Alex,

here are some suggestions:

In your rbldnsd-formatted file, put a dot at the beginning, which serves as a wildcard.

So your three examples:

109 .73 .134 .241
51steel1 .org
amessofblues1 .com

(I added spaces here to evade spam filtering, but those spaces shouldn't actually be there)

would look like this:

.241 .134 .73 .109
.51steel1 .org
.amessofblues1 .com

(again, the extra spaces shouldn't be there)

NOTICE 2 things:

(1) The extra dot at the beginning
-and-
(2) the fact that the IP is in reverse order. The great part about rbldnsd is that a lookup on either

example.com
OR
www.example.com
OR
foo.bar.foo.example.com

ALL of those will get a "hit" when the rbldnsd file has

.example.com

------------------------------------------------

When it comes to formatting the rbldnsd-formatted file, in addition to my suggestions above, it comes down to a choice... make it a simple list of the domains and (reverse-ordered) IPs? Or provide more information for each individual IP, such as a custom text response, as you did here:

foo.example.com:127.0.0.2:Blocked System

In my experience, I haven't been able to get this to work unless I put a space just before the first colon, as follows:

foo.example.com :127.0.0.2:Blocked System

But sometimes you don't need that and can simply use just the domain or IP on each line, since much of that can be accomplished with a single line at/near the top of the file, such as this one that I use for the invaluement URI list:

:127.0.0.2:Blocked by ivmURI - see http://www.invaluement.com/lookup/?item=$

...which then causes all following lines of just domains and IPs... to use this line above as if it were on every single line. - and the "$" causes the actual listed item to show up in the SMTP text message. That "$" feature can be very informative and helpful!

Of course, the most difficult part is not collecting spammy IPs and domains... that part is easy. The most difficult part is knowing when NOT to blacklist a domain--which would be a decoy domain found in a spam, that wasn't the actual "payload" for the spam and is instead an innocent bystander's domain -- and/or generally keeping FPs super low. THAT is the hard part.

There are other issues as to WHERE to divide the domain.

For example, if you listed

.foo.bar.foo.bar.foo.bar.foo.bar.example.com

... but foo.bar.foo.bar.foo.bar.foo.bar. was just decoy material added by the spammer... then...

foo.bar.example.com comes in and, guess what? Your lookup fails to find it. Yet all such variations would be listed if you had simply blacklisted:

.example.com
(again, with the dot in front)

But try this and blacklist:

.blogspot.com

...and trigger massive FPs... when you should have listed:

.somehorrificspammerfromhell.blogspot.com

so that either

www.somehorrificspammerfromhell.blogspot.com
OR
somehorrificspammerfromhell.blogspot.com
foo.bar.foo.bar.somehorrificspammerfromhell.blogspot.com

would ALL return listing, but

blogspot.com

...wouldn't.

So it also takes some work determining those boundaries. Some of those are simple domains... while others like blogspot.com or wordpress.com, are more "artificial" (but still critically important).


--
Rob McEwen
invaluement.com

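The lookup behaviour Rob describes (leading-dot wildcard entries, IPs stored in reversed octet order, a `:A:TXT` default line applied to every following entry, and `$` substitution in the TXT response) is easy to get wrong when building or testing a list, so here is a small model of it. This is an added example, not rbldnsd's own parser or code from the invaluement project: the zone text is constructed, the lookup URL is a placeholder, the parser tolerates the optional space before the first colon, `$` is substituted with the queried name (an assumption; check rbldnsd's own documentation for its exact substitution rule), and when several entries match, the longest listed name wins. It reproduces both boundary problems from the message: the decoy-subdomain entry that misses the shorter name, and the too-broad `.blogspot.com` listing versus the narrower one.

```python
"""Model of rbldnsd 'dnset'-style lookup semantics (added example, not rbldnsd code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample zone, not real list data. The URL is a placeholder.
SAMPLE_ZONE = """\
# default A value and TXT template for every entry that follows
:127.0.0.2:Blocked by example list - see http://lookup.example.invalid/?item=$
.example.com
foo.example.com :127.0.0.3:Blocked System
.241.134.73.109
.somehorrificspammerfromhell.blogspot.com
.foo.bar.foo.bar.foo.bar.foo.bar.example.net
"""


@dataclass
class Entry:
    name: str        # lowercase listed name, leading dot removed
    wildcard: bool   # True when the zone line started with '.'
    a_value: str     # A record returned on a hit, e.g. 127.0.0.2
    txt: str         # TXT template; '$' is substituted at lookup time


def reverse_ip(ip: str) -> str:
    """109.73.134.241 -> 241.134.73.109, the form an IP takes in the list."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets))


def _split_value(value: str, default_a: str, default_txt: str) -> Tuple[str, str]:
    """':127.0.0.2:Some text' -> ('127.0.0.2', 'Some text'); missing parts use defaults."""
    parts = value[1:].split(":", 1)  # drop the leading ':' and split A from TXT once
    a = parts[0].strip() or default_a
    txt = parts[1].strip() if len(parts) > 1 else default_txt
    return a, txt


def parse_zone(text: str) -> List[Entry]:
    entries: List[Entry] = []
    default_a, default_txt = "127.0.0.2", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            # A bare ':A:TXT' line sets the defaults for every following entry
            default_a, default_txt = _split_value(line, default_a, default_txt)
            continue
        name, sep, rest = line.partition(":")
        # 'name :A:TXT' -- whitespace before the colon is tolerated by this model
        name = name.strip().lower().rstrip(".")
        if not name:
            continue
        if sep:
            a, txt = _split_value(sep + rest, default_a, default_txt)
        else:
            a, txt = default_a, default_txt
        entries.append(Entry(name.lstrip("."), name.startswith("."), a, txt))
    return entries


def lookup(entries: List[Entry], query: str) -> Optional[Tuple[str, str]]:
    """Return (A, TXT) for a hit, or None. Longest listed name wins (model's rule)."""
    q = query.strip().lower().rstrip(".")
    best: Optional[Entry] = None
    for e in entries:
        # exact name always matches; a leading-dot entry also matches every subdomain
        hit = q == e.name or (e.wildcard and q.endswith("." + e.name))
        if hit and (best is None or len(e.name) > len(best.name)):
            best = e
    if best is None:
        return None
    return best.a_value, best.txt.replace("$", q)


def lookup_ip(entries: List[Entry], ip: str) -> Optional[Tuple[str, str]]:
    """Look an IP up the way a URI list stores it: reversed octets as a name."""
    return lookup(entries, reverse_ip(ip))


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for q in ("example.com", "www.example.com", "foo.bar.foo.example.com",
              "foo.example.com", "blogspot.com",
              "www.somehorrificspammerfromhell.blogspot.com",
              "foo.bar.example.net"):
        print(f"{q:48} -> {lookup(zone, q)}")
    print(f"{'109.73.134.241':48} -> {lookup_ip(zone, '109.73.134.241')}")
```

Running it shows the three example.com variants all hitting `.example.com`, the per-entry `foo.example.com :127.0.0.3:Blocked System` line overriding the default text for that exact name, `blogspot.com` staying clean while the spammer's subdomain and everything under it is listed, and `foo.bar.example.net` slipping past the over-long decoy entry.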