# SpamAssassin rules file: DNS blacklist and whitelist tests
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
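
###########################################################################

# Ties this file to the SpamAssassin release it ships with.  @@VERSION@@ is
# a placeholder, presumably filled in when the rules are built/installed.
require_version @@VERSION@@

###########################################################################

# Everything below uses eval tests provided by the DNSEval plugin, so it is
# wrapped in a conditional that is skipped when the plugin is not loaded.
# The conditional must be closed by an 'endif' after the last DNSEval rule.
#
# Operational caveat: these rules send relay IPs and sender domains to
# third-party DNS zones.  List operators commonly rate-limit or refuse
# queries that arrive through large shared resolvers, so run the tests
# through a local caching resolver, and re-check periodically that each
# list is still operated (a retired zone can time out or answer every query).
ifplugin Mail::SpamAssassin::Plugin::DNSEval

# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().

# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# Well, at least NJABL doesn't, it seems, as of Apr 7 2003.
#
# ---------------------------------------------------------------------------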
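
# URL: http://www.dnsbl.njabl.org/
#
# The lookup against the combined zone is registered under the set name
# 'njabl'.  The check_rbl_sub() rules below issue no query of their own;
# each one tests the A-record value returned for that set.
# 'tflags net' marks a rule as a network test; 'reuse' lets mass-check take
# the hit from a previous scan instead of repeating the lookup.
# NOTE(review): NJABL was reportedly retired in 2013 -- confirm the zone is
# still operated before relying on any rule in this section.
header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL net

# 127.0.0.2: open relay
header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net
reuse RCVD_IN_NJABL_RELAY

# NJABL DUL: obsoleted by PBL (bug 5187)

# 127.0.0.4: spam source
header RCVD_IN_NJABL_SPAM eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM net
reuse RCVD_IN_NJABL_SPAM

# 127.0.0.5: multi-stage open relay
header RCVD_IN_NJABL_MULTI eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI net
reuse RCVD_IN_NJABL_MULTI

# 127.0.0.8: open formmail script
header RCVD_IN_NJABL_CGI eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI net
reuse RCVD_IN_NJABL_CGI

# 127.0.0.9: open proxy
header RCVD_IN_NJABL_PROXY eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY net
reuse RCVD_IN_NJABL_PROXY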
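
# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
#
# The lookup is registered under the set name 'sorbs'; the check_rbl_sub()
# rules test the returned A-record value without querying again.
# NOTE(review): confirm the list is still operated before relying on it.
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net

header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net
reuse RCVD_IN_SORBS_HTTP

header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net
reuse RCVD_IN_SORBS_SOCKS

header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net
reuse RCVD_IN_SORBS_MISC

header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net
reuse RCVD_IN_SORBS_SMTP

# Disabled rule for 127.0.0.6 (spam source); kept commented out.
#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM net
#reuse RCVD_IN_SORBS_SPAM RCVD_IN_SORBS_SPAM

header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server
tflags RCVD_IN_SORBS_WEB net
reuse RCVD_IN_SORBS_WEB

header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net
reuse RCVD_IN_SORBS_BLOCK

header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net
reuse RCVD_IN_SORBS_ZOMBIE

# The dynamic-IP test uses its own set, 'sorbs-lastexternal'.  Per the
# DNSEval documentation the '-lastexternal' suffix restricts the lookup to
# the external host that handed the message to the internal network, so a
# dynamic address further back in the Received chain does not trigger it.
# This only works when trusted_networks/internal_networks describe the local
# relays correctly; otherwise the wrong hop is tested.
header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL net
reuse RCVD_IN_SORBS_DUL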
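
# ---------------------------------------------------------------------------
# Spamhaus ZEN includes SBL+CSS+XBL+PBL
#
# Spamhaus XBL contains both the Abuseat CBL (cbl.abuseat.org) and Blitzed
# OPM (opm.blitzed.org) lists so it's not necessary to query those as well.
#
# __RCVD_IN_ZEN has no result filter, so it is set by any A record the zone
# returns.  The rules that follow match specific 127.0.0.x values only, so
# an unexpected answer does not reach them.
# NOTE(review): no rule in this section matches a CSS return value even
# though CSS is named above -- confirm whether that is intended.
header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
describe __RCVD_IN_ZEN Received via a relay in Spamhaus Zen
tflags __RCVD_IN_ZEN net

# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
# Tested against the 'zen' set above: exact match on 127.0.0.2.
header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2')
describe RCVD_IN_SBL Received via a relay in Spamhaus SBL
tflags RCVD_IN_SBL net

# XBL is the Exploits Block List: http://www.spamhaus.org/xbl/
# Separate set 'zen-lastexternal': only the external host that delivered to
# the internal network is looked up (depends on correct trusted_networks /
# internal_networks).  The anchored regex accepts 127.0.0.4 to 127.0.0.8.
header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net

# PBL is the Policy Block List: http://www.spamhaus.org/pbl/
# Same 'zen-lastexternal' set; the anchored regex accepts 127.0.0.10 and
# 127.0.0.11.  The extra names on the 'reuse' line are older rule names
# whose recorded hits are accepted for this rule.
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
describe RCVD_IN_PBL Received via a relay in Spamhaus PBL
tflags RCVD_IN_PBL net
reuse RCVD_IN_PBL RCVD_IN_PBL T_RCVD_IN_PBL_WITH_NJABL_DUL RCVD_IN_NJABL_DUL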
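
# ---------------------------------------------------------------------------
# RFC-Ignorant blacklists (both name and IP based)
#
# check_rbl_envfrom() looks up the envelope sender's domain rather than a
# relay IP.  The lookup is registered under the set name 'rfci_envfrom'; the
# check_rbl_sub() rules test the value returned for that set.
# NOTE(review): confirm rfc-ignorant.org is still operated before relying on
# these rules.
header __RFC_IGNORANT_ENVFROM eval:check_rbl_envfrom('rfci_envfrom', 'fulldom.rfc-ignorant.org.')
tflags __RFC_IGNORANT_ENVFROM net

header DNS_FROM_RFC_DSN eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
describe DNS_FROM_RFC_DSN Envelope sender in dsn.rfc-ignorant.org
tflags DNS_FROM_RFC_DSN net
reuse DNS_FROM_RFC_DSN

header DNS_FROM_RFC_BOGUSMX eval:check_rbl_sub('rfci_envfrom', '127.0.0.8')
describe DNS_FROM_RFC_BOGUSMX Envelope sender in bogusmx.rfc-ignorant.org
tflags DNS_FROM_RFC_BOGUSMX net
reuse DNS_FROM_RFC_BOGUSMX

# bug 4628: these rules are too unreliable to assign scores to
# They are kept as '__' sub-rules; the second name on each 'reuse' line is
# the rule's former, scored name.
header __DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
tflags __DNS_FROM_RFC_POST net
reuse __DNS_FROM_RFC_POST DNS_FROM_RFC_POST

header __DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
tflags __DNS_FROM_RFC_ABUSE net
reuse __DNS_FROM_RFC_ABUSE DNS_FROM_RFC_ABUSE

header __DNS_FROM_RFC_WHOIS eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
tflags __DNS_FROM_RFC_WHOIS net
reuse __DNS_FROM_RFC_WHOIS DNS_FROM_RFC_WHOIS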
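
# ---------------------------------------------------------------------------
# Now, single zone BLs follow:

# another domain-based blacklist
# The envelope sender's domain is looked up in rhsbl.ahbl.org.  There is no
# result filter, so ANY A record returned by the zone makes this rule hit.
# NOTE(review): AHBL reportedly shut down and afterwards answered positively
# for every query -- confirm the zone's status; with no filter here, such a
# zone would flag all mail.
# The description names the zone that is actually queried.
header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL Envelope sender listed in rhsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL net
reuse DNS_FROM_AHBL_RHSBL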
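
# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details

# check_rbl_txt() queries TXT records instead of A records; the rule hits
# when the TXT answer matches the case-insensitive pattern 'spamcop'.
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net
reuse RCVD_IN_BL_SPAMCOP_NET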
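
# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details
#
# 'activationcode' in the zone name looks like a placeholder for a
# subscriber-specific label -- TODO confirm against the README; as written
# the queries go to the literal name shown.
# The sub-tests '1', '2', '4' and '8' are bare decimal numbers, which the
# DNSEval documentation describes as bitmasks applied to the returned
# address, so one answer can satisfy several of these rules.

header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'activationcode.r.mail-abuse.com.', '1')
describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
tflags RCVD_IN_MAPS_RBL net

# Dial-up list: separate '-lastexternal' set, so only the external host that
# delivered to the internal network is tested.
header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2')
describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html
tflags RCVD_IN_MAPS_DUL net

header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4')
describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html
tflags RCVD_IN_MAPS_RSS net

header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8')
describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html
tflags RCVD_IN_MAPS_OPS net

# The NML isn't part of the RBL+ and I can't find any documentation for it -
# is it dead?
# No result filter: any A record returned by the zone makes this rule hit.
header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.com.')
describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html
tflags RCVD_IN_MAPS_NML net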
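
# ---------------------------------------------------------------------------
# Section for DNS WL related lookups below.
#
# 'tflags ... nice' marks these as ham indicators, i.e. rules meant to
# lower the spam score.  The '-firsttrusted' set suffix limits the lookup to
# the relay recorded by the first trusted host (per the DNSEval
# documentation), so the result is only as trustworthy as the
# trusted_networks setting: a whitelist hit on the wrong hop would credit
# mail that has not earned it.

header __RCVD_IN_IADB eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.')
tflags __RCVD_IN_IADB net nice

# Exact match on 127.0.1.255 within the set queried above.
header RCVD_IN_IADB_VOUCHED eval:check_rbl_sub('iadb-firsttrusted', '127.0.1.255')
describe RCVD_IN_IADB_VOUCHED ISIPP IADB lists as vouched-for sender
tflags RCVD_IN_IADB_VOUCHED net nice

# Closes the 'ifplugin Mail::SpamAssassin::Plugin::DNSEval' conditional
# opened near the top of the file; the AskDNS rules that follow do not use
# DNSEval eval tests.
endif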
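
# ---------------------------------------------------------------------------
# Spamhaus DWL (domain whitelist) lookups via the AskDNS plugin.
#
# _DKIMDOMAIN_ in the query name is a template tag; it is expected to be
# filled in by the DKIM plugin with the signing domain(s) of the message --
# presumably only valid signatures, TODO confirm.  Without that plugin the
# tag stays unresolved and these rules should never fire.
# All three rules are 'nice' (ham indicators), so a hit lowers the score.
ifplugin Mail::SpamAssassin::Plugin::AskDNS

# Hits when the TXT answer is a space-separated list of lowercase words that
# contains 'transaction', 'list' or 'all'.
askdns DKIMDOMAIN_IN_DWL _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT /^([a-z]+ )*(transaction|list|all)( [a-z]+)*$/
tflags DKIMDOMAIN_IN_DWL net nice
describe DKIMDOMAIN_IN_DWL Signing domain listed in Spamhaus DWL

# No answer filter: hits on any TXT answer from the zone.
askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT
tflags __DKIMDOMAIN_IN_DWL_ANY net nice
describe __DKIMDOMAIN_IN_DWL_ANY Any TXT response received from a Spamhaus DWL

# An answer was received but it did not match the recognised pattern above.
# NOTE(review): make sure this rule is not scored as a whitelist hit; an
# unrecognised answer is not a vouch.
meta DKIMDOMAIN_IN_DWL_UNKNOWN __DKIMDOMAIN_IN_DWL_ANY && !DKIMDOMAIN_IN_DWL
tflags DKIMDOMAIN_IN_DWL_UNKNOWN net nice
describe DKIMDOMAIN_IN_DWL_UNKNOWN Unrecognized response from Spamhaus DWL

# Closes the 'ifplugin Mail::SpamAssassin::Plugin::AskDNS' conditional.
endif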