Lines 183-248
|
183 |
header POST_IN_RCVD Received =~ / Post\.(?:sk|cz)/ |
183 |
header POST_IN_RCVD Received =~ / Post\.(?:sk|cz)/ |
184 |
describe POST_IN_RCVD Received contains fake 'Post.cz' hostname |
184 |
describe POST_IN_RCVD Received contains fake 'Post.cz' hostname |
185 |
|
185 |
|
|
|
186 |
|
187 |
# Multizone / Multi meaning BLs first |
188 |
|
189 |
# Osirusoft, like MAPS RBL+ is a multi-meaning BL, so it is treated separately |
190 |
header RCVD_IN_OSIRUSOFT_COM rbleval:check_rbl('osirusoft', 'relays.osirusoft.com.') |
191 |
describe RCVD_IN_OSIRUSOFT_COM Received via a relay in relays.osirusoft.com |
192 |
|
193 |
# X prefix was used to insure that it was run at the end, but it's not needed |
194 |
# anymore since we run the rule with rblreseval -- Marc |
195 |
header X_OSIRU_SPAM_SRC rbleval:check_rbl_results_for('osirusoft', '127.0.0.4') |
196 |
describe X_OSIRU_SPAM_SRC DNSBL: sender is Confirmed Spam Source |
197 |
|
198 |
header X_OSIRU_SPAMWARE_SITE rbleval:check_rbl_results_for('osirusoft', '127.0.0.6') |
199 |
describe X_OSIRU_SPAMWARE_SITE DNSBL: sender is a Spamware site or vendor |
200 |
|
201 |
header X_OSIRU_DUL_FH rbleval:check_rbl('osirusoft-dul-firsthop', 'dialups.mail-abuse.org.') |
202 |
describe X_OSIRU_DUL_FH Received from first hop dialup listed in relays.osirusoft.com |
203 |
|
204 |
|
205 |
|
206 |
# Now, single zone BLs follow: |
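Review bot: the zone and the description of X_OSIRU_DUL_FH disagree. `header X_OSIRU_DUL_FH rbleval:check_rbl('osirusoft-dul-firsthop', 'dialups.mail-abuse.org.')` queries the MAPS DUL zone, while its describe line says "first hop dialup listed in relays.osirusoft.com". If relays.osirusoft.com was intended, fix the zone; if the zone is right, the rule duplicates X_RCVD_IN_DUL_FH later in this change, and FUDGE_DUL_OSIRU_FH, which compares the 'osirusoft-dul-firsthop' and 'dialup-firsthop' results, would always see both sets agree and cancel the hit. Separately, the comment "X prefix was used to insure that it was run at the end, but it's not needed anymore since we run the rule with rblreseval" sits above rules that still use rbleval:check_rbl_results_for and still carry the X_ prefix; either drop the prefix from X_OSIRU_SPAM_SRC and X_OSIRU_SPAMWARE_SITE or reword the comment so it states what the prefix now means and which evaluator these rules actually use.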
186 |
# the new first arg for check_rbl() indicates what type of check it is; |
207 |
# the new first arg for check_rbl() indicates what type of check it is; |
187 |
# each type of check is stored in a separate set, and if an IP has already |
208 |
# each type of check is stored in a separate set, and if an IP has already |
188 |
# been hit in that set, it will not be checked with any other zone in |
209 |
# been hit in that set, it will not be checked with any other zone in |
189 |
# that set. |
210 |
# that set. |
190 |
header RCVD_IN_RELAYS_ORDB_ORG eval:check_rbl('relay', 'relays.ordb.org.') |
211 |
header RCVD_IN_RELAYS_ORDB_ORG rbleval:check_rbl('relay', 'relays.ordb.org.') |
191 |
describe RCVD_IN_RELAYS_ORDB_ORG Received via a relay in relays.ordb.org |
212 |
describe RCVD_IN_RELAYS_ORDB_ORG Received via a relay in relays.ordb.org |
192 |
|
213 |
|
193 |
header RCVD_IN_OSIRUSOFT_COM eval:check_rbl('relay', 'relays.osirusoft.com.') |
214 |
header RCVD_IN_VISI rbleval:check_rbl('relay', 'relays.visi.com.') |
194 |
describe RCVD_IN_OSIRUSOFT_COM Received via a relay in relays.osirusoft.com |
|
|
195 |
|
196 |
header RCVD_IN_VISI eval:check_rbl('relay', 'relays.visi.com.') |
197 |
describe RCVD_IN_VISI Received via a relay in relays.visi.com |
215 |
describe RCVD_IN_VISI Received via a relay in relays.visi.com |
198 |
|
216 |
|
199 |
header RCVD_IN_RFCI eval:check_rbl('rfci', 'ipwhois.rfc-ignorant.org.') |
|
|
200 |
describe RCVD_IN_RFCI Received via a relay in ipwhois.rfc-ignorant.org |
201 |
|
202 |
# Overzealous, blocking sparklist.com and yahoogroups with Confirmed Spam |
217 |
# Overzealous, blocking sparklist.com and yahoogroups with Confirmed Spam |
203 |
# Source records. not recommended. |
218 |
# Source records. not recommended. |
204 |
#header RCVD_IN_5_10 eval:check_rbl('relay', 'blackholes.five-ten-sg.com.') |
219 |
#header RCVD_IN_5_10 rbleval:check_rbl('relay', 'blackholes.five-ten-sg.com.') |
205 |
#describe RCVD_IN_5_10 Received via a relay in blackholes.five-ten-sg.com |
220 |
#describe RCVD_IN_5_10 Received via a relay in blackholes.five-ten-sg.com |
206 |
|
221 |
|
207 |
header RCVD_IN_ORBS eval:check_rbl('relay', 'orbs.dorkslayers.com.') |
222 |
header RCVD_IN_ORBS rbleval:check_rbl('relay', 'orbs.dorkslayers.com.') |
208 |
describe RCVD_IN_ORBS Received via a relay in orbs.dorkslayers.com |
223 |
describe RCVD_IN_ORBS Received via a relay in orbs.dorkslayers.com |
209 |
|
224 |
|
210 |
# X prefix is so that these are run after RCVD_IN_*. tests are run in |
225 |
# DSBL catches open relays, badly-installed CGI scripts and open SOCKS and |
211 |
# alphanumerically-sorted order. (These used to be Osirusoft.com-specific, but |
226 |
# HTTP proxies. list.dsbl.org lists servers tested by "trusted" users, |
212 |
# now, other DNSBLs are using the same convention.) |
227 |
# multihop.dsbl.org lists servers which open SMTP servers relay through, |
213 |
header X_OSIRU_SPAM_SRC eval:check_rbl_results_for('relay', '127.0.0.4') |
228 |
# unconfirmed.dsbl.org lists servers tested by "untrusted" users. |
214 |
describe X_OSIRU_SPAM_SRC DNSBL: sender is Confirmed Spam Source |
229 |
# See http://dsbl.org/ for full details. |
|
|
230 |
# This is effectively an open relay BL, put in in the relay set too -- Marc |
231 |
header RCVD_IN_DSBL rbleval:check_rbl('relay', 'list.dsbl.org') |
232 |
describe RCVD_IN_DSBL Received via a relay in list.dsbl.org |
215 |
|
233 |
|
216 |
header X_OSIRU_SPAMWARE_SITE eval:check_rbl_results_for('relay', '127.0.0.6') |
234 |
header RCVD_IN_MULTIHOP_DSBL rbleval:check_rbl('multihop', 'multihop.dsbl.org') |
217 |
describe X_OSIRU_SPAMWARE_SITE DNSBL: sender is a Spamware site or vendor |
235 |
describe RCVD_IN_MULTIHOP_DSBL Received via a relay in multihop.dsbl.org |
|
|
236 |
|
237 |
# We want to count this in the open relay set so that someone doesn't get scored |
238 |
# twice (at least by default) for being listed there and in some other relay BL. |
239 |
# Users can request a double hit and double score by changing 'relay' with |
240 |
# 'unconfirmed_dsbl' or something like that, but I don't think it should be |
241 |
# a default -- Marc |
242 |
header X_RCVD_IN_UNCONFIRMED_DSBL rbleval:check_rbl('relay', 'unconfirmed.dsbl.org') |
243 |
describe X_RCVD_IN_UNCONFIRMED_DSBL Received via a relay in unconfirmed.dsbl.org |
244 |
|
245 |
|
246 |
# Other miscellaneous RBLs are listed here: |
247 |
header RCVD_IN_RFCI rbleval:check_rbl('rfci', 'ipwhois.rfc-ignorant.org.') |
248 |
describe RCVD_IN_RFCI Received via a relay in ipwhois.rfc-ignorant.org |
249 |
|
250 |
|
251 |
# NOTE: commercial test, see README file for details |
252 |
header RCVD_IN_BL_SPAMCOP_NET rbleval:check_rbl('spamcop', 'bl.spamcop.net.') |
253 |
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net |
218 |
|
254 |
|
219 |
# NOTE: commercial tests, see README file for details |
255 |
# NOTE: commercial tests, see README file for details |
220 |
header RCVD_IN_RBL eval:check_rbl('rbl', 'blackholes.mail-abuse.org.') |
256 |
header RCVD_IN_RBL rbleval:check_rbl('rbl', 'blackholes.mail-abuse.org.') |
221 |
describe RCVD_IN_RBL Received via RBLed relay, see http://www.mail-abuse.org/rbl/ |
257 |
describe RCVD_IN_RBL Received via RBLed relay, see http://www.mail-abuse.org/rbl/ |
222 |
|
258 |
|
223 |
header RCVD_IN_RSS eval:check_rbl('relay', 'relays.mail-abuse.org.') |
259 |
header RCVD_IN_RSS rbleval:check_rbl('relay', 'relays.mail-abuse.org.') |
224 |
describe RCVD_IN_RSS Received via RSSed relay, see http://www.mail-abuse.org/rss/ |
260 |
describe RCVD_IN_RSS Received via RSSed relay, see http://www.mail-abuse.org/rss/ |
225 |
|
261 |
|
226 |
header RCVD_IN_DUL eval:check_rbl('dialup', 'dialups.mail-abuse.org.') |
262 |
header RCVD_IN_DUL rbleval:check_rbl('dialup', 'dialups.mail-abuse.org.') |
227 |
describe RCVD_IN_DUL Received from dialup, see http://www.mail-abuse.org/dul/ |
263 |
describe RCVD_IN_DUL Received from dialup, see http://www.mail-abuse.org/dul/ |
228 |
|
264 |
|
229 |
# NOTE: commercial test, see README file for details |
265 |
header X_RCVD_IN_DUL_FH rbleval:check_rbl('dialup-firsthop', 'dialups.mail-abuse.org.') |
230 |
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl('spamcop', 'bl.spamcop.net.') |
266 |
describe X_RCVD_IN_DUL_FH Received from first hop dialup, see http://www.mail-abuse.org/dul/ |
231 |
|
267 |
|
232 |
# DSBL catches open relays, badly-installed CGI scripts and open SOCKS and |
|
|
233 |
# HTTP proxies. list.dsbl.org lists servers tested by "trusted" users, |
234 |
# multihop.dsbl.org lists servers which open SMTP servers relay through, |
235 |
# unconfirmed.dsbl.org lists servers tested by "untrusted" users. |
236 |
# See http://dsbl.org/ for full details. |
237 |
header RCVD_IN_DSBL eval:check_rbl('dsbl', 'list.dsbl.org') |
238 |
describe RCVD_IN_DSBL Received via a relay in list.dsbl.org |
239 |
|
268 |
|
240 |
header RCVD_IN_MULTIHOP_DSBL eval:check_rbl('dsbl', 'multihop.dsbl.org') |
269 |
# Now, you can apply rules to counter for the effect of two similar BLs matching |
241 |
describe RCVD_IN_MULTIHOP_DSBL Received via a relay in multihop.dsbl.org |
270 |
# together -- Marc |
|
|
271 |
header FUDGE_DUL_MAPS_OSIRU rblreseval:check_two_rbl_results('osirusoft', "127.0.0.3", 'dialup', "127.0.0.3") |
272 |
describe FUDGE_DUL_MAPS_OSIRU Do not double penalize for MAPS DUL and Osirusoft DUL |
273 |
|
274 |
header FUDGE_RELAY_OSIRU rblreseval:check_two_rbl_results('osirusoft', "127.0.0.2", 'relay', "127.0.0.2") |
275 |
describe FUDGE_RELAY_OSIRU Do not double penalize for being an open relay on Osirusoft and another RBL |
276 |
|
277 |
header FUDGE_DUL_OSIRU_FH rblreseval:check_two_rbl_results('osirusoft-dul-firsthop', "127.0.0.3", 'dialup-firsthop', "127.0.0.3") |
278 |
describe FUDGE_DUL_OSIRU_FH Do not double compensate for MAPS DUL and Osirusoft DUL first hop dialup |
279 |
|
242 |
|
280 |
|
243 |
header RCVD_IN_UNCONFIRMED_DSBL eval:check_rbl('dsbl', 'unconfirmed.dsbl.org') |
|
|
244 |
describe RCVD_IN_UNCONFIRMED_DSBL Received via a relay in unconfirmed.dsbl.org |
245 |
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net |
246 |
|
281 |
|
247 |
# don't add headers without testing for false positives (usually Unix MTAs and |
282 |
# don't add headers without testing for false positives (usually Unix MTAs and |
248 |
# list software) and especially don't add From:, Reply-To:, Date:, Message-ID: |
283 |
# list software) and especially don't add From:, Reply-To:, Date:, Message-ID: |
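Review bot: the three DSBL zones are the only ones in this change written without a trailing dot: `header RCVD_IN_DSBL rbleval:check_rbl('relay', 'list.dsbl.org')`, `header RCVD_IN_MULTIHOP_DSBL rbleval:check_rbl('multihop', 'multihop.dsbl.org')` and `header X_RCVD_IN_UNCONFIRMED_DSBL rbleval:check_rbl('relay', 'unconfirmed.dsbl.org')`, whereas every other zone ('relays.ordb.org.', 'bl.spamcop.net.', 'dialups.mail-abuse.org.') ends in a dot; write them as 'list.dsbl.org.' and so on so the names are absolute and a resolver search list cannot be appended to them. Placing X_RCVD_IN_UNCONFIRMED_DSBL in the 'relay' set also has a side effect the comment above it does not mention: by the check_rbl() comment in this same change, an IP already hit in one zone of a set is not checked against any other zone in that set, so if the unconfirmed zone is queried first, a listing by an "untrusted" tester suppresses the lookups in list.dsbl.org, relays.ordb.org and the other relay zones for that IP, and the score is the unconfirmed one. The old comment explaining that the X prefix makes these rules run last (alphanumeric order) is removed here, so the ordering the 'relay' set now depends on is undocumented; either restore that note next to the new DSBL comment or give unconfirmed.dsbl.org its own set as the comment already suggests.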