[SURBL-Discuss] Nice URIDNSBL functionality

Jeff Chan jeffc at surbl.org
Mon Nov 1 23:36:58 CET 2004


On Monday, November 1, 2004, 2:12:26 PM, Justin Mason wrote:
> Fred writes:
>> Jeff Chan wrote:
>> > It may be worth pointing out that uridnsbl does not look up the
>> > IP address of the URI against RBLs, but the IP address of the
>> > URI domain's *name server*.  It's not the same thing as checking
>> > the web server against an RBL, but looking up name servers is
>> > quite effective if the RBL contains some addresses of spammer
>> > name servers, as sbl.spamhaus.org definitely does.
>> 
>> I just have to say THANK YOU BILL!  I sat down today to accomplish exactly
>> this, I thought I had an original idea but it looks like you beat me to it.
>> I posted in Bugzilla a few days ago to the SA devs that we need this
>> functionality.

FWIW I'm not sure that Fred was the author of the SpamAssassin
uridnsbl code, but it was certainly useful of him to point out
some uses of it with data sources other than spamhaus.

>> I just wanted to query the website's NS server to see if it's listed in
>> SBL-XBL because 9 times out of 10 when I go to report a domain to WS, it's
>> almost always listed in SBL-XBL.
>> 
>> How hard would it be to query the A record for the domain as well?

> hi guys --

> the difficulty with the latter is that it's trivial to avoid.  a
> spammer can do

>   <a href=http://49583495849skjldkjfsdio7345809.domain.com/>spam!</a>

> and just ensure that "49583495849skjldkjfsdio7345809.domain.com" has an A
> record, and that "www.domain.com" and "domain.com" do not, and their spam
> gets past.

Which falls out of needing to reduce domains to some base form,
such as the registrar domain.

One *could* resolve the wild FQDN as found in the spam, but that
resolution can be used by the spammer to confirm the delivery
of specific messages, for example if 49583495849skjldkjfsdio7345809
in the domain name meant the message was sent to joe at user.com,
and there are some other pitfalls.

> However no domain can avoid having an NS record for "domain.com".

Yes, every (registrar) domain must have an NS record, and
resolving that is much safer than the A record of the URI
domain.

However, as Daniel Quinlan pointed out to me, all this name
resolution is very time consuming.  (I'm working on getting
our DNS queries that match NS records in spamhaus into SURBL
form per his suggestion, in order to avoid even that
resolution.)

Jeff C.
--
"If it appears in hams, then don't list it."
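The NS-based URIDNSBL check discussed in this thread, as an added example that is not part of the thread or of SpamAssassin's own uridnsbl code. It reduces the URI host to its registrar domain, resolves that domain's name servers, and looks their addresses up in an IP-based RBL; the DNS answers, the RBL zone `rbl.example` and its listing are constructed, and the public-suffix handling is a two-entry stand-in for a real public-suffix list.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed stand-in for a public-suffix list; a real check needs the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Constructed DNS data (no live lookups): base domain -> NS names, name -> A records.
FAKE_NS = {"domain.com": ["ns1.spamdns.example"]}
FAKE_A = {
    "49583495849skjldkjfsdio7345809.domain.com": ["203.0.113.77"],
    "ns1.spamdns.example": ["198.51.100.5"],
}
# Constructed RBL: a hypothetical zone and the addresses it lists.
RBL_ZONE = "rbl.example"
RBL_LISTED = {"198.51.100.5"}


def registrar_domain(host):
    """Reduce a URI host to its registrar-level base domain."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def rbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the RBL zone, DNSBL style."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def uridnsbl_check(uri):
    """Look up the addresses of the base domain's name servers in the RBL.

    Returns (base_domain, names_sent_to_dns, listed).  Only the base domain
    and its NS hosts are ever resolved, so a per-recipient token in the URI
    host never appears in any query the filter sends."""
    host = urlsplit(uri).hostname or ""
    base = registrar_domain(host)
    ns_hosts = FAKE_NS.get(base, [])
    ns_ips = [ip for ns in ns_hosts for ip in FAKE_A.get(ns, [])]
    sent = [base] + ns_hosts + [rbl_query_name(ip, RBL_ZONE) for ip in ns_ips]
    listed = any(ip in RBL_LISTED for ip in ns_ips)
    return base, sent, listed


if __name__ == "__main__":
    print(uridnsbl_check("http://49583495849skjldkjfsdio7345809.domain.com/"))
```

The `sent` list makes the tracking concern from the thread visible: the unique label from the URI host is never part of any name the filter resolves.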
