/usr/share/spamassassin/20_dynrdns.cf is in spamassassin 3.4.0-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 | # SpamAssassin rules file: dynamic-ish rDNS tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# We should write a new ruletype for these, to save typing.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version @@VERSION@@
# ---------------------------------------------------------------------------
# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
# See bug #5856, all references of "trusted" were changed to "external"
# All of the RDNS_DYNAMIC rules require that the last external relay
# did not use SMTP authentication. These rules should not be firing on
# friendlies!
header __LAST_UNTRUSTED_RELAY_NO_AUTH X-Spam-Relays-Untrusted =~ /^[^\]]+ auth= /
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# c-66-176-16-108.se.client2.attbi.com [66.176.16.108]
# c-67-168-174-61.client.comcast.net [67.168.174.61]
# NNN-NNN-NNN-NNN.fibertel.com.ar
# NN.NN.NNN.NNN.ap.yournet.ne.jp
# NN.NNN.NN-NN.rev.gaoland.net
# vaise-1-82-67-44-166.fbx.proxad.net [82.67.44.166]
# lns-vlq-11-62-147-186-141.adsl.proxad.net [62.147.186.141]
# dsl-200-95-109-107.prod-infinitum.com.mx [200.95.109.107]
# port-212-202-77-203.reverse.qsc.de [212.202.77.203]
# pool-151-203-32-68.bos.east.verizon.net [151.203.32.68]
# c-67-164-133-216.client.comcast.net [67.164.133.216]
# 200-171-228-6.customer.telesp.net.br [200.171.228.6]
# modemcable090.28-201-24.mc.videotron.ca [24.201.28.90]
# 80-218-47-160.dclient.hispeed.ch [80.218.47.160]
# cdm-68-226-239-16.laft.cox-internet.com [68.226.239.16]
# d53-64-35-171.nap.wideopenwest.com [64.53.171.35]
# 74.67-201-80.adsl.skynet.be [80.201.67.74]
# 12-218-225-223.client.mchsi.com [12.218.225.223]
# pptp-81-30-186-139.ufanet.ru [81.30.186.139]
# (require an alpha first, as legit HELO'ing-as-IP-address is hit otherwise)
header __RDNS_DYNAMIC_IPADDR X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+\S*\.\S+\.\S/i
describe __RDNS_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# catv-506237d8.miskcatv.broadband.hu [80.98.55.216]
# node-c-8b22.a2000.nl
# cm89.omega139.maxonline.com.sg
# cm114.gamma208.maxonline.com.sg
header __RDNS_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d/i
describe __RDNS_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
# fia83-8.dsl.hccnet.nl [62.251.8.83]
# fia160-115-100.dsl.hccnet.nl [80.100.115.160]
header __RDNS_DYNAMIC_HCC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i
describe __RDNS_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
# h0002a5d76857.ne.client2.attbi.com [65.96.12.59]
header __RDNS_DYNAMIC_ATTBI X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\d+\S+\.client2\.attbi\.com/i
describe __RDNS_DYNAMIC_ATTBI Relay HELO'd using suspicious hostname (ATTBI.com)
# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com
# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140]
header __RDNS_DYNAMIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ rdns=CPE\d+\S+\.rogers\.com/i
describe __RDNS_DYNAMIC_ROGERS Relay HELO'd using suspicious hostname (Rogers)
# ca-morpark-cuda1-zone7-b-159.vnnyca.adelphia.net[67.23.129.159]
# tn-greenvillecuda1cable7a-36.atlaga.adelphia.net [68.171.113.36]
# ky-richmond2a-123.rhmdky.adelphia.net [68.71.36.123]
# ny-lackawannacadent4-chtwga3a-b-117.buf.adelphia.net [68.71.205.117]
# fl-edel-u2-c3c-233.pbc.adelphia.net [68.64.89.233]
header __RDNS_DYNAMIC_ADELPHIA X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}-\S+-\d{1,3}\.[a-z]{3,8}\.adelphia\.net/i
