# SpamAssassin rules file: DNS blacklist tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### require_version @@VERSION@@ ########################################################################### ifplugin Mail::SpamAssassin::Plugin::DNSEval # See the Mail::SpamAssassin::Conf manual page for details of how to use # check_rbl(). # --------------------------------------------------------------------------- # Multizone / Multi meaning BLs first. # # Note that currently TXT queries cannot be used for these, since the # DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply. # Well, at least NJABL doesn't, it seems, as of Apr 7 2003. # --------------------------------------------------------------------------- # NJABL # URL: http://www.dnsbl.njabl.org/ header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.') describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org tflags __RCVD_IN_NJABL net header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2') describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay tflags RCVD_IN_NJABL_RELAY net #reuse RCVD_IN_NJABL_RELAY header RCVD_IN_NJABL_DUL eval:check_rbl('njabl-notfirsthop', 'combined.njabl.org.', '127.0.0.3') describe RCVD_IN_NJABL_DUL NJABL: dialup sender did non-local SMTP tflags RCVD_IN_NJABL_DUL net #reuse RCVD_IN_NJABL_DUL header RCVD_IN_NJABL_SPAM eval:check_rbl_sub('njabl', '127.0.0.4') describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source tflags RCVD_IN_NJABL_SPAM net #reuse RCVD_IN_NJABL_SPAM header RCVD_IN_NJABL_MULTI eval:check_rbl_sub('njabl', '127.0.0.5') describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay tflags RCVD_IN_NJABL_MULTI net #reuse RCVD_IN_NJABL_MULTI header RCVD_IN_NJABL_CGI eval:check_rbl_sub('njabl', '127.0.0.8') describe RCVD_IN_NJABL_CGI NJABL: sender is an open formmail tflags RCVD_IN_NJABL_CGI net #reuse RCVD_IN_NJABL_CGI header RCVD_IN_NJABL_PROXY eval:check_rbl_sub('njabl', '127.0.0.9') describe RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy tflags RCVD_IN_NJABL_PROXY net #reuse RCVD_IN_NJABL_PROXY # --------------------------------------------------------------------------- # SORBS # transfers: both axfr and ixfr available # URL: http://www.dnsbl.sorbs.net/ # pay-to-use: no # delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.') describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS tflags __RCVD_IN_SORBS net header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2') describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server tflags RCVD_IN_SORBS_HTTP net #reuse RCVD_IN_SORBS_HTTP header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3') describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server tflags RCVD_IN_SORBS_SOCKS net #reuse RCVD_IN_SORBS_SOCKS header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4') describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server tflags RCVD_IN_SORBS_MISC net #reuse RCVD_IN_SORBS_MISC header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5') describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay tflags RCVD_IN_SORBS_SMTP net #reuse RCVD_IN_SORBS_SMTP # delist: $50 fee #header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6') #describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source #tflags RCVD_IN_SORBS_SPAM net #reuse RCVD_IN_SORBS_SPAM header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7') describe RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server tflags RCVD_IN_SORBS_WEB net #reuse RCVD_IN_SORBS_WEB header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8') describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested tflags RCVD_IN_SORBS_BLOCK net #reuse RCVD_IN_SORBS_BLOCK header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9') describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network tflags RCVD_IN_SORBS_ZOMBIE net #reuse RCVD_IN_SORBS_ZOMBIE header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10') describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address tflags RCVD_IN_SORBS_DUL net #reuse RCVD_IN_SORBS_DUL # --------------------------------------------------------------------------- # Spamhaus SBL+XBL # # Spamhaus XBL contains both the Abuseat CBL (cbl.abuseat.org) and Blitzed # OPM (opm.blitzed.org) lists so it's not necessary to query those as well. # TODO: replace with ZEN from rulesrc/sandbox/jm/20_zen.cf. For now, # allow both to run for 1 weekend to verify sanity of results... header __RCVD_IN_SBL_XBL eval:check_rbl('sblxbl', 'sbl-xbl.spamhaus.org.') describe __RCVD_IN_SBL_XBL Received via a relay in Spamhaus SBL+XBL tflags __RCVD_IN_SBL_XBL net # SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/ header RCVD_IN_SBL eval:check_rbl_sub('sblxbl', '127.0.0.2') describe RCVD_IN_SBL Received via a relay in Spamhaus SBL tflags RCVD_IN_SBL net #reuse RCVD_IN_SBL # XBL is the Exploits Block List: http://www.spamhaus.org/xbl/ header RCVD_IN_XBL eval:check_rbl('sblxbl-notfirsthop', 'sbl-xbl.spamhaus.org.', '127.0.0.