[SURBL-Discuss] Re: Start an IP list to block?

Dan Mahoney, System Admin danm at prime.gushi.org
Thu Sep 9 23:48:51 CEST 2004


On Thu, 9 Sep 2004, Matt Kettler wrote:

If it's blacklisting based on resolved ip, it should probably be noted 
that there are a couple of caveats:

1) Spammers can set up multiple ip addresses to an A record.  Whatever 
does the reporting should check all A records, from the top down.  i.e. 
query each NS multiple times to make sure it's not being round-robined or 
reported differently from multiple DNS servers.

2) I can easily foresee spammers doing a wildcard subdomain as an effort to 
thwart this, if we're doing nslookups.

3) It's a common case that spammers use disposable landing sites, such as 
the forwarding services offered by tinyurl, zoneedit, and the like, or 
will put an HTTP redirect on a hotmail or geocities page.  Should those be 
exempt from this, since they have a fair number of legitimate domains as 
well?

-Dan


> At 04:56 PM 9/9/2004, Chris Santerre wrote:
>> So is there a way to use the IP info in a good way? Could SA or SURBL do a
>> quick ping of the URL and match against a URL? This would allow us to simply
>> list 1 IP instead of all these domains.
>
> Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs 
> based on resolved IP. (as well as surbl-style based on domain name). So 
> theoretically, SURBL could open up a separate list based on IP's (i.e.: 
> multi.dnsbl.surbl.org)
>
>
> Take a look at the example where it checks the resolved IP of a URL against 
> the SBL (an IP based list):
>
>        uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
>        header          URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
>        describe        URIBL_SBL       Contains a URL listed in the SBL blocklist
>        tflags          URIBL_SBL       net
>
>
> and from URIDNSBL.pm:
>
>        This works by analysing message text and HTML for URLs, extracting the
>        domain names from those, querying their NS records in DNS, resolving
>        the hostnames used therein, and querying various DNS blocklists for
>        those IP addresses.  This is quite effective.
>
>        SYNOPSIS
>
>        loadplugin    Mail::SpamAssassin::Plugin::URIDNSBL
>        uridnsbl      URIBL_SBLXBL    sbl-xbl.spamhaus.org.   TXT
>
>

--

"I hate Windows"

-Tigerwolf, Anthrocon 2004

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
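As an added example, not part of this thread or of SpamAssassin's URIDNSBL plugin: the resolved-IP lookup Matt describes, with Dan's first caveat handled by asking every nameserver several times and taking the union of the answers. The resolver, hostnames, addresses, message and list zone below are all constructed stand-ins so it runs offline.

```python
import itertools
import re
from urllib.parse import urlsplit
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample DNS data (RFC 5737 documentation addresses): host -> NS -> the
# A answers it rotates through; ns2 hands out a third address only every other query.
SAMPLE_ANSWERS = {"landing.example.invalid": {
    "ns1.example.invalid": [["192.0.2.10", "192.0.2.11"], ["192.0.2.11", "192.0.2.10"]],
    "ns2.example.invalid": [["192.0.2.10"], ["192.0.2.12"]],
}}
# Constructed DNSBL zone contents: only 192.0.2.12 is listed (octets reversed).
SAMPLE_LISTED = {"12.2.0.192.sbl.example.invalid"}
SAMPLE_MESSAGE = "Huge savings at http://landing.example.invalid/offer?id=7 today!"

class FakeResolver:
    """Stand-in for a DNS client so the example runs offline."""
    def __init__(self, answers):
        self._cycles = {h: {ns: itertools.cycle(a) for ns, a in byns.items()}
                        for h, byns in answers.items()}
    def nameservers(self, host):
        return list(self._cycles.get(host, {}))
    def query_a(self, ns, host):
        return list(next(self._cycles[host][ns]))

def extract_hosts(text):
    """Lower-cased hostnames of every http(s) URL in the message text."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(text))
    return {h.lower() for h in hosts if h}

def resolve_all(resolver, host, rounds=3):
    """Union of A records from every NS, each asked `rounds` times (caveat 1)."""
    ips = set()
    for ns in resolver.nameservers(host):
        for _ in range(rounds):
            ips.update(resolver.query_a(ns, host))
    return ips

def dnsbl_name(ip, zone):
    """Standard IP-DNSBL query name: reversed octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_message(text, resolver, zone, listed, rounds=3):
    """Map each URL host whose resolved IPs are in the list to those IPs."""
    hits = {}
    for host in sorted(extract_hosts(text)):
        bad = sorted(ip for ip in resolve_all(resolver, host, rounds) if dnsbl_name(ip, zone) in listed)
        if bad:
            hits[host] = bad
    return hits
```

With `rounds=1` the listed address never shows up, which is exactly the gap Dan's caveat points at; with repeated queries it does.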
