logo
home
datafeed
about
usage
mirrors
rss feeds
help us
links
contact
faq

 

SpamAssassin Usage

Default Rules for Public Access

SpamAssassin includes support for URIBL by default. Please make sure you are on a recent version of SpamAssassin.

You will find the following rules in the default SpamAssassin configuration (/var/lib/spamassassin/3.00X000/updates_spamassassin_org/25_uribl.cf) on redhat/centos. It is not recommend to edit these files, as sa-update will overwrite them. To override scores for URIBL_* rules, please do so via your local configuration directory (ie /etc/mail/spamassassin). To disable URIBL tests, set scores to 0.00 for all 4 of the default rules.

urirhssub       URIBL_BLACK     multi.uribl.com.        A   2
body            URIBL_BLACK     eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK     Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK     net
reuse           URIBL_BLACK
urirhssub       URIBL_GREY      multi.uribl.com.        A   4
body            URIBL_GREY      eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY      Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY      net
reuse           URIBL_GREY
urirhssub       URIBL_RED       multi.uribl.com.        A   8
body            URIBL_RED       eval:check_uridnsbl('URIBL_RED')
describe        URIBL_RED       Contains an URL listed in the URIBL redlist
tflags          URIBL_RED       net
reuse           URIBL_RED
urirhssub       URIBL_BLOCKED   multi.uribl.com.        A   1
body            URIBL_BLOCKED   eval:check_uridnsbl('URIBL_BLOCKED')
describe        URIBL_BLOCKED   ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags          URIBL_BLOCKED   net noautolearn


Rules for Commercial Datafeed Service

Datafeed over DNS users will use the same rules, but the hostname will change from the public nameservers (multi.uribl.com) to the private custom hostname provided specific for your account.

urirhssub       URIBL_BLACK  _CUSTID.df.uribl.com.        A   2 
urirhssub       URIBL_GREY   _CUSTID.df.uribl.com.        A   4 
urirhssub       URIBL_RED    _CUSTID.df.uribl.com.        A   8
urirhssub       URIBL_GOLD   _CUSTID.df.uribl.com.        A   16 

URIBL_GOLD

URIBL Gold is integrated in the df.txt (and .gz) file provided to datafeed rsync users. This zone file contains domains that we believe will appear in future spam email, and can be utilize in SpamAssassin by adding an additional rule to check for bit 16 being returned from the df/multi zone. No default score is assigned, please test its accuracy on your network before assigning it a score!


# Example Datafeed over RSYNC usage 
################################################################################
urirhssub       URIBL_GOLD  multi.your-domain.tld.        A   16
body            URIBL_GOLD  eval:check_uridnsbl('URIBL_GOLD')
describe        URIBL_GOLD  Contains an URL listed in the URIBL greylist
tflags          URIBL_GOLD  net
# score         URIBL_GOLD  3.0
score           URIBL_GOLD  0.01
################################################################################

# Example Datafeed over DNS usage 
#   - replace _CUSTID with your unique hostname
#   - rescore as necessary
################################################################################
urirhssub       URIBL_GOLD  _CUSTID.df.uribl.com.        A   16
body            URIBL_GOLD  eval:check_uridnsbl('URIBL_GOLD')
describe        URIBL_GOLD  Contains an URL listed in the URIBL greylist
tflags          URIBL_GOLD  net
# score         URIBL_GOLD  3.0
score           URIBL_GOLD  0.01
################################################################################

URIBL_BLACK_NS

Datafeed over RSYNC users have the ability to load the black_ns.txt zone locally to utilize this rule, while Datafeed over DNS customers can query for bit 128. Checking nameservers for each link can triple your query volume as most domains have at least 2 nameservers.


