[SURBL-Discuss] RE: ANNOUNCE: Mail::SpamAsssassin::SpamCopURI 0.11
Simon Byrnand
simon at igrin.co.nz
Thu Apr 22 14:14:51 CEST 2004
(I've moved this message from the SA list to the SURBL list where it's more
relevant and wont get lost in the noise....)
At 06:14 22/04/2004, Dallas L. Engelken wrote:
> >
> > > I have just released SpamCopURI version 0.11. This fixes a
> > few bugs
> > > that had been reported and adds open redirect resolution.
> > [...]
> >
>
>Just installed it... Can you tell me what is up with this.
>
>@400000004086b7c400ac051c debug: Query failed for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c400ad2244 debug: querying for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c400ad262c
>@400000004086b7c400d251cc debug: Query failed for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c400d74b3c debug: querying for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c400d7530c
>@400000004086b7c400f8d144 debug: Query failed for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c400f9ea84 debug: querying for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c400f9f254
>@400000004086b7c4011e6e2c debug: Query failed for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c40123d8e4 debug: querying for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c40123e0b4
>@400000004086b7c4014c5814 debug: Query failed for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c4014d7924 debug: querying for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c4014d7d0c
>@400000004086b7c401729524 debug: Query failed for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c401777724 debug: querying for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c401777ef4
>@400000004086b7c401993f94 debug: Query failed for
>thegolfchannel.com.ws.surbl.org
>@400000004086b7c4019a648c debug: querying for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c4019a6c5c
>@400000004086b7c401bec124 debug: Query failed for
>www.thegolfchannel.com.ws.surbl.org
>@400000004086b7c401c3a324 debug: querying for
>thegolfchannel.com.ws.surbl.org
>
>Like 20 some times it tried to query before it finally stopped. Does
>query failed actually mean 'failed' or there was no A record found? If
>I send a test from the command line on a message that contains a uri on
>both lists, it works fine.
>
>[root at localhost service]# echo -e 'From: dallase\n\n<a
>href="http://8006hosting.com">click here</A>' | spamc
> ...
> * 3.0 SC_URI_RBL Contains a URL listed in the SC SURBL
>blocklist
> * 2.5 WS_URI_RBL Contains a URL listed in the WS SURBL
>blocklist
> ...
>
>Do I need a new DNS::Resolver or is this normal behavior?
I'm seeing the same thing with SpamCopURI-0.12 as well, I don't remember
whether I was seeing that with 0.10 though. I've seen cases where one
message is causing 20 or more lookings for the "same" dns record.
I think I've worked out what is happening. Basically each different
variation of a subdomain URL found in a message is causing a seperate
lookup, even though the base domains that are actually being looked up are
the same. For example I made a test message that looked like this:
http://serbserb.testdomain.co.nz/blah
http://sebserbr.testdomain.co.nz/blah
http://bsertbse.testdomain.co.nz/blah
http://srtnsrtn.testdomain.co.nz/blah
http://nrtnsrtn.testdomain.co.nz/blah
http://saerbsee.testdomain.co.nz/blah
http://rtndrtsn.testdomain.co.nz/blah
http://nrtndrtn.testdomain.co.nz/blah
http://sdfgserg.testdomain.co.nz/blah
http://bcvcvbcx.testdomain.co.nz/blah
http://ergsergh.testdomain.co.nz/blah
http://qwertybe.testdomain.co.nz/blah
http://lphtrhtr.testdomain.co.nz/blah
http://bxdfbgnf.testdomain.co.nz/blah
http://ergerger.testdomain.co.nz/blah
http://cbxcvbxc.testdomain.co.nz/blah
http://tyjftyjt.testdomain.co.nz/blah
http://awefawfe.testdomain.co.nz/blah
http://awefawef.testdomain.co.nz/blah
http://awefawef.testdomain.co.nz/blah
Where there is a randomized subdomain in front of the actual domain. Many
spams with lots of image links (ones selling printer cartridges, etc etc)
effectively do this. (Each URL refers to a randomized subdomain)
Each URL above generated a dns lookup for testdomain.co.nz.sc.surbl.org and
co.nz.sc.surbl.org, so a total of 40 dns lookups just for the sc list. I'm
also using ws and be lists too, so thats a total of 120 dns lookups
generated by an email with 20 randomized URLs :(
Luckily local dns caching largely offsets the problem but it would be good
to avoid in the first place. Somehow as each URL is stripped down, a list
of stripped names needs to be created with duplicates removed before doing
the DNS queries.... extra coding I guess...
Regards,
Simon
More information about the Discuss
mailing list