197)|59\.9[24]|95\.30)(?:\.[012]?[0-9]{1,2}){2}\b)/
 describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
 score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75
 
-header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b1(?:1(?:3\.(?:169|22)|7\.197)|2(?:3\.2[37]|1\.247))(?:\.[012]?[0-9]{1,2}){2}\b)/
+header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b(?:1(?:2(?:3\.2[37]|1\.247)|13\.22)|222\.254|93\.41)(?:\.[012]?[0-9]{1,2}){2}\b)/
 describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
 score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
@@ -53,7 +53,7 @@
 
 
 # http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
-header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:2(?:0(?:2\.75\.37|3\.82\.80)|19\.254\.35)|9(?:3\.186\.224|8\.126\.177)|121\.54\.32)\.[012]?[0-9]{1,2}\b)/
+header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:2(?:13\.176\.23[01]|03\.82\.92)|64\.187\.119|195\.46\.33|93\.186\.96)\.[012]?[0-9]{1,2}\b)/
 describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
 score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2
 # http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
@@ -64,13 +64,13 @@
 #counts  KHOP_SC_CIDR24  240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
 #counts  KHOP_SC_CIDR24  0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
 
-header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:1(?:11\.224\.250|21\.1\.37)|203\.82\.9[12]|72\.21\.6|0\.0\.0)\.[012]?[0-9]{1,2}\b)/
+header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:77\.24(?:1\.45|4\.40)|193\.108\.38|89\.251\.107|203\.82\.91|0\.0\.0)\.[012]?[0-9]{1,2}\b)/
 describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
 score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8
 
