| # SpamAssassin - URIDNSBL rules |
| # |
| # Please don't modify this file as your changes will be overwritten with |
| # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. |
| # See 'perldoc Mail::SpamAssassin::Conf' for details. |
| # |
| # <@LICENSE> |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to you under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at: |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # </@LICENSE> |
| # |
| ########################################################################### |
| |
| # Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded. |
| # Note that this plugin defines a new config setting, 'uridnsbl', |
| # which lists the zones to look up in advance. The rules will |
| # not hit unless each rule has a corresponding 'uridnsbl' line. |
| |
| ifplugin Mail::SpamAssassin::Plugin::URIDNSBL |
| |
| ########################################################################### |
| ## Spamhaus |
| |
| uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2 |
| body URIBL_SBL eval:check_uridnsbl('URIBL_SBL') |
| describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist |
| tflags URIBL_SBL net |
| reuse URIBL_SBL |
| |
| uridnssub URIBL_CSS zen.spamhaus.org. A 127.0.0.3 |
| body URIBL_CSS eval:check_uridnsbl('URIBL_CSS') |
| describe URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS blocklist |
| tflags URIBL_CSS net |
| reuse URIBL_CSS |
| |
| # Only works correctly from 3.4.3, earlier versions basically run as URIBL_SBL duplicate |
| if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_uridnsbl_for_a) |
| uridnssub URIBL_SBL_A zen.spamhaus.org. A 127.0.0.2 |
| body URIBL_SBL_A eval:check_uridnsbl('URIBL_SBL_A') |
| describe URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist |
| tflags URIBL_SBL_A net a |
| reuse URIBL_SBL_A |
| |
| uridnssub URIBL_CSS_A zen.spamhaus.org. A 127.0.0.3 |
| body URIBL_CSS_A eval:check_uridnsbl('URIBL_CSS_A') |
| describe URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS blocklist |
| tflags URIBL_CSS_A net a |
| reuse URIBL_CSS_A |
| endif |
| |
| # DBL, https://www.spamhaus.org/dbl/ |
| # changes axb 05-17-2014: as per https://www.spamhaus.org/news/article/713/ |
| # SH changes effective 06-01-2014 |
| if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only) |
| |
| urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2 |
| body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM') |
| describe URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_SPAM net domains_only |
| reuse URIBL_DBL_SPAM |
| |
| urirhssub URIBL_DBL_PHISH dbl.spamhaus.org. A 127.0.1.4 |
| body URIBL_DBL_PHISH eval:check_uridnsbl('URIBL_DBL_PHISH') |
| describe URIBL_DBL_PHISH Contains a Phishing URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_PHISH net domains_only |
| reuse URIBL_DBL_PHISH |
| |
| urirhssub URIBL_DBL_MALWARE dbl.spamhaus.org. A 127.0.1.5 |
| body URIBL_DBL_MALWARE eval:check_uridnsbl('URIBL_DBL_MALWARE') |
| describe URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_MALWARE net domains_only |
| reuse URIBL_DBL_MALWARE |
| |
| urirhssub URIBL_DBL_BOTNETCC dbl.spamhaus.org. A 127.0.1.6 |
| body URIBL_DBL_BOTNETCC eval:check_uridnsbl('URIBL_DBL_BOTNETCC') |
| describe URIBL_DBL_BOTNETCC Contains a botned C&C URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_BOTNETCC net domains_only |
| reuse URIBL_DBL_BOTNETCC |
| |
| urirhssub URIBL_DBL_ABUSE_SPAM dbl.spamhaus.org. A 127.0.1.102 |
| body URIBL_DBL_ABUSE_SPAM eval:check_uridnsbl('URIBL_DBL_ABUSE_SPAM') |
| describe URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_ABUSE_SPAM net domains_only |
| reuse URIBL_DBL_ABUSE_SPAM |
| |
