{Spam?} [SURBL-Discuss] {Spam?} SBL with message body URIs

Jeff Chan jeffc at surbl.org
Sun Jul 18 14:12:32 CEST 2004


On Sunday, July 18, 2004, 8:43:09 AM, Patrik Nilsson wrote:
> Actually, having done some tests using uridnsbl under SA 3 as well as
> manual checks, I would say that SBL is an excellent tool for catching spam 
> domains in message body URIs.

> I don't think everyone is aware of what uridnsbl, as an alternative to 
> urirhsbl/urirhssub, actually does, so I'll try to explain it.

> First - SBL does not just list IPs used by known spammers to relay mail. It 
> lists any IPs used by known spammers, for whatever purpose. That includes 
> web sites as well as, and most importantly, DNS servers.

> uridnsbl checks the NS records for domains in URIs, resolves those NS 
> records to IP addresses, and then checks those IP addresses in SBL (by 
> default - you can add/change what RBLs it checks).
> If any of the name servers for a domain is listed in SBL, you get a rule hit.

> Spammers do not change their DNS servers nearly as often as they change 
> domains.

[...]
> Also - as long as you only check the NS records for a domain, rather than 
> going further and resolving the host name in the URI, there isn't any need 
> to fear "keyed domain name" address verification by spammers of the type 
> discussed in the SURBL FAQ.

Thanks for the explanation of what uridnsbl in SA 3 does.  That
agrees with what I remember from the discussion on the SA-Talk
list.  IIRC, uridnsbl was intended to be used with an
sbl.spamhaus.org type list, which does include spammer name
servers. 

What I was trying to say is that using sbl.spamhaus.org with
urirhsbl (the program that checks URI domains, not name servers)
may not give as good results as using it with SURBLs.  Probably
I was responding to a configuration Bill was not actually using,
but I know the question has come up before.

In a nutshell, uridnsbl was intended to be used with lists
like sbl.spamhaus.org, while urirhsbl and urirhssub were
meant to be used with SURBLs.  It's possible to feed either
program with the *other* kind of list, but the results aren't
as good.

That said, it looks like the original good scores Bill
Stearns reported for URIBL_SBL probably were for using
uridnsbl with sbl, as intended.  It's nice to see it
works well when used as intended.   Maybe Bill can confirm
that for us.

The only downside is that even the resolution of NS records
does have a finite time penalty, which can get into many
seconds for non-matches (i.e. when a domain no longer has NS
records which resolve).  So there is still a resolution penalty
for using uridnsbl which using urirhsbl with SURBLs doesn't have.

Jeff C.
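
The two lookup styles discussed in this message, as an added example that is not part of the original post and is not SpamAssassin's own code: a name-based urirhsbl-style check next to the NS-based uridnsbl-style check, run against a stub resolver that counts lookups. The stub resolver, the `.example` names, the `rhsbl.example` zone, the sample IPs and the `127.0.0.2` answers are all constructed assumptions.

```python
import ipaddress

class StubResolver:
    """Offline stand-in for a DNS resolver; counts every lookup it serves."""
    def __init__(self, records):
        self.records = records          # {(name, rrtype): [values]}
        self.lookups = 0

    def query(self, name, rrtype):
        self.lookups += 1
        return self.records.get((name.lower().rstrip("."), rrtype), [])

def dnsbl_name(ip, zone):
    """IP-based list: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_urirhsbl(domain, zone, resolver):
    """Name-based check: a single lookup of <domain>.<zone>."""
    return bool(resolver.query(f"{domain}.{zone}", "A"))

def check_uridnsbl(domain, zone, resolver):
    """NS-based check: domain -> NS names -> NS IPs -> IP list lookup.
    The host name in the URI itself is never resolved."""
    hits = []
    for ns in resolver.query(domain, "NS"):
        for ip in resolver.query(ns, "A"):
            if resolver.query(dnsbl_name(ip, zone), "A"):
                hits.append((ns, ip))
    return hits

# Constructed records: two throwaway domains share the same name servers.
RECORDS = {
    ("old-pills.example", "NS"): ["ns1.spamdns.example", "ns2.spamdns.example"],
    ("new-pills.example", "NS"): ["ns1.spamdns.example", "ns2.spamdns.example"],
    ("ns1.spamdns.example", "A"): ["192.0.2.53"],
    ("ns2.spamdns.example", "A"): ["198.51.100.53"],
    # Constructed listing of the ns1 address in the IP-based zone.
    ("53.2.0.192.sbl.spamhaus.org", "A"): ["127.0.0.2"],
    # Constructed name-based listing: only the older domain is known so far.
    ("old-pills.example.rhsbl.example", "A"): ["127.0.0.2"],
}

if __name__ == "__main__":
    for domain in ("old-pills.example", "new-pills.example"):
        r1, r2 = StubResolver(RECORDS), StubResolver(RECORDS)
        print(domain,
              "rhsbl:", check_urirhsbl(domain, "rhsbl.example", r1), r1.lookups,
              "dnsbl:", check_uridnsbl(domain, "sbl.spamhaus.org", r2), r2.lookups)
```

The freshly registered domain is missed by the name-based check but caught through its listed name server, at the cost of five lookups instead of one.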


