[SURBL-Discuss] Re: Start an IP list to block?

Justin Mason jm at jmason.org
Thu Sep 9 23:49:57 CEST 2004




Dan Mahoney, System Admin writes:
> On Thu, 9 Sep 2004, Matt Kettler wrote:
> 
> If it's blacklisting based on resolved ip, it should probably be noted 
> that there are a couple of caveats:
> 
> 1) Spammers can set up multiple ip addresses to an A record.  Whatever 
> does the reporting should check all A records, from the top down.  i.e. 
> query each NS multiple times to make sure it's not being round-robined or 
> reported differently from multiple DNS servers.
> 
> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to 
> thwart this, if we're doing nslookups.

they already do.  this also opens a list-washing hole, as a hidden link to
<a href=http://myaddress-rot13-encoded.spammer.com/> will be resolved,
indicating to the spammer that some software at the remote end is
resolving all links in the message.

If OTOH you choose not to use the exact hostname parts of hrefs to avoid
this, instead just resolving "www.spammer.com", they can then ensure that
spammer.com and www.spammer.com do not resolve to hostnames and spam using
links to notwww.spammer.com/payload.html instead.

--j.

> 3) It's a common case that spammers use disposable landing sites, such as 
> the forwarding services offered by tinyurl, zoneedit, and the like, or 
> will put an HTTP redirect on a hotmail or geocities page.  Should those be 
> exempt from this, since they have a fair number of legitimate domains as 
> well?
> 
> -Dan
> 
> > At 04:56 PM 9/9/2004, Chris Santerre wrote:
> >> So is there a way to use the IP info in a good way? Could SA or SURBL do a
> >> quick ping of the URL and match against a URL? This would allow us to
> >> simply list 1 IP instead of all these domains.
> >
> > Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs 
> > based on resolved IP. (as well as surbl-style based on domain name). So 
> > theoretically, SURBL could open up a separate list based on IP's (i.e.: 
> > multi.dnsbl.surbl.org)
> >
> >
> > Take a look at the example where it checks the resolved IP of a URL against 
> > the SBL (an IP based list):
> >
> >        uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
> >        header          URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
> >        describe        URIBL_SBL       Contains a URL listed in the SBL blocklist
> >        tflags          URIBL_SBL       net
> >
> >
> > and from URIDNSBL.pm:
> >
> >        This works by analysing message text and HTML for URLs, extracting the
> >        domain names from those, querying their NS records in DNS, resolving
> >        the hostnames used therein, and querying various DNS blocklists for
> >        those IP addresses.  This is quite effective.
> >
> >        SYNOPSIS
> >
> >        loadplugin    Mail::SpamAssassin::Plugin::URIDNSBL
> >        uridnsbl      URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT
> >
> >
> 
> --
> 
> "I hate Windows"
> 
> -Tigerwolf, Anthrocon 2004
> 
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
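Added example (not SpamAssassin's, SURBL's or any poster's code) of the domain-level normalisation that closes the list-washing hole Justin describes: every URL host is collapsed to its registrable domain before a query name is built, so a per-recipient label such as myaddress-rot13-encoded.spammer.com never reaches the spammer's nameservers, and the query names for a SURBL-style domain list and an SBL-style IP list are shown side by side. DNS is abstracted behind a resolver callable so it runs offline; the sample message and the two-level-TLD set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from the thread): a per-recipient encoded hostname
# and a non-www hostname, the two evasions Justin describes.
SAMPLE_MESSAGE = ("Click <a href=http://myaddress-rot13-encoded.spammer.com/>here"
                  "</a> or http://notwww.spammer.com/payload.html and "
                  "http://www.example.co.uk/offer.")
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
# Tiny stand-in for the public-suffix data a real SURBL client uses (assumption).
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp"}

def extract_hosts(text):
    """Lower-cased hostname of every http(s) URL found in the message."""
    hosts = [urlsplit(m.group(0)).hostname for m in URL_RE.finditer(text)]
    return [h.rstrip(".").lower() for h in hosts if h]

def registrable_domain(host):
    """Domain a SURBL-style list keys on; the recipient-specific label is
    dropped here, before any DNS query leaves the filter."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def domains_to_check(text):
    """Unique registrable domains of the message, in first-seen order."""
    out = []
    for host in extract_hosts(text):
        d = registrable_domain(host)
        if d not in out:
            out.append(d)
    return out

def surbl_query_name(domain, zone="multi.surbl.org"):
    """Name queried against a domain list: <domain>.<zone>."""
    return f"{domain}.{zone}"

def ip_dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Name queried against an IP list: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_message(text, resolve_a, zone="multi.surbl.org"):
    """resolve_a(name) -> A answers ([] on NXDOMAIN); 127.0.0.x means listed."""
    hits = {}
    for d in domains_to_check(text):
        answers = resolve_a(surbl_query_name(d, zone))
        if any(a.startswith("127.0.0.") for a in answers):
            hits[d] = answers
    return hits
```

A real deployment would swap resolve_a for an actual DNS lookup; the point is that only spammer.com.multi.surbl.org is ever queried, never the unique hostname from the href.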


