> -----Original Message-----
> From: wolfgang [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 11, 2005 6:36 PM
> To: users@spamassassin.apache.org
> Subject: Re: Phishing IP listed in URIBL and SURBL, but not 
> triggering URI rules
> 
> In an older episode (Friday, 12. August 2005 01:18), Dallas 
> L. Engelken wrote:
> 
> > Looks like we agree with surbl..
> > 
> > # host -tTXT 158.194.144.219.multi.uribl.com 
> > 158.194.144.219.multi.uribl.com descriptive text "Listed on [black] - See http://lookup.uribl.com/?domain=158.194.144.219"
> 
> Yes, but - as Dirk pointed out - that does *not* result in SA 
> recognizing
> 219.194.144.158 as listed - only the surbl lookup cgi handles 
> that "reversed dotted decimal" as a signal that 
> 219.194.144.158 is listed. In other words, that entry is 
> useless for SA. Correct me if I am wrong here.
> 

Hrmmm??  What version are you running?  Mine gets it right.

# echo -e "From: test\n\nhttp://219.144.194.158/test.html" | spamc
X-Spam-Report: 11.0 points, 4.0 required
        *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: 219.144.194.158]
        *  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *      [URIs: 219.144.194.158]
        *  2.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
        *      [URIs: 219.144.194.158]

>
> I wonder what's the purpose of that entry and other IP 
> entries in uribl/surbl. 
>

The point is the listing was accurate, and for clients that parse it
right, they will get valid results back.  Albeit the IP does not
respond to HTTP requests now and should probably be delisted.  At
uribl.com, IP listings are automatically purged after 30 days.

>
> Is other software (besides the surbl cgi :) using them?
> 

Surbl.org lists several tools on their main page that use SURBL data,
some of which do not rely on the spamassassin uri parser.  I know uricat
(http://ry.ca/geturi/) gets it right, as does SA 3.1.x, which has been
getting it right since very early in the 3.1.0 trunk.  As for the other
clients/tools, I haven't a clue.

>
> cheers,
> 
> wolfgang
> 
> 

Dallas
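
Added example (not part of the original message, and not SpamAssassin's or uricat's code): a sketch of how a client can turn the URI hosts in a message into query names for the multi.uribl.com zone, reversing the octets when the host is an IPv4 literal, which is the form the `host` lookup quoted above uses. The function names and the sample message are constructed for illustration, and querying a non-IP host name unchanged is a simplification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "multi.uribl.com"  # zone name taken from the host query in the thread

# Loose URI matcher for plain-text bodies (assumption: http/https only).
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message, modelled on the spamc test in the thread.
SAMPLE = (
    "From: test\n\n"
    "http://219.144.194.158/test.html\n"
    "http://Example.COM./x http://219.144.194.158/again\n"
)


def query_name(host, zone=ZONE):
    """Return the DNS name to look up for one URI host (hypothetical helper)."""
    host = host.rstrip(".").lower()
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        # Not a dotted quad: query the name as given. Simplification: a real
        # client first reduces the host to its registered domain.
        return f"{host}.{zone}"
    # IPv4 literal: the octets are reversed before the zone is appended.
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def queries_for_message(body, zone=ZONE):
    """Return the de-duplicated query names for every URI found in body."""
    names = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname
        except ValueError:  # malformed authority, e.g. a broken [v6] literal
            continue
        if not host:
            continue
        name = query_name(host, zone)
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for name in queries_for_message(SAMPLE):
        print(name)
```
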
