[SURBL-Discuss] Re: Start an IP list to block?
Dan Mahoney, System Admin
danm at prime.gushi.org
Thu Sep 9 23:48:51 CEST 2004
On Thu, 9 Sep 2004, Matt Kettler wrote:
If it's blacklisting based on resolved ip, it should probably be noted
that there are a couple of caveats:
1) Spammers can set up multiple ip addresses to an A record. Whatever
does the reporting should check all A records, from the top down. i.e.
query each NS multiple times to make sure it's not being round-robined or
reported differently from multiple DNS servers.
2) I can easily foresee spammers doing a wildcard subdomain as an effort to
thwart this, if we're doing nslookups.
3) It's a common case that spammers use disposable landing sites, such as
the forwarding services offered by tinyurl, zoneedit, and the like, or
will put an HTTP redirect on a hotmail or geocities page. Should those be
exempt from this, since they have a fair number of legitimate domains as
well?
-Dan
> At 04:56 PM 9/9/2004, Chris Santerre wrote:
>> So is there a way to use the IP info in a good way? Could SA or SURBL do a
>> quick ping of the URL and match against a URL? This would allow us to simply
>> list 1 IP instead of all these domains.
>
> Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs
> based on resolved IP. (as well as surbl-style based on domain name). So
> theoretically, SURBL could open up a separate list based on IP's (i.e.:
> multi.dnsbl.surbl.org)
>
>
> Take a look at the example where it checks the resolved IP of a URL against
> the SBL (an IP based list):
>
> uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
> header URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
> describe URIBL_SBL Contains a URL listed in the SBL blocklist
> tflags URIBL_SBL net
>
>
> and from URIDNSBL.pm:
>
> This works by analysing message text and HTML for URLs, extracting the
> domain names from those, querying their NS records in DNS, resolving
> the hostnames used therein, and querying various DNS blocklists for
> those IP addresses. This is quite effective.
>
> SYNOPSIS
>
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
>
>
--
"I hate Windows"
-Tigerwolf, Anthrocon 2004
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
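
Caveats 1 and 2 above, sketched as an added example that is not part of the original post or of SURBL/SpamAssassin: a reporter that asks every authoritative nameserver several times, takes the union of A records, and probes a random label to detect a wildcard. The resolver is a stand-in fed with constructed data (`.test` names, documentation IP ranges); `make_fake_resolver`, `collect_ips`, `has_wildcard` and `report` are hypothetical names.

```python
import secrets

# Constructed sample data: per nameserver, each name maps to the successive
# answers it hands out (round-robin); "*" stands for a wildcard record.
ZONE = {
    "ns1.spamsite.test": {
        "www.spamsite.test": [["192.0.2.10"], ["192.0.2.11"]],
        "*": [["192.0.2.10"]],
    },
    "ns2.spamsite.test": {
        "www.spamsite.test": [["198.51.100.7"]],
        "*": [["192.0.2.10"]],
    },
}

def make_fake_resolver(zone):
    """Offline stand-in for 'send an A query for name to nameserver ns'."""
    calls = {}
    def query(ns, name):
        table = zone.get(ns, {})
        answers = table.get(name) or table.get("*") or [[]]
        n = calls.get((ns, name), 0)
        calls[(ns, name)] = n + 1
        return answers[n % len(answers)]  # rotate like a round-robin server
    return query

def collect_ips(query, nameservers, name, rounds=3):
    """Union of every A record seen from every NS over repeated queries."""
    seen = set()
    for ns in nameservers:
        for _ in range(rounds):
            seen.update(query(ns, name))
    return seen

def has_wildcard(query, nameservers, domain, rounds=3):
    """A random label nobody registered still resolving implies a wildcard."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return bool(collect_ips(query, nameservers, probe, rounds))

def report(query, nameservers, host, domain, rounds=3):
    return {
        "host": host,
        "ips": sorted(collect_ips(query, nameservers, host, rounds)),
        "wildcard": has_wildcard(query, nameservers, domain, rounds),
    }

if __name__ == "__main__":
    q = make_fake_resolver(ZONE)
    print(report(q, list(ZONE), "www.spamsite.test", "spamsite.test"))
```

With a wildcard present, per-hostname listings are of little use, since any label resolves; the stable facts are the registered domain and the set of IPs behind it.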