Posted to users@spamassassin.apache.org by wolfgang <me...@gmx.net> on 2005/08/10 08:52:47 UTC
Phishing IP listed in URIBL and SURBL, but not triggering URI rules
Hi,
the IP
219 dot 144 dot 194 dot 158
is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
phishing mail with
http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
in its body does not trigger any uribl rules tho. Why is that so?
cheers,
wolfgang
Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
Posted by wolfgang <me...@gmx.net>.
In an older episode (Thursday, 11. August 2005 12:31), Jeff Chan wrote:
> On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
> > the IP
> > 219 dot 144 dot 194 dot 158
> > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
> > phishing mail with
> > http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> > in its body does not trigger any uribl rules tho. Why is that so?
>
> What happens if you give the message to SpamAssassin in debug
> mode:
>
> spamassassin -D < message
>
I doubt that all the output is important. After running
echo -e "Subject: test\\n\\nhttp://219.144.194.158"|spamassassin -D -t > uribl.out 2>&1
and then
grep -i URI uribl.out
I get:
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /etc/spamassassin/uribl_jp.cf
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'parsed_metadata'
debug: uri found: http://219.144.194.158
debug: URIDNSBL: domains to query: 219.144.194.158
debug: running uri tests; score so far=-3.181
debug: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410))
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_tick'
debug: URIDNSBL: query for 219.144.194.158 took 3 seconds to look up (sbl.spamhaus.org.:158.194.144.219)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active: at Thu Aug 11 20:42:10 2005
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 'check_post_dnsbl'
debug: running uri tests; score so far=0.61
debug: running uri tests; score so far=0.61
debug: uri found: http://219.144.194.158
0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
When I do the same with http://ealzDOTcom instead, I get far more output,
including:
debug: URIDNSBL: domain "ealz.com" listed (URIBL_WS_SURBL): 127.0.0.86
debug: URIDNSBL: domain "ealz.com" listed (URIBL_JP_SURBL): 127.0.0.86
debug: URIDNSBL: domain "ealz.com" listed (URIBL_OB_SURBL): 127.0.0.86
debug: URIDNSBL: domain "ealz.com" listed (URIBL_SC_SURBL): 127.0.0.86
WS is one of the URIBLs where 219.144.194.158 is listed, so at least WS
should have returned a "listed" for that IP too, shouldn't it?
In an older episode (Thursday, 11. August 2005 18:36), Theo Van Dinter wrote:
> Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
> only domains. (At least I don't see where it differentiates and checks IPs.)
Theo, I get the impression that you are right about that.
cheers,
wolfgang
Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Aug 12, 2005 at 10:51:23PM -0700, Jeff Chan wrote:
> IIRC 3.1 may do that, right?
According to the debug output and the svn log on the plugin, 3.1 will,
yes. Came in from r160273 via bug 4013.
--
Randomly Generated Tagline:
I like work; it fascinates me; I can sit and look at it funny...
Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
Posted by Jeff Chan <je...@surbl.org>.
On Thursday, August 11, 2005, 9:36:47 AM, Theo Dinter wrote:
> On Thu, Aug 11, 2005 at 03:31:57AM -0700, Jeff Chan wrote:
>> > the IP
>> > 219 dot 144 dot 194 dot 158
>> > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
>> > phishing mail with
>> > http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
>> > in its body does not trigger any uribl rules tho. Why is that so?
>>
>> What happens if you give the message to SpamAssassin in debug
>> mode:
> Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
> only domains. (At least I don't see where it differentiates and checks IPs.)
We would like the URIBL plugin to check IPs, per #5:
http://www.surbl.org/implementation.html
"Handle numeric IPs in URIs similarly, but reverse the octet
ordering before comparison against the RBL. This is a standard
practice for RBLs. For example, http://10.20.30.40/ is checked as
40.30.20.10.multi.surbl.org. Numeric addresses should be in
base-10 representation."
IIRC 3.1 may do that, right?
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
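
Added example, not part of the original thread and not SpamAssassin's code: a Python sketch of the lookup-name construction in the SURBL guideline quoted above, where a numeric IP host is brought to base-10 octets and reversed before the zone is appended. The function names are hypothetical, the handling of hex, octal and single-integer host forms goes beyond the one dotted-decimal case quoted, and hostnames are passed through without the registered-domain reduction a real checker performs.

```python
import re
from urllib.parse import urlsplit

ZONE = "multi.surbl.org"  # zone named in the guideline quoted in the thread
_NUM = re.compile(r"(0x[0-9a-f]+|[0-9]+)\Z", re.IGNORECASE)


def _to_int(part):
    """Parse one numeric host part: decimal, 0x-hex or leading-0 octal."""
    if not _NUM.match(part):
        raise ValueError(part)
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)  # raises ValueError for digits 8 and 9
    return int(part, 10)


def host_to_octets(host):
    """Return four base-10 octets if host is a numeric IPv4 form, else None."""
    try:
        nums = [_to_int(p) for p in host.split(".")]
    except ValueError:
        return None
    if len(nums) == 4 and all(n <= 255 for n in nums):
        return nums
    if len(nums) == 1 and nums[0] <= 0xFFFFFFFF:
        # Single 32-bit integer form of an address (assumption: worth
        # normalising, since resolvers accept it like dotted decimal).
        return list(nums[0].to_bytes(4, "big"))
    return None


def uribl_query_name(uri, zone=ZONE):
    """Build the DNS name an IP-aware URI blocklist check would look up."""
    host = urlsplit(uri).hostname  # drops scheme, port, path and userinfo
    if not host:
        return None
    octets = host_to_octets(host)
    if octets is None:
        # Hostname: a real checker first reduces it to the registered
        # domain, which needs a TLD list and is left out of this sketch.
        return f"{host}.{zone}"
    return ".".join(str(o) for o in reversed(octets)) + "." + zone
```

A checker that skips the numeric branch ends up in the situation reported in this thread: the host is found in the body, but no lookup against the URI zones is made for it.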
Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Aug 11, 2005 at 03:31:57AM -0700, Jeff Chan wrote:
> > the IP
> > 219 dot 144 dot 194 dot 158
> > is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
> > phishing mail with
> > http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> > in its body does not trigger any uribl rules tho. Why is that so?
>
> What happens if you give the message to SpamAssassin in debug
> mode:
Unless I'm missing something obvious, the URIBL plugin doesn't check IPs,
only domains. (At least I don't see where it differentiates and checks IPs.)
--
Randomly Generated Tagline:
I'll give you a definite maybe.
Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules
Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
> the IP
> 219 dot 144 dot 194 dot 158
> is shown as listed by http://www.rulesemporium.com/cgi-bin/uribl.cgi - a
> phishing mail with
> http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb/privat/login/login.htm
> in its body does not trigger any uribl rules tho. Why is that so?
What happens if you give the message to SpamAssassin in debug
mode:
spamassassin -D < message
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/