~ubuntu-branches/ubuntu/lucid/spamassassin/lucid-updates

# SpamAssassin rules file: DNS blacklist tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

# Ties this rules file to one SpamAssassin release. @@VERSION@@ is a template
# placeholder, presumably substituted when the package is built.
require_version @@VERSION@@

###########################################################################

# Everything up to the matching "endif" at the end of the file is parsed only
# when the DNSEval plugin is loaded. The check_rbl*() eval functions used by
# every rule below are expected to come from that plugin.
ifplugin Mail::SpamAssassin::Plugin::DNSEval

# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().

# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# Well, at least NJABL doesn't, it seems, as of Apr 7 2003.

# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/

# Base lookup for the 'njabl' set against the combined zone. The leading "__"
# marks a sub-rule with no score of its own; the check_rbl_sub() rules below
# decode the returned 127.0.0.x value into individually scored rules.
# "tflags net" marks a network test; "reuse" lets mass-check reuse a
# previously recorded hit rather than repeat the DNS query.
# NOTE(review): this base lookup has no sub-test, so it hits on any answer from
# the zone. Confirm combined.njabl.org is still operated before relying on it:
# a retired or wildcarded DNSBL zone can report every relay as listed (compare
# the AHBL rule disabled further down in this file).
header __RCVD_IN_NJABL          eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL        Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL          net
reuse  __RCVD_IN_NJABL

# 127.0.0.2: open relay. A dotted-quad sub-test is an exact match on the
# returned address (per Mail::SpamAssassin::Conf).
header RCVD_IN_NJABL_RELAY      eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY    NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY      net
reuse  RCVD_IN_NJABL_RELAY

# NJABL DUL: obsoleted by PBL (bug 5187)

# 127.0.0.4: spam source.
header RCVD_IN_NJABL_SPAM       eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM     NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM       net
reuse  RCVD_IN_NJABL_SPAM

# 127.0.0.5: multi-stage open relay.
header RCVD_IN_NJABL_MULTI      eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI    NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI      net
reuse  RCVD_IN_NJABL_MULTI

# 127.0.0.8: open formmail (CGI) script.
header RCVD_IN_NJABL_CGI        eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI      NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI        net
reuse  RCVD_IN_NJABL_CGI

# 127.0.0.9: open proxy.
header RCVD_IN_NJABL_PROXY      eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY    NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY      net
reuse  RCVD_IN_NJABL_PROXY

# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request

# Base lookup for the 'sorbs' set; unscored ("__" prefix). The sub-rules below
# map each 127.0.0.x return value of dnsbl.sorbs.net to its own rule.
# NOTE(review): no sub-test here, so any answer from the zone counts as a hit;
# confirm the zone is still served by its operator.
header __RCVD_IN_SORBS          eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS        SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS          net
reuse  __RCVD_IN_SORBS

# 127.0.0.2: open HTTP proxy.
header RCVD_IN_SORBS_HTTP       eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP     SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP       net
reuse  RCVD_IN_SORBS_HTTP

# 127.0.0.3: open SOCKS proxy.
header RCVD_IN_SORBS_SOCKS      eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS    SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS      net
reuse  RCVD_IN_SORBS_SOCKS

# 127.0.0.4: other open proxy.
header RCVD_IN_SORBS_MISC       eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC     SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC       net
reuse  RCVD_IN_SORBS_MISC

# 127.0.0.5: open SMTP relay.
header RCVD_IN_SORBS_SMTP       eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP     SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP       net
reuse  RCVD_IN_SORBS_SMTP

# 127.0.0.6 (spam source) is deliberately left disabled; the only reason given
# in this file is the delisting fee noted below.
# delist: $50 fee
#header RCVD_IN_SORBS_SPAM      eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM    SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM      net
#reuse  RCVD_IN_SORBS_SPAM      RCVD_IN_SORBS_SPAM

# 127.0.0.7: abusable web server.
header RCVD_IN_SORBS_WEB        eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB      SORBS: sender is an abusable web server
tflags RCVD_IN_SORBS_WEB        net
reuse  RCVD_IN_SORBS_WEB

# 127.0.0.8: host that asked not to be tested.
header RCVD_IN_SORBS_BLOCK      eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK    SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK      net
reuse  RCVD_IN_SORBS_BLOCK

# 127.0.0.9: hijacked network.
header RCVD_IN_SORBS_ZOMBIE     eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE   SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE     net
reuse  RCVD_IN_SORBS_ZOMBIE

# 127.0.0.10: dynamic address space. This is a separate check_rbl() set with
# the "-lastexternal" suffix, which per Mail::SpamAssassin::Conf restricts the
# lookup to the last external relay: a dynamic IP earlier in the Received chain
# is normal for a user submitting through their provider's mail server.
header RCVD_IN_SORBS_DUL        eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL      SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL        net
reuse  RCVD_IN_SORBS_DUL

# ---------------------------------------------------------------------------
# Spamhaus SBL+XBL, now called Zen
#
# Spamhaus XBL contains both the Abuseat CBL (cbl.abuseat.org) and Blitzed
# OPM (opm.blitzed.org) lists so it's not necessary to query those as well.