# Example Datafeed over Rsync usage
#   - urifullnsrhssub requires SpamAssassin 3.3x or higher! 
#   - Change blackns.your-domain.tld to the host you have this data loaded in
#   - Rescore from 0.01 after testing effectiveness on your mail flow
################################################################################
urifullnsrhssub	URIBL_BLACK_NS        blackns.your-domain.tld.  A   2
body            URIBL_BLACK_NS        eval:check_uridnsbl('URIBL_BLACK_NS')
tflags          URIBL_BLACK_NS        net
# score         URIBL_BLACK_NS        3.0
score           URIBL_BLACK_NS        0.01
################################################################################

# Example Datafeed over DNS usage
#   - urifullnsrhssub requires SpamAssassin 3.3x or higher! 
#   - replace _CUSTID with your unique hostname
#   - rescore as necessary
################################################################################
urifullnsrhssub    URIBL_BLACK_NS     _CUSTID.df.uribl.com.   A       128
body               URIBL_BLACK_NS     eval:check_uridnsbl('URIBL_BLACK_NS')
describe           URIBL_BLACK_NS     Contains a URL which has a known bad nameserver
tflags             URIBL_BLACK_NS     net
# score            URIBL_BLACK_NS     3.0
score              URIBL_BLACK_NS     0.01 
################################################################################

URIBL_BLACK_NSIP

Datafeed over RSYNC users have the ability to load the black_nsip.txt zone locally to utilize this rule, while Datafeed over DNS customers can query for bit 64. Checking nameserver IPs for each link can triple your query volume as most domains have at least 2 nameservers.


# Example Datafeed over RSYNC usage
#  - This rule will work in all SpamAssassin versions, as it works in the same 
#    fasion as the Spamhaus SBL rule (URIBL_SBL).
#  - Change blacknsip.your-domain.tld to the host you have this data loaded in
#  - Rescore from 0.01 after testing effectiveness on your mail flow 
################################################################################
uridnsbl         URIBL_BLACK_NSIP         blacknsip.your-domain.tld.  A    2
body             URIBL_BLACK_NSIP         eval:check_uridnsbl('URIBL_BLACK_NSIP')
tflags           URIBL_BLACK_NSIP         net
# score          URIBL_BLACK_NSIP         3.0
score            URIBL_BLACK_NSIP         0.01
################################################################################

# Example Datafeed over DNS usage
#  - replace _CUSTID with your unique hostname
#  - Rescore from 0.01 after testing effectiveness on your mail flow 
################################################################################
uridnssub          URIBL_BLACK_NSIP   _CUSTID.df.uribl.com.   A       64
body               URIBL_BLACK_NSIP   eval:check_uridnsbl('URIBL_BLACK_NSIP')
describe           URIBL_BLACK_NSIP   Contains a URL which has a known bad nameserver IP
tflags             URIBL_BLACK_NSIP   net
# score            URIBL_BLACK_NSIP   3.0
score              URIBL_BLACK_NSIP   0.01 
################################################################################

URIBL_BLACK_A

Datafeed over RSYNC users have the ability to load the black_nsip.txt zone locally to utilize this rule, while Datafeed over DNS customers can query for bit 64. Checking IP address for each link can double your query volume as the domain, and the A record for the domain will both be looked up.


# Example Datafeed over RSYNC usage
#   - requires SpamAssassin 3.4x or higher! 
#   - Change blacka.your-domain.tld to the host you have this data loaded in
#   - Rescore from 0.01 after testing effectiveness on your mail flow 
################################################################################
uridnsbl        URIBL_BLACK_A   blacka.your-domain.tld.   A	2
body            URIBL_BLACK_A   eval:check_uridnsbl('URIBL_BLACK_A')
describe        URIBL_BLACK_A   Contains a URL's A listed in the URIBL_BLACK_A blocklist
tflags          URIBL_BLACK_A   net a
# score         URIBL_BLACK_A   3.0
score           URIBL_BLACK_A   0.01
################################################################################

# Example Datafeed over DNS usage
#  - replace _CUSTID with your unique hostname
#  - Rescore from 0.01 after testing effectiveness on your mail flow 
################################################################################
uridnssub          URIBL_BLACK_A      _CUSTID.df.uribl.com.   A       32
body               URIBL_BLACK_A      eval:check_uridnsbl('URIBL_BLACK_A')
describe           URIBL_BLACK_A      Contains a URL which is hosted on a known bad IP
tflags             URIBL_BLACK_A      net
# score            URIBL_BLACK_A      3.0
score              URIBL_BLACK_A      0.01
################################################################################