Hi,
sorry for crossposting, but I think this concerns both SURBL and URIBL.
Given: A (phishing-)mail containg a link to the IP 219.144.194.158
The lookup page on rulesemporium.com says it's listed on ws and ph in SURBL
However, I find that the current SpamAssassin (3.0.4) does not appear to lookup IP-based URLs. Is that correct?
Secondly, which form would be correct to lookup that IP via dig (or whatever), and how should SA handle it if it tried to lookup IP-based URIs? dig 219.144.194.158.multi.surbl.org gives no results back, but the reversed dotted decimal form does: dig 158.194.144.219.multi.surbl.org returns 127.0.0.12.
Lastly: The URIBL-Lookup page says that the IP 219.144.194.158 is neither listed on SURBL nor URIBL but claims that 158.194.144.219 is listed both in SURBL (ws and ph) and URIBL (black). I take that to be simply wrong.
Dirk
Sorry, forget about the last point - overlooked the 'reverse IP addresses' option (as Dallas E pointed out correctly)
Hi,
sorry for crossposting, but I think this concerns both SURBL and URIBL.
Given: A (phishing-)mail containg a link to the IP 219.144.194.158
The lookup page on rulesemporium.com says it's listed on ws and ph in SURBL
However, I find that the current SpamAssassin (3.0.4) does not appear to lookup IP-based URLs. Is that correct?
Secondly, which form would be correct to lookup that IP via dig (or whatever), and how should SA handle it if it tried to lookup IP-based URIs? dig 219.144.194.158.multi.surbl.org gives no results back, but the reversed dotted decimal form does: dig 158.194.144.219.multi.surbl.org returns 127.0.0.12.
Lastly: The URIBL-Lookup page says that the IP 219.144.194.158 is neither listed on SURBL nor URIBL but claims that 158.194.144.219 is listed both in SURBL (ws and ph) and URIBL (black). I take that to be simply wrong.
Dirk
Uribl-discuss mailing list Uribl-discuss@lists.maddoc.net http://lists.uribl.com/mailman/listinfo/uribl-discuss
On Friday, August 12, 2005, 10:07:47 AM, Dirk Bonengel wrote:
Given: A (phishing-)mail containg a link to the IP 219.144.194.158
The lookup page on rulesemporium.com says it's listed on ws and ph in SURBL
However, I find that the current SpamAssassin (3.0.4) does not appear to lookup IP-based URLs. Is that correct?
This is more of a SpamAssassin question, but I believe SA 3.1 handles IP URIs correctly, or at least I hope it does.
Secondly, which form would be correct to lookup that IP via dig (or whatever), and how should SA handle it if it tried to lookup IP-based URIs? dig 219.144.194.158.multi.surbl.org gives no results back, but the reversed dotted decimal form does: dig 158.194.144.219.multi.surbl.org returns 127.0.0.12.
That's correct. IPs looked up in RBLs usually have their octets reversed as in the second example. We have followed that convention in SURBLs.
SA should do exactly the same thing as the dig example; when an IP is found in a URI, reverse the octets and look up the octet-reversed IP in the SURBL:
http://www.surbl.org/implementation.html
Jeff C. -- Don't harm innocent bystanders.
-
Dirk Bonengel -
Jeff Chan