-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Dan Mahoney, System Admin writes:
On Thu, 9 Sep 2004, Matt Kettler wrote:
If it's blacklisting based on resolved ip, it should probably be noted that there are a couple of caveats:
- Spammers can set up multiple ip addresses to an A record. Whatever
does the reporting should check all A records, from the top down. i.e. query each NS multiple times to make sure it's not being round-robined or reported differently from multiple DNS servers.
- I can easily forsee spammers doing a wildcard subdomain as an effort to
thwart this, if we're doing nslookups.
they already do. this also opens a list-washing hole, as a hidden link to <a href=http://myaddress-rot13-encoded.spammer.com/> will be resolved, indicating to the spammer that some software at the remote end is resolving all links in the message.
If OTOH you choose not to use the exact hostname parts of hrefs to avoid this, instead just resolving "www.spammer.com", they can then ensure that spammer.com and www.spammer.com do not resolve to hostnames and spam using links to notwww.spammer.com/payload.html instead.
- --j.
- It's a common case that spammers use disposable landing sites, such as
the forwarding services offered by tinyurl, zoneedit, and the like, or will put an HTTP redirect on a hotmail or geocities page. Should those be exempt from this, since they have a fair number of legitimate domains as well?
-Dan
At 04:56 PM 9/9/2004, Chris Santerre wrote:
So is there a way to use the IP info in a good way? Could SA or SURBL do a quick ping of the URL and match against a URL? This would allow us to simply list 1 IP instead of all these domains.
Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs based on resolved IP. (as well as surbl-style based on domain name). So theoretically, SURBL could open up a separate list based on IP's (i.e.: multi.dnsbl.surbl.org)
Take a look at the example where it checks the resolved IP of a URL against the SBL (an IP based list):
uridnsbl URIBL_SBL sbl.spamhaus.org. TXT header URIBL_SBL eval:check_uridnsbl('URIBL_SBL') describe URIBL_SBL Contains a URL listed in the SBLblocklist tflags URIBL_SBL net
and from URIDNSBL.pm:
This works by analysing message text and HTML for URLs, extractingthe domain names from those, querying their NS records in DNS, resolving the hostnames used therein, and querying various DNS blocklists for those IP addresses. This is quite effective.
SYNOPSIS loadplugin Mail::SpamAssassin::Plugin::URIDNSBL uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT--
"I hate Windows"
-Tigerwolf, Anthrocon 2004
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org