On Sunday, July 18, 2004, 8:43:09 AM, Patrik Nilsson wrote:
Actually, having done some tests using uridnsbl under SA 3 as well as manual checks, I would say that SBL is an excellent tool for catching spam domains in message body URIs.
I don't think everyone is aware of what uridnsbl, as an alternative to urirhsbl/urirhssub, actually does, so I'll try to explain it.
First - SBL does not just list IPs used by known spammers to relay mail. It lists any IPs used by known spammers, for whatever purpose. That includes web sites as well as, and most importantly, DNS servers.
uridnsbl checks the NS records for domains in URIs, resolves those NS records to IP addresses, and then checks those IP addresses in SBL (by default - you can add/change what RBLs it checks). If any of the name servers for a domain is listed in SBL, you get a rule hit.
Spammers do not change their DNS servers nearly as often as they change domains.
[...]
Also - as long as you only check the ns records for a domain, rather than going further and resolving the host name in the URI, there isn't any need to fear "keyed domain name" address verification by spammers of the type discussed in the SURBL FAQ.
Thanks for the explanation of what uridnsbl in SA 3 does. That agrees with what I remember from the discussion on the SA-Talk list. IIRC, uridnsbl was intended to be used with an sbl.spamhaus.org type list, which does include spammer name servers.
What I was trying to say is that using sbl.spamhaus.org with urirhsbl (the program that checks URI domains, not name servers) may not give as good results as using it with SURBLs. Probably I was responding to a configuration Bill was not actually using, but I know the question has come up before.
In a nutshell uridnsbl was intended to be used with lists like sbl.spamhaus.org, while urirhsbl and urirhssub were meant to be used with SURBLs. It's possible to feed either program with the *other* kind of list, but the results aren't as good.
That said, it looks like the original good scores Bill Stearns reported for URIBL_SBL probably were for using uridnsbl with sbl, as intended. It's nice to see it works well when used as intended. Maybe Bill can confirm that for us.
The only downside is that even the resolution of NS records does have a finite time penalty, which can get into many seconds for non-matches (i.e. when a domain no longer has NS records which resolve). So there is still a resolution penalty for using uridnsbl which using urirhsbl with SURBLs doesn't have.
Jeff C.
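The two lookup styles compared in this thread, modelled as an added example (not code from the thread, from SpamAssassin, or from Spamhaus/SURBL). It uses constructed, in-memory DNS answers and the placeholder zone names sbl.example and surbl.example, so it runs offline; the point it shows is why an IP-keyed zone fed to the domain-keyed checker (or vice versa) cannot match.

```python
"""Model of uridnsbl (NS -> IP -> IP-keyed list) versus urirhsbl (domain -> domain-keyed list)."""
import ipaddress
from typing import Callable, Iterable

# Placeholder zone names (assumed, not real blocklists).
SBL_ZONE = "sbl.example"      # IP-keyed, like sbl.spamhaus.org
SURBL_ZONE = "surbl.example"  # domain-keyed, like a SURBL


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Query name for an IP-keyed DNSBL: reversed octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rhsbl_query_name(domain: str, zone: str) -> str:
    """Query name for a domain-keyed (right-hand side) list: domain under the zone."""
    return domain.rstrip(".").lower() + "." + zone


def uridnsbl_hit(domain: str, zone: str,
                 ns_lookup: Callable[[str], Iterable[str]],
                 a_lookup: Callable[[str], Iterable[str]],
                 listed: Callable[[str], bool]) -> list[str]:
    """uridnsbl-style check: resolve the domain's NS names to IPs and test each IP
    against an IP-keyed zone. Returns the listed name-server IPs (empty = no hit).
    Only the NS records are resolved, never the URI host itself, so the check
    triggers no per-recipient 'keyed domain' lookups at a spammer-run server."""
    hits = []
    for ns_name in ns_lookup(domain):          # empty when no NS records resolve
        for ip in a_lookup(ns_name):
            if listed(dnsbl_query_name(ip, zone)):
                hits.append(ip)
    return hits


def urirhsbl_hit(domain: str, zone: str, listed: Callable[[str], bool]) -> bool:
    """urirhsbl-style check: test the URI domain itself against a domain-keyed zone."""
    return listed(rhsbl_query_name(domain, zone))


# ---- Constructed fake DNS data (not real domains, name servers or listings) ----
FAKE_NS = {
    "spamdomain.example": ["ns1.badhost.example", "ns2.badhost.example"],
    "gooddomain.example": ["ns1.okdns.example"],
    "dead.example": [],   # NS records no longer resolve; in real DNS this is the slow path
}
FAKE_A = {
    "ns1.badhost.example": ["192.0.2.10"],
    "ns2.badhost.example": ["192.0.2.11"],
    "ns1.okdns.example": ["198.51.100.5"],
}
# A DNSBL answers listed query names with an A record (conventionally 127.0.0.x).
FAKE_ZONE_DATA = {
    dnsbl_query_name("192.0.2.10", SBL_ZONE): "127.0.0.2",        # one bad NS IP is listed
    rhsbl_query_name("spamdomain.example", SURBL_ZONE): "127.0.0.2",
}


def fake_ns(domain: str) -> list[str]:
    return FAKE_NS.get(domain, [])


def fake_a(name: str) -> list[str]:
    return FAKE_A.get(name, [])


def fake_listed(qname: str) -> bool:
    return qname in FAKE_ZONE_DATA


def run_checks() -> dict:
    """Each checker with its intended list, and each with the other kind of list."""
    return {
        "uridnsbl+sbl":   uridnsbl_hit("spamdomain.example", SBL_ZONE, fake_ns, fake_a, fake_listed),
        "uridnsbl+sbl good": uridnsbl_hit("gooddomain.example", SBL_ZONE, fake_ns, fake_a, fake_listed),
        "uridnsbl+sbl dead": uridnsbl_hit("dead.example", SBL_ZONE, fake_ns, fake_a, fake_listed),
        "urirhsbl+surbl": urirhsbl_hit("spamdomain.example", SURBL_ZONE, fake_listed),
        # Mismatched pairings: the query names never exist in the other zone's keyspace.
        "urirhsbl+sbl":   urirhsbl_hit("spamdomain.example", SBL_ZONE, fake_listed),
        "uridnsbl+surbl": uridnsbl_hit("spamdomain.example", SURBL_ZONE, fake_ns, fake_a, fake_listed),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:20s} -> {result}")
```

With the constructed data, uridnsbl against the IP-keyed zone reports the listed name-server IP, urirhsbl against the domain-keyed zone reports a hit, and both cross pairings miss: urirhsbl asks for spamdomain.example.sbl.example, which an IP-keyed zone never contains, and uridnsbl asks for 10.2.0.192.surbl.example, which a domain-keyed zone never contains. The dead.example case returns no hit at all; in a real resolver that is where the timeout cost Jeff mentions is paid.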