On Wed, Sep 18, 2019 at 09:19:17AM +0000, Riccardo Alfieri wrote:
> On 17/09/19 20:54, Amir Caspi wrote:
>
> >Based on https://feodotracker.abuse.ch/mitigate/, it looks like both
> >Spamhaus DBL and SURBL are fed by URLhaus. Spamhaus returns 127.0.1.105
> >for URLs fed from URLhaus. Doesn't SA already handle this, then, for URLs
> >it processes, since it uses the DBL?
> >
> >I know Riccardo sent an email about a new plugin for SA, but I don't know
> >if it's yet implemented in release... but maybe that's not required since
> >the DBL doesn't require DQS.
>
>
> You are correct, URLhaus domains enter DBL as abused legit malware, but the
> default SA score is not enough to mark the email as spam (and that's correct
> as it checks only the domain).
>
> The recommended way would be to use Clamav signatures, or, if you really
> can't, create uri rules based on https://urlhaus.abuse.ch/downloads/csv/

SA 3.4.3 will have the HashBL check_hashbl_uris eval function. One can then generate a local sha1'd rbldnsd list and use it.
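
Added example, not part of the original message and not SpamAssassin or URLhaus code: one way to turn a URLhaus CSV dump into a local SHA-1 list for rbldnsd. It assumes the lookup key is the hex SHA-1 of the lowercased URL, that the URL and status are the third and fourth CSV fields, and that the list is served as an rbldnsd `dnset` with a leading `:A:TXT` default line; the sample rows, hosts and the function names are constructed.

```python
import csv
import hashlib
import io

# Constructed sample in the assumed layout of the URLhaus CSV dump:
# comment lines start with '#', fields are quoted, the URL is field 3.
SAMPLE_CSV = '''\
# id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter
"1","2019-09-18 08:00:00","http://malware.example.invalid/Invoice.DOC","online","malware_download","doc","https://urlhaus.abuse.ch/url/1/","constructed"
"2","2019-09-18 08:05:00","http://files.example.invalid/a.exe","offline","malware_download","exe","https://urlhaus.abuse.ch/url/2/","constructed"
"3","2019-09-18 08:06:00","HTTP://malware.example.invalid/invoice.doc","online","malware_download","doc","https://urlhaus.abuse.ch/url/3/","constructed"
'''

def url_label(url, keep_case=False):
    """Hex SHA-1 of the URL, lowercased first unless keep_case is set.
    Assumption: this matches the key the eval function looks up."""
    if not keep_case:
        url = url.lower()
    return hashlib.sha1(url.encode("utf-8")).hexdigest()

def build_dnset(csv_text, online_only=True, value="127.0.0.2"):
    """Return rbldnsd dnset lines: a default-value line, then one label per URL."""
    rows = csv.reader(line for line in io.StringIO(csv_text)
                      if line.strip() and not line.startswith("#"))
    labels = set()  # de-duplicates URLs that differ only in case
    for row in rows:
        if len(row) < 4:
            continue  # skip truncated or malformed rows
        url, status = row[2].strip(), row[3].strip()
        if online_only and status != "online":
            continue  # optionally list only URLs still serving payloads
        labels.add(url_label(url))
    return [":%s:Listed in local URLhaus hash list" % value] + sorted(labels)

if __name__ == "__main__":
    print("\n".join(build_dnset(SAMPLE_CSV)))
```
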