URIBL

URIBL based on SPFBL

The abuse database is built from our customers and contributors: complaints are made by their own recipients and processed by our URIBL server, which returns one of the following answers:

  • 127.0.0.2: listed for inappropriate use of the URL, such as phishing or use by spammers, and
  • 127.0.0.3: executable file listed for suspected malware.

Host: uribl.spfbl.net

To collaborate with this list, please forward the message to abuse@spfbl.net if you receive any spam or phishing. We will process any complaint sent to this address.

IMPORTANT: We do not provide any guarantees, despite our best efforts to maintain a stable and coherent system. Use at your own risk and take into consideration that our system works based on complaints, without privileges for any system, including Internet providers and email marketing systems. For this reason, we suggest you use our URIBL to mark emails as spam rather than to reject them. Check your MTA documentation for details or, if that is not feasible, consider using rspamd (see below).

IMPORTANT: The current limit is 10 queries per second for each AS block. Higher frequencies require a contribution. Please contact us with your IP or range for further details.

How to query executable files

To query an executable file, you need these three parts:

  1. the MD5 hexadecimal hash of the executable file;
  2. the file length in bytes, and
  3. the file extension.

Concatenate these parts, separated by dots, to generate the executable's signature.

Let's use the EICAR test executable as an example:

44d88612fea8a8f36de82e1278abb02f.68.com

Finally, just make a conventional URIBL lookup with this signature as the hostname. The extensions accepted by this service are: com, vbs, vbe, bat, cmd, pif, scr, prf, lnk, exe, shs, arj, hta, jar, ace, js, msi and sh.

All compressed files must be extracted, including archives nested inside other archives, in order to get at the executable itself. Generate signatures only for the executables inside, never for the whole compressed file.

If the compressed file contains an executable but is password-protected, generate the signature of the compressed file itself in the same way. The extensions accepted in this case are: zip, rar and 7z.

How to query entire URL

To query an entire URL, you need these four parts:

  1. the MD5 hexadecimal hash of the URL, not URL-encoded;
  2. the hostname;
  3. the port, and
  4. the protocol.

Concatenate these parts, separated by dots, to generate the URL's signature.

Let's use the EICAR test URL as an example:

19cf95dc55434389114c56398c90254e.www.eicar.org.80.http

If the URL has an IPv4 address as its host instead, use the reversed IPv4 address as the hostname. As an example we use the URL http://203.0.113.91/:

e1fbedfae90a99bb1101eb9d49d7dc35.91.113.0.203.80.http

If the URL has an IPv6 address as its host instead, use the reversed IPv6 address (nibble by nibble, as in the example) as the hostname. As an example we use the URL http://[2001:db8::91]/:

92217b0049b8d83035ff2be379389165.1.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.80.http

Finally, just make a conventional URIBL lookup with this signature as the hostname. Use the protocol's default port if it is omitted from the URL. The accepted protocols are HTTP and HTTPS.

URLs that have a dangerous executable as a download will be listed, even if they go through multiple redirects.
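As an added example (my own code, not SPFBL's), the following Python builds both signature formats described above, md5.length.extension for executables and md5.host.port.protocol for URLs with IP literals reversed, and resolves them in the zone. It assumes the URL is hashed exactly as written (the page does not state any normalisation), and the function names are my own; the EICAR bytes are the standard anti-virus test string.

```python
import hashlib
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

URIBL_ZONE = "uribl.spfbl.net"
EXEC_EXTENSIONS = {"com", "vbs", "vbe", "bat", "cmd", "pif", "scr", "prf", "lnk",
                   "exe", "shs", "arj", "hta", "jar", "ace", "js", "msi", "sh"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}  # only for password-protected archives
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed sample input: the 68-byte EICAR anti-virus test string used in the page's example.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def file_signature(data: bytes, extension: str) -> str:
    """md5.length.extension for an executable (or a password-protected archive)."""
    ext = extension.lower().lstrip(".")
    if ext not in EXEC_EXTENSIONS | ARCHIVE_EXTENSIONS:
        raise ValueError(f"extension not accepted by the service: {ext}")
    return f"{hashlib.md5(data).hexdigest()}.{len(data)}.{ext}"

def reversed_host(host: str) -> str:
    """Hostnames are used as-is; IP literals are reversed (octets for v4, nibbles for v6)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower()
    if ip.version == 4:
        return ".".join(reversed(str(ip).split(".")))
    return ".".join(reversed(ip.exploded.replace(":", "")))

def url_signature(url: str) -> str:
    """md5(url).host.port.protocol; the URL is hashed exactly as given (assumption)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    port = parts.port or DEFAULT_PORT[scheme]  # default port when omitted
    digest = hashlib.md5(url.encode("utf-8")).hexdigest()
    return f"{digest}.{reversed_host(parts.hostname)}.{port}.{scheme}"

def lookup(signature: str, zone: str = URIBL_ZONE) -> Optional[str]:
    """Return the A record (127.0.0.2 or 127.0.0.3) for signature.zone, or None if unlisted."""
    try:
        return socket.gethostbyname(f"{signature}.{zone}")
    except socket.gaierror:
        return None  # NXDOMAIN: the signature is not listed
```

`lookup(file_signature(EICAR, "com"))` performs the actual DNS query against the zone; everything else runs offline.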

Domain queries on rspamd

Create a file called /etc/rspamd/local.d/surbl.conf with this:

rules {
    "SPFBL_URIBL" {
        suffix = "uribl.spfbl.net";
        resolve_ip = false;
        ips {
            URIBL_SPFBL = "127.0.0.2";
        }
    }
}

In /etc/rspamd/local.d/metrics.conf add:

symbol "URIBL_SPFBL" {
    weight = 1;
    score = 2.5;
}

Sophisticated script query

Some spammers and fraudsters use URL shorteners to hide the actual identity of their website from conventional URIBLs. To solve this problem, we created this URIBL query script:

https://raw.githubusercontent.com/leonamp/SPFBL/master/client/uribl.pl

This is a newer, beta version of the same script:

https://www.dropbox.com/s/5aorrijafw5ygk0/uribl.pl?dl=0

Even when shorteners are used, the script's query to our URIBL always considers the last URL of the redirection chain:

ubuntu:~$ ./uribl.pl http://tinyurl.com/ycof439s
www.djmrmagoo.com.br is listed in 'uribl.spfbl.net'.

The script can also scan an HTML file, checking each href in that file.

ubuntu:~$ ./uribl.pl test.html
pei.paveito.date is listed in 'uribl.spfbl.net'.

The script returns exit code 0 for unlisted and 1 for listed. Adapt it to your needs.