> I've been having a few spams slip through recently that
> aren't hitting some of the SURBLs. Upon checking them using
> the tool at:
>
> http://www.rulesemporium.com/cgi-bin/uribl.cgi
>
> I've noticed that some of the root domains are listed, but
> the full expanded domain may not be. For instance one spam has
> this URL in it:
>
> http://i.net.helpfulinfobox.com/?ggobwyvaxpngp
>
> Now helpfulinfobox.com is listed on ws, ob and multi, but
> net.helpfulinfobox.com is not
> i.net.helpfulinfobox.com is also not
>
> It appears the spammer is using DNS wildcards, as anything you
> throw before helpfulinfobox.com gets resolved.
>
> dig z.foo.helpfulinfobox.com -> 222.47.122.8
> dig yo.momma.helpfulinfobox.com -> 222.47.122.8
>
> Question: is this an effective way to spoof SURBL checkers?
> Or does the checking code check each domain element in order
> looking for a hit:
>
> i.net.helpfulinfobox.com
> net.helpfulinfobox.com
> helpfulinfobox.com
The SA code will pull the true domain name, using its ccTLD code to infer the domain name. That is what is checked against SURBL. The checker that you are using above uses the same Util/RegistrarBoundaries.pm file as used in your SA bundle. Prior to using this, I just looped through FQDNs until I hit the last 2 segments. This is no longer needed and I should probably update the code on it.

Chris or Jeff can correct me if I'm wrong, but only the registered domain names go into SURBL lists, not host.domain.tld.

Dallas
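The reduction Dallas describes, as an added example that is not part of the thread and not SpamAssassin's own RegistrarBoundaries.pm: the checker collapses whatever host the spammer's wildcard DNS produced down to the registered domain, and that single name is what gets queried against the list. The boundary table here is a small constructed subset of two-level TLDs chosen to illustrate why the older "keep the last two labels" loop is not enough; the list zone name multi.surbl.org and all function names are this example's own.

```python
# Added example: reduce a URI host to its registrable domain before forming a
# SURBL query name. Illustrative code for this thread only; the boundary table
# is a constructed subset, not SpamAssassin's Util/RegistrarBoundaries.pm data.

# Constructed subset of "two-level TLDs": under these suffixes the registered
# domain is three labels long (example.co.uk), not two.
TWO_LEVEL_TLDS = {
    "co.uk", "org.uk", "ac.uk",
    "com.au", "net.au",
    "co.jp", "ne.jp",
    "com.cn", "net.cn",
}


def _labels(host):
    """Split a host into DNS labels, lower-cased, trailing dot removed."""
    return host.lower().rstrip(".").split(".")


def registrable_domain(host):
    """Return the registered domain for HOST.

    If the last two labels form a known two-level TLD, keep three labels;
    otherwise keep two. A host with fewer labels than that is returned as-is.
    """
    labels = _labels(host)
    if len(labels) < 2:
        return ".".join(labels)
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    return ".".join(labels[-keep:])


def naive_last_two(host):
    """The older approach from the reply: just keep the last two labels.

    Correct for helpfulinfobox.com, wrong for anything under co.uk etc."""
    return ".".join(_labels(host)[-2:])


def candidate_chain(host):
    """Every suffix from the full host down to the registered domain, in the
    order the original poster asked about. Only the last entry is what the
    lists hold, so it is the only one that needs to be queried."""
    labels = _labels(host)
    stop = len(_labels(registrable_domain(host)))
    return [".".join(labels[i:]) for i in range(0, len(labels) - stop + 1)]


def surbl_query_name(host, listname="multi.surbl.org"):
    """Build the DNS name a SURBL-style checker would look up for HOST.

    No lookup is performed here; the name is just assembled."""
    return "%s.%s" % (registrable_domain(host), listname)


if __name__ == "__main__":
    # The wildcard hosts from the thread all collapse to one lookup.
    for h in ("i.net.helpfulinfobox.com", "z.foo.helpfulinfobox.com",
              "yo.momma.helpfulinfobox.com"):
        print(h, "->", surbl_query_name(h))
    # Where the boundary table matters (constructed host):
    h = "www.example.co.uk"
    print(h, "naive:", naive_last_two(h), "boundary-aware:", registrable_domain(h))
```

Because every host under the wildcard reduces to the same registered domain, prepending arbitrary labels does not evade a checker that works this way; it only evades one that queries the full host name verbatim.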