 
 # http://www.spamcop.net/w3m?action=hoshame
-header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:0(?:0\.(?:2(?:7\.1(?:19\.130|38\.74)|1\.184\.66)|6(?:8\.117\.197|\.193\.89)|141\.87\.135|76\.129\.133|80\.140\.61)|2\.(?:1(?:81\.234\.218|64\.44\.180)|75\.37\.(?:125|227)|31\.135\.52|87\.47\.130)|3\.(?:1(?:13\.118\.18|93\.187\.66)|82\.(?:91\.10[14]|79\.107)|217\.145\.80)|8\.(?:101\.55\.162|89\.219\.153|233\.32\.8)|9\.(?:239\.(?:35\.12|47\.20)5|94\.196\.170)|4\.2(?:27\.175\.2|00\.166\.)36|1\.161\.22\.77|7\.57\.121\.29)|1(?:1\.(?:1(?:9(?:1\.174\.141|8\.225\.206)|19\.98\.147)|2(?:39\.16(?:2\.41|3\.13)|02\.2\.97)|43\.80\.248)|7\.(?:1(?:6(?:9\.213\.246|\.69\.8)|99\.231\.249|45\.1\.16)|64\.104\.107|73\.31\.11)|3\.(?:2(?:51\.1(?:34\.138|69\.132)|27\.219\.58)|140\.0\.221)|0\.2(?:12\.180\.162|45\.122\.38|53\.114\.57)|6\.(?:230\.133\.69|150\.32\.34)|2\.150\.22\.143|8\.38\.12\.246|9\.254\.35\.45)|2(?:0\.(?:2(?:25\.117\.249|41\.246\.97)|9(?:0\.136\.61|5\.232\.26))|2\.(?:2(?:37\.78\.177|52\.223\.2)|122\.1(?:56\.30|97\.38))|1\.1(?:3(?
 :5\.132\.14|9\.0\.97)|43\.4(?:3\.204|8\.107))))|1(?:9(?:5\.(?:2(?:25\.46\.236|05\.141\.3|4\.209\.14)|1(?:58\.5\.12|61\.9\.)2|95\.228\.150)|0\.(?:2(?:4\.(?:150\.185|218\.149)|7\.214\.130|04\.66\.59)|65\.170\.206)|(?:3\.108\.38\.22|4\.63\.136\.1)8|6\.207\.237\.130|2\.220\.65\.106|9\.239\.229\.13)|2(?:2\.(?:16(?:0\.(?:99\.2(?:38|42)|208\.62)|6\.15\.115)|(?:252\.231\.1|55\.106\.)4)|1\.(?:1(?:\.(?:37\.14[567]|18\.242)|43\.193\.179)|242\.79\.66)|4\.(?:2(?:17\.19(?:8\.233|9\.142)|47\.194\.48)|124\.39\.106)|5\.46\.73\.179)|1(?:9\.(?:4(?:0\.98\.34|6\.26\.93)|93\.105\.5)|8\.1(?:02\.181\.250|75\.6\.138)|1\.224\.250\.(?:6[56]|132|70)|4\.141\.(?:22\.65|5\.3)|6\.193\.163\.138|0\.172\.152\.47|7\.25\.129\.200|5\.68\.2\.15)|8(?:6\.2(?:4\.(?:1[6789]|2[013])\.3|8\.228\.1)|9\.1(?:12\.218\.23|\.168\.4)4)|(?:4(?:8\.243\.142\.2|0\.111\.153\.)|58\.170\.64\.7)4|6(?:8\.143\.(?:17\.100|44\.181)|1\.58\.28\.39)|38\.210\.136\.199)|9(?:1\.(?:1(?:21\.(?:1(?:05\.224|36\.218)|(?:74\.10|66\.5)5|83\.216)|96\.9
 6\.67)|210\.148\.172|92\.230\.227)|4\.(?:23(?:\.(?:12\.122|25\.83|37\.55)|0\.166\.5)|102\.11\.56)|5\.1(?:72\.103\.251|54\.240\.98)|3\.(?:122\.135\.4|91\.196\.99)|6\.45\.176\.153|2\.63\.240\.36|8\.126\.177\.8)|6(?:7\.(?:22(?:5\.17(?:7\.110|9\.86)|8\.26\.146)|43\.56\.15)|1\.1(?:00\.1(?:2\.193|4\.234)|58\.163\.112|9\.120\.35)|6\.(?:177\.148\.62|46\.179\.10)|2\.1(?:68\.168\.185|42\.11\.3)|0\.213\.48\.250|5\.167\.95\.182)|8(?:(?:4\.(?:22\.140\.18|51\.241\.)|2\.98\.132\.21|9\.200\.168\.3)6|0\.(?:(?:235\.105\.14|179\.155\.3)0|93\.125\.186|55\.84\.242)|3\.1(?:6\.1(?:49\.50|67\.14)|8\.234\.166|9\.164\.58)|7\.237\.233\.2|5\.21\.9\.4)|7(?:7\.(?:105\.133\.10|236\.64\.198|70\.54\.81)|(?:1\.249\.193\.3|5\.126\.138\.4)2|2\.(?:21\.6\.2[23]|52\.239\.50)|4\.(?:63\.57\.79|7\.71\.220)|9\.171\.120\.23)|5(?:8\.(?:1(?:20\.227\.149|8\.168\.166)|2(?:6\.100\.250|48\.4\.67)|68\.(?:66\.25[012]|4\.18))|9\.160\.177\.27))\b)/
