Isn’t the “fix” simple? In URIBL checking, test if you are querying SURBL or DBL and if so do not shorten the host name.
> On Aug 12, 2015, at 5:16 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> A possible tweak may be writing an ASSP module to deal with SURBL
>
> First I had the same nice idea. But this is very complicated because of
> two things.
>
> 1. as a level 1 plugin (after SMTP handshake, after DATA) it gets no mail
> data - as a level 2 plugin (complete mail), the plugin would cause assp
> to queue the complete mail, even if it is not necessary for checking URIs in
> 'maxBytes'
>
> 2. the OCR plugin forces a URIBL check for the extracted data - in this case
> this would force a call from a plugin to a plugin. The plugins and the
> assp.pl plugin check code do not support recursion. This would break too
> many things.
>
> There is another issue I have to deal with. At this time URIs to check
> must have an IP as host part or a hostname which ends with a TLD of a valid
> level (1,2,3).
> Yes - cracked DNS will currently bypass the URIBL check in assp (in case
> the local DNS server is hacked - nothing will ever help).
> But removing the TLD check will cause assp to collect and check all the
> possible (looks like URI) parts in the header lines (most of them are
> useless). Also several misspelled parts of the mail text will be detected
> as a URI - like 'This is a test.But this is another test' - here
> 'test.But' looks like a hostname (ignoring TLD), because the space after
> the dot is missing.
> OK - there is no link behind the possible host name. But it is common to
> make such a nonsense hostname look like a link - with the hint: "use
> this link, if does not work copy and paste it into your browser". Or
> another example:
> ... this.is.a.cracked.dns ...
> Now the spammer makes a valid link behind the URI, like 'maps.google.com',
> which will fail because the ISP-DNS is hacked - but it looks innocent
> for everyone - now the hint 'use this ....'.
> It can be possible that assp reached the count limit of URIs, because
> TLD is ignored, before this dangerous part.
>
> My question is: Can we assume that we will get correct answers for our
> URIBL DNS-queries, if a local or ISP DNS-server is hacked? - IMHO, NO!
>
> The only way to step into such a trap is if the DNS-servers of the
> domain, where a URI points to, are hacked.
> Is it worth the effort to deal with such rare cases? Where the effort is
> querying 500%-1000% of the current URIs nearly completely in vain - not
> to forget the coding and testing.
>
> Thomas
>
>
> From: grayhat <gray...@gmx.net>
> To: assp-test@lists.sourceforge.net
> Date: 12.08.2015 09:29
> Subject: Re: [Assp-test] SURBL changes
>
> It was Tue, 11 Aug 2015 08:47:55 +0200 when
> Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> Thank you for the information -Tom. At this time I'm unable to use
>> these very nice new features of SURBL in assp. Implementing them in
>> the current URIBL-code, will make the code too complex.
>> The current code has to be redesigned, or a new code and logic must
>> be written for SURBL.
>> I'll put it on the TODO list.
>
> A possible tweak may be writing an ASSP module to deal with SURBL

------------------------------------------------------------------------------
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
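
The two checks discussed in this thread (the valid-TLD filter on URI candidates, and shortening the host name for some lists but not for SURBL or DBL), as an added example that is not ASSP code and not from any poster. Assumptions: the suffix table is a constructed stub, the three zones are simply example list zones with a hypothetical keep-full-host flag, and all function names are hypothetical.

```python
import re

# Constructed stub (assumption): a real filter loads the full list of
# valid level-1/2/3 TLDs instead of this handful.
VALID_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Assumption: which zones are configured. True = query the full host name
# (the SURBL/DBL case from the reply), False = query the shortened domain.
ZONES = {
    "multi.surbl.org": True,
    "dbl.spamhaus.org": True,
    "multi.uribl.com": False,
}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample text built from the examples quoted in the thread.
SAMPLE = ("This is a test.But this is another test ... this.is.a.cracked.dns ... "
          "http://maps.google.com/x and login.shop.example.co.uk today")


def registered_domain(host):
    """Return valid suffix plus one label, or None if no valid TLD matches."""
    labels = host.lower().split(".")
    for n in (3, 2, 1):  # try the longest suffix level first
        if len(labels) > n and ".".join(labels[-n:]) in VALID_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def candidate_hosts(text, limit=10):
    """Collect host names that pass the TLD check, up to the count limit."""
    hosts = []
    for match in HOST_RE.finditer(text):
        host = match.group(1).lower()
        # 'test.But' and 'this.is.a.cracked.dns' are dropped here, so they
        # never consume a slot of the count limit.
        if registered_domain(host) and host not in hosts:
            hosts.append(host)
        if len(hosts) >= limit:
            break
    return hosts


def query_names(host):
    """Build one DNS query name per zone, shortening only where configured."""
    short = registered_domain(host)
    return [f"{host if keep_full else short}.{zone}"
            for zone, keep_full in ZONES.items()]
```
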