# Base lookup for the 'zen' set; unscored ("__" prefix).
# NOTE(review): with no sub-test this rule hits on any answer from the zone,
# including any non-listing status or error codes the operator may return.
# Check the operator's current return-code documentation before giving meaning
# to a bare __RCVD_IN_ZEN hit.
header __RCVD_IN_ZEN            eval:check_rbl('zen', 'zen.spamhaus.org.')
describe __RCVD_IN_ZEN          Received via a relay in Spamhaus Zen
tflags __RCVD_IN_ZEN            net
reuse  __RCVD_IN_ZEN

# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
# Exact match on 127.0.0.2, decoded from the 'zen' base lookup above.
header RCVD_IN_SBL              eval:check_rbl_sub('zen', '127.0.0.2')
describe RCVD_IN_SBL            Received via a relay in Spamhaus SBL
tflags RCVD_IN_SBL              net
reuse  RCVD_IN_SBL

# XBL is the Exploits Block List: http://www.spamhaus.org/xbl/
# Evaluated against the last external relay only ("-lastexternal" set).
# NOTE(review): the sub-test is a regular expression with unescaped dots and no
# ^...$ anchors, so it would presumably also match a longer last octet such as
# 127.0.0.40. Verify how DNSEval applies it; an anchored, escaped pattern is
# the stricter form.
header RCVD_IN_XBL              eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.[45678]')
describe RCVD_IN_XBL            Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL              net
reuse  RCVD_IN_XBL

# PBL is the Policy Block List: http://www.spamhaus.org/pbl/
# Matches 127.0.0.10 and 127.0.0.11 for the last external relay only.
# NOTE(review): same unanchored-regex caveat as RCVD_IN_XBL; as written the
# pattern would presumably also accept 127.0.0.100 through 127.0.0.119.
# The extra names on the "reuse" line are older rule names whose recorded hits
# are accepted as hits of this rule.
header RCVD_IN_PBL              eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')
describe RCVD_IN_PBL            Received via a relay in Spamhaus PBL
tflags RCVD_IN_PBL              net
reuse  RCVD_IN_PBL              RCVD_IN_PBL T_RCVD_IN_PBL_WITH_NJABL_DUL RCVD_IN_NJABL_DUL

# ---------------------------------------------------------------------------
# RFC-Ignorant blacklists (both name and IP based)

# Base lookup for the 'rfci_envfrom' set. check_rbl_envfrom() is a name-based
# lookup of the envelope sender's domain rather than a relay IP. The query goes
# to the combined "fulldom" zone; the sub-rules below pick out individual lists
# by return value.
# NOTE(review): confirm fulldom.rfc-ignorant.org is still operated; a retired
# zone that answers every query would make all of these rules fire.
header __RFC_IGNORANT_ENVFROM   eval:check_rbl_envfrom('rfci_envfrom', 'fulldom.rfc-ignorant.org.')
tflags __RFC_IGNORANT_ENVFROM   net

# 127.0.0.2: the "dsn" list. The describe text names the individual list even
# though the lookup itself uses the combined zone.
header DNS_FROM_RFC_DSN         eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
describe DNS_FROM_RFC_DSN       Envelope sender in dsn.rfc-ignorant.org
tflags DNS_FROM_RFC_DSN         net
reuse  DNS_FROM_RFC_DSN

# 127.0.0.8: the "bogusmx" list.
header DNS_FROM_RFC_BOGUSMX     eval:check_rbl_sub('rfci_envfrom', '127.0.0.8')
describe DNS_FROM_RFC_BOGUSMX   Envelope sender in bogusmx.rfc-ignorant.org
tflags DNS_FROM_RFC_BOGUSMX     net
reuse  DNS_FROM_RFC_BOGUSMX