+header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:1(?:9(?:5\.(?:2(?:3(?:8\.108\.131|0\.140\.18)|4\.93\.252|2\.107\.1)|1(?:8(?:4\.210\.38|9\.45\.11)|61\.9\.2)|78\.104\.253)|3\.(?:1(?:08\.38\.(?:2(?:2[89]|3[01])|181)|11\.156\.182|6\.45\.254)|227\.98\.4)|0\.(?:1(?:04\.159\.245|44\.54\.82)|220\.134\.58|41\.219\.177)|4\.(?:79\.21\.1(?:36|42|63|78)|50\.125\.26)|6\.(?:12\.226\.22|40\.10\.25)0)|2(?:2\.(?:1(?:60\.251\.30|83\.222\.34)|5(?:2\.170\.51|5\.106\.18)|252\.234\.74|3\.172\.37)|1\.(?:1\.(?:37\.14[567]|18\.250)|242\.109\.66)|4\.124\.(?:4(?:3\.32|4\.11)|214\.243|66\.114)|3\.254\.71\.71|5\.18\.138\.34|\.191\.88\.50)|1(?:1\.(?:224\.250\.(?:13[45]|66)|125\.78\.140)|(?:0\.172\.179\.|8\.96\.8\.16)3|7\.(?:25\.129\.200|120\.26\.18)|9\.6(?:8\.182\.130|4\.100\.2)|4\.143\.2\.244|6\.14\.150\.22)|8(?:(?:7\.7\.233\.20|9\.80\.178\.2)0|6\.24\.(?:1[6789]|2[0123])\.3|8\.128\.(?:118\.180|32\.242))|7(?:3\.12\.133\.210|4\.51\.89\.104)|(?:65\.132\.230|09\.72\.112)\.253|48\.243\.142\.24)|2(?:0(?:0\.
 (?:1(?:1(?:1\.108\.154|9\.240\.243)|50\.44\.4)|(?:42\.174\.10|6\.193\.8)9|27\.119\.130|30\.70\.202|80\.140\.61|95\.162\.53)|2\.(?:43\.18(?:2\.178|1\.7)|164\.44\.180|53\.77\.226|75\.37\.125)|1\.(?:1(?:44\.87\.36|95\.11\.34)|219\.3\.36)|3\.(?:82\.91\.10[14]|199\.72\.228)|9\.(?:129\.155\.253|94\.196\.170))|1(?:7\.(?:1(?:50\.(?:4(?:1\.16|5\.)5|56\.133)|99\.231\.249)|27\.150\.198|64\.104\.107|76\.204\.62)|(?:2\.(?:179\.130\.25|55\.66\.17)|8\.233\.189\.3)0|3\.(?:168\.32\.2|79\.125\.1)22|9\.25(?:2\.48\.67|4\.35\.45)|1\.24\.209\.253|6\.230\.133\.69)|20\.225\.(?:226\.70|91\.194))|8(?:9\.(?:2(?:5(?:1\.107\.(?:2[0125]|30)|\.77\.78)|1\.(?:93\.154|73\.2)|06\.152\.226)|1(?:05\.128\.3[23458]|89\.170\.2[156]|15\.25\.21))|2\.1(?:93\.1(?:(?:40\.16|55\.22)4|39\.226)|(?:44\.169\.19|14\.85\.1)4|50\.35\.218)|0\.(?:93\.12(?:5\.186|6\.10|4\.1)|84\.184\.126|78\.216\.24|2\.65\.127)|4\.(?:7(?:8\.223\.130|7\.48\.17)|17\.11\.114)|3\.14(?:(?:9\.17\.4|3\.32\.)2|2\.111\.228)|5\.(?:234\.16\.24[1234]|30\.67\
 .154)|1\.(?:198\.163\.194|201\.60\.169)|7\.2(?:26\.222\.22|42\.3\.1)|6\.64\.139\.27|8\.146\.206\.1)|9(?:1\.(?:19(?:3\.(?:253\.233|175\.32)|7\.(?:127\.2|5\.1)|4\.235\.54)|20(?:2\.8(?:6\.80|\.38)|3\.140\.32|6\.148\.54)|67\.82\.32)|3\.(?:1(?:86\.96\.150|22\.135\.4)|91\.196\.99)|2\.(?:125\.202\.61|86\.26\.74)|4\.25\.(?:10\.66|3\.10)|8\.126\.177\.8)|6(?:2\.(?:3(?:3\.188\.17|8\.54\.81)|193\.144\.194)|1\.(?:1(?:00\.228\.1|7\.76\.197)|4\.104\.38)|4\.(?:187\.119\.(?:9[89]|101)|76\.123\.98)|7\.181\.106\.181|0\.213\.48\.250)|7(?:7\.(?:2(?:32\.141\.61|44\.40\.82)|76\.144\.11[04]|109\.9\.10|52\.172\.1)|8\.(?:38\.132\.101|56\.5\.75))|41\.204\.190\.12)\b)/
 describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
 score    KHOP_SC_TOP200  3.4 3.2 3.7 3.5
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
@@ -81,7 +81,7 @@
 #counts  KHOP_SC_TOP200  1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
 # assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)
 
