OT? RBL's

Lyle Bickley lbickley at bickleywest.com
Thu Jun 29 15:14:58 CDT 2006 

Zane,

On Thursday 29 June 2006 12:11, Zane H. Healy wrote:
> Does anyone have a list of favorite RBL's (Real-time Spam Black Lists)? 
> I'm currently using the following and am looking for something a bit
> better.
>
> RBLs: relays.orbs.org, sbl.spamhaus.org, relays.ordb.org,
>         bl.spamcop.net

Here's all the RBL's I check using Spamassassin:

# ---------------------------------------------------------------------------
# NJABL
# URL: http://www.dnsbl.njabl.org/

header __RCVD_IN_NJABL		eval:check_rbl('njabl', 'combined.njabl.org.')
describe __RCVD_IN_NJABL	Received via a relay in combined.njabl.org
tflags __RCVD_IN_NJABL		net

header RCVD_IN_NJABL_RELAY	eval:check_rbl_sub('njabl', '127.0.0.2')
describe RCVD_IN_NJABL_RELAY	NJABL: sender is confirmed open relay
tflags RCVD_IN_NJABL_RELAY	net

header RCVD_IN_NJABL_DUL	eval:check_rbl('njabl-notfirsthop', 
'combined.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DUL	NJABL: dialup sender did non-local SMTP
tflags RCVD_IN_NJABL_DUL	net

header RCVD_IN_NJABL_SPAM	eval:check_rbl_sub('njabl', '127.0.0.4')
describe RCVD_IN_NJABL_SPAM	NJABL: sender is confirmed spam source
tflags RCVD_IN_NJABL_SPAM	net

header RCVD_IN_NJABL_MULTI	eval:check_rbl_sub('njabl', '127.0.0.5')
describe RCVD_IN_NJABL_MULTI	NJABL: sent through multi-stage open relay
tflags RCVD_IN_NJABL_MULTI	net

header RCVD_IN_NJABL_CGI	eval:check_rbl_sub('njabl', '127.0.0.8')
describe RCVD_IN_NJABL_CGI	NJABL: sender is an open formmail
tflags RCVD_IN_NJABL_CGI	net

header RCVD_IN_NJABL_PROXY	eval:check_rbl_sub('njabl', '127.0.0.9')
describe RCVD_IN_NJABL_PROXY	NJABL: sender is an open proxy
tflags RCVD_IN_NJABL_PROXY	net

# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request

header __RCVD_IN_SORBS		eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS	SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS		net

header RCVD_IN_SORBS_HTTP	eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP	SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP	net

header RCVD_IN_SORBS_SOCKS	eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS	SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS	net

header RCVD_IN_SORBS_MISC	eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC	SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC	net

header RCVD_IN_SORBS_SMTP	eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP	SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP	net

# delist: $50 fee
#header RCVD_IN_SORBS_SPAM	eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM	SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM	net

header RCVD_IN_SORBS_WEB	eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB	SORBS: sender is a abuseable web server
tflags RCVD_IN_SORBS_WEB	net

header RCVD_IN_SORBS_BLOCK	eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK	SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK	net

header RCVD_IN_SORBS_ZOMBIE	eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE	SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE	net

header RCVD_IN_SORBS_DUL	eval:check_rbl('sorbs-notfirsthop', 
'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL	SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL	net

# ---------------------------------------------------------------------------
# Spamhaus SBL+XBL
#
# Spamhaus XBL contains both the Abuseat CBL (cbl.abuseat.org) and Blitzed
# OPM (opm.blitzed.org) lists so it's not necessary to query those as well.

header __RCVD_IN_SBL_XBL	eval:check_rbl('sblxbl', 'sbl-xbl.spamhaus.org.')
describe __RCVD_IN_SBL_XBL	Received via a relay in Spamhaus SBL+XBL
tflags __RCVD_IN_SBL_XBL	net

# SBL is the Spamhaus Block List: http://www.spamhaus.org/sbl/
header RCVD_IN_SBL		eval:check_rbl_sub('sblxbl', '127.0.0.2')
describe RCVD_IN_SBL		Received via a relay in Spamhaus SBL
tflags RCVD_IN_SBL		net

# XBL is the Exploits Block List: http://www.spamhaus.org/xbl/
header RCVD_IN_XBL		eval:check_rbl('sblxbl-notfirsthop', 
'sbl-xbl.spamhaus.org.', '127.0.0.[456]')
describe RCVD_IN_XBL		Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL		net

# ---------------------------------------------------------------------------
# RFC-Ignorant blacklists (both name and IP based)

header __RFC_IGNORANT_ENVFROM	eval:check_rbl_envfrom('rfci_envfrom', 
'fulldom.rfc-ignorant.org.')
tflags __RFC_IGNORANT_ENVFROM	net

header DNS_FROM_RFC_DSN		eval:check_rbl_sub('rfci_envfrom', '127.0.0.2')
describe DNS_FROM_RFC_DSN	Envelope sender in dsn.rfc-ignorant.org
tflags DNS_FROM_RFC_DSN		net

header DNS_FROM_RFC_POST	eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
describe DNS_FROM_RFC_POST	Envelope sender in postmaster.rfc-ignorant.org
tflags DNS_FROM_RFC_POST	net

header DNS_FROM_RFC_ABUSE	eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
describe DNS_FROM_RFC_ABUSE	Envelope sender in abuse.rfc-ignorant.org
tflags DNS_FROM_RFC_ABUSE	net

header DNS_FROM_RFC_WHOIS	eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
describe DNS_FROM_RFC_WHOIS	Envelope sender in whois.rfc-ignorant.org
tflags DNS_FROM_RFC_WHOIS	net

Cheers,
Lyle
-- 
Lyle Bickley
Bickley Consulting West Inc.
Mountain View, CA
http://bickleywest.com

"Black holes are where God is dividing by zero"

More information about the cctalk mailing list