describe __RDNS_DYNAMIC_ADELPHIA Relay HELO'd using suspicious hostname (Adelphia)
# pD9E4F89F.dip.t-dialin.net [217.228.248.159]
header __RDNS_DYNAMIC_DIALIN X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z][A-F0-9]+\.dip\./
describe __RDNS_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin)
# 0xd5aaf40b.dhcp.kabelnettet.dk
# 0x50a46949.virnxx11.adsl-dhcp.tele.dk
header __RDNS_DYNAMIC_HEXIP X-Spam-Relays-External =~ /^[^\]]+ rdns=0x[a-f0-9]{8}\./
describe __RDNS_DYNAMIC_HEXIP Relay HELO'd using suspicious hostname (Hex IP)
# 118.Red-80-35-201.pooles.rima-tde.net
header __RDNS_DYNAMIC_SPLIT_IP X-Spam-Relays-External =~ /^[^\]]+ rdns=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/
describe __RDNS_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
# YahooBB219173000034.bbtec.net [219.173.0.34]
header __RDNS_DYNAMIC_YAHOOBB X-Spam-Relays-External =~ /^[^\]]+ rdns=YahooBB/i
describe __RDNS_DYNAMIC_YAHOOBB Relay HELO'd using suspicious hostname (YahooBB)
# ool-18be1aaf.dyn.optonline.net [24.190.26.175]
header __RDNS_DYNAMIC_OOL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.dyn\.optonline\.net/
describe __RDNS_DYNAMIC_OOL Relay HELO'd using suspicious hostname (OptOnline)
# wiley-170-10231.roadrunner.nf.net [205.251.210.249]
header __RDNS_DYNAMIC_RR2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]+-\d{1,3}-\d{1,5}\.roadrunner/i
describe __RDNS_DYNAMIC_RR2 Relay HELO'd using suspicious hostname (RR 2)
# pcp04024417pcs.toresd01.pa.comcast.net [68.86.206.126]
# bgp542174bgs.ewndsr01.nj.comcast.net[68.38.144.91]
# Computer-udp135632uds.union01.nj.comcast.net [68.39.99.32]
header __RDNS_DYNAMIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z-]+\d+[a-z]{3}\.[a-z0-9]+\...\.comcast/i
describe __RDNS_DYNAMIC_COMCAST Relay HELO'd using suspicious hostname (Comcast)
# h234n2fls32o895.telia.com [217.208.73.234]
# h53n2fls32o828.telia.com
# h116n2fls32o1111.telia.com
# h29n1fls306o1003.telia.com
header __RDNS_DYNAMIC_TELIA X-Spam-Relays-External =~ /^[^\]]+ rdns=h\d+n\d+fls\S+\.telia\.com/i
describe __RDNS_DYNAMIC_TELIA Relay HELO'd using suspicious hostname (Telia)
# CM-vina5-168-207.cm.vtr.net [200.104.168.207]
# CM-anto1-98-153.cm.vtr.net [200.104.98.153]
header __RDNS_DYNAMIC_VTR X-Spam-Relays-External =~ /^[^\]]+ rdns=cm-[a-z]+\d+-\d+-\d+\.cm\.vtr/i
describe __RDNS_DYNAMIC_VTR Relay HELO'd using suspicious hostname (VTR)
# ec9z5l.cm.chello.no
header __RDNS_DYNAMIC_CHELLO_NO X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.cm\.chello\.no/i
describe __RDNS_DYNAMIC_CHELLO_NO Relay HELO'd using suspicious hostname (Chello.no)
# g225174.upc-g.chello.nl
# a151145.upc-a.chello.nl
# a96134.upc-a.chello.nl
header __RDNS_DYNAMIC_CHELLO_NL X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]\d+\.upc-[a-z]\.chello\.nl/i
describe __RDNS_DYNAMIC_CHELLO_NL Relay HELO'd using suspicious hostname (Chello.nl)
# MG001182.user.veloxzone.com.br
# ba199058073.user.veloxzone.com.br
header __RDNS_DYNAMIC_VELOX X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}\d+\.user\.veloxzone\./i
describe __RDNS_DYNAMIC_VELOX Relay HELO'd using suspicious hostname (Veloxzone)
