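# Layout restored: one directive, rule or comment per line. In the collapsed
# form everything after the first '#' sat on a single physical line.
# Rule syntax as used below: [=]Header: score {regex} [NAME description]

# Global settings.
MAXSIZE 16384
MAXCOMMENT 1024
ADDSCORE
SHOWVALUE
# Score thresholds: 430 for "suspect", 499.9 for "spam" (read from the directive
# names; confirm against the filter's documentation).
THRESHOLD_SUSPECT 430
THRESHOLD_SPAM 499.9
NOWHITELIST
PRECOMPILE

# updated 30/09/2008
# The header being filtered has the form:
#   X-Ovh-Remote: 111.111.111.111 (reverse DNS)
# A leading = means evaluation stops at the first rule that matches.

# images
# ------
# NOTE(review): the pattern is just "image", so any image Content-Type matches,
# although the label says GIF.
# Each of the next two rules scores 250.0, below the suspect threshold on its
# own; presumably the two add up to 500.0 (ADDSCORE) when both match.
Content-Type: 250.0 {image} GIF_IMAGE contains a GIF image
Subject: 250.0 {^Re:$} RE_SUBJECT subject is only Re:

# no DNS ( -> straight to the bin)
# ----------
# has not fired for a long time - OVH must be filtering these upstream
=X-Ovh-Remote: 500.0 {\(\)} [NO_DNS no reverse DNS]

# whitelist
# ---------
# for legitimate senders that have the bad idea of putting digits in their
# reverse DNS... The neufgp.fr case is handled further down.
#   ems2smtp6.adistar.net
#   bizpsie3.9services.com
#   ns21640.ovh.net
#   web86807.mail.ukl.yahoo.com
#   web55606.mail.re4.yahoo.com
#   bay0-omc2-s15.bay0.hotmail.com
#   smtp2f.orange.fr
# NOTE(review): this pattern is unanchored, so every alternative matches
# anywhere in the header value, and the bare `smtp` alternative matches any
# reverse-DNS name containing that string. A PTR name is set by whoever runs the
# reverse zone of the sending address, so unless the upstream relay
# forward-confirms it, this header is sender-influenced. Because the rule
# carries `=` and sits above the RES_IP and BAD_DOMAIN rules, a hit here
# presumably pre-empts them (the BAD_DOMAIN entry smtp.pacenet-india.com at the
# end of the file also contains `smtp`) - confirm the evaluation order.
# Consider anchoring the domain suffixes to the closing parenthesis, as the mso
# rule below does, and replacing `smtp` with the explicit hosts it was meant for.
=X-Ovh-Remote: -100.0 {(9services\.com|smtp|\.ovh\.net|\.mail\.[a-z0-9]*\.yahoo\.com|\.hotmail\.com|\.orange\.fr)} [DNS_OK sender in whitelist]
#   mso1k193.u-3mrs.fr
# NOTE(review): `.*` accepts any name that starts with "mso" and ends in ".fr",
# not only the u-3mrs.fr host shown above.
=X-Ovh-Remote: -100.0 {\(mso.*\.fr\)} [DNS_OK sender in whitelist]

# email marketers
# ---------------
=Return-Path: 500.0 {forumdiffusion\.net} [ BULK bulk emailer ]

# filters on 3 numbers (easy: little risk of false positives - 1-2-3.com ?)
# ---------------------
# this filter can also catch hexadecimal
#   157.60.119-80.rev.gaoland.net
#   n23z173l14.broadband.ctm.net
#   gl14-151.gl14.cilas.net
#   usr042.bb007-01.uda.im.wakwak.ne.jp
#   kfnfa-01p3-169.ppp11.odn.ad.jp
#   cust-02-5286ca52.adsl.scarlet.nl
#   host25-60-dynamic.2-79-r.retail.telecomitalia.it
=X-Ovh-Remote: 500.0 {\([^0-9]*[0-9]+[^0-9]+[0-9]+[^0-9]+[0-9]+} [RES_IP looks like a residential IP (3 numbers found)]

# filters on 2 numbers (more selective: risk of false positives, e.g. acme24-7.com)
# ---------------------
# ISPs do not lack imagination...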
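# Layout restored: one rule or comment per line, so the rule below is no longer
# swallowed by the '#' comment that preceded it on the same physical line.
# this filter can also catch hexadecimal
#   cpe-4-111.bvconline.com.ar
#   cablelink45-1.intercable.net
#   cable2-54.murray-ky.net
#   cust43-dsl58.idnet.net
#   jk230.opt2.point.ne.jp
#   mon-pq53-152.dial.allstream.net
#   71-240-dsl.kielnet.net
#   240-116.netrunf.cytanet.com.cy
#   m245.c250.petrotel.pl
#   cm153-94.liwest.at
#   cmpc006-098.cnet2.gawex.pl
#   c3281-83.impsat.com.co
#   x66x22178.jaskom.pl
#   238m50.rivo.mediatti.net
#   20ppp4.telegraph.spb.ru
#   p34n14.ruraltel.net
#   p1038-ipbf902osakakita.osaka.ocn.ne.jp
#   pohnpei-pm02-s13.telecom.fm
#   epsh-ip-nas-1-p178.telkom-ipnet.co.za
#   36-102-cust.westnet.ie
#   nat-go2-1.aster.pl
#   ac-classe2.bry.com.br
#   nat-4.desire24.com
# Matches, right after the opening parenthesis, two digit runs separated only by
# lowercase letters, hyphens and dots. Legitimate relays that number their hosts
# this way (the whitelist example ems2smtp6.adistar.net, for instance) also fit
# the pattern, which is why the whitelist rule sits earlier in the file.
=X-Ovh-Remote: 500.0 {\([-a-z]*[0-9]+[-.a-z]+[0-9]+} [RES_IP looks like a residential IP (2 numbers found)]

# filters on a single number (careful with the hexadecimal filters, e.g. deadbeef.com)
# --------------------------
# 5 digits in a row, e.g. f149069.upc-f.chello.nl
#   a13111.applet-bg.com
# an exception is made for Neuf (neufgp.fr), e.g.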
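# Layout restored: one rule or comment per line; the first entry below was an
# uncommented continuation of the previous line's comment.
# neufgp.fr exception examples: sp604003mt.neufgp.fr, sp604002av.neufgp.fr
# The negative lookahead skips a run of 5+ digits when it is followed by two
# lowercase letters and ".neufgp.fr".
=X-Ovh-Remote: 500.0 {[0-9]{5,}(?![0-9]*[a-z]{2}\.neufgp\.fr)} [RES_IP looks like a residential IP (5 digits found)]

# 8 hexadecimal digits with 0x prefix
#   cpe.atm2-0-74567.0x535f084e.taanxx2.customer.tele.dk
#   0x573aa187.sonqu1.broadband.tele.dk
=X-Ovh-Remote: 500.0 {[.(]0x[a-f0-9]{8}\.} [RES_IP looks like a residential IP (0xhex-8 found)]

# 8 hexadecimal digits without 0x prefix
#   wrzb-590ce942.pool.einsundeins.de
=X-Ovh-Remote: 500.0 {-[a-f0-9]{8}\.pool\.} [RES_IP looks like a residential IP (hex-8 found)]
#   i577bcebc.versanet.de
#   md4691ffd.utfors.se
=X-Ovh-Remote: 500.0 {\([im]{0,1}[a-f0-9]{8}\.(versanet|utfors|bb|adsl)\.} [RES_IP looks like a residential IP (hex-8 found)]

# 1 letter, 4 hexadecimal digits, a dot
#   qd69a.q.pppool.de
#   mc5fa.m.pppool.de
#   f2fdf.f.ppp-pool.de
#   f57bf.f.strato-dslnet.de
=X-Ovh-Remote: 500.0 {\([a-z][a-f0-9]{4,}\.[a-z]\.(pppool|ppp-pool|strato-dslnet)\.} [RES_IP looks like a residential IP (hex-4 found)]

# 4 hexadecimal digits, a dot
#   a012.nest.gliwice.pl
=X-Ovh-Remote: 500.0 {\([a-f0-9]{4,}\.nest\.} [RES_IP looks like a residential IP (hex-4 found)]
#   alajuela-a391.racsa.co.cr
=X-Ovh-Remote: 500.0 {-[a-f0-9]{4}\.racsa\.} [RES_IP looks like a residential IP (hex-4 found)]

# a reserved word followed by an optional hyphen and a number
#   diala105.etel.ru
#   cuscon3653.tstt.net.tt
#   ip245.carmel-creek.sdg.ygnition.net
#   f186.nasicnet.com
#   pc-210.nat-pool.uoi.gr
#   teilnehmer-188.koetschlitz.de
#   dummy17.psy.cuhk.edu.hk
#   coral-01.citytelecom.ru
#   sp26.goodon.com.tw
#   public-gprs43864.centertel.pl
#   uttara147.dhaka.net
#   ks-125.flexabit.net
#   xdsl-3893.lubin.dialog.net.pl
#   host51.abaks.pl
#   netro4.cust.sloane.cz
#   tk3000.lviv.farlep.net
#   cap185.lettere.unipd.it
#   pc197.am.osi.pl
#   pc06.bogdanfilip.bacau.rdsnet.ro
#   advance-932.infovia.com.ar
#   rbi0265.giga-dns.com
#   umcs.vl174.renfri.lubman.net.pl
#   jolin.dorm10.nctu.edu.tw
#   dotcom.vlan145.dengo.lubman.net.pl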
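# Layout restored: one rule or comment per line; the first entry below was an
# uncommented continuation of the previous line's comment.
# (examples for the "reserved word + optional hyphen + number" rule, continued)
#   dyn5094a.dialin.rad.net.id
#   phd39.ics.ee.nctu.edu.tw
#   dor24284.kaist.ac.kr
#   pppoe-117.pm.spnet.net
#   ppp-static-224.tis-dialog.ru
# Fixed: the alternation listed `ppoe`, which cannot match the documented
# example pppoe-117.pm.spnet.net; `pppoe` is added and `ppoe` kept so existing
# matches are unchanged. The duplicate `pc` alternative is dropped (no effect).
# NOTE(review): dyn5094a.dialin.rad.net.id has a letter between the digits and
# the dot, so the `dyn` alternative does not match it as written, and no other
# rule in this file appears to either - confirm whether that is intended.
=X-Ovh-Remote: 500.0 {[.(](f|dial[a-z]|cuscon|ip|pc|teilnehmer|dummy|coral|sp|public-gprs|uttara|ks|xdsl|host|netro|tk|cap|advance|rbi|umcs\.vl|pppoe|ppoe|home|dorm|dor|vlan|dyn|phd|cust|ppp-static)-{0,1}[0-9]+\.} [RES_IP looks like a residential IP (1 number found)]

# a number followed by a specific domain
#   visnu-162.cablenet.com.ni
#   ggf162.internetdsl.tpnet.pl
#   nbfgrs0.nbfgr.res.in
#   hutchinson-6.access.nethere.net
#   scranton174.ctcinet.com
#   jkolt-178.goldengate.net
#   tamulink-0050.vpn.tamu.edu
#   cswe-9123.communicomm.com
#   austra1253.lnk.telstra.net
#   hb188.med.unipg.it
#   timmins-cable632.onlink.net
=X-Ovh-Remote: 500.0 {[0-9]+\.(cablenet|internetdsl|nbfgr|access|reuters|ctcinet|goldengate|vpn|communicomm|lnk|med|onlink)\.} [RES_IP looks like a residential IP (1 number found)]

# a reserved word, a string, a number
#   pop-sumqait-139.azeronline.com
#   adsl.eb23-aradas.edu.pt
#   nat-mi2.aster.pl
=X-Ovh-Remote: 500.0 {\((pop|adsl|nat)[-.][-.a-z]*[0-9]{1,3}[-.]} [RES_IP looks like a residential IP (1 number found)]

# starts with a number followed by a dot
#   163.alfredoscar.a.se
=X-Ovh-Remote: 500.0 {\([0-9]{1,3}\.} [RES_IP looks like a residential IP (1 number found)]

# filters without digits
# ----------------------
#   inet-out.dsl-nat.sura.ru
# Fixed: the class was written `[.-_]`, which is a RANGE from '.' to '_'. That
# range covers digits, uppercase letters and punctuation such as '/' and ':',
# but not '-', so the example above (".dsl-") did not match. `[._-]` is the
# literal set dot, underscore, hyphen.
=X-Ovh-Remote: 500.0 {[._-]dsl[._-]} [RES_IP looks like a residential IP (keyword found)]

# spammer or compromised domains
# ------------------------------
# History of listed hosts. Columns: name, added, removed, reinstated
# (dates are dd/mm/yyyy; "permanent" means the entry was never removed).
# wehostdomain.com  04/03/2007  17/03/2007
# ssau.ru  05/03/2007  17/03/2007
# elkhorn.net  05/03/2007  17/03/2007
# intca.ntca.org  08/03/2007  17/03/2007
# puerto.lcwireless.net  08/03/2007  17/03/2007
# ns.sauevald.ee  08/03/2007  17/03/2007
# gw-infotech-plus.ll-bar.zsttk.ru  12/03/2007  19/03/2007
# www.szjlaw2.com  12/03/2007  19/03/2007
# mail.epene.com  12/03/2007  19/03/2007
# hermes.vrnet.com.br  18/03/2007  11/05/2007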
# arwen.npgco.com  13/03/2007  20/03/2007
# boscu.mariana.citynet.botosani.ro  13/03/2007  20/03/2007
# ccs.dubki.ru  13/03/2007  20/03/2007
# mail.agidis.com  13/03/2007  20/03/2007
# mail.cheshirecareercenter.org  14/03/2007  21/03/2007  06/04/2007
# sql.ovac.org  15/03/2007  22/03/2007
# ammunitionness.liberties.volia.net  15/03/2007  22/03/2007
# natasa1.mtw.cz  16/03/2007  23/03/2007
# lukoil.radnet.ru  17/03/2007  26/03/2007
# macsim.corneliu.citynet.botosani.ro  17/03/2007  26/03/2007
# vol-energy-cmh-oh-gw.wan.wcom.net  19/03/2007  26/03/2007
# sun-gw.midnet.ru  20/03/2007  30/03/2007
# mail.aebtri.com  23/03/2007  30/03/2007
# fabikova.ludik.cz  23/03/2007  30/03/2007
# bila.zno.skynet.cz  23/03/2007  30/03/2007
# host6.mnafe.com  26/03/2007  04/04/2007
# msb.intnet.mu  26/03/2007  04/04/2007
# hanulso8.knu.ac.kr  26/03/2007  04/04/2007
# premiern.novline.ru  26/03/2007  04/04/2007
# viic.dsl-comm.vsi.ru  26/03/2007  04/04/2007
# palmda.lnk.telstra.net  27/03/2007  04/04/2007
# citynet.botosani.ro  27/03/2007  permanent
# mail.china-soul.com  30/03/2007  06/04/2007
# realitiness-invasion.volia.net  31/03/2007  10/04/2007
# fss-6.fsnet.is  31/03/2007  10/04/2007
# media.intermonde.net  31/03/2007  10/04/2007
# sutlepa13.kodunet.webs.ee  01/04/2007  permanent
# intca.ntca.org  01/04/2007  10/04/2007
# cisbio.mailclub.fr  01/04/2007  10/04/2007
# nbfgrs0.nbfgr.res.in  02/04/2007  10/04/2007
# lgh004a.skehus19.ac  02/04/2007  10/04/2007
# stacja16.2lo.gorzow.pl  04/04/2007  permanent
# easypay.mtnl.net.in  04/04/2007  11/04/2007
# fsozcr.fh-potsdam.de  05/04/2007  permanent
# ymlabusr22.eic.nctu.edu.tw  05/04/2007  13/04/2007
# lensk.sakha.ru  05/04/2007  13/04/2007
# sedlnice.miramo.cz  10/04/2007  17/04/2007
# arctic.ntvk.com.pl  10/04/2007  17/04/2007
# fuzesgyarmat.novatech.hu  10/04/2007  17/04/2007
# mail.skrecon.com  11/04/2007  19/04/2007
# chanceforloans.com  12/04/2007  permanent
# absolving-injunction.volia.net  12/04/2007  19/04/2007
# collusionless-tumble.volia.net  14/04/2007  19/04/2007
# nat-goc.aster.pl  16/04/2007  23/04/2007
# kudus.puragroup.com  18/04/2007  25/04/2007
# kengarags.kenga.net  19/04/2007  26/04/2007
# mdan.toplita.ro  21/04/2007  28/04/2007
# ienybr-debrecen.pantel.net  25/04/2007  02/05/2007
# mail.canda-tlr.ro  27/04/2007  07/05/2007
# server2.plugnet.psi.br  28/04/2007  07/05/2007
# proxy.hittelecom.ru  01/05/2007  07/05/2007
# sementhal.westnet.com.br  02/05/2007  09/05/2007
# gw7.saybervizhn.ru  07/05/2007  14/05/2007
# videowebsolution.consultingweb.it  11/05/2007  18/05/2007
# up-traffic.volia.net  11/05/2007  18/05/2007
# nat.farolbr.com  12/05/2007  19/05/2007
# geodesyguo.cv.nctu.edu.tw  14/05/2007  21/05/2007
# mail2.us-concrete.com  15/05/2007  22/05/2007
# datamedia.tsua.net  15/05/2007  22/05/2007
# os-niepodleglosci.bochnia.pl  16/05/2007  25/05/2007
# mnepu.sura.ru  17/05/2007  25/05/2007
# proxy.abakannet.ru  17/05/2007  25/05/2007
# barroob.mv.ru  18/05/2007  25/05/2007
# pd1.ccsnet.ne.jp  18/05/2007  25/05/2007
# battleship.kaist.ac.kr  19/05/2007  27/05/2007
# 2001dell.connectec.com  21/05/2007  28/05/2007
# gatan.kaist.ac.kr  21/05/2007  28/05/2007
# mail.tcfgroup.net  22/05/2007  29/05/2007
# pspm.whu.edu.cn  22/05/2007  29/05/2007
# abuse.vandagroup.com.cn  22/05/2007  29/05/2007
# ns1.noyearlyfees.com  27/05/2007  permanent
# ped29.ctbc.com.br  28/05/2007  05/06/2007
# eh.sibnet.ru  29/05/2007  05/06/2007
# sod.knu.ac.kr  01/06/2007  08/06/2007
# firewall.batelnet.bs  01/06/2007  08/06/2007
# oldcom.kaist.ac.kr  01/06/2007  08/06/2007
# mail.bandshine.com.cn  05/06/2007  12/06/2007
# macau.b.astral.ro  05/06/2007  12/06/2007
# savas.meng.auth.gr  05/06/2007  12/06/2007
# mail.teleperu.com.pe  05/06/2007  12/06/2007
# trojanly.anesthetic.volia.net  08/06/2007  permanent  (Russian hosting provider, a spam nest)
# rapid.com.ua  12/06/2007  21/06/2007
# mail.reelfx.com  13/06/2007  21/06/2007
# ryazpressa.ru  21/06/2007  28/06/2007
# mail.ans.kz  22/06/2007  01/07/2007
# angel.techtrans.ru  28/06/2007  05/07/2007
# ns1.paulklee.com.br  01/07/2007  10/07/2007
# voicemail.telme.sg  03/07/2007  10/07/2007
# win98-en.kaist.ac.kr  04/07/2007  permanent
# mail.mandos.com.mx  04/07/2007  11/07/2007
# guardian.enternet.hu  05/07/2007  12/07/2007
# aspmail.net4india.com  06/07/2007  15/07/2007
# lex-it.convex.ru  10/07/2007  24/07/2007
# gateway.drlogick.com  10/07/2007  24/07/2007
# brist.convex.ru  11/07/2007  24/07/2007
# mail.usd.onego.ru  12/07/2007  24/07/2007
# mx1.unitoys.ru  13/07/2007  24/07/2007
# techautochim.rusmeh.ll.westcall.ru  22/07/2007  04/09/2007
# exchange.sarrieri.ro  28/07/2007  04/09/2007
# mail.difusoradigital.com.ar  04/09/2007  12/09/2007
# es36.usask.ca  12/09/2007  19/09/2007
# horoshavina-3.incompany.ru  13/09/2007  21/09/2007
# bumerang.md  14/09/2007  21/09/2007
# gate7.spndigital.com  15/09/2007  22/09/2007
# relay.londred.com  17/09/2007  24/09/2007
# mail.422homes.com  17/09/2007  24/09/2007
# bartosze.el2.ftnet.pl  19/09/2007  01/10/2007
# mail.my-promotions.com  21/09/2007  permanent
# mailgate.henry-hughes.co.uk  22/09/2007  08/10/2007
# gw.cordsys.net  24/09/2007  01/10/2007
# visualco-9sogtg.cpe.cableonda.net  01/10/2007  permanent
# ns2.electrocom.info  01/10/2007  08/10/2007
# hong4.me.nctu.edu.tw  01/10/2007  08/10/2007
# providerservidorintranet.telesat.net.co  01/10/2007  08/10/2007
# sgrfsav.sgrf.gov.om  01/10/2007  08/10/2007
# relay.cpbxl.be  02/10/2007  13/10/2007
# famko.ru  08/10/2007  23/10/2007
# buster.mobile.asu.edu  10/10/2007  23/10/2007
# luki.zbuk.net  10/10/2007  23/10/2007
# homelans.noginsk.vpn.flex.ru  13/10/2007  23/10/2007
# gw-cifrovye-tekhnologii.ll-nkz.zsttk.ru  23/10/2007  09/11/2007
# mail.mellano.com  09/11/2007  21/11/2007
# osguthorpe.demon.co.uk  09/11/2007  21/11/2007
# mail3.superiorwebworks.com  13/11/2007  21/11/2007
# mail.gama.com.tr  21/11/2007  02/12/2007
# balancely.quay.volia-lviv.com  02/12/2007  11/12/2007
# gateway.intermexusa.com  11/12/2007  18/12/2007
# diversiones.manquehue.net  20/12/2007  23/01/2008
# aligator.dilines.net  23/01/2008  16/02/2008
# mail.bdo-balance.dp.ua  25/01/2008  16/02/2008
# cordelia.intersc.com.pl  18/02/2008  29/02/2008
# mail.mtc-network.com  22/02/2008  29/02/2008
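# Layout restored: one rule or comment per line; the first entry below was an
# uncommented continuation of the previous line's comment.
# openexchange.enapu.com.pe  29/02/2008  09/03/2008
# mail.pcgeula.co.il  04/03/2008  12/03/2008
# nat1.antenka.eu  09/03/2008  27/03/2008
# sendmail2.ccct.com.ve  12/03/2008  27/03/2008
# standart.kiev.farlep.net  27/03/2008  04/04/2008
# mail.argomm.it  27/03/2008  04/04/2008
# fw-ind-ext.kla-tencor.com  04/04/2008  11/04/2008
# wall.lanck.net  04/04/2008  11/04/2008
# pikk.netshark.ee  11/04/2008  19/04/2008
# mail.kaupmees.ee  16/04/2008  30/04/2008
# mcvlad.fasty.net  19/04/2008  30/04/2008
# la-napoule-art-foundation.rain.fr  21/04/2008  30/04/2008
# mail.ihlonline.com  30/04/2008  16/05/2008
# exchange.xtream.co.il  19/05/2008  06/06/2008
# shmoksy.com  19/05/2008  06/06/2008
# neraton.bacau.rdsnet.ro  06/06/2008  28/06/2008
# mx3.infopac.ru  28/06/2008  09/07/2008
# elementk.cp2.elementk.com  09/07/2008  17/07/2008
# freebsd.ecafil.it  14/07/2008  25/09/2008
# mail.stakdesign.com  15/07/2008  25/09/2008
# c77.pasty.net  17/07/2008  25/09/2008
# styx.aic.net  25/09/2008
# smtp.pacenet-india.com  25/09/2008
# portal.thehottubpeople.co.uk  30/09/2008
# geringer.hod.ar.wroc.pl  01/10/2008

# Active block list: the history entries marked permanent, reinstated, or not
# yet removed, several of them reduced to their parent domain.
# Fixed: the dots were unescaped, so each '.' matched any character (for
# example "gorzow.pl" also matched "gorzowXpl"); they are now literal.
# NOTE(review): the pattern is still unanchored and several entries are whole
# provider or institution domains (volia.net, kaist.ac.kr, gorzow.pl,
# fh-potsdam.de), so every host under them scores 500.0 - confirm that breadth
# is intended.
# NOTE(review): smtp.pacenet-india.com also matches the bare `smtp` alternative
# of the DNS_OK whitelist rule earlier in the file; if rules are evaluated in
# file order and `=` stops at the first match, this entry never fires.
=X-Ovh-Remote: 500.0 {(citynet\.botosani\.ro|kodunet\.webs\.ee|gorzow\.pl|mail\.cheshirecareercenter\.org|fh-potsdam\.de|chanceforloans\.com|ns1\.noyearlyfees\.com|volia\.net|kaist\.ac\.kr|mail\.my-promotions\.com|cpe\.cableonda\.net|styx\.aic\.net|smtp\.pacenet-india\.com|portal\.thehottubpeople\.co\.uk|geringer\.hod\.ar\.wroc\.pl)} [BAD_DOMAIN looks like a spammer or compromised domain]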