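# Local SpamAssassin DNSBL / URIBL rules (file dated 2006-10-01).
#
# Every rule here is a network test (tflags net): it costs a DNS lookup and
# is only as trustworthy as the operator of the zone it queries.
#
# NOTE(review): this file already records one list that vanished (ORDB, see
# below). Other zones queried here may have been retired since it was written.
# A retired zone can time out or start answering every query as "listed",
# which adds its score to all mail. Confirm each zone is still operated before
# enabling its rules, and comment out the ones that are not.
#
# NOTE(review): set names without a "-notfirsthop" suffix presumably test
# every untrusted relay in the Received chain, including the submitting
# client. For dialup/proxy lists that can penalise legitimate users who send
# through their provider's relay - confirm the intended scope per list.

# ---------------------------------------------------------------------------
# URIBL (URI blacklist; matches URLs in the message body)
# ---------------------------------------------------------------------------
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist (http://uribl.com)
tflags URIBL_BLACK net
score URIBL_BLACK 2.0

# ---------------------------------------------------------------------------
# NIX_SPAM (heise.de)
# ---------------------------------------------------------------------------
header RCVD_IN_NIX_SPAM_PLACEHOLDER_UNUSED eval:check_rbl('nix-spam-unused', 'invalid.')
score RCVD_IN_NIX_SPAM_PLACEHOLDER_UNUSED 0
header NIX_SPAM eval:check_rbl('nix-spam', 'ix.dnsbl.manitu.net')
describe NIX_SPAM Listed in NIX_SPAM DNSBL
tflags NIX_SPAM net
score NIX_SPAM 2.0

# ---------------------------------------------------------------------------
# VIRBL (virus sender blacklist) http://virbl.bit.nl
# ---------------------------------------------------------------------------
header RCVD_IN_VIRBL eval:check_rbl_txt('virbl', 'virbl.dnsbl.bit.nl')
describe RCVD_IN_VIRBL Listed in virbl.dnsbl.bit.nl
tflags RCVD_IN_VIRBL net
score RCVD_IN_VIRBL 1.0

# ---------------------------------------------------------------------------
# ORDB (open relays) http://ordb.org
# 2006-12-19: deactivated, since this DB has vanished as of 2006-12-18.
# Kept commented out as a record; do not re-enable.
# ---------------------------------------------------------------------------
#header RCVD_IN_ORDB eval:check_rbl_txt('ordb', 'relays.ordb.org')
#describe RCVD_IN_ORDB Listed in relays.ordb.org
#tflags RCVD_IN_ORDB net
#score RCVD_IN_ORDB 0.5

# ---------------------------------------------------------------------------
# CBL (open relays/proxys) http://cbl.abuseat.org
# ---------------------------------------------------------------------------
header RCVD_IN_CBL eval:check_rbl_txt('cbl', 'cbl.abuseat.org')
describe RCVD_IN_CBL Listed in cbl.abuseat.org
tflags RCVD_IN_CBL net
score RCVD_IN_CBL 2.0

# ---------------------------------------------------------------------------
# UCEPROTECT http://uceprotect.net
# Each level queries a different zone, so each gets its own set name. The
# original reused 'uceprotect1' for all three, which looks like a copy-paste
# slip and would tie any later check_rbl_sub on that set to three zones.
# ---------------------------------------------------------------------------
# UCEPROTECT1 (open relays/proxys/dialups)
header RCVD_IN_UCEPROTECT1 eval:check_rbl_txt('uceprotect1', 'dnsbl-1.uceprotect.net')
describe RCVD_IN_UCEPROTECT1 Listed in dnsbl-1.uceprotect.net
tflags RCVD_IN_UCEPROTECT1 net
score RCVD_IN_UCEPROTECT1 1.0

# UCEPROTECT2 (open relays/proxys/dialups networks)
header RCVD_IN_UCEPROTECT2 eval:check_rbl_txt('uceprotect2', 'dnsbl-2.uceprotect.net')
describe RCVD_IN_UCEPROTECT2 Network listed in dnsbl-2.uceprotect.net
tflags RCVD_IN_UCEPROTECT2 net
score RCVD_IN_UCEPROTECT2 0.5

# UCEPROTECT3 (bad networks)
header RCVD_IN_UCEPROTECT3 eval:check_rbl_txt('uceprotect3', 'dnsbl-3.uceprotect.net')
describe RCVD_IN_UCEPROTECT3 Network listed in dnsbl-3.uceprotect.net
tflags RCVD_IN_UCEPROTECT3 net
score RCVD_IN_UCEPROTECT3 0.1

# ---------------------------------------------------------------------------
# DSBL http://dsbl.org
# ---------------------------------------------------------------------------
# DSBL-multihop (multihop open relays)
header RCVD_IN_DSBL_MULTIHOP eval:check_rbl_txt('dsblmultihop', 'multihop.dsbl.org')
describe RCVD_IN_DSBL_MULTIHOP Listed in multihop.dsbl.org
tflags RCVD_IN_DSBL_MULTIHOP net
score RCVD_IN_DSBL_MULTIHOP 0.1

# DSBL-unconfirmed (open relays)
header RCVD_IN_DSBL_UNCONFIRMED eval:check_rbl_txt('dsblunconfirmed', 'unconfirmed.dsbl.org')
describe RCVD_IN_DSBL_UNCONFIRMED Listed in unconfirmed.dsbl.org
tflags RCVD_IN_DSBL_UNCONFIRMED net
score RCVD_IN_DSBL_UNCONFIRMED 0.001

# ---------------------------------------------------------------------------
# AHBL http://ahbl.org
# ---------------------------------------------------------------------------
# AHBL-tor (TOR relays)
header RCVD_IN_AHBL_TOR eval:check_rbl_txt('ahbltor', 'tor.ahbl.org')
describe RCVD_IN_AHBL_TOR Listed in tor.ahbl.org
tflags RCVD_IN_AHBL_TOR net
score RCVD_IN_AHBL_TOR 0.001

# AHBL-exemptions (whitelist)
# Negative-score rule, so it is also flagged "nice".
header RCVD_IN_AHBL_WHITELIST eval:check_rbl_txt('ahblwhite', 'exemptions.ahbl.org')
describe RCVD_IN_AHBL_WHITELIST WhiteListed in exemptions.ahbl.org
tflags RCVD_IN_AHBL_WHITELIST net nice
score RCVD_IN_AHBL_WHITELIST -0.01

# from http://www.ahbl.org/docs/mailservers/spamassassin.txt
# One lookup against the combined zone (set 'AHBL'); the check_rbl_sub rules
# below classify the returned 127.0.0.x value and must name the same set.
header RCVD_IN_AHBL eval:check_rbl('AHBL', 'dnsbl.ahbl.org.')
describe RCVD_IN_AHBL AHBL: sender is listed in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL 1.0
tflags RCVD_IN_AHBL net

header RCVD_IN_AHBL_UNKNOWN_1 eval:check_rbl_sub('AHBL', '127.0.0.1')
describe RCVD_IN_AHBL_UNKNOWN_1 AHBL: Unknown Category 1 in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_UNKNOWN_1 0.01
tflags RCVD_IN_AHBL_UNKNOWN_1 net

header RCVD_IN_AHBL_SMTP eval:check_rbl_sub('AHBL', '127.0.0.2')
describe RCVD_IN_AHBL_SMTP AHBL: Open SMTP relay in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_SMTP 0.5
tflags RCVD_IN_AHBL_SMTP net

header RCVD_IN_AHBL_PROXY eval:check_rbl_sub('AHBL', '127.0.0.3')
describe RCVD_IN_AHBL_PROXY AHBL: Open Proxy server in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_PROXY 0.5
tflags RCVD_IN_AHBL_PROXY net

header RCVD_IN_AHBL_SPAM eval:check_rbl_sub('AHBL', '127.0.0.4')
describe RCVD_IN_AHBL_SPAM AHBL: Spam Source in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_SPAM 0.5
tflags RCVD_IN_AHBL_SPAM net

header RCVD_IN_AHBL_RTB eval:check_rbl_sub('AHBL', '127.0.0.5')
describe RCVD_IN_AHBL_RTB AHBL: Real-Time Blocked in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_RTB 0.01
tflags RCVD_IN_AHBL_RTB net

header RCVD_IN_AHBL_FORMMAIL eval:check_rbl_sub('AHBL', '127.0.0.6')
describe RCVD_IN_AHBL_FORMMAIL AHBL: Abuseable Form Mail in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_FORMMAIL 0.5
tflags RCVD_IN_AHBL_FORMMAIL net

header RCVD_IN_AHBL_SPAM_SUPPORT eval:check_rbl_sub('AHBL', '127.0.0.7')
describe RCVD_IN_AHBL_SPAM_SUPPORT AHBL: Spam Supporter in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_SPAM_SUPPORT 0.5
tflags RCVD_IN_AHBL_SPAM_SUPPORT net

header RCVD_IN_AHBL_I_SPAM_SUPPORT eval:check_rbl_sub('AHBL', '127.0.0.8')
describe RCVD_IN_AHBL_I_SPAM_SUPPORT AHBL: Indirect Spam supporter in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_I_SPAM_SUPPORT 0.5
tflags RCVD_IN_AHBL_I_SPAM_SUPPORT net

header RCVD_IN_AHBL_ENDUSER eval:check_rbl_sub('AHBL', '127.0.0.9')
describe RCVD_IN_AHBL_ENDUSER AHBL: End User (non mail system) in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_ENDUSER 0.5
tflags RCVD_IN_AHBL_ENDUSER net

# The original named the set 'AHBL-notfirsthop' here. No check_rbl in this
# file creates that set, so the sub-test had no lookup to read and could not
# fire. It now reads the 'AHBL' set like its siblings.
header RCVD_IN_AHBL_SOS eval:check_rbl_sub('AHBL', '127.0.0.10')
describe RCVD_IN_AHBL_SOS AHBL: Shoot On Sight in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_SOS 0.5
tflags RCVD_IN_AHBL_SOS net

header RCVD_IN_AHBL_RFCI_PA eval:check_rbl_sub('AHBL', '127.0.0.11')
describe RCVD_IN_AHBL_RFCI_PA AHBL: Missing Postmaster or Abuse Address in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_RFCI_PA 0.5
tflags RCVD_IN_AHBL_RFCI_PA net

header RCVD_IN_AHBL_5XXI eval:check_rbl_sub('AHBL', '127.0.0.12')
describe RCVD_IN_AHBL_5XXI AHBL: Does not properly handle 5xx errors in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_5XXI 0.5
tflags RCVD_IN_AHBL_5XXI net

header RCVD_IN_AHBL_RFCI_MISC eval:check_rbl_sub('AHBL', '127.0.0.13')
describe RCVD_IN_AHBL_RFCI_MISC AHBL: Other Non-RFC Compliant in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_RFCI_MISC 0.5
tflags RCVD_IN_AHBL_RFCI_MISC net

header RCVD_IN_AHBL_COMP_DDOS eval:check_rbl_sub('AHBL', '127.0.0.14')
describe RCVD_IN_AHBL_COMP_DDOS AHBL: Compromised System - DDoS in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_COMP_DDOS 0.5
tflags RCVD_IN_AHBL_COMP_DDOS net

header RCVD_IN_AHBL_COMP_RELAY eval:check_rbl_sub('AHBL', '127.0.0.15')
describe RCVD_IN_AHBL_COMP_RELAY AHBL: Compromised System - Relay in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_COMP_RELAY 0.5
tflags RCVD_IN_AHBL_COMP_RELAY net

header RCVD_IN_AHBL_COMP_SCANNER eval:check_rbl_sub('AHBL', '127.0.0.16')
describe RCVD_IN_AHBL_COMP_SCANNER AHBL: Compromised System - Autorooter/Scanner in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_COMP_SCANNER 0.5
tflags RCVD_IN_AHBL_COMP_SCANNER net

header RCVD_IN_AHBL_COMP_WORM eval:check_rbl_sub('AHBL', '127.0.0.17')
describe RCVD_IN_AHBL_COMP_WORM AHBL: Compromised System - Worm or mass mailing virus in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_COMP_WORM 0.5
tflags RCVD_IN_AHBL_COMP_WORM net

header RCVD_IN_AHBL_COMP_VIRUS eval:check_rbl_sub('AHBL', '127.0.0.18')
describe RCVD_IN_AHBL_COMP_VIRUS AHBL: Compromised System - Other Virus in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_COMP_VIRUS 0.5
tflags RCVD_IN_AHBL_COMP_VIRUS net

# The original declared RCVD_IN_AHBL_PROXY a second time here. A repeated rule
# name replaces the earlier definition, so the 127.0.0.3 test above was
# silently lost. This second test now has its own name.
# NOTE(review): this rule and RCVD_IN_AHBL_BLOG both test 127.0.0.19, so they
# always fire together; one of the two values is presumably wrong. Confirm
# against the list operator's return-code table before relying on either.
header RCVD_IN_AHBL_PROXY2 eval:check_rbl_sub('AHBL', '127.0.0.19')
describe RCVD_IN_AHBL_PROXY2 AHBL: Open Proxy in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_PROXY2 0.5
tflags RCVD_IN_AHBL_PROXY2 net

header RCVD_IN_AHBL_BLOG eval:check_rbl_sub('AHBL', '127.0.0.19')
describe RCVD_IN_AHBL_BLOG AHBL: Blog/Wiki/Comment Spammer in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_BLOG 0.5
tflags RCVD_IN_AHBL_BLOG net

header RCVD_IN_AHBL_MISC eval:check_rbl_sub('AHBL', '127.0.0.127')
describe RCVD_IN_AHBL_MISC AHBL: Misc (other) in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_MISC 0.5
tflags RCVD_IN_AHBL_MISC net

# ---------------------------------------------------------------------------
# bondedsender whitelist (commercial?) http://www.returnpath.org/senderscorecertified
# Negative-score rules, so they are also flagged "nice".
# ---------------------------------------------------------------------------
header RCVD_IN_BONDEDSENDER_WHITELIST eval:check_rbl('bondedsender', 'sa.bondedsender.org')
describe RCVD_IN_BONDEDSENDER_WHITELIST Received via a whitelisted Bonded Sender address
score RCVD_IN_BONDEDSENDER_WHITELIST -0.001
tflags RCVD_IN_BONDEDSENDER_WHITELIST net nice

header RCVD_IN_BONDEDSENDER_WHITELIST1 eval:check_rbl('bondedsender1', 'query.bondedsender.org', '127.0.0.10')
describe RCVD_IN_BONDEDSENDER_WHITELIST1 Received via a whitelisted Bonded Sender address
score RCVD_IN_BONDEDSENDER_WHITELIST1 -0.001
tflags RCVD_IN_BONDEDSENDER_WHITELIST1 net nice

# ---------------------------------------------------------------------------
# Test whether we catch dialup relays (in addition to standard spamassassin).
# The "-notfirsthop" set suffix skips the first hop, so a dialup user who
# submits through a proper relay is not penalised.
# ---------------------------------------------------------------------------
header RCVD_IN_NJABL_DUL2 eval:check_rbl('njabl2-notfirsthop', 'combined.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DUL2 NJABL: dialup sender did non-local SMTP
score RCVD_IN_NJABL_DUL2 0.1
tflags RCVD_IN_NJABL_DUL2 net

header RCVD_IN_MAPS_DUL2 eval:check_rbl('dialup2-notfirsthop', 'dialups.mail-abuse.org.')
describe RCVD_IN_MAPS_DUL2 Relay in DUL, http://www.mail-abuse.org/dul/
score RCVD_IN_MAPS_DUL2 0.1
tflags RCVD_IN_MAPS_DUL2 net

header RCVD_IN_SORBS_DUL2 eval:check_rbl('sorbs2-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL2 SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL2 net
score RCVD_IN_SORBS_DUL2 0.1

# ---------------------------------------------------------------------------
# FIVETENSG http://www.five-ten-sg.com
# One lookup (set 'FIVETENSG'); sub-tests classify the returned value.
# ---------------------------------------------------------------------------
header RCVD_IN_FIVETENSG eval:check_rbl('FIVETENSG', 'blackholes.five-ten-sg.com.')
describe RCVD_IN_FIVETENSG sender is listed in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG 1.0
tflags RCVD_IN_FIVETENSG net

header RCVD_IN_FIVETENSG_UNKNOWN_1 eval:check_rbl_sub('FIVETENSG', '127.0.0.1')
describe RCVD_IN_FIVETENSG_UNKNOWN_1 Unknown Category 1 in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_UNKNOWN_1 0.001
tflags RCVD_IN_FIVETENSG_UNKNOWN_1 net

header RCVD_IN_FIVETENSG_SPAM eval:check_rbl_sub('FIVETENSG', '127.0.0.2')
describe RCVD_IN_FIVETENSG_SPAM Spammer in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_SPAM 0.5
tflags RCVD_IN_FIVETENSG_SPAM net

header RCVD_IN_FIVETENSG_DUL eval:check_rbl_sub('FIVETENSG', '127.0.0.3')
describe RCVD_IN_FIVETENSG_DUL Dialup in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_DUL 0.01
tflags RCVD_IN_FIVETENSG_DUL net

header RCVD_IN_FIVETENSG_BULK eval:check_rbl_sub('FIVETENSG', '127.0.0.4')
describe RCVD_IN_FIVETENSG_BULK Bulk-Mailer in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_BULK 0.01
tflags RCVD_IN_FIVETENSG_BULK net

header RCVD_IN_FIVETENSG_MULTISTAGE eval:check_rbl_sub('FIVETENSG', '127.0.0.5')
describe RCVD_IN_FIVETENSG_MULTISTAGE Multistage Open Relay in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_MULTISTAGE 0.1
tflags RCVD_IN_FIVETENSG_MULTISTAGE net

header RCVD_IN_FIVETENSG_SINGLESTAGE eval:check_rbl_sub('FIVETENSG', '127.0.0.6')
describe RCVD_IN_FIVETENSG_SINGLESTAGE Singlestage Open Relay in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_SINGLESTAGE 0.1
tflags RCVD_IN_FIVETENSG_SINGLESTAGE net

header RCVD_IN_FIVETENSG_SUPPORT eval:check_rbl_sub('FIVETENSG', '127.0.0.7')
describe RCVD_IN_FIVETENSG_SUPPORT Spam-Supporter in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_SUPPORT 0.1
tflags RCVD_IN_FIVETENSG_SUPPORT net

header RCVD_IN_FIVETENSG_WEBFORM eval:check_rbl_sub('FIVETENSG', '127.0.0.8')
describe RCVD_IN_FIVETENSG_WEBFORM Web2Mail in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_WEBFORM 0.1
tflags RCVD_IN_FIVETENSG_WEBFORM net

header RCVD_IN_FIVETENSG_SUSPECT eval:check_rbl_sub('FIVETENSG', '127.0.0.9')
describe RCVD_IN_FIVETENSG_SUSPECT Suspected system in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_SUSPECT 0.01
tflags RCVD_IN_FIVETENSG_SUSPECT net

header RCVD_IN_FIVETENSG_KLEZ eval:check_rbl_sub('FIVETENSG', '127.0.0.10')
describe RCVD_IN_FIVETENSG_KLEZ Virus Notification Sender in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_KLEZ 0.01
tflags RCVD_IN_FIVETENSG_KLEZ net

header RCVD_IN_FIVETENSG_FREEMAIL eval:check_rbl_sub('FIVETENSG', '127.0.0.12')
describe RCVD_IN_FIVETENSG_FREEMAIL Freemailer in blackholes.five-ten-sg.com
score RCVD_IN_FIVETENSG_FREEMAIL 0.01
tflags RCVD_IN_FIVETENSG_FREEMAIL net

# ---------------------------------------------------------------------------
# csma.biz
# ---------------------------------------------------------------------------
# bl.csma.biz - Repeat SPAM Sources
header RCVD_IN_BLCSMA eval:check_rbl('blcsma', 'bl.csma.biz.')
describe RCVD_IN_BLCSMA Received via a blocked site in bl.csma.biz
score RCVD_IN_BLCSMA 0.5
tflags RCVD_IN_BLCSMA net

# sbl.csma.biz - Suspect SPAM Sources
header RCVD_IN_SBLCSMA eval:check_rbl('sblcsma', 'sbl.csma.biz.')
describe RCVD_IN_SBLCSMA Received via a blocked site in sbl.csma.biz
score RCVD_IN_SBLCSMA 0.1
tflags RCVD_IN_SBLCSMA net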