Posted to users@spamassassin.apache.org by Dirk Bonengel <di...@bonengel.de> on 2005/08/11 22:46:39 UTC

Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Well, the IP is listed OK, but one needs to do reverse queries:

dig 158.194.144.219.multi.surbl.org
gives
158.194.144.219.multi.surbl.org. 1850 IN A      127.0.0.12
which sounds good to me.

Dirk

Chris Santerre wrote:

>>-----Original Message-----
>>From: wolfgang [mailto:mewolf1@gmx.net]
>>Sent: Thursday, August 11, 2005 2:56 PM
>>To: users@spamassassin.apache.org
>>Subject: Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
>>
>>In an older episode (Thursday, 11. August 2005 12:31), Jeff Chan wrote:
>>
>>>On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
>>>
>>>>the IP
>>>>219 dot 144 dot 194 dot 158
>>>>is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a phishing mail with
>>>>http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
>>>>in its body does not trigger any uribl rules tho. Why is that so?
>>>
>>>What happens if you give the message to SpamAssassin in debug mode:
>>>
>>>  spamassassin -D < message
>>
>>I doubt that all the output is important. After running
>> echo -e "Subject: test\\n\\nhttp://219.144.194.158"|spamassassin -D -t > uribl.out 2>&1
>>and then
>>grep -i URI uribl.out
>>I get:
>>debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
>>debug: config: read file /usr/share/spamassassin/25_uribl.cf
>>debug: config: read file /etc/spamassassin/uribl_jp.cf
>>debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
>>debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410)
>>debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parse_config'
>>debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parsed_metadata'
>>debug: uri found: http://219.144.194.158
>>debug: URIDNSBL: domains to query: 219.144.194.158
>>debug: running uri tests; score so far=-3.181
>>debug: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410))
>>debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_tick'
>>debug: URIDNSBL: query for 219.144.194.158 took 3 seconds to look up (sbl.spamhaus.org.:158.194.144.219)
>>debug: URIDNSBL: queries completed: 1 started: 0
>>debug: URIDNSBL: queries active:  at Thu Aug 11 20:42:10 2005
>>debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_post_dnsbl'
>>debug: running uri tests; score so far=0.61
>>debug: running uri tests; score so far=0.61
>>debug: uri found: http://219.144.194.158
>> 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>>
>>when I do the same with http://ealzDOTcom instead, I get far more output, including:
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_WS_SURBL): 127.0.0.86
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_JP_SURBL): 127.0.0.86
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_OB_SURBL): 127.0.0.86
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_SC_SURBL): 127.0.0.86
>>
>>WS is one of the URIBLs where 219.144.194.158 is listed, so at least WS should have returned a "listed" for that IP too, shouldn't it?
>>
>>In an older episode (Thursday, 11. August 2005 18:36), Theo Van Dinter wrote:
>>
>>>Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
>>>only domains.  (At least I don't see where it differentiates and checks IPs.)
>>
>>Theo, I get the impression that you are right about that.
>
>Well, URIBL lists the phish and evil IPs. So are there any future plans for looking up IPs in URLs?
>
>--Chris
>


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Dirk Bonengel <di...@bonengel.de>.
Nope,

but the surbl/uribl back office does, and, yes, thinking of it they're overdoing it:
The phish IP you mentioned was 219.144.194.158
In the zone files it's in reverse notation
extract of multi.surbl.org.rbldnsd (zone file for the rbldnsd I host):

158.194.144.219 :127.0.0.12:Blocked, 158.194.144.219 on lists [ws][ph], See: http://www.surbl.org/lists.html
and also
2.0.0.127       :2:multi.surbl.org permanent test point

but just as you can't look up 127.0.0.2.multi.surbl.org you'll fail with 219.144.194.158.
So SURBL has to remove the reverse notation thing in their zonefiles.

wolfgang wrote:

>In an older episode (Thursday, 11. August 2005 22:46), Dirk Bonengel wrote:
>
>>Well, the IP is listed OK, but one needs to do reverse queries:
>>
>>dig 158.194.144.219.multi.surbl.org
>>gives
>>158.194.144.219.multi.surbl.org. 1850 IN A      127.0.0.12
>>which sounds good to me.
>
>But the uribl plugin doesn't reverse queries, does it?
>
>cheers,
>
>wolfgang
>
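As an added illustration (not code from this thread, from SpamAssassin or from SURBL), a small Python model of the two points Dirk makes across his replies: the zone stores IPs with their octets reversed, so a client has to reverse an IPv4 host before querying while a domain is queried as-is, and the 127.0.0.N answer encodes which sub-lists matched. The zone data is constructed to mirror the rbldnsd extract quoted above, and the bit-to-list mapping is an assumption taken from SURBL's list documentation rather than something the thread states; it does agree with the two answers the thread shows.

```python
import ipaddress

# multi.surbl.org return-code bits. The bit assignments are an assumption taken
# from SURBL's list documentation, not from the thread; they agree with the two
# codes the thread shows: 127.0.0.12 -> [ws][ph], 127.0.0.86 -> WS, JP, OB, SC.
SURBL_MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Constructed zone data shaped like the rbldnsd extract quoted above: the key is
# the left-hand label exactly as it sits in the zone, the value the A record.
CONSTRUCTED_ZONE = {
    "158.194.144.219": "127.0.0.12",  # the phish IP, octets reversed
    "2.0.0.127": "127.0.0.2",         # permanent test point
    "ealz.com": "127.0.0.86",         # domains are stored as-is
}

def query_label(host: str) -> str:
    """Label to prepend to the zone: domains verbatim, IPv4 octets reversed."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return host.lower().rstrip(".")
    return ".".join(reversed(str(ip).split(".")))

def lookup(host: str, zone=CONSTRUCTED_ZONE, reverse_ips=True):
    """Simulate the A answer for <label>.multi.surbl.org against the zone.

    reverse_ips=False mimics the plugin behaviour the thread describes: the
    host is queried verbatim, so a listed IP is never found.
    """
    label = query_label(host) if reverse_ips else host.lower()
    return zone.get(label)

def decode_surbl(answer: str) -> list:
    """Expand a 127.0.0.N answer into the sub-list names encoded in N."""
    n = int(answer.split(".")[-1])
    return sorted(name for bit, name in SURBL_MULTI_BITS.items() if n & bit)

if __name__ == "__main__":
    for host in ("219.144.194.158", "127.0.0.2", "ealz.com"):
        verbatim, reversed_q = lookup(host, reverse_ips=False), lookup(host)
        lists = decode_surbl(reversed_q) if reversed_q else []
        print(f"{host:16} verbatim={verbatim}  reversed={reversed_q}  lists={lists}")
```

Run stand-alone it shows the IP and the test point missing when queried verbatim and hitting once reversed, while the domain hits either way.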


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by wolfgang <me...@gmx.net>.
In an older episode (Thursday, 11. August 2005 22:46), Dirk Bonengel wrote:
> Well, the IP is listed OK, but one needs to do reverse queries:
> 
> dig 158.194.144.219.multi.surbl.org
> gives
> 158.194.144.219.multi.surbl.org. 1850 IN A      127.0.0.12
> which sounds good to me.

But the uribl plugin doesn't reverse queries, does it?

cheers,

wolfgang