--- spamassassin/lib/Mail/SpamAssassin/Conf.pm 2003-12-17 16:06:29.000000000 +0100
+++ spamassassin/lib/Mail/SpamAssassin/Conf.pm 2004-01-20 23:57:19.000000000 +0100
@@ -107,6 +107,10 @@
 use constant TYPE_URI_EVALS => 0x0011;
 use constant TYPE_META_TESTS => 0x0012;
 use constant TYPE_RBL_EVALS => 0x0013;
+use constant TYPE_URIIP_TESTS => 0x0014;
+use constant TYPE_URIIP_EVALS => 0x0015;
+use constant TYPE_URIIP_RBL_TESTS => 0x0016;
+use constant TYPE_URIIP_RBL_EVALS => 0x0017;
 $VERSION = 'bogus'; # avoid CPAN.pm picking up version strings later
@@ -2121,6 +2125,19 @@
 next;
 }
+# URI IP addresses
+ if (/^uriip\s+(\S+)\s+(?:rbl)?eval:(.*)$/) {
+ my ($name, $fn) = ($1, $2);
+
+ if ($fn =~ /^check_uriip_rbl/) {
+ $self->add_test ($name, $fn, TYPE_URIIP_RBL_EVALS);
+ }
+# else {
+# $self->add_test ($name, $fn, TYPE_URIIP_EVALS);
+# }
+ next;
+ }
+
 =item rawbody SYMBOLIC_TEST_NAME /pattern/modifiers
 Define a raw-body pattern test. C is a Perl regular expression.
@@ -2633,6 +2650,9 @@
 elsif ($type == TYPE_RBL_EVALS) {
 $self->{rbl_evals}->{$name} = \@args;
 }
+ elsif ($type == TYPE_URIIP_RBL_EVALS) {
+ $self->{uriip_rbl_evals}->{$name} = \@args;
+ }
 elsif ($type == TYPE_RAWBODY_EVALS) {
 $self->{rawbody_evals}->{$name} = \@args;
 }
--- spamassassin/lib/Mail/SpamAssassin/EvalTests.pm 2003-12-17 09:09:00.000000000 +0100
+++ spamassassin/lib/Mail/SpamAssassin/EvalTests.pm 2004-01-20 23:57:19.000000000 +0100
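Review bot: In the Conf.pm hunk at -2121, a `uriip` line whose function is anything other than `check_uriip_rbl...` is consumed by `next` without registering a test or reporting anything, because the `else` branch is commented out; a typo in a rules file therefore yields a rule that silently never fires. I would emit a diagnostic in that branch, e.g. `else { warn "uriip: unsupported eval function '$fn' in rule $name\n"; }`, and tighten the name check to `/^check_uriip_rbl\b/` so longer names sharing the prefix are not accepted. Related to this, the constants hunk at -107 adds `TYPE_URIIP_TESTS`, `TYPE_URIIP_EVALS` and `TYPE_URIIP_RBL_TESTS`, none of which is referenced by code in this patch. The new directive also has no `=item uriip` POD entry, unlike the `rawbody` directive that follows it. The enclosing parse loop starts and ends outside the hunk.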
@@ -1329,6 +1329,18 @@
 $self->check_rbl_backend($rule, $set, $rbl_server, 'TXT', $subtest);
 }
+sub check_uriip_rbl {
+ my ($self, $rule, $set, $rbl_server, $subtest) = @_;
+ my @ips = @{$self->{uriips}};
+ eval {
+ foreach my $ip (@ips) {
+ next unless ($ip =~ /(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/);
+ $self->do_rbl_lookup($rule, $set, 'A', $rbl_server,
+ "$4.$3.$2.$1.$rbl_server", $subtest);
+ }
+ };
+}
+
 # run for first message
 sub check_rbl_sub {
 my ($self, $rule, $set, $subtest) = @_;
--- spamassassin/lib/Mail/SpamAssassin/PerMsgStatus.pm 2003-12-17 16:06:29.000000000 +0100
+++ spamassassin/lib/Mail/SpamAssassin/PerMsgStatus.pm 2004-01-20 23:57:19.000000000 +0100
@@ -122,6 +122,9 @@
 $self->{conf}->set_score_set ($set|2);
 }
+ # IPs of spamvertised URIs
+ $self->{uriips} = [ ];
+
 # pre-chew Received headers
 $self->parse_received_headers();
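Review bot: In `check_uriip_rbl` (EvalTests.pm hunk at -1329) the inner `eval { ... };` discards `$@`, so a failure inside `do_rbl_lookup` never reaches the `if ($@)` handler in `do_body_uriip_tests` that logs it and counts `rule_errors`; the block should either be removed or followed by `warn "check_uriip_rbl: $@" if $@;`. The address pattern is also unanchored and does not bound the octets, so any string that merely contains four dotted digit groups becomes a DNSBL query name; `next unless ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);` plus a `<= 255` check on each octet would keep malformed resolver output out of the query. `@{$self->{uriips}}` can hold the same address many times when several URIs share a host, and each copy is looked up again unless `do_rbl_lookup` (not shown here) de-duplicates.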
@@ -1743,12 +1746,67 @@
 return @{$self->{uri_list}};
 }
+sub do_resolve_uri {
+ my ($self, $uri) = @_;
+ my @ips = ();
+
+ $uri =~ s/^http:\/\///;
+ $uri =~ s/^mailto:\/\///;
+ $uri =~ s/\/.*$//;
+ $uri =~ s/^.*\@//;
+
+ @ips = $self->lookup_all_ips($uri);
+
+ return @ips;
+}
+
+sub do_body_uriip_tests {
+ my ($self, @ips) = @_;
+ local ($_);
+
+ dbg ("running uriip tests; score so far=".$self->{hits});
+ foreach my $ip (@ips) {
+ dbg ("Testing spamvertised IP '$ip'");
+ push(@{$self->{uriips}}, $ip);
+ }
+
+ my $evalhash = $self->{conf}->{uriip_rbl_evals};
+ my ($rulename, @args);
+ my $debugenabled = $Mail::SpamAssassin::DEBUG->{enabled};
+
+ while (my ($rulename, $test) = each %{$evalhash}) {
+ my $score = $self->{conf}->{scores}->{$rulename};
+ next unless $score;
+
+ $self->{test_log_msgs} = ();
+
+ my ($function, @args) = @{$test};
+ my $result;
+ eval {
+ $result = $self->$function($rulename, @args);
+ };
+
+ if ($@) {
+ warn "Failed to run $rulename URIIP RBL SpamAssassin test, skipping:\n".
+ "\t($@)\n";
+ $self->{rule_errors}++;
+ next;
+ }
+ }
+}
+
 sub do_body_uri_tests {
 my ($self, $textary) = @_;
 local ($_);
 dbg ("running uri tests; score so far=".$self->{hits});
 my @uris = $self->get_uri_list();
+ my @ips = ();
+
+ foreach my $uri (@uris) {
+ push (@ips, $self->do_resolve_uri($uri));
+ }
+ $self->do_body_uriip_tests(@ips);
 my $doing_user_rules = $self->{conf}->{user_rules_to_compile}->{Mail::SpamAssassin::Conf::TYPE_URI_TESTS};
@@ -2166,7 +2224,6 @@
 $self->{test_log_msgs} = (); # clear test state
 my ($function, @args) = @{$test};
- my $result;
 eval {
 $result = $self->$function($rulename, @args);
--- spamassassin/rules/20_uriip_tests.cf 1970-01-01 01:00:00.000000000 +0100
+++ spamassassin/rules/20_uriip_tests.cf 2004-01-20 23:58:36.000000000 +0100
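Review bot: `do_body_uri_tests` (PerMsgStatus.pm hunk at -1743) resolves the host of every URI in the message before it knows whether any `uriip` rule is scored, and nothing in the hunk checks that network tests are allowed, so the sender decides how many DNS lookups a message costs and, through hostnames in a zone they operate, can learn that the message was scanned. The rewrite below skips resolution when no `uriip_rbl_evals` rule has a non-zero score and resolves each distinct URI once; a cap on hosts per message and the local-only guard used by the existing RBL tests (not visible in this patch) should be added alongside. `do_resolve_uri` strips only a lower-case `http://` prefix, so `https://` and upper-case schemes collapse to a scheme fragment, and `:port` suffixes or `?query` strings without a path are handed to `lookup_all_ips` as part of the name; those links are effectively never checked, and the rewritten substitutions handle them. The later hunk at -2166 removes `my $result;` although the `eval` below it still assigns `$result`; if the file runs under `use strict` that needs a declaration elsewhere in the enclosing sub, which the hunk does not show.

```perl
sub do_resolve_uri {
  my ($self, $uri) = @_;

  $uri =~ s/^[a-z][a-z0-9+.\-]*:\/\///i;   # any scheme://, case-insensitive
  $uri =~ s/^mailto://i;                   # mailto: carries no "//"
  $uri =~ s/[\/?#].*$//;                   # drop path, query and fragment
  $uri =~ s/^.*\@//;                       # drop userinfo / local part
  $uri =~ s/:\d+$//;                       # drop port
  return () unless length $uri;

  return $self->lookup_all_ips($uri);
}

# ... unchanged: do_body_uriip_tests ...

  my @uris = $self->get_uri_list();

  # Resolve only if at least one uriip rule is scored; resolve each URI once.
  my $conf = $self->{conf};
  if (grep { $conf->{scores}->{$_} } keys %{ $conf->{uriip_rbl_evals} || {} }) {
    my (%seen_uri, %seen_ip);
    my @ips = grep { !$seen_ip{$_}++ }
              map  { $self->do_resolve_uri($_) }
              grep { !$seen_uri{$_}++ } @uris;
    $self->do_body_uriip_tests(@ips);
  }
```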
@@ -0,0 +1,196 @@
+# SpamAssassin rules file: RBL tests of spamvertised IPs
+#
+# Please don't modify this file as your changes will be overwritten with
+# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
+# See 'perldoc Mail::SpamAssassin::Conf' for details.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of either the Artistic License or the GNU General
+# Public License as published by the Free Software Foundation; either
+# version 1 of the License, or (at your option) any later version.
+#
+# See the file "License" in the top level of the SpamAssassin source
+# distribution for more details.
+#
+###########################################################################
+
+require_version @@VERSION@@
+
+# Don't activate too many of these rulesets, as the number of DNS
+# queries per email will become very high!
+
+### Spamvertised sites listed on "common" DNSBLs ###
+#
+# Spamhaus Block List
+#
+uriip HOSTED_SBL eval:check_uriip_rbl('sbl', 'sbl.spamhaus.org.')
+describe HOSTED_SBL URL ist hosted at a site listed in the Spamhaus Block List.
+tflags HOSTED_SBL net
+
+# Spam Prevention Early Warning System
+#
+uriip HOSTED_SPEWS_L1 eval:check_uriip_rbl('spews', 'l1.spews.dnsbl.sorbs.net.')
+describe HOSTED_SPEWS_L1 URL ist hosted at a site listed in the SPEWS (Level 1) blacklist.
+tflags HOSTED_SPEWS_L1 net
+#
+uriip HOSTED_SPEWS_L2 eval:check_uriip_rbl('spews', 'l2.spews.dnsbl.sorbs.net.')
+describe HOSTED_SPEWS_L2 URL ist hosted at a site listed in the SPEWS (Level 2) blacklist.
+tflags HOSTED_SPEWS_L2 net
+
+
+# Habeas(TM) violators blacklist
+#
+uriip HOSTED_HABEAS_VIOLATOR eval:check_uriip_rbl('hil', 'sa-hil.habeas.com.')
+describe HOSTED_HABEAS_VIOLATOR Uses a URL whose IP has been caught as Habeas violator
+tflags HOSTED_HABEAS_VIOLATOR net
+
+
+### ISPs known to tolerate spamvertised sites ###
+#
+#uriip HOSTED_AT_ABOVE eval:check_uriip_rbl('above', 'above.blackholes.us.')
+#describe HOSTED_AT_ABOVE Uses a URL hosted at AboveNet
+#tflags HOSTED_AT_ABOVE net
+
+#uriip HOSTED_AT_ATT eval:check_uriip_rbl('att', 'att.blackholes.us.')
+#describe HOSTED_AT_ATT Uses a URL hosted at AT&T
+#tflags HOSTED_AT_ATT net
+
+#uriip HOSTED_AT_BELLSOUTH eval:check_uriip_rbl('bellsouth', 'bellsouth.blackholes.us.')
+#describe HOSTED_AT_BELLSOUTH Uses a URL hosted at Bellsouth
+#tflags HOSTED_AT_BELLSOUTH net
+
+uriip HOSTED_AT_CHINANET eval:check_uriip_rbl('chinanet', 'chinanet.blackholes.us.')
+describe HOSTED_AT_CHINANET Uses a URL hosted at Chinanet
+tflags HOSTED_AT_CHINANET net
+
+#uriip HOSTED_AT_CIBERLYNX eval:check_uriip_rbl('ciberlynx', 'ciberlynx.blackholes.us.')
+#describe HOSTED_AT_CIBERLYNX Uses a URL hosted at Ciberlynx
+#tflags HOSTED_AT_CIBERLYNX net
+
+#uriip HOSTED_AT_COGENTCO eval:check_uriip_rbl('cogentco', 'cogentco.blackholes.us.')
+#describe HOSTED_AT_COGENTCO Uses a URL hosted at Cogent
+#tflags HOSTED_AT_COGENTCO net
+
+#uriip HOSTED_AT_COMCAST eval:check_uriip_rbl('comcast', 'comcast.blackholes.us.')
+#describe HOSTED_AT_COMCAST Uses a URL hosted at Comcast
+#tflags HOSTED_AT_COMCAST net
+
+#uriip HOSTED_AT_COVAD eval:check_uriip_rbl('covad', 'covad.blackholes.us.')
+#describe HOSTED_AT_COVAD Uses a URL hosted at Covad
+#tflags HOSTED_AT_COVAD net
+
+#uriip HOSTED_AT_CW eval:check_uriip_rbl('cw', 'cw.blackholes.us.')
+#describe HOSTED_AT_CW Uses a URL hosted at Cable & Wireless
+#tflags HOSTED_AT_CW net
+
+#uriip HOSTED_AT_HE eval:check_uriip_rbl('he', 'he.blackholes.us.')
+#describe HOSTED_AT_HE Uses a URL hosted at HE.net
+#tflags HOSTED_AT_HE net
+
+#uriip HOSTED_AT_HOSTCENTRIC eval:check_uriip_rbl('hostcentric', 'hostcentric.blackholes.us.')
+#describe HOSTED_AT_HOSTCENTRIC Uses a URL hosted at Hostcentric
+#tflags HOSTED_AT_HOSTCENTRIC net
+
+#uriip HOSTED_AT_INTERBUSINESS eval:check_uriip_rbl('interbusiness', 'interbusiness.blackholes.us.')
+#describe HOSTED_AT_INTERBUSINESS Uses a URL hosted at Interbusiness
+#tflags HOSTED_AT_INTERBUSINESS net
+
+#uriip HOSTED_AT_INTERNAP eval:check_uriip_rbl('internap', 'internap.blackholes.us.')
+#describe HOSTED_AT_INTERNAP Uses a URL hosted at Internap
+#tflags HOSTED_AT_INTERNAP net
+
+#uriip HOSTED_AT_LEVEL3 eval:check_uriip_rbl('level3', 'level3.blackholes.us.')
+#describe HOSTED_AT_LEVEL3 Uses a URL hosted at Level3
+#tflags HOSTED_AT_LEVEL3 net
+
+#uriip HOSTED_AT_QWEST eval:check_uriip_rbl('qwest', 'qwest.blackholes.us.')
+#describe HOSTED_AT_QWEST Uses a URL hosted at QWest
+#tflags HOSTED_AT_QWEST net
+
+#uriip HOSTED_AT_RACKSPACE eval:check_uriip_rbl('rackspace', 'rackspace.blackholes.us.')
+#describe HOSTED_AT_RACKSPACE Uses a URL hosted at Rackspace
+#tflags HOSTED_AT_RACKSPACE net
+
+#uriip HOSTED_AT_ROGERS eval:check_uriip_rbl('rogers', 'rogers.blackholes.us.')
+#describe HOSTED_AT_ROGERS Uses a URL hosted at Rogers
+#tflags HOSTED_AT_ROGERS net
+
+#uriip HOSTED_AT_RR eval:check_uriip_rbl('rr', 'rr.blackholes.us.')
+#describe HOSTED_AT_RR Uses a URL hosted at RoadRunner
+#tflags HOSTED_AT_RR net
+
+#uriip HOSTED_AT_SERVEPATH eval:check_uriip_rbl('servepath', 'servepath.blackholes.us.')
+#describe HOSTED_AT_SERVEPATH Uses a URL hosted at ServePath
+#tflags HOSTED_AT_SERVEPATH net
+
+#uriip HOSTED_AT_SPRINT eval:check_uriip_rbl('sprint', 'sprint.blackholes.us.')
+#describe HOSTED_AT_SPRINT Uses a URL hosted at Sprint
+#tflags HOSTED_AT_SPRINT net
+
+#uriip HOSTED_AT_TELUS eval:check_uriip_rbl('telus', 'telus.blackholes.us.')
+#describe HOSTED_AT_TELUS Uses a URL hosted at Telus
+#tflags HOSTED_AT_TELUS net
+
+#uriip HOSTED_AT_VALUENET eval:check_uriip_rbl('valuenet', 'valuenet.blackholes.us.')
+#describe HOSTED_AT_VALUENET Uses a URL hosted at ValueNet
+#tflags HOSTED_AT_VALUENET net
+
+uriip HOSTED_AT_VERIO eval:check_uriip_rbl('verio', 'verio.blackholes.us.')
+describe HOSTED_AT_VERIO Uses a URL hosted at Verio
+tflags HOSTED_AT_VERIO net
+
+#uriip HOSTED_AT_VERIZON eval:check_uriip_rbl('verizon', 'verizon.blackholes.us.')
+#describe HOSTED_AT_VERIZON Uses a URL hosted at Verizon
+#tflags HOSTED_AT_VERIZON net
+
+#uriip HOSTED_AT_WANADOOFR eval:check_uriip_rbl('wanadoo-fr', 'wanadoo-fr.blackholes.us.')
+#describe HOSTED_AT_WANADOOFR Uses a URL hosted at Wanadoo France
+#tflags HOSTED_AT_WANADOOFR net
+
+#uriip HOSTED_AT_XO eval:check_uriip_rbl('xo', 'xo.blackholes.us.')
+#describe HOSTED_AT_XO Uses a URL hosted at XO.com
+#tflags HOSTED_AT_XO net
+
+
+### Countries with severe spam problems ###
+#
+#uriip HOSTED_IN_ARGENTINA eval:check_uriip_rbl('argentina', 'argentina.blackholes.us.')
+#describe HOSTED_IN_ARGENTINA Uses a URL hosted in Argentina
+#tflags HOSTED_IN_ARGENTINA net
+
+#uriip HOSTED_IN_BRAZIL eval:check_uriip_rbl('brazil', 'brazil.blackholes.us.')
+#describe HOSTED_IN_BRAZIL Uses a URL hosted in Brazil
+#tflags HOSTED_IN_BRAZIL net
+
+uriip HOSTED_IN_CHINA eval:check_uriip_rbl('china', 'china.blackholes.us.')
+describe HOSTED_IN_CHINA Uses a URL hosted in China
+tflags HOSTED_IN_CHINA net
+
+uriip HOSTED_IN_KOREA eval:check_uriip_rbl('korea', 'korea.blackholes.us.')
+describe HOSTED_IN_KOREA Uses a URL hosted in Korea
+tflags HOSTED_IN_KOREA net
+
+#uriip HOSTED_IN_MALAYSIA eval:check_uriip_rbl('malaysia', 'malaysia.blackholes.us.')
+#describe HOSTED_IN_MALAYSIA Uses a URL hosted in Malaysia
+#tflags HOSTED_IN_MALAYSIA net
+
+#uriip HOSTED_IN_NIGERIA eval:check_uriip_rbl('nigeria', 'nigeria.blackholes.us.')
+#describe HOSTED_IN_NIGERIA Uses a URL hosted in Nigeria
+#tflags HOSTED_IN_NIGERIA net
+
+uriip HOSTED_IN_RUSSIA eval:check_uriip_rbl('russia', 'russia.blackholes.us.')
+describe HOSTED_IN_RUSSIA Uses a URL hosted in Russia
+tflags HOSTED_IN_RUSSIA net
+
+#uriip HOSTED_IN_SINGAPORE eval:check_uriip_rbl('singapore', 'singapore.blackholes.us.')
+#describe HOSTED_IN_SINGAPORE Uses a URL hosted in Singapore
+#tflags HOSTED_IN_SINGAPORE net
+
+#uriip HOSTED_IN_TAIWAN eval:check_uriip_rbl('taiwan', 'taiwan.blackholes.us.')
+#describe HOSTED_IN_TAIWAN Uses a URL hosted in Taiwan
+#tflags HOSTED_IN_TAIWAN net
+
+#uriip HOSTED_IN_THAILAND eval:check_uriip_rbl('thailand', 'thailand.blackholes.us.')
+#describe HOSTED_IN_THAILAND Uses a URL hosted in Thailand
+#tflags HOSTED_IN_THAILAND net
+
--- spamassassin/rules/50_scores.cf 2003-12-17 07:14:52.000000000 +0100
+++ spamassassin/rules/50_scores.cf 2004-01-20 23:57:19.000000000 +0100
@@ -1,7 +1,7 @@
 # SpamAssassin score file
 #
 # Please don't modify this file as your changes will be overwritten with
-# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
+# the next update. Use /etc/spamassassin/local.cf instead.
 # See 'perldoc Mail::SpamAssassin::Conf' for details.
 #
 # This program is free software; you can redistribute it and/or modify
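Review bot: The `describe` text of `HOSTED_SBL`, `HOSTED_SPEWS_L1` and `HOSTED_SPEWS_L2` in 20_uriip_tests.cf reads "URL ist hosted"; this string is shown to users in reports and should read `URL is hosted at a site listed in ...`. Beyond the wording, the file enables provider-wide and country-wide zones by default (`HOSTED_AT_CHINANET`, `HOSTED_AT_VERIO`, `HOSTED_IN_CHINA`, `HOSTED_IN_KOREA`, `HOSTED_IN_RUSSIA`), which match any link to a host in those ranges regardless of abuse history; I would ship them commented out like the others and leave activation to `local.cf`. Every active rule adds one DNSBL query per resolved address, and a third-party zone that is retired or starts answering for every query would hit on every URI, so each zone enabled here needs someone watching its status.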
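Review bot: The first 50_scores.cf hunk replaces the build-time token `@@LOCAL_RULES_DIR@@` with the literal path `/etc/spamassassin`, which looks like an artefact of diffing against an installed tree rather than an intended change; the new 20_uriip_tests.cf header in the same patch still uses the token. Dropping this hunk keeps the comment correct on installations that use a different rules directory.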
@@ -999,6 +999,56 @@
 score USER_IN_MORE_SPAM_TO -20.000
 score USER_IN_ALL_SPAM_TO -100.000
+# Spamvertised IPs within black-hat netblocks
+
+# Be careful with the scores - some legitimate emails may contain
+# (informational) links to spamvertised sites - score them high enough
+# but not too high.
+
+# These ones have been proven as *very* useful.
+score HOSTED_SBL 4.0
+score HOSTED_SPEWS_L1 4.0
+score HOSTED_SPEWS_L2 2.0
+score HOSTED_HABEAS_VIOLATOR 4.0
+
+# Only to be activated if a regional or ISP-specific spam problem is
+# evolving (yet that's what SBL and SPEWS are good for).
+score HOSTED_AT_ABOVE 1.5
+score HOSTED_AT_ATT 1.5
+score HOSTED_AT_BELLSOUTH 1.5
+score HOSTED_AT_CHINANET 4.0
+score HOSTED_AT_CIBERLYNX 4.0
+score HOSTED_AT_COGENTCO 2.0
+score HOSTED_AT_COMCAST 2.0
+score HOSTED_AT_COVAD 1.5
+score HOSTED_AT_CW 1.5
+score HOSTED_AT_HE 1.5
+score HOSTED_AT_HOSTCENTRIC 1.5
+score HOSTED_AT_INTERBUSINESS 2.0
+score HOSTED_AT_INTERNAP 2.0
+score HOSTED_AT_LEVEL3 1.5
+score HOSTED_AT_QWEST 2.0
+score HOSTED_AT_RACKSPACE 2.0
+score HOSTED_AT_ROGERS 2.0
+score HOSTED_AT_RR 2.0
+score HOSTED_AT_SERVEPATH 2.0
+score HOSTED_AT_SPRINT 2.0
+score HOSTED_AT_TELUS 1.5
+score HOSTED_AT_VALUENET 1.5
+score HOSTED_AT_VERIO 2.5
+
+score HOSTED_IN_ARGENTINA 1.5
+score HOSTED_IN_BRAZIL 1.5
+score HOSTED_IN_CHINA 3.0
+score HOSTED_IN_KOREA 2.5
+score HOSTED_IN_MALAYSIA 1.5
+score HOSTED_IN_NIGERIA 2.0
+score HOSTED_IN_RUSSIA 2.0
+score HOSTED_IN_SINGAPORE 1.5
+score HOSTED_IN_TAIWAN 1.5
+score HOSTED_IN_THAILAND 1.5
+
+
 #
 # Habeas: http://www.habeas.com/
 #
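Review bot: The scores in this hunk stack for a single address: an IP listed in both `chinanet.blackholes.us.` and `china.blackholes.us.` earns 4.0 + 3.0 from one link, and `HOSTED_SBL`, `HOSTED_SPEWS_L1` and `HOSTED_HABEAS_VIOLATOR` at 4.0 each put a message within one point of the stock 5.0 threshold on a single listing. The comment above them already warns that legitimate mail can link to listed sites, so I would lower the overlapping provider and country scores, or combine them through a meta rule so that one host cannot contribute twice. Scores are also assigned to rules that 20_uriip_tests.cf leaves commented out; that is harmless today but means uncommenting a rule activates it at a value nobody has reviewed recently.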