[456]') describe RCVD_IN_XBL Received via a relay in Spamhaus XBL tflags RCVD_IN_XBL net #reuse RCVD_IN_XBL # --------------------------------------------------------------------------- # RFC-Ignorant blacklists (both name and IP based) header __RFC_IGNORANT_ENVFROM eval:check_rbl_envfrom('rfci_envfrom', 'fulldom.rfc-ignorant.org.') tflags __RFC_IGNORANT_ENVFROM net header DNS_FROM_RFC_DSN eval:check_rbl_sub('rfci_envfrom', '127.0.0.2') describe DNS_FROM_RFC_DSN Envelope sender in dsn.rfc-ignorant.org tflags DNS_FROM_RFC_DSN net #reuse DNS_FROM_RFC_DSN header DNS_FROM_RFC_BOGUSMX eval:check_rbl_sub('rfci_envfrom', '127.0.0.8') describe DNS_FROM_RFC_BOGUSMX Envelope sender in bogusmx.rfc-ignorant.org tflags DNS_FROM_RFC_BOGUSMX net #reuse DNS_FROM_RFC_BOGUSMX # bug 4628: these rules are too unreliable to assign scores to header __DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3') tflags __DNS_FROM_RFC_POST net #reuse __DNS_FROM_RFC_POST DNS_FROM_RFC_POST header __DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4') tflags __DNS_FROM_RFC_ABUSE net #reuse __DNS_FROM_RFC_ABUSE DNS_FROM_RFC_ABUSE header __DNS_FROM_RFC_WHOIS eval:check_rbl_sub('rfci_envfrom', '127.0.0.5') tflags __DNS_FROM_RFC_WHOIS net #reuse __DNS_FROM_RFC_WHOIS DNS_FROM_RFC_WHOIS # --------------------------------------------------------------------------- # CompleteWhois blacklists header __RCVD_IN_WHOIS eval:check_rbl('whois', 'combined-HIB.dnsiplists.completewhois.com.') tflags __RCVD_IN_WHOIS net header RCVD_IN_WHOIS_BOGONS eval:check_rbl_sub('whois', '127.0.0.2') describe RCVD_IN_WHOIS_BOGONS CompleteWhois: sender on bogons IP block tflags RCVD_IN_WHOIS_BOGONS net header RCVD_IN_WHOIS_HIJACKED eval:check_rbl_sub('whois', '127.0.0.3') describe RCVD_IN_WHOIS_HIJACKED CompleteWhois: sender on hijacked IP block tflags RCVD_IN_WHOIS_HIJACKED net header RCVD_IN_WHOIS_INVALID eval:check_rbl('whois-notfirsthop', 'combined-HIB.dnsiplists.completewhois.com.', '127.0.0.4') describe RCVD_IN_WHOIS_INVALID CompleteWhois: sender on invalid IP block tflags RCVD_IN_WHOIS_INVALID net #reuse RCVD_IN_WHOIS_INVALID RCVD_IN_RFC_IPWHOIS # --------------------------------------------------------------------------- # Now, single zone BLs follow: # DSBL catches open relays, badly-installed CGI scripts and open SOCKS and # HTTP proxies. list.dsbl.org lists servers tested by "trusted" users, # multihop.dsbl.org lists servers which open SMTP servers relay through, # unconfirmed.dsbl.org lists servers tested by "untrusted" users. # See http://dsbl.org/ for full details. # transfers: yes - rsync and http, see http://dsbl.org/usage # pay-to-use: no # delist: automated/distributed header RCVD_IN_DSBL eval:check_rbl_txt('dsbl-notfirsthop', 'list.dsbl.org.', '(?i:dsbl)') describe RCVD_IN_DSBL Received via a relay in list.dsbl.org tflags RCVD_IN_DSBL net #reuse RCVD_IN_DSBL ######################################################################## # another domain-based blacklist header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.') describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org tflags DNS_FROM_AHBL_RHSBL net #reuse DNS_FROM_AHBL_RHSBL # another domain-based blacklist header DNS_FROM_SECURITYSAGE eval:check_rbl_envfrom('securitysage', 'blackhole.securitysage.com.') describe DNS_FROM_SECURITYSAGE Envelope sender in blackholes.securitysage.com tflags DNS_FROM_SECURITYSAGE net #reuse DNS_FROM_SECURITYSAGE # --------------------------------------------------------------------------- # NOTE: donation tests, see README file for details header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)') describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net tflags RCVD_IN_BL_SPAMCOP_NET net #reuse RCVD_IN_BL_SPAMCOP_NET # --------------------------------------------------------------------------- # NOTE: commercial tests, see README file for details header RCVD_IN_MAPS_RBL eval:check_rbl('rbl', 'blackholes.mail-abuse.org.') describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/ tflags RCVD_IN_MAPS_RBL net header RCVD_IN_MAPS_DUL eval:check_rbl('dialup-notfirsthop', 'dialups.mail-abuse.org.') describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/ tflags RCVD_IN_MAPS_DUL net header RCVD_IN_MAPS_RSS eval:check_rbl('rss', 'relays.mail-abuse.org.') describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/ tflags RCVD_IN_MAPS_RSS net header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.org.') describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/ tflags RCVD_IN_MAPS_NML net # if you're subscribed to RBL+, then comment out the above rules (just the # "header" lines, not the "describe" or "tflags" lines) and uncomment the # below lines #header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'rbl-plus.mail-abuse.org.', '1') #header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-notfirsthop', 'rbl-plus.mail-abuse.org.', '2') #header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4') #header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8') #describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.org/ops/ #tflags RCVD_IN_MAPS_OPS net # --------------------------------------------------------------------------- # Section for DNS WL related lookups below: header RCVD_IN_BSP_TRUSTED eval:check_rbl_txt('bsp-firsttrusted', 'sa-trusted.bondedsender.org.', '(?i:bonded)') describe RCVD_IN_BSP_TRUSTED Sender is in Bonded Sender Program (trusted relay) tflags RCVD_IN_BSP_TRUSTED net nice #reuse RCVD_IN_BSP_TRUSTED header RCVD_IN_BSP_OTHER eval:check_rbl_txt('bsp-untrusted', 'sa-other.bondedsender.org.', '(?i:bonded)') describe RCVD_IN_BSP_OTHER Sender is in Bonded Sender Program (other relay) tflags RCVD_IN_BSP_OTHER net nice #reuse RCVD_IN_BSP_OTHER # --------------------------------------------------------------------------- # IADB support ... header __RCVD_IN_IADB eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.') tflags __RCVD_IN_IADB net nice header RCVD_IN_IADB_VOUCHED eval:check_rbl_sub('iadb-firsttrusted', '^127.0.1.255$') describe RCVD_IN_IADB_VOUCHED ISIPP IADB lists as vouched-for sender tflags RCVD_IN_IADB_VOUCHED net nice # --------------------------------------------------------------------------- # Habeas Accredited Senders # Last octet of the returned A record indicates the Habeas-assigned # "Permission Level" of the Sender. # 10 to 39 Personal, transactional, and Confirmed Opt In # 40 to 59 Secure referrals and Single Opt In # 60 to 99 Checked but not accredited by Habeas. # # sa-accredit.habeas.com is for SpamAssassin use. # header HABEAS_ACCREDITED_COI eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[123]\d') describe HABEAS_ACCREDITED_COI Habeas Accredited Confirmed Opt-In or Better tflags HABEAS_ACCREDITED_COI net nice header HABEAS_ACCREDITED_SOI eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[45]\d') describe HABEAS_ACCREDITED_SOI Habeas Accredited Opt-In or Better tflags HABEAS_ACCREDITED_SOI net nice header HABEAS_CHECKED eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[6789]\d') describe HABEAS_CHECKED Habeas Checked tflags HABEAS_CHECKED net nice # Habeas Accredited Senders, with check for "Accreditor Assertion" # Same Habeas whitelist checks as above, but performed only if the Sender # has specified Habeas as their accreditor in either the EnvelopeFrom or # "Accreditor" header field. This reduces the DNS overhead, but will # miss senders who are unable to add custom header fields. # # header HABEAS_ACCREDITED_COI eval:check_rbl_accreditor('accredit-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[123]\d', 'habeas') # describe HABEAS_ACCREDITED_COI Habeas Accredited Confirmed Opt-In or Better # tflags HABEAS_ACCREDITED_COI net nice # # header HABEAS_ACCREDITED_SOI eval:check_rbl_accreditor('accredit-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[45]\d', 'habeas') # describe HABEAS_ACCREDITED_SOI Habeas Accredited Opt-In or Better # tflags HABEAS_ACCREDITED_SOI net nice # # header HABEAS_CHECKED eval:check_rbl_accreditor('accredit-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[6789]\d', 'habeas') # describe HABEAS_CHECKED Habeas Checked # tflags HABEAS_CHECKED net nice endif