On Friday, August 12, 2005, 10:07:47 AM, Dirk Bonengel wrote:
Given: A (phishing-)mail containing a link to the IP 219.144.194.158
The lookup page on rulesemporium.com says it's listed on ws and ph in SURBL
However, I find that the current SpamAssassin (3.0.4) does not appear to look up IP-based URLs. Is that correct?
This is more of a SpamAssassin question, but I believe SA 3.1 handles IP URIs correctly, or at least I hope it does.
Secondly, which form would be correct to look up that IP via dig (or whatever), and how should SA handle it if it tried to look up IP-based URIs? dig 219.144.194.158.multi.surbl.org gives no results back, but the reversed dotted decimal form does: dig 158.194.144.219.multi.surbl.org returns 127.0.0.12.
That's correct. IPs looked up in RBLs usually have their octets reversed as in the second example. We have followed that convention in SURBLs.
SA should do exactly the same thing as the dig example; when an IP is found in a URI, reverse the octets and look up the octet-reversed IP in the SURBL:
http://www.surbl.org/implementation.html
Jeff C. -- Don't harm innocent bystanders.
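
The lookup discussed in this thread, as an added example (not part of the original message and not SpamAssassin's code): it reverses the octets of an IP found in a URI, builds the multi.surbl.org query name, and decodes the 127.0.0.x answer. The bit values ws=4 and ph=8 are an assumption consistent with the 127.0.0.12 answer quoted above; the function names are hypothetical and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ZONE = "multi.surbl.org"
# Assumed bit meanings, consistent with the thread (127.0.0.12 = ws + ph).
LIST_BITS = {4: "ws", 8: "ph"}


def surbl_query_name(uri, zone=ZONE):
    """Return the DNS name to query for an IPv4-literal URI, else None."""
    host = urlsplit(uri).hostname
    if host is None:
        return None
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return None  # hostname, IPv6 or non-dotted-quad form: not covered here
    # RBL convention: 219.144.194.158 is queried as 158.194.144.219.<zone>
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def decode_answer(a_record):
    """Map a 127.0.0.x answer to the names of the lists whose bits are set."""
    packed = ipaddress.IPv4Address(a_record).packed
    if packed[:3] != b"\x7f\x00\x00":
        raise ValueError("not a 127.0.0.x answer: %s" % a_record)
    mask = packed[3]
    names = []
    for bit in (1 << i for i in range(8)):
        if mask & bit:
            names.append(LIST_BITS.get(bit, "bit%d" % bit))
    return names


def check_uri(uri, resolve=socket.gethostbyname):
    """Return list names for an IP URI; [] if unlisted or not an IP URI."""
    name = surbl_query_name(uri)
    if name is None:
        return []
    try:
        return decode_answer(resolve(name))
    except socket.gaierror:  # no A record (NXDOMAIN): not listed
        return []
```
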