-#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:2(?:1(?:1\.(?:2(?:39\.16(?:2\.41|3\.13)|02\.2\.97)|1(?:98\.225\.206|19\.98\.147))|3\.(?:2(?:51\.134\.13|27\.219\.5)8|140\.0\.221)|7\.16(?:9\.213\.246|\.69\.8)|0\.253\.114\.57|2\.150\.22\.143|6\.230\.133\.69)|0(?:(?:2\.181\.234\.2|3\.113\.118\.)18|8\.(?:89\.219\.153|233\.32\.8)|0\.(?:27\.138\.74|6\.193\.89)|4\.227\.175\.236|9\.239\.47\.205|7\.57\.121\.29)|2(?:1\.1(?:3(?:5\.132\.14|9\.0\.97)|43\.48\.107)|0\.(?:225\.117\.249|95\.232\.26)|2\.237\.78\.177))|1(?:1(?:(?:9\.93\.105\.|5\.68\.2\.1)5|1\.224\.250\.(?:132|65|70)|8\.175\.6\.138|4\.141\.5\.3)|(?:4(?:8\.243\.142\.2|0\.111\.153\.)|89\.1(?:12\.218\.23|\.168\.4))4|9(?:5\.2(?:25\.46\.236|05\.141\.3)|9\.239\.229\.13|4\.63\.136\.18)|2(?:1\.1\.37\.14[567]|4\.217\.199\.142|2\.166\.15\.115)|6(?:8\.143\.17\.100|1\.58\.28\.39))|9(?:1\.(?:1(?:21\.(?:1(?:05\.224|36\.218)|83\.216|66\.55)|96\.96\.67)|92\.230\.227)|6\.45\.176\.153|3\.91\.196\.99|4\.23\.12\.122)|7(?:7\.(?:105\.133\.10|236\
 .64\.198)|2\.(?:52\.239\.50|21\.6\.22)|5\.126\.138\.42|9\.171\.120\.23|4\.7\.71\.220)|8(?:0\.(?:235\.105\.14|179\.155\.3)0|3\.1(?:8\.234\.166|6\.149\.50)|4\.22\.140\.186|7\.237\.233\.2|5\.21\.9\.4)|6(?:1\.100\.1(?:2\.193|4\.234)|7\.225\.17(?:7\.110|9\.86)|0\.213\.48\.250)|5(?:8\.26\.100\.250|9\.160\.177\.27))\b)/
+#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:1(?:9(?:3\.1(?:08\.38\.(?:2(?:2[89]|30)|181)|11\.156\.182|6\.45\.254)|5\.(?:2(?:38\.108\.13|2\.107\.)|189\.45\.1)1|4\.79\.21\.1(?:42|78))|2(?:1\.(?:1\.37\.14[567]|242\.109\.66)|2\.(?:183\.222\.3|252\.234\.7)4|4\.124\.(?:66\.114|44\.11)|\.191\.88\.50)|8(?:6\.24\.(?:1[6789]|2[0123])\.3|8\.128\.(?:118\.180|32\.242)|7\.7\.233\.200)|1(?:1\.224\.250\.135|4\.143\.2\.244|7\.120\.26\.18|9\.64\.100\.2)|74\.51\.89\.104)|8(?:9\.(?:2(?:5(?:1\.107\.2[0125]|\.77\.78)|06\.152\.226|1\.73\.2)|105\.128\.35)|(?:7\.226\.222\.2|3\.149\.17\.4)2|1\.(?:198\.163\.194|201\.60\.169)|4\.(?:78\.223\.130|17\.11\.114)|5\.234\.16\.24[23]|2\.144\.169\.194|6\.64\.139\.27)|2(?:1(?:7\.(?:150\.56\.133|27\.150\.198|76\.204\.62)|1\.24\.209\.253|3\.168\.32\.222|6\.230\.133\.69|2\.55\.66\.170)|0(?:0\.(?:111\.108\.154|27\.119\.130|30\.70\.202|80\.140\.61)|2\.(?:75\.37\.125|43\.181\.7)))|9(?:1\.(?:19(?:(?:3\.175\.3|7\.127\.)2|4\.235\.54)|202\.8\.38|67\.82\.32)|4\.25\
 .3\.10)|6(?:2\.(?:193\.144\.194|38\.54\.81)|0\.213\.48\.250|1\.4\.104\.38)|7(?:7\.76\.144\.110|8\.38\.132\.101)|41\.204\.190\.12)\b)/
 #describe KHOP_SC_TOP100  Relay listed in SpamCop top 100 spammer IPs
 #score    KHOP_SC_TOP100  1.4 1.3 1.8 1.7
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
@@ -95,12 +95,12 @@
 # notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
 # notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)
 
