How to verify URIBL_SBL blocklist entry?

Matt Kettler mkettler at EVI-INC.COM
Wed Jan 26 22:37:15 GMT 2005


At 05:15 PM 1/26/2005, Fractal IT Dept. wrote:

>We have a client complaining that an email has been incorrectly tagged as
>spam. One of the "violations" was that the sender's email address is
>showing as appearing in the URIBL_SBL which my client insists is extremely
>unlikely. Any idea how I can manually check via a web page or something
>whether their URL is indeed in the URIBL_SBL?

First, URIBL_SBL won't have anything to do with the sender's email address,
or their mailserver IP.

That's a URI blacklist, thus only has anything to do with URIs (more or
less the same as a URL in this discussion).

Thus you need to look at all the weblinks in the body of the email. No part
of the headers is relevant. Only body, and only something that might look
like a web link to SA's parser.

In the case of uribl_sbl it's a little less direct than just trying to use
openrbl or something similar, because how this test is implemented is tricky.

First, take the target domain, and find its nameserver:

$ dig ns example.com

Next, resolve the nameserver to an IP:

$ host ns1.example.com

Now take that, and go to openrbl and check to see if THAT is listed in SBL
(or do it yourself by reversing the IP).


A real example with a real spamvertized domain, zoldor.com:
-------------------------------------

$ dig ns zoldor.com

; <<>> DiG 9.2.1 <<>> ns zoldor.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64281
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zoldor.com.                    IN      NS

;; ANSWER SECTION:
zoldor.com.             86379   IN      NS      ns1.msmdns.com.
zoldor.com.             86379   IN      NS      ns2.msmdns.com.


$ host ns1.msmdns.com
ns1.msmdns.com has address 209.237.253.171

$ dig txt 171.253.237.209.sbl.spamhaus.org

; <<>> DiG 9.2.1 <<>> txt 171.253.237.209.sbl.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 17, ADDITIONAL: 7

;; QUESTION SECTION:
;171.253.237.209.sbl.spamhaus.org. IN   TXT

;; ANSWER SECTION:
171.253.237.209.sbl.spamhaus.org. 7200 IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL16022"
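
Added example (not part of the original post): the manual steps above, scripted so that every nameserver of the linked domain is checked rather than just one. The function names are hypothetical, and the handling of `127.255.255.x` answers reflects Spamhaus's documented error codes, which the post does not mention.

```shell
#!/bin/sh
# Added example: manual URIBL_SBL-style check (domain -> NS -> A -> SBL lookup).
# Function names are illustrative. Uses only `dig +short`.
# Assumption: queries go through your own resolver; Spamhaus answers queries
# relayed by public/open resolvers with an error code instead of real data.

# Reverse a dotted-quad IPv4 address and append the SBL zone.
sbl_qname() {
    echo "$1" | awk -F. 'NF==4 && $0 ~ /^[0-9.]+$/ {
        print $4"."$3"."$2"."$1".sbl.spamhaus.org" }'
}

# Classify the A record returned for an SBL query name.
sbl_verdict() {
    case "$1" in
        "")            echo "not-listed" ;;   # NXDOMAIN / empty answer
        127.255.255.*) echo "query-error" ;;  # Spamhaus error code, not a listing
        127.0.0.*)     echo "listed" ;;
        *)             echo "unexpected" ;;
    esac
}

# Print one line per nameserver IP: "<ns> <ip> <verdict> [<txt record>]".
# Returns 0 if any nameserver IP is listed, 1 otherwise.
uribl_sbl_check() {
    domain=$1
    hit=1
    for ns in $(dig +short NS "$domain"); do
        for ip in $(dig +short A "$ns"); do
            q=$(sbl_qname "$ip")
            [ -n "$q" ] || continue           # skip CNAME targets and other non-IPv4 lines
            a=$(dig +short A "$q" | head -n 1)
            v=$(sbl_verdict "$a")
            txt=""
            if [ "$v" = "listed" ]; then
                hit=0
                txt=$(dig +short TXT "$q" | head -n 1)  # pointer to the SBL record
            fi
            echo "${ns%.} $ip $v${txt:+ $txt}"
        done
    done
    return $hit
}

# Usage: uribl_sbl_check zoldor.com
```

A `query-error` line means the lookup itself was refused or malformed, so it says nothing about whether the nameserver is listed.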
