You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Jeff Chan <je...@surbl.org> on 2005/08/13 06:24:56 UTC

Re: [SURBL-Discuss] Lookup of (phishing) URLs with an IP

On Friday, August 12, 2005, 10:07:47 AM, Dirk Bonengel wrote:
> Given: A (phishing-)mail containg a  link to the IP  219.144.194.158

> The lookup page on rulesemporium.com says it's listed on ws and ph in SURBL

> However, I find that the current SpamAssassin (3.0.4) does not appear to 
> lookup IP-based URLs. Is that correct?

This is more of a SpamAssassin question, but I believe SA 3.1
handles IP URIs correctly, or at least I hope it does.

> Secondly, which form would be correct to lookup that IP via dig (or 
> whatever), and how should SA handle it if it tried to lookup IP-based URIs?
> dig 219.144.194.158.multi.surbl.org gives no results back, but the 
> reversed dotted decimal form does:
> dig 158.194.144.219.multi.surbl.org returns 127.0.0.12.

That's correct.  IPs looked up in RBLs usually have their octets
reversed as in the second example.  We have followed that
convention in SURBLs.

SA should do exactly the same thing as the dig example; when an
IP is found in a URI, reverse the octets and look up the
octet-reversed IP in the SURBL:

  http://www.surbl.org/implementation.html

Jeff C.
--
Don't harm innocent bystanders.