1 # SpamAssassin - URIDNSBL rules
2 #
3 # Please don't modify this file as your changes will be overwritten with
4 # the next update. Use /etc/mail/spamassassin/local.cf instead.
5 # See 'perldoc Mail::SpamAssassin::Conf' for details.
6 #
7 # <@LICENSE>
8 # Licensed to the Apache Software Foundation (ASF) under one or more
9 # contributor license agreements. See the NOTICE file distributed with
10 # this work for additional information regarding copyright ownership.
11 # The ASF licenses this file to you under the Apache License, Version 2.0
12 # (the "License"); you may not use this file except in compliance with
13 # the License. You may obtain a copy of the License at:
14 #
15 # http://www.apache.org/licenses/LICENSE-2.0
16 #
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
22 # </@LICENSE>
23 #
24 ###########################################################################
25
26 # Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded.
27 # Note that this plugin defines a new config setting, 'uridnsbl',
28 # which lists the zones to look up in advance. The rules will
29 # not hit unless each rule has a corresponding 'uridnsbl' line.
30
31 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
32
33 ###########################################################################
34 ## Spamhaus
35
# URIBL_SBL / URIBL_CSS: 'uridnssub' rules against zen.spamhaus.org. Per their
# describe text they test the IP of the URL domain's nameserver (NS) and hit
# on one exact return code each: 127.0.0.2 (SBL) and 127.0.0.3 (CSS).
# 'tflags ... net' marks them as network tests, so they produce nothing when
# network checks are disabled or DNS to the zone is not answering.
36 uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
37 body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
38 describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
39 tflags URIBL_SBL net
40 reuse URIBL_SBL
41
42 uridnssub URIBL_CSS zen.spamhaus.org. A 127.0.0.3
43 body URIBL_CSS eval:check_uridnsbl('URIBL_CSS')
44 describe URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS blocklist
45 tflags URIBL_CSS net
46 reuse URIBL_CSS
47
48 # Only works correctly from 3.4.3, earlier versions basically run as URIBL_SBL duplicate
# The extra 'a' tflag is what distinguishes these from URIBL_SBL / URIBL_CSS:
# per the describe text they test the URL host's own A record rather than its
# nameserver's IP. The can() guard defines them only when the loaded URIDNSBL
# plugin reports has_uridnsbl_for_a, so older installs do not get a second
# rule scoring the same NS lookup.
49 if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_uridnsbl_for_a)
50 uridnssub URIBL_SBL_A zen.spamhaus.org. A 127.0.0.2
51 body URIBL_SBL_A eval:check_uridnsbl('URIBL_SBL_A')
52 describe URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist
53 tflags URIBL_SBL_A net a
54 reuse URIBL_SBL_A
55
56 uridnssub URIBL_CSS_A zen.spamhaus.org. A 127.0.0.3
57 body URIBL_CSS_A eval:check_uridnsbl('URIBL_CSS_A')
58 describe URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS blocklist
59 tflags URIBL_CSS_A net a
60 reuse URIBL_CSS_A
61 endif
62
63 # New blocked checks 10/2019
# 127.255.255.254 and 127.255.255.255 are not listings. Per the describe text
# they mean Spamhaus refused the query (open/public resolver, or blocked for
# the reason given on the linked page). While either rule hits, the zen-based
# URI rules in this file get no usable answers, so URLs they would have
# flagged pass unscored. Treat a hit as a resolver/configuration problem to
# fix, not as evidence about the message.
# NOTE(review): unlike SURBL_BLOCKED and URIBL_BLOCKED further down, these two
# rules carry no 'noautolearn' tflag - confirm whether that is intentional.
64 uridnssub URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org. A 127.255.255.254
65 body URIBL_ZEN_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_ZEN_BLOCKED_OPENDNS')
66 describe URIBL_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
67 tflags URIBL_ZEN_BLOCKED_OPENDNS net
68 reuse URIBL_ZEN_BLOCKED_OPENDNS
69
70 # New blocked checks 10/2019
71 uridnssub URIBL_ZEN_BLOCKED zen.spamhaus.org. A 127.255.255.255
72 body URIBL_ZEN_BLOCKED eval:check_uridnsbl('URIBL_ZEN_BLOCKED')
73 describe URIBL_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
74 tflags URIBL_ZEN_BLOCKED net
75 reuse URIBL_ZEN_BLOCKED
76
# Where the running SpamAssassin provides dns_block_rule, a hit on the named
# rule temporarily stops further DNS queries to that zone instead of continuing
# to send lookups that will be refused. Zen-based rules stay silent during
# that period, so monitor for these rule names in scan results.
77 if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
78 dns_block_rule URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org
79 dns_block_rule URIBL_ZEN_BLOCKED zen.spamhaus.org
80 endif
81
82
83 # DBL, https://www.spamhaus.org/dbl/
84 # changes axb 05-17-2014: as per https://www.spamhaus.org/news/article/713/
85 # SH changes effective 06-01-2014
# DBL rules use 'urirhssub': the URL's domain name itself is looked up in
# dbl.spamhaus.org and each rule hits on one exact return code.
# tflags: 'domains_only' keeps IP-address URLs from being sent to the zone
# (see URIBL_DBL_ERROR in this file for what happens otherwise); 'notrim'
# queries the hostname as found instead of trimming it to the registered domain.
# The whole DBL group is defined only when the plugin reports
# has_tflags_domains_only; the matching 'endif' is further down the file.
86 if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only)
87
# 127.0.1.2 = spam domain (per describe text)
88 urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2
89 body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM')
90 describe URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
91 tflags URIBL_DBL_SPAM net domains_only notrim
92 reuse URIBL_DBL_SPAM
93
# 127.0.1.4 = phishing domain (per describe text)
94 urirhssub URIBL_DBL_PHISH dbl.spamhaus.org. A 127.0.1.4
95 body URIBL_DBL_PHISH eval:check_uridnsbl('URIBL_DBL_PHISH')
96 describe URIBL_DBL_PHISH Contains a Phishing URL listed in the Spamhaus DBL blocklist
97 tflags URIBL_DBL_PHISH net domains_only notrim
98 reuse URIBL_DBL_PHISH
99
# 127.0.1.5 = malware domain (per describe text)
100 urirhssub URIBL_DBL_MALWARE dbl.spamhaus.org. A 127.0.1.5
101 body URIBL_DBL_MALWARE eval:check_uridnsbl('URIBL_DBL_MALWARE')
102 describe URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus DBL blocklist
103 tflags URIBL_DBL_MALWARE net domains_only notrim
104 reuse URIBL_DBL_MALWARE
105
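# 127.0.1.6 = botnet command-and-control domain (per describe text).
# Same lookup style and tflags as the other DBL rules: domain-name query to
# dbl.spamhaus.org, no IP-address URLs, hostname not trimmed.
# The describe text below has the "botned" typo corrected to "botnet", since
# this string is what administrators see in scan reports.
106 urirhssub URIBL_DBL_BOTNETCC dbl.spamhaus.org. A 127.0.1.6
107 body URIBL_DBL_BOTNETCC eval:check_uridnsbl('URIBL_DBL_BOTNETCC')
108 describe URIBL_DBL_BOTNETCC Contains a botnet C&C URL listed in the Spamhaus DBL blocklist
109 tflags URIBL_DBL_BOTNETCC net domains_only notrim
110 reuse URIBL_DBL_BOTNETCC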
111
# The 127.0.1.10x return codes repeat the DBL categories (spam, redirector,
# phishing, malware, botnet C&C) for domains the describe text calls "abused".
# NOTE(review): presumably these are otherwise legitimate domains that were
# compromised or misused - confirm against the Spamhaus DBL documentation
# before scoring them the same as the 127.0.1.x rules.
112 urirhssub URIBL_DBL_ABUSE_SPAM dbl.spamhaus.org. A 127.0.1.102
113 body URIBL_DBL_ABUSE_SPAM eval:check_uridnsbl('URIBL_DBL_ABUSE_SPAM')
114 describe URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist
115 tflags URIBL_DBL_ABUSE_SPAM net domains_only notrim
116 reuse URIBL_DBL_ABUSE_SPAM
117
118 urirhssub URIBL_DBL_ABUSE_REDIR dbl.spamhaus.org. A 127.0.1.103
119 body URIBL_DBL_ABUSE_REDIR eval:check_uridnsbl('URIBL_DBL_ABUSE_REDIR')
120 describe URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the Spamhaus DBL blocklist
121 tflags URIBL_DBL_ABUSE_REDIR net domains_only notrim
122 reuse URIBL_DBL_ABUSE_REDIR
123
124 urirhssub URIBL_DBL_ABUSE_PHISH dbl.spamhaus.org. A 127.0.1.104
125 body URIBL_DBL_ABUSE_PHISH eval:check_uridnsbl('URIBL_DBL_ABUSE_PHISH')
126 describe URIBL_DBL_ABUSE_PHISH Contains an abused phishing URL listed in the Spamhaus DBL blocklist
127 tflags URIBL_DBL_ABUSE_PHISH net domains_only notrim
128 reuse URIBL_DBL_ABUSE_PHISH
129
130 urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105
131 body URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW')
132 describe URIBL_DBL_ABUSE_MALW Contains an abused malware URL listed in the Spamhaus DBL blocklist
133 tflags URIBL_DBL_ABUSE_MALW net domains_only notrim
134 reuse URIBL_DBL_ABUSE_MALW
135
136 urirhssub URIBL_DBL_ABUSE_BOTCC dbl.spamhaus.org. A 127.0.1.106
137 body URIBL_DBL_ABUSE_BOTCC eval:check_uridnsbl('URIBL_DBL_ABUSE_BOTCC')
138 describe URIBL_DBL_ABUSE_BOTCC Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist
139 tflags URIBL_DBL_ABUSE_BOTCC net domains_only notrim
140 reuse URIBL_DBL_ABUSE_BOTCC
141
142
143 # this indicates that IP-address queries were sent to DBL, and should
144 # never appear; if it does, something is wrong with SpamAssassin
# 127.0.1.255 is a diagnostic code, not a listing. The 'domains_only' tflag on
# every DBL rule is what is meant to prevent IP-address queries in the first place.
145 urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255
146 body URIBL_DBL_ERROR eval:check_uridnsbl('URIBL_DBL_ERROR')
147 describe URIBL_DBL_ERROR Error: queried the Spamhaus DBL blocklist for an IP
148 tflags URIBL_DBL_ERROR net domains_only notrim
149 reuse URIBL_DBL_ERROR
150
151 # New blocked checks 10/2019
# As with the zen rules, 127.255.255.254 / 127.255.255.255 mean the query was
# refused, not that the domain is listed. While these hit, the DBL rules return
# no data and spam/phishing/malware domains go unflagged by them; fix the
# resolver setup described on the linked pages.
# NOTE(review): no dns_block_rule line is visible for dbl.spamhaus.org in this
# file, unlike zen.spamhaus.org, multi.surbl.org and multi.uribl.com - confirm
# whether that is intentional.
152 urirhssub URIBL_DBL_BLOCKED_OPENDNS dbl.spamhaus.org. A 127.255.255.254
153 body URIBL_DBL_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_DBL_BLOCKED_OPENDNS')
154 describe URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
155 tflags URIBL_DBL_BLOCKED_OPENDNS net domains_only notrim
156 reuse URIBL_DBL_BLOCKED_OPENDNS
157
158 # New blocked checks 10/2019
159 urirhssub URIBL_DBL_BLOCKED dbl.spamhaus.org. A 127.255.255.255
160 body URIBL_DBL_BLOCKED eval:check_uridnsbl('URIBL_DBL_BLOCKED')
161 describe URIBL_DBL_BLOCKED ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
162 tflags URIBL_DBL_BLOCKED net domains_only notrim
163 reuse URIBL_DBL_BLOCKED
164
# Closes the has_tflags_domains_only guard that wraps all DBL rules.
165 endif
166
167 ###########################################################################
168 ## SURBL
169
# SURBL rules query multi.surbl.org with a plain number as the subtest. A
# numeric subtest is a bitmask on the returned address, so one lookup can hit
# several of these rules at once. Bits 2 (SC) and 32 (AB) are retired here and
# folded into bit 64 (ABUSE), as the comments below record.
# NOTE(review): the two-letter list names are SURBL's own categories - confirm
# their current meaning and bit assignments against SURBL's documentation.
170 #MERGED INTO BIT 64 per bug 7279
171 #urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
172 #body URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL')
173 #describe URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
174 #tflags URIBL_SC_SURBL net notrim
175 #reuse URIBL_SC_SURBL
176
177 urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
178 body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL')
179 describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
180 tflags URIBL_WS_SURBL net notrim
181 reuse URIBL_WS_SURBL
182
183 urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
184 body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL')
185 describe URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
186 tflags URIBL_PH_SURBL net notrim
187 reuse URIBL_PH_SURBL
188
189 urirhssub URIBL_MW_SURBL multi.surbl.org. A 16
190 body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL')
191 describe URIBL_MW_SURBL Contains a URL listed in the MW SURBL blocklist
192 tflags URIBL_MW_SURBL net notrim
193 reuse URIBL_MW_SURBL
194
195 urirhssub URIBL_CR_SURBL multi.surbl.org. A 128
196 body URIBL_CR_SURBL eval:check_uridnsbl('URIBL_CR_SURBL')
197 describe URIBL_CR_SURBL Contains an URL listed in the CR SURBL blocklist
198 tflags URIBL_CR_SURBL net notrim
199 reuse URIBL_CR_SURBL
200
201 #MERGED INTO BIT 64 per bug 7279
202 #urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
203 #body URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL')
204 #describe URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
205 #tflags URIBL_AB_SURBL net notrim
206 #reuse URIBL_AB_SURBL
207
208 #JP MOVED INTO ABUSE AS WELL AND BIT REUSED per bug 7279
209 urirhssub URIBL_ABUSE_SURBL multi.surbl.org. A 64
210 body URIBL_ABUSE_SURBL eval:check_uridnsbl('URIBL_ABUSE_SURBL')
211 describe URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
212 tflags URIBL_ABUSE_SURBL net notrim
213 reuse URIBL_ABUSE_SURBL
214
215 #SURBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you.
# A hit means SURBL is refusing this resolver's queries, so none of the
# multi.surbl.org rules in this file can fire until that is resolved. It says
# nothing about the message itself. 'noautolearn' keeps this rule's score out
# of the Bayes auto-learn decision.
216 urirhssub SURBL_BLOCKED multi.surbl.org. A 1
217 body SURBL_BLOCKED eval:check_uridnsbl('SURBL_BLOCKED')
218 describe SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
219 tflags SURBL_BLOCKED net noautolearn notrim
220 reuse SURBL_BLOCKED
221
# Where dns_block_rule is available, a hit temporarily stops further queries
# to multi.surbl.org rather than repeating lookups that will be refused.
222 if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
223 dns_block_rule SURBL_BLOCKED multi.surbl.org
224 endif
225
226 ###########################################################################
227 ## URIBL
228
# URIBL.com rules: domain-name lookups in multi.uribl.com with a numeric
# (bitmask) subtest - bit 2 black, bit 4 grey, bit 8 red, per the describe text.
# Unlike the DBL and SURBL rules in this file these carry no 'notrim' or
# 'domains_only' tflag.
229 urirhssub URIBL_BLACK multi.uribl.com. A 2
230 body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
231 describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
232 tflags URIBL_BLACK net
233 reuse URIBL_BLACK
234
235 urirhssub URIBL_GREY multi.uribl.com. A 4
236 body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
237 describe URIBL_GREY Contains an URL listed in the URIBL greylist
238 tflags URIBL_GREY net
239 reuse URIBL_GREY
240
241 urirhssub URIBL_RED multi.uribl.com. A 8
242 body URIBL_RED eval:check_uridnsbl('URIBL_RED')
243 describe URIBL_RED Contains an URL listed in the URIBL redlist
244 tflags URIBL_RED net
245 reuse URIBL_RED
246
247 #URIBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you.
# A hit means URIBL is refusing this resolver's queries, so URIBL_BLACK,
# URIBL_GREY and URIBL_RED cannot fire until that is resolved. It is an
# operational alert, not a verdict on the message. 'noautolearn' keeps its
# score out of the Bayes auto-learn decision.
248 urirhssub URIBL_BLOCKED multi.uribl.com. A 1
249 body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED')
250 describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
251 tflags URIBL_BLOCKED net noautolearn
252 reuse URIBL_BLOCKED
253
# Where dns_block_rule is available, a hit temporarily stops further queries
# to multi.uribl.com rather than repeating lookups that will be refused.
254 if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
255 dns_block_rule URIBL_BLOCKED multi.uribl.com
256 endif
257
258 ###########################################################################
259 ## DOMAINS TO SKIP (KNOWN GOOD)
260
# uridnsbl_skip_domain exempts a domain from every URIDNSBL lookup defined in
# this file: no Spamhaus, SURBL or URIBL query is made for URLs under it.
# The entries in this first group are not real link targets but strings that
# get parsed as domains.
261 # Linting
262 uridnsbl_skip_domain taint.org
263
264 # Don't bother looking for example domains as per RFC 2606.
265 uridnsbl_skip_domain example.com example.net example.org
266
# NOTE(review): presumably skipped because the config file name "local.cf"
# looks like a domain when it appears in message text - confirm.
267 uridnsbl_skip_domain local.cf
268
269 # MUA CSS class definitions
270 uridnsbl_skip_domain div.tk p.tk li.tk no.tk
271
272 # (roughly) top 200 domains not blacklisted by SURBL
# Every domain listed here is never queried against any blocklist in this
# file, so a URL under it cannot raise a URIBL_* score. The list is a
# long-lived snapshot; it includes a URL shortener (tinyurl.com) and
# free-hosting/webmail names, where the content behind a link is not
# controlled by the domain owner.
# NOTE(review): site policy may want lookups restored for some entries. Use
# clear_uridnsbl_skip_domain in local.cf, not edits to this file (the file
# header says local changes here are overwritten on update).
273 uridnsbl_skip_domain 126.com 163.com 2o7.net 4at1.com
274 uridnsbl_skip_domain 5iantlavalamp.com about.com adelphia.net adobe.com addthis.com
275 uridnsbl_skip_domain agora-inc.com agoramedia.com akamai.net
276 uridnsbl_skip_domain akamaitech.net amazon.com ancestry.com aol.com
277 uridnsbl_skip_domain apache.org apple.com arcamax.com astrology.com apple.news
278 uridnsbl_skip_domain atdmt.com att.net bbc.co.uk
279 uridnsbl_skip_domain bcentral.com bellsouth.net bfi0.com
280 uridnsbl_skip_domain bridgetrack.com cafe24.com charter.net
281 uridnsbl_skip_domain citibank.com citizensbank.com cjb.net
282 uridnsbl_skip_domain classmates.com clickbank.net cnet.com
283 uridnsbl_skip_domain cnn.com com.com com.ne.kr comcast.net
284 uridnsbl_skip_domain corporate-ir.net cox.net cs.com
285 uridnsbl_skip_domain custhelp.com daum.net dd.se debian.org
286 uridnsbl_skip_domain dell.com directtrack.com directnic.com domain.com
287 uridnsbl_skip_domain dsbl.org earthlink.net ebay.co.uk ebay.com
288 uridnsbl_skip_domain ebayimg.com ebaystatic.com edgesuite.net ediets.com
289 uridnsbl_skip_domain egroups.com emode.com excite.com f-secure.com
290 uridnsbl_skip_domain free.fr freebsd.org
291 uridnsbl_skip_domain gentoo.org geocities.com gmail.com gmx.net
292 uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com
293 uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com
294 uridnsbl_skip_domain hotpop.com hp.com ibm.com incredimail.com
295 uridnsbl_skip_domain investorplace.com ivillage.com joingevalia.com
296 uridnsbl_skip_domain juno.com kernel.org livejournal.com lycos.com
297 uridnsbl_skip_domain m7z.net mac.com macromedia.com
298 uridnsbl_skip_domain mail.com mail.ru mailscanner.info marketwatch.com
299 uridnsbl_skip_domain mcafee.com mchsi.com messagelabs.com
300 uridnsbl_skip_domain microsoft.com military.com mindspring.com mit.edu
301 uridnsbl_skip_domain monster.com msn.com nate.com
302 uridnsbl_skip_domain netflix.com netscape.com netscape.net netzero.net
303 uridnsbl_skip_domain norman.com nytimes.com optonline.net osdn.com
304 uridnsbl_skip_domain overstock.com pacbell.net pandasoftware.com
305 uridnsbl_skip_domain paypal.com peoplepc.com plaxo.com
306 uridnsbl_skip_domain prodigy.net radaruol.com.br
307 uridnsbl_skip_domain real.com redhat.com regions.com regionsnet.com
308 uridnsbl_skip_domain rogers.com rr.com sbcglobal.net sec.gov sf.net
309 uridnsbl_skip_domain shaw.ca shockwave.com smithbarney.com
310 uridnsbl_skip_domain sourceforge.net spamcop.net speedera.net sportsline.com
311 uridnsbl_skip_domain sun.com suntrust.com sympatico.ca t-online.de
312 uridnsbl_skip_domain tails.nl telus.net terra.com.br ticketmaster.com
313 uridnsbl_skip_domain tinyurl.com tiscali.co.uk tom.com
314 uridnsbl_skip_domain tone.co.nz tux.org uol.com.br
315 uridnsbl_skip_domain ups.com verizon.net w3.org usps.com
316 uridnsbl_skip_domain wamu.com wanadoo.fr washingtonpost.com weatherbug.com
317 uridnsbl_skip_domain web.de webshots.com webtv.net wsj.com
318 uridnsbl_skip_domain yahoo.ca yahoo.co.kr yahoo.co.uk
319 uridnsbl_skip_domain yahoo.com yahoo.com.br yahoogroups.com yimg.com
320 uridnsbl_skip_domain yopi.de yoursite.com zdnet.com
321 uridnsbl_skip_domain openxmlformats.org passport.com xmlsoap.org
322 uridnsbl_skip_domain abc.xyz avast.com schema.org
323
324 # wtogami's most frequent known good URIDNSBL lookups (1/1/2011)
# These entries are skipped to save DNS queries on very common domains. The
# date above marks this as a snapshot, and skipping removes all URIDNSBL
# coverage for URLs under these names, including user-content platforms such
# as wordpress.com, flickr.com and facebook.com.
325 uridnsbl_skip_domain alexa.com ask.com baidu.com bing.com craigslist.org
326 uridnsbl_skip_domain doubleclick.com ebay.de facebook.com flickr.com godaddy.com
327 uridnsbl_skip_domain google.co.in google.it mozilla.com myspace.com rediff.com
328 uridnsbl_skip_domain twitter.com wordpress.com yahoo.co.jp youtube.com
329
330 # axb's frequent known good URIDNSBL lookups
331
332 uridnsbl_skip_domain fedex.com
333 uridnsbl_skip_domain openoffice.org
334 uridnsbl_skip_domain vk.com
335
336 # pointless footer noise
337 uridnsbl_skip_domain security.cloud
338 uridnsbl_skip_domain yac.mx
339
340 # Microsoft on ns1.msedge.net
# bing.com appears here and in the wtogami list above; the entry is repeated.
341 uridnsbl_skip_domain microsofttranslator.com office.com microsoftonline.com bing.com msedge.net
342
343 # Some frequent known good URIDNSBL lookups 3.10.2018 -hk
# Coverage caveat: this group skips lookups for link shorteners (aka.ms, goo.gl,
# t.co, youtu.be), shared cloud hosting and storage (amazonaws.com,
# cloudfront.net, googleapis.com, googleusercontent.com, dropbox.com,
# github.com, onmicrosoft.com) and mail/tracking infrastructure (amazonses.com,
# emltrk.com, pstmrk.it). Content under those names is published by
# third parties, and none of the URIDNSBL rules in this file will flag it.
# Detection for such links has to come from other rules. To restore lookups
# for a domain, use clear_uridnsbl_skip_domain in local.cf.
344 uridnsbl_skip_domain aka.ms akamaihd.net alibaba.com alicdn.com amazon.co.uk
345 uridnsbl_skip_domain amazon.de amazonaws.com amazonses.com bandcamp.com
346 uridnsbl_skip_domain booking.com cdninstagram.com cloudfront.net dhl.com
347 uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr
348 uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi
349 uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com
350 uridnsbl_skip_domain google.de google.fi googleapis.com googleusercontent.com
351 uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com
352 uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com
353 uridnsbl_skip_domain media-amazon.com mtasv.net mzstatic.com nebula.fi
354 uridnsbl_skip_domain nic.fi onmicrosoft.com oracle.com paypalobjects.com
355 uridnsbl_skip_domain pinimg.com pinterest.com posti.com posti.fi pstmrk.it
356 uridnsbl_skip_domain skype.com soundcloud.com ssl-images-amazon.com
357 uridnsbl_skip_domain suomi24.fi t.co telia.com telia.fi tnt.com tori.fi
358 uridnsbl_skip_domain tripadvisor.com twimg.com youtu.be
359 # Some more frequent known good URIDNSBL lookups 10.4.2020 -hk
# docs.google.com is the only entry in this file with a third-level label.
# NOTE(review): google.com is already on the skip list earlier in the file -
# confirm whether skip matching covers subdomains, which would make this
# entry redundant.
360 uridnsbl_skip_domain docs.google.com etuovi.com iki.fi nflxext.com nflximg.com
361 uridnsbl_skip_domain nflximg.net outlook.com postnord.com postnord.fi postnord.no
362 uridnsbl_skip_domain saunalahti.fi
363
364 endif # Mail::SpamAssassin::Plugin::URIDNSBL