# SpamAssassin rules file: DNS blacklist tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail3/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################

require_version 2.63

# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().

# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# Well, at least NJABL doesn't, it seems, as of Apr 7 2003.

# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/

header RCVD_IN_NJABL        eval:check_rbl('njabl', 'dnsbl.njabl.org.')
describe RCVD_IN_NJABL        Received via a relay in dnsbl.njabl.org
tflags RCVD_IN_NJABL        net

header RCVD_IN_NJABL_RELAY    eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY    NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY    net

header RCVD_IN_NJABL_DIALUP    eval:check_rbl('njabl-notfirsthop', 'dnsbl.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DIALUP    NJABL: dialup sender did non-local SMTP
tflags RCVD_IN_NJABL_DIALUP    net

header RCVD_IN_NJABL_SPAM    eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM    NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM    net

header RCVD_IN_NJABL_MULTI    eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI    NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI    net

header RCVD_IN_NJABL_CGI    eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI    NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI    net

header RCVD_IN_NJABL_PROXY    eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY    NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY    net

# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request

header RCVD_IN_SORBS        eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS        SORBS: sender is listed in SORBS
tflags RCVD_IN_SORBS        net

header RCVD_IN_SORBS_HTTP    eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP    SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP    net

header RCVD_IN_SORBS_SOCKS    eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS    SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS    net

header RCVD_IN_SORBS_MISC    eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC    SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC    net

header RCVD_IN_SORBS_SMTP    eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP    SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP    net

header RCVD_IN_SORBS_SPAM    eval:check_rbl_sub('sorbs', '127.0.0.6')
describe RCVD_IN_SORBS_SPAM    SORBS: spam source or spam-supporting ISP
tflags RCVD_IN_SORBS_SPAM    net

header RCVD_IN_SORBS_WEB    eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB    SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB    net

header RCVD_IN_SORBS_BLOCK    eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK    SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK    net

header RCVD_IN_SORBS_ZOMBIE    eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE    SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE    net

# Dynablock used to be at easynet.nl; closed down there, but reopened
# by SORBS.
header RCVD_IN_DYNABLOCK        eval:check_rbl('sorbs-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_DYNABLOCK      Sent directly from dynamic IP address
tflags RCVD_IN_DYNABLOCK        net

# ---------------------------------------------------------------------------
# OPM (recommended, supports TXT queries, but A queries needed for sub-tests)
# transfers: axfr/ixfr for trusted sites
# url: http://opm.blitzed.org/
# pay-to-use: no
# delist: automatic expiry, no fee, retested on request (free)

header RCVD_IN_OPM        eval:check_rbl('opm', 'opm.blitzed.org.')
describe RCVD_IN_OPM        Received via a relay in opm.blitzed.org
tflags RCVD_IN_OPM        net

header RCVD_IN_OPM_WINGATE    eval:check_rbl_sub('opm', '1')
describe RCVD_IN_OPM_WINGATE    OPM: sender is open WinGate proxy
tflags RCVD_IN_OPM_WINGATE    net

header RCVD_IN_OPM_SOCKS    eval:check_rbl_sub('opm', '2')
describe RCVD_IN_OPM_SOCKS    OPM: sender is open SOCKS proxy
tflags RCVD_IN_OPM_SOCKS    net

header RCVD_IN_OPM_HTTP        eval:check_rbl_sub('opm', '4')
describe RCVD_IN_OPM_HTTP    OPM: sender is open HTTP CONNECT proxy
tflags RCVD_IN_OPM_HTTP        net

header RCVD_IN_OPM_ROUTER    eval:check_rbl_sub('opm', '8')
describe RCVD_IN_OPM_ROUTER    OPM: sender is open router proxy
tflags RCVD_IN_OPM_ROUTER    net

header RCVD_IN_OPM_HTTP_POST    eval:check_rbl_sub('opm', '16')
describe RCVD_IN_OPM_HTTP_POST    OPM: sender is open HTTP POST proxy
tflags RCVD_IN_OPM_HTTP_POST    net

# ---------------------------------------------------------------------------
# Now, single zone BLs follow:

# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
header RCVD_IN_SBL        eval:check_rbl_txt('sbl', 'sbl.spamhaus.org.')
describe RCVD_IN_SBL        Received via a relay in Spamhaus Block List
tflags RCVD_IN_SBL        net

