URL Blacklisting On MailEnable Standard

Discussion regarding the Standard version.
tim299
Posts: 1
Joined: Fri Aug 09, 2013 3:08 am

Re: URL Blacklisting On MailEnable Standard

Post by tim299 »

This still doesn't work, even in the Pro version. I want to use the very powerful dbl.spamhaus.org but can't because ME does not send URL/domains for checking against the list, but lists it as a feature.

mcbsys
Posts: 36
Joined: Wed Jan 04, 2006 10:19 pm

Re: URL Blacklisting On MailEnable Standard

Post by mcbsys »

Works for me on ME Standard 4.3.

We're getting spam containing links to "spammer.com" (changed here for safety).

I confirmed that this is listed with Barracuda Central (but not Spamcop or Spamhaus).

I registered at www.barracudacentral.org. If you don't give them the IP address from which queries originate, it will appear to work but it won't actually tell you that a spam domain is listed.

As they suggest on their BRBL > How to Use page, I tested from a command prompt:

nslookup com.spammer.b.barracudacentral.org

It's listed. Within five minutes of turning on the Barracuda URL DNS filter (and restarting the SMTP service), I saw this in the MailEnable debug log:

10/04/13 13:43:44    ME-I0101: [612] Local Delivery: Address ([SMTP:user01@mydomain.com]) is local.
10/04/13 13:43:45    ME-I0149: [612] B1EDE093A5E44E1AB5D75364EF049FF6.MAI was received successfully and delivery thread was initiated
10/04/13 13:43:45    Message B1EDE093A5E44E1AB5D75364EF049FF6.MAI has link to blacklisted IP. wwwi.spammer.com (216.21.220.72) was found in blacklist Barracuda Reputation Block List
10/04/13 13:43:45    ME-F0xxx: Inbound message detected as spam and deleted.
10/04/13 13:43:45    ME-I0074: [612] (Debug) End of conversation
And, in fact, the email did not make it to the user's inbox.

The one thing I wasn't clear on: the UI makes it sound like the mail will be rejected in real time, whereas from the logs, it looks like the mail is accepted, tested, and then deleted if it contains a known spammer's URL. Is that correct?

Mark Berry
MCB Systems

telecomputers
Posts: 48
Joined: Sat Dec 04, 2004 3:59 pm

Re: URL Blacklisting On MailEnable Standard

Post by telecomputers »

I hate to open this thread back up again - BUT...

I just installed the upgrade --> Version 8. Everything looks great as usual.
Can anyone tell me if the "URL Lookup" discussed here - now works correctly and can do URL lookups through SURBL lists of URL names?
Or is this still looking up IP Addresses (which is pretty much useless)?

Thanks in advance.
j@mes

MEpro 10.20
JAM Software - SpamAssassin in a Box

mcbsys
Posts: 36
Joined: Wed Jan 04, 2006 10:19 pm

Re: URL Blacklisting On MailEnable Standard

Post by mcbsys »

Still working for me with 7.55 Standard. Lots of lines like this in the debug logs:

12/18/13 15:22:49	Message 20091BD8420742EDB9DDBC5BED4ED4B1.MAI has link to blacklisted IP. wwwi.spammer.com (216.221.220.72) was found in blacklist Barracuda Reputation Block List
Not sure whether ME is doing the DNS resolution and checking the IP against Barracuda, or whether it is directly passing the domain to Barracuda. Don't see that it matters if it works.

Mark Berry
MCB Systems

telecomputers
Posts: 48
Joined: Sat Dec 04, 2004 3:59 pm

Re: URL Blacklisting On MailEnable Standard

Post by telecomputers »

Doesn't anyone read more than the last thread in these posts?

Yes, the DNS blacklisting part is working - Barracuda Reputation Block List is an IP based block list - works fine. Underneath it in the SMTP Properties settings area is a place claiming to do URL Blacklisting. URL would be domain name look ups NOT IP look ups. The Domain Name/URL in a spam email is the payload!

If you look into SURBL/URIBL you will see it is a way to filter the email messages by text - it looks for the payload URL - the domain name of the web site the spammer is trying to promote - A true URL look up would compare that URL against a list of known spammer URL domain names. If it matches then the email is flagged. We were told that in a future version it would work properly. I am asking to see if it has been FIXED in Version 8.

What the ME URL look up was doing (and may still be doing as far as I can tell) was looking up the domain name URL as text - then looking up the IP address of that domain name and blocking the IP. What spammer sends the spam email from the web site server they are promoting? What TRUE URL look up does is match the URL with a text list of banned URLs. Therein blocking by the payload. The absolute best way to block spam!

These lists are multi.surbl.org and multi.uribl.com - in the ME documentation and pre-sales marketing information it specifically implies that these are used for this URL look up. They are not as they do not contain IP addresses. The really sad part is that all ME needs to do is take out one part of the script - they already have searched for the URL as text - BUT instead of searching for the matching URL text in these text lists they instead find the URL IP address and search for that in a list of IPs.

Could someone who knows about this from ME kindly post to say if this is ever going to happen and if so a time frame please.
j@mes

MEpro 10.20
JAM Software - SpamAssassin in a Box

mcbsys
Posts: 36
Joined: Wed Jan 04, 2006 10:19 pm

Re: URL Blacklisting On MailEnable Standard

Post by mcbsys »

FWIW I am not using DNS Blacklisting. In the lower half of that dialog, I have checked Enable URL Blacklisting. Then I selected Barracuda Reputation Blacklisting.

> What the ME URL look up was doing (and may still be doing as far as I can tell) was looking up the domain name URL as text - then looking up the IP address of that domain name and blocking the IP.

My impression of what it is doing is isolating links in the body of the emails (not what the user sees but the actual hyperlink), doing DNS resolution of the link, then looking up the IP in Barracuda. If it matches, that email is blocked. It has nothing to do with the IP of the sending server. In other words, if the email contains hyperlinks that resolve to reported bad sites, the email doesn't get through. I guess this is a hybrid approach: it _is_ scraping the message body for URLs, but it is resolving those URLs and using IP-based lookup.

It seems the weakness here is that Barracuda may not be designed to list what you call "payload" sites, but focuses more on sending servers. However it is helping us to block spam that a cloud-based RBL filter was not stopping.

I see that in the Configure Blacklists dialog, the only kind of Lookup Type is "DNSBL (IP) blacklist lookup". So that would seem to exclude the true SURBL lookups that you are asking for.
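
Added example, not part of any post in this thread and not MailEnable's code: a Python sketch contrasting the two lookup styles debated above, the DNSBL (IP) query built from a link's resolved address and the SURBL/URIBL-style query built from the link's domain name. The resolver, sample message, hostnames and listings are constructed, IPv4 is assumed, and reducing a host to its last two labels is a simplification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def link_hosts(body):
    """Hostnames of the real hyperlink targets (href), not the visible link text."""
    hosts = []
    for url in HREF_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def ip_query(ip, zone):
    """DNSBL (IP) style: reversed IPv4 octets in front of the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def domain_query(host, zone):
    """URI-blocklist style: the domain name itself in front of the zone.
    Simplification: keep the last two labels; real clients use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) + "." + zone

def listed(name, resolve):
    """A listing is an A record in 127.0.0.0/8; no answer means not listed."""
    return any(a.startswith("127.") for a in resolve(name))

def check_links(body, resolve, ip_zone, uri_zone):
    """For each linked host, report whether each lookup style would flag it."""
    report = {}
    for host in link_hosts(body):
        by_ip = any(listed(ip_query(ip, ip_zone), resolve) for ip in resolve(host))
        by_name = listed(domain_query(host, uri_zone), resolve)
        report[host] = {"ip_lookup": by_ip, "domain_lookup": by_name}
    return report

# Constructed data: a fake resolver, so nothing here queries a real list.
FAKE_DNS = {
    "wwwi.spammer.example": ["192.0.2.72"],
    "72.2.0.192.b.barracudacentral.org": ["127.0.0.2"],  # hosting IP is listed
    "promo.payload.example": ["203.0.113.9"],            # hosting IP is not listed
    "payload.example.multi.surbl.org": ["127.0.0.2"],    # domain name is listed
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

SAMPLE_BODY = ('<a href="http://wwwi.spammer.example/offer">Your bank</a> '
               '<a href="http://promo.payload.example/buy">click here</a>')

if __name__ == "__main__":
    print(check_links(SAMPLE_BODY, fake_resolve, "b.barracudacentral.org", "multi.surbl.org"))
```

The second link is the case the thread argues about: its hosting address is on no IP list, so only the domain-name query flags it.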
