Posted to commits@spamassassin.apache.org by kh...@apache.org on 2010/02/06 02:08:09 UTC

svn commit: r907149 - in /spamassassin/trunk/rulesrc/sandbox/khopesh: 20_bug_6299.cf 20_khop_experimental.cf 20_khop_general.cf 20_khop_sc_bug_6114.cf 20_s25r.cf

Author: khopesh
Date: Sat Feb  6 01:08:08 2010
New Revision: 907149

URL: http://svn.apache.org/viewvc?rev=907149&view=rev
Log:
cleanup, bugfixes, tweaks, new minor experiments

Modified:
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_bug_6299.cf
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_bug_6299.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_bug_6299.cf?rev=907149&r1=907148&r2=907149&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_bug_6299.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_bug_6299.cf Sat Feb  6 01:08:08 2010
@@ -1,4 +1,4 @@
-# includes updates through 2010-01-19 (as last referenced 2010-01-21)
+# includes updates through 2010-01-19 (as last referenced 2010-02-05)
 # via http://www.iana.org/assignments/ipv4-address-space/
 # updates itemized by date at http://www.cymru.com/Documents/bogon-list.html
 header	 T_KHOP_RCVD_ILLEGAL_IP	X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?:[05]|14|23|3[1679]|4[29]|50|1(?:0[0-7]|7[679]|8[15])|2(?:2[3-9]|[3-9]\d)|\d{4,}|[3-9]\d\d)\.\d+\.\d+\.\d+ /
@@ -6,17 +6,12 @@
 header	 T_KHOP_RCVD_ILLEGAL_IP_LE	X-Spam-Relays-Untrusted =~ /^[^\]]+ (?:by|ip)=(?:[05]|14|23|3[1679]|4[29]|50|1(?:0[0-7]|7[679]|8[15])|2(?:2[3-9]|[3-5]\d)|\d{4,}|[3-9]\d\d)\.\d+\.\d+\.\d+ /
 
 # TEST-NET addresses are for documentation and examples only
-header	 RCVD_TEST_NET	X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?:192\.0\.2|198\.51\.100|203\.0\.113)\.\d+ /
+header	 RCVD_TEST_NET	X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?:192\.0\.2|198\.51\.100|203\.0\.113)\./
 describe RCVD_TEST_NET	Received: uses test IP address, violating RFC 5737
 
 # My understanding of the link-local block is that it is used by DHCP-driven
 # clients that cannot find a DHCP server, allowing local-only communications
 # (like 127/8) plus anything *directly* connected to it (that means no
 # routable addresses are available, e.g. in an ad hoc network).
-header	 RCVD_LINK_LOCAL	X-Spam-Relays-Untrusted =~ / (?:by|ip)=169\.254\.d+\.\d+ /
-describe RCVD_LINK_LOCAL	Received: uses link-local IP, violating RFC 3927
-
-# NOTE, THIS NEEDS IPv6 HELP
-header	 T_RCVD_INVALID_IP	X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?!(?:(?:1?\d?\d|2(?:[0-4]\d|5[0-4])))(\.(?:1?\d?\d|2(?:[0-4]\d|5[0-4]))){3} )\d/
-describe T_RCVD_INVALID_IP	Received: contains an invalidly formatted IP
-
+header	 RCVD_LINK_LOCAL  X-Spam-Relays-Untrusted =~ / (?:by|ip)=169\.254\./
+describe RCVD_LINK_LOCAL  Received: uses link-local IP, violating RFC 3927
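Review bot: `RCVD_TEST_NET` and `RCVD_LINK_LOCAL` match any entry in `X-Spam-Relays-Untrusted`, not only the first one, unlike `T_KHOP_RCVD_ILLEGAL_IP_LE` at the top of this hunk, which anchors with `^[^\]]+`. Entries after the first come from Received headers written outside the trusted network, so a legitimate sender's internal hop on a 169.254 address would presumably hit as well, and that hop does not by itself violate RFC 3927. Consider adding an anchored variant to compare hit rates, or a comment such as `# matches any untrusted hop, including the sender's internal ones`. The two new `RCVD_LINK_LOCAL` lines also separate the rule name with two spaces where the rest of the file uses a tab.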

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf?rev=907149&r1=907148&r2=907149&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf Sat Feb  6 01:08:08 2010
@@ -4,9 +4,9 @@
 describe MALFORMED_FREEMAIL	Bad headers on message from free email service
 #score	 MALFORMED_FREEMAIL	0.1
 
-header	 FROM_WEBSITE	From =~ m'\b(?:f|ht)tps?://[^/\@]{3,60}\.\w\w'i
+header	 FROM_WEBSITE	From =~ m'\b(?:f|ht)tps?://[^\s"</\@]{3,60}\.\w\w'i
 describe FROM_WEBSITE	Sender name appears to be a link
-header	 FROM_WWW	From:name =~ /\bwww\.[^\/\@]{3,60}\.\w\w/i
+header	 FROM_WWW	From:name =~ /\bwww\.[^\s"<\/\@]{4,60}\.\w\w/i
 describe FROM_WWW	Sender name appears to be a website
 
 header	 FROM_2_EMAILS	From =~ /([^\@]{2,}\@[^\@]{2,60}\.\w\w).*(?!\1)[^\@]{2,}\@[^\@]/
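Review bot: `FROM_WEBSITE` still tests the whole `From` header although its description says "Sender name appears to be a link", while `FROM_WWW` right below tests `From:name`. The new character class excludes whitespace, `"` and `<`, which suggests the match is meant to stay inside the display name; if so, `header FROM_WEBSITE From:name =~ ...` would state that directly. The minimum length is now `{3,60}` in one rule and `{4,60}` in the other with no comment explaining the difference; a one-line comment such as `# www. hosts need 4+ chars to skip short non-domains` (or whatever the actual reason is) would help the next editor.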
@@ -86,7 +86,11 @@
 # even today, so I'm testing it here.  The rDNS dynamic tests will likely trump.
 header SARE_RECV_SPAM_DOMN0B Received =~ /\bdynamic.hinet\.(?:com|net|org|info)/
 tflags SARE_RECV_SPAM_DOMN0B	nopublish
-header SARE_RECV_SPAM_DOMN0B2	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}\bdynamic.hinet\.(?:com|net|org|info)(?:\.tw)? /
+header SARE_RECV_SPAM_DOMN0B2	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^\] ]{0,25}\bdynamic.hinet\.(?:com|net|org|info)(?:\.tw)? /
 tflags SARE_RECV_SPAM_DOMN0B2	nopublish
-header SARE_RECV_SPAM_DOMN0B3	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}\bdynamic.hinet\.net /
+header SARE_RECV_SPAM_DOMN0B3	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^\] ]{0,25}\bdynamic.hinet\.net /
 tflags SARE_RECV_SPAM_DOMN0B3	nopublish
+
+header	 RCVD_VIA_IPV6	X-Spam-Relays-Untrusted =~ /^[^\]]+ (?:by|ip)=[^\] ]+:[^\] .]+ /
+describe RCVD_VIA_IPV6	Received by the last trusted relay via IPv6
+tflags	 RCVD_VIA_IPV6	nice
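Review bot: `RCVD_VIA_IPV6` is flagged `nice` but, unlike the three `SARE_RECV_SPAM_DOMN0B*` rules above it, carries no `nopublish`, so a ham-leaning rule that any sender with IPv6 connectivity satisfies may become eligible for promotion if sandbox rules are handled that way. While it is an experiment, `tflags RCVD_VIA_IPV6 nice nopublish` keeps it out of published sets. The pattern also accepts a colon in `by=`, whereas the description is about the connecting peer; restricting it to `ip=` would match the description. Separately, the two rewritten `SARE_RECV_SPAM_DOMN0B2`/`B3` lines keep the unescaped dot in `dynamic.hinet`, which matches any character there; `dynamic\.hinet` is presumably what is meant.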

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf?rev=907149&r1=907148&r2=907149&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_general.cf Sat Feb  6 01:08:08 2010
@@ -33,9 +33,10 @@
 
 # This doesn't fire often after greylisting ... how about w/out it?
 # renamed from KHOP_NO_FQDN
-meta	 KHOP_HELO_BOT	__HELO_NO_DOMAIN && KHOP_BOTNET_2
-describe KHOP_HELO_BOT	Suspect botnet sender claims no domain name
-tflags   KHOP_HELO_BOT	nopublish
+# this is useless -- 99% of its hits overlap HELO_NO_DOMAIN
+#meta	 KHOP_HELO_BOT	__HELO_NO_DOMAIN && KHOP_BOTNET_7
+#describe KHOP_HELO_BOT	Suspect botnet sender claims no domain name
+#tflags   KHOP_HELO_BOT	nopublish
 #score	 KHOP_HELO_BOT	0.5	# 20090603
 
 header __NAME_IS_EMAIL	From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
@@ -65,8 +66,8 @@
 describe SPOOFED_URL	Has a link whose text is a different URL
 #score	 SPOOFED_URL	2.0	# 20090408, beware of 'legit' tracking bugs
 
-uri	 __FORGED_URL_DOM_1	m'https?://[^/]{0,40}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.[^/]{5}'i
-body	 __FORGED_URL_DOM_2	m'(^|\W)https?://[\w.-]{0,40}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.[^/]{5}'i
+uri	 __FORGED_URL_DOM_1	m'https?://[^/]{0,40}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.\w[^/\s]{4}'i
+body	 __FORGED_URL_DOM_2	m'(^|\W)https?://[\w.-]{0,40}\.(?:com|org|edu|net|gov|com?\.[a-z]{2})\.\w[^/\s]{5}'i
 meta	 FORGED_URL_DOM	__FORGED_URL_DOM_1 || __FORGED_URL_DOM_2
 describe FORGED_URL_DOM	Link domain has a TLD as a subdomain
 
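Review bot: The two rewritten patterns no longer require the same tail length: `__FORGED_URL_DOM_1` ends in `\.\w[^/\s]{4}` (five characters after the dot, as before) while `__FORGED_URL_DOM_2` ends in `\.\w[^/\s]{5}` (six). Both previously used `\.[^/]{5}`, so the `{5}` in the body rule looks like it was not adjusted when `\w` was added; `\.\w[^/\s]{4}` in both would keep them aligned. If the difference is deliberate, a short comment above the pair saying why the body rule is stricter would prevent a later "fix".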

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf?rev=907149&r1=907148&r2=907149&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_sc_bug_6114.cf Sat Feb  6 01:08:08 2010
@@ -1,4 +1,4 @@
-## khop-sc-neighbors.cf	v 2010012519
+## khop-sc-neighbors.cf	v 201002520
 ## Khopesh's syndication of SpamCop's top offenders and top offending networks.
 ## 
 ## Spamassassin rules written by Adam Katz <antispamATkhopiscom>
@@ -15,11 +15,11 @@
 
 
 # http://spamcop.net/w3m?action=map;net=0;sort=spamcnt
-header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:1(?:2[23]|17)|95)(?:\.[012]?[0-9]{1,2}){3}\b)/
+header   KHOP_SC_CIDR8  Received =~ /(?-xism:\b(?:1?89|77|94)(?:\.[012]?[0-9]{1,2}){3}\b)/
 describe KHOP_SC_CIDR8  Relay listed in SpamCop top 8 IP/8 CIDRs
 score    KHOP_SC_CIDR8  0.2 0.1 0.3 0.2
 
-header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:1(?:89|90)|20[01])(?:\.[012]?[0-9]{1,2}){3}\b)/
+header   KHOP_SC_TOP_CIDR8  Received =~ /(?-xism:\b(?:9[25]|190|201)(?:\.[012]?[0-9]{1,2}){3}\b)/
 describe KHOP_SC_TOP_CIDR8  Relay listed in SpamCop top 4 IP/8 CIDRs
 score    KHOP_SC_TOP_CIDR8  0.5 0.4 0.8 0.6
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR8/detail
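Review bot: `KHOP_SC_CIDR8` and `KHOP_SC_TOP_CIDR8` carry live scores but match a bare first octet such as `89` or `201` followed by three dotted numbers anywhere in any `Received` header. That includes hops below the trust boundary, so a legitimate user whose home address falls in one of these /8 blocks would hit when submitting through their provider's relay, and it includes dotted strings that are not addresses at all. Other rules in this commit test `X-Spam-Relays-External` anchored on `^[^\]]+ ` and a named field; doing the same here with ` ip=` in place of the leading `\b` would limit the match to the relay that actually connected. The octet pattern `[012]?[0-9]{1,2}` also accepts 256 through 299. The same applies to the CIDR16, CIDR24 and TOP200 hunks further down in this file.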
@@ -33,11 +33,11 @@
 
 
 # http://www.spamcop.net/w3m?action=map;net=bmaxcnt;mask=16777215;sort=spamcnt
-header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:1(?:0\.139|7\.197)|90\.146)|222\.25[34]|59\.92)(?:\.[012]?[0-9]{1,2}){2}\b)/
+header   KHOP_SC_CIDR16  Received =~ /(?-xism:\b(?:1(?:09\.184|78\.93)|59\.9[23]|222\.253|94\.179)(?:\.[012]?[0-9]{1,2}){2}\b)/
 describe KHOP_SC_CIDR16  Relay listed in SpamCop top 12 IP/16 CIDRs
 score    KHOP_SC_CIDR16  0.6 0.5 0.9 0.75
 
-header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b1(?:2(?:3\.2(?:38?|7)|1\.247|2\.168)|90\.24)(?:\.[012]?[0-9]{1,2}){2}\b)/
+header   KHOP_SC_TOP_CIDR16  Received =~ /(?-xism:\b(?:1(?:2(?:3\.2[37]|1\.247)|90\.24)|92\.(?:47|80))(?:\.[012]?[0-9]{1,2}){2}\b)/
 describe KHOP_SC_TOP_CIDR16  Relay listed in SpamCop top 6 IP/16 CIDRs
 score    KHOP_SC_TOP_CIDR16  0.9 0.8 1.3 1.2
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP_CIDR16/detail
@@ -53,7 +53,7 @@
 
 
 # http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt
-header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:1(?:93\.108\.38|21\.1\.37)|203\.8(?:7\.178|2\.92)|89\.251\.107|93\.91\.196)\.[012]?[0-9]{1,2}\b)/
+header   KHOP_SC_CIDR24  Received =~ /(?-xism:\b(?:2(?:1(?:1\.60\.219|3\.87\.76)|21\.143\.49)|111\.224\.250|81\.192\.199|93\.91\.196)\.[012]?[0-9]{1,2}\b)/
 describe KHOP_SC_CIDR24  Relay listed in SpamCop top 12 IP/24 CIDRs
 score    KHOP_SC_CIDR24  0.9 0.8 1.3 1.2
 # http://ruleqa.spamassassin.org/week/KHOP_SC_CIDR24/detail
@@ -64,13 +64,13 @@
 #counts  KHOP_SC_CIDR24  240s/0h of 928863 corpus (899498s/29365h dos) 05/25/09
 #counts  KHOP_SC_CIDR24  0s/0h of 35258 corpus (10292s/24966h jm) 05/25/09
 
-header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:1(?:11\.224\.250|21\.54\.32)|(?:203\.82\.8|0\.0\.)0|77\.73\.139|93\.186\.96)\.[012]?[0-9]{1,2}\b)/
+header   KHOP_SC_TOP_CIDR24  Received =~ /(?-xism:\b(?:203\.82\.(?:80|92)|81\.192\.211|121\.54\.32|77\.73\.139|0\.0\.0)\.[012]?[0-9]{1,2}\b)/
 describe KHOP_SC_TOP_CIDR24  Relay listed in SpamCop top 6 IP/24 CIDRs
 score    KHOP_SC_TOP_CIDR24  1.7 1.5 1.9 1.8
 
 
 # http://www.spamcop.net/w3m?action=hoshame
-header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:0(?:2\.(?:1(?:6(?:4\.52\.100|5\.199\.21)|54\.81\.242)|(?:62\.122\.17|87\.47\.13)0|7(?:5\.37\.125|8\.103\.88)|53\.(?:80\.203|79\.74)|43\.18(?:2\.178|1\.7))|0\.(?:(?:3(?:0\.70\.20|3\.214\.)|72\.183\.5)2|(?:95\.162\.20|54\.72\.3)0|8(?:0\.140\.61|7\.103\.18)|27\.138\.74|45\.77\.158|6\.193\.89)|1\.(?:2(?:2(?:0\.232\.61|8\.3\.2)|51\.76\.132)|144\.87\.36)|3\.(?:1(?:31\.169\.166|99\.72\.228)|248\.186\.70)|9\.(?:212\.106\.145|94\.196\.170)|4\.227\.175\.236|8\.46\.105\.195|7\.57\.121\.29)|1(?:7\.(?:1(?:50\.4(?:1\.16|5\.)5|74\.229\.221|99\.231\.249)|64\.104\.107|76\.2\.129)|3\.(?:147\.118\.113|251\.134\.138|79\.125\.122)|1\.2(?:47\.239\.239|34\.93\.154|02\.2\.97)|2\.(?:55\.66\.17|63\.221\.1)0|8\.248\.5(?:1\.2|\.18)|6\.230\.133\.69|9\.252\.48\.66)|2(?:2\.(?:12(?:2\.1(?:42\.189|57\.73)|4\.198\.131)|252\.223\.2)|1\.1(?:20\.224\.1|43\.49\.2)46|0\.225\.226\.70))|1(?:2(?:2\.(?:1(?:69\.125\.35|55\.1\.174|83\.238\.9)|5(?:2\.251\.113|5\.106
 \.18)|252\.234\.74)|4\.(?:1(?:0(?:4\.1(?:02\.73|40\.82)|7\.32\.28)|24\.43\.32)|217\.216\.49)|1\.(?:1\.(?:37\.14[567]|18\.242)|52\.155\.13[03])|5\.(?:160\.72\.163|60\.164\.2)|0\.28\.78\.141|3\.49\.45\.154|\.191\.88\.50)|9(?:3\.(?:1(?:08\.38\.(?:2(?:28|35)|181)|11\.156\.182|38\.206\.228)|227\.98\.4)|5\.(?:2(?:4\.(?:209\.14|93\.252)|30\.140\.18|2\.107\.1)|189\.46\.253)|0\.(?:144\.76\.178|210\.28\.193|4\.44\.237)|4\.(?:126\.204\.31|63\.136\.18|79\.21\.147)|6\.28\.240\.2)|1(?:8\.(?:1(?:02\.131\.130|75\.6\.138)|96\.132\.174)|4\.14(?:3\.2\.244|1\.5\.3)|1\.224\.250\.13[035]|7\.121\.237\.170|0\.45\.144\.227|9\.93\.0\.211)|8(?:6\.2(?:4\.(?:1[6789]|2[0123])\.3|8\.228\.1)|9\.112\.218\.234|0\.150\.199\.56)|4(?:8\.2(?:33\.150\.147|43\.142\.24)|0\.111\.153\.4)|74\.51\.89\.104)|8(?:3\.(?:1(?:4(?:2\.111\.228|9\.17\.42)|6\.1(?:49\.50|67\.14)|3\.218\.106)|229\.208\.[25])|9\.(?:1(?:05\.128\.3[35]|89\.170\.21|90\.197\.14)|251\.107\.(?:2[125]|30))|5\.(?:2(?:1(?:7\.190\.150|9\.190\.2)|34\.177\.253
 )|118\.193\.158)|2\.1(?:9(?:3\.140\.168|2\.89\.176)|14\.73\.162)|0\.(?:93\.12(?:5\.186|4\.1)|235\.105\.140)|7\.(?:106\.60\.136|226\.222\.22)|4\.2(?:04\.136\.3|2\.63\.74))|9(?:1\.(?:1(?:21\.(?:1(?:5(?:0\.6|8\.7)0|36\.218)|26\.180|74\.105)|9(?:3\.175\.32|7\.5\.1))|(?:92\.230\.22|207\.42\.)7)|3\.(?:1(?:15\.243\.198|86\.96\.150)|91\.196\.9[19])|5\.1(?:70\.208\.114|54\.240\.98)|4\.2(?:3\.25\.83|5\.3\.10))|6(?:2\.(?:1(?:49\.(?:166\.45|226\.69)|28\.42\.5)|77\.221\.54|38\.54\.81)|(?:4\.76\.123\.9|1\.4\.104\.3)8|6\.(?:129\.72\.76|46\.179\.10)|0\.250\.102\.209|9\.174\.114\.103|7\.228\.17\.195)|7(?:8\.(?:(?:97\.11\.3|56\.5\.7)5|38\.132\.101|24\.111\.78)|7\.(?:36\.153\.21|109\.9\.10|73\.139\.2)|(?:4\.124\.198\.11|1\.40\.58\.17)0|9\.140\.172\.46)|5(?:8\.(?:1(?:20\.227\.149|8\.38\.235)|68\.66\.25[012]|248\.4\.67)|9\.163\.26\.211)|41\.204\.190\.12)\b)/
+header   KHOP_SC_TOP200  Received =~ /(?-xism:\b(?:2(?:0(?:2\.(?:1(?:6(?:4\.52\.100|5\.199\.27)|5(?:2\.42|4\.81)\.242|29\.196\.210|42\.153\.21)|4(?:3\.18(?:2\.178|1\.7)|1\.92\.146)|7(?:4\.171\.214|5\.62\.10)|53\.(?:80\.203|79\.74)|62\.122\.118|39\.48\.221|87\.47\.130)|0\.(?:(?:95\.162\.20|54\.72\.3)0|8(?:0\.140\.61|7\.116\.58)|3(?:5\.38\.129|3\.214\.2)|234\.200\.93|49\.183\.202|74\.158\.135|6\.193\.89)|1\.(?:2(?:2(?:0\.232\.61|8\.3\.2)|34\.147\.213|51\.76\.132)|116\.36\.98)|8\.(?:101\.(?:55\.162|61\.60)|46\.105\.195|70\.160\.8)|3\.1(?:76\.142\.137|99\.72\.228)|9\.(?:216\.227\.33|94\.196\.170)|7\.(?:248\.35\.244|57\.90\.161))|1(?:7\.(?:1(?:9(?:8\.160\.218|9\.231\.249)|50\.4(?:1\.16|5\.)5|74\.229\.221|69\.219\.20)|64\.104\.107|76\.2\.129)|1\.(?:2(?:4(?:7\.239\.239|1\.111\.3)|34\.93\.154|02\.2\.97)|(?:105\.37\.5|43\.80\.24)8|60\.219\.183)|2\.(?:1(?:7(?:5\.53\.118|9\.75\.114)|54\.58\.90)|63\.221\.10)|3\.2(?:51\.1(?:34\.138|69\.132)|26\.144\.65)|8\.(?:248\.11\.69|38\.12\.246)|6\.
 230\.133\.69|9\.95\.129\.206|0\.5\.68\.20)|2(?:2\.(?:124\.198\.131|237\.78\.177)|0\.22(?:7\.154\.244|5\.226\.70)|1\.143\.49\.246))|1(?:9(?:0\.(?:1(?:5(?:6\.232\.132|8\.228\.179|9\.90\.201)|46\.1\.28)|2(?:10\.28\.193|08\.36\.90)|9(?:6\.68\.17|2\.26\.)9|4\.44\.237)|5\.(?:2(?:4\.(?:209\.14|93\.252)|30\.140\.18|2\.107\.1)|1(?:89\.46\.253|28\.56\.20)|95\.223\.25|88\.93\.92)|6\.(?:2(?:20\.57\.60|8\.240\.2)|12\.22(?:6\.220|8\.119))|4\.(?:126\.204\.31|63\.136\.18)|3\.(?:106\.64\.36|227\.98\.4))|2(?:2\.(?:1(?:83\.212\.113|69\.125\.35|55\.1\.174)|252\.234\.74|55\.106\.18)|1\.(?:1\.(?:37\.14[567]|18\.242)|5(?:2\.155\.13|8\.193\.)3)|5\.(?:2(?:35\.128\.246|12\.67\.102)|60\.164\.[25])|3\.(?:237\.123\.193|49\.45\.154)|4\.124\.4(?:3\.32|4\.10)|\.191\.88\.50)|1(?:6\.(?:50\.1(?:54\.130|75\.101)|118\.107\.[34])|0\.(?:139\.148\.109|45\.144\.227)|4\.14(?:3\.230\.162|1\.5\.3)|3\.1(?:62\.70\.74|9\.94\.2)|1\.224\.250\.13[025]|8\.102\.131\.130|5\.133\.151\.85|9\.226\.23\.8)|8(?:6\.2(?:4\.(?:1[6789]|
 2[0123])\.3|8\.228\.1)|9\.182\.132\.168)|57\.100\.228\.178|40\.111\.153\.4)|6(?:1\.(?:1(?:2\.62\.234|7\.76\.197)|9(?:7\.32\.104|\.6\.245)|4\.104\.38)|2\.(?:14(?:9\.(?:166\.45|226\.69)|2\.11\.3)|77\.221\.54|38\.54\.81)|6\.(?:2(?:3(?:1\.167\.70|5\.160\.11)|42\.21\.64)|46\.179\.10)|0\.25(?:0\.102\.209|4\.104\.18)|4\.76\.123\.98)|8(?:0\.(?:93\.12(?:5\.186|4\.1)|82\.181\.20|237\.31\.1)|5\.(?:11(?:8\.193\.158|3\.203\.82)|235\.164\.166)|3\.1(?:70\.123\.102|3\.218\.106|6\.167\.14)|(?:9\.121\.245\.19|7\.204\.24\.10)0|4\.22\.63\.74)|9(?:1\.121\.1(?:5(?:0\.6|8\.7)|71\.3)0|3\.(?:91\.196\.9[19]|62\.200\.26)|5\.1(?:70\.208\.114|54\.240\.98)|4\.(?:153\.224\.26|23\.37\.55))|7(?:7\.(?:73\.139\.(?:2(?:43)?|3)|246\.179\.13|36\.153\.21)|(?:9\.174\.66\.7|8\.97\.11\.3)5|5\.126\.213\.58)|5(?:8\.(?:6(?:8\.66\.25[012]|9\.225\.234)|248\.4\.67)|9\.163\.26\.211))\b)/
 describe KHOP_SC_TOP200  Relay listed in SpamCop top 200 spammer IPs
 score    KHOP_SC_TOP200  3.4 3.2 3.7 3.5
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP200/detail
@@ -81,7 +81,7 @@
 #counts  KHOP_SC_TOP200  1s/0h of 35244 corpus (10278s/24966h jm) 05/25/09
 # assumed overlap: 98+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)
 
-#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:2(?:0(?:2\.(?:7(?:5\.37\.125|8\.103\.88)|43\.18(?:2\.178|1\.7)|165\.199\.21|87\.47\.130)|0\.(?:27\.138\.74|30\.70\.202|80\.140\.61|54\.72\.30)|1\.2(?:51\.76\.13|28\.3\.)2|4\.227\.175\.236|3\.199\.72\.228|8\.46\.105\.195|7\.57\.121\.29)|1(?:7\.(?:1(?:50\.4(?:1\.16|5\.)5|99\.231\.249)|76\.2\.129)|1\.2(?:47\.239\.239|34\.93\.154)|3\.251\.134\.138|6\.230\.133\.69|2\.55\.66\.170)|22\.12(?:2\.142\.189|4\.198\.131))|1(?:2(?:2\.(?:252\.234\.74|55\.106\.18)|1\.1\.37\.14[567]|0\.28\.78\.141|3\.49\.45\.154|4\.124\.43\.32|\.191\.88\.50)|9(?:5\.(?:2(?:4\.93\.252|2\.107\.1)|189\.46\.253)|4\.63\.136\.18|3\.227\.98\.4)|8(?:6\.2(?:4\.(?:1[6789]|2[0123])\.3|8\.228\.1)|9\.112\.218\.234)|(?:4(?:8\.243\.142\.2|0\.111\.153\.)|74\.51\.89\.10)4)|8(?:7\.(?:106\.60\.136|226\.222\.22)|3\.16\.1(?:49\.50|67\.14)|9\.251\.107\.(?:21|30)|0\.235\.105\.140|4\.204\.136\.3|5\.219\.190\.2)|9(?:1\.(?:1(?:21\.(?:15(?:0\.6|8\.7)0|74\.105)|97\.5\.1)|92\.230\.227)|
 5\.154\.240\.98|3\.91\.196\.91)|6(?:2\.(?:77\.221\.54|128\.42\.5|38\.54\.81)|6\.(?:129\.72\.76|46\.179\.10)|7\.228\.17\.195)|7(?:(?:8\.38\.132\.10|7\.36\.153\.2)1|4\.124\.198\.110)|41\.204\.190\.12)\b)/
+#header   KHOP_SC_TOP100  Received =~ /(?-xism:\b(?:1(?:9(?:5\.(?:1(?:89\.46\.253|28\.56\.20)|2(?:30\.140\.18|4\.93\.252))|0\.(?:208\.36\.90|96\.68\.179|146\.1\.28|4\.44\.237)|6\.(?:12\.228\.119|28\.240\.2)|4\.63\.136\.18|3\.227\.98\.4)|2(?:(?:5\.(?:212\.67\.10|60\.164\.)|4\.124\.43\.3)2|1\.(?:1\.(?:37\.14[567]|18\.242)|58\.193\.3)|2\.(?:155\.1\.174|55\.106\.18)|3\.49\.45\.154|\.191\.88\.50)|1(?:1\.224\.250\.13[025]|6\.50\.154\.130|9\.226\.23\.8)|86\.24\.(?:1[6789]|2[0123])\.3|40\.111\.153\.4)|2(?:0(?:2\.(?:4(?:1\.92\.146|3\.181\.7)|15(?:2\.42|4\.81)\.242|62\.122\.118|74\.171\.214|87\.47\.130)|0\.(?:234\.200\.93|80\.140\.61|33\.214\.2|54\.72\.30)|8\.(?:101\.55\.162|46\.105\.195)|9\.(?:216\.227\.33|94\.196\.170)|1\.220\.232\.61|3\.199\.72\.228)|1(?:(?:1\.247\.239\.23|6\.230\.133\.6)9|7\.(?:174\.229\.221|76\.2\.129)|2\.1(?:75\.53\.118|54\.58\.90)|3\.251\.134\.138)|22\.(?:124\.198\.131|237\.78\.177))|6(?:1\.(?:9(?:7\.32\.104|\.6\.245)|4\.104\.38)|6\.(?:235\.160\.11|46\.179\.10)
 |2\.38\.54\.81)|8(?:(?:3\.16\.167\.1|4\.22\.63\.7)4|5\.118\.193\.158|0\.93\.124\.1)|9(?:1\.121\.150\.60|5\.154\.240\.98|3\.91\.196\.91|4\.23\.37\.55)|(?:59\.163\.26\.21|77\.36\.153\.2)1)\b)/
 #describe KHOP_SC_TOP100  Relay listed in SpamCop top 100 spammer IPs
 #score    KHOP_SC_TOP100  1.4 1.3 1.8 1.7
 # http://ruleqa.spamassassin.org/week/KHOP_SC_TOP100/detail
@@ -95,12 +95,12 @@
 # notable overlap: 98% of hits also hit RCVD_IN_XBL (3.033)
 # notable overlap: 80% of hits also hit RCVD_IN_SORBS_WEB (0.619)
 
-#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:2(?:0(?:9\.94\.196\.170|0\.6\.193\.89)|12\.63\.221\.10)|1(?:11\.224\.250\.13[35]|95\.230\.140\.18)|89\.190\.197\.14|58\.248\.4\.67|77\.73\.139\.2|94\.23\.25\.83)\b)/
+#header   KHOP_SC_TOP20  Received =~ /(?-xism:\b(?:2(?:0(?:1\.251\.76\.132|2\.39\.48\.221|0\.6\.193\.89)|1(?:1\.2(?:41\.111\.3|02\.2\.97)|7\.169\.219\.20))|9(?:1\.121\.158\.70|3\.91\.196\.99)|60\.250\.102\.209|77\.246\.179\.13)\b)/
 #describe KHOP_SC_TOP20  Relay listed in SpamCop top 20 spammer IPs
 #score    KHOP_SC_TOP20  1.9 1.7 2.2 2.0
 # assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)
 
-#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:11(?:1\.224\.250\.130|0\.45\.144\.227|4\.141\.5\.3)|(?:221\.143\.49\.24|82\.192\.89\.17)6|93\.(?:186\.96\.150|91\.196\.99)|62\.149\.(?:166\.45|226\.69)|58\.120\.227\.149)\b)/
+#header   KHOP_SC_TOP10  Received =~ /(?-xism:\b(?:2(?:1(?:1\.(?:234\.93\.154|60\.219\.183)|2\.63\.221\.10)|21\.143\.49\.246|07\.57\.90\.161)|11(?:0\.45\.144\.227|4\.141\.5\.3)|62\.149\.(?:166\.45|226\.69)|77\.73\.139\.2)\b)/
 #describe KHOP_SC_TOP10  Relay listed in SpamCop top 10 spammer IPs
 #score    KHOP_SC_TOP10  2.2 2.0 2.6 2.4
 # assumed overlap: 99+% of hits also hit RCVD_IN_BL_SPAMCOP_NET (1.960)

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf?rev=907149&r1=907148&r2=907149&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Sat Feb  6 01:08:08 2010
@@ -51,26 +51,18 @@
 #tflags	 S25R	nopublish
 
 # Here it is, my full-blown poor-man's botnet
-meta	 KHOP_BOTNET_2	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || (RDNS_DYNAMIC + __S25R_1 + __S25R_2) > 1)
-describe KHOP_BOTNET_2	Relay looks like a dynamic address
-tflags	 KHOP_BOTNET_2	nopublish
-
 meta	 KHOP_BOTNET_4	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || RDNS_DYNAMIC + __S25R_1*.8 + __S25R_2*.8 > 1.7)
 describe KHOP_BOTNET_4	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_4	nopublish
 
-meta	 KHOP_BOTNET_5	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || (RDNS_DYNAMIC + __S25R_1 + __S25R_2 + __IP_IN_RELAY) > 1)
-describe KHOP_BOTNET_5	Relay looks like a dynamic address
-tflags	 KHOP_BOTNET_5	nopublish
-
-meta	 KHOP_BOTNET_6	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || RDNS_DYNAMIC + __S25R_1*.8 + __S25R_2*.6 + __IP_IN_RELAY*.8 > 2)
-describe KHOP_BOTNET_6	Relay looks like a dynamic address
-tflags	 KHOP_BOTNET_6	nopublish
-
 meta	 KHOP_BOTNET_7	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2)
 describe KHOP_BOTNET_7	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_7	nopublish
 
+meta	 KHOP_BOTNET_UNCLEAN	__LAST_EXTERNAL_RELAY_NO_AUTH && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2)
+describe KHOP_BOTNET_UNCLEAN	Relay looks like a dynamic address
+tflags	 KHOP_BOTNET_UNCLEAN	nopublish
+
 # S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
 # not published with S25R due to matching words like 'feed.'
 # Negative look-ahead lets us ignore 3+ consecutive hex letters.
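Review bot: `KHOP_BOTNET_UNCLEAN` has no comment and reuses the description "Relay looks like a dynamic address" that `KHOP_BOTNET_4` and `KHOP_BOTNET_7` already carry, so the three are indistinguishable in reports. From the expression it is `KHOP_BOTNET_7` with the `!(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED)` exclusion dropped; a line such as `# KHOP_BOTNET_7 without the freemail/not-spoofed/greylisted exclusion` above it, plus a distinct description, would record that. Because the relay sub-expression is now duplicated verbatim in two metas, a later tweak to one can silently diverge from the other; a shared `__`-prefixed meta holding that sub-expression would avoid this.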