-#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:9(?:1\.(?:210\.148\.172|121\.74\.105)|5\.154\.240\.98)|1(?:24\.217\.198\.233|68\.143\.44\.181)|2(?:08\.101\.55\.162|20\.241\.246\.97)|58\.(?:120\.227\.149|248\.4\.67)|66\.46\.179\.10)\b)/
+#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:2(?:0(?:9\.94\.196\.170|0\.6\.193\.89)|17\.150\.4(?:1\.16|5\.)5)|1(?:24\.124\.43\.32|93\.227\.98\.4)|8(?:2\.114\.85\.14|3\.143\.32\.2)|9(?:3\.91\.196\.99|1\.197\.5\.1))\b)/
 #describe KHOP_SC_TOP20  Relay listed in SpamCop top 20 spammer IPs
 #score    KHOP_SC_TOP20  1.9 1.7 2.2 2.0
 # assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)
 
-#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:2(?:0(?:3\.82\.91\.10[14]|4\.200\.166\.36|1\.161\.22\.77)|1(?:(?:1\.191\.174\.14|7\.73\.31\.1)1|9\.254\.35\.45))|9(?:8\.126\.177\.8|4\.23\.25\.83)|72\.21\.6\.23)\b)/
+#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:2(?:03\.82\.91\.10[14]|17\.199\.231\.249)|19(?:3\.108\.38\.231|5\.230\.140\.18)|8(?:9\.251\.107\.3|0\.93\.126\.1)0|64\.187\.119\.9[89]|98\.126\.177\.8)\b)/
 #describe KHOP_SC_TOP10  Relay listed in SpamCop top 10 spammer IPs
 #score    KHOP_SC_TOP10  2.2 2.0 2.6 2.4
 # assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf?rev=895444&r1=895443&r2=895444&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Sun Jan  3 16:49:34 2010
@@ -14,32 +14,32 @@
 #tflags	 S25R_0 nopublish
 # still trying to figure out whether to push this or just let RDNS_NONE do it.
 
-header __S25R_1 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
+header __S25R_1 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d[^0-9. ]+\d\S*\./
 describe S25R_1 S25R: Bottom of rDNS has num, non-num, num
 meta	 S25R_1 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_1 && !(__DOS_RELAYED_EXT||__S25R_2||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
 #score	 S25R_1 0.1
 
-header __S25R_2 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d{5}/
+header __S25R_2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d{5}/
 describe S25R_2 S25R: Bottom of rDNS has 5+ digits in a row
 meta	 S25R_2 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_2 && !(__S25R_1||__S25R_3||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
 #score	 S25R_2 0.1
 
-header __S25R_3 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
+header __S25R_3 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[^. ]+\.)?\d[^. ]*\.[^. ]+\.\S+\.[a-z]/
 describe S25R_3 S25R: A low-level of rDNS starts w/ a number
 meta	 S25R_3 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_3 && !(__S25R_1||__S25R_2||__S25R_4||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
 #score	 S25R_3 0.1
 
-header __S25R_4 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
+header __S25R_4 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d-\d/
 describe S25R_4 S25R: Bottom of rDNS ends w/ num, next lvl has num-num
 meta	 S25R_4 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_4 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_5||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
 #score	 S25R_4 0.1
 
-header __S25R_5 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
+header __S25R_5 X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\d\.[^. ]*\d\.[^. ]+\.\S+\./
 describe S25R_5 S25R: rDNS has 5+ layers, bottom 2 end in numbers
 meta	 S25R_5 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_5 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_6 || __NOT_SPOOFED || __GREYLISTED)
 #score	 S25R_5 0.1
 
-header __S25R_6 X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/
+header __S25R_6 X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:dhcp|dialup|ppp|[achrsvx]?dsl)[^. ]*\d/
 describe S25R_6 S25R: rDNS looks dynamic or customer-facing
 meta	 S25R_6 __LAST_EXTERNAL_RELAY_NO_AUTH && __S25R_6 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_5 || __NOT_SPOOFED || __GREYLISTED)
 #score	 S25R_6 0.1
@@ -72,4 +72,4 @@
 # Negative look-ahead lets us ignore 3+ consecutive hex letters.
 # 4.4352/0.0163 spam/ham, 0.996 s/o @ 20091214
 # plus, lots of low-scoring spam hit.  this is a really good rule.
-header __RDNS_HEX X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/
+header __RDNS_HEX X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ .]*\d(?![0-9a-f]*[a-f]{3})[0-9a-f]{7}/