Warren Togami wrote:
> # 2005/07/29, http://www.apnic.net/db/ranges.html
> header RCVD_VIA_APNIC Received =~ /[^0-9.](?:5[89]|6[01]|12[456]|20[23]|21[0189]|22[012])(?:\.[012]?[0-9]{1,2}){3}(?:\]|\)| )/
> describe RCVD_VIA_APNIC Received through a relay in Asia/Pacific Network
>
> Adam Katz had this rule in one of his channels. While it is wholly
> unsafe to be used alone, it could be useful in masscheck statistics
> and possibly if used in meta booleans in combination with other
> rules.
>
> Unfortunately, in testing the above rule on my own corpus I see it
> is missing some obvious Asian addresses. This page reveals that the
> regex is out of date. Does there exist a good automated way to
> convert many CIDR ranges to a single regex?

Hm. I didn't know that APNIC's space was updated that often. I'll adjust my rule.

Also, though I didn't say anything when you approached me in IRC (we're on vastly different schedules), I did make some changes to the rule so as to make it safer, including checking against trusted networks and DNS whitelists and scoring it at 0.001.

__RCVD_VIA_APNIC will soon be updated to a monster constructed from a hand-tweaked copy of the table at http://www.apnic.net/db/ranges.html and fed into Regexp::Assemble (post-tweaked perl code is attached). The attached apnic.cf.txt file (named so as to better appear in your mail reader) is a sample of the pending latest revision in khop-bl.

As to its "missing some obvious Asian addresses" ... I believe that is because many Asian addresses are outside the jurisdiction of APNIC, for example, I believe Japan has three /8 networks (43, 126, and 133) independent of APNIC ... and that's just by eying the XKCD map of the IPv4 space!

# 2009/10/02 from http://www.apnic.net/db/ranges.html meta bits added 20090930
header   __RCVD_VIA_APNIC  Received =~ /(?-xism:[^0-9.](?:2(?:0(?:2\.(?:1(?:2(?:3\.(?:0?(?:[4-9][0-9]|3[2-9])|[12][0-9]{2})\.[012]?[0-9]{1,2}|[0-24-9](?:\.[012]?[0-9]{1,2}){2})|[013-9][0-9](?:\.[012]?[0-9]{1,2}){2})|[02]?[0-9]{1,2}(?:\.[012]?[0-9]{1,2}){2})|3(?:\.[012]?[0-9]{1,2}){3})|(?:1[0189]|2[012])(?:\.[012]?[0-9]{1,2}){3})|1(?:(?:2[0123456]|8[023]|1\d|75)(?:\.[012]?[0-9]{1,2}){3}|69\.2(?:1[0-9]|2[0-3]|0[89])(?:\.[012]?[0-9]{1,2}){2})|(?:5[89]|6[01])(?:\.[012]?[0-9]{1,2}){3})(?:[\]\)\s]))/
meta     RCVD_VIA_APNIC    __RCVD_VIA_APNIC && !__KHOP_DNSWLD && !ALL_TRUSTED
describe RCVD_VIA_APNIC    Received through a relay in Asia/Pacific Network
tflags   RCVD_VIA_APNIC    noautolearn
#score   RCVD_VIA_APNIC    0.4 0.2 0.7 0.5 # lowered for autolearn BLs
score    RCVD_VIA_APNIC    0.001 # 20090930: not suitable for blanket publication

meta     __KHOP_DNSWLD     RCVD_IN_DNSWL_LOW || RCVD_IN_DNSWL_MED || RCVD_IN_DNSWL_HI || RCVD_IN_JMF_W || RCVD_IN_BSP_TRUSTED || RCVD_IN_IADB_DOPTIN || RCVD_IN_IADB_ML_DOPTIN || RCVD_IN_IADB_VOUCHED || RCVD_IN_SSC_TRUSTED_COI

#!/usr/bin/perl -w
use Regexp::Assemble;

my $ra = Regexp::Assemble->new;

my $start = '[^0-9.]';          # the IP must not be preceded by a digit or dot
my $end = '(?:[\]\)\s])';       # ...and must be followed by ], ) or whitespace
my $cidr8tail = '(?:\.[012]?[0-9]{1,2}){3}' . $end;   # any three further octets

# whole /8 networks
$ra->add($start . '58' . $cidr8tail);
$ra->add($start . '59' . $cidr8tail);
$ra->add($start . '60' . $cidr8tail);
$ra->add($start . '61' . $cidr8tail);
$ra->add($start . '110' . $cidr8tail);
$ra->add($start . '111' . $cidr8tail);
$ra->add($start . '112' . $cidr8tail);
$ra->add($start . '113' . $cidr8tail);
$ra->add($start . '114' . $cidr8tail);
$ra->add($start . '115' . $cidr8tail);
$ra->add($start . '116' . $cidr8tail);
$ra->add($start . '117' . $cidr8tail);
$ra->add($start . '118' . $cidr8tail);
$ra->add($start . '119' . $cidr8tail);
$ra->add($start . '120' . $cidr8tail);
$ra->add($start . '121' . $cidr8tail);
$ra->add($start . '122' . $cidr8tail);
$ra->add($start . '123' . $cidr8tail);
$ra->add($start . '124' . $cidr8tail);
$ra->add($start . '125' . $cidr8tail);
$ra->add($start . '126' . $cidr8tail);

# 169.208 through 169.223
$ra->add($start . '169\.20[89](?:\.[012]?[0-9]{1,2}){2}' . $end);
$ra->add($start . '169\.21[0-9](?:\.[012]?[0-9]{1,2}){2}' . $end);
$ra->add($start . '169\.22[0-3](?:\.[012]?[0-9]{1,2}){2}' . $end);

$ra->add($start . '175' . $cidr8tail);
$ra->add($start . '180' . $cidr8tail);
$ra->add($start . '182' . $cidr8tail);
$ra->add($start . '183' . $cidr8tail);

# 202/8 except 202.123.0 through 202.123.31
$ra->add($start . '202\.[02]?[0-9]{1,2}(?:\.[012]?[0-9]{1,2}){2}' . $end);   # 202.0-99, 202.200-255
$ra->add($start . '202\.12[0-24-9](?:\.[012]?[0-9]{1,2}){2}' . $end);        # 202.120-129 except 123
$ra->add($start . '202\.1[013-9][0-9](?:\.[012]?[0-9]{1,2}){2}' . $end);     # 202.100-119, 202.130-199
$ra->add($start . '202\.123\.[12][0-9]{2}\.[012]?[0-9]{1,2}' . $end);        # 202.123.100-255
$ra->add($start . '202\.123\.0?[4-9][0-9]\.[012]?[0-9]{1,2}' . $end);        # 202.123.40-99
$ra->add($start . '202\.123\.0?3[2-9]\.[012]?[0-9]{1,2}' . $end);            # 202.123.32-39

$ra->add($start . '203' . $cidr8tail);
$ra->add($start . '210' . $cidr8tail);
$ra->add($start . '211' . $cidr8tail);
$ra->add($start . '218' . $cidr8tail);
$ra->add($start . '219' . $cidr8tail);
$ra->add($start . '220' . $cidr8tail);
$ra->add($start . '221' . $cidr8tail);
$ra->add($start . '222' . $cidr8tail);

# emit the assembled pattern as a SpamAssassin header rule
print "header __RCVD_VIA_APNIC\tReceived =~ /" . $ra->re . "/\n";
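
Added example, not part of the original message or of khop-bl: one automated way to turn a list of CIDR ranges into a Received-header regex of the shape used above, written in Python rather than the Perl of the attachment. SAMPLE_CIDRS is a constructed sample mirroring a few ranges from the script, the function names are this example's own, and it assumes addresses appear without leading zeros.

```python
import ipaddress
import re

ANY_OCTET = r"[012]?[0-9]{1,2}"  # the "any octet" form used in the rule above

# Constructed sample: a few of the ranges the Perl script above lists by hand.
SAMPLE_CIDRS = ["58.0.0.0/7", "60.0.0.0/7", "169.208.0.0/12",
                "202.123.32.0/19", "202.123.64.0/18", "202.123.128.0/17"]

def octet_range(lo, hi):
    """Regex matching the decimal octets lo..hi (assumes no leading zeros)."""
    if lo == hi:
        return str(lo)
    if (lo, hi) == (0, 255):
        return ANY_OCTET
    tens = {}  # leading digits -> last digits present in the range
    for n in range(lo, hi + 1):
        tens.setdefault(n // 10, []).append(n % 10)
    alts = []
    for prefix, units in tens.items():
        cls = str(units[0]) if len(units) == 1 else f"[{units[0]}-{units[-1]}]"
        alts.append((str(prefix) if prefix else "") + cls)
    return "(?:" + "|".join(alts) + ")"

def cidr_to_regex(net):
    """Per-octet regex for one network: compare its first and last address."""
    first = net.network_address.packed
    last = net.broadcast_address.packed
    return r"\.".join(octet_range(a, b) for a, b in zip(first, last))

def build_rule_regex(cidrs):
    """Merge adjacent CIDRs, then wrap the alternatives in the rule's delimiters."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    body = "|".join(cidr_to_regex(n) for n in nets)
    # Same guards as the rule above: no digit or dot before, then ], ) or space.
    return r"[^0-9.](?:" + body + r")[\])\s]"

if __name__ == "__main__":
    print("header __RCVD_VIA_APNIC\tReceived =~ /"
          + build_rule_regex(SAMPLE_CIDRS) + "/")
```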