-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Mahoney, System Admin writes:

> On Thu, 9 Sep 2004, Matt Kettler wrote:
>
> If it's blacklisting based on resolved ip, it should probably be noted
> that there are a couple of caveats:
>
> 1) Spammers can set up multiple ip addresses to an A record. Whatever
> does the reporting should check all A records, from the top down. i.e.
> query each NS multiple times to make sure it's not being round-robined or
> reported differently from multiple DNS servers.
>
> 2) I can easily foresee spammers doing a wildcard subdomain as an effort to
> thwart this, if we're doing nslookups.

they already do.  this also opens a list-washing hole, as a hidden link
to <a href=http://myaddress-rot13-encoded.spammer.com/> will be resolved,
indicating to the spammer that some software at the remote end is
resolving all links in the message.

If OTOH you choose not to use the exact hostname parts of hrefs to avoid
this, instead just resolving "www.spammer.com", they can then ensure that
spammer.com and www.spammer.com do not resolve to hostnames and spam using
links to notwww.spammer.com/payload.html instead.

- --j.

> 3) It's a common case that spammers use disposable landing sites, such as
> the forwarding services offered by tinyurl, zoneedit, and the like, or
> will put an HTTP redirect on a hotmail or geocities page. Should those be
> exempt from this, since they have a fair number of legitimate domains as
> well?
>
> -Dan
>
> > At 04:56 PM 9/9/2004, Chris Santerre wrote:
> > >> So is there a way to use the IP info in a good way? Could SA or SURBL do a
> > >> quick ping of the URL and match against a URL? This would allow us to
> > >> simply list 1 IP instead of all these domains.
> >
> > Chris, SA 3.0 appears to already support checking DNS blacklisting of URLs
> > based on resolved IP. (as well as surbl-style based on domain name). So
> > theoretically, SURBL could open up a separate list based on IP's (i.e.:
> > multi.dnsbl.surbl.org)
> >
> > Take a look at the example where it checks the resolved IP of a URL against
> > the SBL (an IP based list):
> >
> > uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
> > header URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
> > describe URIBL_SBL Contains a URL listed in the SBL blocklist
> > tflags URIBL_SBL net
> >
> > and from URIDNSBL.pm:
> >
> > This works by analysing message text and HTML for URLs, extracting the
> > domain names from those, querying their NS records in DNS, resolving
> > the hostnames used therein, and querying various DNS blocklists for
> > those IP addresses. This is quite effective.
> >
> > SYNOPSIS
> >
> > loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> > uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
> >
> > --
> > "I hate Windows"
> > -Tigerwolf, Anthrocon 2004
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFBQNAFQTcbUG5Y7woRAhkcAKDt7oEJQGXy8kmNB/WIsFLmd3FA2wCcCctF
Va29n1TjRqwMLV2x0uSBONA=
=kgk9
-----END PGP SIGNATURE-----
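The list-washing hole j. describes above (a per-recipient label under the spammer's domain that the scanner obligingly resolves) and the wildcard-subdomain caveat from Matt's list can both be handled in the lookup logic. The following is an added example, not code from the thread, SpamAssassin or SURBL: it extracts URL hostnames, collapses each to its registrable domain, queries the name-keyed zone with that domain only, and for the IP-keyed zone resolves a random label first (if that resolves, the zone is wildcarded and the address is obtained without ever asking for the tracking hostname), falling back to the apex and www names otherwise. The suffix table, the sample message, the stub DNS answers and the `.example` domains are constructed; the zone names come from the quoted configuration. The "notwww.spammer.com" dodge in the message is not solved by this approach, only the name-keyed listing of the registrable domain still catches it.

```python
"""Added example, not from the thread: a URI-blocklist check that never
resolves the exact per-recipient hostname a sender planted in an href."""
import re
import secrets
from collections.abc import Callable
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the public-suffix table real tools use.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
NAME_ZONE = "multi.surbl.org"   # SURBL-style zone keyed by domain name
IP_ZONE = "sbl.spamhaus.org"    # IP-keyed zone from the quoted SA config
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
Resolver = Callable[[str], list[str]]


def extract_hosts(message: str) -> list[str]:
    """Distinct hostnames from http(s) URLs in the message text or HTML."""
    hosts: list[str] = []
    for m in URL_RE.finditer(message):
        host = urlparse(m.group(0)).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain; IP literals pass through."""
    if IPV4_RE.fullmatch(host):
        return host
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_uris(message: str, resolve_a: Resolver, query_dnsbl: Resolver):
    """Return (domain, reason) hits; DNS traffic carries no per-recipient label."""
    hits: list[tuple[str, str]] = []
    seen: set[str] = set()
    for host in extract_hosts(message):
        domain = registrable_domain(host)
        if domain in seen:
            continue
        seen.add(domain)
        if IPV4_RE.fullmatch(domain):
            ips = {domain}
        else:
            # Name-keyed lookup on the registrable domain only.
            if query_dnsbl(f"{domain}.{NAME_ZONE}"):
                hits.append((domain, "name listed"))
            # Wildcard probe: a random label the sender cannot have encoded.
            # If it resolves, the zone is wildcarded and we have its address
            # without ever asking for the tracking hostname.
            ips = set(resolve_a(f"{secrets.token_hex(6)}.{domain}"))
            if not ips:
                ips = set(resolve_a(domain)) | set(resolve_a("www." + domain))
        for ip in sorted(ips):
            reversed_ip = ".".join(reversed(ip.split(".")))
            if query_dnsbl(f"{reversed_ip}.{IP_ZONE}"):
                hits.append((domain, f"ip {ip} listed"))
    return hits


# Constructed sample message and stub DNS so the block runs offline.
SAMPLE_MSG = (
    "<p>Great deal!</p>\n"
    "<a href=http://myaddress-rot13-encoded.spammer.example/>click</a>\n"
    "Also see http://www.shop.co.uk/deal and http://192.0.2.77/x\n"
)
QUERY_LOG: list[str] = []   # every name sent to "DNS", for inspection


def stub_resolve_a(name: str) -> list[str]:
    QUERY_LOG.append(name)
    if name == "www.shop.co.uk":
        return ["198.51.100.5"]
    # spammer.example: apex and www do not resolve, everything else wildcards
    if name.endswith(".spammer.example") and name != "www.spammer.example":
        return ["192.0.2.10"]
    return []


def stub_query_dnsbl(name: str) -> list[str]:
    QUERY_LOG.append(name)
    listed = {f"spammer.example.{NAME_ZONE}", f"10.2.0.192.{IP_ZONE}",
              f"77.2.0.192.{IP_ZONE}"}
    return ["127.0.0.2"] if name in listed else []


def demo() -> list[tuple[str, str]]:
    QUERY_LOG.clear()
    return check_uris(SAMPLE_MSG, stub_resolve_a, stub_query_dnsbl)


if __name__ == "__main__":
    for domain, reason in demo():
        print(domain, reason)
    print("names queried:", QUERY_LOG)
```

Running it shows three hits (the wildcarded spammer domain by name and by address, and the bare-IP link by address) while QUERY_LOG never contains the rot13-style tracking label. The random probe still tells a zone operator that some scanner resolves names under their domain, but not which recipient's copy triggered it, which is the leak the thread is concerned with. Plugging the resolver and DNSBL functions in as parameters is what makes the lookup logic testable offline; in production they would wrap a real resolver library.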