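# SpamAssassin - URIDNSBL rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

# Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded.
# Note that this plugin defines a new config setting, 'uridnsbl',
# which lists the zones to look up in advance. The rules will
# not hit unless each rule has a corresponding 'uridnsbl' line.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

###########################################################################
## Spamhaus

uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
tflags URIBL_SBL net
reuse URIBL_SBL

uridnssub URIBL_CSS zen.spamhaus.org. A 127.0.0.3
body URIBL_CSS eval:check_uridnsbl('URIBL_CSS')
describe URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS blocklist
tflags URIBL_CSS net
reuse URIBL_CSS

# Only works correctly from 3.4.3, earlier versions basically run as URIBL_SBL duplicate
if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_uridnsbl_for_a)
  uridnssub URIBL_SBL_A zen.spamhaus.org. A 127.0.0.2
  body URIBL_SBL_A eval:check_uridnsbl('URIBL_SBL_A')
  describe URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist
  tflags URIBL_SBL_A net a
  reuse URIBL_SBL_A

  uridnssub URIBL_CSS_A zen.spamhaus.org. A 127.0.0.3
  body URIBL_CSS_A eval:check_uridnsbl('URIBL_CSS_A')
  describe URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS blocklist
  tflags URIBL_CSS_A net a
  reuse URIBL_CSS_A
endif

# New blocked checks 10/2019
# 127.255.255.254 and 127.255.255.255 are answers that report a refused query,
# not a listing (see the URLs in the describe lines). While they are being
# returned, the zen.spamhaus.org rules above presumably cannot hit, so a hit
# here should be handled as a filtering outage to fix at the resolver.
uridnssub URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org. A 127.255.255.254
body URIBL_ZEN_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_ZEN_BLOCKED_OPENDNS')
describe URIBL_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
tflags URIBL_ZEN_BLOCKED_OPENDNS net
reuse URIBL_ZEN_BLOCKED_OPENDNS

# New blocked checks 10/2019
uridnssub URIBL_ZEN_BLOCKED zen.spamhaus.org. A 127.255.255.255
body URIBL_ZEN_BLOCKED eval:check_uridnsbl('URIBL_ZEN_BLOCKED')
describe URIBL_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
tflags URIBL_ZEN_BLOCKED net
reuse URIBL_ZEN_BLOCKED

# Where the installed version supports it, dns_block_rule temporarily stops
# further queries to the zone once the named "blocked" rule has hit.
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org
dns_block_rule URIBL_ZEN_BLOCKED zen.spamhaus.org
endif


# DBL, https://www.spamhaus.org/dbl/
# changes axb 05-17-2014: as per https://www.spamhaus.org/news/article/713/
# SH changes effective 06-01-2014
if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only)

urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2
body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM')
describe URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_SPAM net domains_only notrim
reuse URIBL_DBL_SPAM

urirhssub URIBL_DBL_PHISH dbl.spamhaus.org. A 127.0.1.4
body URIBL_DBL_PHISH eval:check_uridnsbl('URIBL_DBL_PHISH')
describe URIBL_DBL_PHISH Contains a Phishing URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_PHISH net domains_only notrim
reuse URIBL_DBL_PHISH

urirhssub URIBL_DBL_MALWARE dbl.spamhaus.org. A 127.0.1.5
body URIBL_DBL_MALWARE eval:check_uridnsbl('URIBL_DBL_MALWARE')
describe URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_MALWARE net domains_only notrim
reuse URIBL_DBL_MALWARE

# describe text corrected: "botned" -> "botnet"
urirhssub URIBL_DBL_BOTNETCC dbl.spamhaus.org. A 127.0.1.6
body URIBL_DBL_BOTNETCC eval:check_uridnsbl('URIBL_DBL_BOTNETCC')
describe URIBL_DBL_BOTNETCC Contains a botnet C&C URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_BOTNETCC net domains_only notrim
reuse URIBL_DBL_BOTNETCC

urirhssub URIBL_DBL_ABUSE_SPAM dbl.spamhaus.org. A 127.0.1.102
body URIBL_DBL_ABUSE_SPAM eval:check_uridnsbl('URIBL_DBL_ABUSE_SPAM')
describe URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_SPAM net domains_only notrim
reuse URIBL_DBL_ABUSE_SPAM

urirhssub URIBL_DBL_ABUSE_REDIR dbl.spamhaus.org. A 127.0.1.103
body URIBL_DBL_ABUSE_REDIR eval:check_uridnsbl('URIBL_DBL_ABUSE_REDIR')
describe URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_REDIR net domains_only notrim
reuse URIBL_DBL_ABUSE_REDIR

urirhssub URIBL_DBL_ABUSE_PHISH dbl.spamhaus.org. A 127.0.1.104
body URIBL_DBL_ABUSE_PHISH eval:check_uridnsbl('URIBL_DBL_ABUSE_PHISH')
describe URIBL_DBL_ABUSE_PHISH Contains an abused phishing URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_PHISH net domains_only notrim
reuse URIBL_DBL_ABUSE_PHISH

urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105
body URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW')
describe URIBL_DBL_ABUSE_MALW Contains an abused malware URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_MALW net domains_only notrim
reuse URIBL_DBL_ABUSE_MALW

urirhssub URIBL_DBL_ABUSE_BOTCC dbl.spamhaus.org. A 127.0.1.106
body URIBL_DBL_ABUSE_BOTCC eval:check_uridnsbl('URIBL_DBL_ABUSE_BOTCC')
describe URIBL_DBL_ABUSE_BOTCC Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_BOTCC net domains_only notrim
reuse URIBL_DBL_ABUSE_BOTCC


# this indicates that IP-address queries were sent to DBL, and should
# never appear; if it does, something is wrong with SpamAssassin
urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255
body URIBL_DBL_ERROR eval:check_uridnsbl('URIBL_DBL_ERROR')
describe URIBL_DBL_ERROR Error: queried the Spamhaus DBL blocklist for an IP
tflags URIBL_DBL_ERROR net domains_only notrim
reuse URIBL_DBL_ERROR

# New blocked checks 10/2019
# As with the zen rules: these two return codes report a refused query, not a
# listing, so a hit means the DBL rules above are presumably not being answered.
urirhssub URIBL_DBL_BLOCKED_OPENDNS dbl.spamhaus.org. A 127.255.255.254
body URIBL_DBL_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_DBL_BLOCKED_OPENDNS')
describe URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
tflags URIBL_DBL_BLOCKED_OPENDNS net domains_only notrim
reuse URIBL_DBL_BLOCKED_OPENDNS

# New blocked checks 10/2019
urirhssub URIBL_DBL_BLOCKED dbl.spamhaus.org. A 127.255.255.255
body URIBL_DBL_BLOCKED eval:check_uridnsbl('URIBL_DBL_BLOCKED')
describe URIBL_DBL_BLOCKED ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
tflags URIBL_DBL_BLOCKED net domains_only notrim
reuse URIBL_DBL_BLOCKED

endif

###########################################################################
## SURBL

#MERGED INTO BIT 64 per bug 7279
#urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
#body URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL')
#describe URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
#tflags URIBL_SC_SURBL net notrim
#reuse URIBL_SC_SURBL

urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL')
describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
tflags URIBL_WS_SURBL net notrim
reuse URIBL_WS_SURBL

urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL')
describe URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
tflags URIBL_PH_SURBL net notrim
reuse URIBL_PH_SURBL

urirhssub URIBL_MW_SURBL multi.surbl.org. A 16
body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL')
describe URIBL_MW_SURBL Contains a URL listed in the MW SURBL blocklist
tflags URIBL_MW_SURBL net notrim
reuse URIBL_MW_SURBL

urirhssub URIBL_CR_SURBL multi.surbl.org. A 128
body URIBL_CR_SURBL eval:check_uridnsbl('URIBL_CR_SURBL')
describe URIBL_CR_SURBL Contains an URL listed in the CR SURBL blocklist
tflags URIBL_CR_SURBL net notrim
reuse URIBL_CR_SURBL

#MERGED INTO BIT 64 per bug 7279
#urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
#body URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL')
#describe URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
#tflags URIBL_AB_SURBL net notrim
#reuse URIBL_AB_SURBL

#JP MOVED INTO ABUSE AS WELL AND BIT REUSED per bug 7279
urirhssub URIBL_ABUSE_SURBL multi.surbl.org. A 64
body URIBL_ABUSE_SURBL eval:check_uridnsbl('URIBL_ABUSE_SURBL')
describe URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
tflags URIBL_ABUSE_SURBL net notrim
reuse URIBL_ABUSE_SURBL

#SURBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you.
urirhssub SURBL_BLOCKED multi.surbl.org. A 1
body SURBL_BLOCKED eval:check_uridnsbl('SURBL_BLOCKED')
describe SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags SURBL_BLOCKED net noautolearn notrim
reuse SURBL_BLOCKED

if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule SURBL_BLOCKED multi.surbl.org
endif

###########################################################################
## URIBL

urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
reuse URIBL_BLACK

urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
reuse URIBL_GREY

urirhssub URIBL_RED multi.uribl.com. A 8
body URIBL_RED eval:check_uridnsbl('URIBL_RED')
describe URIBL_RED Contains an URL listed in the URIBL redlist
tflags URIBL_RED net
reuse URIBL_RED

#URIBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you.
urirhssub URIBL_BLOCKED multi.uribl.com. A 1
body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED')
describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags URIBL_BLOCKED net noautolearn
reuse URIBL_BLOCKED

if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule URIBL_BLOCKED multi.uribl.com
endif

###########################################################################
## DOMAINS TO SKIP (KNOWN GOOD)
#
# NOTE(review): domains listed here are skipped for the URIBL checks in this
# file. Several entries are shorteners, redirectors, or hosting/CDN services
# where third parties control what a link leads to (e.g. tinyurl.com, goo.gl,
# t.co, youtu.be, amazonaws.com, cloudfront.net, googleusercontent.com,
# dropbox.com, docs.google.com). Abuse hosted under them will not be caught
# by these rules and has to be covered by other checks. A site that wants
# lookups for one of them can adjust the list from local.cf
# (clear_uridnsbl_skip_domain, where the installed version provides it).

# Linting
uridnsbl_skip_domain taint.org

# Don't bother looking for example domains as per RFC 2606.
uridnsbl_skip_domain example.com example.net example.org

uridnsbl_skip_domain local.cf

# MUA CSS class definitions
uridnsbl_skip_domain div.tk p.tk li.tk no.tk

# (roughly) top 200 domains not blacklisted by SURBL
uridnsbl_skip_domain 126.com 163.com 2o7.net 4at1.com
uridnsbl_skip_domain 5iantlavalamp.com about.com adelphia.net adobe.com addthis.com
uridnsbl_skip_domain agora-inc.com agoramedia.com akamai.net
uridnsbl_skip_domain akamaitech.net amazon.com ancestry.com aol.com
uridnsbl_skip_domain apache.org apple.com arcamax.com astrology.com apple.news
uridnsbl_skip_domain atdmt.com att.net bbc.co.uk
uridnsbl_skip_domain bcentral.com bellsouth.net bfi0.com
uridnsbl_skip_domain bridgetrack.com cafe24.com charter.net
uridnsbl_skip_domain citibank.com citizensbank.com cjb.net
uridnsbl_skip_domain classmates.com clickbank.net cnet.com
uridnsbl_skip_domain cnn.com com.com com.ne.kr comcast.net
uridnsbl_skip_domain corporate-ir.net cox.net cs.com
uridnsbl_skip_domain custhelp.com daum.net dd.se debian.org
uridnsbl_skip_domain dell.com directtrack.com directnic.com domain.com
uridnsbl_skip_domain dsbl.org earthlink.net ebay.co.uk ebay.com
uridnsbl_skip_domain ebayimg.com ebaystatic.com edgesuite.net ediets.com
uridnsbl_skip_domain egroups.com emode.com excite.com f-secure.com
uridnsbl_skip_domain free.fr freebsd.org
uridnsbl_skip_domain gentoo.org geocities.com gmail.com gmx.net
uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com
uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com
uridnsbl_skip_domain hotpop.com hp.com ibm.com incredimail.com
uridnsbl_skip_domain investorplace.com ivillage.com joingevalia.com
uridnsbl_skip_domain juno.com kernel.org livejournal.com lycos.com
uridnsbl_skip_domain m7z.net mac.com macromedia.com
uridnsbl_skip_domain mail.com mail.ru mailscanner.info marketwatch.com
uridnsbl_skip_domain mcafee.com mchsi.com messagelabs.com
uridnsbl_skip_domain microsoft.com military.com mindspring.com mit.edu
uridnsbl_skip_domain monster.com msn.com nate.com
uridnsbl_skip_domain netflix.com netscape.com netscape.net netzero.net
uridnsbl_skip_domain norman.com nytimes.com optonline.net osdn.com
uridnsbl_skip_domain overstock.com pacbell.net pandasoftware.com
uridnsbl_skip_domain paypal.com peoplepc.com plaxo.com
uridnsbl_skip_domain prodigy.net radaruol.com.br
uridnsbl_skip_domain real.com redhat.com regions.com regionsnet.com
uridnsbl_skip_domain rogers.com rr.com sbcglobal.net sec.gov sf.net
uridnsbl_skip_domain shaw.ca shockwave.com smithbarney.com
uridnsbl_skip_domain sourceforge.net spamcop.net speedera.net sportsline.com
uridnsbl_skip_domain sun.com suntrust.com sympatico.ca t-online.de
uridnsbl_skip_domain tails.nl telus.net terra.com.br ticketmaster.com
uridnsbl_skip_domain tinyurl.com tiscali.co.uk tom.com
uridnsbl_skip_domain tone.co.nz tux.org uol.com.br
uridnsbl_skip_domain ups.com verizon.net w3.org usps.com
uridnsbl_skip_domain wamu.com wanadoo.fr washingtonpost.com weatherbug.com
uridnsbl_skip_domain web.de webshots.com webtv.net wsj.com
uridnsbl_skip_domain yahoo.ca yahoo.co.kr yahoo.co.uk
uridnsbl_skip_domain yahoo.com yahoo.com.br yahoogroups.com yimg.com
uridnsbl_skip_domain yopi.de yoursite.com zdnet.com
uridnsbl_skip_domain openxmlformats.org passport.com xmlsoap.org
uridnsbl_skip_domain abc.xyz avast.com schema.org

# wtogami's most frequent known good URIDNSBL lookups (1/1/2011)
uridnsbl_skip_domain alexa.com ask.com baidu.com bing.com craigslist.org
uridnsbl_skip_domain doubleclick.com ebay.de facebook.com flickr.com godaddy.com
uridnsbl_skip_domain google.co.in google.it mozilla.com myspace.com rediff.com
uridnsbl_skip_domain twitter.com wordpress.com yahoo.co.jp youtube.com

# axb's frequent known good URIDNSBL lookups

uridnsbl_skip_domain fedex.com
uridnsbl_skip_domain openoffice.org
uridnsbl_skip_domain vk.com

# pointless footer noise
uridnsbl_skip_domain security.cloud
uridnsbl_skip_domain yac.mx

# Microsoft on ns1.msedge.net
uridnsbl_skip_domain microsofttranslator.com office.com microsoftonline.com bing.com msedge.net

# Some frequent known good URIDNSBL lookups 3.10.2018 -hk
uridnsbl_skip_domain aka.ms akamaihd.net alibaba.com alicdn.com amazon.co.uk
uridnsbl_skip_domain amazon.de amazonaws.com amazonses.com bandcamp.com
uridnsbl_skip_domain booking.com cdninstagram.com cloudfront.net dhl.com
uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr
uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi
uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com
uridnsbl_skip_domain google.de google.fi googleapis.com googleusercontent.com
uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com
uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com
uridnsbl_skip_domain media-amazon.com mtasv.net mzstatic.com nebula.fi
uridnsbl_skip_domain nic.fi onmicrosoft.com oracle.com paypalobjects.com
uridnsbl_skip_domain pinimg.com pinterest.com posti.com posti.fi pstmrk.it
uridnsbl_skip_domain skype.com soundcloud.com ssl-images-amazon.com
uridnsbl_skip_domain suomi24.fi t.co telia.com telia.fi tnt.com tori.fi
uridnsbl_skip_domain tripadvisor.com twimg.com youtu.be
# Some more frequent known good URIDNSBL lookups 10.4.2020 -hk
uridnsbl_skip_domain docs.google.com etuovi.com iki.fi nflxext.com nflximg.com
uridnsbl_skip_domain nflximg.net outlook.com postnord.com postnord.fi postnord.no
uridnsbl_skip_domain saunalahti.fi

endif # Mail::SpamAssassin::Plugin::URIDNSBL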