# bug 4628: these rules are too unreliable to assign scores to
# They are therefore kept as unscored "__" sub-rules with no describe line. The
# second name on each "reuse" line is the former scored rule name, so recorded
# hits under the old name still count.
header __DNS_FROM_RFC_POST      eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
tflags __DNS_FROM_RFC_POST      net
reuse  __DNS_FROM_RFC_POST      DNS_FROM_RFC_POST

header __DNS_FROM_RFC_ABUSE     eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
tflags __DNS_FROM_RFC_ABUSE     net
reuse  __DNS_FROM_RFC_ABUSE     DNS_FROM_RFC_ABUSE

header __DNS_FROM_RFC_WHOIS     eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
tflags __DNS_FROM_RFC_WHOIS     net
reuse  __DNS_FROM_RFC_WHOIS     DNS_FROM_RFC_WHOIS

# ---------------------------------------------------------------------------
# Now, single zone BLs follow:

# another domain-based blacklist
# Disabled due to https://launchpad.net/bugs/1412830
#header DNS_FROM_AHBL_RHSBL      eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
#describe DNS_FROM_AHBL_RHSBL    Envelope sender listed in dnsbl.ahbl.org
#tflags DNS_FROM_AHBL_RHSBL      net
#reuse  DNS_FROM_AHBL_RHSBL

# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details

# check_rbl_txt() queries the TXT record instead of the A record and applies
# the third argument as a regular expression to the returned text. The rule
# hits only when the reply mentions "spamcop" (case-insensitive), so an
# unrelated TXT answer for the name does not count as a listing.
header RCVD_IN_BL_SPAMCOP_NET   eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET   net
reuse  RCVD_IN_BL_SPAMCOP_NET

# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details

# MAPS RBL+ rules. "activationcode" in the zone name looks like a placeholder
# for a subscriber-specific label (see the README referenced above); as written
# the lookups presumably return nothing useful until it is replaced. TODO
# confirm.
# The decimal sub-tests ('1', '2', '4', '8') are bitmasks on the returned
# address rather than exact matches (per Mail::SpamAssassin::Conf). Unlike the
# free lists above, these rules carry no "reuse" line.
header RCVD_IN_MAPS_RBL         eval:check_rbl('rblplus', 'activationcode.r.mail-abuse.com.', '1')
describe RCVD_IN_MAPS_RBL       Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
tflags RCVD_IN_MAPS_RBL         net

# DUL bit, checked against the last external relay only ("-lastexternal").
header RCVD_IN_MAPS_DUL         eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2')
describe RCVD_IN_MAPS_DUL       Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html
tflags RCVD_IN_MAPS_DUL         net

# RSS bit, decoded from the 'rblplus' lookup made by RCVD_IN_MAPS_RBL.
header RCVD_IN_MAPS_RSS         eval:check_rbl_sub('rblplus', '4')
describe RCVD_IN_MAPS_RSS       Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html
tflags RCVD_IN_MAPS_RSS         net

# OPS bit, decoded from the same 'rblplus' lookup.
header RCVD_IN_MAPS_OPS         eval:check_rbl_sub('rblplus', '8')
describe RCVD_IN_MAPS_OPS       Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html
tflags RCVD_IN_MAPS_OPS         net

# The NML isn't part of the RBL+ and I can't find any documentation for it - is it dead?
# NOTE(review): no sub-test, so any answer from this zone is a hit; confirm the
# zone is still operated before leaving this rule enabled.
header RCVD_IN_MAPS_NML         eval:check_rbl('nml', 'nonconfirm.mail-abuse.com.')
describe RCVD_IN_MAPS_NML       Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html
tflags RCVD_IN_MAPS_NML         net

# ---------------------------------------------------------------------------
# Section for DNS WL related lookups below.

# IADB support ...
# IADB is a whitelist: "tflags ... nice" marks rules meant to lower the spam
# score. The "-firsttrusted" set suffix restricts the lookup to the first
# trusted relay (per Mail::SpamAssassin::Conf), i.e. the address that
# connected to your own infrastructure rather than one taken from
# sender-supplied Received headers.
# NOTE(review): because a hit reduces the score, the result depends on
# trusted_networks / internal_networks being configured correctly; verify them.
header __RCVD_IN_IADB           eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.')
tflags __RCVD_IN_IADB           net nice

# Vouched-for senders return 127.0.1.255. The sub-test is an anchored regular
# expression, but its dots are unescaped and so match any character.
# NOTE(review): harmless for dotted-quad answers in practice, though an escaped
# pattern would be the exact form.
header RCVD_IN_IADB_VOUCHED     eval:check_rbl_sub('iadb-firsttrusted', '^127.0.1.255$')
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender
tflags RCVD_IN_IADB_VOUCHED     net nice

# Closes the "ifplugin Mail::SpamAssassin::Plugin::DNSEval" block opened near
# the top of the file.
endif