| urirhssub URIBL_DBL_ABUSE_REDIR dbl.spamhaus.org. A 127.0.1.103 |
| body URIBL_DBL_ABUSE_REDIR eval:check_uridnsbl('URIBL_DBL_ABUSE_REDIR') |
| describe URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_ABUSE_REDIR net domains_only |
| reuse URIBL_DBL_ABUSE_REDIR |
| |
| urirhssub URIBL_DBL_ABUSE_PHISH dbl.spamhaus.org. A 127.0.1.104 |
| body URIBL_DBL_ABUSE_PHISH eval:check_uridnsbl('URIBL_DBL_ABUSE_PHISH') |
| describe URIBL_DBL_ABUSE_PHISH Contains an abused phishing URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_ABUSE_PHISH net domains_only |
| reuse URIBL_DBL_ABUSE_PHISH |
| |
| urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105 |
| body URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW') |
| describe URIBL_DBL_ABUSE_MALW Contains an abused malware URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_ABUSE_MALW net domains_only |
| reuse URIBL_DBL_ABUSE_MALW |
| |
| urirhssub URIBL_DBL_ABUSE_BOTCC dbl.spamhaus.org. A 127.0.1.106 |
| body URIBL_DBL_ABUSE_BOTCC eval:check_uridnsbl('URIBL_DBL_ABUSE_BOTCC') |
| describe URIBL_DBL_ABUSE_BOTCC Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist |
| tflags URIBL_DBL_ABUSE_BOTCC net domains_only |
| reuse URIBL_DBL_ABUSE_BOTCC |
| |
| |
| # this indicates that IP-address queries were sent to DBL, and should |
| # never appear; if it does, something is wrong with SpamAssassin |
| urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255 |
| body URIBL_DBL_ERROR eval:check_uridnsbl('URIBL_DBL_ERROR') |
| describe URIBL_DBL_ERROR Error: queried the Spamhaus DBL blocklist for an IP |
| tflags URIBL_DBL_ERROR net domains_only |
| reuse URIBL_DBL_ERROR |
| |
| endif |
| |
| ########################################################################### |
| ## SURBL |
| |
| #MERGED INTO BIT 64 per bug 7279 |
| #urirhssub URIBL_SC_SURBL multi.surbl.org. A 2 |
| #body URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL') |
| #describe URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist |
| #tflags URIBL_SC_SURBL net |
| #reuse URIBL_SC_SURBL |
| |
| urirhssub URIBL_WS_SURBL multi.surbl.org. A 4 |
| body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL') |
| describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist |
| tflags URIBL_WS_SURBL net |
| reuse URIBL_WS_SURBL |
| |
| urirhssub URIBL_PH_SURBL multi.surbl.org. A 8 |
| body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL') |
| describe URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist |
| tflags URIBL_PH_SURBL net |
| reuse URIBL_PH_SURBL |
| |
| urirhssub URIBL_MW_SURBL multi.surbl.org. A 16 |
| body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL') |
| describe URIBL_MW_SURBL Contains a URL listed in the MW SURBL blocklist |
| tflags URIBL_MW_SURBL net |
| reuse URIBL_MW_SURBL |
| |
| urirhssub URIBL_CR_SURBL multi.surbl.org. A 128 |
| body URIBL_CR_SURBL eval:check_uridnsbl('URIBL_CR_SURBL') |
| describe URIBL_CR_SURBL Contains an URL listed in the CR SURBL blocklist |
| tflags URIBL_CR_SURBL net |
| reuse URIBL_CR_SURBL |
| |
| #MERGED INTO BIT 64 per bug 7279 |
| #urirhssub URIBL_AB_SURBL multi.surbl.org. A 32 |
| #body URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL') |
| #describe URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist |
| #tflags URIBL_AB_SURBL net |
| #reuse URIBL_AB_SURBL |
| |
| #JP MOVED INTO ABUSE AS WELL AND BIT REUSED per bug 7279 |
| urirhssub URIBL_ABUSE_SURBL multi.surbl.org. A 64 |
| body URIBL_ABUSE_SURBL eval:check_uridnsbl('URIBL_ABUSE_SURBL') |
| describe URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist |
| tflags URIBL_ABUSE_SURBL net |
| reuse URIBL_ABUSE_SURBL |
| |
