Thread MTA with DNSBL?: Experiences, tips? (19 answers)
Opened by jan at 2005-01-08 20:17

esskar
 2005-01-12 18:34
#95147
User since
2003-08-04
7321 posts
Moderator

Here are the blacklist settings from our SpamAssassin:

Code:
# SpamAssassin rules file: DNS blacklist tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail3/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################

require_version 2.63

# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().

# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# Well, at least NJABL doesn't, it seems, as of Apr 7 2003.

# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/

header RCVD_IN_NJABL eval:check_rbl('njabl', 'dnsbl.njabl.org.')
describe RCVD_IN_NJABL Received via a relay in dnsbl.njabl.org
tflags RCVD_IN_NJABL net

header RCVD_IN_NJABL_RELAY eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY net

header RCVD_IN_NJABL_DIALUP eval:check_rbl('njabl-notfirsthop', 'dnsbl.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DIALUP NJABL: dialup sender did non-local SMTP
tflags RCVD_IN_NJABL_DIALUP net

header RCVD_IN_NJABL_SPAM eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM net

header RCVD_IN_NJABL_MULTI eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI net

header RCVD_IN_NJABL_CGI eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI net

header RCVD_IN_NJABL_PROXY eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY net

# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request

header RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags RCVD_IN_SORBS net

header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net

header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net

header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net

header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net

header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
describe RCVD_IN_SORBS_SPAM SORBS: spam source or spam-supporting ISP
tflags RCVD_IN_SORBS_SPAM net

header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB net

header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net

header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net

# Dynablock used to be at easynet.nl; closed down there, but reopened
# by SORBS.
header RCVD_IN_DYNABLOCK eval:check_rbl('sorbs-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_DYNABLOCK Sent directly from dynamic IP address
tflags RCVD_IN_DYNABLOCK net

# ---------------------------------------------------------------------------
# OPM (recommended, supports TXT queries, but A queries needed for sub-tests)
# transfers: axfr/ixfr for trusted sites
# url: http://opm.blitzed.org/
# pay-to-use: no
# delist: automatic expiry, no fee, retested on request (free)

header RCVD_IN_OPM eval:check_rbl('opm', 'opm.blitzed.org.')
describe RCVD_IN_OPM Received via a relay in opm.blitzed.org
tflags RCVD_IN_OPM net

header RCVD_IN_OPM_WINGATE eval:check_rbl_sub('opm', '1')
describe RCVD_IN_OPM_WINGATE OPM: sender is open WinGate proxy
tflags RCVD_IN_OPM_WINGATE net

header RCVD_IN_OPM_SOCKS eval:check_rbl_sub('opm', '2')
describe RCVD_IN_OPM_SOCKS OPM: sender is open SOCKS proxy
tflags RCVD_IN_OPM_SOCKS net

header RCVD_IN_OPM_HTTP eval:check_rbl_sub('opm', '4')
describe RCVD_IN_OPM_HTTP OPM: sender is open HTTP CONNECT proxy
tflags RCVD_IN_OPM_HTTP net

header RCVD_IN_OPM_ROUTER eval:check_rbl_sub('opm', '8')
describe RCVD_IN_OPM_ROUTER OPM: sender is open router proxy
tflags RCVD_IN_OPM_ROUTER net

header RCVD_IN_OPM_HTTP_POST eval:check_rbl_sub('opm', '16')
describe RCVD_IN_OPM_HTTP_POST OPM: sender is open HTTP POST proxy
tflags RCVD_IN_OPM_HTTP_POST net

# ---------------------------------------------------------------------------
# Now, single zone BLs follow:

# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
header RCVD_IN_SBL eval:check_rbl_txt('sbl', 'sbl.spamhaus.org.')
describe RCVD_IN_SBL Received via a relay in Spamhaus Block List
tflags RCVD_IN_SBL net

# DSBL catches open relays, badly-installed CGI scripts and open SOCKS and
# HTTP proxies. list.dsbl.org lists servers tested by "trusted" users,
# multihop.dsbl.org lists servers which open SMTP servers relay through,
# unconfirmed.dsbl.org lists servers tested by "untrusted" users.
# See http://dsbl.org/ for full details.
# transfers: yes - rsync and http, see http://dsbl.org/usage
# pay-to-use: no
# delist: automated/distributed
header RCVD_IN_DSBL eval:check_rbl_txt('dsbl', 'list.dsbl.org.')
describe RCVD_IN_DSBL Received via a relay in list.dsbl.org
tflags RCVD_IN_DSBL net

# Other miscellaneous RBLs are listed here:
header RCVD_IN_RFCI eval:check_rbl_txt('rfci', 'ipwhois.rfc-ignorant.org.')
describe RCVD_IN_RFCI Sent via a relay in ipwhois.rfc-ignorant.org
tflags RCVD_IN_RFCI net

# DSN is a domain-based blacklist
header DNS_FROM_RFCI_DSN eval:check_rbl_from_host('rfci-dsn', 'dsn.rfc-ignorant.org.')
describe DNS_FROM_RFCI_DSN From: sender listed in dsn.rfc-ignorant.org
tflags DNS_FROM_RFCI_DSN net

# sa-hil.habeas.com for SpamAssassin queries
# hil.habeas.com for everything else
header HABEAS_VIOLATOR eval:check_rbl_swe('hil', 'sa-hil.habeas.com.')
describe HABEAS_VIOLATOR Has Habeas warrant mark and on Infringer List
tflags HABEAS_VIOLATOR net

header RCVD_IN_BSP_TRUSTED eval:check_rbl_txt('bsp-firsttrusted', 'sa-trusted.bondedsender.org.')
describe RCVD_IN_BSP_TRUSTED Sender is in Bonded Sender Program (trusted relay)
tflags RCVD_IN_BSP_TRUSTED net nice

header RCVD_IN_BSP_OTHER eval:check_rbl_txt('bsp-untrusted', 'sa-other.bondedsender.org.')
describe RCVD_IN_BSP_OTHER Sender is in Bonded Sender Program (other relay)
tflags RCVD_IN_BSP_OTHER net nice

# SenderBase provides information about senders
# sa.senderbase.org for SpamAssassin queries
# test.senderbase.org for everything else (until SenderBase is in production)
#header SENDERBASE net

# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details

header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net

# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details

header RCVD_IN_MAPS_RBL eval:check_rbl('rbl', 'blackholes.mail-abuse.org.')
describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/
tflags RCVD_IN_MAPS_RBL net

header RCVD_IN_MAPS_DUL eval:check_rbl('dialup-notfirsthop', 'dialups.mail-abuse.org.')
describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/
tflags RCVD_IN_MAPS_DUL net

header RCVD_IN_MAPS_RSS eval:check_rbl('rss', 'relays.mail-abuse.org.')
describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/
tflags RCVD_IN_MAPS_RSS net

header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.org.')
describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/
tflags RCVD_IN_MAPS_NML net

# if you're subscribed to RBL+, then comment out the above rules (just the
# "header" lines, not the "describe" or "tflags" lines) and uncomment the
# below lines
#header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'rbl-plus.mail-abuse.org.', '1')
#header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-notfirsthop', 'rbl-plus.mail-abuse.org.', '2')
#header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4')
#header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8')
#describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.org/ops/
#tflags RCVD_IN_MAPS_OPS net

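An added example, not part of the original post or of SpamAssassin's code: a Python sketch of how the multi-zone rules above turn one DNS answer into several sub-rules. It assumes a dotted-quad sub-test is matched against the returned A record as a whole and a decimal sub-test (the OPM rules) is a bitmask on it; the function names, the subset of rules in the table and the sample answers are constructed for illustration.

```python
import ipaddress

# Sub-test values copied from a subset of the rules in the post.
SUBTESTS = {
    "njabl": {"127.0.0.2": "RCVD_IN_NJABL_RELAY",
              "127.0.0.4": "RCVD_IN_NJABL_SPAM",
              "127.0.0.9": "RCVD_IN_NJABL_PROXY"},
    "sorbs": {"127.0.0.2": "RCVD_IN_SORBS_HTTP",
              "127.0.0.5": "RCVD_IN_SORBS_SMTP",
              "127.0.0.6": "RCVD_IN_SORBS_SPAM"},
    "opm": {"1": "RCVD_IN_OPM_WINGATE", "2": "RCVD_IN_OPM_SOCKS",
            "4": "RCVD_IN_OPM_HTTP", "8": "RCVD_IN_OPM_ROUTER",
            "16": "RCVD_IN_OPM_HTTP_POST"},
}
LISTING_CODES = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Name queried for an IPv4 relay: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return reversed_octets + "." + zone.rstrip(".") + "."


def rules_hit(rbl_set, answers):
    """Map the A records returned for one set to the sub-rules that fire."""
    hits = set()
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        if addr not in LISTING_CODES:
            continue  # an answer outside 127.0.0.0/8 is not a listing code
        for subtest, rule in SUBTESTS[rbl_set].items():
            if subtest.isdigit():
                # decimal sub-test: bitmask on the returned address
                if int(addr) & int(subtest):
                    hits.add(rule)
            elif str(addr) == subtest:
                # dotted-quad sub-test: exact match on one A record
                hits.add(rule)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed relay address and answers (documentation range 192.0.2.0/24).
    print(dnsbl_query_name("192.0.2.25", "dnsbl.sorbs.net."))
    print(rules_hit("sorbs", ["127.0.0.5", "127.0.0.6"]))
    print(rules_hit("opm", ["127.1.0.5"]))
```
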