On 09/02/15 11:21, Olivier Nicole wrote:
Axb <axb.li...@gmail.com> writes:

On 09/02/15 09:51, Olivier Nicole wrote:
Hi,

I am looking at malware patrol, but they offer a list of over 300,000
rules, that is way too big.

So I was considering using it in a URIDNSBL type of way, but including
the full URL, not only the host part. It should be able to accept things
like foo.example.com:81/directory/foo?something

Does that exist already?

that doesn't exist, publicly...

There are many reasons why running this isn't trivial either.

- tracking IDs/unique identifiers in URLs
- *can* cause massive scanning overhead
- depending on special cases, DNS spec limitations.
etc, etc..

What problem are you trying to solve which cannot be solved with "known"
methods?

Malware Patrol (malwarepatrol.net) has a file with over 100,000 rules of
the form:

  body MBL_2931645              /files\.oqayiq\.biz\/javasoft\/different\//i
  describe MBL_2931645          MBL: https://www.malwarepatrol.net/cgi/search.pl?id=2931645
  score MBL_2931645             3.5

This causes spamassassin --lint to never terminate (well, I killed it
after one hour).

One way to tackle this would be to rewrite the rules in some sort of URI
DNSBL (that is simple enough to do). And I will run a local DNS.

But contrary to the standard plugin URIDNSBL, the URL includes a machine
name and some directory/file name and maybe a port number; it is not
limited to the domain name.

Of course, the URL would have to be recoded in a way supported by DNS, but
it is not difficult to do (and if it has been done already, I would be
glad to use any existing coding; if someone has done it already, why
bother to do it again).

afaik, there is no code freely available to do this, on server or client side.

The one thing that could be a problem is that the directory/file name
part would become case insensitive because of DNS, but I can live with
that.

So the above example would be added in my DNS zone dnsbl.my.place as
something like:

files.2eoqayiq.2ebiz.2fjavasoft.2fdifferent IN A 127.0.0.2

But on the SA side, I need to be able to grab and test
"files.oqayiq.biz/javasoft/fdifferent" and not only "oqayiq.biz" as done
by URIDNSBL.

I see your point though considering how short most campaigns are (avg 1.8 hr), am VERY curious as to how many hits you see in your production traffic.
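As an added illustration of the full-URL-to-DNS recoding discussed in this thread (not code from either poster), here is a Python prototype. The thread only gives one example mapping, so the exact scheme is an assumption: the URL is lower-cased (the case-insensitivity caveat), each '.', '/' or ':' starts a new label prefixed with the separator's hex code, any other byte outside [a-z0-9] is escaped as '-xx', and names that would break the RFC 1035 label/name length limits are rejected. The zone data is a constructed in-memory stand-in for the local DNSBL.

```python
import re
from typing import Optional

# Constructed in-memory stand-in for the local zone the poster describes
# (dnsbl.my.place answering 127.0.0.2 for a listed URL); hypothetical data.
ZONE = "dnsbl.my.place"
LISTED = {"files.2eoqayiq.2ebiz.2fjavasoft.2fdifferent." + ZONE: "127.0.0.2"}
SEPARATORS = {".", "/", ":"}     # each one starts a new DNS label
MAX_LABEL, MAX_NAME = 63, 253    # RFC 1035 length limits

def _escape(text: str) -> str:
    # Any byte outside [a-z0-9] becomes '-' + two hex digits; '-' itself is
    # escaped too, so every '-' in the output is unambiguously an escape.
    return "".join(chr(b) if b < 128 and chr(b).isalnum() else "-%02x" % b
                   for b in text.encode("utf-8"))

def encode_url(url: str) -> Optional[str]:
    """Lower-case the URL, drop the scheme and split it into DNS labels.
    Every label after the first starts with the hex code of the separator
    that preceded it ('2e' for '.', '2f' for '/', '3a' for ':').
    Returns None when a label or the full name would exceed DNS limits."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower()).rstrip("/")
    labels, current, prefix = [], "", ""
    for ch in url:
        if ch in SEPARATORS:
            labels.append(prefix + _escape(current))
            current, prefix = "", "%02x" % ord(ch)
        else:
            current += ch
    labels.append(prefix + _escape(current))
    if any(not lab or len(lab) > MAX_LABEL for lab in labels):
        return None
    name = ".".join(labels)
    return name if len(name) + 1 + len(ZONE) <= MAX_NAME else None

def decode_name(name: str) -> str:
    """Inverse of encode_url (scheme and original case are not recoverable)."""
    out = b""
    for i, label in enumerate(name.split(".")):
        if i:  # restore the separator this label was prefixed with
            out, label = out + bytes([int(label[:2], 16)]), label[2:]
        out += re.sub(rb"-([0-9a-f]{2})",
                      lambda m: bytes([int(m.group(1), 16)]), label.encode("ascii"))
    return out.decode("utf-8")

def lookup(url: str, zone: dict = LISTED) -> Optional[str]:
    """Check the encoded URL against the zone; real code would resolve it."""
    name = encode_url(url)
    return None if name is None else zone.get(name + "." + ZONE)
```

The round trip through decode_name is what lets the zone maintainer recover the listed URL from a log of queries; a deployment would also need to decide how much of the query string to keep, since tracking IDs make otherwise identical URLs unique.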