# SB-BLOCKLISTS-CONNECTING.RC
#
# SpamBouncer Blocklist Connecting IP Checks
#
# This series of recipes checks the IPs that connect to your mail server
# against various blocklists.
#
# Last Updated: 10/14/2016

# No section has reached a verdict yet.  Every lookup recipe in this file
# runs only while LOCALTAG is still "no".
LOCALTAG=no

# SpamHaus IP-based Blocklist Checks
#
#  This recipe checks all of the Spamhaus IP-based blocklists with a single
#  query against zen.spamhaus.org.

# LT2 becomes "yes" as soon as any one of the Spamhaus checks is enabled,
# so the DNS query is made only when at least one result would be used.
LT2=no

:0
* SBLCHECK ?? ^yes$
{
 LT2=yes
}

:0
* CSSCHECK ?? ^yes$
{
 LT2=yes
}

:0
* PBLCHECK ?? ^(ISP|SPAMHAUS|ALL)$
{
 LT2=yes
}

:0
* XBLCHECK ?? ^(CBL|ALL)$
{
 LT2=yes
}

# Check Connecting (first external) IP.
#
# Skipped when FIRSTEXIP still holds the all-zero placeholder.
:0
* LOCALTAG ?? ^no$
* LT2 ?? ^yes$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="zen.spamhaus.org"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone> once and keep the output of ${SBHOST} in
 # LISTCHECK; every sub-recipe below tests that one answer.
 # NOTE(review): because of the redirection, procmail hands this command to
 # the shell with the variables already expanded into it.  Confirm that the
 # recipe which sets FIRSTEXREVIP admits nothing but digits and dots.
 # NOTE(review): stderr is discarded, so a failed or refused lookup
 # presumably looks the same as "not listed" below.  Answers outside the
 # values tested here (Spamhaus also uses 127.255.255.x to signal query
 # errors) match none of the patterns and add no score.
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Each sub-recipe sets the list name, the expected answer and the score,
 # then includes dnsbl-sub.rc (not shown here), which presumably compares
 # LISTCHECK with LISTRESPONSE and applies LISTSCORE.
 # NOTE(review): the LISTRESPONSE patterns carry no end anchor; verify that
 # dnsbl-sub.rc anchors the comparison, otherwise "127\.0\.0\.2" would also
 # match a longer last octet that begins with 2.
 :0
 * SBLCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="the SBL"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * CSSCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.3"
  LISTNAME="the CSS"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * PBLCHECK ?? ^(ISP|ALL)$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.10"
  LISTNAME="the PBL (ISP)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * PBLCHECK ?? ^(SPAMHAUS|ALL)$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.11"
  LISTNAME="the PBL (SpamHaus)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * XBLCHECK ?? ^(CBL|ALL)$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.4"
  LISTNAME="the XBL (CBL)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables so the next section starts clean.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (test-threshold.rc is not shown here;
# presumably it is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, a message already tagged as spam skips all
# remaining blocklist lookups in this file.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# CBL check
#
# Checks cbl.abuseat.org, which is updated somewhat more
# frequently than zen.spamhaus.org, and contains some extra
# data. If a bot is spewing and Zen is down, this is a lifesaver.
#
# NOTE(review): this file was last updated in 2016.  Confirm that the zone
# is still operated before enabling CBLCHECK; a zone that has been retired
# can stop answering or answer every query the same way.

# Check Connecting (First External) IP
:0
* LOCALTAG ?? ^no$
* CBLCHECK ?? ^yes$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="cbl.abuseat.org"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * CBLCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="the CBL"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# Spamcop BL check
#
# Checks bl.spamcop.net, which lists IPs that have sent spam to
# Spamcop users.  This was at one time a very aggressive list
# with a high false positive count, but the FP count has dropped
# dramatically in the last few years.  I have therefore increased
# the score for Spamcop and included it in the default list of
# SpamBouncer blocklists.

# Check Connecting (First External) IP
:0
* LOCALTAG ?? ^no$
* SPAMCOPCHECK ?? ^yes$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="bl.spamcop.net"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * SPAMCOPCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="SpamCop"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# PSBL Check
#
# http://psbl.surriel.com
#
# Checks Rick van Rijn's Passive Spam Blocklist.  This is a low-FP
# easy-removal list of spam senders that often catches spam from IPs
# that are not in the SpamHaus or SpamCop blocklists yet.  This
# blocklist is suitable only for checking connecting IPs, not deep
# header parsing.
#
:0
* LOCALTAG ?? ^no$
* PSBLCHECK ?? ^yes$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="psbl.surriel.com"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * PSBLCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="the PSBL"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# ReturnPath Senderscore Reputation List
#
# http://www.senderscore.com
#
# Checks the ReturnPath SenderScore for the sending IP.  The patterns below
# read the last octet of the answer as the score: low values add to the
# spam score, high values subtract from it.

:0
* LOCALTAG ?? ^no$
* RPSSCHECK ?? ^(LOW|ALL)$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="score.senderscore.com"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "no score".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Penalty bands, applied for RPSSCHECK=LOW and RPSSCHECK=ALL.  Each band
 # sets its own level, pattern and score and then includes rpss-sub.rc
 # (not shown here), so the three includes must stay in this order.
 # NOTE(review): no pattern is anchored at its end.  Unless rpss-sub.rc
 # anchors the comparison itself, "127\.0\.0\.([0-9]|1[0-9])" also matches
 # the beginning of 127.0.0.100, which would score the best reputation as
 # "Worst" in addition to "Best".  Verify against rpss-sub.rc.
 :0
 * RPSSCHECK ?? ^(LOW|ALL)$
 {
  # Last octet 0-19.
  LISTNAME="Senderscore"
  LISTLEVEL="Worst"
  LISTRESPONSE="127\.0\.0\.([0-9]|1[0-9])"
  LISTSCORE="5"
  INCLUDERC=${SBDIR}/functions/rpss-sub.rc

  # Last octet 20-39.
  LISTNAME="Senderscore"
  LISTLEVEL="Bad"
  LISTRESPONSE="127\.0\.0\.([2-3][0-9])"
  LISTSCORE="4"
  INCLUDERC=${SBDIR}/functions/rpss-sub.rc

  # Last octet 40-59.
  LISTNAME="Senderscore"
  LISTLEVEL="Low"
  LISTRESPONSE="127\.0\.0\.([4-5][0-9])"
  LISTSCORE="3"
  INCLUDERC=${SBDIR}/functions/rpss-sub.rc
 }

 # Credit bands, applied only for RPSSCHECK=ALL.  The negative LISTSCORE
 # values lower the spam score for senders with a good reputation.
 :0
 * RPSSCHECK ?? ^ALL$
 {
  # Last octet 60-79.
  LISTNAME="Senderscore"
  LISTLEVEL="OK"
  LISTRESPONSE="127\.0\.0\.([6-7][0-9])"
  LISTSCORE="-3"
  INCLUDERC=${SBDIR}/functions/rpss-sub.rc

  # Last octet 80-89.
  LISTNAME="Senderscore"
  LISTLEVEL="Good"
  LISTRESPONSE="127\.0\.0\.(8[0-9])"
  LISTSCORE="-4"
  INCLUDERC=${SBDIR}/functions/rpss-sub.rc

  # Last octet 90-100.
  LISTNAME="Senderscore"
  LISTLEVEL="Best"
  LISTRESPONSE="127\.0\.0\.(9[0-9]|100)"
  LISTSCORE="-5"
  INCLUDERC=${SBDIR}/functions/rpss-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

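# MailSpike Reputation List
# http://mailspike.net/
#
# Reputation blocklist/whitelist combination. Blacklist is very accurate,
# and has a good catch rate and low FPs.
#
# Only the blacklist levels L5 to L2 are scored here.
# NOTE(review): unlike the other switches in this file, the MSPIKEREPCHECK
# patterns are not anchored with ^...$, so any value that merely contains
# one of the keywords enables the check.  Confirm whether that is intended
# (for example to allow several levels in one setting).
#
:0
* LOCALTAG ?? ^no$
* MSPIKEREPCHECK ?? (ALL|DEFAULT|BLACK|L5|L4|L3|L2)
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LT5=no
 LOCALDESCRIPTION="Connecting IP:"
 LOCALCHECK=${FIRSTEXIP}
 LOCALREVCHECK=${FIRSTEXREVIP}
 LISTSERVER="rep.mailspike.net"

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 { LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null` }

 # Levels are tried from worst to least bad.  The LT5 guard on the lower
 # levels skips them once LT5 is no longer "no"; presumably dnsbl-sub.rc
 # (not shown here) changes LT5 when a level matches.
 :0
 * MSPIKEREPCHECK ?? (ALL|DEFAULT|BLACK|L5)
 {
  LISTNAME="MailSpike Reputation (L5|Worst)"
  LISTRESPONSE="127\.0\.0\.10"
  LISTSCORE="5"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * LT5 ?? ^no$
 * MSPIKEREPCHECK ?? (ALL|DEFAULT|BLACK|L4)
 {
  LISTNAME="MailSpike Reputation (L4|Very Bad)"
  LISTRESPONSE="127\.0\.0\.11"
  LISTSCORE="4"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * LT5 ?? ^no$
 * MSPIKEREPCHECK ?? (ALL|DEFAULT|BLACK|L3)
 {
  LISTNAME="MailSpike Reputation (L3|Bad)"
  LISTRESPONSE="127\.0\.0\.12"
  LISTSCORE="3"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # L2 is not part of DEFAULT: it is scored only for ALL, BLACK or L2.
 :0
 * LT5 ?? ^no$
 * MSPIKEREPCHECK ?? (ALL|BLACK|L2)
 {
  LISTNAME="MailSpike Reputation (L2|Suspicious)"
  LISTRESPONSE="127\.0\.0\.13"
  LISTSCORE="2"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LISTSERVER='localhost'
 LOCALDESCRIPTION='Null'
}

# Re-evaluate the spam threshold before testing SPAMTAG, as every other
# section of this file does.  Without this include the recipe below only
# sees the SPAMTAG value left by the previous section, so a MailSpike hit
# could not stop the lookups that follow.
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* ! SBCONFIG ?? ^(Analyze|Debug)$
* SPAMTAG ?? ^yes$
{ LOCALTAG=yes }
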
# SORBS Checks
#
#  The Spam and Open Relay Blocking System (SORBS) has a DNSBL with
#  several useful lists.  They're all aggressive, and should be used
#  with caution.
#
# NOTE(review): this file was last updated in 2016.  Confirm that the zone
# is still operated before enabling any SORBS check; a zone that has been
# retired can stop answering or answer every query the same way.

# LT2 becomes "yes" as soon as any one of the SORBS checks is enabled.
# NOTE(review): SORBSPROXY2CHECK and SORBSSOCKSCHECK switch the lookup on
# here but have no scoring recipe of their own further down; with only one
# of those two enabled the query is made and nothing is scored.
LT2=no

:0
* SORBSCGICHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSDYNCHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSPROXYCHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSPROXY2CHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSRELAYCHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSSOCKSCHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSSPAMCHECK ?? ^yes$
{
 LT2=yes
}

:0
* SORBSZOMBIECHECK ?? ^yes$
{
 LT2=yes
}

# Check first external IP.
#
:0
* LOCALTAG ?? ^no$
* LT2 ?? ^yes$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="dnsbl.sorbs.net"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # One sub-recipe per SORBS answer code.  dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * SORBSPROXYCHECK ?? ^yes$
 {
  LISTSCORE="4"
  LISTRESPONSE="127\.0\.0\.(2|3|4)"
  LISTNAME="SORBS (open proxies)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * SORBSRELAYCHECK ?? ^yes$
 {
  LISTSCORE="4"
  LISTRESPONSE="127\.0\.0\.5"
  LISTNAME="SORBS (open relays)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * SORBSSPAMCHECK ?? ^yes$
 {
  LISTSCORE="3"
  LISTRESPONSE="127\.0\.0\.6"
  LISTNAME="SORBS (spam sources)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * SORBSCGICHECK ?? ^yes$
 {
  LISTSCORE="3"
  LISTRESPONSE="127\.0\.0\.7"
  LISTNAME="SORBS (insecure web forms)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 :0
 * SORBSZOMBIECHECK ?? ^yes$
 {
  LISTSCORE="3"
  LISTRESPONSE="127\.0\.0\.9"
  LISTNAME="SORBS (zombie netblocks)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Dynamic-IP listings carry the highest score of the SORBS results.
 :0
 * SORBSDYNCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.10"
  LISTNAME="SORBS (dynamic IPs)"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# EmailBasura
#
# http://www.emailbasura.org/
#
# Blocklist of spam maintained by people in Latin America.  Useful for
# Latin American users, or if you receive significant quantities of
# spam in Spanish or Portuguese that other blocklists and filters do not
# catch.
#
# NOTE(review): this file was last updated in 2016.  Confirm that the zone
# is still operated before enabling EBASURACHECK.

:0
* EBASURACHECK ?? ^yes$
* LOCALTAG ?? ^no$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="bl.emailbasura.org"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * EBASURACHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="EmailBasura"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# Fabel.DK (mostly Asian and South American IPs)
# http://www.spamsources.fabel.dk/
#
# Blocklist run much like the PSBL, blocking
# connecting IPs only, with easy self-removal.  Focuses
# on IPs in Asia and South America.
#
:0
* FABELDKCHECK ?? ^yes$
* LOCALTAG ?? ^no$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="spamsources.fabel.dk"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * FABELDKCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="Fabel.dk"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# ScientificSpam
# http://www.scientificspam.net/
#
# Blocklist of spammers who spam people in academia
# and research.

:0
* SCISPAMCHECK ?? ^yes$
* LOCALTAG ?? ^no$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="bl.scientificspam.net"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * SCISPAMCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="ScientificSpam"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# Suomispam
# http://www.suomispam.net/
#
# Blocklist of spammers who spam users in Finland
# and surrounding Baltic and Scandinavian countries.

:0
* SUOMISCHECK ?? ^yes$
* LOCALTAG ?? ^no$
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
{
 LISTSERVER="bl.suomispam.net"
 LOCALDESCRIPTION="Connecting IP:"
 LOCALREVCHECK=${FIRSTEXREVIP}
 LOCALCHECK=${FIRSTEXIP}
 LT5=no

 # Query <reversed IP>.<zone>; the output of ${SBHOST} lands in LISTCHECK.
 # NOTE(review): the variables are expanded into a shell command line;
 # confirm FIRSTEXREVIP is restricted to digits and dots where it is set.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALREVCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as the outer recipe; dnsbl-sub.rc (not shown here)
 # presumably matches LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * SUOMISCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.0\.2"
  LISTNAME="SuomiSpam"
  INCLUDERC=${SBDIR}/functions/dnsbl-sub.rc
 }

 # Reset the shared lookup variables for the next section.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, stop further lookups once the message is
# tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}

# Spamhaus DBL Blocklist
#
#  Checks the SpamHaus Domains Blocklist (DBL), which uses
#  a different zone than the Spamhaus IP-based blocklists do.
#  That means a separate recipe.

# LT2 records whether the DBL check is enabled.
LT2=no

:0
* DBLCHECK ?? ^yes$
{
 LT2=yes
}

# Check First External Received Domain.
#
# Skipped when FIRSTEXDOMAIN still holds the example.com placeholder.
:0
* LOCALTAG ?? ^no$
* LT2 ?? ^yes$
* ! FIRSTEXDOMAIN ?? ^example\.com$
{
 LISTSERVER="dbl.spamhaus.org"
 LOCALDESCRIPTION="Connecting Domain:"
 LOCALCHECK=${FIRSTEXDOMAIN}
 LT5=no

 # Query <domain>.<zone> (the domain itself, not a reversed IP) and keep
 # the output of ${SBHOST} in LISTCHECK.
 # NOTE(review): because of the redirection, procmail hands this command to
 # the shell with the variables already expanded into it, and here the
 # value is a domain name taken from the message rather than an IP.
 # Confirm that the recipe which sets FIRSTEXDOMAIN admits only hostname
 # characters (letters, digits, dot, hyphen) before this lookup can run.
 # stderr is discarded, so a failed lookup presumably reads as "not listed".
 :0
 {
  LISTCHECK=`${SBHOST} ${LOCALCHECK}.${LISTSERVER} 2> /dev/null`
 }

 # Same switch as above; rhsbl-sub.rc (not shown here) presumably matches
 # LISTCHECK against LISTRESPONSE and applies LISTSCORE.
 :0
 * DBLCHECK ?? ^yes$
 {
  LISTSCORE="5"
  LISTRESPONSE="127\.0\.1\.2"
  LISTNAME="DBL"
  INCLUDERC=${SBDIR}/functions/rhsbl-sub.rc
 }

 # Reset the shared lookup variables.
 LOCALDESCRIPTION='Null'
 LISTSERVER='localhost'
}

# Re-evaluate the spam threshold (presumably this is what sets SPAMTAG).
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Outside Analyze/Debug mode, record that the message is tagged as spam.
:0
* SPAMTAG ?? ^yes$
* ! SBCONFIG ?? ^(Analyze|Debug)$
{
 LOCALTAG=yes
}
