[SURBL-Discuss] Lookup of (phishing) URLs with an IP

Jeff Chan jeffc at surbl.org
Sat Aug 13 06:24:56 CEST 2005

On Friday, August 12, 2005, 10:07:47 AM, Dirk Bonengel wrote:
> Given: A (phishing-)mail containg a  link to the IP

> The lookup page on rulesemporium.com says it's listed on ws and ph in SURBL

> However, I find that the current SpamAssassin (3.0.4) does not appear to 
> lookup IP-based URLs. Is that correct?

This is more of a SpamAssassin question, but I believe SA 3.1
handles IP URIs correctly, or at least I hope it does.

> Secondly, which form would be correct to lookup that IP via dig (or 
> whatever), and how should SA handle it if it tried to lookup IP-based URIs?
> dig gives no results back, but the 
> reversed dotted decimal form does:
> dig returns

That's correct.  IPs looked up in RBLs usually have their octets
reversed as in the second example.  We have followed that
convention in SURBLs.

SA should do exactly the same thing as the dig example; when an
IP is found in a URI, reverse the octets and look up the
octet-reversed IP in the SURBL:


Jeff C.
Don't harm innocent bystanders.

More information about the Discuss mailing list