| #SURBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you. |
| urirhssub SURBL_BLOCKED multi.surbl.org. A 1 |
| body SURBL_BLOCKED eval:check_uridnsbl('SURBL_BLOCKED') |
| describe SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. |
| tflags SURBL_BLOCKED net noautolearn |
| reuse SURBL_BLOCKED |
| |
| if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) |
| dns_block_rule SURBL_BLOCKED multi.surbl.org |
| endif |
| |
| ########################################################################### |
| ## URIBL |
| |
| urirhssub URIBL_BLACK multi.uribl.com. A 2 |
| body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK') |
| describe URIBL_BLACK Contains an URL listed in the URIBL blacklist |
| tflags URIBL_BLACK net |
| reuse URIBL_BLACK |
| |
| urirhssub URIBL_GREY multi.uribl.com. A 4 |
| body URIBL_GREY eval:check_uridnsbl('URIBL_GREY') |
| describe URIBL_GREY Contains an URL listed in the URIBL greylist |
| tflags URIBL_GREY net |
| reuse URIBL_GREY |
| |
| urirhssub URIBL_RED multi.uribl.com. A 8 |
| body URIBL_RED eval:check_uridnsbl('URIBL_RED') |
| describe URIBL_RED Contains an URL listed in the URIBL redlist |
| tflags URIBL_RED net |
| reuse URIBL_RED |
| |
| #URIBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you. |
| urirhssub URIBL_BLOCKED multi.uribl.com. A 1 |
| body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED') |
| describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. |
| tflags URIBL_BLOCKED net noautolearn |
| reuse URIBL_BLOCKED |
| |
| if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) |
| dns_block_rule URIBL_BLOCKED multi.uribl.com |
| endif |
| |
| ########################################################################### |
| ## DOMAINS TO SKIP (KNOWN GOOD) |
| |
| # Linting |
| uridnsbl_skip_domain taint.org |
| |
| # Don't bother looking for example domains as per RFC 2606. |
| uridnsbl_skip_domain example.com example.net example.org |
| |
| uridnsbl_skip_domain local.cf |
| |
| # MUA CSS class definitions |
| uridnsbl_skip_domain div.tk p.tk li.tk no.tk |
| |
| # (roughly) top 200 domains not blacklisted by SURBL |
| uridnsbl_skip_domain 126.com 163.com 2o7.net 4at1.com |
| uridnsbl_skip_domain 5iantlavalamp.com about.com adelphia.net adobe.com addthis.com |
| uridnsbl_skip_domain agora-inc.com agoramedia.com akamai.net |
| uridnsbl_skip_domain akamaitech.net amazon.com ancestry.com aol.com |
| uridnsbl_skip_domain apache.org apple.com arcamax.com astrology.com apple.news |
| uridnsbl_skip_domain atdmt.com att.net bbc.co.uk |
| uridnsbl_skip_domain bcentral.com bellsouth.net bfi0.com |
| uridnsbl_skip_domain bridgetrack.com cafe24.com charter.net |
| uridnsbl_skip_domain citibank.com citizensbank.com cjb.net |
| uridnsbl_skip_domain classmates.com clickbank.net cnet.com |
| uridnsbl_skip_domain cnn.com com.com com.ne.kr comcast.net |
| uridnsbl_skip_domain corporate-ir.net cox.net cs.com |
| uridnsbl_skip_domain custhelp.com daum.net dd.se debian.org |
| uridnsbl_skip_domain dell.com directtrack.com directnic.com domain.com |
| uridnsbl_skip_domain dsbl.org earthlink.net ebay.co.uk ebay.com |
| uridnsbl_skip_domain ebayimg.com ebaystatic.com edgesuite.net ediets.com |
| uridnsbl_skip_domain egroups.com emode.com excite.com f-secure.com |
| uridnsbl_skip_domain free.fr freebsd.org |
| uridnsbl_skip_domain gentoo.org geocities.com gmail.com gmx.net |
| uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com |
| uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com |
| uridnsbl_skip_domain hotpop.com hp.com ibm.com incredimail.com |
| uridnsbl_skip_domain investorplace.com ivillage.com joingevalia.com |
| uridnsbl_skip_domain juno.com kernel.org livejournal.com lycos.com |