# public4-seve6-5-cust173.lond.broadband.ntl.com
# spr1-bolt5-5-0-cust9.manc.broadband.ntl.com
# spc1-lewi4-6-0-cust190.lond.broadband.ntl.com
header __RDNS_DYNAMIC_NTL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\d+-\d+-cust\d+\.[a-z]{4,6}\.broadband\.ntl\.com/i
describe __RDNS_DYNAMIC_NTL Relay HELO'd using suspicious hostname (NTL)
# cp160000-a.mill1.nb.home.nl
# cp341468-b.venra1.lb.home.nl
header __RDNS_DYNAMIC_HOME_NL X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl/i
describe __RDNS_DYNAMIC_HOME_NL Relay HELO'd using suspicious hostname (Home.nl)
# (I'm quite sure these may be a good spamsign in future)
# nwblwi-nrp3-l10-a671.nwblwi.tds.net
header __RDNS_DYNAMIC_TDS X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+-[a-z]\d+\.[a-z]{6}\.tds\.net/i
header __RDNS_DYNAMIC_VIRTUA X-Spam-Relays-External =~ /^[^\]]+ rdns=\d+\.cps\./i
# sp1-c700-131.spacelan.ne.jp
header __RDNS_DYNAMIC_SPACELAN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+-[a-z]\d+-\d+\./i
# rDNS host-type indicators, as per
# http://tools.ietf.org/wg/dnsop/draft-msullivan-dnsop-generic-naming-schemes-00.txt
header __RDNS_INDICATOR_DYN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.]dyn(?:amic)?[\-\.]/i
# surprisingly large ham hitrate
header __RDNS_INDICATOR_TYPE X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:dial|modem|isdn|dov|\S?dsl|cable|wireless)[\-\.]/i
# this hits a little ham, not too much though
header __RDNS_INDICATOR_RES X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:res|resnet|client)[\-\.]/i
# these are non-standard, but common in the field; 100% spam correlation!
# (I think that's a fluke)
header __RDNS_INDICATOR_TYPE2 X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:docsis|dhcp|cpe|catv)[\-\.]/i
# dsl.dynamic8510023760.ttnet.net.tr
header __RDNS_DYNAMIC_TTNET X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.]dyn(?:amic)?\d/i
# c221106.ppp.asahi-net.or.jp
# i253064.ppp.asahi-net.or.jp
# u035201.ppp.asahi-net.or.jp
# w158034.ppp.asahi-net.or.jp
header __RDNS_DYNAMIC_ASAHI X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z][0-9]+\.ppp\.asahi-net\.or\.jp/i
# exceptions (bug 5397):
header __RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:fix|static|fixip)/i
# bug 5586:
header __CGATE_RCVD Received =~ /by \S+ \(CommuniGate Pro/
# bug 5926:
header __DOMINO_RCVD Received =~ /by \S+ \(Lotus Domino /
header __RDNS_NONE X-Spam-Relays-External =~ /^[^\]]+ rdns= /
###########################################################################
meta RDNS_DYNAMIC (__LAST_EXTERNAL_RELAY_NO_AUTH && !__RDNS_STATIC && (__RDNS_DYNAMIC_IPADDR || __RDNS_DYNAMIC_DHCP || __RDNS_DYNAMIC_HCC || __RDNS_DYNAMIC_ATTBI || __RDNS_DYNAMIC_ROGERS || __RDNS_DYNAMIC_ADELPHIA || __RDNS_DYNAMIC_DIALIN || __RDNS_DYNAMIC_HEXIP || __RDNS_DYNAMIC_SPLIT_IP || __RDNS_DYNAMIC_YAHOOBB || __RDNS_DYNAMIC_OOL || __RDNS_DYNAMIC_RR2 || __RDNS_DYNAMIC_COMCAST || __RDNS_DYNAMIC_TELIA || __RDNS_DYNAMIC_VTR || __RDNS_DYNAMIC_CHELLO_NO || __RDNS_DYNAMIC_CHELLO_NL || __RDNS_DYNAMIC_VELOX || __RDNS_DYNAMIC_NTL || __RDNS_DYNAMIC_HOME_NL || __RDNS_DYNAMIC_TDS || __RDNS_DYNAMIC_VIRTUA || __RDNS_DYNAMIC_SPACELAN || __RDNS_INDICATOR_DYN || __RDNS_INDICATOR_RES || __RDNS_INDICATOR_TYPE2 || __RDNS_DYNAMIC_TTNET || __RDNS_DYNAMIC_ASAHI))
describe RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
meta RDNS_NONE (__RDNS_NONE && !__CGATE_RCVD && !__DOMINO_RCVD)
describe RDNS_NONE Delivered to internal network by a host with no rDNS
|