[SURBL-Discuss] Combined SURBL A record format (Was: Re: Bill Stearns' sa-blacklist available as SURBL: ws.surbl.org)

Jeff Chan jeffc at surbl.org
Wed Apr 21 01:12:14 CEST 2004

On Tuesday, April 20, 2004, 11:45:16 PM, Daniel Quinlan wrote:
> Anyhow, using a bitmask is done.  OPM is probably the cleanest example.
> We (used to, OPM is now included in another blacklist so we dropped the
> rules) do OPM like this:

> # header __RCVD_IN_OPM          eval:check_rbl('opm', 'opm.blitzed.org.')
> # describe __RCVD_IN_OPM        Received via a relay in opm.blitzed.org
> # tflags __RCVD_IN_OPM          net
> # 
> # header RCVD_IN_OPM_WINGATE    eval:check_rbl_sub('opm', '1')
> # describe RCVD_IN_OPM_WINGATE  OPM: sender is open WinGate proxy
> # tflags RCVD_IN_OPM_WINGATE    net
> # 
> # header RCVD_IN_OPM_SOCKS      eval:check_rbl_sub('opm', '2')
> # describe RCVD_IN_OPM_SOCKS    OPM: sender is open SOCKS proxy
> # tflags RCVD_IN_OPM_SOCKS      net
> # 
> # header RCVD_IN_OPM_HTTP       eval:check_rbl_sub('opm', '4')
> # describe RCVD_IN_OPM_HTTP     OPM: sender is open HTTP CONNECT proxy
> # tflags RCVD_IN_OPM_HTTP       net

> The second argument in check_rbl_sub is the bitmask (in decimal, not
> hex).  We'd need to make some modifications to our URIBL module to do
> the same for a bitmasked SURBL, but I'm sure we would.

> We'd be just as happy with multiple A record returns.  NJABL is a good
> example of this:

> ------- start of cut text --------------
> header __RCVD_IN_NJABL          eval:check_rbl('njabl', 'dnsbl.njabl.org.')
> describe __RCVD_IN_NJABL        Received via a relay in dnsbl.njabl.org
> tflags __RCVD_IN_NJABL          net

> header RCVD_IN_NJABL_RELAY      eval:check_rbl_sub('njabl', '')
> describe RCVD_IN_NJABL_RELAY    NJABL: sender is confirmed open relay
> tflags RCVD_IN_NJABL_RELAY      net

> header RCVD_IN_NJABL_DIALUP     eval:check_rbl('njabl-notfirsthop', 'dnsbl.njabl
> .org.', '')
> describe RCVD_IN_NJABL_DIALUP   NJABL: dialup sender did non-local SMTP
> tflags RCVD_IN_NJABL_DIALUP     net

> header RCVD_IN_NJABL_SPAM       eval:check_rbl_sub('njabl', '')
> describe RCVD_IN_NJABL_SPAM     NJABL: sender is confirmed spam source
> tflags RCVD_IN_NJABL_SPAM       net

> header RCVD_IN_NJABL_MULTI      eval:check_rbl_sub('njabl', '')
> describe RCVD_IN_NJABL_MULTI    NJABL: sent through multi-stage open relay
> tflags RCVD_IN_NJABL_MULTI      net

Good to know.  Sounds like it's mostly a question of style
then, though multiple A records would require no new coding
whereas bitmasks would.


> Using the DNSBL
> Anyone can query our DNSBL through normal DNS means. Just
> reverse the octets and do a name lookup. For example, to check
> if is present in opm.blitzed.org, do a DNS lookup on
> Each entry in the DNSBL has an A
> record and a TXT record associated with it, the TXT record
> contains a URL to the proxy information page specific to that
> IP address telling the user a little information about how to
> sort out the proxy. 
> In opm.blitzed.org, the A record has an IP address of 127.1.0.x
> where x is a bitmask of the types of proxy that have been
> reported to be running on the host. The values of the bitmask
> are as follows: 
> WinGate       1
> SOCKS         2
> Router        8
> HTTP POST     16

The bitmask approach is more compact, but the multiple A record
approach is more human-readable and transparent IMO.  I'm leaning
towards the latter, but am interested in any other comments.

Jeff C.

More information about the Discuss mailing list