> -----Original Message-----
> From: wolfgang [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 11, 2005 2:56 PM
> To: users@spamassassin.apache.org
> Subject: Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
> 
> 
> In an older episode (Thursday, 11. August 2005 12:31), Jeff Chan wrote:
> > On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
> > > the IP
> > > 219 dot 144 dot 194 dot 158
> > > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
> > > phishing mail with
> > > http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> > > in its body does not trigger any uribl rules tho. Why is that so?
> > 
> > What happens if you give the message to SpamAssassin in debug
> > mode:
> > 
> >   spamassassin -D < message
> > 
> 
> I doubt that all the output is important. After running
>  echo -e "Subject: test\\n\\nhttp://219.144.194.158"|spamassassin -D -t > uribl.out 2>&1
> and then
> grep -i URI uribl.out 
> I get:
> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
> debug: config: read file /usr/share/spamassassin/25_uribl.cf
> debug: config: read file /etc/spamassassin/uribl_jp.cf
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410)
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parsed_metadata'
> debug: uri found: http://219.144.194.158
> debug: URIDNSBL: domains to query: 219.144.194.158
> debug: running uri tests; score so far=-3.181
> debug: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410))
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_tick'
> debug: URIDNSBL: query for 219.144.194.158 took 3 seconds to look up (sbl.spamhaus.org.:158.194.144.219)
> debug: URIDNSBL: queries completed: 1 started: 0
> debug: URIDNSBL: queries active:  at Thu Aug 11 20:42:10 2005
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_post_dnsbl'
> debug: running uri tests; score so far=0.61
> debug: running uri tests; score so far=0.61
> debug: uri found: http://219.144.194.158
>  0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
> 
> When I do the same with http://ealzDOTcom instead, I get far more output,
> including:
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_WS_SURBL): 127.0.0.86
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_JP_SURBL): 127.0.0.86
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_OB_SURBL): 127.0.0.86
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_SC_SURBL): 127.0.0.86
> 
> WS is one of the uribls where 219.144.194.158 is listed, so at least WS
> should have returned a "listed" for that IP too, shouldn't it?
> 
> In an older episode (Thursday, 11. August 2005 18:36), Theo Van Dinter wrote:
> > Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
> > only domains.  (At least I don't see where it differentiates and checks
> > IPs.)
> 
> Theo, I get the impression that you are right about that.

Well, URIBL lists the phish and evil IPs. So are there any future plans for
looking up IPs in URLs?

--Chris
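
An added example (not from this thread and not SpamAssassin's own code): how the host of a URI becomes a blocklist query name, with an IP's octets reversed as in the `sbl.spamhaus.org.:158.194.144.219` debug line, and how a `127.0.0.86` answer decodes into the four sub-lists shown for ealz.com. The zone `multi.surbl.org` and the bit values are assumptions taken from the stock SURBL rules of that era; the sample URL is constructed, and hostnames are not reduced to their registered domain here.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed bit values for the combined SURBL answer (not stated in the thread).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}


def uri_host(uri):
    """Return the host of a URI with port, path and userinfo stripped."""
    return (urlsplit(uri).hostname or "").rstrip(".")


def query_name(host, zone):
    """Build the DNS name a URI blocklist lookup asks for.

    A dotted-decimal IPv4 host is queried with its octets reversed;
    anything else is treated as a domain and prepended unchanged.
    """
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return f"{host}.{zone}"
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def decode_answer(answer):
    """Map a 127.0.0.x bitmask answer to the sub-list names it encodes."""
    mask = int(ipaddress.IPv4Address(answer)) & 0xFF
    return sorted(name for bit, name in SURBL_BITS.items() if mask & bit)


if __name__ == "__main__":
    # Constructed sample URIs: an IP host with a port, and a domain host.
    for uri in ("http://219.144.194.158:8081/path/login.htm",
                "http://ealz.com/"):
        host = uri_host(uri)
        print(host, "->", query_name(host, "multi.surbl.org"))
    print("127.0.0.86 ->", decode_answer("127.0.0.86"))
```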