| uridnsbl_skip_domain m7z.net mac.com macromedia.com |
| uridnsbl_skip_domain mail.com mail.ru mailscanner.info marketwatch.com |
| uridnsbl_skip_domain mcafee.com mchsi.com messagelabs.com |
| uridnsbl_skip_domain microsoft.com military.com mindspring.com mit.edu |
| uridnsbl_skip_domain monster.com msn.com nate.com |
| uridnsbl_skip_domain netflix.com netscape.com netscape.net netzero.net |
| uridnsbl_skip_domain norman.com nytimes.com optonline.net osdn.com |
| uridnsbl_skip_domain overstock.com pacbell.net pandasoftware.com |
| uridnsbl_skip_domain paypal.com peoplepc.com plaxo.com |
| uridnsbl_skip_domain prodigy.net radaruol.com.br |
| uridnsbl_skip_domain real.com redhat.com regions.com regionsnet.com |
| uridnsbl_skip_domain rogers.com rr.com sbcglobal.net sec.gov sf.net |
| uridnsbl_skip_domain shaw.ca shockwave.com smithbarney.com |
| uridnsbl_skip_domain sourceforge.net spamcop.net speedera.net sportsline.com |
| uridnsbl_skip_domain sun.com suntrust.com sympatico.ca t-online.de |
| uridnsbl_skip_domain tails.nl telus.net terra.com.br ticketmaster.com |
| uridnsbl_skip_domain tinyurl.com tiscali.co.uk tom.com |
| uridnsbl_skip_domain tone.co.nz tux.org uol.com.br |
| uridnsbl_skip_domain ups.com verizon.net w3.org usps.com |
| uridnsbl_skip_domain wamu.com wanadoo.fr washingtonpost.com weatherbug.com |
| uridnsbl_skip_domain web.de webshots.com webtv.net wsj.com |
| uridnsbl_skip_domain yahoo.ca yahoo.co.kr yahoo.co.uk |
| uridnsbl_skip_domain yahoo.com yahoo.com.br yahoogroups.com yimg.com |
| uridnsbl_skip_domain yopi.de yoursite.com zdnet.com |
| uridnsbl_skip_domain openxmlformats.org passport.com xmlsoap.org |
| uridnsbl_skip_domain abc.xyz avast.com schema.org |
| |
| # wtogami's most frequent known good URIDNSBL lookups (1/1/2011) |
| uridnsbl_skip_domain alexa.com ask.com baidu.com bing.com craigslist.org |
| uridnsbl_skip_domain doubleclick.com ebay.de facebook.com flickr.com godaddy.com |
| uridnsbl_skip_domain google.co.in google.it mozilla.com myspace.com rediff.com |
| uridnsbl_skip_domain twitter.com wordpress.com yahoo.co.jp youtube.com |
| |
| # axb's frequent known good URIDNSBL lookups |
| |
| uridnsbl_skip_domain fedex.com |
| uridnsbl_skip_domain openoffice.org |
| uridnsbl_skip_domain vk.com |
| |
| # pointless footer noise |
| uridnsbl_skip_domain security.cloud |
| uridnsbl_skip_domain yac.mx |
| |
| # Microsoft on ns1.msedge.net |
| uridnsbl_skip_domain microsofttranslator.com office.com microsoftonline.com bing.com msedge.net |
| |
| # Some frequent known good URIDNSBL lookups 3.10.2018 -hk |
| uridnsbl_skip_domain aka.ms akamaihd.net alibaba.com alicdn.com amazon.co.uk |
| uridnsbl_skip_domain amazon.de amazonaws.com amazonses.com bandcamp.com |
| uridnsbl_skip_domain booking.com cdninstagram.com cloudfront.net dhl.com |
| uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr |
| uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi |
| uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com |
| uridnsbl_skip_domain google.de google.fi googleapis.com googleusercontent.com |
| uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com |
| uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com |
| uridnsbl_skip_domain media-amazon.com mtasv.net mzstatic.com nebula.fi |
| uridnsbl_skip_domain nic.fi onmicrosoft.com oracle.com paypalobjects.com |
| uridnsbl_skip_domain pinimg.com pinterest.com posti.com posti.fi pstmrk.it |
| uridnsbl_skip_domain skype.com soundcloud.com ssl-images-amazon.com |
| uridnsbl_skip_domain suomi24.fi t.co telia.com telia.fi tnt.com tori.fi |
| uridnsbl_skip_domain tripadvisor.com twimg.com youtu.be |
| |
| endif # Mail::SpamAssassin::Plugin::URIDNSBL |