Folks, with some of the nice functionality that the SA devs built into the URIDNSBL plug-in (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...), you can do cool things like:
=====
# URIDNSBL (queries URIs against standard DNSBLs)

uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5

uridnsbl URIBL_NJA_DNSBL combined.njabl.org. TXT
body URIBL_NJA_DNSBL eval:check_uridnsbl('URIBL_NJA_DNSBL')
describe URIBL_NJA_DNSBL Contains a URL listed in the NJA DNSBL blocklist
tflags URIBL_NJA_DNSBL net
score URIBL_NJA_DNSBL 0.5

uridnsbl URIBL_SBL_XBL sbl-xbl.spamhaus.org. TXT
body URIBL_SBL_XBL eval:check_uridnsbl('URIBL_SBL_XBL')
describe URIBL_SBL_XBL Contains a URL listed in the SBL-XBL DNSBL blocklist
tflags URIBL_SBL_XBL net
score URIBL_SBL_XBL 0.5

uridnsbl URIBL_SORBS_DNSBL dnsbl.sorbs.net. TXT
body URIBL_SORBS_DNSBL eval:check_uridnsbl('URIBL_SORBS_DNSBL')
describe URIBL_SORBS_DNSBL Contains a URL listed in the SORBS DNSBL blocklist
tflags URIBL_SORBS_DNSBL net
score URIBL_SORBS_DNSBL 0.5

# URIRHSBL (queries URIs against standard RHSBLs)

urirhsbl URIBL_AH_RHSBL rhsbl.ahbl.org. A
body URIBL_AH_RHSBL eval:check_uridnsbl('URIBL_AH_RHSBL')
describe URIBL_AH_RHSBL Contains a URL listed in the AH RHSBL blocklist
tflags URIBL_AH_RHSBL net
score URIBL_AH_RHSBL 0.5

urirhsbl URIBL_MP_RHSBL block.rhs.mailpolice.com. A
body URIBL_MP_RHSBL eval:check_uridnsbl('URIBL_MP_RHSBL')
describe URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL blocklist
tflags URIBL_MP_RHSBL net
score URIBL_MP_RHSBL 0.5

urirhsbl URIBL_SS_RHSBL blackhole.securitysage.com. A
body URIBL_SS_RHSBL eval:check_uridnsbl('URIBL_SS_RHSBL')
describe URIBL_SS_RHSBL Contains a URL listed in the SS RHSBL blocklist
tflags URIBL_SS_RHSBL net
score URIBL_SS_RHSBL 0.5
=====
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Bill
Bill Landry wrote:
Folks, with some of the nice functionality that the SA devs built into the URIDNSBL plug-in (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...), you can do cool things like:
=====
# URIDNSBL (queries URIs against standard DNSBLs)
uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Bill or anybody,
Will these lookups also work with SA 2.6x/SpamcopURI ?
thanks
Alex
----- Original Message ----- From: "Alex Broens" surbl@alexb.ch
Folks, with some of the nice functionality that the SA devs built into the URIDNSBL plug-in (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...), you can do cool things like:
=====
# URIDNSBL (queries URIs against standard DNSBLs)
uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Bill or anybody,
Will these lookups also work with SA 2.6x/SpamcopURI ?
Alex, I'm sure it would work fine for the RHSBLs (in fact, I was using SpamcopURI against the MailPolice RHSBL before upgrading to SA 3.0.x), but probably will not for the DNSBLs, since I don't think it supports the functionality of doing a DNS lookup on the URI and then querying the DNSBL with the IP address (instead of the domain) like the URIDNSBL plug-in does.
Bill
On Sunday, October 31, 2004, 11:24:33 PM, Bill Landry wrote:
----- Original Message ----- From: "Alex Broens" surbl@alexb.ch
Folks, with some of the nice functionality that the SA devs built into the URIDNSBL plug-in (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...), you can do cool things like:
=====
# URIDNSBL (queries URIs against standard DNSBLs)
uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Will these lookups also work with SA 2.6x/SpamcopURI ?
Alex, I'm sure it would work fine for the RHSBLs (in fact, I was using SpamcopURI against the MailPolice RHSBL before upgrading to SA 3.0.x), but probably will not for the DNSBLs, since I don't think it supports the functionality of doing a DNS lookup on the URI and then querying the DNSBL with the IP address (instead of the domain) like the URIDNSBL plug-in does.
It may be worth pointing out that uridnsbl does not look up the IP address of the URI against RBLs, but the IP address of the URI domain's *name server*. It's not the same thing as checking the web server against an RBL, but looking up name servers is quite effective if the RBL contains some addresses of spammer name servers, as sbl.spamhaus.org definitely does.
Jeff C. -- "If it appears in hams, then don't list it."
----- Original Message ----- From: "Jeff Chan" jeffc@surbl.org
Folks, with some of the nice functionality that the SA devs built into the URIDNSBL plug-in (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...), you can do cool things like:
=====
# URIDNSBL (queries URIs against standard DNSBLs)
uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Will these lookups also work with SA 2.6x/SpamcopURI ?
Alex, I'm sure it would work fine for the RHSBLs (in fact, I was using SpamcopURI against the MailPolice RHSBL before upgrading to SA 3.0.x), but probably will not for the DNSBLs, since I don't think it supports the functionality of doing a DNS lookup on the URI and then querying the DNSBL with the IP address (instead of the domain) like the URIDNSBL plug-in does.
It may be worth pointing out that uridnsbl does not look up the IP address of the URI against RBLs, but the IP address of the URI domain's *name server*. It's not the same thing as checking the web server against an RBL, but looking up name servers is quite effective if the RBL contains some addresses of spammer name servers, as sbl.spamhaus.org definitely does.
Yes, thanks for clarifying!
Bill
Jeff Chan wrote:
It may be worth pointing out that uridnsbl does not look up the IP address of the URI against RBLs, but the IP address of the URI domain's *name server*. It's not the same thing as checking the web server against an RBL, but looking up name servers is quite effective if the RBL contains some addresses of spammer name servers, as sbl.spamhaus.org definitely does.
I just have to say THANK YOU BILL! I sat down today to accomplish exactly this, I thought I had an original idea but it looks like you beat me to it. I posted in Bugzilla a few days ago to the SA devs that we need this functionality.
I just wanted to query the website's NS server to see if it's listed in SBL-XBL because 9 times out of 10 when I go to report a domain to WS, it's almost always listed in SBL-XBL.
How hard would it be to query the A record for the domain as well?
Fred writes:
Jeff Chan wrote:
It may be worth pointing out that uridnsbl does not look up the IP address of the URI against RBLs, but the IP address of the URI domain's *name server*. It's not the same thing as checking the web server against an RBL, but looking up name servers is quite effective if the RBL contains some addresses of spammer name servers, as sbl.spamhaus.org definitely does.
I just have to say THANK YOU BILL! I sat down today to accomplish exactly this, I thought I had an original idea but it looks like you beat me to it. I posted in Bugzilla a few days ago to the SA devs that we need this functionality.
I just wanted to query the website's NS server to see if it's listed in SBL-XBL because 9 times out of 10 when I go to report a domain to WS, it's almost always listed in SBL-XBL.
How hard would it be to query the A record for the domain as well?
hi guys --
the difficulty with the latter is that it's trivial to avoid. a spammer can do
<a href=http://49583495849skjldkjfsdio7345809.domain.com/>spam!</a>
and just ensure that "49583495849skjldkjfsdio7345809.domain.com" has an A record, and that "www.domain.com" and "domain.com" do not, and their spam gets past.
However no domain can avoid having an NS record for "domain.com".
--j.
On Monday, November 1, 2004, 2:12:26 PM, Justin Mason wrote:
Fred writes:
Jeff Chan wrote:
It may be worth pointing out that uridnsbl does not look up the IP address of the URI against RBLs, but the IP address of the URI domain's *name server*. It's not the same thing as checking the web server against an RBL, but looking up name servers is quite effective if the RBL contains some addresses of spammer name servers, as sbl.spamhaus.org definitely does.
I just have to say THANK YOU BILL! I sat down today to accomplish exactly this, I thought I had an original idea but it looks like you beat me to it. I posted in Bugzilla a few days ago to the SA devs that we need this functionality.
FWIW I'm not sure that Fred was the author of the SpamAssassin uridnsbl code, but it was certainly useful of him to point out some uses of it with data sources other than spamhaus.
I just wanted to query the website's NS server to see if it's listed in SBL-XBL because 9 times out of 10 when I go to report a domain to WS, it's almost always listed in SBL-XBL.
How hard would it be to query the A record for the domain as well?
hi guys --
the difficulty with the latter is that it's trivial to avoid. a spammer can do
<a href=http://49583495849skjldkjfsdio7345809.domain.com/>spam!</a>
and just ensure that "49583495849skjldkjfsdio7345809.domain.com" has an A record, and that "www.domain.com" and "domain.com" do not, and their spam gets past.
Which falls out of needing to reduce domains to some base form, such as the registrar domain.
One *could* resolve the wild FQDN as found in the spam, but that resolution can be used by the spammer to confirm the delivery of specific messages, for example if 49583495849skjldkjfsdio7345809 in the domain name meant the message was sent to joe@user.com , and there are some other pitfalls.
However no domain can avoid having an NS record for "domain.com".
Yes, every (registrar) domain must have an NS record, and resolving that is much safer than the A record of the URI domain.
However, as Daniel Quinlan pointed out to me, all this name resolution is very time consuming. (I'm working on getting our DNS queries that match NS records in spamhaus into SURBL form per his suggestion, in order to avoid even that resolution.)
Jeff C. -- "If it appears in hams, then don't list it."
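Added example, not part of the original thread and not SpamAssassin's code: a sketch of the query names the two rule types in this thread amount to, showing that a random-subdomain URI reduces to the same base domain and therefore the same name-server lookup. The function names, the two-entry suffix set and the 192.0.2.53 name-server address are constructed for illustration, and a lookup table stands in for real NS resolution so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: assumptions for illustration, not real listings.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}          # tiny stand-in for a full suffix list
SAMPLE_NS_ADDRS = {"domain.com": ["192.0.2.53"]}  # stand-in for NS + A resolution


def base_domain(uri):
    """Reduce the host in a URI to its registrar-level domain."""
    host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host                    # IP-literal URI: nothing to reduce
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def rhsbl_query(uri, zone):
    """urirhsbl style: the domain name itself is looked up in the zone."""
    return f"{base_domain(uri)}.{zone.rstrip('.')}."


def dnsbl_queries(uri, zone, ns_addrs=SAMPLE_NS_ADDRS):
    """uridnsbl style: name-server IPv4 addresses, octets reversed, in the zone."""
    names = []
    for addr in ns_addrs.get(base_domain(uri), []):
        octets = str(ipaddress.IPv4Address(addr)).split(".")
        names.append(".".join(reversed(octets)) + "." + zone.rstrip(".") + ".")
    return names


if __name__ == "__main__":
    for uri in ("http://49583495849skjldkjfsdio7345809.domain.com/",
                "http://www.domain.com/offer"):
        print(base_domain(uri), rhsbl_query(uri, "rhsbl.ahbl.org."),
              dnsbl_queries(uri, "sbl-xbl.spamhaus.org."))
```

Because only the base domain is ever resolved, the per-recipient hostname in the URI is never sent to the sender's DNS, which is the tracking concern raised above.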
----- Original Message ----- From: "Fred" tech2@i-is.com
I just have to say THANK YOU BILL! I sat down today to accomplish exactly this, I thought I had an original idea but it looks like you beat me to it. I posted in Bugzilla a few days ago to the SA devs that we need this functionality.
You're welcome.
I just wanted to query the website's NS server to see if it's listed in SBL-XBL because 9 times out of 10 when I go to report a domain to WS, it's almost always listed in SBL-XBL.
Yep, that's why I was interested in using these new test capabilities, as well. You might want to try MailPolice, also. I have gotten pretty good test results from them.
How hard would it be to query the A record for the domain as well?
This seems to say that you could do this (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...):
=====
uridnsbl NAME_OF_RULE dnsbl_zone lookuptype

Specify a lookup. NAME_OF_RULE is the name of the rule to be used, dnsbl_zone is the zone to look up IPs in, and lookuptype is the type of lookup (TXT or A). Note that you must also define a header-eval rule calling check_uridnsbl() to use this. Example:

uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
header URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
=====
by changing "TXT" to "A" in the above rule definition, but I could be wrong and have not tested it.
Bill
On Monday, November 1, 2004, 2:20:31 PM, Bill Landry wrote:
From: "Fred" tech2@i-is.com
How hard would it be to query the A record for the domain as well?
This seems to say that you could do this (see http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_...):
=====
uridnsbl NAME_OF_RULE dnsbl_zone lookuptype

Specify a lookup. NAME_OF_RULE is the name of the rule to be used, dnsbl_zone is the zone to look up IPs in, and lookuptype is the type of lookup (TXT or A). Note that you must also define a header-eval rule calling check_uridnsbl() to use this. Example:

uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
header URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
=====
by changing "TXT" to "A" in the above rule definition, but I could be wrong and have not tested it.
I think that's referring to the lookup type into the RBL, not the lookup of the domain under test.
Jeff C. -- "If it appears in hams, then don't list it."
----- Original Message ----- From: "Jeff Chan" jeffc@surbl.org To: "SURBL Discussion list" discuss@lists.surbl.org Sent: Monday, November 01, 2004 5:38 PM Subject: Re: [SURBL-Discuss] Nice URIDNSBL functionality
by changing "TXT" to "A" in the above rule definition, but I could be wrong and have not tested it.
I think that's referring to the lookup type into the RBL, not the lookup of the domain under test.
I have to agree, I tried using NS but was not successful. I was confused when I wrote my original message, I am still recovering ;) I thought this was doing something that it's not doing. I need to do some more work here..
On Monday 01 November 2004 12:42 am, Alex Broens wrote:
uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Bill or anybody,
Will these lookups also work with SA 2.6x/SpamcopURI ?
thanks
Alex
Alex, did you incorporate this into your 2.6x setup? If so, did you just add it to the spamcop_uri rule?
Thanks Chris
Chris wrote:
On Monday 01 November 2004 12:42 am, Alex Broens wrote:
uridnsbl URIBL_AH_DNSBL dnsbl.ahbl.org. TXT
body URIBL_AH_DNSBL eval:check_uridnsbl('URIBL_AH_DNSBL')
describe URIBL_AH_DNSBL Contains a URL listed in the AH DNSBL blocklist
tflags URIBL_AH_DNSBL net
score URIBL_AH_DNSBL 0.5
I have been running these additional URI tests for about two weeks and have gotten very good results. If you decide to try out these tests, you may want to run them with minimal scores until you see how they are going to perform for you in your particular environment.
Bill or anybody,
Will these lookups also work with SA 2.6x/SpamcopURI ?
thanks
Alex
Alex, did you incorporate this into your 2.6x setup? If so, did you just add it to the spamcop_uri rule?
my only 2.6x installation left is a Windows box but it seems that RBL lookups are broken on that box - it didn't work. Still haven't found a fix.
Alex