Posted to users@spamassassin.apache.org by Jeremy Rumpf <jr...@heavyload.net> on 2004/11/17 20:03:41 UTC

SURBL and DNS wildcards

I've been having a few spams slip through recently that aren't hitting some of 
the SURBLs. Upon checking them using the tool at:

http://www.rulesemporium.com/cgi-bin/uribl.cgi

I've noticed that some of the root domains are listed, but the full expanded 
domain may not be. For instance one spam has this URL in it:

 http://i.net.helpfulinfobox.com/?ggobwyvaxpngp


Now helpfulinfobox.com is listed on ws ob and multi, but

net.helpfulinfobox.com is not
i.net.helpfulinfobox.com is also not

It appears the spammer is using DNS wildcards as anything you throw before 
helpfulinfobox.com gets resolved.

dig z.foo.helpfulinfobox.com    ->   222.47.122.8
dig yo.momma.helpfulinfobox.com ->   222.47.122.8

Question, is this an effective way to spoof SURBL checkers? Or does the 
checking code check each domain element in order looking for a hit:

i.net.helpfulinfobox.com
net.helpfulinfobox.com
helpfulinfobox.com

Thanks,
Jeremy
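
The element-by-element check the post asks about, as an added example (not part of the original message and not SpamAssassin's own code). The function names, the `multi.surbl.org` zone argument and the sample listing are assumptions; the lookup is a constructed stand-in for a DNS query so the block runs offline.

```python
from urllib.parse import urlsplit

def candidate_domains(url, min_labels=2):
    """Return the URL's hostname and each parent domain, longest first."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = [part for part in host.split(".") if part]
    # Stop at min_labels so a bare TLD such as "com" is never queried.
    # Simplification: names under two-level suffixes (e.g. co.uk) need a
    # suffix list to find the registered domain; that is not handled here.
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def exact_host_listed(url, is_listed, zone="multi.surbl.org"):
    """Query only the full hostname, which a wildcard subdomain evades."""
    host = candidate_domains(url)[:1]
    return bool(host) and is_listed(f"{host[0]}.{zone}")

def first_listed(url, is_listed, zone="multi.surbl.org"):
    """Query each candidate in order; return the first listed one, else None."""
    for domain in candidate_domains(url):
        if is_listed(f"{domain}.{zone}"):
            return domain
    return None

# Constructed sample data: only the root domain is on the list,
# matching the situation described in the post.
SAMPLE_LISTED = {"helpfulinfobox.com.multi.surbl.org"}

def sample_lookup(qname):
    """Stand-in for a DNS A-record query against the list zone."""
    return qname in SAMPLE_LISTED

if __name__ == "__main__":
    url = "http://i.net.helpfulinfobox.com/?ggobwyvaxpngp"
    print(candidate_domains(url))
    print("exact host only:", exact_host_listed(url, sample_lookup))
    print("walking parents:", first_listed(url, sample_lookup))
```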