[SPAM-TAG] [SURBL-Discuss] Subdomains in SURBL

Brandon Hutchinson hutchib at cscoe.accenture.com
Fri May 12 20:16:40 CEST 2006


> SpamAssassin may check more than the specified levels.  For
> example, it may check at levels two and three on GTLDs, or at
> least it did at one point.

Looking at some of the SA 3.1.1 debug output, SA's URIDNSBL will query only at 
level 3 for domains with a country code (e.g. .co.uk), and level 2 for other 
GTLDs (.com).

Examples:

[5180] dbg: uri: parsed uri found, http://www.hydeparkcalling.co.uk/
[5180] dbg: uri: parsed domain, hydeparkcalling.co.uk
[5180] dbg: uridnsbl: domains to query: hydeparkcalling.co.uk

[6977] dbg: uri: parsed uri found, http://www.manage-performance.com
[6977] dbg: uri: parsed domain, manage-performance.com
[6977] dbg: uridnsbl: domains to query: manage-performance.com

So unless my understanding of SA's URIDNSBL is mistaken, and it certainly 
could be, we'll never catch any of the subdomains in SURBL. No big deal; 
someone probably is using some implementation of URI checking with SURBL that 
does.

>
> If a subdomain is listed, the subdomain should be checked.  It's
> not necessarily safe to check the base domain when a subdomain is
> listed.  For example if phishing.freehost.com is blacklisted,
> checking freehost.com is probably not a good idea.  I do realize
> this is somewhat off spec.

Thanks, this is what I was wondering.

Brandon
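
The following is an added example, not part of the original message and not SpamAssassin's code. It contrasts a base-domain-only lookup (the reduction visible in the debug output above) with a lookup that also tries each longer subdomain. The suffix set, the listed names and all function names are constructed for illustration, and a Python set stands in for the DNS zone.

```python
from urllib.parse import urlsplit

# Constructed subset of two-level country-code suffixes; a real checker
# would load a maintained two-level TLD list instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Constructed stand-in for the blocklist zone (no DNS lookups are made).
LISTED = {"phishing.freehost.com", "spamvertised.example"}


def host_labels(uri):
    # IP-literal hosts are not handled in this sketch.
    host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    return host.split(".") if host else []


def base_domain(uri):
    """Registered domain only: level 3 under a two-level suffix, else level 2."""
    labels = host_labels(uri)
    depth = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    if len(labels) < depth:
        return None
    return ".".join(labels[-depth:])


def candidate_names(uri):
    """Base domain plus every longer subdomain up to the full host name."""
    labels = host_labels(uri)
    base = base_domain(uri)
    if base is None:
        return []
    start = len(base.split("."))
    return [".".join(labels[-n:]) for n in range(start, len(labels) + 1)]


def hit_base_only(uri):
    """True only if the reduced base domain itself is listed."""
    return base_domain(uri) in LISTED


def hit_any_level(uri):
    """True if any candidate name is listed; each name is matched exactly,
    so a listed subdomain never implicates its siblings or the base domain."""
    return any(name in LISTED for name in candidate_names(uri))
```
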

