At Thu Jul 15 03:44:25 CEST 2004, Jeff Chan wrote:
On Thursday, July 15, 2004, 2:21:49 AM, Robert Brooks wrote:
William Stearns wrote:
TOP SPAM RULES FIRED
RANK RULE NAME COUNT PERCENT
-> 1 URIBL_WS_SURBL 13057 5.36%
-> 2 URIBL_SBL 12907 5.30%
does sbl.spamhaus.org work with Mail-SpamAssassin-SpamCopURI? The few spam (uri) domains I've checked don't seem to return records.
sbl is not really intended to be used with message body URI checkers like SpamCopURI or urirhsbl, but it may get a few hits since I think Spamhaus may include a few spam URI domains in SBL. But the results will probably not be too useful or productive, since it's not an intended use of sbl.spamhaus.org.
Actually, having done some tests using uridnsbl under SA 3 as well as manual checks, I would say that SBL is an excellent tool for catching spam domains in message body URIs.
I don't think everyone is aware of what uridnsbl, as an alternative to urirhsbl/urirhssub, actually does, so I'll try to explain it.
First - SBL does not just list IPs used by known spammers to relay mail. It lists any IPs used by known spammers, for whatever purpose. That includes web sites as well as, and most importantly, DNS servers.
uridnsbl checks the NS records for domains in URIs, resolves those NS records to IP addresses, and then checks those IP addresses in SBL (by default - you can add/change what RBLs it checks). If any of the name servers for a domain is listed in SBL, you get a rule hit.
Spammers do not change their DNS servers nearly as often as they change domains.
This means that most of the new domains that spammers introduce hit the uridnsbl SBL rule immediately, even if the domain hasn't been reported to any blacklist yet.
I picked the 10 most recently reported domains to the SC blocklist and manually checked what DNS servers they used, and if the IPs for those DNS servers were already listed in SBL. For 9 out of 10, they were. Data included below.
This doesn't mean that we should list resolved IPs in SURBL lists. Since there is already good data in SBL, there is no reason to.
But - I think it would be a good idea to encourage SURBL implementations to include functionality similar to uridnsbl in addition to regular urirhsbl-style SURBL list checks. For me, it's the main reason why I plan to update all servers to SA 3 ASAP, as it's not possible to do this with SA 2.63 and SpamCopURI.
Also - as long as you only check the ns records for a domain, rather than going further and resolving the host name in the URI, there isn't any need to fear "keyed domain name" address verification by spammers of the type discussed in the SURBL FAQ.
/patrik
--------------------------------------------------------------------------
2004-07-18 09:08 digestion5594rneds.us
digestion5594rneds.us nameserver = NS3.AIRMARAMBA.biz Name: NS3.AIRMARAMBA.biz Address: 61.250.93.207 SBL listed - http://www.spamhaus.org/query/bl?ip=61.250.93.207
digestion5594rneds.us nameserver = NS2.AUDI56SEW.biz Name: NS2.AUDI56SEW.biz Address: 221.143.42.30 SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.30
--------------------------------------------------------------------------
2004-07-18 09:10 acdfiaj.info
acdfiaj.info nameserver = second.muchaagua.info Name: second.muchaagua.info Address: 221.139.2.84 SBL listed - http://www.spamhaus.org/query/bl?ip=221.139.2.84
acdfiaj.info nameserver = first.muchaagua.info Name: first.muchaagua.info Address: 221.143.42.209 SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.209
acdfiaj.info nameserver = third.muchaagua.info Name: third.muchaagua.info Address: 61.128.198.11 SBL listed - http://www.spamhaus.org/query/bl?ip=61.128.198.11
--------------------------------------------------------------------------
2004-07-18 09:24 pro-svcs.com
pro-svcs.com nameserver = ns2.3070.biz ns2.3070.biz internet address = 202.104.237.173 SBL listed - http://www.spamhaus.org/query/bl?ip=202.104.237.173
pro-svcs.com nameserver = ns3.3070.biz ns3.3070.biz internet address = 200.153.20.31 SBL listed - http://www.spamhaus.org/query/bl?ip=200.153.20.31
pro-svcs.com nameserver = ns1.3070.biz ns1.3070.biz internet address = 200.40.40.1 NOT SBL listed.
--------------------------------------------------------------------------
2004-07-18 10:35 tophgh.com
tophgh.com nameserver = ns2.dns.com.cn Name: ns2.dns.com.cn Address: 218.244.47.6 NOT SBL listed.
tophgh.com nameserver = ns1.dns.com.cn Name: ns1.dns.com.cn Address: 218.244.47.5 NOT SBL listed.
--------------------------------------------------------------------------
2004-07-18 11:26 fox621dryg.us
fox621dryg.us nameserver = NS2.AUDI56SEW.biz Name: NS2.AUDI56SEW.biz Address: 221.143.42.30 SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.30
fox621dryg.us nameserver = NS3.AIRMARAMBA.biz Name: NS3.AIRMARAMBA.bi Address: 61.250.93.207 SBL listed - http://www.spamhaus.org/query/bl?ip=61.250.93.207
--------------------------------------------------------------------------
2004-07-18 12:08 polishebertikas.org
polishebertikas.org nameserver = ns1.kaleinc-dns-server.org Name: ns1.kaleinc-dns-server.org Address: 201.3.240.234 SBL listed - http://www.spamhaus.org/query/bl?ip=201.3.240.234
polishebertikas.org nameserver = ns1.kaleinc-dns-server2.org Name: ns1.kaleinc-dns-server2.org Address: 201.3.240.234 SBL listed - http://www.spamhaus.org/query/bl?ip=201.3.240.234
polishebertikas.org nameserver = ns1.koleyfore.org Name: ns1.koleyfore.org Address: 211.158.15.58 SBL listed - http://www.spamhaus.org/query/bl?ip=211.158.15.58
--------------------------------------------------------------------------
2004-07-18 12:20 greenpill.info
greenpill.info nameserver = ns1.greenpill.info ns1.greenpill.info internet address = 219.148.49.244 SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.244
greenpill.info nameserver = ns2.greenpill.info ns2.greenpill.info internet address = 219.148.49.245 SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.245
--------------------------------------------------------------------------
2004-07-18 13:20 medsparadise.info
medsparadise.info nameserver = ns2.medsparadise.info ns1.medsparadise.info internet address = 219.148.49.244 SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.244
medsparadise.info nameserver = ns1.medsparadise.info ns2.medsparadise.info internet address = 219.148.49.245 SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.245
--------------------------------------------------------------------------
2004-07-18 14:24 misogynist2527dryg.biz
misogynist2527dryg.biz nameserver = www.misogynist2527dryg.biz Name: misogynist2527dryg.biz Address: 200.193.29.211 Aliases: www.misogynist2527dryg.biz SBL listed - http://www.spamhaus.org/query/bl?ip=200.193.29.211
--------------------------------------------------------------------------
2004-07-18 14:32 hedhoncho.net
hedhoncho.net nameserver = ns2.3070.biz ns2.3070.biz internet address = 202.104.237.173 http://www.spamhaus.org/query/bl?ip=202.104.237.173
hedhoncho.net nameserver = ns3.3070.biz ns3.3070.biz internet address = 200.153.20.31 http://www.spamhaus.org/query/bl?ip=200.153.20.31
hedhoncho.net nameserver = ns1.3070.biz ns1.3070.biz internet address = 200.40.40.1 NOT SBL listed.
--------------------------------------------------------------------------
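The uridnsbl-style check described in the message above (NS records of a URI domain, resolved to IPs, then looked up in SBL), as an added example that is not part of the original post and is not SpamAssassin's own code. Every resolver call is injected, so it runs offline against constructed lookup tables built from the nslookup data in the post; the reversed-octet query-name format is the standard DNSBL convention. It deliberately never resolves the URI host itself, only its name servers, which is the point made about "keyed domain name" verification.

```python
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

def dnsbl_query_name(ip: str, zone: str = "sbl.spamhaus.org") -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

def uridnsbl_check(domain: str, resolve_ns: Resolver, resolve_a: Resolver,
                   dnsbl_listed: Callable[[str], bool],
                   zone: str = "sbl.spamhaus.org") -> Dict[str, bool]:
    """Map each name-server IP of `domain` to whether it is listed in `zone`.
    Only the NS records are followed; the URI host is never resolved."""
    verdicts: Dict[str, bool] = {}
    for ns in resolve_ns(domain):
        for ip in resolve_a(ns):
            verdicts[ip] = dnsbl_listed(dnsbl_query_name(ip, zone))
    return verdicts

def rule_fires(domain: str, resolve_ns: Resolver, resolve_a: Resolver,
               dnsbl_listed: Callable[[str], bool]) -> bool:
    """Rule hit if any name server of the domain is listed (as uridnsbl does)."""
    return any(uridnsbl_check(domain, resolve_ns, resolve_a, dnsbl_listed).values())

# Constructed lookup tables (taken from the nslookup output in the post);
# a deployment would replace the three stubs with real DNS queries.
NS_RECORDS = {
    "digestion5594rneds.us": ["ns3.airmaramba.biz", "ns2.audi56sew.biz"],
    "pro-svcs.com": ["ns2.3070.biz", "ns3.3070.biz", "ns1.3070.biz"],
    "tophgh.com": ["ns2.dns.com.cn", "ns1.dns.com.cn"],
}
A_RECORDS = {
    "ns3.airmaramba.biz": ["61.250.93.207"], "ns2.audi56sew.biz": ["221.143.42.30"],
    "ns2.3070.biz": ["202.104.237.173"], "ns3.3070.biz": ["200.153.20.31"],
    "ns1.3070.biz": ["200.40.40.1"],
    "ns2.dns.com.cn": ["218.244.47.6"], "ns1.dns.com.cn": ["218.244.47.5"],
}
SBL_LISTED = {"61.250.93.207", "221.143.42.30", "202.104.237.173", "200.153.20.31"}

def stub_ns(name: str) -> List[str]:
    return NS_RECORDS.get(name.lower(), [])

def stub_a(name: str) -> List[str]:
    return A_RECORDS.get(name.lower(), [])

def stub_sbl(qname: str) -> bool:
    # Undo the reversal to find the IP; a real resolver would just query qname.
    reversed_ip = qname[: -len(".sbl.spamhaus.org")]
    return ".".join(reversed(reversed_ip.split("."))) in SBL_LISTED
```

With the tables above, digestion5594rneds.us and pro-svcs.com fire the rule while tophgh.com does not, matching the manual results in the post.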