On 10/18/2016 6:21 PM, Alex wrote:
Hi,

I've collected a bunch of URIs that I'd like to incorporate into my
rulebase. I know how to create a DNSBL, but I don't specifically know
how to create a URIBL. Can I use rbldnsd for this? Or would I have to
extract the IP or hostname from the URL, then also use a bunch of uri
rules? If so, is there a way of automating this, given a list of URIs?

For example, I have URIs like:

http://109.73.134.241/dgq01px
http://51steel1.org/s4b5ztgcx
http://amessofblues1.com/m0dqfx

I'm also then not sure which of the uri* rule definitions should be used.
I've used urirhsbl before for a local host blocklist, but now after
reading the man page again for the first time in a while, I'm not even
sure that's correct.

I'm also unclear about rbldnsd config for dnset, where hostnames would
be used. Here is my current command-line:

/usr/sbin/rbldnsd -n -srbldnsd.stats -r/var/lib/rbldnsd -f -n -b 66.123.123.106/53 uri.example.com:dnset:urilist

My urilist file looks like this:

:127.0.0.2:Blocked System: http://example.com/bl?$
$NS 1w uri.example.com
$SOA 1w uri.example.com admin.uri.example.com 0 2h 2h 1w 1h
@ A 66.123.123.106
@ MX 10 uri.example.com
@ TXT "example hostname blocklist"
25z5g623wpqpdwis.onion1.to:127.0.0.2:Blocked System, Last-Attack: 1476825181
27lelchgcvs2wpm7.3lhjyx1.top:127.0.0.2:Blocked System, Last-Attack: 1476825181
27lelchgcvs2wpm7.7jiff71.top:127.0.0.2:Blocked System, Last-Attack: 1476825181

Using the following (and variations, including dig +short) fails with NXDOMAIN:
# host 25z5g623wpqpdwis.onion1.to.uri.example.com 66.123.123.106

Can someone show me an example zone file using the dnset option?

I'm guessing my first attempt at this message being received by the
list was due to the domain samples I've included, so they've been
modified.

Any ideas greatly appreciated.
Thanks,
Alex

rbldnsd is still suitable for this, as the DNS lookups are fundamentally just mapping strings to IPs. Getting too deep into it is outside SA's scope, but the only real difference between an IP rbl and a domain rbl is that IP rbls tend to reverse the IP so the most significant octet is the most significant subdomain.

On the rules side of things, there are multiple different ways to write uri rules that match against a DNS lookup. Some of them are looking for nxdomain vs anything else, some of them can look for particular IPs, etc. Just look for the existing RBL that's most similar to what you are looking to create.
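Added example, not part of either message: a sketch of automating the step asked about in the question, turning a list of URIs into blocklist entries and the DNS names a client would look up. IPv4 octets are reversed as the reply describes. The function names are hypothetical, the zone name is the one from the question's command line, and no reduction of hostnames to their registered domain is attempted.

```python
import ipaddress
from urllib.parse import urlsplit

ZONE = "uri.example.com"  # zone name from the question's rbldnsd command line

# Sample input: the three (already modified) URIs from the question,
# plus one constructed duplicate host to show deduplication.
SAMPLE = [
    "http://109.73.134.241/dgq01px",
    "http://51steel1.org/s4b5ztgcx",
    "http://amessofblues1.com/m0dqfx",
    "http://AMESSOFBLUES1.com/other",  # constructed
]

def host_of(uri):
    """Return the lowercased host part of a URI, or None if it has none."""
    host = urlsplit(uri.strip()).hostname
    return host.rstrip(".") if host else None

def is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def query_name(host, zone=ZONE):
    """DNS name to look up: IPv4 octets reversed, hostnames used as-is."""
    if is_ipv4(host):
        host = ".".join(reversed(host.split(".")))
    return f"{host}.{zone}"

def split_entries(uris):
    """Deduplicate hosts and split them into (IPv4 list, hostname list)."""
    ips, names = set(), set()
    for uri in uris:
        host = host_of(uri)
        if host is None:
            continue  # line was not a URI with a host part
        (ips if is_ipv4(host) else names).add(host)
    return sorted(ips), sorted(names)

if __name__ == "__main__":
    ips, names = split_entries(SAMPLE)
    for host in ips + names:
        print(f"{host:20} -> {query_name(host)}")
```

The two returned lists keep IP addresses and hostnames apart, so each can be written to its own data file.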
