Introduction

We want to provide the best, most innovative and accurate threat intelligence in Abusix Mail Intelligence as possible.

We believe strongly in the "Release Early, Release Often" methodology and to allow our customers "early access" to what we are working on and so that if they chose, they can also test and provide us feedback on that work.

To that end, we provide access to "beta" lists, delivered as separate DNS zones which as also available to customers who have rsync access in the "beta-lists" module (this needs to be enabled in getabusix.conf).

noip

Description

This list is built by storing every IP address we have seen sending SMTP traffic to our traps or to our partners over the last 30 days. Any new IPs found that have not been seen are then listed for 25 hours.

Being listed doesn't necessarily mean that the IP address is bad, but this is useful for scoring and meta rules, especially when combined with other data.

btc-wallets

Description

We developed this list to list BTC Wallet addresses seen in the message body of spam sent to traps.

Because it is not possible to represent a BTC Wallet in a DNS query, the BTC Wallet is SHA-1 hashed and the hash value is used for lookup instead of the URL.

For example:

SHA-1(15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw) ->
e108c5b4bde457dcc35f009d05a21fa383eda04c

Rspamd

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone.  

Note that you should replace "<APIKEY>" with your API key or set the "check_btc_dns" variable appropriately for your DNS namespace if you are using rsync.

local btc_wallet_re = rspamd_regexp.create_cached('/(?:^|\\s)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\\s|$)/')
local check_btc_dns = '.<APIKEY>.btc-wallets.mail-beta.abusix.zone.'

local check_btc_cb = function (task)
    local parts = task:get_text_parts()
    if not parts then return false end
    local r = task:get_resolver()
    for _, part in ipairs(parts) do
        local words = part:get_words('raw')
        for _, word in ipairs(words) do
            local match = btc_wallet_re:match(word)
            if match then
                local btc_hash = rhash.create_specific('sha1', word):hex()
        local lookup = btc_hash .. check_btc_dns
        local function dns_cb(_,_,results,err)
            if (not results) then return false end
            if (tostring(results[1]) == '127.0.4.1') then
                        rlogger.errx('found BTC wallet %s (%s) in BTC Wallet blacklist', word, btc_hash)
                        return task:insert_result('RBL_AMI_BTC', 1.0, word);
                    end
                end
                r:resolve_a({ task = task, name = lookup , callback = dns_cb, forced = true })
            end
        end
    end
end

local check_btc = rspamd_config:register_symbol({
    name = "RBL_AMI_BTC",
    score = 3.0,
    description = "BTC Wallet found in Abusix BTC Wallet blacklist",
    group = "abusix",
    type = "callback",
    callback = check_btc_cb
})

attachhash

Description

This experimental zone lists the SHA-1 hashes of any attachments seen by our trap network.

forged

Description

This lists IPs we have observed either forging mail from our trap domains or where we are seeing traffic from IPs sending mail from domains that return SPF Fail results.

backscatter

Description

This lists IPs that have sent bounce messages to our traps.Our trap domains are never used to send email, so any bounce messages we receive are because someone else forged our domain, so any host sending us bounce messages is because they incorrectly accepted one of these messages and are therefore sending us "backscatter".

Backscatter can be a big problem if a domain is forged and used for a large spam run and this zone can be used to help mitigate the fallout from this.

Unlike other blacklists our only inclusion criteria is DSN/MDN messages, we do not consider "Sender Verification" or "Sender Callouts" as backscatter.

emailbl

Description

More information on this zone soon....