[SURBL-Discuss] Re: URI with one slash not recognised by SA/SPAMCOP_URI?

Menno van Bennekom mvbengro at xs4all.nl
Tue Jun 8 11:16:43 CEST 2004


> From: "Menno van Bennekom"
>> Hi,
>>
>> I get spam with a different URL, the redirect has only one '/':
>> <a href="http://rd.yahoo.com/oashoscy/*http:/hjktccbz.woodwheel.info/mn/num17">
>>
>>
>> This is not recognised by BIZ_TLD (in this example my copy, INFO_TLD).
>> I can change that in the regular expression.
>> But I don't think SPAMCOP_URI_RBL recognizes it either, because woodwheel is
>> in the database but SA gives no hit.
>> If you click on the link above it works, so it seems the one slash is
>> possible.
>> Can anyone confirm that one slash is not recognized?
>
> This should work with SpamCopURI.
>
> What version are you using?
> Have you got an entry like
>
> spamcop_uri_resolve_open_redirects 1
> open_redirect_list_spamcop_uri   rd.yahoo.com *.rd.yahoo.com
>
> in spamcop_uri.cf?
>
> John
>
You are right, SpamCopURI is not bothered by the one slash.
I think my configuration (v0.16 and v0.18) is okay, I get lots of hits on
ws+sc.surbl.org in other mails on both servers, also with redirects in
them.
I have done some sniffing and SpamCopURI DOES do the lookup, only for some
reason it gets a NXdomain..
See tcpdump:
09:50:20.338446 10.1.40.12.3107 > 194.109.104.104.53:  16981+ A? woodwheel.info.ws.surbl.org. (45) (DF)
09:50:20.357518 194.109.104.104.53 > 10.1.40.12.3107:  16981 NXDomain 0/1/0 (101)
09:50:20.376361 10.1.40.12.3107 > 194.109.104.104.53:  16982+ A? yahoo.com.sc.surbl.org. (40) (DF)
09:50:20.397058 194.109.104.104.53 > 10.1.40.12.3107:  16982 NXDomain* 0/1/0 (108)
09:50:20.405862 10.1.40.12.3107 > 194.109.104.104.53:  16983+ A? woodwheel.info.sc.surbl.org. (45) (DF)
09:50:20.424440 194.109.104.104.53 > 10.1.40.12.3107:  16983 NXDomain 0/1/0 (101)

But http://www.rulesemporium.com/cgi-bin/uribl.cgi says that
woodwheel.info is listed in sc.surbl.org...
Strange thing. But I'm relieved that URIs with one slash are checked by
SpamCopURI, so what's left is BIZ_TLD (and INFO_TLD); the standard
regular expression doesn't recognise the one slash.
If I see more of those URIs I will change that regexp.

Regards
Menno
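
An added example, not part of the original message and not SpamCopURI or SpamAssassin code: it pulls the redirect target out of a URI whether the embedded scheme is followed by one slash or two, and builds query names of the form seen in the tcpdump above. The STRICT pattern is a constructed stand-in for a rule that insists on "//", and the two-label base-domain reduction is an assumption.

```python
import re

# Constructed sample: the redirect URI quoted in the message above.
SAMPLE = "http://rd.yahoo.com/oashoscy/*http:/hjktccbz.woodwheel.info/mn/num17"

HOST = r"([^/\s\"'<>?#]+)"
# Stand-in for a pattern that insists on "//" after the scheme (assumption,
# not the actual BIZ_TLD/INFO_TLD rule text).
STRICT = re.compile(r"\*https?://" + HOST, re.IGNORECASE)
# Tolerant patterns: one or two slashes after the scheme.
OUTER = re.compile(r"^https?:/{1,2}" + HOST, re.IGNORECASE)
EMBEDDED = re.compile(r"\*https?:/{1,2}" + HOST, re.IGNORECASE)


def hosts_in_uri(uri):
    """Return the outer host followed by any '*http:/...' redirect targets."""
    hosts = []
    outer = OUTER.match(uri)
    if outer:
        hosts.append(outer.group(1))
    hosts.extend(m.group(1) for m in EMBEDDED.finditer(uri))
    # Drop userinfo, port and trailing dot; DNS names are case-insensitive.
    return [h.rsplit("@", 1)[-1].split(":", 1)[0].rstrip(".").lower() for h in hosts]


def base_domain(host):
    # Assumption: the last two labels are the registered domain. This is wrong
    # for suffixes such as co.uk, which need a two-level-TLD list.
    return ".".join(host.split(".")[-2:])


def surbl_queries(uri, zones=("ws.surbl.org", "sc.surbl.org")):
    """Build DNS A-query names in the form shown in the tcpdump above."""
    names = []
    for host in hosts_in_uri(uri):
        for zone in zones:
            name = f"{base_domain(host)}.{zone}."
            if name not in names:
                names.append(name)
    return names


if __name__ == "__main__":
    print("strict pattern matches:", bool(STRICT.search(SAMPLE)))
    for name in surbl_queries(SAMPLE):
        print(name)
```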


