# SpamAssassin rules file: DNS blacklist tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################

require_version @@VERSION@@

# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().
#
# Reading guide for the rules below, as the eval functions are used in this
# file (the Conf manual page is authoritative):
#   check_rbl(set, zone[, value])   looks relay IPs up in 'zone'; the optional
#                                   third argument restricts the hit to one
#                                   reply value.
#   check_rbl_sub(set, value)       tests the reply already recorded for 'set'
#                                   against 'value'; presumably issues no
#                                   query of its own -- confirm.
#   check_rbl_txt(set, zone)        same lookup, using TXT queries.
#   check_rbl_from_host(set, zone)  domain-based lookup on the sender address
#                                   rather than on a relay IP.
#   tflags ... net                  the test needs network access.
#   tflags ... nice                 the test is meant to lower the score.
# Every zone is written with a trailing dot, i.e. as a fully qualified name,
# so resolver search-domain suffixes should not be appended to the query.
#
# NOTE(review): each rule here delegates part of the spam verdict to a
# third-party DNS zone, and the list dates from 2003 (see the "Apr 7 2003"
# remark below). Confirm that a zone is still operated by its original
# maintainer before relying on it: a retired or re-delegated zone can begin
# answering every query as "listed", which turns its rules into false
# positives for all mail.

# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# Well, at least Osirusoft and NJABL don't, it seems, as of Apr 7 2003.

# ---------------------------------------------------------------------------
# Osirusoft
# URL: http://relays.osirusoft.com/

# Parent lookup for the 'osirusoft' set; the *_sub rules below classify its
# reply by return value.
header RCVD_IN_OSIRU rbleval:check_rbl('osirusoft', 'relays.osirusoft.com.')
describe RCVD_IN_OSIRU OSIRU: Sent via relay in relays.osirusoft.com
tflags RCVD_IN_OSIRU net

header RCVD_IN_OSIRU_RELAY rbleval:check_rbl_sub('osirusoft', '127.0.0.2')
describe RCVD_IN_OSIRU_RELAY OSIRU: sender is Confirmed Open Relay
tflags RCVD_IN_OSIRU_RELAY net

# The dial-up test uses its own '-notfirsthop' set instead of check_rbl_sub.
# Presumably the suffix excludes the originating hop, since a dial-up user
# handing mail to the ISP's relay is legitimate -- confirm in the Conf manual.
header RCVD_IN_OSIRU_DIALUP rbleval:check_rbl('osirusoft-notfirsthop', 'relays.osirusoft.com.', '127.0.0.3')
describe RCVD_IN_OSIRU_DIALUP OSIRU: sender is dial-up IP address
tflags RCVD_IN_OSIRU_DIALUP net

header RCVD_IN_OSIRU_SPAM_SRC rbleval:check_rbl_sub('osirusoft', '127.0.0.4')
describe RCVD_IN_OSIRU_SPAM_SRC OSIRU: sender is Confirmed Spam Source
tflags RCVD_IN_OSIRU_SPAM_SRC net

header RCVD_IN_OSIRU_SPAMWARE rbleval:check_rbl_sub('osirusoft', '127.0.0.6')
describe RCVD_IN_OSIRU_SPAMWARE OSIRU: sender is Spamware site or vendor
tflags RCVD_IN_OSIRU_SPAMWARE net

header RCVD_IN_OSIRU_PROXY rbleval:check_rbl_sub('osirusoft', '127.0.0.9')
describe RCVD_IN_OSIRU_PROXY OSIRU: sender is open proxy server
tflags RCVD_IN_OSIRU_PROXY net

# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/

# Parent lookup for the 'njabl' set.
header RCVD_IN_NJABL rbleval:check_rbl('njabl', 'dnsbl.njabl.org.')
describe RCVD_IN_NJABL Received via a relay in dnsbl.njabl.org
tflags RCVD_IN_NJABL net

header RCVD_IN_NJABL_RELAY rbleval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net

# Separate '-notfirsthop' set, same pattern as RCVD_IN_OSIRU_DIALUP.
header RCVD_IN_NJABL_DIALUP rbleval:check_rbl('njabl-notfirsthop', 'dnsbl.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DIALUP NJABL: dialup sender did non-local SMTP
tflags RCVD_IN_NJABL_DIALUP net

header RCVD_IN_NJABL_SPAM rbleval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM net

header RCVD_IN_NJABL_MULTI rbleval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI net

header RCVD_IN_NJABL_CGI rbleval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI net

header RCVD_IN_NJABL_PROXY rbleval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY net

# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request

# Parent lookup for the 'sorbs' set; sub-tests below map reply values
# 127.0.0.2 through 127.0.0.9 to one listing reason each.
header RCVD_IN_SORBS rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags RCVD_IN_SORBS net

header RCVD_IN_SORBS_HTTP rbleval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net

header RCVD_IN_SORBS_MISC rbleval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net

header RCVD_IN_SORBS_SMTP rbleval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net

header RCVD_IN_SORBS_SOCKS rbleval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net

header RCVD_IN_SORBS_SPAM rbleval:check_rbl_sub('sorbs', '127.0.0.6')
describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
tflags RCVD_IN_SORBS_SPAM net

header RCVD_IN_SORBS_WEB rbleval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB net

header RCVD_IN_SORBS_BLOCK rbleval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net

header RCVD_IN_SORBS_ZOMBIE rbleval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net

# ---------------------------------------------------------------------------
# OPM (recommended, supports TXT queries, but A queries needed for sub-tests)
# transfers: axfr/ixfr for trusted sites
# url: http://opm.blitzed.org/
# pay-to-use: no
# delist: automatic expiry, no fee, retested on request (free)

# Parent lookup for the 'opm' set.
header RCVD_IN_OPM rbleval:check_rbl('opm', 'opm.blitzed.org.')
describe RCVD_IN_OPM Received via a relay in opm.blitzed.org
tflags RCVD_IN_OPM net

# Unlike the sets above, the OPM sub-test values are plain integers
# (1, 2, 4, 8, 16) rather than 127.0.0.x addresses. They look like bit flags,
# so one reply could satisfy several sub-tests -- confirm against the Conf
# manual.
header RCVD_IN_OPM_WINGATE rbleval:check_rbl_sub('opm', '1')
describe RCVD_IN_OPM_WINGATE OPM: sender is open WinGate proxy
tflags RCVD_IN_OPM_WINGATE net

header RCVD_IN_OPM_SOCKS rbleval:check_rbl_sub('opm', '2')
describe RCVD_IN_OPM_SOCKS OPM: sender is open SOCKS proxy
tflags RCVD_IN_OPM_SOCKS net

header RCVD_IN_OPM_HTTP rbleval:check_rbl_sub('opm', '4')
describe RCVD_IN_OPM_HTTP OPM: sender is open HTTP CONNECT proxy
tflags RCVD_IN_OPM_HTTP net

header RCVD_IN_OPM_ROUTER rbleval:check_rbl_sub('opm', '8')
describe RCVD_IN_OPM_ROUTER OPM: sender is open router proxy
tflags RCVD_IN_OPM_ROUTER net

header RCVD_IN_OPM_HTTP_POST rbleval:check_rbl_sub('opm', '16')
describe RCVD_IN_OPM_HTTP_POST OPM: sender is open HTTP POST proxy
tflags RCVD_IN_OPM_HTTP_POST net

# ---------------------------------------------------------------------------
# Now, single zone BLs follow:

# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
header RCVD_IN_SBL rbleval:check_rbl_txt('sbl', 'sbl.spamhaus.org.')
describe RCVD_IN_SBL Received via a relay in Spamhaus Block List
tflags RCVD_IN_SBL net

# DSBL catches open relays, badly-installed CGI scripts and open SOCKS and
# HTTP proxies. list.dsbl.org lists servers tested by "trusted" users,
# multihop.dsbl.org lists servers which open SMTP servers relay through,
# unconfirmed.dsbl.org lists servers tested by "untrusted" users.
# See http://dsbl.org/ for full details.
# transfers: yes - rsync and http, see http://dsbl.org/usage
# pay-to-use: no
# delist: automated/distributed
# Only list.dsbl.org (the "trusted" testers zone) is queried here.
header RCVD_IN_DSBL rbleval:check_rbl_txt('dsbl', 'list.dsbl.org.')
describe RCVD_IN_DSBL Received via a relay in list.dsbl.org
tflags RCVD_IN_DSBL net

# Other miscellaneous RBLs are listed here:
header RCVD_IN_RFCI rbleval:check_rbl_txt('rfci', 'ipwhois.rfc-ignorant.org.')
describe RCVD_IN_RFCI Sent via a relay in ipwhois.rfc-ignorant.org
tflags RCVD_IN_RFCI net

# DSN is a domain-based blacklist
header DNS_FROM_RFCI_DSN rbleval:check_rbl_from_host('rfci-dsn', 'dsn.rfc-ignorant.org.')
describe DNS_FROM_RFCI_DSN From: sender listed in dsn.rfc-ignorant.org
tflags DNS_FROM_RFCI_DSN net

