SpamAssassin - URIBL

Last updated: 2018-04-10

Introduction

The following blocklist providers are queried by SpamAssassin's stock network rules:

(free providers)


Score Setting


URIBL

URIBL_BLACK            # Contains an URL listed in the URIBL blacklist
URIBL_GREY             # Contains an URL listed in the URIBL greylist
URIBL_RED              # Contains an URL listed in the URIBL redlist
URIBL_BLOCKED          # ADMINISTRATOR NOTICE: The query to URIBL was blocked.

SURBL

URIBL_ABUSE_SURBL      # Contains an URL listed in the ABUSE SURBL blocklist
                       # This list contains mainly general spam sites (pills, dating, etc).
                       # It combines data from the formerly separate JP, WS, SC and AB lists.
                       
URIBL_PH_SURBL         # Contains an URL listed in the PH SURBL blocklist (PHISHING)
                       # Phishing and malware data from multiple sources are included in the ph Phishing data source.

# Spamassassin Setting

/var/lib/spamassassin/3.00X000/updates_spamassassin_org/25_uribl.cf

# Spamassassin Score

/var/lib/spamassassin/3.00X000/updates_spamassassin_org/50_scores.cf

# My URIBL Score Setting

/etc/mail/spamassassin/local.cf

score URIBL_ABUSE_SURBL 3
score URIBL_PH_SURBL    3



URIBL


URIBL distributes information about domain names as they are related to email, primarily Unsolicited Bulk/Commercial Email (UBE/UCE).


URIBL results are returned as DNS A records of the form:

127.0.0.X

Public URIBL Lists

# black.uribl.com

This list contains domain names belonging to and used by spammers.

responses

127.0.0.1 is not a positive listing: it means the query was refused (see the abuse notes below)

127.0.0.2 indicates a listing on black.uribl.com

# white.uribl.com

This list contains legit domain names that we do not want to show up on any other URIBL lists.

# grey.uribl.com

This list contains domains found in UBE/UCE that possibly honour opt-out requests.

# multi.uribl.com

Checks whether a domain is on any of the URIBL lists. This zone is rebuilt whenever any of the above zones is rebuilt, with the exception of white.

* multi.uribl.com contains all of the list data, encoded as bits of the last octet:

127.0.0.X

X   Binary    On List
---------------------------------------------------------
1   00000001  Query blocked, possibly due to high volume
2   00000010  black
4   00000100  grey
8   00001000  red
14  00001110  black,grey,red (for testpoints)

IP address query format

1.2.3.4 should be queried as 4.3.2.1.multi.uribl.com.

dig 4.3.2.1.multi.uribl.com

;; ANSWER SECTION:
4.3.2.1.multi.uribl.com. 2100   IN      A       127.0.0.1

(127.0.0.1 here is the "query blocked" code from the table above, not a listing; a real listing sets bit 2, 4 or 8.)

Testing

URIBL publishes test points in each zone:

  • 2.0.0.127
  • test.uribl.com.

LISTED TEST RESULTS

dig +short 2.0.0.127.multi.uribl.com

127.0.0.14

dig +short -t txt 2.0.0.127.multi.uribl.com

"permanent testpoint"

NOT LISTED TEST RESULTS

dig +short 8.8.8.8.multi.uribl.com

(no answer returned, i.e. the address is not listed)

uribl.com abuse prevention:

* The uribl public mirror infrastructure consists of donated hardware and bandwidth.

If you abuse it, we will block your IP, or your nameserver IP that is producing the excessive queries.

Results when your DNS server IP has been blocked:

dig +short 2.0.0.127.multi.uribl.com

127.0.0.1

dig +short -t txt 2.0.0.127.multi.uribl.com

"127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: x.x.x.x]"

dig +short -t txt test.uribl.com.multi.uribl.com

"127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: x.x.x.x]"
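To make the return-code table and the blocked/test-point behaviour above concrete, here is an added example (not uribl.com's or SpamAssassin's code) of a small client that builds multi.uribl.com query names, decodes the bitmask, and treats 127.0.0.1 as a refusal rather than a listing. The lookup function is injected; FAKE_ZONE is a constructed stand-in for the public mirrors built from the test points shown above, not live data.

```python
import ipaddress

ZONE = "multi.uribl.com"

# Bit values of the last octet of a multi.uribl.com A record (table above).
URIBL_BITS = {
    1: "blocked",   # query refused, possibly due to high volume: NOT a listing
    2: "black",
    4: "grey",
    8: "red",
}
DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/24")


def query_name(target, zone=ZONE):
    """Build the name to query: IPv4 addresses are reversed octet-wise
    (1.2.3.4 -> 4.3.2.1.multi.uribl.com), domains are prepended as-is."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"{target.rstrip('.')}.{zone}"
    if ip.version != 4:
        raise ValueError("multi.uribl.com lists IPv4 addresses and domains only")
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def decode(answers):
    """Decode a list of A-record strings into (lists, status).

    status: 'blocked' if bit 1 (127.0.0.1) was set, 'listed' if any list bit
    was set, 'clean' for an empty answer (NXDOMAIN). Answers outside
    127.0.0.0/24 are never listings (e.g. a resolver that hijacks NXDOMAIN).
    """
    lists, blocked = set(), False
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr not in DNSBL_RANGE:
            raise ValueError(f"unexpected answer {a} from {ZONE}")
        code = int(addr) & 0xFF
        for bit, name in URIBL_BITS.items():
            if code & bit:
                if bit == 1:
                    blocked = True
                else:
                    lists.add(name)
    if blocked:
        return lists, "blocked"
    return lists, "listed" if lists else "clean"


def check(target, lookup):
    """lookup(name) must return the A records as strings ([] for NXDOMAIN)."""
    return decode(lookup(query_name(target)))


def resolver_healthy(lookup):
    """The permanent test point must come back black+grey+red (127.0.0.14).
    A 'blocked' status here means this resolver's IP has been refused."""
    lists, status = check("127.0.0.2", lookup)
    return status == "listed" and lists == {"black", "grey", "red"}


# Constructed stand-in for the public mirrors (not live data).
FAKE_ZONE = {
    "2.0.0.127.multi.uribl.com": ["127.0.0.14"],
    "test.uribl.com.multi.uribl.com": ["127.0.0.14"],
    "4.3.2.1.multi.uribl.com": ["127.0.0.1"],   # what a refused query looks like
}


def fake_lookup(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for target in ("127.0.0.2", "test.uribl.com", "1.2.3.4", "8.8.8.8"):
        print(target, "->", query_name(target), check(target, fake_lookup))
    print("resolver healthy:", resolver_healthy(fake_lookup))
```

For a live lookup, replace fake_lookup with a function that returns the addresses from dns.resolver.resolve(name, "A") (dnspython) and [] on dns.resolver.NXDOMAIN, and send the queries through your own caching resolver rather than a public one; otherwise the 127.0.0.1 path above is exactly what you will get.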

Private URIBL Lists

# df.uribl.com

This zone is a drop-in replacement for "multi.uribl.com". It contains everything multi does, and adds additional return bits for

  • Gold (127.0.0.16),
  • black_a (127.0.0.32),
  • black_ns (127.0.0.64),
  • black_nsip (127.0.0.128)



dnswl


DNS-based whitelist

HomePage: dnswl.org

Query DNSWL (for IP 1.2.3.4):

host 4.3.2.1.list.dnswl.org

Test entry (IP 127.0.0.2):

host 2.0.0.127.list.dnswl.org

2.0.0.127.list.dnswl.org has address 127.0.10.0

Return codes

127.0.x.y

x

2 – Financial services
3 – Email Service Providers
4 – Organisations (both for-profit [ie companies] and non-profit)
...
10 – some special cases
...

y

0 = none – only avoid outright blocking (eg large ESP mailservers, -0.1)
1 = low – reduce chance of false positives (-1.0)
2 = medium – make sure to avoid false positives but allow override for clear cases (-10.0)
3 = high – avoid override (-100.0).

Special return code 127.0.0.255

Returned when your nameserver issues more than 100,000 queries / 24 hours. It is not a whitelisting: treat it as "not listed" and reduce your query volume.

[Method 1] Postfix smtpd restrictions

Permit all whitelisted clients before the RBL check. Mind the ordering: the first permit_* restriction that fires ends the evaluation, so permit_dnswl_client must come after reject_unauth_destination. With permit_dnswl_client ahead of reject_unauth_destination (the original order of this snippet), any dnswl-listed client could relay through you on Postfix releases without smtpd_relay_restrictions (before 2.10) or wherever that parameter has been emptied.

smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_unauth_destination,
  permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
  reject_rbl_client someblacklist.example.com

[Method 2] postscreen

postscreen adds the weights of all matching DNSBL/DNSWL sites; when the total is equal to or greater than postscreen_dnsbl_threshold (default 1) the client is rejected at connection time, before any message is accepted.

*2, -5            # weights; they can be adjusted and combined across any number of black/whitelists
[1..3]            # restrict the dnswl whitelisting to the "low", "med" and "hi" trust levels
                  # (this excludes trust level 0 and the 127.0.0.255 over-quota code)

postscreen_dnsbl_sites =
  highqualityblacklist.example.com*2
  lowerqualityblacklist.example.net
  list.dnswl.org=127.0.[0..255].[1..3]*-5
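The weighting rule described above, as an added example (not Postfix code): a small Python evaluator for postscreen_dnsbl_sites entries that applies the `=pattern` filter with `[low..high]` octet ranges and the `*weight` factor, then compares the sum with postscreen_dnsbl_threshold (default 1). It assumes, as a simplification, that each site entry counts at most once per client even if the zone returns several matching A records; the reply tables are constructed, not live DNS answers.

```python
import re

DNSBL_THRESHOLD = 1   # postscreen_dnsbl_threshold default

SITES = [
    "highqualityblacklist.example.com*2",
    "lowerqualityblacklist.example.net",
    "list.dnswl.org=127.0.[0..255].[1..3]*-5",
]


def parse_site(spec):
    """'zone[=pattern][*weight]' -> (zone, pattern or None, weight)."""
    m = re.fullmatch(r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?", spec.strip())
    if not m:
        raise ValueError(f"bad postscreen_dnsbl_sites entry: {spec}")
    zone, pattern, weight = m.groups()
    return zone, pattern, int(weight) if weight is not None else 1


def octet_matches(pat, value):
    """One pattern octet: a literal number or a [low..high] range."""
    rng = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pat)
    if rng:
        return int(rng.group(1)) <= value <= int(rng.group(2))
    return int(pat) == value


def pattern_matches(pattern, addr):
    """Tokenise '127.0.[0..255].[1..3]' into four octet patterns and compare."""
    pats = re.findall(r"\[\d+\.\.\d+\]|\d+", pattern)
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and len(octets) == 4 and all(
        octet_matches(p, o) for p, o in zip(pats, octets))


def score(sites, replies):
    """replies: {zone: [A records]} for one client; missing/empty = not listed.
    Returns (total, [(zone, matching answer, weight), ...])."""
    total, hits = 0, []
    for spec in sites:
        zone, pattern, weight = parse_site(spec)
        for a in replies.get(zone, []):
            if pattern is None or pattern_matches(pattern, a):
                total += weight
                hits.append((zone, a, weight))
                break   # assumption: one site entry counts once per client
    return total, hits


def verdict(sites, replies, threshold=DNSBL_THRESHOLD):
    """postscreen rejects when the weighted score reaches the threshold."""
    total, _ = score(sites, replies)
    return "reject" if total >= threshold else "pass"


# Constructed replies for four hypothetical clients (not live DNS data).
REPLY_BOTH_BLACKLISTS = {
    "highqualityblacklist.example.com": ["127.0.0.2"],
    "lowerqualityblacklist.example.net": ["127.0.0.2"],
}                                                   # 2 + 1 = 3 -> reject
REPLY_DNSWL_MEDIUM = {
    "lowerqualityblacklist.example.net": ["127.0.0.2"],
    "list.dnswl.org": ["127.0.3.2"],               # ESP, trust "medium"
}                                                   # 1 - 5 = -4 -> pass
REPLY_DNSWL_OVER_QUOTA = {
    "lowerqualityblacklist.example.net": ["127.0.0.2"],
    "list.dnswl.org": ["127.0.0.255"],             # over-quota code, filtered out
}                                                   # 1 -> reject
REPLY_DNSWL_TRUST_NONE = {
    "list.dnswl.org": ["127.0.10.0"],              # trust "none" is outside [1..3]
}                                                   # 0 -> pass

if __name__ == "__main__":
    for name, replies in (("both blacklists", REPLY_BOTH_BLACKLISTS),
                          ("dnswl medium", REPLY_DNSWL_MEDIUM),
                          ("dnswl over quota", REPLY_DNSWL_OVER_QUOTA),
                          ("dnswl trust none", REPLY_DNSWL_TRUST_NONE)):
        print(f"{name:18s} score={score(SITES, replies)[0]:3d} -> {verdict(SITES, replies)}")
```

The over-quota case is the one worth noticing: because the dnswl entry is filtered to 127.0.[0..255].[1..3], a 127.0.0.255 answer contributes nothing, so a client that was only passing thanks to the whitelist starts being rejected as soon as you exceed dnswl's free query limit.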

[Method 3] SpamAssassin

header  __RCVD_IN_DNSWL         eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
tflags  __RCVD_IN_DNSWL         nice net
...
header  RCVD_IN_DNSWL_HI        eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')
describe RCVD_IN_DNSWL_HI       Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI         nice net
...
score RCVD_IN_DNSWL_HI          -100



surbl


How a SURBL lookup works

1. Extract URIs from message bodies.

2. Extract the base (registered) domain from each URI host:

    For any domain on the three-level list, check it at the fourth level ()
    For any domain on the two-level list, check it at the third level (.com.hk)
    For any other domain, check it at the second level (.com)

3. Look up the base domain in the SURBL by prepending it to the name of the zone
    (domainundertest.com.multi.surbl.org) and resolving the Address (A) record of the combined name.
    SURBL matches also have a TXT record containing a descriptive reason for list inclusion,
    but the A record is the strongly preferred response for automated use.
    A non-result (NXDOMAIN) indicates that the domain is not on the list;
    an Address result indicates list inclusion.

Blocked DNS server IP

If you get a result of 127.0.0.1 when doing a SURBL DNS query against the public nameservers, your access has been blocked.

See SURBL's Usage Policy and sign up for SURBL's Sponsored Data Service (SDS).

Real test

dig +short modern-machinery.net.multi.surbl.org

127.0.0.8

dig -t txt +short modern-machinery.net.multi.surbl.org

"Blocked, modern-machinery.net on lists [ph], See: http://www.surbl.org/lists.html"

Response

All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org.

The answer is a DNS A record whose last octet is a bitmask of the lists the domain is on:

127.0.0.X

8 = listed on PH           # Phishing sites
16 = listed on MW          # Malware sites
64 = listed on ABUSE       # spam and other abuse sites
128 = listed on CR         # Cracked sites

127.0.0.80 means a record is on both MW and ABUSE (comes from: 16 + 64 = 80)

  * Default TTL for the live data in the multi list is 3 minutes.
     The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.
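The three-step procedure above and the bitmask table just shown, combined into one added example (not SURBL's or SpamAssassin's URIDNSBL code): it pulls hosts out of a message body, reduces each to its base domain using the two-level/three-level suffix tables, reverses numeric IPs, and decodes the multi.surbl.org answer. TWO_LEVEL and THREE_LEVEL are constructed subsets standing in for SURBL's published lists, the sample message and the FAKE_ZONE answers are constructed (the modern-machinery.net entry mirrors the dig output above), and the resolver is injected so it runs offline.

```python
import ipaddress
import re

ZONE = "multi.surbl.org"
# Bit values of the last octet of a multi.surbl.org A record (table above).
SURBL_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}

# Constructed subsets of SURBL's two-level and three-level suffix lists.
TWO_LEVEL = {"co.uk", "org.uk", "com.hk", "com.au", "co.jp"}
THREE_LEVEL = {"demon.co.uk"}

# Hosts behind http(s):// or a bare www. prefix; stops at path, port or quote.
HOST_RE = re.compile(r"""(?:https?://|www\.)([^\s/:?#<>"']+)""", re.I)


def extract_hosts(body):
    """Step 1: URIs from the message body, reduced to their host part."""
    return [m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(body)]


def base_domain(host):
    """Step 2: registered domain. Three-level suffixes are checked at the
    fourth level, two-level suffixes at the third, everything else at the second."""
    labels = host.split(".")
    for depth, table in ((3, THREE_LEVEL), (2, TWO_LEVEL)):
        if len(labels) > depth and ".".join(labels[-depth:]) in table:
            return ".".join(labels[-(depth + 1):])
    return ".".join(labels[-2:])


def query_name(host):
    """Step 3: name to resolve. Numeric IPs are queried in reversed octet order."""
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split("."))) + "." + ZONE
    except ipaddress.AddressValueError:
        return base_domain(host) + "." + ZONE


def decode(answers):
    """A-record last octet -> set of SURBL list names. 127.0.0.1 means the
    public nameservers refused the query (blocked resolver), not a listing."""
    lists = set()
    for a in answers:
        code = int(ipaddress.IPv4Address(a)) & 0xFF
        if code == 1:
            raise RuntimeError(f"{ZONE} refused the query: resolver IP is blocked")
        lists.update(name for bit, name in SURBL_BITS.items() if code & bit)
    return lists


def scan(body, lookup):
    """Whole pipeline: {query name: lists} for every listed base domain."""
    results, seen = {}, set()
    for host in extract_hosts(body):
        q = query_name(host)
        if q in seen:
            continue            # one lookup per base domain
        seen.add(q)
        lists = decode(lookup(q))
        if lists:
            results[q] = lists
    return results


# Constructed sample message and zone answers (not live data).
SAMPLE_BODY = """Dear customer,
Verify your account at http://secure-login.modern-machinery.net/verify?id=7
Our store: www.shop.example.co.uk/offers and https://example.com/help
Mirror: http://10.1.2.3/update.exe
"""
FAKE_ZONE = {
    "modern-machinery.net.multi.surbl.org": ["127.0.0.8"],   # PH, as in the dig above
    "example.co.uk.multi.surbl.org": ["127.0.0.80"],         # MW + ABUSE (16 + 64)
    "3.2.1.10.multi.surbl.org": ["127.0.0.16"],              # MW
}


def fake_lookup(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_BODY):
        print(f"{host:40s} -> {query_name(host)}")
    print(scan(SAMPLE_BODY, fake_lookup))
```

The suffix-table step is the part people get wrong when hand-rolling this: querying shop.example.co.uk or co.uk instead of example.co.uk either misses the listing or hits a registry suffix that SURBL will never list, which is why the base-domain reduction happens before the lookup and not after.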

spamassassin score

# surbl Setting
score URIBL_PH_SURBL    2.5
score URIBL_CR_SURBL    2.5
score URIBL_MW_SURBL    2.5
score URIBL_ABUSE_SURBL 2.5

spamassassin rule setting

/usr/share/spamassassin/25_uribl.cf

urirhssub       URIBL_PH_SURBL  multi.surbl.org.        A   8
body            URIBL_PH_SURBL  eval:check_uridnsbl('URIBL_PH_SURBL')
describe        URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist
tflags          URIBL_PH_SURBL  net
reuse           URIBL_PH_SURBL

urirhssub       URIBL_MW_SURBL  multi.surbl.org.        A   16
body            URIBL_MW_SURBL  eval:check_uridnsbl('URIBL_MW_SURBL')
describe        URIBL_MW_SURBL  Contains an URL listed in the MW SURBL blocklist
tflags          URIBL_MW_SURBL  net
reuse           URIBL_MW_SURBL

urirhssub       URIBL_ABUSE_SURBL  multi.surbl.org.        A   64
body            URIBL_ABUSE_SURBL  eval:check_uridnsbl('URIBL_ABUSE_SURBL')
describe        URIBL_ABUSE_SURBL  Contains an URL listed in the ABUSE SURBL blocklist
tflags          URIBL_ABUSE_SURBL  net
reuse           URIBL_ABUSE_SURBL

urirhssub       URIBL_CR_SURBL  multi.surbl.org.        A   128
body            URIBL_CR_SURBL  eval:check_uridnsbl('URIBL_CR_SURBL')
describe        URIBL_CR_SURBL  Contains an URL listed in the CR SURBL blocklist
tflags          URIBL_CR_SURBL  net
reuse           URIBL_CR_SURBL

options

urirhssub

urirhssub NAME_OF_RULE rhsbl_zone lookuptype subtest

subtest is the sub-test to run against the returned data.

Note that, as with urirhsbl, you must also define a body-eval rule calling check_uridnsbl() to use this.

tflags

tflags SYMBOLIC_TEST_NAME [ {net|nice|learn|userconf|noautolearn} ]

Used to set flags on a test.

net

    The test is a network test, and will not be run in the mass checking system or if -L is used, therefore its score should not be modified.

nice

    The test is intended to compensate for common false positives, and should be assigned a negative score.

userconf

    The test requires user configuration before it can be used (like language- specific tests).

learn

    The test requires training before it can be used.

noautolearn

    The test will explicitly be ignored when calculating the score for learning systems.

reuse

For reusing old rule hits during a mass-check



RBL (Realtime Blackhole Lists)


If Spamhaus lookups are working correctly there are only two possible results:

  • 'Not listed' queries must always return NXDOMAIN
  • 'Listed' in a Spamhaus zone: 127.0.0.X

Testing whether your DNS server is supported:

Working result (127.0.0.2 is the permanent "always listed" test address):

dig +short 2.0.0.127.zen.spamhaus.org

127.0.0.4
127.0.0.10
127.0.0.2

Blocked / unsupported result (queries through a public resolver such as 8.8.8.8 are refused):

dig +short 1.0.0.127.zen.spamhaus.org @8.8.8.8

<empty>

Note that 127.0.0.1 is the "never listed" test address, so an empty answer for 1.0.0.127 is also the correct answer from a working resolver; the conclusive test is to query 2.0.0.127 through the same resolver and get nothing back.


List    Zone                 Return codes
SBL     sbl.spamhaus.org     127.0.0.2-3
XBL     xbl.spamhaus.org     127.0.0.4-7
PBL     pbl.spamhaus.org     127.0.0.10-11

SBL (Spamhaus Block List): static UBE sources, verified spam services (hosting or support) and ROKSO spammers.

CSS (127.0.0.3): direct snowshoe spam sources detected via automation. If you are already using the SBL or ZEN you should not need to do anything except ensure that your spam filter handles the additional 127.0.0.3 return code.

XBL: illegal 3rd-party exploits, including proxies, worms and trojan exploits.

PBL: IP ranges which should not be delivering unauthenticated SMTP email.

* PBL lists normal customer IP space; do not apply PBL on smarthosts or SMTP AUTH outbound (submission) servers for your own customers, or you will block them.


Zen Block List

Combination of all Spamhaus IP-based DNSBLs into one zone; includes SBL, XBL and PBL.

Zone                     Result

zen.spamhaus.org         127.0.0.2-11

* Do not use ZEN together with the other Spamhaus IP blocklists: ZEN already contains them, so the extra queries only double the load and double-count the hit.

Return Code

127.0.0.2       SBL     Spamhaus SBL Data
127.0.0.3       SBL     Spamhaus SBL CSS Data
127.0.0.4       XBL     CBL Data
127.0.0.10      PBL     ISP Maintained
127.0.0.11      PBL     Spamhaus Maintained

* Commercial spam-filter companies and high-volume users require a subscription to the Spamhaus Data Feed Service; the free public mirrors are for low-volume, non-commercial use.

* DBL is for domains, ZEN is for IP addresses.
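To tie the ZEN return codes and the resolver test together, an added example (not Spamhaus or SpamAssassin code) that decodes a set of zen.spamhaus.org answers into SBL/CSS/XBL/PBL hits, skips PBL for SMTP AUTH clients as the PBL note advises, refuses to treat anything outside 127.0.0.0/24 as a listing (current Spamhaus zones answer refused queries with codes in 127.255.255.0/24, e.g. 127.255.255.254 when the query came through a public/open resolver), and checks the two published test addresses (127.0.0.2 always listed, 127.0.0.1 never). The resolver tables are constructed; the "good" one reproduces the dig output above.

```python
import ipaddress

ZONE = "zen.spamhaus.org"
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/24")


def reverse_ip(ip):
    """1.2.3.4 -> 4.3.2.1 (the query label order for IP-based DNSBLs)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def decode_code(last_octet):
    """Map the last octet of a ZEN answer to (list, description)."""
    if last_octet == 2:
        return "SBL", "Spamhaus SBL data"
    if last_octet == 3:
        return "SBL", "SBL CSS (snowshoe) data"
    if 4 <= last_octet <= 7:
        return "XBL", "CBL / exploited host data"
    if last_octet == 10:
        return "PBL", "ISP maintained"
    if last_octet == 11:
        return "PBL", "Spamhaus maintained"
    raise ValueError(f"unknown ZEN return code 127.0.0.{last_octet}")


def classify(answers, authenticated_client=False):
    """Answers (A-record strings) -> set of lists the client is on.

    authenticated_client=True drops PBL hits: PBL covers ordinary customer
    address space, which is exactly where your own SMTP AUTH users sit.
    """
    lists = set()
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        if addr not in LISTING_RANGE:
            # 127.255.255.x and the like are error/refusal codes, never listings
            raise RuntimeError(f"{ZONE} answered {a}: error code, not a listing")
        name, _ = decode_code(int(addr) & 0xFF)
        if name == "PBL" and authenticated_client:
            continue
        lists.add(name)
    return lists


def should_reject(answers, authenticated_client=False):
    return bool(classify(answers, authenticated_client))


def resolver_ok(lookup):
    """Both published test addresses must behave: 127.0.0.2 listed inside
    127.0.0.0/24, 127.0.0.1 NXDOMAIN. An empty answer for 2.0.0.127 means the
    resolver is blocked (e.g. a public resolver) or the zone is unreachable."""
    listed = lookup(f"{reverse_ip('127.0.0.2')}.{ZONE}")
    unlisted = lookup(f"{reverse_ip('127.0.0.1')}.{ZONE}")
    return (bool(listed)
            and all(ipaddress.IPv4Address(a) in LISTING_RANGE for a in listed)
            and unlisted == [])


# Constructed stand-ins (not live data). GOOD mirrors the dig output above.
GOOD_RESOLVER = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10", "127.0.0.2"]}
BLOCKED_RESOLVER = {}   # a public resolver: nothing comes back for anything
OPEN_RESOLVER_ERROR = {"2.0.0.127.zen.spamhaus.org": ["127.255.255.254"],
                       "1.0.0.127.zen.spamhaus.org": ["127.255.255.254"]}


def lookup_from(table):
    return lambda name: table.get(name, [])


if __name__ == "__main__":
    answers = GOOD_RESOLVER["2.0.0.127.zen.spamhaus.org"]
    print("test point lists:", classify(answers))
    print("same answers for an AUTH client:", classify(answers, authenticated_client=True))
    for label, table in (("good", GOOD_RESOLVER), ("blocked", BLOCKED_RESOLVER),
                         ("open-resolver error", OPEN_RESOLVER_ERROR)):
        print(f"resolver {label}: ok={resolver_ok(lookup_from(table))}")
```

Run resolver_ok at startup or from a monitoring check: a resolver that silently returns nothing for 2.0.0.127 makes every client look clean, and that failure mode produces no log line of its own.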



Doc

https://www.intra2net.com/en/support/antispam/
