Commit | Line | Data |
---|---|---|
b780ea8d SI |
1 | # SpamAssassin rules file: DNS blacklist and whitelist tests |
2 | # | |
3 | # Please don't modify this file as your changes will be overwritten with | |
4 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
5 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
6 | # | |
7 | # <@LICENSE> | |
8 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
9 | # contributor license agreements. See the NOTICE file distributed with | |
10 | # this work for additional information regarding copyright ownership. | |
11 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
12 | # (the "License"); you may not use this file except in compliance with | |
13 | # the License. You may obtain a copy of the License at: | |
14 | # | |
15 | # http://www.apache.org/licenses/LICENSE-2.0 | |
16 | # | |
17 | # Unless required by applicable law or agreed to in writing, software | |
18 | # distributed under the License is distributed on an "AS IS" BASIS, | |
19 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
20 | # See the License for the specific language governing permissions and | |
21 | # limitations under the License. | |
22 | # </@LICENSE> | |
23 | # | |
24 | ########################################################################### | |
25 | ||
26 | require_version 3.004005 | |
27 | ||
28 | ########################################################################### | |
29 | ||
30 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
31 | ||
32 | # See the Mail::SpamAssassin::Conf manual page for details of how to use | |
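33 | # check_rbl(). Set names ending in '-lastexternal' limit the lookup to the last external relay, and '-firsttrusted' to the relay that connected to the first trusted host, so Received headers further back (which a sender can forge) are not consulted. | |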
34 | ||
35 | # --------------------------------------------------------------------------- | |
36 | # Multizone / multi-meaning BLs first. | |
37 | # | |
38 | # Note that currently TXT queries cannot be used for these, since the | |
39 | # DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply. | |
40 | ||
41 | ||
42 | # --------------------------------------------------------------------------- | |
43 | # SORBS | |
44 | # transfers: both axfr and ixfr available | |
45 | # URL: http://www.dnsbl.sorbs.net/ | |
46 | # pay-to-use: no | |
47 | # delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request | |
48 | ||
49 | header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.') | |
50 | describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS | |
51 | tflags __RCVD_IN_SORBS net | |
52 | reuse __RCVD_IN_SORBS | |
53 | ||
54 | header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2') | |
55 | describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server | |
56 | tflags RCVD_IN_SORBS_HTTP net | |
57 | reuse RCVD_IN_SORBS_HTTP | |
58 | ||
59 | header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3') | |
60 | describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server | |
61 | tflags RCVD_IN_SORBS_SOCKS net | |
62 | reuse RCVD_IN_SORBS_SOCKS | |
63 | ||
64 | header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4') | |
65 | describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server | |
66 | tflags RCVD_IN_SORBS_MISC net | |
67 | reuse RCVD_IN_SORBS_MISC | |
68 | ||
69 | header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5') | |
70 | describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay | |
71 | tflags RCVD_IN_SORBS_SMTP net | |
72 | reuse RCVD_IN_SORBS_SMTP | |
73 | ||
74 | # delist: $50 fee | |
75 | #header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6') | |
76 | #describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source | |
77 | #tflags RCVD_IN_SORBS_SPAM net | |
78 | #reuse RCVD_IN_SORBS_SPAM RCVD_IN_SORBS_SPAM | |
79 | ||
80 | header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7') | |
81 | describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server | |
82 | tflags RCVD_IN_SORBS_WEB net | |
83 | reuse RCVD_IN_SORBS_WEB | |
84 | ||
85 | header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8') | |
86 | describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested | |
87 | tflags RCVD_IN_SORBS_BLOCK net | |
88 | reuse RCVD_IN_SORBS_BLOCK | |
89 | ||
90 | header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9') | |
91 | describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network | |
92 | tflags RCVD_IN_SORBS_ZOMBIE net | |
93 | reuse RCVD_IN_SORBS_ZOMBIE | |
94 | ||
95 | header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10') | |
96 | describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address | |
97 | tflags RCVD_IN_SORBS_DUL net | |
98 | reuse RCVD_IN_SORBS_DUL | |
99 | ||
100 | # --------------------------------------------------------------------------- | |
101 | # Spamhaus ZEN includes SBL+CSS+XBL+PBL | |
102 | # https://www.spamhaus.org/faq/section/DNSBL%20Usage#200 | |
103 | # | |
104 | # Spamhaus XBL contains the Abuseat CBL data (cbl.abuseat.org) | |
105 | ||
106 | header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.') | |
107 | describe __RCVD_IN_ZEN Received via a relay in Spamhaus Zen | |
108 | tflags __RCVD_IN_ZEN net | |
109 | reuse __RCVD_IN_ZEN | |
110 | ||
111 | # SBL is the Spamhaus Block List: https://www.spamhaus.org/sbl/ | |
112 | header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2') | |
113 | describe RCVD_IN_SBL Received via a relay in Spamhaus SBL | |
114 | tflags RCVD_IN_SBL net | |
115 | reuse RCVD_IN_SBL | |
116 | ||
117 | # XBL is the Exploits Block List: https://www.spamhaus.org/xbl/ | |
118 | header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$') | |
119 | describe RCVD_IN_XBL Received via a relay in Spamhaus XBL | |
120 | tflags RCVD_IN_XBL net | |
121 | reuse RCVD_IN_XBL | |
122 | ||
123 | # PBL is the Policy Block List: https://www.spamhaus.org/pbl/ | |
124 | header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$') | |
125 | describe RCVD_IN_PBL Received via a relay in Spamhaus PBL | |
126 | tflags RCVD_IN_PBL net | |
127 | reuse RCVD_IN_PBL | |
128 | ||
129 | # CSS is the Spamhaus CSS Component of the SBL List: https://www.spamhaus.org/css/ | |
130 | header RCVD_IN_SBL_CSS eval:check_rbl_sub('zen', '127.0.0.3') | |
131 | describe RCVD_IN_SBL_CSS Received via a relay in Spamhaus SBL-CSS | |
132 | tflags RCVD_IN_SBL_CSS net | |
133 | reuse RCVD_IN_SBL_CSS | |
134 | ||
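135 | # New blocked checks 10/2019: 127.255.255.254 is an error return code (query refused because it arrived via an open resolver), not a listing of the relay. | |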
136 | header RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.254$') | |
137 | describe RCVD_IN_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | |
138 | tflags RCVD_IN_ZEN_BLOCKED_OPENDNS net | |
139 | reuse RCVD_IN_ZEN_BLOCKED_OPENDNS | |
140 | ||
141 | # New blocked checks 10/2019: 127.255.255.255 is an error return code (query blocked by Spamhaus), not a listing of the relay. | |
142 | header RCVD_IN_ZEN_BLOCKED eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.255$') | |
143 | describe RCVD_IN_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | |
144 | tflags RCVD_IN_ZEN_BLOCKED net | |
145 | reuse RCVD_IN_ZEN_BLOCKED | |
146 | ||
147 | if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) | |
148 | dns_block_rule RCVD_IN_ZEN_BLOCKED_OPENDNS zen.spamhaus.org | |
149 | dns_block_rule RCVD_IN_ZEN_BLOCKED zen.spamhaus.org | |
150 | endif | |
151 | ||
152 | ||
153 | # Now, single zone BLs follow: | |
154 | ||
155 | # --------------------------------------------------------------------------- | |
156 | # NOTE: donation tests, see README file for details | |
157 | ||
158 | header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)') | |
159 | describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net | |
160 | tflags RCVD_IN_BL_SPAMCOP_NET net | |
161 | reuse RCVD_IN_BL_SPAMCOP_NET | |
162 | ||
163 | # --------------------------------------------------------------------------- | |
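164 | # NOTE: commercial tests, see README file for details. The 'activationcode' label in the zone names below looks like a placeholder for a subscriber-specific code - confirm against the README before enabling these rules. | |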
165 | ||
166 | header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'activationcode.r.mail-abuse.com.', '1') | |
167 | describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html | |
168 | tflags RCVD_IN_MAPS_RBL net | |
169 | reuse RCVD_IN_MAPS_RBL | |
170 | ||
171 | header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2') | |
172 | describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html | |
173 | tflags RCVD_IN_MAPS_DUL net | |
174 | reuse RCVD_IN_MAPS_DUL | |
175 | ||
176 | header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4') | |
177 | describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html | |
178 | tflags RCVD_IN_MAPS_RSS net | |
179 | reuse RCVD_IN_MAPS_RSS | |
180 | ||
181 | header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8') | |
182 | describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html | |
183 | tflags RCVD_IN_MAPS_OPS net | |
184 | reuse RCVD_IN_MAPS_OPS | |
185 | ||
186 | # The NML isn't part of the RBL+ and I can't find any documentation for it - is it dead? | |
187 | header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.com.') | |
188 | describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html | |
189 | tflags RCVD_IN_MAPS_NML net | |
190 | reuse RCVD_IN_MAPS_NML | |
191 | ||
192 | # --------------------------------------------------------------------------- | |
193 | # Section for DNS WL related lookups below. | |
194 | ||
195 | # IADB support ... | |
196 | header __RCVD_IN_IADB eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.') | |
197 | tflags __RCVD_IN_IADB net nice | |
198 | reuse __RCVD_IN_IADB | |
199 | ||
200 | header RCVD_IN_IADB_VOUCHED eval:check_rbl_sub('iadb-firsttrusted', '127.0.1.255') | |
201 | describe RCVD_IN_IADB_VOUCHED ISIPP IADB lists as vouched-for sender | |
202 | tflags RCVD_IN_IADB_VOUCHED net nice | |
203 | reuse RCVD_IN_IADB_VOUCHED | |
204 | ||
205 | # --------------------------------------------------------------------------- | |
206 | # Return Path Certified: | |
207 | # https://www.returnpath.net/internetserviceprovider/certification/ | |
208 | # (replaces RCVD_IN_BSP_TRUSTED, RCVD_IN_BSP_OTHER, RCVD_IN_SSC_TRUSTED_COI) | |
209 | header RCVD_IN_RP_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.') | |
210 | describe RCVD_IN_RP_CERTIFIED Sender in ReturnPath Certified - Contact cert-sa@returnpath.net | |
211 | tflags RCVD_IN_RP_CERTIFIED net nice | |
212 | reuse RCVD_IN_RP_CERTIFIED | |
213 | ||
214 | # Return Path Safe: | |
215 | # https://www.returnpath.net/internetserviceprovider/certification/ | |
216 | # (replaces HABEAS_ACCREDITED_COI, HABEAS_ACCREDITED_SOI, HABEAS_CHECKED) | |
217 | header RCVD_IN_RP_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.') | |
218 | describe RCVD_IN_RP_SAFE Sender in ReturnPath Safe - Contact safe-sa@returnpath.net | |
219 | tflags RCVD_IN_RP_SAFE net nice | |
220 | reuse RCVD_IN_RP_SAFE | |
221 | ||
222 | # Return Path Reputation Network Blacklist (RNBL): | |
223 | # https://senderscore.org/blacklistlookup/ | |
224 | header RCVD_IN_RP_RNBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.') | |
225 | describe RCVD_IN_RP_RNBL Relay in RNBL, https://senderscore.org/blacklistlookup/ | |
226 | tflags RCVD_IN_RP_RNBL net | |
227 | reuse RCVD_IN_RP_RNBL | |
228 | ||
229 | endif | |
230 | ||
231 | # These are old and useless - the zones are no longer supported by Spamhaus 2018-12-12 | |
232 | #ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
233 | # | |
234 | #askdns DKIMDOMAIN_IN_DWL _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT /^([a-z]+ )*(transaction|list|all)( [a-z]+)*$/ | |
235 | #tflags DKIMDOMAIN_IN_DWL net nice | |
236 | #describe DKIMDOMAIN_IN_DWL Signing domain listed in Spamhaus DWL | |
237 | #reuse DKIMDOMAIN_IN_DWL | |
238 | # | |
239 | #askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT | |
240 | #tflags __DKIMDOMAIN_IN_DWL_ANY net nice | |
241 | #describe __DKIMDOMAIN_IN_DWL_ANY Any TXT response received from a Spamhaus DWL | |
242 | #reuse __DKIMDOMAIN_IN_DWL_ANY | |
243 | # | |
244 | #meta DKIMDOMAIN_IN_DWL_UNKNOWN __DKIMDOMAIN_IN_DWL_ANY && !DKIMDOMAIN_IN_DWL | |
245 | #tflags DKIMDOMAIN_IN_DWL_UNKNOWN net nice | |
246 | #describe DKIMDOMAIN_IN_DWL_UNKNOWN Unrecognized response from Spamhaus DWL | |
247 | # | |
248 | #endif |