Provided by: spamassassin_4.0.1-5_all

NAME

       URIDNSBL - look up URLs against DNS blocklists

SYNOPSIS

         loadplugin    Mail::SpamAssassin::Plugin::URIDNSBL
         uridnsbl      URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT

DESCRIPTION

       This works by analysing message text and HTML for URLs, extracting host names from those, then querying
       various DNS blocklists for either: IP addresses of these hosts (uridnsbl,a) or their nameservers
       (uridnsbl,ns), or domain names of these hosts (urirhsbl), or domain names of their nameservers
       (urinsrhsbl, urifullnsrhsbl).

USER SETTINGS

       skip_uribl_checks ( 0 | 1 )   (default: 0)
           Turning on the skip_uribl_checks setting will disable the URIDNSBL plugin.

           By  default,  SpamAssassin  will  run  URI  DNSBL  checks.  Individual URI blocklists may be disabled
           selectively by setting a score of a corresponding rule  to  0  or  through  the  uridnsbl_skip_domain
           parameter.

           See  also  a  related  configuration  parameter  skip_rbl_checks,  which  controls the DNSEval plugin
           (documented in the Conf man page).

       uridnsbl_skip_domain domain1 domain2 ...
           Specify one or more domains which should be skipped for the URIBL checks.  This is useful for very
           common domains which are not going to be listed in URIBLs.

           In addition to the trimmed domain, the full hostname is also checked against the list.

       clear_uridnsbl_skip_domain [domain1 domain2 ...]
           If no argument is given, then clears the entire list  of  domains  declared  by  uridnsbl_skip_domain
           configuration directives so far. Any subsequent uridnsbl_skip_domain directives will start creating a
           new list of skip domains.

           When  given  a  list of domains as arguments, only the specified domains are removed from the list of
           skipped domains.

RULE DEFINITIONS AND PRIVILEGED SETTINGS

       uridnsbl NAME_OF_RULE dnsbl_zone lookuptype
           Specify a lookup.  "NAME_OF_RULE" is the name of the rule to be used, "dnsbl_zone"  is  the  zone  to
           look up IPs in, and "lookuptype" is the type of lookup (TXT or A).   Note that you must also define a
           body-eval rule calling check_uridnsbl() to use this.

           This  works  by  collecting  domain names from URLs and querying DNS blocklists with an IP address of
           host names found in URLs or with IP addresses of their name servers, according to tflags as follows.

           If the corresponding body rule has a tflag 'a', the DNS blocklist will be queried with an IP  address
           of a host found in URLs.

           If the corresponding body rule has a tflag 'ns', DNS will be queried for name servers (NS records) of
           a  domain  name  found  in URLs, then these name server names will be resolved to their IP addresses,
           which in turn will be sent to DNS blocklist.

           The tflags directive may specify 'a', 'ns', or both flags. If neither flag is given, the default is
           'ns', which is compatible with pre-3.4 versions of SpamAssassin.

           The  choice  of  tflags  must  correspond to the policy and expected use of each DNS blocklist and is
           normally not a local decision. As an example, a blocklist expecting queries  resulting  from  an  'a'
           tflag is a "black_a.txt" ( http://www.uribl.com/datasets.shtml ).

           Example:

            uridnsbl        URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT
            body            URIBL_SBLXBL    eval:check_uridnsbl('URIBL_SBLXBL')
            describe        URIBL_SBLXBL    Contains a URL listed in the SBL/XBL blocklist
            tflags          URIBL_SBLXBL    net ns

       uridnssub NAME_OF_RULE dnsbl_zone lookuptype subtest
           Specify  a  DNSBL-style  domain lookup with a sub-test.  "NAME_OF_RULE" is the name of the rule to be
           used, "dnsbl_zone" is the zone to look up IPs in, and "lookuptype" is the type of lookup (TXT or A).

           Tflags 'ns' and 'a' on a corresponding body rule are recognized and have the same meaning as  in  the
           uridnsbl directive.

           "subtest"  is  a  sub-test  to  run  against  the  returned  data.  The sub-test may be in one of the
           following forms: m, n1-n2, or n/m, where n,n1,n2,m can be any of: decimal digits, 0x followed  by  up
           to  8  hexadecimal digits, or an IPv4 address in quad-dot form. The 'A' records (IPv4 dotted address)
           as returned by DNSBLs lookups are converted into  a  numerical  form  (r)  and  checked  against  the
           specified  sub-test  as  follows: for a range n1-n2 the following must be true: (r >= n1 && r <= n2);
           for a n/m form the following must be true: (r & m) == (n & m); for a single value  in  quad-dot  form
           the following must be true: r == n; for a single decimal or hex form the following must be true:
             ((r & n) != 0) && ((r & 0xff000000) == 0x7f000000), i.e. within 127.0.0.0/8

           Some  typical  examples of a sub-test are: 127.0.1.2, 127.0.1.20-127.0.1.39, 127.0.1.0/255.255.255.0,
           0.0.0.16/0.0.0.16, 0x10/0x10, 16, 0x10 .

           Note that, as with "uridnsbl", you must also define a body-eval rule calling check_uridnsbl() to  use
           this.

           Example:

             uridnssub   URIBL_DNSBL_4    dnsbl.example.org.   A    127.0.0.4
             uridnssub   URIBL_DNSBL_8    dnsbl.example.org.   A    8

       urirhsbl NAME_OF_RULE rhsbl_zone lookuptype
           Specify a RHSBL-style domain lookup.  "NAME_OF_RULE" is the name of the rule to be used, "rhsbl_zone"
           is  the  zone  to  look up domain names in, and "lookuptype" is the type of lookup (TXT or A).   Note
           that you must also define a body-eval rule calling check_uridnsbl() to use this.

           An RHSBL zone is one where the domain name is looked up, as a string; e.g. a  URI  using  the  domain
           "foo.com"  will  cause  a  lookup of "foo.com.uriblzone.net".  Note that hostnames are trimmed to the
           domain portion in the URIBL lookup, so the domain "foo.bar.com" will look up "bar.com.uriblzone.net",
           and "foo.bar.co.uk" will look up "bar.co.uk.uriblzone.net".  Using tflag  "notrim"  will  force  full
           hostname lookup, but the specific uribl must support this method.

           If a URI consists of an IP address instead of a hostname, the IP address is looked up (using the
           standard reversed quads method) in each "rhsbl_zone".

           Example:

             urirhsbl        URIBL_RHSBL    rhsbl.example.org.   TXT

       urirhssub NAME_OF_RULE rhsbl_zone lookuptype subtest
           Specify a RHSBL-style domain lookup with a sub-test.  "NAME_OF_RULE" is the name of the  rule  to  be
           used,  "rhsbl_zone"  is  the  zone to look up domain names in, and "lookuptype" is the type of lookup
           (TXT or A).

           "subtest" is a sub-test to run against the returned  data.   The  sub-test  may  be  in  one  of  the
           following  forms:  m, n1-n2, or n/m, where n,n1,n2,m can be any of: decimal digits, 0x followed by up
           to 8 hexadecimal digits, or an IPv4 address in quad-dot form. The 'A' records (IPv4  dotted  address)
           as  returned  by  DNSBLs  lookups  are  converted  into  a numerical form (r) and checked against the
           specified sub-test as follows: for a range n1-n2 the following must be true: (r >= n1 &&  r  <=  n2);
           for  a  n/m  form the following must be true: (r & m) == (n & m); for a single value in quad-dot form
           the following must be true: r == n; for a single decimal or hex form the following must be true:
             ((r & n) != 0) && ((r & 0xff000000) == 0x7f000000), i.e. within 127.0.0.0/8

           Some typical examples of a sub-test are: 127.0.1.2,  127.0.1.20-127.0.1.39,  127.2.3.0/255.255.255.0,
           0.0.0.16/0.0.0.16, 0x10/0x10, 16, 0x10 .

           Note  that, as with "urirhsbl", you must also define a body-eval rule calling check_uridnsbl() to use
           this.  Hostname to domain trimming is also done similarly.

           Example:

             urirhssub   URIBL_RHSBL_4    rhsbl.example.org.   A    127.0.0.4
             urirhssub   URIBL_RHSBL_8    rhsbl.example.org.   A    8
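
           The sub-test forms described for "uridnssub" and "urirhssub" above, as an added Python sketch of the
           matching rules exactly as stated on this page; it is not SpamAssassin's own code, and the names
           to_int, subtest_matches and SAMPLES are hypothetical.

```python
import ipaddress
import re

# One operand: IPv4 quad-dot, 0x + up to 8 hex digits, or decimal digits.
NUM = r"(?:\d+\.\d+\.\d+\.\d+|0x[0-9a-fA-F]{1,8}|\d+)"

def to_int(token):
    """Convert a sub-test operand to its numerical form."""
    if "." in token:
        return int(ipaddress.IPv4Address(token))
    return int(token, 16) if token.lower().startswith("0x") else int(token)

def subtest_matches(subtest, a_record):
    """Apply a sub-test to one 'A' answer (dotted IPv4 string) from the list."""
    r = int(ipaddress.IPv4Address(a_record))
    m = re.fullmatch(rf"({NUM})-({NUM})", subtest)
    if m:  # range form n1-n2
        return to_int(m.group(1)) <= r <= to_int(m.group(2))
    m = re.fullmatch(rf"({NUM})/({NUM})", subtest)
    if m:  # value/mask form n/m
        n, mask = to_int(m.group(1)), to_int(m.group(2))
        return (r & mask) == (n & mask)
    if not re.fullmatch(NUM, subtest):
        raise ValueError(f"unrecognised sub-test: {subtest!r}")
    n = to_int(subtest)
    if "." in subtest:  # single quad-dot value: exact match
        return r == n
    # Single decimal/hex value: bitmask, valid only inside 127.0.0.0/8.
    return (r & n) != 0 and (r & 0xFF000000) == 0x7F000000

# Constructed answers, not real blocklist data.
SAMPLES = [
    ("127.0.0.4", "127.0.0.4"),
    ("8", "127.0.0.12"),
    ("8", "10.0.0.8"),                # outside 127/8: bitmask form rejects it
    ("0.0.0.8/0.0.0.8", "10.0.0.8"),  # n/m form has no 127/8 guard of its own
    ("127.0.1.20-127.0.1.39", "127.0.1.40"),
]

if __name__ == "__main__":
    for subtest, answer in SAMPLES:
        print(f"{subtest:24} {answer:12} -> {subtest_matches(subtest, answer)}")
```

           Following the formulas as written, only the single decimal or hex form checks that the answer lies
           in 127.0.0.0/8; an n/m mask that leaves the first octet unmasked accepts any address with the
           selected bits set.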

       urinsrhsbl NAME_OF_RULE rhsbl_zone lookuptype
           Perform a RHSBL-style domain lookup against the contents of the NS records for each  URI.   In  other
           words,  a  URI using the domain "foo.com" will cause an NS lookup to take place; assuming that domain
           has an NS of "ns0.bar.com", that will cause a lookup of "bar.com.uriblzone.net".  Note that hostnames
           are stripped from both the domain used in the URI, and the domain in the lookup.

           "NAME_OF_RULE" is the name of the rule to be used, "rhsbl_zone" is the zone to look up  domain  names
           in, and "lookuptype" is the type of lookup (TXT or A).

           Note  that, as with "urirhsbl", you must also define a body-eval rule calling check_uridnsbl() to use
           this.

       urinsrhssub NAME_OF_RULE rhsbl_zone lookuptype subtest
           Specify a RHSBL-style domain-NS lookup, as above, with a sub-test.  "NAME_OF_RULE" is the name of the
           rule to be used, "rhsbl_zone" is the zone to look up domain names in, and "lookuptype" is the type of
           lookup (TXT or A).  "subtest" is the sub-test to run against the returned data; see "urirhssub".

           Note that, as with "urirhsbl", you must also define a body-eval rule calling check_uridnsbl() to  use
           this.

       urifullnsrhsbl NAME_OF_RULE rhsbl_zone lookuptype
           Perform  a  RHSBL-style  domain lookup against the contents of the NS records for each URI.  In other
           words, a URI using the domain "foo.com" will cause an NS lookup to take place; assuming  that  domain
           has an NS of "ns0.bar.com", that will cause a lookup of "ns0.bar.com.uriblzone.net".

           "NAME_OF_RULE"  is  the name of the rule to be used, "rhsbl_zone" is the zone to look up domain names
           in, and "lookuptype" is the type of lookup (TXT or A).

           Note that, as with "urirhsbl", you must also define a body-eval rule calling check_uridnsbl() to  use
           this.
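
           The query names described above for "urirhsbl", "urinsrhsbl" and "urifullnsrhsbl", built side by
           side in an added Python sketch (not SpamAssassin's own code). The function names and the two-entry
           suffix list are assumptions made for this example, and the NS host name is passed in rather than
           resolved so the block runs offline.

```python
import ipaddress

# Constructed, deliberately tiny list of two-label registry suffixes (assumption);
# real trimming needs a complete registry-boundary list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

def trim_to_domain(host):
    """Trim a hostname to its registered-domain portion."""
    labels = host.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def rhsbl_query(host, zone, notrim=False):
    """Query name for urirhsbl/urirhssub, given the host part of a URI."""
    zone = zone.rstrip(".")
    if is_ipv4(host):
        # IP-address URIs use the standard reversed quads form.
        return ".".join(reversed(host.split("."))) + "." + zone
    name = host.rstrip(".").lower() if notrim else trim_to_domain(host)
    return f"{name}.{zone}"

def ns_rhsbl_query(ns_host, zone, full=False):
    """Query name for urinsrhsbl (trimmed NS name) or urifullnsrhsbl (full=True)."""
    name = ns_host.rstrip(".").lower() if full else trim_to_domain(ns_host)
    return f"{name}.{zone.rstrip('.')}"

if __name__ == "__main__":
    zone = "uriblzone.net"
    print(rhsbl_query("foo.bar.com", zone))               # urirhsbl, trimmed
    print(rhsbl_query("foo.bar.co.uk", zone))             # two-label suffix kept
    print(rhsbl_query("foo.bar.com", zone, notrim=True))  # tflags notrim
    print(rhsbl_query("192.0.2.10", zone))                # IP host, reversed quads
    print(ns_rhsbl_query("ns0.bar.com", zone))            # urinsrhsbl
    print(ns_rhsbl_query("ns0.bar.com", zone, full=True)) # urifullnsrhsbl
```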

       urifullnsrhssub NAME_OF_RULE rhsbl_zone lookuptype subtest
           Specify a RHSBL-style domain-NS lookup, as above, with a sub-test.  "NAME_OF_RULE" is the name of the
           rule to be used, "rhsbl_zone" is the zone to look up domain names in, and "lookuptype" is the type of
           lookup (TXT or A).  "subtest" is the sub-test to run against the returned data; see "urirhssub".

           Note  that, as with "urirhsbl", you must also define a body-eval rule calling check_uridnsbl() to use
           this.

       tflags NAME_OF_RULE ips_only
           Only URIs containing IP addresses  as  the  "host"  component  will  be  matched  against  the  named
           "urirhsbl"/"urirhssub" rule.

       tflags NAME_OF_RULE domains_only
           Only   URIs  containing  a  non-IP-address  "host"  component  will  be  matched  against  the  named
           "urirhsbl"/"urirhssub" rule.

       tflags NAME_OF_RULE ns
           The 'ns' flag may be applied to rules corresponding to uridnsbl and uridnssub directives. Host names
           from URLs will be mapped to their name server IP addresses (an NS lookup followed by an A lookup),
           which in turn will be sent to blocklists. This is the default when neither the 'a' nor the 'ns' flag
           is specified.

       tflags NAME_OF_RULE a
           The  'a'  flag may be applied to rules corresponding to uridnsbl and uridnssub directives. Host names
           from URLs will be mapped to their IP addresses, which will be sent to blocklists. When both 'ns'  and
           'a' flags are specified, both queries will be performed.

       tflags NAME_OF_RULE notrim
           The full hostname component will be matched against the named "urirhsbl"/"urirhssub" rule, instead of
           using the trimmed domain.  This works better, but the specific uribl must support this method.

ADMINISTRATOR SETTINGS

       uridnsbl_max_domains N        (default: 20)
           The maximum number of domains to look up.

       parse_dkim_uris ( 0 / 1 )
           Include DKIM URIs in lookups. This option is documented in Mail::SpamAssassin::Conf.

       uridnsbl_skip_mailto ( 0 / 1 ) (default: 1)
           Skip mailto links in URI lookups.

NOTES

       The   "uridnsbl_timeout"   option   has   been   obsoleted   by   the   "rbl_timeout"  option.   See  the
       "Mail::SpamAssassin::Conf" POD for details on "rbl_timeout".

perl v5.40.1                                       2025-06-26             Mail::SpamAssas...lugin::URIDNSBL(3pm)