# SpamAssassin rules file: DNS blacklist tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Refuse to load this file under a mismatched SpamAssassin release.
# @@VERSION@@ is presumably substituted at build/install time, like
# @@LOCAL_RULES_DIR@@ in the header above.
require_version @@VERSION@@
###########################################################################
# Everything down to the closing "endif" applies only when the DNSEval plugin
# is loaded.
ifplugin Mail::SpamAssassin::Plugin::DNSEval
# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().
#
# Conventions used by the rules in this file:
#  - check_rbl('set', 'zone.') performs the DNS lookup and labels the result
#    with a set name; check_rbl_sub('set', 'value') does no lookup of its own,
#    it only tests the answer already obtained for that set.
#  - Rule names starting with "__" are unscored sub-rules.
#  - "tflags ... net" marks a network test; "nice" marks a rule meant to
#    lower the spam score (a whitelist-style rule).
# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# Well, at least NJABL doesn't, it seems, as of Apr 7 2003.
# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/
# NOTE(review): NJABL is, to my knowledge, no longer operated. Confirm the
# zone still answers sensibly before scoring any rule in this section; a
# retired zone that starts answering for every query turns each of these
# rules into a false positive.
#
# One lookup against the combined zone (set 'njabl'); the sub-rules below
# decode the returned 127.0.0.x value into the listing reason.
header __RCVD_IN_NJABL eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL net
# 127.0.0.2: open relay
header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net
#reuse RCVD_IN_NJABL_RELAY
# NJABL DUL: obsoleted by PBL (bug 5187)
# 127.0.0.4: spam source
header RCVD_IN_NJABL_SPAM eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM net
#reuse RCVD_IN_NJABL_SPAM
# 127.0.0.5: multi-stage open relay
header RCVD_IN_NJABL_MULTI eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI net
#reuse RCVD_IN_NJABL_MULTI
# 127.0.0.8: open formmail (CGI) script
header RCVD_IN_NJABL_CGI eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI net
#reuse RCVD_IN_NJABL_CGI
# 127.0.0.9: open proxy
header RCVD_IN_NJABL_PROXY eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY net
#reuse RCVD_IN_NJABL_PROXY
# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
#
# One lookup against the aggregate zone (set 'sorbs'); each sub-rule below
# tests the returned A record for one 127.0.0.x listing code.
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net
# 127.0.0.2: open HTTP proxy
header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net
#reuse RCVD_IN_SORBS_HTTP
# 127.0.0.3: open SOCKS proxy
header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net
#reuse RCVD_IN_SORBS_SOCKS
# 127.0.0.4: other open proxy
header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net
#reuse RCVD_IN_SORBS_MISC
# 127.0.0.5: open SMTP relay
header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net
#reuse RCVD_IN_SORBS_SMTP
# 127.0.0.6: spam source. The rule is left disabled here.
# delist: $50 fee
#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM net
#reuse RCVD_IN_SORBS_SPAM
# 127.0.0.7: abusable web server
# NOTE(review): the description text below reads "a abuseable"; it is left
# as-is because it is emitted in reports, but it is a typo.
header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB net
#reuse RCVD_IN_SORBS_WEB
# 127.0.0.8: host asked never to be tested
header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net
#reuse RCVD_IN_SORBS_BLOCK
# 127.0.0.9: hijacked network
header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net
#reuse RCVD_IN_SORBS_ZOMBIE
# 127.0.0.10: dynamic IP range. This is a separate lookup under its own set
# name; the "-lastexternal" suffix limits it to the relay that handed the
# message to the local network, since a dynamic-address listing only matters
# for mail "sent directly" (see the description). Which relay counts as the
# last external one depends on the site's trusted/internal network settings.
header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL net
#reuse RCVD_IN_SORBS_DUL
# ---------------------------------------------------------------------------
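# Spamhaus SBL+XBL, now called Zen
#
# Spamhaus XBL contains both the Abuseat CBL (cbl.abuseat.org) and Blitzed
# OPM (opm.blitzed.org) lists so it's not necessary to query those as well.
#
# Base lookup for all relays (set 'zen'); unscored, used by RCVD_IN_SBL.
header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
describe __RCVD_IN_ZEN Received via a relay in Spamhaus Zen
tflags __RCVD_IN_ZEN net
# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
# Return code 127.0.0.2, tested against the answer of the 'zen' set.
header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2')
describe RCVD_IN_SBL Received via a relay in Spamhaus SBL
tflags RCVD_IN_SBL net
#reuse RCVD_IN_SBL
# XBL is the Exploits Block List: http://www.spamhaus.org/xbl/
# Checked for the last external relay only (set 'zen-lastexternal').
# The third argument is treated as a regular expression over the returned
# A record, so it is anchored and its dots are escaped: only 127.0.0.4
# through 127.0.0.8 may match, never a longer value that merely starts the
# same way (e.g. 127.0.0.40).
header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net
#reuse RCVD_IN_XBL
# PBL is the Policy Block List: http://www.spamhaus.org/pbl/
# Same set and same anchoring as XBL: only 127.0.0.10 and 127.0.0.11 match
# (an unanchored pattern would also accept 127.0.0.100 - 127.0.0.119).
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
describe RCVD_IN_PBL Received via a relay in Spamhaus PBL
tflags RCVD_IN_PBL net
#reuse RCVD_IN_PBL T_RCVD_IN_PBL_WITH_NJABL_DUL RCVD_IN_NJABL_DUL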
# ---------------------------------------------------------------------------
# RFC-Ignorant blacklists (both name and IP based)
# NOTE(review): rfc-ignorant.org is, to my knowledge, no longer operated;
# confirm the zone is still served before scoring these rules.
#
# check_rbl_envfrom() looks up the envelope sender rather than relay
# addresses (see the "Envelope sender in ..." descriptions). One lookup
# against the combined zone; the sub-rules decode the returned 127.0.0.x code.
header __RFC_IGNORANT_ENVFROM eval:check_rbl_envfrom('rfci_envfrom', 'fulldom.rfc-ignorant.org.')
tflags __RFC_IGNORANT_ENVFROM net
# 127.0.0.2: listed in the "dsn" list
header DNS_FROM_RFC_DSN eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
describe DNS_FROM_RFC_DSN Envelope sender in dsn.rfc-ignorant.org
tflags DNS_FROM_RFC_DSN net
#reuse DNS_FROM_RFC_DSN
# 127.0.0.8: listed in the "bogusmx" list
header DNS_FROM_RFC_BOGUSMX eval:check_rbl_sub('rfci_envfrom', '127.0.0.8')
describe DNS_FROM_RFC_BOGUSMX Envelope sender in bogusmx.rfc-ignorant.org
tflags DNS_FROM_RFC_BOGUSMX net
#reuse DNS_FROM_RFC_BOGUSMX
# bug 4628: these rules are too unreliable to assign scores to
# They are therefore kept only as unscored "__" sub-rules, without a
# description.
header __DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
tflags __DNS_FROM_RFC_POST net
#reuse __DNS_FROM_RFC_POST DNS_FROM_RFC_POST
header __DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
tflags __DNS_FROM_RFC_ABUSE net
#reuse __DNS_FROM_RFC_ABUSE DNS_FROM_RFC_ABUSE
header __DNS_FROM_RFC_WHOIS eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
tflags __DNS_FROM_RFC_WHOIS net
#reuse __DNS_FROM_RFC_WHOIS DNS_FROM_RFC_WHOIS
# ---------------------------------------------------------------------------
# Now, single zone BLs follow:
# another domain-based blacklist
# Looks up the envelope sender in the AHBL right-hand-side zone; any answer
# counts as a hit because no sub-test is given.
# NOTE(review): the description names dnsbl.ahbl.org while the zone actually
# queried is rhsbl.ahbl.org.
# NOTE(review): AHBL is, to my knowledge, no longer operated. Because this
# rule fires on any answer, a retired zone that answers every query would
# mark all mail; confirm the zone's status before scoring it.
header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL net
#reuse DNS_FROM_AHBL_RHSBL
# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details
# check_rbl_txt() is used here, so the third argument is matched against the
# returned TXT record text: the rule hits when that text contains "spamcop"
# in any letter case.
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net
#reuse RCVD_IN_BL_SPAMCOP_NET
# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details
# Four separate MAPS zones, one lookup each. No sub-test is given, so any
# answer from a zone counts as a hit for its rule.
header RCVD_IN_MAPS_RBL eval:check_rbl('rbl', 'blackholes.mail-abuse.org.')
describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/
tflags RCVD_IN_MAPS_RBL net
# Dial-up list: the "-lastexternal" set limits the check to the relay that
# handed the message to the local network.
header RCVD_IN_MAPS_DUL eval:check_rbl('dialup-lastexternal', 'dialups.mail-abuse.org.')
describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/
tflags RCVD_IN_MAPS_DUL net
header RCVD_IN_MAPS_RSS eval:check_rbl('rss', 'relays.mail-abuse.org.')
describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/
tflags RCVD_IN_MAPS_RSS net
header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.org.')
describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/
tflags RCVD_IN_MAPS_NML net
# if you're subscribed to RBL+, then comment out the above rules (just the
# "header" lines, not the "describe" or "tflags" lines) and uncomment the
# below lines
# The RBL+ variant queries one combined zone and tells the lists apart by
# the numeric sub-tests 1, 2, 4 and 8 (presumably bit masks over the answer;
# confirm in the Mail::SpamAssassin::Conf manual page).
#header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'rbl-plus.mail-abuse.org.', '1')
#header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-lastexternal', 'rbl-plus.mail-abuse.org.', '2')
#header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4')
#header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8')
#describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.org/ops/
#tflags RCVD_IN_MAPS_OPS net
# ---------------------------------------------------------------------------
# Section for DNS WL related lookups below.
# These are whitelist rules ("tflags ... nice"): a hit is meant to lower the
# spam score, so it matters which relay address is looked up.
#
# Sender Score Certified (formerly Bonded Sender, hence the legacy rule names):
# http://www.senderscorecertified.com/
#
# "-firsttrusted" set: checks the address recorded by the first trusted
# relay, i.e. one that was not supplied by the sender. This depends on the
# site's trusted-network settings being correct.
# The TXT answer must contain "bonded" (any letter case) for a hit.
header RCVD_IN_BSP_TRUSTED eval:check_rbl_txt('bsp-firsttrusted', 'sa-trusted.bondedsender.org.', '(?i:bonded)')
describe RCVD_IN_BSP_TRUSTED Sender is in Sender Score Certified (trusted relay)
tflags RCVD_IN_BSP_TRUSTED net nice
#reuse RCVD_IN_BSP_TRUSTED
# "-untrusted" set: checks addresses taken from Received headers that were
# not added by a trusted relay.
# NOTE(review): such headers are written by the sending side, so a hit here
# is weaker evidence than RCVD_IN_BSP_TRUSTED; give this rule little or no
# negative score.
header RCVD_IN_BSP_OTHER eval:check_rbl_txt('bsp-untrusted', 'sa-other.bondedsender.org.', '(?i:bonded)')
describe RCVD_IN_BSP_OTHER Sender is in Sender Score Certified (other relay)
tflags RCVD_IN_BSP_OTHER net nice
#reuse RCVD_IN_BSP_OTHER
# confirmed-opt-in list; see bug 5476
# A-record lookup with no sub-test: any answer from the zone counts as a hit.
header RCVD_IN_SSC_TRUSTED_COI eval:check_rbl('ssc-firsttrusted', 'plus.bondedsender.org.')
describe RCVD_IN_SSC_TRUSTED_COI Sender is in Sender Score Certified (confirmed opt-in)
tflags RCVD_IN_SSC_TRUSTED_COI net nice
#reuse RCVD_IN_SSC_TRUSTED_COI
# ---------------------------------------------------------------------------
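# IADB support ...
# Whitelist ("nice") lookup against the ISIPP IADB zone, limited to the
# address recorded by the first trusted relay (set 'iadb-firsttrusted').
header __RCVD_IN_IADB eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.')
tflags __RCVD_IN_IADB net nice
# Vouched-for senders are signalled by the answer 127.0.1.255. The sub-test
# is a regular expression, so its dots are escaped to match literal dots
# only, consistent with the escaped patterns used elsewhere in this file.
header RCVD_IN_IADB_VOUCHED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.1\.255$')
describe RCVD_IN_IADB_VOUCHED ISIPP IADB lists as vouched-for sender
tflags RCVD_IN_IADB_VOUCHED net nice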
# ---------------------------------------------------------------------------
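# Habeas Accredited Senders
# Last octet of the returned A record indicates the Habeas-assigned
# "Permission Level" of the Sender.
# 10 to 39 Personal, transactional, and Confirmed Opt In
# 40 to 59 Secure referrals and Single Opt In
# 60 to 99 Checked but not accredited by Habeas.
#
# sa-accredit.habeas.com is for SpamAssassin use.
#
# These are whitelist ("nice") rules, so each pattern is anchored with ^ and $
# to accept exactly a two-digit last octet in its documented range. Without
# the trailing anchor a three-digit octet would fall into one of the buckets
# by its first two digits (e.g. 127.0.0.100 would count as level "10").
#
# The first rule performs the lookup (set 'habeas-firsttrusted', i.e. the
# address recorded by the first trusted relay); the other two reuse its answer.
header HABEAS_ACCREDITED_COI eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.', '^127\.\d+\.\d+\.[123]\d$')
describe HABEAS_ACCREDITED_COI Habeas Accredited Confirmed Opt-In or Better
tflags HABEAS_ACCREDITED_COI net nice
header HABEAS_ACCREDITED_SOI eval:check_rbl_sub('habeas-firsttrusted', '^127\.\d+\.\d+\.[45]\d$')
describe HABEAS_ACCREDITED_SOI Habeas Accredited Opt-In or Better
tflags HABEAS_ACCREDITED_SOI net nice
header HABEAS_CHECKED eval:check_rbl_sub('habeas-firsttrusted', '^127\.\d+\.\d+\.[6789]\d$')
describe HABEAS_CHECKED Habeas Checked
tflags HABEAS_CHECKED net nice
# Habeas Accredited Senders, with check for "Accreditor Assertion"
# Same Habeas whitelist checks as above, but performed only if the Sender
# has specified Habeas as their accreditor in either the EnvelopeFrom or
# "Accreditor" header field. This reduces the DNS overhead, but will
# miss senders who are unable to add custom header fields.
#
# header HABEAS_ACCREDITED_COI eval:check_rbl_accreditor('accredit-firsttrusted', 'sa-accredit.habeas.com.', '^127\.\d+\.\d+\.[123]\d$', 'habeas')
# describe HABEAS_ACCREDITED_COI Habeas Accredited Confirmed Opt-In or Better
# tflags HABEAS_ACCREDITED_COI net nice
#
# header HABEAS_ACCREDITED_SOI eval:check_rbl_accreditor('accredit-firsttrusted', 'sa-accredit.habeas.com.', '^127\.\d+\.\d+\.[45]\d$', 'habeas')
# describe HABEAS_ACCREDITED_SOI Habeas Accredited Opt-In or Better
# tflags HABEAS_ACCREDITED_SOI net nice
#
# header HABEAS_CHECKED eval:check_rbl_accreditor('accredit-firsttrusted', 'sa-accredit.habeas.com.', '^127\.\d+\.\d+\.[6789]\d$', 'habeas')
# describe HABEAS_CHECKED Habeas Checked
# tflags HABEAS_CHECKED net nice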
endif