Posted to commits@spamassassin.apache.org by qu...@apache.org on 2004/05/29 03:57:40 UTC
svn commit: rev 20565 - incubator/spamassassin/trunk/rules
Author: quinlan
Date: Fri May 28 18:57:39 2004
New Revision: 20565
Modified:
incubator/spamassassin/trunk/rules/20_dnsbl_tests.cf
incubator/spamassassin/trunk/rules/70_testing.cf
Log:
change the three DNSBLS that improved the most via -firsttrusted logic
to use it: RCVD_IN_XBL, RCVD_IN_DSBL
promote all of the RFC-Ignorant EnvelopeFrom rules, delete the old
RFC-Ignorant From: rules
Modified: incubator/spamassassin/trunk/rules/20_dnsbl_tests.cf
==============================================================================
--- incubator/spamassassin/trunk/rules/20_dnsbl_tests.cf (original)
+++ incubator/spamassassin/trunk/rules/20_dnsbl_tests.cf Fri May 28 18:57:39 2004
@@ -126,11 +126,47 @@
tflags RCVD_IN_SBL net
# XBL is the Exploits Block List: http://www.spamhaus.org/xbl/
-header RCVD_IN_XBL eval:check_rbl_sub('sblxbl', '127.0.0.[456]')
+header RCVD_IN_XBL eval:check_rbl('sblxbl-firsttrusted', '127.0.0.[456]')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net
# ---------------------------------------------------------------------------
+# RFC-Ignorant blacklists (both name and IP based)
+
+header __RFC_IGNORANT_ENVFROM eval:check_rbl_envfrom('rfci_envfrom', 'fulldom.rfc-ignorant.org.')
+tflags __RFC_IGNORANT_ENVFROM net
+
+header DNS_FROM_RFC_DSN eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
+describe DNS_FROM_RFC_DSN Envelope sender listed in dsn.rfc-ignorant.org
+tflags DNS_FROM_RFC_DSN net
+
+header DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
+describe DNS_FROM_RFC_POST Envelope sender in postmaster.rfc-ignorant.org
+tflags DNS_FROM_RFC_POST net
+
+header DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
+describe DNS_FROM_RFC_ABUSE Envelope sender in abuse.rfc-ignorant.org
+tflags DNS_FROM_RFC_ABUSE net
+
+header DNS_FROM_RFC_WHOIS_A eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
+describe DNS_FROM_RFC_WHOIS_A Envelope sender in whois.rfc-ignorant.org
+tflags DNS_FROM_RFC_WHOIS_A net
+
+# this is 127.0.0.6 if querying fullip.rfc-ignorant.org, but since there
+# is only one right now, we might as well get the TXT record version
+header RCVD_IN_RFC_IPWHOIS eval:check_rbl_txt('ipwhois-firsttrusted', 'ipwhois.rfc-ignorant.org.')
+describe RCVD_IN_RFC_IPWHOIS Sent via a relay in ipwhois.rfc-ignorant.org
+tflags RCVD_IN_RFC_IPWHOIS net
+
+header DNS_FROM_RFC_WHOIS_B eval:check_rbl_sub('rfci_envfrom', '127.0.0.7')
+describe DNS_FROM_RFC_WHOIS_B Envelope sender TLD in whois.rfc-ignorant.org
+tflags DNS_FROM_RFC_WHOIS_B net
+
+header DNS_FROM_RFC_BOGUSMX eval:check_rbl_sub('rfci_envfrom', '127.0.0.8')
+describe DNS_FROM_RFC_BOGUSMX Envelope sender listed in bogusmx.rfc-ignorant.org
+tflags DNS_FROM_RFC_BOGUSMX net
+
+# ---------------------------------------------------------------------------
# Now, single zone BLs follow:
# DSBL catches open relays, badly-installed CGI scripts and open SOCKS and
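Review bot: The new RCVD_IN_XBL line calls `check_rbl` with `'127.0.0.[456]'` as its second argument, which is the position where the other non-`_sub` lookups on this page (`check_rbl_txt`, `check_rbl_envfrom`) pass the DNS zone. If `check_rbl` takes (set, zone, sub-test) as those calls suggest, the address pattern would be treated as the zone and the rule would never match a listing. In addition, `sblxbl-firsttrusted` is a new set name, and no parent lookup visible in the hunk populates it. The line probably needs the zone spelled out, e.g. `header RCVD_IN_XBL eval:check_rbl('sblxbl-firsttrusted', '<sbl-xbl zone>', '127.0.0.[456]')`, with the placeholder replaced by the zone the existing `sblxbl` parent rule queries. That parent rule sits above the hunk, so this should be confirmed against the full file.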
@@ -141,19 +177,11 @@
# transfers: yes - rsync and http, see http://dsbl.org/usage
# pay-to-use: no
# delist: automated/distributed
-header RCVD_IN_DSBL eval:check_rbl_txt('dsbl', 'list.dsbl.org.')
+header RCVD_IN_DSBL eval:check_rbl_txt('dsbl-firsttrusted', 'list.dsbl.org.')
describe RCVD_IN_DSBL Received via a relay in list.dsbl.org
tflags RCVD_IN_DSBL net
-# Other miscellaneous RBLs are listed here:
-header RCVD_IN_RFCI eval:check_rbl_txt('rfci', 'ipwhois.rfc-ignorant.org.')
-describe RCVD_IN_RFCI Sent via a relay in ipwhois.rfc-ignorant.org
-tflags RCVD_IN_RFCI net
-
-# DSN is a domain-based blacklist
-header DNS_FROM_RFCI_DSN eval:check_rbl_from_host('rfci-dsn', 'dsn.rfc-ignorant.org.')
-describe DNS_FROM_RFCI_DSN From: sender listed in dsn.rfc-ignorant.org
-tflags DNS_FROM_RFCI_DSN net
+########################################################################
# another domain-based blacklist
header DNS_FROM_AHBL_RHSBL eval:check_rbl_from_host('ahbl', 'rhsbl.ahbl.org.')
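Review bot: The switch of RCVD_IN_DSBL to the `dsbl-firsttrusted` set is undocumented, although it makes the rule's result depend on where the trust boundary is drawn. The same applies to the `sblxbl-firsttrusted` and `ipwhois-firsttrusted` sets in the previous hunk. A comment above the rule would help, e.g. `# -firsttrusted: only the relay that handed the message to our first trusted host is looked up; requires trusted_networks to be set correctly`, since a wrong trust path would presumably make the lookup test an internal or forgeable Received hop. Separately, RCVD_IN_RFCI and DNS_FROM_RFCI_DSN are deleted here and only the two rules files are listed as modified, so any `score` lines for the old names elsewhere should be checked.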
Modified: incubator/spamassassin/trunk/rules/70_testing.cf
==============================================================================
--- incubator/spamassassin/trunk/rules/70_testing.cf (original)
+++ incubator/spamassassin/trunk/rules/70_testing.cf Fri May 28 18:57:39 2004
@@ -209,43 +209,12 @@
meta T_NIGERIAN_BODY_3 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 + __NIGERIAN_BODY_43 + __NIGERIAN_BODY_44 + __NIGERIAN_BODY_45 + __NIGERIAN_BODY_46 + __T_FRAUD_92 + __T_FRAUD_110 + __T_FRAUD_2 + __T_FRAUD_102 + __T_FRAUD_144 + __T_FRAUD_235 + __T_FRAUD_258 + __T_FRAUD_113 + __T_FRAUD_44 + __T_FRAUD_81 + __T_FRAUD_58 + __T_FRAUD_259 + __T_FRAUD_149 + __T_FRAUD_236 + __T_FRAUD_249 + __T_FRAUD_125 + __T_FRAUD_252 + __T_FRAUD_132 + __T_FRAUD_227 + __T_FRAUD_100 + __T_FRAUD_26 + __T_FRAUD_88 + __T_FRAUD_16 + __T_FRAUD_240 + __T_FRAUD_157 + __T_FRAUD_46 + __T_FRAUD_133 + __T_FRAUD_228 + __T_FRAUD_120 + __T_FRAUD_114 + __T_FRAUD_142 + __T_FRAUD_94 + __T_FRAUD_146 + __T_FRAUD_96 + __T_FRAUD_41 + __T_FRAUD_216 + __T_FRAUD_137 + __T_FRAUD_82 + __T_FRAUD_251 + __T_FRAUD_19 + __T_FRAUD_254 + __T_FRAUD_241 + __T_FRAUD_35 + __T_FRAUD_217 + __T_FRAUD_221 + __T_FRAUD_124 + __T_FRAUD_18 + __T_FRAUD_42 + __T_FRAUD_31 + __T_FRAUD_115 + __T_FRAUD_3 + __T_FRAUD_220 ) > 3
meta T_NIGERIAN_BODY_4 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 + __NIGERIAN_BODY_43 + __NIGERIAN_BODY_44 + __NIGERIAN_BODY_45 + __NIGERIAN_BODY_46 + __T_FRAUD_92 + __T_FRAUD_110 + __T_FRAUD_2 + __T_FRAUD_102 + __T_FRAUD_144 + __T_FRAUD_235 + __T_FRAUD_258 + __T_FRAUD_113 + __T_FRAUD_44 + __T_FRAUD_81 + __T_FRAUD_58 + __T_FRAUD_259 + __T_FRAUD_149 + __T_FRAUD_236 + __T_FRAUD_249 + __T_FRAUD_125 + __T_FRAUD_252 + __T_FRAUD_132 + __T_FRAUD_227 + __T_FRAUD_100 + __T_FRAUD_26 + __T_FRAUD_88 + __T_FRAUD_16 + __T_FRAUD_240 + __T_FRAUD_157 + __T_FRAUD_46 + __T_FRAUD_133 + __T_FRAUD_228 + __T_FRAUD_120 + __T_FRAUD_114 + __T_FRAUD_142 + __T_FRAUD_94 + __T_FRAUD_146 + __T_FRAUD_96 + __T_FRAUD_41 + __T_FRAUD_216 + __T_FRAUD_137 + __T_FRAUD_82 + __T_FRAUD_251 + __T_FRAUD_19 + __T_FRAUD_254 + __T_FRAUD_241 + __T_FRAUD_35 + __T_FRAUD_217 + __T_FRAUD_221 + __T_FRAUD_124 + __T_FRAUD_18 + __T_FRAUD_42 + __T_FRAUD_31 + __T_FRAUD_115 + __T_FRAUD_3 + __T_FRAUD_220 ) > 4
-# bug 3410
-header __RFC_IGNORANT eval:check_rbl_envfrom('rfci_envfrom', 'fulldom.rfc-ignorant.org.')
-tflags __RFC_IGNORANT net
-
-header T_DNS_FROM_RFC_DSN eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
-describe T_DNS_FROM_RFC_DSN Envelope sender listed in dsn.rfc-ignorant.org
-tflags T_DNS_FROM_RFC_DSN net
-
-header T_DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
-describe T_DNS_FROM_RFC_POST Envelope sender in postmaster.rfc-ignorant.org
-tflags T_DNS_FROM_RFC_POST net
-
-header T_DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
-describe T_DNS_FROM_RFC_ABUSE Envelope sender listed in abuse.rfc-ignorant.org
-tflags T_DNS_FROM_RFC_ABUSE net
-
-header T_DNS_FROM_RFC_WHOIS_A eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
-describe T_DNS_FROM_RFC_WHOIS_A Envelope sender listed in whois.rfc-ignorant.org
-tflags T_DNS_FROM_RFC_WHOIS_A net
-
# ratware: forging Postfix Receiveds
# this doesn't seem to be working. It works with pcregrep, though...
# odd...
header T_RATWARE_RCVD_PF_1 Received =~ / \(Postfix\) with ESMTP id .+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s
header T_RATWARE_RCVD_AT Received =~ / by \S+\@\S+ with Microsoft SMTPSVC/
-
-header T_DNS_FROM_RFC_WHOIS_B eval:check_rbl_sub('rfci_envfrom', '127.0.0.7')
-describe T_DNS_FROM_RFC_WHOIS_B Envelope sender TLD in whois.rfc-ignorant.org
-tflags T_DNS_FROM_RFC_WHOIS_B net
-
-header T_DNS_FROM_RFC_BOGUSMX eval:check_rbl_sub('rfci_envfrom', '127.0.0.8')
-describe T_DNS_FROM_RFC_BOGUSMX Envelope sender listed in bogusmx.rfc-ignorant.org
-tflags T_DNS_FROM_RFC_BOGUSMX net
-
-# double check that both are never listed together
-meta T_DNS_FROM_RFC_WHOIS_C (T_DNS_FROM_RFC_WHOIS_A && T_DNS_FROM_RFC_WHOIS_B)
# test AHBL using envelope-from
header T_DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl-rhs2', 'rhsbl.ahbl.org.')