# sa-hil.habeas.com for SpamAssassin queries
# hil.habeas.com for everything else
# NOTE(review): check_rbl_swe is not explained on this page; per the describe
# text the rule also depends on the Habeas warrant mark being present.
header HABEAS_VIOLATOR rbleval:check_rbl_swe('hil', 'sa-hil.habeas.com.')
describe HABEAS_VIOLATOR Has Habeas warrant mark and on Infringer List
tflags HABEAS_VIOLATOR net

# bondedsender.org provides an RBL-style whitelist for trusted relays
# (the leading "__" presumably marks a helper rule used only by the meta rule
# below; it has no describe line here)
header __BONDEDSENDER rbleval:check_rbl_txt('bondedsender', 'sa.bondedsender.org.')
tflags __BONDEDSENDER net nice

# the query type and zone should be the same as __BONDEDSENDER to avoid
# duplicate DNS queries
# (the '-lastuntrusted' set suffix presumably limits the check to the relay
# that handed the message to a trusted host -- confirm in the Conf manual)
header RCVD_IN_BSP_TRUSTED rbleval:check_rbl_txt('bondedsender-lastuntrusted', 'sa.bondedsender.org.')
describe RCVD_IN_BSP_TRUSTED Sender is in Bonded Sender Program (trusted relay)
tflags RCVD_IN_BSP_TRUSTED net nice

# this uses untrusted headers; helps find BSP forgeries, can be used
# to identify additional trusted relays that should be listed, etc.
# NOTE(review): this rule is flagged 'nice' yet fires on Received headers the
# sender controls. Its score is set outside this file; verify that it grants
# no whitelist credit, otherwise a forged header naming a listed relay would
# lower the spam score.
meta RCVD_IN_BSP_OTHER (__BONDEDSENDER && !RCVD_IN_BSP_TRUSTED)
describe RCVD_IN_BSP_OTHER Sender is in Bonded Sender Program (other relay)
tflags RCVD_IN_BSP_OTHER net nice

# SenderBase provides information about senders
# sa.senderbase.org for SpamAssassin queries
# test.senderbase.org for everything else (until SenderBase is in production)
#header __SENDERBASE rbleval:check_rbl_txt('senderbase', 'sa.senderbase.org.')
#tflags __SENDERBASE net

# DynaBlocker: block SMTP connections from dynamic dial-up IP ranges.
# URL: http://basic.wirehub.nl/dynablocker.html
header RCVD_IN_DYNABLOCK rbleval:check_rbl_txt('dynablock-notfirsthop', 'dynablock.easynet.nl.')
describe RCVD_IN_DYNABLOCK Sent directly from dynamic IP address
tflags RCVD_IN_DYNABLOCK net

# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details

header RCVD_IN_BL_SPAMCOP_NET rbleval:check_rbl_txt('spamcop', 'bl.spamcop.net.')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net

# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details

# Four separate zones, one rule each; the dial-up (DUL) rule again uses a
# '-notfirsthop' set.
header RCVD_IN_MAPS_RBL rbleval:check_rbl('rbl', 'blackholes.mail-abuse.org.')
describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/
tflags RCVD_IN_MAPS_RBL net

header RCVD_IN_MAPS_DUL rbleval:check_rbl('dialup-notfirsthop', 'dialups.mail-abuse.org.')
describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/
tflags RCVD_IN_MAPS_DUL net

header RCVD_IN_MAPS_RSS rbleval:check_rbl('rss', 'relays.mail-abuse.org.')
describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/
tflags RCVD_IN_MAPS_RSS net

header RCVD_IN_MAPS_NML rbleval:check_rbl('nml', 'nonconfirm.mail-abuse.org.')
describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/
tflags RCVD_IN_MAPS_NML net

# if you're subscribed to RBL+, then comment out the above rules (just the
# "header" lines, not the "describe" or "tflags" lines) and uncomment the
# below lines
# (the RBL+ variant queries a single combined zone and separates the lists by
# integer sub-test values 1, 2, 4, 8; it has no RCVD_IN_MAPS_NML header, and
# it adds RCVD_IN_MAPS_OPS with its own describe and tflags lines)
#header RCVD_IN_MAPS_RBL rbleval:check_rbl('rblplus', 'rbl-plus.mail-abuse.org.', '1')
#header RCVD_IN_MAPS_DUL rbleval:check_rbl('rblplus-notfirsthop', 'rbl-plus.mail-abuse.org.', '2')
#header RCVD_IN_MAPS_RSS rbleval:check_rbl_sub('rblplus', '4')
#header RCVD_IN_MAPS_OPS rbleval:check_rbl_sub('rblplus', '8')
#describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.org/ops/
#tflags RCVD_IN_MAPS_OPS net