Posted to commits@spamassassin.apache.org by kh...@apache.org on 2010/01/16 01:52:11 UTC

svn commit: r899859 - /spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf

Author: khopesh
Date: Sat Jan 16 00:52:11 2010
New Revision: 899859

URL: http://svn.apache.org/viewvc?rev=899859&view=rev
Log:
still playing with my botnet beasts .. (finally) removed rdns_none, added #7

Modified:
    spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf

Modified: spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf?rev=899859&r1=899858&r2=899859&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/khopesh/20_s25r.cf Sat Jan 16 00:52:11 2010
@@ -51,22 +51,26 @@
 #tflags	 S25R	nopublish
 
 # Here it is, my full-blown poor-man's botnet
-meta	 KHOP_BOTNET_2	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || (RDNS_DYNAMIC + RDNS_NONE + __S25R_1 + __S25R_2) > 1)
+meta	 KHOP_BOTNET_2	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || (RDNS_DYNAMIC + __S25R_1 + __S25R_2) > 1)
 describe KHOP_BOTNET_2	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_2	nopublish
 
-meta	 KHOP_BOTNET_4	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || RDNS_DYNAMIC + RDNS_NONE + __S25R_1*.8 + __S25R_2*.8 > 1.7)
+meta	 KHOP_BOTNET_4	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || RDNS_DYNAMIC + __S25R_1*.8 + __S25R_2*.8 > 1.7)
 describe KHOP_BOTNET_4	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_4	nopublish
 
-meta	 KHOP_BOTNET_5	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || (RDNS_DYNAMIC + RDNS_NONE + __S25R_1 + __S25R_2 + __IP_IN_RELAY) > 1)
+meta	 KHOP_BOTNET_5	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || (RDNS_DYNAMIC + __S25R_1 + __S25R_2 + __IP_IN_RELAY) > 1)
 describe KHOP_BOTNET_5	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_5	nopublish
 
-meta	 KHOP_BOTNET_6	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || RDNS_DYNAMIC + RDNS_NONE + __S25R_1*.8 + __S25R_2*.6 + __IP_IN_RELAY*.8 > 2)
+meta	 KHOP_BOTNET_6	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_3 || __S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || RDNS_DYNAMIC + __S25R_1*.8 + __S25R_2*.6 + __IP_IN_RELAY*.8 > 2)
 describe KHOP_BOTNET_6	Relay looks like a dynamic address
 tflags	 KHOP_BOTNET_6	nopublish
 
+meta	 KHOP_BOTNET_7	__LAST_EXTERNAL_RELAY_NO_AUTH && !(__FROM_FREEMAIL || __NOT_SPOOFED || __GREYLISTED) && (__S25R_4 || __S25R_5 || __S25R_6 || __RDNS_HEX || __5_SUBDOM || __S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY > 2)
+describe KHOP_BOTNET_7	Relay looks like a dynamic address
+tflags	 KHOP_BOTNET_7	nopublish
+
 # S25R-wanted item (3.2 a, "A terminal host name includes hexadecimal number")
 # not published with S25R due to matching words like 'feed.'
 # Negative look-ahead lets us ignore 3+ consecutive hex letters.
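Review bot: With RDNS_NONE removed, the weights in KHOP_BOTNET_4 and KHOP_BOTNET_6 no longer affect the outcome. In _4, `__S25R_1*.8 + __S25R_2*.8` tops out at 1.6, so the `> 1.7` branch is now just `RDNS_DYNAMIC && (__S25R_1 || __S25R_2)`; in _6, every three-term combination exceeds 2 and no two-term one does, which is a plain count of three. If that is intended, a comment per variant would keep mass-check results readable, since all five rules share the same `describe` text, for example `# _4: arithmetic branch needs RDNS_DYNAMIC plus one of __S25R_1/__S25R_2`. This reading assumes each summand evaluates to 0 or 1; the `__S25R_*`, `RDNS_DYNAMIC` and `__IP_IN_RELAY` definitions are outside the hunk, so that should be confirmed. The new KHOP_BOTNET_7 also leaves its comparison unparenthesised inside the `||` chain, unlike _2 and _5; writing it as `(__S25R_1 + __S25R_2 + __S25R_3 + __IP_IN_RELAY) > 2` would match them.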