Posted to users@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2005/08/11 21:22:58 UTC

RE: Phishing IP listed in URIBL and SURBL, but not triggering URI rules


> -----Original Message-----
> From: wolfgang [mailto:mewolf1@gmx.net]
> Sent: Thursday, August 11, 2005 2:56 PM
> To: users@spamassassin.apache.org
> Subject: Re: Phishing IP listed in URIBL and SURBL, but not triggering
> URI rules
> 
> 
> In an older episode (Thursday, 11. August 2005 12:31), Jeff 
> Chan wrote:
> > On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
> > > the IP
> > > 219 dot 144 dot 194 dot 158
> > > is shown as listed by 
> http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
> > > phishing mail with
> > > 
> http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb
> /privat/login/login.htm
> > > in its body does not trigger any uribl rules tho. Why is that so?
> > 
> > What happens if you give the message to SpamAssassin in debug
> > mode:
> > 
> >   spamassassin -D < message
> > 
> 
> I doubt that all the output is important. After running
>  echo -e "Subject: 
> test\\n\\nhttp://219.144.194.158"|spamassassin -D -t > 
> uribl.out 2>&1
> and then
> grep -i URI uribl.out 
> I get:
> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
> debug: config: read file /usr/share/spamassassin/25_uribl.cf
> debug: config: read file /etc/spamassassin/uribl_jp.cf
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered 
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410)
> debug: plugin: 
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
> 'parse_config'
> debug: plugin: 
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
> 'parsed_metadata'
> debug: uri found: http://219.144.194.158
> debug: URIDNSBL: domains to query: 219.144.194.158
> debug: running uri tests; score so far=-3.181
> debug: registering glue method for check_uridnsbl 
> (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410))
> debug: plugin: 
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
> 'check_tick'
> debug: URIDNSBL: query for 219.144.194.158 took 3 seconds to look up 
> (sbl.spamhaus.org.:158.194.144.219)
> debug: URIDNSBL: queries completed: 1 started: 0
> debug: URIDNSBL: queries active:  at Thu Aug 11 20:42:10 2005
> debug: plugin: 
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
> 'check_post_dnsbl'
> debug: running uri tests; score so far=0.61
> debug: running uri tests; score so far=0.61
> debug: uri found: http://219.144.194.158
>  0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP 
> address in URL
> 
> when I do the same with http://ealzDOTcom instead, I get far
> more output,
> including:
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_WS_SURBL): 127.0.0.86
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_JP_SURBL): 127.0.0.86
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_OB_SURBL): 127.0.0.86
> debug: URIDNSBL: domain "ealz.com" listed (URIBL_SC_SURBL): 127.0.0.86
> 
> WS is one of the uribl's where 219.144.194.158 is listed, so 
> at least WS 
> should have returned a "listed" for that IP too, shouldn't it?
> 
> In an older episode (Thursday, 11. August 2005 18:36), Theo 
> Van Dinter wrote:
> > Unless I'm missing something obvious, the URIBL plugin 
> doesn't check IPs,
> > only domains.  (At least I don't see where it 
> differentiates and checks 
> IPs.)
> 
> Theo, I get the impression that you are right about that.

Well, URIBL lists the phish and evil IPs. So are there any future plans for
looking up IPs in URLs?

--Chris

Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Dirk Bonengel <di...@bonengel.de>.
No,

but the surbl/uribl backoffice does, and, yes, thinking of it they're
overdoing it:
The phish IP you mentioned was 219.144.194.158
In the zone files it's in reverse notation
extract of multi.surbl.org.rbldnsd (zone file for the rbldnsd I host):

158.194.144.219 :127.0.0.12:Blocked, 158.194.144.219 on lists [ws][ph], 
See: http://www.surbl.org/lists.html
and also
2.0.0.127       :2:multi.surbl.org permanent test point

but just as you can't look up 127.0.0.2.multi.surbl.org you'll fail with
219.144.194.158.
So SURBL has to remove the reverse notation thing in their zonefiles.

wolfgang wrote:

>In an older episode (Thursday, 11. August 2005 22:46), Dirk Bonengel wrote:
>
>>Well, the IP is listed OK, but one needs to do reverse queries:
>>
>>dig 158.194.144.219.multi.surbl.org
>>gives
>>158.194.144.219.multi.surbl.org. 1850 IN A      127.0.0.12
>>which sounds good to me.
>
>But the uribl plugin doesn't reverse queries, does it?
>
>cheers,
>
>wolfgang
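
The lookup mismatch Dirk describes, worked through as an added example (this is not code from the thread, from SpamAssassin or from rbldnsd): it parses the two rbldnsd zone lines quoted above plus a constructed line for ealz.com, builds the reversed-octet label the SURBL zone expects for an IPv4 host, and shows that the forward label the plugin sent misses. The bit-to-list mapping is the bitmask SURBL documented for multi.surbl.org, assumed here; the two answers on this page, 12 ([ws][ph]) and 86 (WS, JP, OB, SC), agree with it.

```python
import ipaddress
from typing import Dict, List, Optional

# Zone extract quoted in the thread (rbldnsd dnset format: "label :A-value:TXT").
# The ealz.com line is constructed from the 127.0.0.86 answer in the debug output.
# A bare number as the A value is rbldnsd shorthand for 127.0.0.N.
ZONE_TEXT = """\
158.194.144.219 :127.0.0.12:Blocked, 158.194.144.219 on lists [ws][ph], See: http://www.surbl.org/lists.html
2.0.0.127       :2:multi.surbl.org permanent test point
ealz.com        :127.0.0.86:Blocked, see http://www.surbl.org/lists.html
"""

# multi.surbl.org bitmask: SURBL's documented values, assumed here.
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}


def parse_zone(text: str) -> Dict[str, str]:
    """Map each zone label (as served under multi.surbl.org) to its A record."""
    zone: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        label, _, rest = line.partition(":")          # "label " / "A:TXT"
        value = rest.split(":", 1)[0].strip()
        if value.isdigit():                           # ":2:" means 127.0.0.2
            value = "127.0.0." + value
        zone[label.strip().lower()] = value
    return zone


def lookup_label(host: str, reverse_ips: bool = True) -> str:
    """Label to query under the list zone. The SURBL zone keys IPv4 addresses in
    reversed octet order, so an IP taken from a URI must be reversed before the
    lookup; plain domains are used as-is. reverse_ips=False reproduces the forward
    query the thread's plugin sent, which the zone cannot match."""
    try:
        octets = ipaddress.IPv4Address(host).exploded.split(".")
    except ipaddress.AddressValueError:
        return host.lower().rstrip(".")
    return ".".join(reversed(octets)) if reverse_ips else host


def decode_lists(a_record: str) -> List[str]:
    """Turn a 127.0.0.N answer into the names of the sub-lists its bits encode."""
    bits = int(a_record.rsplit(".", 1)[1])
    return [name for bit, name in sorted(SURBL_BITS.items()) if bits & bit]


def check_uri_host(host: str, zone: Dict[str, str], reverse_ips: bool = True) -> Optional[List[str]]:
    """None when the host is not listed, otherwise the sub-lists that hit."""
    a_record = zone.get(lookup_label(host, reverse_ips))
    return None if a_record is None else decode_lists(a_record)
```

Calling check_uri_host("219.144.194.158", parse_zone(ZONE_TEXT)) returns ['ws', 'ph'], while the same call with reverse_ips=False returns None, which is the miss the debug output shows.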


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by wolfgang <me...@gmx.net>.
In an older episode (Thursday, 11. August 2005 22:46), Dirk Bonengel wrote:
> Well, the IP is listed OK, but one needs to do reverse queries:
> 
> dig 158.194.144.219.multi.surbl.org
> gives
> 158.194.144.219.multi.surbl.org. 1850 IN A      127.0.0.12
> which sounds good to me.

But the uribl plugin doesn't reverse queries, does it?

cheers,

wolfgang


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Dirk Bonengel <di...@bonengel.de>.
Well, the IP is listed OK, but one needs to do reverse queries:

dig 158.194.144.219.multi.surbl.org
gives
158.194.144.219.multi.surbl.org. 1850 IN A      127.0.0.12
which sounds good to me.

Dirk

Chris Santerre wrote:

>>-----Original Message-----
>>From: wolfgang [mailto:mewolf1@gmx.net]
>>Sent: Thursday, August 11, 2005 2:56 PM
>>To: users@spamassassin.apache.org
>>Subject: Re: Phishing IP listed in URIBL and SURBL, but not triggering
>>URI rules
>>
>>
>>In an older episode (Thursday, 11. August 2005 12:31), Jeff 
>>Chan wrote:
>>>On Tuesday, August 9, 2005, 11:52:47 PM, wolfgang wolfgang wrote:
>>>>the IP
>>>>219 dot 144 dot 194 dot 158
>>>>is shown as listed by 
>>http://www.rulesemporium.com/cgi-bin/uribl.cgi - a 
>>>>phishing mail with
>>>>
>>http://219dot144dot194dot158:8081/secure.dresdner-privat.de/fb
>>/privat/login/login.htm
>>>>in its body does not trigger any uribl rules tho. Why is that so?
>>>What happens if you give the message to SpamAssassin in debug
>>>mode:
>>>
>>>  spamassassin -D < message
>>>
>>I doubt that all the output is important. After running
>> echo -e "Subject: 
>>test\\n\\nhttp://219.144.194.158"|spamassassin -D -t > 
>>uribl.out 2>&1
>>and then
>>grep -i URI uribl.out 
>>I get:
>>debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
>>debug: config: read file /usr/share/spamassassin/25_uribl.cf
>>debug: config: read file /etc/spamassassin/uribl_jp.cf
>>debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
>>debug: plugin: registered 
>>Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410)
>>debug: plugin: 
>>Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
>>'parse_config'
>>debug: plugin: 
>>Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
>>'parsed_metadata'
>>debug: uri found: http://219.144.194.158
>>debug: URIDNSBL: domains to query: 219.144.194.158
>>debug: running uri tests; score so far=-3.181
>>debug: registering glue method for check_uridnsbl 
>>(Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410))
>>debug: plugin: 
>>Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
>>'check_tick'
>>debug: URIDNSBL: query for 219.144.194.158 took 3 seconds to look up 
>>(sbl.spamhaus.org.:158.194.144.219)
>>debug: URIDNSBL: queries completed: 1 started: 0
>>debug: URIDNSBL: queries active:  at Thu Aug 11 20:42:10 2005
>>debug: plugin: 
>>Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8581410) implements 
>>'check_post_dnsbl'
>>debug: running uri tests; score so far=0.61
>>debug: running uri tests; score so far=0.61
>>debug: uri found: http://219.144.194.158
>> 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP 
>>address in URL
>>
>>when I do the same with http://ealzDOTcom instead, I get far
>>more output,
>>including:
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_WS_SURBL): 127.0.0.86
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_JP_SURBL): 127.0.0.86
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_OB_SURBL): 127.0.0.86
>>debug: URIDNSBL: domain "ealz.com" listed (URIBL_SC_SURBL): 127.0.0.86
>>
>>WS is one of the uribl's where 219.144.194.158 is listed, so 
>>at least WS 
>>should have returned a "listed" for that IP too, shouldn't it?
>>
>>In an older episode (Thursday, 11. August 2005 18:36), Theo 
>>Van Dinter wrote:
>>>Unless I'm missing something obvious, the URIBL plugin 
>>doesn't check IPs,
>>>only domains.  (At least I don't see where it 
>>differentiates and checks 
>>IPs.)
>>
>>Theo, I get the impression that you are right about that.
>
>Well, URIBL lists the phish and evil IPs. So are there any future plans for
>looking up IPs in URLs?
>
>--Chris


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Magnus Holmgren <ho...@lysator.liu.se>.
Greg Allen wrote:
> This is a very, very dangerous road to go down. You would see a lot of
> collateral damage by doing a URIBL by IP. A lot of domain hosts these days
> use shared IPs. I could host any number of legit websites on one virtual
> IP…and I do. I share IPs with any number of other websites at the web
> hosting companies where I have websites. There is nothing wrong with this
> practice. It is commonplace on the Internet and is very cost effective. I
> don’t want other people's spam baggage thank you. It would be much better
> to stick with URIBLs by name and let RBLs do the IP lookups like we
> already do.

OTOH: How often would you send a URI with the IP address of a
multi-domain-serving webserver in a legit mail? You'd have to use a
domain name to get to the right website. So, looking up IP addresses in
URIs, which I think is what Chris meant, shouldn't be too dangerous.
Looking up the address of each domain found and filtering on it would be
bad, however.

-- 
Magnus Holmgren
holmgren@lysator.liu.se


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Dirk Bonengel <di...@bonengel.de>.
Greg,

given you speak of name-based virtual hosts, your concerns do not apply.
You'd not be affected if the IP of one of your web servers were
listed in a URIBL list. The plugin does not resolve the IP of a URL.
The only thing that matters is the actual domain. The case in question
here is special only in that there is only the IP given as a type of
surrogate domain name.


Dirk
wolfgang wrote:

>In an older episode (Thursday, 11. August 2005 22:58), Greg Allen wrote:
>
>>This is a very, very dangerous road to go down. You would see a lot of
>>collateral damage by doing a URIBL by IP. A lot of domain hosts these days
>>use shared IPs. I could host any number of legit websites on one virtual
>>IP…and I do. I share IPs with any number of other websites at the web
>>hosting companies where I have websites. There is nothing wrong with this
>>practice. It is commonplace on the Internet and is very cost effective. I
>>don't want other people's spam baggage thank you. It would be much better
>>to stick with URIBLs by name and let RBLs do the IP lookups like we
>>already do.
>
>Good point, thanks! I hadn't thought of that.
>
>cheers,
>
>wolfgang


Re: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by wolfgang <me...@gmx.net>.
In an older episode (Thursday, 11. August 2005 22:58), Greg Allen wrote:
> This is a very, very dangerous road to go down. You would see a lot of
> collateral damage by doing a URIBL by IP. A lot of domain hosts these days
> use shared IPs. I could host any number of legit websites on one virtual
> IP…and I do. I share IPs with any number of other websites at the web
> hosting companies where I have websites. There is nothing wrong with this
> practice. It is commonplace on the Internet and is very cost effective. I
> don't want other people's spam baggage thank you. It would be much better
> to stick with URIBLs by name and let RBLs do the IP lookups like we
> already do.

Good point, thanks! I hadn't thought of that.

cheers,

wolfgang


RE: Phishing IP listed in URIBL and SURBL, but not triggering URI rules

Posted by Greg Allen <sa...@floridacpu.com>.
This is a very, very dangerous road to go down. You would see a lot of
collateral damage by doing a URIBL by IP. A lot of domain hosts these days
use shared IPs. I could host any number of legit websites on one virtual
IP…and I do. I share IPs with any number of other websites at the web
hosting companies where I have websites. There is nothing wrong with this
practice. It is commonplace on the Internet and is very cost effective. I
don’t want other people's spam baggage thank you. It would be much better
to stick with URIBLs by name and let RBLs do the IP lookups like we
already do.
>
> Well, URIBL lists the phish and evil IPs. So are there any future plans for
> looking up IPs in URLs?
>
> --Chris
>