Using the SBL and XBL against spamvertized URLs

2008-06-27 13:55:00 GMT, by Vincent Hanna

A lot of people use our SBL and XBL lists to guard their mail infrastructure against the incoming floods of spam. While we encourage all SBL-XBL users to switch to ZEN for checking the connecting IP, the SBL-XBL combination still has a very powerful but lesser-known application: checking spamvertized URLs in the message content.

While spam-emitting bots move around at a high pace, most websites mentioned in spam are a lot easier to pin down, because not many networks are willing to host them. You will find that the majority of the IP addresses that host spamvertized websites (or provide DNS for them) are listed in the SBL. So if a mail is sent from an infected machine that is not yet listed, you can still check whether the spamvertized URL is hosted on, or gets DNS service from, an SBL-listed IP address. The same goes for spamvertized domains that are not yet on URL-based blacklists like SURBL: if they're hosted on SBL-listed IP addresses, you can safely assume it's spam.

If you plan to do this, please make sure that you use only the SBL or the SBL-XBL combination. Checking website addresses against ZEN might produce false positives, because some legitimate websites are hosted on PBL-listed addresses, and the PBL is included in ZEN. Why? Simply because the PBL policy states that no mail will be emitted from those addresses. That does not mean that those IP addresses should not run web or DNS servers. So it's best to use the SBL or the SBL-XBL combination for this.

Adding XBL is particularly interesting here because it catches fast-flux hosted websites. Our users report very good results in catching fast-flux hosted URLs when adding XBL to the URL checks.
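The check described above, as an added Python example that is not Spamhaus code: it extracts URL hosts from a message body, resolves them (and, through a caller-supplied hook, their nameservers), and queries each IPv4 address against `sbl-xbl.spamhaus.org` rather than ZEN. Assumptions not taken from this article: the return-code ranges (127.0.0.2-3 for SBL, 127.0.0.4-7 for XBL, 127.255.255.x for query errors), the function names, and the `ns_lookup` hook.

```python
import ipaddress
import re
import socket
ZONE = "sbl-xbl.spamhaus.org"  # SBL+XBL only; ZEN would also include PBL
HOST_RE = re.compile(r"https?://(?:[^\s/@]*@)?([a-z0-9.-]+)", re.I)

def stdlib_a_lookup(name):
    """IPv4 addresses for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(answers):
    """Map DNSBL answers to list names (code ranges are not from the article)."""
    hits = set()
    for addr in answers:
        last = int(addr.rsplit(".", 1)[1])
        if addr.startswith("127.255.255."):
            hits.add("ERROR")  # query refused or rate-limited, not a listing
        elif addr.startswith("127.0.0.") and 2 <= last <= 7:
            hits.add("SBL" if last <= 3 else "XBL")  # .2-.3 SBL, .4-.7 XBL
    return hits

def check_ip(ip, a_lookup=stdlib_a_lookup):
    """Query ZONE for one IPv4 address: reversed octets, then the zone."""
    return classify(a_lookup(".".join(reversed(ip.split("."))) + "." + ZONE))

def check_urls(body, a_lookup=stdlib_a_lookup, ns_lookup=lambda host: []):
    """Return {host: {ip: lists}}; ns_lookup is a hypothetical NS-record hook."""
    report = {}
    for host in HOST_RE.findall(body):
        host = host.lower().strip(".")
        if not host or host in report:
            continue
        try:  # URL that uses a literal IPv4 address
            ips = [str(ipaddress.IPv4Address(host))]
        except ValueError:
            ips = list(a_lookup(host))
            for ns in ns_lookup(host):  # also check where DNS is served from
                ips += a_lookup(ns)
        found = {ip: check_ip(ip, a_lookup) for ip in ips}
        report[host] = {ip: lists for ip, lists in found.items() if lists}
    return report

def listed_hosts(report):
    """Hosts with a real SBL or XBL listing; ERROR answers never count."""
    return sorted(h for h, ips in report.items()
                  if any(v & {"SBL", "XBL"} for v in ips.values()))
```

An `ERROR` answer means the DNSBL query itself was refused, so score on `listed_hosts()` only and alert on errors separately.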

Lots of spam filtering software already has the ability to check spamvertized URLs against our lists. SpamAssassin and its URI_SBL rule (Aug 2008: rule now called URIBL_SBLXBL) are widely used for this, as is SpamBouncer. Also see our page on Effective Spam Filtering and our FAQ on DNSBL Usage.

Article Information

Permanent link to this news article:
Using the SBL and XBL against spamvertized URLs
http://www.spamhaus.org/news/article/633/using-the-sbl-and-xbl-against-spamvertized-urls

Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2014 The Spamhaus Project Ltd. All rights reserved.