Posted to users@spamassassin.apache.org by wolfgang <me...@gmx.net> on 2005/08/10 08:52:47 UTC

Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Hi,

the IP
219 dot 144 dot 194 dot 158
is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
phishing mail with
http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
in its body does not trigger any URIBL rules, though. Why is that so?

cheers,

wolfgang


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by wolfgang <me...@gmx.net>.
In an older episode (Thursday, 11. August 2005 12:31), Jeff Chan wrote:
> On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
> > the IP
> > 219 dot 144 dot 194 dot 158
> > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
> > phishing mail with
> > 
http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> > in its body does not trigger any URIBL rules, though. Why is that so?
> 
> What happens if you give the message to SpamAssassin in debug
> mode:
> 
>   spamassassin -D < message
> 

I doubt that all the output is important. After running
 echo -e "Subject: test\\n\\nhttp://219.144.194.158" | spamassassin -D -t > uribl.out 2>&1
and then
 grep -i URI uribl.out
I get:
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /etc/spamassassin/uribl_jp.cf
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parsed_metadata'
debug: uri found: http://219.144.194.158
debug: URIDNSBL: domains to query: 219.144.194.158
debug: running uri tests; score so far=-3.181
debug: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410))
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_tick'
debug: URIDNSBL: query for 219.144.194.158 took 3 seconds to look up (sbl.spamhaus.org.:158.194.144.219)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active:  at Thu Aug 11 20:42:10 2005
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_post_dnsbl'
debug: running uri tests; score so far=0.61
debug: running uri tests; score so far=0.61
debug: uri found: http://219.144.194.158
 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL

When I do the same with http://ealzDOTcom instead, I get far more output,
including:
debug: URIDNSBL: domain "ealz.com" listed (URIBL_WS_SURBL): 127.0.0.86
debug: URIDNSBL: domain "ealz.com" listed (URIBL_JP_SURBL): 127.0.0.86
debug: URIDNSBL: domain "ealz.com" listed (URIBL_OB_SURBL): 127.0.0.86
debug: URIDNSBL: domain "ealz.com" listed (URIBL_SC_SURBL): 127.0.0.86

WS is one of the URIBLs where 219.144.194.158 is listed, so at least WS
should have returned a "listed" for that IP too, shouldn't it?

In an older episode (Thursday, 11. August 2005 18:36), Theo Van Dinter wrote:
> Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
> only domains.  (At least I don't see where it differentiates and checks IPs.)

Theo, I get the impression that you are right about that.

cheers,

wolfgang

Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Aug 12, 2005 at 10:51:23PM -0700, Jeff Chan wrote:
> IIRC 3.1 may do that, right?

According to the debug output and the svn log on the plugin, 3.1 will,
yes.  Came in from r160273 via bug 4013.

-- 
Randomly Generated Tagline:
I like work; it fascinates me; I can sit and look at it funny...

Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Jeff Chan <je...@surbl.org>.
On Thursday, August 11, 2005, 9:36:47 AM, Theo Dinter wrote:
> On Thu, Aug 11, 2005 at 03:31:57AM -0700, Jeff Chan wrote:
>> > the IP
>> > 219 dot 144 dot 194 dot 158
>> > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
>> > phishing mail with
>> > http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
>> > in its body does not trigger any URIBL rules, though. Why is that so?
>> 
>> What happens if you give the message to SpamAssassin in debug
>> mode:

> Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
> only domains.  (At least I don't see where it differentiates and checks IPs.)

We would like the URIBL plugin to check IPs, per #5:

  http://www.surbl.org/implementation.html

"Handle numeric IPs in URIs similarly, but reverse the octet
ordering before comparison against the RBL. This is a standard
practice for RBLs. For example, http://10.20.30.40/ is checked as
40.30.20.10.multi.surbl.org. Numeric addresses should be in
base-10 representation."

IIRC 3.1 may do that, right?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
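
The lookup that point 5 of the SURBL implementation note describes, as an added example in Python; it is not SpamAssassin, SURBL or any poster's code. The script pulls the host out of each http(s) URI in a message body, reverses the octets of a numeric IP (http://10.20.30.40/ becomes 40.30.20.10.multi.surbl.org) and reduces a hostname to its registrable domain before appending the zone. It assumes the SURBL combined-list bit values (2 SC, 4 WS, 8 PH, 16 OB, 32 AB, 64 JP), which reproduce the 127.0.0.86 answer in wolfgang's debug run, and uses a short stand-in set in place of SURBL's own two- and three-level TLD tables. It goes beyond the note's base-10 requirement by also normalising hex, octal and bare-integer spellings of an address, which phishing URIs use to hide the same host. The sample body and the DNS answers are constructed; nothing is resolved on the network.

```python
"""SURBL-style query names for the URI hosts in a message body (added example)."""
import re
from ipaddress import IPv4Address

SURBL_ZONE = "multi.surbl.org"

# Bit values of the combined SURBL answer 127.0.0.<bits>. Assumed from the SURBL
# list documentation of the time; 127.0.0.86 = 64 (JP) + 16 (OB) + 4 (WS) + 2 (SC).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}

# Second-level labels under a 2-letter TLD where the third level is the registrable
# domain (example.co.uk). A small stand-in for SURBL's two/three-level TLD lists.
THREE_LEVEL_SECOND_LABELS = {"co", "com", "net", "org", "ac", "gov", "edu", "ne", "or"}

# Authority part of an http(s) URI: everything up to the first /, ?, # or whitespace.
URI_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)


def _number(s):
    """Parse one numeric component: 0x.. is hex, a leading 0 is octal, else decimal."""
    s = s.lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)


def numeric_ip(host):
    """Dotted-decimal form if host is a numeric IPv4 address, else None.

    Dotted decimal is what the SURBL note requires; dotted hex/octal and a bare
    32-bit integer are also accepted, since a browser resolves them to the same host.
    """
    parts = host.split(".")
    try:
        if len(parts) == 1:
            return str(IPv4Address(_number(parts[0])))      # e.g. 3683697310
        if len(parts) == 4:
            octets = [_number(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
    except ValueError:                                        # not numeric / out of range
        pass
    return None


def host_of(authority):
    """Strip userinfo and port from a URI authority and lower-case the host."""
    host = authority.rsplit("@", 1)[-1]   # user:pw@host:port -> host:port
    host = host.split(":", 1)[0]          # drop the port (:8081 in the phishing URI)
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Reduce www.ealz.com to ealz.com and www.example.co.uk to example.co.uk."""
    labels = host.split(".")
    if len(labels) > 2 and len(labels[-1]) == 2 and labels[-2] in THREE_LEVEL_SECOND_LABELS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(host, zone=SURBL_ZONE):
    """Name to look up for one host: reversed octets for an IP, else the domain."""
    ip = numeric_ip(host)
    if ip is not None:
        return ".".join(reversed(ip.split("."))) + "." + zone
    return registrable_domain(host) + "." + zone


def decode_surbl(answer):
    """Map a 127.0.0.<bits> A record to the SURBL sub-lists it encodes."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return []                          # not a SURBL answer: treat as unlisted
    bits = int(octets[3])
    return [name for bit, name in sorted(SURBL_BITS.items()) if bits & bit]


def check_body(body, resolve, zone=SURBL_ZONE):
    """Return {host: [lists]} for every URI host in body that the zone lists.

    resolve(name) returns the A record string or None; it is injected so the
    example runs offline against a constructed answer table.
    """
    hits, seen = {}, set()
    for authority in URI_RE.findall(body):
        host = host_of(authority)
        name = surbl_query_name(host, zone)
        if name in seen:                   # hex and decimal spellings of one IP: one query
            continue
        seen.add(name)
        answer = resolve(name)
        lists = decode_surbl(answer) if answer else []
        if lists:
            hits[host] = lists
    return hits


# Constructed sample message and constructed DNS answers (no network access).
SAMPLE_BODY = """Dear customer, please confirm your login at
http://219.144.194.158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
or at http://0xDB.0x90.0xC2.0x9E/login.htm (same address, hex-obfuscated).
See also http://www.ealz.com/ and http://www.example.co.uk/x
"""
SAMPLE_DNS = {
    "158.194.144.219.multi.surbl.org": "127.0.0.4",   # constructed: listed in WS, as the thread says
    "ealz.com.multi.surbl.org": "127.0.0.86",          # the answer seen in the debug run
}

if __name__ == "__main__":
    for host, lists in check_body(SAMPLE_BODY, SAMPLE_DNS.get).items():
        print(host, "listed in", ", ".join(lists))
```

Two things worth noticing when running it: only the authority of a URI is looked up, so the phishing link resolves to a single query for 158.194.144.219.multi.surbl.org and the secure.dresdner-privat.de string in its path is never queried; and the hex-spelled copy of the address collapses onto that same query name. In wolfgang's debug run, by contrast, the only lookup logged for the IP was against sbl.spamhaus.org.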


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Aug 11, 2005 at 03:31:57AM -0700, Jeff Chan wrote:
> > the IP
> > 219 dot 144 dot 194 dot 158
> > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
> > phishing mail with
> > http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> > in its body does not trigger any URIBL rules, though. Why is that so?
> 
> What happens if you give the message to SpamAssassin in debug
> mode:

Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
only domains.  (At least I don't see where it differentiates and checks IPs.)

-- 
Randomly Generated Tagline:
I'll give you a definite maybe.

Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
> the IP
> 219 dot 144 dot 194 dot 158
> is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
> phishing mail with
> http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> in its body does not trigger any URIBL rules, though. Why is that so?

What happens if you give the message to SpamAssassin in debug
mode:

  spamassassin -D < message

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/