Jeff Chan wrote:
On Monday, July 24, 2006, 1:34:35 AM, Daryl O'Shea wrote:
Being a simple visible redirector, SA actually does detect it:

[7375] dbg: uri: cleaned html uri, http://1092229727:9999/https-www.paypal.com/webscrr/index.php
[7375] dbg: uri: html domain, google.com


The problem is that SA doesn't then go on to do checks on the IP 1092229727 (CPE-65-26-26-95.kc.res.rr.com [65.26.26.95]) like it would if it was in dotted-quad notation. Thus the hit on Sorbs' DUHL is avoided.

This is definitely a bug.  Please open a bug report and attach a
complete sample to the bug.

http://issues.apache.org/SpamAssassin/

Note that we also blacklist phish site IPs on SURBLs, when they
appear as IPs.  In this case I blacklisted 1092229727 as
65.26.26.95, so hopefully any SA patch checks these in terms of
dotted quad and not 1092229727.  Arguments could probably be
made for checking either, but for SURBLs, IPs are expected to be
dotted quads only.

Yeah, the dotted quad would be checked against SURBLs too. I just mentioned Sorbs' DUHL since it was the only one I got a hit on 65.26.26.95 from.

Daryl
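
The normalization discussed in this thread, as an added example (Python, not SpamAssassin's code or any patch from the thread). It goes beyond the single decimal case above and converts the inet_aton-style numeric host forms (decimal, hex, octal, and short dotted forms) to a dotted quad, then builds the reversed-quad DNSBL query name. The function names are hypothetical and the zone `dnsbl.example` is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Strict per-component forms, as inet_aton interprets them.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+\Z")
_OCT = re.compile(r"0[0-7]*\Z")
_DEC = re.compile(r"[1-9][0-9]*\Z")

def _part(s):
    """Return the integer value of one host component, or None if not numeric."""
    if _HEX.match(s):
        return int(s[2:], 16)
    if _OCT.match(s):
        return int(s, 8)
    if _DEC.match(s):
        return int(s)
    return None

def host_to_dotted_quad(host):
    """Normalize a numeric URI host to dotted-quad form; None for hostnames."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *lead, last = nums
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(n > 0xFF for n in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def dnsbl_query_name(url, zone):
    """Build the reversed-quad name to look up in `zone`, or None."""
    host = urlsplit(url).hostname
    quad = host_to_dotted_quad(host) if host else None
    if quad is None:
        return None
    return ".".join(reversed(quad.split("."))) + "." + zone

if __name__ == "__main__":
    # URI taken from the debug output quoted in the thread.
    uri = "http://1092229727:9999/https-www.paypal.com/webscrr/index.php"
    print(host_to_dotted_quad(urlsplit(uri).hostname))
    print(dnsbl_query_name(uri, "dnsbl.example"))  # placeholder zone
```

Checking only the normalized form keeps one canonical key per address, which matches the expectation stated above that list entries are dotted quads.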
