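#!/usr/bin/perl
#
# sc_BlackList.conf, multi_dnsbl.conf
#
# Configuration for sc_BLcheck.pl, sc_BLpreen.pl, and Net::DNSBL::MultiDaemon
#
# version 1.12, 6-18-04
#
# This file consists of a single statement: the assignment of a hash
# reference to the lexical $DNSBL.  Because that assignment is the last
# (and only) statement, its value -- the hash reference -- is what a
# `do` of this file evaluates to, so keep it as the final statement and
# do not append a trailing `1;`.
#
# Strictures are enabled so that a mistyped key or an unquoted value
# containing a '.' (e.g. a bare IP address) fails at load time instead
# of silently producing a wrong entry.

use strict;
use warnings;

my $DNSBL = {

## Net::DNSBL::MultiDaemon parameters

# the OPTIONAL name of a file that will contain 'hit' statistics for DNSBLS
# this file will be used to seed the sort order of DNSBL checking if it is
# present and will be updated with the 'added' counts of each run. If it
# is deleted, it will be recreated with a new time tag at the beginning.
#
    MDstatfile  => '/usr/local/spamcannibal/mdstats.txt',

# The path for the directory where the pid file will live
#
    MDpidpath   => '/var/run',

# The zone name for this PSEUDO DNSBL
#
    MDzone      => 'pseudo.dnsbl',

###### The following optional configuration parameters
###### are shown with their default values
#
# Update frequency for the "stats" file, no
# update occurs if there is no new information
#
#   MDstatrefresh => 300,   # seconds

# The IPaddress that the daemon will listen on.
# The default will listen on ALL interfaces,
# this is probably not what you want. A more
# suitable value for co-installation with bind
# on the same host would be 127.0.0.1
#
# Binding to the loopback address keeps the pseudo-DNSBL reachable only
# from resolvers on this host; only widen it if remote resolvers are
# intended to query it directly.
#
    MDipaddr    => '127.0.0.1',

# The port that the daemon will listen on
#
#   MDport => 9953,

# Syslog facility. Specify one of:
# LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
#
    MDsyslog    => 'LOG_ERR',

## SpamCannibal parms follow:

# the OPTIONAL name of a file that will contain 'hit' statistics for DNSBLS
# this file will be used to seed the sort order of DNSBL checking if it is
# present and will be updated with the 'added' counts of each run. If it
# is deleted, it will be recreated with a new time tag at the beginning.
#
    'STATS'     => '/usr/local/spamcannibal/blcheck_stats.txt',

# force the sc_BLpreen script to check every entry in the blcontrib
# database every time it runs. This uses a lot of cpu time and
# bandwidth. See the description of operation in SpamCannibal.pm
# documentation
#
# normally false
#
#   'FORCE_PREEN' => 1,

# A multi-formated array of IP address that will never be tarpitted.
#
# WARNING: if you are using a private network, then you should include the
# address description for the net/subnets that you are using or you might
# find your DMZ or internal mail servers blocked since many DNSBLS list the
# private network addresses as BLACKLISTED
#
#       127./8, 10./8, 172.16/12, 192.168/16
#
#   class A        xxx.0.0.0/8         255.0.0.0
#   class B        xxx.xxx.0.0/16      255.255.0.0
#   class C        xxx.xxx.xxx.0/24    255.255.255.0
#   128 subnet     xxx.xxx.xxx.xxx/25  255.255.255.128
#   64 subnet      xxx.xxx.xxx.xxx/26  255.255.255.192
#   32 subnet      xxx.xxx.xxx.xxx/27  255.255.255.224
#   16 subnet      xxx.xxx.xxx.xxx/28  255.255.255.240
#   8 subnet       xxx.xxx.xxx.xxx/29  255.255.255.248
#   4 subnet       xxx.xxx.xxx.xxx/30  255.255.255.252
#   2 subnet       xxx.xxx.xxx.xxx/31  255.255.255.254
#   single address xxx.xxx.xxx.xxx/32  255.255.255.255
#
    'IGNORE'    => [
#
#   a single address
#       '11.22.33.44',
#
#   a range of ip's, ONLY VALID WITHIN THE SAME CLASS 'C'
#       '22.33.44.55 - 22.33.44.65',
#
#   a CIDR range
#       '5.6.7.16/28',
#
#   a range specified with a netmask
#       '7.8.9.128/255.255.255.240',
#
#
#   you may want these
#       '10.0.0.0/8',
#       '172.16.0.0/12',
#       '192.168.0.0/16',

#   this should ALWAYS be here
        '127.0.0.0/8',      # ignore all test entries and localhost
    ],

# A multi-formatted array of addresses that will ALWAYS be tarpitted
# formats are the same as above
#
# Block known spammers
    'BLOCK'     => [
#   Webair Internet Development Inc
#   WEBAIRINTERNET2
        '69.42.64.0/19',
#   Webair Internet Development Inc
#   WEBAIRINTERNET
        '216.130.160.0/19',
#   Media Dream Land Inc.
#   MDL23-BLK1 (NET-69-42-96-0-1) 69.42.96.0 - 69.42.111.255
        '69.42.96.0/20',
    ],

# A list of COUNTRIES to block entirely
# BBC == Block By Country
#
# To print a complete list of countries and country codes,
# use the utilty script 'list_countries.pl' in the
# Net::DNSBL::MultiDaemon distribution
#
# Use the 2 letter country codes in the array below
#
#   i.e. US MX CN TW etc...
#
#   'BBC' => [qw(
#       CN
#   )],

# Text to append to BLOCK and BBC T_TXT record
# see "errors" below for syntax
#
    'REJECT'    => 'see: http://www.myhostname.com/',

# FOR A COMPREHENSIVE LIST OF ALL DNSBL ZONES, SEE:
#   http://www.openrbl.org
#   click "zones"
#
# all dnsbl servers must have a record a config entry as follows:
#
#   'zone.name' => {
#       accept => {     # a list of codes that are ok to add to tarpit from this DNSBL
#           '127.0.0.2' => 'reason',
#           '127.0.0.3' => 'reason',
#       },
#
# WARNING !!! DO NOT USE THIS OPTION WITH DNSBL HOSTS THAT REPORT TARPIT ACTIVITY
#
#       confirm => 1,   # optional, confirmation of acceptance of non - 127.0.0.2 codes
#
#       response => '127.0.0.3',    # optional, our default response code for records
#                                   # added because of queries to this DNSBL server
#                                   # this code will be ignored if it is < 127.0.0.3
#                                   # and 127.0.0.3 will be used in its place
#
# error message to use with this host.
# NOTE: if the DNSBL supplies a TXT record and it contains the string "http://something..." or
# "www.something..." then that will be use for the error string for the matching A record.
# Otherwise, the error string below will be appended to the whatever TXT is returned by the
# DNSBL. If no TXT is returned, then the "reason" code from the "accept" line for the matching
# 127.0.0.X code will be use and the error code below will be appended.
#
# If the error string ending matches /\?.+=$/ or /\?$/
# then the offending IP address will be automagically added
#
# The error text is returned to whoever triggered the lookup, so keep it
# to a removal URL and avoid putting internal host names or paths in it.
#
#       error => 'IP address blocked, see http://www.somehost.com?ip=',
#
#       expire => '7d',     # optional default expiration if DNSBL can not be reached
#                           # may be specified in any combination of seconds, minutes, hours, days, weeks
#                           # i.e. 604800 or 604800s, 10080m, 168h
#                           # 1w 3d
#
#       timeout => 30,      # default seconds to wait for dnsbl query to timeout
#
# WARNING!! The default timeout in sendmail for DNS queries is "5 seconds"
# If this configuration is used with Net::DNSBL::MultiDaemon it is
# recommended that the timeouts here be set to 5 seconds and that the
# timeout parameter in the SENDMAIL m4 configuration build file for lookups be
# extended to at least 15 seconds -- particularly if you invoke reverse lookups
# with the in-addr.arpa parameter below.
#
#   define(`confTO_RESOLVER_RETRANS_FIRST', `15s')dnl
# or
#   define(`confTO_RESOLVER_RETRANS', `15s')dnl
#
# see: http://www.sendmail.org/m4/tweaking_config.html
#
# Similar precautions must be taken for other MTA's
#
# To check that ip addresses have some kind of reverse DNS entry, add a zone
# for in-addr.arpa as shown below. You must have reverse DNS entries for
# ip blocks 127, 10, 172, 192 or use the IGNORE blocks above to prevent
# rejects for these address blocks as they DO NOT HAVE worldwide RDNS

    'in-addr.arpa'  => {    # check for lack of reverse DNS
# accept is not needed for reverse DNS checking
        error   => 'no reverse DNS, see http://www.myhostname.com/?page=lookup&lookup=',
        timeout => 5,       # short on purpose: this lookup runs for every address, see sendmail note above
    },

# working, sample file entries

    'dnsbl.sorbs.net'   => {    # see http://www.dnsbl.sorbs.net/using.html
        accept  => {            # list of codes for which we tarpit
            '127.0.0.2'     => 'open http proxie',
            '127.0.0.3'     => 'open socks proxie',
            '127.0.0.4'     => 'open proxy server',
            '127.0.0.5'     => 'open smtp relay',
#           '127.0.0.6'     => 'spam supporting ISP',
            '127.0.0.7'     => 'open web - form mail servers',
            '127.0.0.8'     => 'blocked hosts',
            '127.0.0.9'     => 'zombie - hijacked netblock',
            '127.0.0.10'    => 'dynamic address range',
            '127.0.0.11'    => 'bad config -- MX or A records inaccurate',
            '127.0.0.12'    => 'no mail ever sent from these domains',
        },
        confirm => 1,
        error   => 'for removal see: http://www.dnsbl.sorbs.net/cgi-bin/lookup?js&IP=',
        expire  => '30d',
        timeout => '15',
    },

    'dnsbl.njabl.org'   => {    # see http://dnsbl.njabl.org/use.html
        accept  => {            # list of codes for which we tarpit
            '127.0.0.2'     => 'open relays',
            '127.0.0.3'     => 'dial-up/dynamic IP ranges',
            '127.0.0.4'     => 'spam sources',
            '127.0.0.5'     => 'multi-stage openrelay',
            '127.0.0.8'     => 'open web - form mail servers',
            '127.0.0.9'     => 'open proxy servers',
        },
        confirm => 1,
        error   => 'for removal see: http://www.dnsbl.njabl.org/cgi-bin/lookup.cgi?query=',
        expire  => '30d',
        timeout => '15',
    },

    'relays.ordb.org'   => {    # see http://www.ordb.org/faq/#usage_dns
        accept  => {
            '127.0.0.2'     => '',
        },
        error   => 'for removal see: http://www.ordb.org/submit',
        expire  => '30d',
        timeout => '15',
    },

    'bl.spamcop.net'    => {    # see http://spamcop.net/fom-serve/cache/291.html
        accept  => {
            '127.0.0.2'     => '',
        },
        error   => 'for removal see: http://www.spamcop.net/w3m?action=checkblock&ip=',
        expire  => '30d',
        timeout => '15',
    },

    'cbl.abuseat.org'   => {    # see http://cbl.abuseat.org
        accept  => {
            '127.0.0.2'     => '',
        },
        error   => 'for removal see: http://cbl.abuseat.org/lookup.cgi?.submit=lookup&ip=',
        expire  => '30d',
        timeout => '15',
    },

    'sbl.spamhaus.org'  => {    # see http://www.spamhaus.org
        accept  => {
            '127.0.0.2'     => '',
        },
        error   => 'for removal see http://abuse.net/sbl.phtml?IP=',
        expire  => '30d',
        timeout => '15',
    },

    'dynablock.njabl.org'   => {    # see http://dnsbl.njabl.org/use.html
        accept  => {
            '127.0.0.3'     => 'dynamic IP address not allowed',
        },
        error   => 'see http://www.dnsbl.njabl.org/cgi-bin/lookup.cgi?query=',
        expire  => '30d',
        timeout => '15',
    },

    'list.dsbl.org'     => {    # see http://dsbl.org
        accept  => {
            '127.0.0.2'     => '',
        },
        error   => 'for removal see http://dsbl.org/listing?',
        expire  => '30d',
        timeout => '15',
    },

#   'spews.dnsbl.net.au'    => {    # see http://www.spews.org/
#       accept  => {
#           '127.0.0.2'     => '',
#       },
#       error   => 'blocked see: http://www.spews.org/ask.cgi?x=',
#       expire  => '30d',
#       timeout => '15',
#   },
#
#   'bogons.dnsiplists.completewhois.com'   => {    # see http://completewhois.com/bogons/
#       accept  => {
#           '127.0.0.2'     => 'bogus IP address',
#       },
#       error   => 'see: http://completewhois.com/bogons/',
#       expire  => '30d',
#       timeout => '15',
#   },
#
#   'hijacked.dnsiplists.completewhois.com' => {    # see http://completewhois.com/bogons/bogons_usage.html
#       accept  => {
#           '127.0.0.2'     => 'hijacked IP address',
#       },
#       error   => 'see: http://completewhois.com/bogons/bogons_usage.html#dns',
#       expire  => '30d',
#       timeout => '15',
#   },
#
# higher risk
#   'blackholes.five-ten-sg.com'    => {    # see http://www.five-ten-sg.com/blackhole.php
#       accept  => {
#           '127.0.0.2'     => 'spam source',
#           '127.0.0.3'     => 'dialup address',
#           '127.0.0.4'     => 'multistage open relay',
#           '127.0.0.5'     => 'openrelay',
#           '127.0.0.6'     => 'spam supporting ISP',
#           '127.0.0.7'     => 'web form',
#           '127.0.0.8'     => 'relay/open proxy',
#           '127.0.0.9'     => 'klez source',
#           '127.0.0.10'    => 'violate TCPA',
#           '127.0.0.11'    => 'spam supporting freemailer',
#       },
#       confirm => 1,
#       error   => 'for removal see http://www.five-ten-sg.com/blackhole.php?ip=',
#       expire  => '30d',
#       timeout => '15',
#   },
};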