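#!/bin/sh
###########################
## Creates Spamassassin rules based on SpamCop's posted top Class A (CIDR/8)
## and Class C (CIDR/24) blocks by reported spam volume.
## Usage: sa-sc-neighbors [FILE]
## FILE is the output file, defaults to /etc/spamassassin/sc-neighbors.cf
##
## Run this from /etc/cron.daily (or root's crontab) for optimal usage.
##
## sa-sc-neighbors 0.2 (c) 2009 Adam Katz, AGPL v3+
###########################
#### This program is free software: you can redistribute it and/or modify
#### it under the terms of the GNU Affero General Public License as
#### published by the Free Software Foundation, either version 3 of the
#### License, or (at your option) any later version.
####
#### This program is distributed in the hope that it will be useful,
#### but WITHOUT ANY WARRANTY; without even the implied warranty of
#### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#### GNU Affero General Public License at <http://www.gnu.org/licenses/>.
###########################
#
# Trust boundary: both feeds are fetched over plain HTTP, so nothing in the
# response is authenticated, and this script normally runs as root from cron.
# Everything taken from the feed is pasted into regular expressions inside a
# SpamAssassin .cf file, which SpamAssassin loads as trusted configuration.
# For that reason only tokens made purely of decimal octets are accepted
# below; anything else is dropped before it can reach the rule file.
# NOTE(review): if the endpoint is reachable over HTTPS, switch the two URLs.

set -u   # an unset variable is a bug here, not an empty string
set -f   # feed tokens are word-split on purpose; never let them glob

class_a_offenders='http://spamcop.net/w3m?action=map;net=0;sort=spamcnt;format=text'
class_c_offenders='http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text'
output="${1:-/etc/spamassassin/sc-neighbors.cf}"

# Any option-like argument (e.g. --help) prints the "## " header lines above
# with the prefix stripped. A lone "-" is not treated as an option.
case "${1-}" in
  -?*)
    self=$(command -v "$0" 2>/dev/null) || self=$0
    sed -e '/^## /!d' -e 's///' "$self"
    exit 1
    ;;
esac

if ! touch "$output"; then
  echo "Cannot write to '$output', using standard output instead..." >&2
  output=/dev/stdout
fi

date=$(date +"%D %T (%Z)")
tab=$(printf '\t')   # literal tab, so the sed pattern does not rely on \t support

# get_blocks URL NUMBER -> list of IPs (with no CIDR)
# Keeps only lines of the form "<address>/<prefix-length><TAB>...", strips the
# "/<prefix-length><TAB>..." tail and prints at most NUMBER (default 12) of
# them. A failed download simply yields no output; callers must check for that.
get_blocks() {
  wget -q -O - "$1" 2>/dev/null \
    | sed -e "/\/[0-3]*[0-9]${tab}.*/!d" -e 's///g' \
    | head -n "${2:-12}"
}

# is_octet STRING -> success if STRING is 1-3 decimal digits with value <= 255
is_octet() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 3 ] && [ "$1" -le 255 ]
}

# is_prefix24 STRING -> success if STRING is exactly three dot-separated octets
is_prefix24() {
  case "$1" in
    *.*.*.*) return 1 ;;
    *.*.*) ;;
    *) return 1 ;;
  esac
  _p24_rest=${1#*.}
  is_octet "${1%%.*}" \
    && is_octet "${_p24_rest%%.*}" \
    && is_octet "${_p24_rest#*.}"
}

IP='\.[012]?[0-9]{1,2}'

# class A (a.*.*.* or CIDR a.0.0.0/8)
a4='' a8='' block=1
for a in $(get_blocks "$class_a_offenders" 8); do
  a=${a%.0.0.0}
  is_octet "$a" || continue   # reject anything that is not a bare first octet
  [ "$block" -le 4 ] && a4="${a4:+$a4|}$a"
  a8="${a8:+$a8|}$a"
  block=$((block + 1))
done

# class C (a.b.c.* or CIDR a.b.c.0/24)
c6='' c12='' block=1
for c in $(get_blocks "$class_c_offenders" 12); do
  c=${c%.0}
  is_prefix24 "$c" || continue   # reject anything that is not a.b.c
  c=$(printf '%s\n' "$c" | sed 's/\./\\./g')   # escape dots for the regex
  [ "$block" -le 6 ] && c6="${c6:+$c6|}$c"
  c12="${c12:+$c12|}$c"
  block=$((block + 1))
done

# An empty alternation "(?:)" matches every dotted quad, so a failed or
# tampered download must never be turned into rules. Bail out before the
# existing rule file is truncated.
if [ -z "$a8" ] || [ -z "$c12" ]; then
  echo "sa-sc-neighbors: no valid blocks retrieved, not writing rules to '$output'" >&2
  exit 1
fi

cat <<EOF >"$output"
## khop-sc-neighbors.cf v $(date +%Y%m%d%H)
##
## Spamassassin rules written by Adam Katz
## http://khopesh.com/Anti-spam (with rules for sa-update)
## khopesh on irc://irc.freenode.net/#spamassassin
##
## These rules are Copyright 2001-2009 by Adam Katz
## Licensed under the Creative Commons Non-Commercial Share-alike License 2.0.
## The code that generated this output is GNU Affero General Public License v3.
## The author is receptive to relicensing requests for this and its generator.

# SC_A (for CIDR8) updated $date from
# $class_a_offenders
header __KHOP_SC_A Received =~ /\\b(?:$a8)(?:$IP){3}\\b/
header __KHOP_SC_A_TOP Received =~ /\\b(?:$a4)(?:$IP){3}\\b/

# SC_C (for CIDR24) updated $date from
# $class_c_offenders
header __KHOP_SC_C Received =~ /\\b(?:$c12)$IP\\b/
header __KHOP_SC_C_TOP Received =~ /\\b(?:$c6)$IP\\b/

meta KHOP_SC_CIDR8 ( !RCVD_IN_BL_SPAMCOP_NET && __KHOP_SC_A )
describe KHOP_SC_CIDR8 Spammy IP/8 block, http://spamcop.net/w3m?action=map
score KHOP_SC_CIDR8 0.2 0.1 0.2 0.2

meta KHOP_SC_TOP_CIDR8 ( !RCVD_IN_BL_SPAMCOP_NET && __KHOP_SC_A_TOP )
describe KHOP_SC_TOP_CIDR8 Spammy IP/8 block (top offending /8 CIDRs)
score KHOP_SC_TOP_CIDR8 0.3 0.2 0.4 0.6

meta KHOP_SC_CIDR24 ( !RCVD_IN_BL_SPAMCOP_NET && __KHOP_SC_C )
describe KHOP_SC_CIDR24 Spammy IP/24 block, http://spamcop.net/w3m?action=map
score KHOP_SC_CIDR24 0.3 0.2 0.3 0.4

meta KHOP_SC_TOP_CIDR24 ( !RCVD_IN_BL_SPAMCOP_NET && __KHOP_SC_C_TOP )
describe KHOP_SC_TOP_CIDR24 Spammy IP/24 block (top offending /24 CIDRs)
score KHOP_SC_TOP_CIDR24 0.5 0.5 0.5 0.6
EOF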