# DSBL catches open relays, badly-installed CGI scripts and open SOCKS and
# HTTP proxies.  list.dsbl.org lists servers tested by "trusted" users,
# multihop.dsbl.org lists servers which open SMTP servers relay through,
# unconfirmed.dsbl.org lists servers tested by "untrusted" users.
# See http://dsbl.org/ for full details.
# transfers: yes - rsync and http, see http://dsbl.org/usage
# pay-to-use: no
# delist: automated/distributed
header RCVD_IN_DSBL        eval:check_rbl_txt('dsbl', 'list.dsbl.org.')
describe RCVD_IN_DSBL        Received via a relay in list.dsbl.org
tflags RCVD_IN_DSBL        net

# Other miscellaneous RBLs are listed here:
header RCVD_IN_RFCI        eval:check_rbl_txt('rfci', 'ipwhois.rfc-ignorant.org.')
describe RCVD_IN_RFCI        Sent via a relay in ipwhois.rfc-ignorant.org
tflags RCVD_IN_RFCI        net

# DSN is a domain-based blacklist
header DNS_FROM_RFCI_DSN    eval:check_rbl_from_host('rfci-dsn', 'dsn.rfc-ignorant.org.')
describe DNS_FROM_RFCI_DSN    From: sender listed in dsn.rfc-ignorant.org
tflags DNS_FROM_RFCI_DSN    net

# sa-hil.habeas.com for SpamAssassin queries
# hil.habeas.com for everything else
header HABEAS_VIOLATOR        eval:check_rbl_swe('hil', 'sa-hil.habeas.com.')
describe HABEAS_VIOLATOR    Has Habeas warrant mark and on Infringer List
tflags HABEAS_VIOLATOR        net

header RCVD_IN_BSP_TRUSTED    eval:check_rbl_txt('bsp-firsttrusted', 'sa-trusted.bondedsender.org.')
describe RCVD_IN_BSP_TRUSTED    Sender is in Bonded Sender Program (trusted relay)
tflags RCVD_IN_BSP_TRUSTED    net nice

header RCVD_IN_BSP_OTHER    eval:check_rbl_txt('bsp-untrusted', 'sa-other.bondedsender.org.')
describe RCVD_IN_BSP_OTHER    Sender is in Bonded Sender Program (other relay)
tflags RCVD_IN_BSP_OTHER    net nice

# SenderBase provides information about senders
# sa.senderbase.org for SpamAssassin queries
# test.senderbase.org for everything else (until SenderBase is in production)
#header SENDERBASE net

# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details

header RCVD_IN_BL_SPAMCOP_NET    eval:check_rbl_txt('spamcop', 'bl.spamcop.net.')
describe RCVD_IN_BL_SPAMCOP_NET    Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET    net

# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details

header RCVD_IN_MAPS_RBL        eval:check_rbl('rbl', 'blackholes.mail-abuse.org.')
describe RCVD_IN_MAPS_RBL    Relay in RBL, http://www.mail-abuse.org/rbl/
tflags RCVD_IN_MAPS_RBL        net

header RCVD_IN_MAPS_DUL        eval:check_rbl('dialup-notfirsthop', 'dialups.mail-abuse.org.')
describe RCVD_IN_MAPS_DUL    Relay in DUL, http://www.mail-abuse.org/dul/
tflags RCVD_IN_MAPS_DUL        net

header RCVD_IN_MAPS_RSS        eval:check_rbl('rss', 'relays.mail-abuse.org.')
describe RCVD_IN_MAPS_RSS    Relay in RSS, http://www.mail-abuse.org/rss/
tflags RCVD_IN_MAPS_RSS        net

header RCVD_IN_MAPS_NML        eval:check_rbl('nml', 'nonconfirm.mail-abuse.org.')
describe RCVD_IN_MAPS_NML    Relay in NML, http://www.mail-abuse.org/nml/
tflags RCVD_IN_MAPS_NML        net

# if you're subscribed to RBL+, then comment out the above rules (just the
# "header" lines, not the "describe" or "tflags" lines) and uncomment the
# below lines
#header RCVD_IN_MAPS_RBL    eval:check_rbl('rblplus', 'rbl-plus.mail-abuse.org.', '1')
#header RCVD_IN_MAPS_DUL    eval:check_rbl('rblplus-notfirsthop', 'rbl-plus.mail-abuse.org.', '2')
#header RCVD_IN_MAPS_RSS    eval:check_rbl_sub('rblplus', '4')
#header RCVD_IN_MAPS_OPS    eval:check_rbl_sub('rblplus', '8')
#describe RCVD_IN_MAPS_OPS    Relay in OPS, http://www.mail-abuse.org/ops/
#tflags RCVD_IN_MAPS_OPS    net