
URIBL

URIBL based on SPFBL

 

The abuse database is built from complaints made by the recipients of our customers and contributors. These complaints are processed by our URIBL server, which returns:

 

  • 127.0.0.2: listed for inappropriate use of the URL, such as phishing or use by spammers, and
  • 127.0.0.3: executable file listed for suspected malware.

 

Host: uribl.spfbl.net

 

To collaborate with this list, please forward any spam or phishing message you receive to abuse@spfbl.net. We will process any complaint sent to this address.

 

IMPORTANT: We do not provide any guarantees, despite our best efforts to maintain a stable and coherent system. Use at your own risk and take into consideration that our system works based on complaints, without privileges for any system, including Internet providers and email marketing systems. For this reason, we suggest you use our URIBL to mark emails as spam rather than to reject them. Check your MTA documentation for details or, if that is not feasible, consider using Rspamd.

 

IMPORTANT: The current limit is 10 queries per second for each AS block. Higher frequencies require contribution. Please contact us with your IP or range for further details.

 

How to query executable files

 

To query an executable file, you must have these parts:

 

  1. MD5 hexadecimal hash of executable file;
  2. File length in bytes and
  3. File extension.

 

Concatenate these parts with dot separation in order to generate the executable’s signature.

 

Let’s use the EICAR test executable as an example:

44d88612fea8a8f36de82e1278abb02f.68.com

 

Finally, just make a simple URIBL test with this signature as a conventional hostname. The extensions accepted by this service are: com, vbs, vbe, bat, cmd, pif, scr, prf, lnk, exe, shs, arj, hta, jar, ace, js, msi, sh and doc.

 

To avoid useless URIBL queries for doc files, first verify that the file contains a VBA script autorun function, which runs when the file is opened by the user. Only Word files with this feature can be listed in this service. A simple method for checking this is the following command, which returns 0 if the file has an autorun function:

egrep --binary --ignore-case '\b(AutoOpen|Document_Open|word/vbaProject\.bin)\b' 'filename.doc'

 

All compressed files must be extracted, including archives nested inside other archives, in order to get the executable itself. Generate signatures only for the executables inside, and never for the full compressed file.

 

If the compressed file contains an executable but is protected by a password, generate the signature of the compressed file itself in the same way. The extensions accepted in this case are: zip, rar, 7z and z.

 

How to query entire URL

 

To query an entire URL, you must have these parts:

 

  1. MD5 hexadecimal hash of the non-encoded URL;
  2. hostname;
  3. port and
  4. protocol.

 

Concatenate these parts with dot separation in order to generate the URL’s signature.

 

Let’s use the EICAR test URL as an example:

19cf95dc55434389114c56398c90254e.www.eicar.org.80.http

 

If the URL has an IPv4 host instead, use the reversed IPv4 address as the host. As an example, we use the URL http://203.0.113.91/:

e1fbedfae90a99bb1101eb9d49d7dc35.91.113.0.203.80.http

 

If the URL has an IPv6 host instead, use the reversed IPv6 address as the host. As an example, we use the URL http://[2001:db8::91]/:

92217b0049b8d83035ff2be379389165.1.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.80.http

 

Finally, just make a simple URIBL test with this signature as a conventional hostname. Use the default protocol port if it is omitted from the URL. The accepted protocols are HTTP and HTTPS.
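
An added example (not part of the original page or of the SPFBL project's code) that builds both signature kinds described above, the executable signature and the URL signature, in Python. Assumptions: the URL is hashed as UTF-8 bytes exactly as passed in, and the signature is queried as a prefix of uribl.spfbl.net in the usual DNSBL way; all function names are illustrative.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

ZONE = "uribl.spfbl.net"  # host named on the page; appending it is an assumption
FILE_EXTS = set("com vbs vbe bat cmd pif scr prf lnk exe shs arj hta jar ace "
                "js msi sh doc".split())
ARCHIVE_EXTS = {"zip", "rar", "7z", "z"}  # only for password-protected archives
DEFAULT_PORTS = {"http": 80, "https": 443}
ANSWERS = {"127.0.0.2": "URL listed for abuse", "127.0.0.3": "suspected malware"}

def file_signature(data: bytes, ext: str, encrypted_archive: bool = False) -> str:
    """<md5>.<length in bytes>.<extension> for an extracted executable."""
    ext = ext.lower().lstrip(".")
    allowed = ARCHIVE_EXTS if encrypted_archive else FILE_EXTS
    if ext not in allowed:
        raise ValueError(f"extension not accepted here: {ext!r}")
    return f"{hashlib.md5(data).hexdigest()}.{len(data)}.{ext}"

def host_label(host: str) -> str:
    """Hostname lowercased; IP literals reversed as in the page's examples."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower()
    if ip.version == 4:
        return ".".join(reversed(str(ip).split(".")))
    return ".".join(reversed(ip.exploded.replace(":", "")))  # 32 nibbles

def url_signature(url: str) -> str:
    """<md5 of URL>.<host>.<port>.<protocol>, default port if omitted."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"only absolute http/https URLs are accepted: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    digest = hashlib.md5(url.encode("utf-8")).hexdigest()  # URL hashed as given
    return f"{digest}.{host_label(parts.hostname)}.{port}.{scheme}"

def query_name(signature: str) -> str:
    """DNS name to resolve, checked against DNS length limits."""
    name = f"{signature}.{ZONE}"
    if len(name) > 253 or any(len(label) > 63 for label in name.split(".")):
        raise ValueError("signature does not fit in a DNS name")
    return name

def verdict(answer):
    """Map an A record string (or None for NXDOMAIN) to the page's meanings."""
    return ANSWERS.get(answer, "unlisted" if answer is None else "unknown answer")

if __name__ == "__main__":
    for u in ("http://203.0.113.91/", "http://[2001:db8::91]/"):  # page's examples
        print(query_name(url_signature(u)))
```
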

 

URLs that have a dangerous executable as a download will be listed, even if they go through multiple redirects.

 

Some spammers and fraudsters use URL shorteners to hide the actual identity of their website from conventional URIBLs. To solve this problem, we created this URIBL query script:

 

https://raw.githubusercontent.com/leonamp/SPFBL/master/client/uribl.pl

 

This is a newer, beta version of the same script:

https://www.dropbox.com/s/5aorrijafw5ygk0/uribl.pl?dl=0

 

Even when shorteners are used, the query at our URIBL always considers the last URL of a redirection chain:

ubuntu:~$ ./uribl.pl http://tinyurl.com/ycof439s
www.djmrmagoo.com.br is listed in 'uribl.spfbl.net'.

The script can also be used to scan an HTML file by checking each href in the file.

ubuntu:~$ ./uribl.pl test.html
pei.paveito.date is listed in 'uribl.spfbl.net'.

The script will return 0 for unlisted and 1 for listed. Adapt this script to your needs.