In case anyone is using SpamAssassin and wants to increase their use of the available DNS Blacklists, I have a configuration file that I can make available that includes connections to some of the blacklists that I find to be more valuable. These include SPEWS, SORBS, Easynet, Blackholes.us, Spamcop and some others. Some of these blacklists were removed from the current version of SpamAssassin because the original locations, like OSIRUSOFT, went offline due to DDoS attacks by spammers. I have found some new locations for those so that I can continue to benefit from the blacklists that were so effective that spammers actually hired virus writers to shut them down.
You can adjust the scores to your desired level depending on how much you trust the blacklist in question. Thus, a lower score will reduce the importance of that particular list; a higher score will increase its relevance. You just edit the .cf file and then copy it into /etc/mail/spamassassin, restart SA and watch it start to work. I have found this blackhole list especially useful in targeting direct-to-MX spam from compromised zombie Windows machines on DSL and Cable networks. If anyone would like a copy, let me know. If you are not running SpamAssassin, I am afraid that this configuration file will do you no good. Using this .cf along with a couple of edits to the local.cf file that place a higher score on HTML-only mail among other body checks, I have gotten only one false negative out of some 4000 spam messages over the last two weeks and no false positives at all. (I do have a whitelist of commercial merchants that I actually expect to send me HTML mail).

The file is attached below:

#dnsbl.cf - Place this file in /etc/mail/spamassassin/dnsbl.cf
#Note that files are loaded in alphabetical order, any entries in local.cf
#will override the entries in this configuration file.

# EASYNET_NL is the Easynet.nl List: http://blackholes.easynet.nl .
header RCVD_IN_EASY rbleval:check_rbl('relay', 'blackholes.easynet.nl.')
describe RCVD_IN_EASY Received via EASYed relay, see http://blackholes.easynet.nl
tflags RCVD_IN_EASY net

# use *.blackholes.us DNSBL's
# $Id: blackholes.cf,v 1.2 2002/08/07 06:23:58 pancrace Exp $
header RCVD_IN_ARGENTINA eval:check_rbl('country', 'argentina.blackholes.us.')
describe RCVD_IN_ARGENTINA Received from Argentina
header RCVD_IN_BRAZIL eval:check_rbl('country', 'brazil.blackholes.us.')
describe RCVD_IN_BRAZIL Received from Brazil
header RCVD_IN_CHINA eval:check_rbl('country', 'china.blackholes.us.')
describe RCVD_IN_CHINA Received from China
header RCVD_IN_JAPAN eval:check_rbl('country', 'japan.blackholes.us.')
describe RCVD_IN_JAPAN Received from Japan
header RCVD_IN_KOREA eval:check_rbl('country', 'korea.blackholes.us.')
describe RCVD_IN_KOREA Received from Korea
header RCVD_IN_NIGERIA eval:check_rbl('country', 'nigeria.blackholes.us.')
describe RCVD_IN_NIGERIA Received from Nigeria
header RCVD_IN_RUSSIA eval:check_rbl('country', 'russia.blackholes.us.')
describe RCVD_IN_RUSSIA Received from Russia
header RCVD_IN_SINGAPORE eval:check_rbl('country', 'singapore.blackholes.us.')
describe RCVD_IN_SINGAPORE Received from Singapore
header RCVD_IN_TAIWAN eval:check_rbl('country', 'taiwan.blackholes.us.')
describe RCVD_IN_TAIWAN Received from Taiwan
header RCVD_IN_THAILAND eval:check_rbl('country', 'thailand.blackholes.us.')
describe RCVD_IN_THAILAND Received from Thailand

score RCVD_IN_ARGENTINA 2.0
score RCVD_IN_BRAZIL 2.0
score RCVD_IN_CHINA 2.0
score RCVD_IN_JAPAN 2.0
score RCVD_IN_KOREA 2.0
score RCVD_IN_NIGERIA 2.0
score RCVD_IN_RUSSIA 2.0
score RCVD_IN_SINGAPORE 2.0
score RCVD_IN_TAIWAN 2.0
score RCVD_IN_THAILAND 2.0

header RCVD_IN_BROADWING eval:check_rbl('isp', 'broadwing.blackholes.us.')
describe RCVD_IN_BROADWING Received from Broadwing network space
header RCVD_IN_CIBERLYNX eval:check_rbl('isp', 'ciberlynx.blackholes.us.')
describe RCVD_IN_CIBERLYNX Received from Ciberlynx network space
header RCVD_IN_CW eval:check_rbl('isp', 'cw.blackholes.us.')
describe RCVD_IN_CW Received from Cable and Wireless network space
header RCVD_IN_ELI eval:check_rbl('isp', 'eli.blackholes.us.')
describe RCVD_IN_ELI Received from ELI network space
header RCVD_IN_EPOCH eval:check_rbl('isp', 'epoch.blackholes.us.')
describe RCVD_IN_EPOCH Received from Epoch network space
header RCVD_IN_HE eval:check_rbl('isp', 'he.blackholes.us.')
describe RCVD_IN_HE Received from Hurricane Electric network space
header RCVD_IN_INFLOW eval:check_rbl('isp', 'inflow.blackholes.us.')
describe RCVD_IN_INFLOW Received from Inflow network space
header RCVD_IN_INTERNAP eval:check_rbl('isp', 'internap.blackholes.us.')
describe RCVD_IN_INTERNAP Received from Internap network space
header RCVD_IN_LEVEL3 eval:check_rbl('isp', 'level3.blackholes.us.')
describe RCVD_IN_LEVEL3 Received from Level 3 network space
header RCVD_IN_RACKSPACE eval:check_rbl('isp', 'rackspace.blackholes.us.')
describe RCVD_IN_RACKSPACE Received from Rackspace network space
header RCVD_IN_RR eval:check_rbl('isp', 'rr.blackholes.us.')
describe RCVD_IN_RR Received from Road Runner network space
header RCVD_IN_SKYNETWEB eval:check_rbl('isp', 'skynetweb.blackholes.us.')
describe RCVD_IN_SKYNETWEB Received from SkynetWeb network space
header RCVD_IN_VALUEWEB eval:check_rbl('isp', 'valueweb.blackholes.us.')
describe RCVD_IN_VALUEWEB Received from Valueweb/Cybergate network space
header RCVD_IN_VERIO eval:check_rbl('isp', 'verio.blackholes.us.')
describe RCVD_IN_VERIO Received from Verio network space
header RCVD_IN_WANADOOFR eval:check_rbl('isp', 'wanadoo-fr.blackholes.us.')
describe RCVD_IN_WANADOOFR Received from Wanadoo.fr network space
header RCVD_IN_XO eval:check_rbl('isp', 'xo.blackholes.us.')
describe RCVD_IN_XO Received from XO/Concentric network space
header RCVD_IN_SORBS eval:check_rbl('isp', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS Received from IP in dnsbl.sorbs.net
header RCVD_IN_SPEWS eval:check_rbl('isp', 'l1.spews.dnsbl.sorbs.net.')
describe RCVD_IN_SPEWS Received from IP in Spews.sorbs.net
header RCVD_IN_ROGERS eval:check_rbl('isp', 'rogers.blackholes.us.')
describe RCVD_IN_ROGERS Received from rogers network space

score RCVD_IN_BROADWING 2.0
score RCVD_IN_CIBERLYNX 2.0
score RCVD_IN_CW 2.0
score RCVD_IN_ELI 2.0
score RCVD_IN_EPOCH 2.0
score RCVD_IN_HE 2.0
score RCVD_IN_INFLOW 2.0
score RCVD_IN_INTERNAP 2.0
score RCVD_IN_LEVEL3 2.0
score RCVD_IN_RACKSPACE 2.0
score RCVD_IN_RR 2.0
score RCVD_IN_SKYNETWEB 2.0
score RCVD_IN_VALUEWEB 2.0
score RCVD_IN_VERIO 2.0
score RCVD_IN_WANADOOFR 2.0
score RCVD_IN_XO 2.0
score RCVD_IN_SORBS 2.0
score RCVD_IN_ROGERS 2.0
score RCVD_IN_CBL 2.0
score RCVD_IN_SBL 2.0
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_EASY 2.0
score RCVD_IN_SPEWS 2.0
score RCVD_IN_DSBL 2.0

#Single Zone BL's first
#CBL.ABUSEAT.ORG is a DNSBL of senders who have sent to spamtrap addresses.
#This one is pretty good at hitting crap spammers not caught by some others,
#especially clueless cable modem spammers.
header RCVD_IN_CBL rbleval:check_rbl('relay', 'cbl.abuseat.org')
describe RCVD_IN_CBL DNSBL: sender has sent spam to spamtraps
tflags RCVD_IN_CBL net

# Multizone / Multi meaning BLs next
# SORBS, like MAPS RBL+ is a multi-meaning BL, so it is treated separately
header RCVD_IN_SORBS rbleval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe RCVD_IN_SORBS Received via a relay in dnsbl.sorbs.net
tflags RCVD_IN_SORBS net

# X prefix was used to insure that it was run at the end, but it's not needed
# anymore since we run the rule with rblreseval -- Marc
header X_SORBS_OPEN_HTTP rbleval:check_rbl_results_for('sorbs', '127.0.0.2')
describe X_SORBS_OPEN_HTTP DNSBL: sender is Confirmed Open Proxy
tflags X_SORBS_OPEN_HTTP net
header X_SORBS_SOCKS rbleval:check_rbl_results_for('sorbs', '127.0.0.3')
describe X_SORBS_SOCKS DNSBL: sender ip address Confirmed Open Socks Proxy
tflags X_SORBS_SOCKS net
header X_SORBS_MISC rbleval:check_rbl_results_for('sorbs', '127.0.0.4')
describe X_SORBS_MISC DNSBL: sender is Confirmed Open Misc Proxy
tflags X_SORBS_MISC net
header X_SORBS_SMTP rbleval:check_rbl_results_for('sorbs', '127.0.0.5')
describe X_SORBS_SMTP DNSBL: sender is a Confirmed Open Relay
tflags X_SORBS_SMTP net
header X_SORBS_SPAM rbleval:check_rbl_results_for('sorbs', '127.0.0.6')
describe X_SORBS_SPAM DNSBL: sender is a Confirmed spam Source
tflags X_SORBS_SPAM net
header X_SORBS_WEB rbleval:check_rbl_results_for('sorbs', '127.0.0.7')
describe X_SORBS_WEB DNSBL: sender is a Confirmed Spam Support Web Server
tflags X_SORBS_WEB net
header X_SORBS_ZOMBIE rbleval:check_rbl_results_for('sorbs', '127.0.0.9')
describe X_SORBS_ZOMBIE DNSBL: sender is a Zombie Domain
tflags X_SORBS_ZOMBIE net
header X_SORBS_NOMAIL rbleval:check_rbl_results_for('sorbs', '127.0.0.12')
describe X_SORBS_NOMAIL DNSBL: sender is a Confirmed No Mail Ever zone
tflags X_SORBS_NOMAIL net

num_check_received 5

--
Bryan Phinney
Software Test Engineer
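Added example, not part of the original post or of SpamAssassin: a Python sketch of the lookup behind the check_rbl rules above, showing how a relay IP becomes a DNSBL query name, how the SORBS return codes map to the X_SORBS_* rules in the posted file, and how to test a zone with the RFC 5782 test entries before trusting it, since a relocated or defunct list can start answering for every address. The function names, the stub resolvers and the sample records are assumptions constructed for illustration; replace the stub with a real DNS A-record lookup to use it.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# SORBS return codes, as mapped by the X_SORBS_* rules in the posted dnsbl.cf.
SORBS_CODES = {
    "127.0.0.2": "X_SORBS_OPEN_HTTP", "127.0.0.3": "X_SORBS_SOCKS", "127.0.0.4": "X_SORBS_MISC", "127.0.0.5": "X_SORBS_SMTP",
    "127.0.0.6": "X_SORBS_SPAM", "127.0.0.7": "X_SORBS_WEB", "127.0.0.9": "X_SORBS_ZOMBIE", "127.0.0.12": "X_SORBS_NOMAIL",
}

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.25 -> 25.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def listed_codes(ip, zone, resolve):
    """A records in 127.0.0.0/8 for ip in zone; any other answer is not a listing."""
    answers = resolve(query_name(ip, zone))
    return [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]

def zone_is_healthy(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (
        bool(listed_codes("127.0.0.2", zone, resolve))
        and not listed_codes("127.0.0.1", zone, resolve)
    )

def sorbs_rules(ip, resolve, zone="dnsbl.sorbs.net."):
    """Rule names from the posted file that would fire for this relay IP."""
    codes = listed_codes(ip, zone, resolve)
    if not codes:
        return []
    return ["RCVD_IN_SORBS"] + [SORBS_CODES[c] for c in codes if c in SORBS_CODES]

# Constructed sample data standing in for DNS: query name -> A records.
SAMPLE_DNS = {
    "2.0.0.127.dnsbl.sorbs.net": ["127.0.0.2"],
    "25.2.0.192.dnsbl.sorbs.net": ["127.0.0.5", "127.0.0.6"],
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

def dead_zone_resolve(name):
    """Constructed failure case: a zone that answers for every name."""
    return ["127.0.0.2"]

if __name__ == "__main__":
    print(zone_is_healthy("dnsbl.sorbs.net.", sample_resolve))
    print(sorbs_rules("192.0.2.25", sample_resolve))
```

A zone that fails zone_is_healthy should have its rules commented out or scored at 0 rather than left at 2.0, because every message would otherwise pick up its score.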
