[SURBL-Discuss] {Spam?} SBL with message body URIs

Patrik Nilsson patrik at patrik.com
Sun Jul 18 18:43:09 CEST 2004


At Thu Jul 15 03:44:25 CEST 2004, Jeff Chan wrote:
>On Thursday, July 15, 2004, 2:21:49 AM, Robert Brooks wrote:
> > William Stearns wrote:
> >> TOP SPAM RULES FIRED
> >> ------------------------------------------------------------
> >> RANK    RULE NAME                       COUNT   PERCENT
> >> ------------------------------------------------------------
> >> -> 1    URIBL_WS_SURBL                  13057     5.36%
> >> -> 2    URIBL_SBL                       12907     5.30%
>
> > does sbl.spamhaus.org work with Mail-SpamAssassin-SpamCopURI?  The few
> > spam (uri) domains I've checked don't seem to return records.
>
>sbl is not really intended to be used with message body URI
>checkers like SpamCopURI or urirhsbl, but it may get a few
>hits since I think Spamhaus may include a few spam URI domains
>in SBL.  But the results will probably not be too useful or
>productive, since it's not an intended use of sbl.spamhaus.org.

Actually, having done some tests using uridnsbl under SA 3 as well as 
manual checks, I would say that SBL is an excellent tool for catching spam 
domains in message body URIs.

I don't think everyone is aware of what uridnsbl, as an alternative to 
urirhsbl/urirhssub, actually does, so I'll try to explain it.

First - SBL does not just list IPs used by known spammers to relay mail. It 
lists any IPs used by known spammers, for whatever purpose. That includes 
web sites as well as, and most importantly, DNS servers.

uridnsbl checks the NS records for domains in URIs, resolves those NS 
records to IP addresses, and then checks those IP addresses in SBL (by 
default - you can add/change what RBLs it checks).
If any of the name servers for a domain is listed in SBL, you get a rule hit.

Spammers do not change their DNS servers nearly as often as they change 
domains.

This means that most of the new domains that spammers introduce hit the 
uridnsbl SBL rule immediately, even if the domain hasn't been reported to 
any blacklist yet.

I picked the 10 most recently reported domains to the SC blocklist and 
manually checked what DNS servers they used, and if the IPs for those DNS 
servers were already listed in SBL.
For 9 out of 10, they were.
Data included below.

This doesn't mean that we should list resolved IPs in SURBL lists.
Since there is already good data in SBL, there is no reason to.

But - I think it would be a good idea to encourage SURBL implementations to 
include functionality similar to uridnsbl in addition to regular 
urirhsbl-style SURBL list checks.
For me, it's the main reason why I plan to update all servers to SA 3 ASAP, 
as it's not possible to do this with SA 2.63 and SpamCopURI.

Also - as long as you only check the NS records for a domain, rather than 
going further and resolving the host name in the URI, there isn't any need 
to fear "keyed domain name" address verification by spammers of the type 
discussed in the SURBL FAQ.

/patrik

--------------------------------------------------------------------------
2004-07-18 09:08 digestion5594rneds.us

digestion5594rneds.us   nameserver = NS3.AIRMARAMBA.biz
Name:    NS3.AIRMARAMBA.biz
Address:  61.250.93.207
SBL listed - http://www.spamhaus.org/query/bl?ip=61.250.93.207

digestion5594rneds.us   nameserver = NS2.AUDI56SEW.biz
Name:    NS2.AUDI56SEW.biz
Address:  221.143.42.30
SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.30

--------------------------------------------------------------------------
2004-07-18 09:10 acdfiaj.info

acdfiaj.info    nameserver = second.muchaagua.info
Name:    second.muchaagua.info
Address:  221.139.2.84
SBL listed - http://www.spamhaus.org/query/bl?ip=221.139.2.84

acdfiaj.info    nameserver = first.muchaagua.info
Name:    first.muchaagua.info
Address:  221.143.42.209
SBL listed: http://www.spamhaus.org/query/bl?ip=221.143.42.209

acdfiaj.info    nameserver = third.muchaagua.info
Name:    third.muchaagua.info
Address:  61.128.198.11
SBL listed - http://www.spamhaus.org/query/bl?ip=61.128.198.11

--------------------------------------------------------------------------
2004-07-18 09:24 pro-svcs.com

pro-svcs.com    nameserver = ns2.3070.biz
ns2.3070.biz    internet address = 202.104.237.173
SBL listed - http://www.spamhaus.org/query/bl?ip=202.104.237.173

pro-svcs.com    nameserver = ns3.3070.biz
ns3.3070.biz    internet address = 200.153.20.31
SBL listed - http://www.spamhaus.org/query/bl?ip=200.153.20.31

pro-svcs.com    nameserver = ns1.3070.biz
ns1.3070.biz    internet address = 200.40.40.1
NOT SBL listed.

--------------------------------------------------------------------------
2004-07-18 10:35 tophgh.com

tophgh.com      nameserver = ns2.dns.com.cn
Name:    ns2.dns.com.cn
Address:  218.244.47.6
NOT SBL listed.

tophgh.com      nameserver = ns1.dns.com.cn
Name:    ns1.dns.com.cn
Address:  218.244.47.5
NOT SBL listed.

--------------------------------------------------------------------------
2004-07-18 11:26 fox621dryg.us

fox621dryg.us   nameserver = NS2.AUDI56SEW.biz
Name:    NS2.AUDI56SEW.biz
Address:  221.143.42.30
SBL listed - http://www.spamhaus.org/query/bl?ip=221.143.42.30

fox621dryg.us   nameserver = NS3.AIRMARAMBA.biz
Name:    NS3.AIRMARAMBA.biz
Address:  61.250.93.207
SBL listed - http://www.spamhaus.org/query/bl?ip=61.250.93.207

--------------------------------------------------------------------------
2004-07-18 12:08 polishebertikas.org

polishebertikas.org     nameserver = ns1.kaleinc-dns-server.org
Name:    ns1.kaleinc-dns-server.org
Address:  201.3.240.234
SBL listed - http://www.spamhaus.org/query/bl?ip=201.3.240.234

polishebertikas.org     nameserver = ns1.kaleinc-dns-server2.org
Name:    ns1.kaleinc-dns-server2.org
Address:  201.3.240.234
SBL listed - http://www.spamhaus.org/query/bl?ip=201.3.240.234

polishebertikas.org     nameserver = ns1.koleyfore.org
Name:    ns1.koleyfore.org
Address:  211.158.15.58
SBL listed - http://www.spamhaus.org/query/bl?ip=211.158.15.58

--------------------------------------------------------------------------
2004-07-18 12:20 greenpill.info

greenpill.info  nameserver = ns1.greenpill.info
ns1.greenpill.info      internet address = 219.148.49.244
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.244

greenpill.info  nameserver = ns2.greenpill.info
ns2.greenpill.info      internet address = 219.148.49.245
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.245

--------------------------------------------------------------------------
2004-07-18 13:20 medsparadise.info

medsparadise.info       nameserver = ns2.medsparadise.info
ns1.medsparadise.info   internet address = 219.148.49.244
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.244

medsparadise.info       nameserver = ns1.medsparadise.info
ns2.medsparadise.info   internet address = 219.148.49.245
SBL listed - http://www.spamhaus.org/query/bl?ip=219.148.49.245

--------------------------------------------------------------------------
2004-07-18 14:24 misogynist2527dryg.biz

misogynist2527dryg.biz  nameserver = www.misogynist2527dryg.biz
Name:    misogynist2527dryg.biz
Address:  200.193.29.211
Aliases:  www.misogynist2527dryg.biz
SBL listed - http://www.spamhaus.org/query/bl?ip=200.193.29.211

--------------------------------------------------------------------------
2004-07-18 14:32 hedhoncho.net

hedhoncho.net   nameserver = ns2.3070.biz
ns2.3070.biz    internet address = 202.104.237.173
SBL listed - http://www.spamhaus.org/query/bl?ip=202.104.237.173

hedhoncho.net   nameserver = ns3.3070.biz
ns3.3070.biz    internet address = 200.153.20.31
SBL listed - http://www.spamhaus.org/query/bl?ip=200.153.20.31

hedhoncho.net   nameserver = ns1.3070.biz
ns1.3070.biz    internet address = 200.40.40.1
NOT SBL listed.

--------------------------------------------------------------------------
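As an added example (not code from the post, from SpamAssassin or from Spamhaus), here is an offline Python model of the check Patrik describes: pull the host out of each URI in the body, reduce it to the registrable domain, fetch the domain's NS records, resolve each name server to its addresses, and query each address octet-reversed under the SBL zone. Everything about it is an assumption except the pipeline itself: the DNS table is constructed from the lookups pasted above (example-news.example is an invented clean domain for contrast), the two-or-three-label suffix rule is a crude stand-in for SpamAssassin's real registrar-boundary handling, and the resolver is injected so nothing touches the network. The recording resolver exists to show the property the last paragraph relies on: the host named in the URI is never resolved, so a per-recipient "keyed" hostname gets no confirming query.

```python
"""Offline model of the uridnsbl-style check described in the post.

URI host -> registrable domain -> NS records -> A records of each name server
-> reversed-octet query under the DNSBL zone.  The URI host itself is never
resolved.  DNS data is a constructed table, not live lookups.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> rdata list, [] if none
SBL_ZONE = "sbl.spamhaus.org"

# Assumption: crude stand-in for SpamAssassin's registrar-boundary list.
THREE_LABEL_SUFFIXES = {"com.cn", "net.cn", "co.uk", "org.uk", "com.au", "com.br", "co.jp"}
URI_HOST_RE = re.compile(r"(?i)\bhttps?://([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)")


def reversed_name(ip: str, zone: str = SBL_ZONE) -> str:
    """61.250.93.207 -> 207.93.250.61.sbl.spamhaus.org (IPv4 DNSBL convention)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def registrable_domain(host: str) -> str:
    """Keep the last two labels, or three when the TLD has second-level registries."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(body: str) -> Set[str]:
    return {registrable_domain(h) for h in URI_HOST_RE.findall(body)}


def check_domain(domain: str, resolve: Resolver, zone: str = SBL_ZONE) -> List[Tuple[str, str]]:
    """Return [(nameserver, ip)] for every NS address of `domain` listed in `zone`.

    Only NS and NS-address lookups are made; the URI host is left alone."""
    listed = []
    for ns in resolve(domain, "NS"):
        for ip in resolve(ns, "A"):
            if resolve(reversed_name(ip, zone), "A"):  # any 127.0.0.x answer = listed
                listed.append((ns, ip))
    return sorted(set(listed))


def uridnsbl_check(body: str, resolve: Resolver, zone: str = SBL_ZONE) -> Dict[str, List[Tuple[str, str]]]:
    """Domains whose name servers are listed; one listed NS is enough for a hit."""
    hits = {}
    for domain in sorted(extract_domains(body)):
        found = check_domain(domain, resolve, zone)
        if found:
            hits[domain] = found
    return hits


# Constructed from the lookups in the post; example-news.example is invented.
CONSTRUCTED_DNS: Dict[Tuple[str, str], List[str]] = {
    ("digestion5594rneds.us", "NS"): ["ns3.airmaramba.biz", "ns2.audi56sew.biz"],
    ("ns3.airmaramba.biz", "A"): ["61.250.93.207"],
    ("ns2.audi56sew.biz", "A"): ["221.143.42.30"],
    ("pro-svcs.com", "NS"): ["ns2.3070.biz", "ns3.3070.biz", "ns1.3070.biz"],
    ("ns2.3070.biz", "A"): ["202.104.237.173"],
    ("ns3.3070.biz", "A"): ["200.153.20.31"],
    ("ns1.3070.biz", "A"): ["200.40.40.1"],  # the NS the post found unlisted
    ("tophgh.com", "NS"): ["ns2.dns.com.cn", "ns1.dns.com.cn"],
    ("ns2.dns.com.cn", "A"): ["218.244.47.6"],
    ("ns1.dns.com.cn", "A"): ["218.244.47.5"],
    ("example-news.example", "NS"): ["ns1.example-news.example"],
    ("ns1.example-news.example", "A"): ["192.0.2.53"],
}
for _ip in ["61.250.93.207", "221.143.42.30", "202.104.237.173", "200.153.20.31"]:
    CONSTRUCTED_DNS[(reversed_name(_ip), "A")] = ["127.0.0.2"]  # "listed" answer


def recording_resolver(table: Dict[Tuple[str, str], List[str]],
                       log: List[Tuple[str, str]]) -> Resolver:
    """Table-backed resolver that also records every query it is asked."""
    def resolve(name: str, rrtype: str) -> List[str]:
        key = (name.lower().rstrip("."), rrtype)
        log.append(key)
        return list(table.get(key, []))
    return resolve


# Constructed sample message body.
SAMPLE_BODY = """\
Lowest prices this week: http://www.digestion5594rneds.us/offer.php?id=83
Also see http://pro-svcs.com/cgi-bin/go and HTTP://tophgh.com/hgh.html
Unsubscribe: http://example-news.example/unsub
"""


def run_example() -> Tuple[Dict[str, List[Tuple[str, str]]], List[Tuple[str, str]]]:
    queries: List[Tuple[str, str]] = []
    hits = uridnsbl_check(SAMPLE_BODY, recording_resolver(CONSTRUCTED_DNS, queries))
    return hits, queries


if __name__ == "__main__":
    hits, queries = run_example()
    for domain, found in hits.items():
        print(f"URIBL_SBL hit: {domain}")
        for ns, ip in found:
            print(f"    {ns} ({ip}) -> {reversed_name(ip)}")
    print(f"{len(queries)} DNS queries, none for a URI hostname itself")
```

With the constructed table, digestion5594rneds.us and pro-svcs.com hit (pro-svcs.com on two of its three name servers, matching the post), tophgh.com does not, and the query log contains NS lookups for the URI domains but no A lookup for any host that appeared in a URI.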