Posted to users@spamassassin.apache.org by Robert Boyl <ro...@gmail.com> on 2016/08/02 14:36:50 UTC

eval:check_uridnsbl to check subdomains

Hi, everyone

We are trying to query subdomains of a DNSBL in body of message, but
learned that the default plugin we use, used by URIBL, caps off subdomains.

This is the rule we based ourselves on... it works fine, except for
subdomains... it considers the domain part...

urirhssub       URIBL_GREY  multi.uribl.com.        A   2
body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY  net
score           URIBL_GREY  0.25

Explained here

http://www.gossamer-threads.com/lists/spamassassin/users/194077

How can I make it work with subdomains also?

Perhaps adapt the plugin? Or use some other plugin that is able to check
subdomains and doesn't cap them off?

Thanks a lot,
Robert

Re: eval:check_uridnsbl to check subdomains

Posted by Axb <ax...@gmail.com>.
On 08/02/2016 04:36 PM, Robert Boyl wrote:
> Hi, everyone
>
> We are trying to query subdomains of a DNSBL in body of message, but
> learned that the default plugin we use, used by URIBL, caps off subdomains.
>
> This is the rule we based ourselves on... it works fine, except for
> subdomains... it considers the domain part...
>
> urirhssub       URIBL_GREY  multi.uribl.com.        A   2
> body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
> describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
> tflags          URIBL_GREY  net
> score           URIBL_GREY  0.25
>
> Explained here
>
> http://www.gossamer-threads.com/lists/spamassassin/users/194077
>
> How can I make it work with subdomains also?
>
> Perhaps adapt the plugin? Or use some other plugin that is able to check
> subdomains and doesn't cap them off?

Are you planning to run a private zone for this? Or do you expect to
apply the lookups to an existing public zone?

IIRC, in a private zone you can wildcard the lookups so you can list
host.mail.tld and the URIBL plugin will hit like in the case of DBL.

For this you can start off with the DBL rules as a sample.

You may also want to look into util_rb_2tld  & util_rb_3tld  definitions.

Axb

Re: eval:check_uridnsbl to check subdomains

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 08.08.16 06:39, robertboyl wrote:
>I added
>
>util_rb_3tld nibo.com.br
>
>then sent msg with this in body -: http://conteudo.nibo.com.br

Can you check spamassassin -D over the message?

>this is listed in the DNSBL which has a rule to check for it via uridnsbl
>plugin, but no hit. Also tried to add tld and 2tld... but no luck.
>
>I'll just use SA rules that check the body for the URL... as it's less work...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton

Re: eval:check_uridnsbl to check subdomains

Posted by robertboyl <ro...@gmail.com>.
Thanks a lot for your help.

It didn't work.

I added 

util_rb_3tld nibo.com.br

then sent msg with this in body -: http://conteudo.nibo.com.br

This is listed in the DNSBL, which has a rule to check for it via the uridnsbl
plugin, but no hit. Also tried to add tld and 2tld... but no luck.

I'll just use SA rules that check the body for the URL... as it's less work...

Thanks again.




--
View this message in context: http://spamassassin.1065346.n5.nabble.com/eval-check-uridnsbl-to-check-subdomains-tp121922p122027.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: eval:check_uridnsbl to check subdomains

Posted by Axb <ax...@gmail.com>.
On 08/05/2016 08:46 PM, Kevin Golding wrote:
> On Fri, 05 Aug 2016 19:17:16 +0100, robertboyl <ro...@gmail.com>
> wrote:
>
>> .com.br afaik is TLD
>> nibo.com.br is a 2tld
>> conteudo.nibo.com.br a 3tld
>
> Your counting is off:
>
> .br is a top level domain - ref: http://www.iana.org/domains/root/db
> .com.br is a 2nd level domain
> .nibo.com.br is a 3rd level domain
>
> Adding nibo.com.br to util_rb_3tld means you will query the fourth
> level, in this case conteudo.nibo.com.br will be the domain queried.
>
>> I could perhaps auto generate some file via DNSBL data... But I'm
>> thinking it
>> might be easier to create body rules that check URIs/hosts/subdomains
>> explicitly, not best in terms of processing though and updates.
>
> If it's a fairly small number of domains and they don't change very
> often then that would possibly be more efficient. RBLs are good for
> large volumes and rapid changes. Static rules work fairly well for
> simpler situations and it cuts back on maintaining the RBL and the DNS
> queries on every mail.

and for repeat cases, the simplest and most efficient still remains
(often forgotten)

blacklist_uri_host conteudo.nibo.com.br




Re: eval:check_uridnsbl to check subdomains

Posted by Kevin Golding <kp...@caomhin.org>.
On Fri, 05 Aug 2016 19:17:16 +0100, robertboyl <ro...@gmail.com>  
wrote:

> .com.br afaik is TLD
> nibo.com.br is a 2tld
> conteudo.nibo.com.br a 3tld

Your counting is off:

.br is a top level domain - ref: http://www.iana.org/domains/root/db
.com.br is a 2nd level domain
.nibo.com.br is a 3rd level domain

Adding nibo.com.br to util_rb_3tld means you will query the fourth level,  
in this case conteudo.nibo.com.br will be the domain queried.

> I could perhaps auto generate some file via DNSBL data... But I'm
> thinking it
> might be easier to create body rules that check URIs/hosts/subdomains
> explicitly, not best in terms of processing though and updates.

If it's a fairly small number of domains and they don't change very often  
then that would possibly be more efficient. RBLs are good for large  
volumes and rapid changes. Static rules work fairly well for simpler  
situations and it cuts back on maintaining the RBL and the DNS queries on  
every mail.

Re: eval:check_uridnsbl to check subdomains

Posted by robertboyl <ro...@gmail.com>.
Hi Matheus

Thanks a lot for your help! What I don't understand is why I have to specify
domains, subdomains... Can't I just query the DNSBL and, if it has a URI that
hits, then consider it?

Or else, it might just be easier to create a rawbody/body rule with certain
spamvertised URLs to catch, when we can't block by IP.

For example, further on one example you advised on.

Consider this rule

urirhssub SPFBL_GREY dnsbl.spfbl.net. A 2
body SPFBL_GREY eval:check_uridnsbl('SPFBL_GREY')
describe SPFBL_GREY Contains an URL listed in the SPFBL greylist
tflags SPFBL_GREY net
score SPFBL_GREY 0.1

If you check here: http://matrix.spfbl.net/dnsbl/conteudo.nibo.com.br

You will see that it is listed.

But my SA rule doesn't catch emails that have such subdomain in the body. We
want to block just conteudo.nibo.com.br not any other .nibo.com.br subdomain
just exactly that one.

.com.br afaik is TLD
nibo.com.br is a 2tld
conteudo.nibo.com.br a 3tld

You said .com.br is in the 20_aux_tlds file, but I don't see it. The only .br I
see is blogspot.com.br in 3tld at the end of the file.

So I have to add conteudo.nibo.com.br to the file, 3tld section, right?

Why do you say to add util_rb_3tld nibo.com.br?

Isn't nibo.com.br 2tld?

I think I understand reading here again
http://www.gossamer-threads.com/lists/spamassassin/users/194077

subdomains -> "Using the URIBL plugin you can't unless you use util_rb_2tld
/ util_rb_3tld to create pseudo TLDs."

Oh, I see, so you're like faking the system: since it only understands
TLD/2tld, for example nibo.com.br, you tell the system that it's a 3rd level
domain so it understands conteudo.nibo.com.br, which itself is the 3tld and
only that; nibo.com.br wouldn't be considered?

I could perhaps auto generate some file via DNSBL data... But I'm thinking it
might be easier to create body rules that check URIs/hosts/subdomains
explicitly, not best in terms of processing though and updates.

Thanks!




Re: eval:check_uridnsbl to check subdomains

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 04.08.16 10:48, robertboyl wrote:
>Can you detail when you say to check util_rb_2tld and  util_rb_3tld
>directives?

Check their documentation to see what they are doing.

> I have to manually add all 2tld in this file...?

No. Most of them are already configured in SA rules
(you do keep them up to date, don't you?)

You only need to specify domains that are supposed to apply but are not in
the list.
Maybe you could even post an SA bug report to add them to the stock SA rules.

>Subdomains would be nice to be supported, as it's a way we have to block
>spams that are spamvertised, when we can't block the IP since it's some mailer
>company that also sends legit mails. So we try to find a URL that we can
>block. Sometimes, many times, it's a subdomain. For example, a company that
>sends email marketing called sendmarketing.com might have a customer that
>sends spam and there are URLs in body of email such as
>spammer123.domain.com.sendmarketing.com...


Here you could use util_rb_3tld com.sendmarketing.com

>some examples, testing on a qmail and also on an icewarp mail server.
>
>1) conteudo.nibo.com.br in a URL of a spam body.

com.br is in util_rb_2tld, but maybe you could add "util_rb_3tld nibo.com.br",
provided there are different subdomains in nibo.com.br.

>It does not catch it, but it's blacklisted in the DNSBL.

And which domain exactly is blacklisted? That is also an important question!

>2) A certain legit email has this in the body:
>
>https://cdn-lojaglobo.s3.amazonaws.com/emailmarketing
>
>It causes a false positive, since it considers amazonaws.com (which for some
>reason is listed on the DNSBL blacklist), but what we want to block is the
>subdomain only, not the domain...

util_rb_3tld s3.amazonaws.com


Note that the blacklist must know those domains too.
There's no use in checking for spammer123.domain.com.sendmarketing.com if
the blacklist lists sendmarketing.com,
etc.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol. 
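A worked model of the trimming that Kevin Golding's "fourth level" explanation and the util_rb_3tld suggestions above describe, as an added example that is not code from this thread or from SpamAssassin itself. It assumes a simplified rule (the URIBL lookup keeps one label beyond the longest matching util_rb_3tld / util_rb_2tld / TLD suffix) and that a numeric urirhssub subtest is a bitmask tested against the last octet of a 127.0.0.x answer; the pseudo-TLD tables and the dictionary standing in for the dnsbl.spfbl.net zone are constructed for illustration, not real list data.

```python
"""Model of URIBL domain trimming and urirhssub subtest matching.

Added example; a simplified re-implementation, not SpamAssassin's own code.
"""

# Pseudo-TLD tables. In a real installation these come from 20_aux_tlds.cf
# plus local util_rb_2tld / util_rb_3tld lines; this is a constructed subset.
TLDS = {"br", "com", "net", "org", "pw"}
TLD2 = {"com.br", "org.br", "no-ip.biz", "ddns.net"}
TLD3 = {"nibo.com.br", "s3.amazonaws.com", "blogspot.com.br",
        "com.sendmarketing.com"}


def trim_domain(host, tlds=TLDS, tld2=TLD2, tld3=TLD3):
    """Return the part of `host` a URIBL lookup would query.

    Assumed rule: keep one label more than the longest matching pseudo-TLD
    suffix (3tld before 2tld before TLD). With nibo.com.br in util_rb_3tld,
    conteudo.nibo.com.br is queried as the fourth level; without it, com.br
    in util_rb_2tld trims the host down to nibo.com.br.
    """
    labels = host.lower().rstrip(".").split(".")
    for depth, table in ((3, tld3), (2, tld2), (1, tlds)):
        if len(labels) > depth and ".".join(labels[-depth:]) in table:
            return ".".join(labels[-(depth + 1):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def rhsbl_query_name(domain, zone):
    """Build the name a urirhssub lookup asks for: <domain>.<zone>."""
    return f"{domain}.{zone.rstrip('.')}"


def subtest_matches(answer_ip, subtest):
    """Assumed subtest semantics: an integer is a bitmask ANDed with the last
    octet of a 127.0.0.x answer; a dotted-quad string must match exactly."""
    if isinstance(subtest, int):
        octets = answer_ip.split(".")
        return octets[0] == "127" and (int(octets[3]) & subtest) != 0
    return answer_ip == subtest


def check_uri_host(host, zone, subtest, resolver, **tables):
    """Trim, query, test. `resolver` maps query names to lists of A answers
    (a dict stands in for DNS so the example runs offline). Returns the
    domain actually queried and whether the rule would fire."""
    domain = trim_domain(host, **tables)
    answers = resolver.get(rhsbl_query_name(domain, zone), [])
    return domain, any(subtest_matches(a, subtest) for a in answers)


# Constructed stand-in for the zone named in the thread's SPFBL_GREY rule.
# None of these entries are real list data.
FAKE_ZONE = {
    "conteudo.nibo.com.br.dnsbl.spfbl.net": ["127.0.0.2"],
    "amazonaws.com.dnsbl.spfbl.net": ["127.0.0.2"],
    "cloudflare.pw.dnsbl.spfbl.net": ["127.0.0.1"],
}

if __name__ == "__main__":
    zone = "dnsbl.spfbl.net."
    # Listed subdomain: hits only because nibo.com.br is a pseudo-3tld.
    print(check_uri_host("conteudo.nibo.com.br", zone, 2, FAKE_ZONE))
    print(check_uri_host("conteudo.nibo.com.br", zone, 2, FAKE_ZONE, tld3=set()))
    # The amazonaws.com false positive, with and without the s3 pseudo-3tld.
    print(check_uri_host("cdn-lojaglobo.s3.amazonaws.com", zone, 2, FAKE_ZONE))
    print(check_uri_host("cdn-lojaglobo.s3.amazonaws.com", zone, 2, FAKE_ZONE,
                         tld3=set()))
    # A 127.0.0.1 answer never satisfies a bitmask of 2.
    print(check_uri_host("cloudflare.pw", zone, 2, FAKE_ZONE))
    print(check_uri_host("cloudflare.pw", zone, 1, FAKE_ZONE))
```

The last two calls show why the subtest value matters as much as the pseudo-TLD tables: a zone that answers 127.0.0.1 never satisfies a rule written with a mask of 2, so when a listed host produces no hit, running spamassassin -D over the message and comparing the actual A answer with the rule's fourth argument is the quickest check.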

Re: eval:check_uridnsbl to check subdomains

Posted by robertboyl <ro...@gmail.com>.
Hi, guys

Thanks a lot for replies!! First of all, sorry for long mail! Let me try to
detail a bit, as this has been confusing for us to understand.

Can you detail when you say to check the util_rb_2tld and util_rb_3tld
directives? I have to manually add all 2tld in this file...?

Sorry we have very little SA experience. But this is basically about a
Brazilian DNSBL (www.spfbl.net, currently site only in Portuguese but they
promise one in English) that has helped many systems in Brazil to catch a
lot of spam other DNSBLs and SA doesn't catch.

They list IPs as other DNSBL, but also started testing to add URIs. So we
adapted the check_uridnsbl check and look for result code 127.0.0.1.

Subdomains would be nice to be supported, as it's a way we have to block
spams that are spamvertised, when we can't block the IP since it's some mailer
company that also sends legit mails. So we try to find a URL that we can
block. Sometimes, many times, it's a subdomain. For example, a company that
sends email marketing called sendmarketing.com might have a customer that
sends spam and there are URLs in body of email such as
spammer123.domain.com.sendmarketing.com...

What is strange is, testing the rule just like the one I posted, but
checking the Brazilian DNSBL, it does work, but sometimes strange things
happen or it doesn't catch subdomains, but sometimes it does.

some examples, testing on a qmail and also on an icewarp mail server.

1) conteudo.nibo.com.br in a URL of a spam body.

It does not catch it, but it's blacklisted in the DNSBL.

2) A certain legit email has this in the body:

https://cdn-lojaglobo.s3.amazonaws.com/emailmarketing

It causes a false positive, since it considers amazonaws.com (which for some
reason is listed on the DNSBL blacklist), but what we want to block is the
subdomain only, not the domain...

I have some DNS logging that shows a hit to amazonaws.com; it splits the
request, see:

SYSTEM          [28BC] 11:08:43     multirequest (2)-> res=1, 15 ms
                                        amazonaws.com.dnsbl.spfbl.net(A)->
res=1, responsecode=0, ancount=1, length=100, cache=0
                                        com.br.dnsbl.spfbl.net(A)-> res=1,
responsecode=3, ancount=0, length=76, cache=1
                                       
responsecode=0 means a hit.

3) A certain legit email has this in body



It hits. But strangely, it checked cloudflare.p on the DNSBL (which is
listed there). But we want it to check entire URLs (so cloudflare.pw) and not
part of it.

SYSTEM          [0D74] 09:40:16     multirequest (2)-> res=1, 202 ms
                                        cloudflare.p.dnsbl.spfbl.net(A)->
res=1, responsecode=0, ancount=1, length=99, cache=0
                                        org.br.dnsbl.spfbl.net(A)-> res=1,
responsecode=3, ancount=0, length=76, cache=0
                                       
This is not even a subdomain case, just a strange suffix. But it's strange it
considers cloudflare.p instead of .pw as we wanted it to (as that's what the
URL is...)
                                      
4) What is strange is many times it works fine even with subdomains.

example, this URL is listed in the DNSBL.

http://d-click.contato.emktpme.com.br

and it does detect it just fine, even being a subdomain. Why? Because
"click" (regex) is defined in that file 20_aux_tlds.cf you guys mentioned?

All we wanted is to be able to consistently check a full URI, not just the base
domain.

I saw someone suggesting that for the URIBL PH list also, for a similar reason:
sometimes you can't block a root domain, but you can block a subdomain...

Thanks a lot!
Rob




Re: eval:check_uridnsbl to check subdomains

Posted by Reindl Harald <h....@thelounge.net>.

On 03.08.2016 at 01:43, Benny Pedersen wrote:
> On 2016-08-02 17:03, Matus UHLAR - fantomas wrote:
>
>> you can not, but you could check util_rb_2tld and  util_rb_3tld
>> directives
>> to see if it fits your needs
>
> using them will disable the spam test on this tld as well

just look at
/var/lib/spamassassin/3.004001/updates_spamassassin_org/20_aux_tlds.cf
and try to understand what it does instead of commenting on everything blindly

util_rb_2tld no-ip.biz
util_rb_2tld no-ip.ca
util_rb_2tld no-ip.com
util_rb_2tld no-ip.info
util_rb_2tld no-ip.net
util_rb_2tld no-ip.org
util_rb_2tld gotdns.ch
util_rb_2tld ddnsking.com
util_rb_2tld ddns.net

guess what - that's exactly what I describe below, and the only thing it
needs is that SA and URIBL agree for which cases they handle the
subdomain instead of the pure domain

and no you don't want to block anything ending with "ddns.net" just 
because "benny.ddns.net" has a hacked website

On 03.08.2016 at 01:37, Benny Pedersen wrote:
> On 2016-08-02 16:36, Robert Boyl wrote:
>
>> How can I make it work with subdomains also?
>
> why would you like this to happen?

because URIBL are not tied to the public one and everybody can setup his 
own with rbldnsd and list there specific subdomains which makes a lot of 
sense when customers get something like "username.hoster.tld" as webspace


Re: eval:check_uridnsbl to check subdomains

Posted by Benny Pedersen <me...@junc.eu>.
On 2016-08-02 17:03, Matus UHLAR - fantomas wrote:

> you can not, but you could check util_rb_2tld and  util_rb_3tld 
> directives
> to see if it fits your needs

using them will disable the spam test on this tld as well




Re: eval:check_uridnsbl to check subdomains

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 02.08.16 11:36, Robert Boyl wrote:
>We are trying to query subdomains of a DNSBL in body of message, but
>learned that the default plugin we use, used by URIBL, caps off subdomains.
>
>This is the rule we based ourselves on... it works fine, except for
>subdomains... it considers the domain part...
>
>urirhssub       URIBL_GREY  multi.uribl.com.        A   2
>body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
>describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
>tflags          URIBL_GREY  net
>score           URIBL_GREY  0.25

>How can I make it work with subdomains also?

you can not, but you could check util_rb_2tld and  util_rb_3tld directives
to see if it fits your needs
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot. 

Re: eval:check_uridnsbl to check subdomains

Posted by Benny Pedersen <me...@junc.eu>.
On 2016-08-02 16:36, Robert Boyl wrote:

> How can I make it work with subdomains also?

why would you like this to happen?