Chris,

>
> From: Chris Santerre [mailto:[EMAIL PROTECTED] 
> 
> Negative ghostrider!
> 
> We aren't getting the ip. We are taking the ip directly from 
> the URL, not doing a reverse lookup. I haven't seen a legit 
> email use an IP in a URL in ages. And even if it was legit, 
> it would have to be listed in URIBL. 
> 
> Again, no reverse lookups being done. Just using what is 
> listed in the URL. 
> 

You say "Reverse Lookup", but I think you mean "Forward lookup".   A
reverse lookup would be on an IP-based URI and produce a domain name... A
forward lookup would take a Domain-based URI and produce an IP address.
A forward lookup would have potential for collateral damage on vhosted
domains, a reverse lookup only affects the domain it reverses to...

I.e., forward lookup on URI
http://domainA.com -> 1.2.3.4

And running a lookup on 4.3.2.1.list.blacklist.tld may have
consequences, because if http://domainB.com also resolved to 1.2.3.4,
you'd run into the situation that Greg discusses below.

OTOH, a reverse lookup would be no harm done.  You get a URI in an email
that says

http://1.2.3.4, you pull a PTR for 4.3.2.1.in-addr.arpa and get
domainA.com, you look up domainA.com.list.blacklist.tld.  Then you don't
affect domainB.com.

There is absolutely no reason I can think of that we would want to or
need to use either of these methods.  The only forward lookups to IP
addresses right now are for the NS's of the URIs which are then compared
to IP blacklists like SBL.   This is a functionality of the 'uridnsbl'
rule.  URIBL_* rules use 'urirhssub' which do no NS resolution..

Hopefully that made some sense...

> 
> > -----Original Message-----
> > From: Greg Allen [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, August 11, 2005 4:59 PM
> > To: 'users@spamassassin.apache.org'
> > Subject: RE: Phishing IP listed in URIBL and SURBL, but not triggering
> > URI rules
> > 
> > 
> > This is a very, very dangerous road to go down. You would see a lot of
> > collateral damage by doing a URIBL by IP. A lot of domain hosts these
> > days use shared IPs. I could host any number of legit websites on one
> > virtual IP...and I do. I share IPs with any number of other websites
> > at the web hosting companies where I have websites. There is nothing
> > wrong with this practice. It is commonplace on the Internet and is
> > very cost-effective. I don't want other people's spam baggage thank
> > you. It would be much better to stick with URIBLs by name and let RBLs
> > do the IP lookups like we already do.
> > 
> >

Like Chris said, we only list the IP that is found in the email. If your
'tools' resolve all URIs to an A record and then query our list, then
you have potential for collateral damage.  If you are using
SpamAssassin, you should be safe.
 
> > 
> > 
> > >
> > > Well, URIBL lists the phish and evil IPs. So are there any future
> > > plans for looking up IPs in URLs?
> > >
> > > --Chris
> > >
> > 
> 

Who said SpamAssassin can't look up IP-based URIs against urirhssub
rules???  Was that you Theo?   It's been doing it for me in 3.10-pre3 and
current trunk.

# echo -e "From: test\n\nhttp://127.0.0.2/test.html" | spamc
..
        *  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
        *      [URIs: 127.0.0.2]
        *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: 127.0.0.2]
        *  4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
        *      [URIs: 127.0.0.2]
        *  1.0 URIBL_GREY Contains an URL listed in the URIBL greylist
        *      [URIs: 127.0.0.2]
..
  
# echo -e "From: test\n\nhttp://66.115.184.194/test.html" | sp
..
X-Spam-Report: 10.3 points, 4.0 required
        *  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
        *      [URIs: 66.115.184.194]
        *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: 66.115.184.194]
..


Dallas
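
The distinction drawn in the message above, as an added example that is not part of the original post and not SpamAssassin's code: it builds blacklist query names from URIs exactly as written, and contrasts that with resolving every domain to an A record first. The zone `list.blacklist.tld` is the placeholder from the message; the A-record table and message body are constructed, and no DNS query is sent.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "list.blacklist.tld"  # placeholder zone name taken from the message
# Constructed A records standing in for DNS, so the example runs offline.
FAKE_A_RECORDS = {"domaina.com": "1.2.3.4", "domainb.com": "1.2.3.4"}
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed message body: one IP-based URI and two vhosts on the same IP.
BODY = "see http://1.2.3.4/login.html or http://domainA.com/ and http://domainB.com/x"


def reversed_ip_name(ip, zone=ZONE):
    """1.2.3.4 -> 4.3.2.1.<zone>, the DNSBL query form for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def host_of(uri):
    return (urlsplit(uri).hostname or "").lower().rstrip(".")


def is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def literal_queries(body, zone=ZONE):
    """Query only what is written in the URI: no forward or reverse lookup.
    Simplification (assumption): the full hostname is used for domains."""
    out = {}
    for uri in URI_RE.findall(body):
        host = host_of(uri)
        if host:
            out[host] = reversed_ip_name(host, zone) if is_ipv4(host) else f"{host}.{zone}"
    return out


def forward_lookup_queries(body, zone=ZONE, a_records=FAKE_A_RECORDS):
    """Resolve each domain to its A record first, then query by IP.
    Every vhost on a shared IP collapses onto the same listing."""
    out = {}
    for uri in URI_RE.findall(body):
        host = host_of(uri)
        ip = host if is_ipv4(host) else a_records.get(host)
        if ip:
            out[host] = reversed_ip_name(ip, zone)
    return out
```

With the constructed body, `literal_queries(BODY)` yields three distinct query names, while `forward_lookup_queries(BODY)` maps domainA.com and domainB.com onto the same name as the IP-based URI.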
