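# UNCLASSIFIED SPAMMERS
#
# This file contains recipes for IPs or domains that either sent spam
# or hosted spamvertized web sites.
#
# Shape shared by every section below:
#   - A scratch flag (LT2 / LT3 / LT4 / LOCALTAG) is reset to "no",
#     forced to "yes" when SPAMTAG is already "yes" (so an already-tagged
#     message skips the remaining lookups), and forced back to "no" when
#     SBCONFIG is "Debug" so that debug runs evaluate every list.
#   - TESTNAME, TESTCIDR (or TESTDOMAINS) and TESTSCORE are set, then one
#     of the identify-*.rc functions is included to do the actual match.
#   - test-threshold.rc is included after most sections.
# The identify-*.rc, loglevel.rc and test-threshold.rc functions live
# outside this file.  Which flags they set on a match is not visible
# here; the LT2 / LOCALTAG gating between consecutive lists presumably
# relies on them (TODO confirm against functions/).
#
# The month- and quarter-stamped list names (source-ips-0604.cidr,
# source-domains-06q2.txt, ...) are hard-coded and must be updated when
# the lists roll over, or these lookups point at stale or missing files.
#
# The backtick assignments (`${LS} ${SBDIR}/.../*.cidr`) spawn a shell
# for every message to expand the glob.  LS and SBDIR are installation
# settings; nothing derived from message content may be placed in them.
#
# Spam Source IPs
#
LT2=no
LT4=no

:0
* SPAMTAG ?? ^yes$
{ LT4=yes }

:0
* SBCONFIG ?? ^Debug$
{ LT4=no }

# Everything through "Spam-Supporting ISP IPs" is nested inside this
# block, so a message already tagged as spam skips all header IP tests.
:0
* LT4 ?? ^no$
{
  TESTNAME='Spam Source IP (Current Month)'
  TESTCIDR=${SBDIR}/black/source-ips-0604.cidr
  TESTSCORE=10
  INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source IP (One Month Ago)'
    TESTCIDR=${SBDIR}/black/source-ips-0603.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source IP (Two Months Ago)'
    TESTCIDR=${SBDIR}/black/source-ips-0602.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source IP (Three Months Ago)'
    TESTCIDR=${SBDIR}/black/source-ips-0601.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source IP (Master List)'
    TESTCIDR=`${LS} ${SBDIR}/black/*-ips.cidr`
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
  }

  # Log the match.  LOCALIP and LOCALBUFFER are not set in this file;
  # presumably identify-header-cidr.rc fills them from the matched header,
  # so the logged text is message-controlled and must be treated as
  # untrusted by anything that later parses the log.
  :0
  * LT4 ?? ^yes$
  {
    LT2=yes
    SBLOG="L5-sb-unclassified.rc: IP ${LOCALIP} CIDR pattern match with ${LOCALBUFFER}"
    INCLUDERC=${SBDIR}/functions/loglevel.rc
  }

  # Test to see if Spam Threshold has been reached
  #
  INCLUDERC=${SBDIR}/functions/test-threshold.rc

  # SpamHaus DROP List IPs
  #
  :0
  * LT2 ?? ^no$
  {
    LT4=no

    :0
    * SPAMTAG ?? ^yes$
    { LT4=yes }

    :0
    * SBCONFIG ?? ^Debug$
    { LT4=no }

    :0
    * LT4 ?? ^no$
    {
      TESTNAME='Spam Source IP (SpamHaus DROP List)'
      TESTCIDR=${SBDIR}/black/spamhaus-drop-ips.cidr
      TESTSCORE=10
      INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
    }
  }

  # Test to see if Spam Threshold has been reached
  #
  INCLUDERC=${SBDIR}/functions/test-threshold.rc

  # Mainsleaze IPs
  #
  # Skipped entirely when the user set MAINSLEAZE=NONE; BLOCK scores 5,
  # SPAM scores 10 (TESTSCORE is left unset for any other value).
  :0
  * LT2 ?? ^no$
  {
    LT4=no

    :0
    * SPAMTAG ?? ^yes$
    { LT4=yes }

    :0
    * SBCONFIG ?? ^Debug$
    { LT4=no }

    :0
    * LT4 ?? ^no$
    * ! MAINSLEAZE ?? ^NONE$
    {
      TESTNAME='Spam Source IP (Mainsleaze)'
      TESTCIDR=`${LS} ${SBDIR}/mainsleaze/*-ips.cidr`

      :0
      * MAINSLEAZE ?? ^BLOCK$
      { TESTSCORE=5 }

      :0
      * MAINSLEAZE ?? ^SPAM$
      { TESTSCORE=10 }

      INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
    }
  }

  # Test to see if Spam Threshold has been reached
  #
  INCLUDERC=${SBDIR}/functions/test-threshold.rc

  # Opt-Out ESP IPs
  #
  # NOTE: this and the Spam-Supporting ISP section use LT3 as the scratch
  # flag where the two sections above use LT4 -- presumably harmless, but
  # confirm identify-header-cidr.rc does not depend on one of them.
  :0
  * LT2 ?? ^no$
  {
    LT3=no

    :0
    * SPAMTAG ?? ^yes$
    { LT3=yes }

    :0
    * SBCONFIG ?? ^Debug$
    { LT3=no }

    # Anchored as ^no$ like every other flag test in this file; the
    # unanchored "no" also matched any value merely containing "no".
    :0
    * LT3 ?? ^no$
    * ! OPTOUT ?? ^NONE$
    {
      TESTNAME='Spam Source IP (Opt-Out ESP)'
      TESTCIDR=`${LS} ${SBDIR}/optout/*-ips.cidr`

      :0
      * OPTOUT ?? ^BLOCK$
      { TESTSCORE=5 }

      :0
      * OPTOUT ?? ^SPAM$
      { TESTSCORE=10 }

      INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
    }
  }

  # Test to see if Spam Threshold has been reached
  #
  INCLUDERC=${SBDIR}/functions/test-threshold.rc

  # Spam-Supporting ISP IPs
  #
  :0
  * LT2 ?? ^no$
  {
    LT3=no

    :0
    * SPAMTAG ?? ^yes$
    { LT3=yes }

    :0
    * SBCONFIG ?? ^Debug$
    { LT3=no }

    :0
    * LT3 ?? ^no$
    * ! PINKISP ?? ^NONE$
    {
      TESTNAME='Spam Source IP (Spam-Supporting ISP)'
      TESTCIDR=`${LS} ${SBDIR}/pinkisp/*-ips.cidr`

      :0
      * PINKISP ?? ^BLOCK$
      { TESTSCORE=5 }

      :0
      * PINKISP ?? ^SPAM$
      { TESTSCORE=10 }

      INCLUDERC=${SBDIR}/functions/identify-header-cidr.rc
    }
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Spam Source Domains
#
# Quarterly lists; the gating between quarters is on LT2, which this
# section never sets itself (TODO confirm identify-header-domains.rc
# sets it on a match, otherwise every quarter is always tested).
LT3=no

:0
* SPAMTAG ?? ^yes$
{ LT3=yes }

:0
* SBCONFIG ?? ^Debug$
{ LT3=no }

:0
* LT3 ?? ^no$
{
  :0
  {
    TESTNAME='Spam Source Domain (Current Quarter)'
    TESTDOMAINS=${SBDIR}/black/source-domains-06q2.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source Domain (One Quarter Ago)'
    TESTDOMAINS=${SBDIR}/black/source-domains-06q1.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source Domain (Two Quarters Ago)'
    TESTDOMAINS=${SBDIR}/black/source-domains-05q4.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source Domain (Three Quarters Ago)'
    TESTDOMAINS=${SBDIR}/black/source-domains-05q3.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }

  :0
  * LT2 ?? ^no$
  {
    TESTNAME='Spam Source Domain (Master List)'
    TESTDOMAINS=`${LS} ${SBDIR}/black/*-domains.txt`
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Mainsleaze Source Domains
#
:0
* LT2 ?? ^no$
{
  LT3=no

  :0
  * SPAMTAG ?? ^yes$
  { LT3=yes }

  :0
  * SBCONFIG ?? ^Debug$
  { LT3=no }

  :0
  * LT3 ?? ^no$
  * ! MAINSLEAZE ?? ^NONE$
  {
    TESTNAME='Spam Source Domain (Mainsleaze)'
    TESTDOMAINS=`${LS} ${SBDIR}/mainsleaze/*-domains.txt`

    :0
    * MAINSLEAZE ?? ^BLOCK$
    { TESTSCORE=5 }

    :0
    * MAINSLEAZE ?? ^SPAM$
    { TESTSCORE=10 }

    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Opt-Out ESP Source Domains
#
:0
* LT2 ?? ^no$
{
  LT3=no

  :0
  * SPAMTAG ?? ^yes$
  { LT3=yes }

  :0
  * SBCONFIG ?? ^Debug$
  { LT3=no }

  :0
  * LT3 ?? ^no$
  * ! OPTOUT ?? ^NONE$
  {
    TESTNAME='Spam Source Domain (Opt-Out ESP)'
    TESTDOMAINS=`${LS} ${SBDIR}/optout/*-domains.txt`

    :0
    * OPTOUT ?? ^BLOCK$
    { TESTSCORE=5 }

    :0
    * OPTOUT ?? ^SPAM$
    { TESTSCORE=10 }

    INCLUDERC=${SBDIR}/functions/identify-header-domains.rc
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Spam Haven IPs
#
# Body (identify-body-*.rc) tests start here.  They are additionally
# skipped when LEANTAG is "yes"; LEANTAG is set outside this file.
# After each include LOCALTAG is re-checked, so identify-body-cidr.rc is
# presumably what sets LOCALTAG=yes on a match (TODO confirm).
LT2=no
LOCALTAG=no

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
{
  :0
  {
    TESTNAME='Spam Haven IP (Current Month)'
    TESTCIDR=${SBDIR}/black/haven-ips-0604.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven IP (One Month Ago)'
    TESTCIDR=${SBDIR}/black/haven-ips-0603.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven IP (Two Months Ago)'
    TESTCIDR=${SBDIR}/black/haven-ips-0602.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven IP (Three Months Ago)'
    TESTCIDR=${SBDIR}/black/haven-ips-0601.cidr
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven IP (Master List)'
    TESTCIDR=`${LS} ${SBDIR}/black/*-ips.cidr`
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc
  }

  # A body match is carried forward in LT2 so the later haven sections
  # can skip themselves.
  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# SpamHaus DROP List Haven IPs
#
LOCALTAG=no

:0
* LT2 ?? ^yes$
{ LOCALTAG=yes }

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
{
  TESTNAME='Spam Haven IP (SpamHaus DROP List)'
  TESTCIDR=${SBDIR}/black/spamhaus-drop-ips.cidr
  TESTSCORE=10
  INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Mainsleaze Haven IPs
#
LOCALTAG=no

:0
* LT2 ?? ^yes$
{ LOCALTAG=yes }

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
* ! MAINSLEAZE ?? ^NONE$
{
  TESTNAME='Spam Haven IP (Mainsleaze)'
  TESTCIDR=`${LS} ${SBDIR}/mainsleaze/*-ips.cidr`

  :0
  * MAINSLEAZE ?? ^BLOCK$
  { TESTSCORE=5 }

  :0
  * MAINSLEAZE ?? ^SPAM$
  { TESTSCORE=10 }

  INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Opt-Out ESP Haven IPs
#
LOCALTAG=no

:0
* LT2 ?? ^yes$
{ LOCALTAG=yes }

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
* ! OPTOUT ?? ^NONE$
{
  TESTNAME='Spam Haven IP (Opt-Out ESP)'
  TESTCIDR=`${LS} ${SBDIR}/optout/*-ips.cidr`

  :0
  * OPTOUT ?? ^BLOCK$
  { TESTSCORE=5 }

  :0
  * OPTOUT ?? ^SPAM$
  { TESTSCORE=10 }

  INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Spam-Supporting ISP Haven IPs
#
LOCALTAG=no

:0
* LT2 ?? ^yes$
{ LOCALTAG=yes }

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
* ! PINKISP ?? ^NONE$
{
  TESTNAME='Spam Haven IP (Spam-Supporting ISP)'
  TESTCIDR=`${LS} ${SBDIR}/pinkisp/*-ips.cidr`

  :0
  * PINKISP ?? ^BLOCK$
  { TESTSCORE=5 }

  :0
  * PINKISP ?? ^SPAM$
  { TESTSCORE=10 }

  INCLUDERC=${SBDIR}/functions/identify-body-cidr.rc

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Spam Haven Domains
#
LT2=no
LOCALTAG=no

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
{
  :0
  {
    TESTNAME='Spam Haven Domain (Current Quarter)'
    TESTDOMAINS=${SBDIR}/black/haven-domains-06q2.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-domains.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven Domain (One Quarter Ago)'
    TESTDOMAINS=${SBDIR}/black/haven-domains-06q1.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-domains.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven Domain (Two Quarters Ago)'
    TESTDOMAINS=${SBDIR}/black/haven-domains-05q4.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-domains.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven Domain (Three Quarters Ago)'
    TESTDOMAINS=${SBDIR}/black/haven-domains-05q3.txt
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-domains.rc
  }

  :0
  * LOCALTAG ?? ^no$
  {
    TESTNAME='Spam Haven Domain (Master List)'
    TESTDOMAINS=`${LS} ${SBDIR}/black/*-domains.txt`
    TESTSCORE=10
    INCLUDERC=${SBDIR}/functions/identify-body-domains.rc
  }

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# NOTE(review): unlike every section above, no test-threshold.rc include
# follows here or after the two domain sections below; the threshold is
# presumably checked by whatever includes this file -- confirm that this
# is intended rather than an omission.

# Spam Mainsleaze Domains
#
# The domains on the Mainsleaze list belong to
# companies that have legitimate users and are more prone
# to false positives than the domains listed in the
# Haven Domains lists.  They're scored more lightly,
# and users can turn this filtering off outright if
# they so choose.
#
LOCALTAG=no

:0
* LT2 ?? ^yes$
{ LOCALTAG=yes }

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
* ! MAINSLEAZE ?? ^NONE$
{
  TESTNAME='Spam Haven Domain (Mainsleaze)'
  TESTDOMAINS=`${LS} ${SBDIR}/mainsleaze/*-domains.txt`

  :0
  * MAINSLEAZE ?? ^BLOCK$
  { TESTSCORE=5 }

  :0
  * MAINSLEAZE ?? ^SPAM$
  { TESTSCORE=10 }

  INCLUDERC=${SBDIR}/functions/identify-body-domains.rc

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}

# Spam Opt-Out ESP Domains
#
# The domains on the Opt-Out ESP list belong to
# companies that send email for hire, and whose list management
# policies result in their sending significant amounts of bulk
# email to people who did not ask to receive it.  These companies
# may be fully CAN-SPAM compliant, but they also spam.  (Anyone
# who thinks CAN-SPAM banned spamming was not paying attention.)
# Email from these companies *MAY* be legitimate; they
# send email to people who asked for it, as well as who did not.
# They also normally honor remove requests, unlike most outright
# spammers.  Because of this, they are scored more lightly than
# other spammers, to allow users to whitelist any email from these
# sources that they actually wanted to receive.
#
LOCALTAG=no

:0
* LT2 ?? ^yes$
{ LOCALTAG=yes }

:0
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }

:0
* SBCONFIG ?? ^Debug$
{ LOCALTAG=no }

:0
* LOCALTAG ?? ^no$
* LEANTAG ?? ^no$
* ! OPTOUT ?? ^NONE$
{
  TESTNAME='Spam Haven Domain (Opt-Out ESP)'
  TESTDOMAINS=`${LS} ${SBDIR}/optout/*-domains.txt`

  :0
  * OPTOUT ?? ^BLOCK$
  { TESTSCORE=5 }

  :0
  * OPTOUT ?? ^SPAM$
  { TESTSCORE=10 }

  INCLUDERC=${SBDIR}/functions/identify-body-domains.rc

  :0
  * LOCALTAG ?? ^yes$
  { LT2=yes }
}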