Introduction
We want Abusix Mail Intelligence to provide the best, most innovative and accurate threat intelligence possible.
We believe strongly in the "Release Early, Release Often" methodology and in giving our customers early access to what we are working on, so that, if they choose, they can test it and give us feedback.
To that end, we provide access to "beta" lists, delivered as separate DNS zones. They are also available to customers with rsync access via the "beta-lists" module (this needs to be enabled in getabusix.conf).
noip

Status: Beta
Type: IPv4, IPv6
Cloud DNS namespace: <key>.noip.mail-beta.abusix.zone.
Rsync File: beta-lists/noip.zone
Return Codes: 127.0.0.100
Test Points: 127.0.0.2, 127.0.0.100
Listing Duration: 25 hours

Description
This list is built by storing every IP address we have seen sending SMTP traffic to our traps or to our partners over the last 30 days. Any new IPs found that have not been seen are then listed for 25 hours.
Being listed doesn't necessarily mean that the IP address is bad, but this is useful for scoring and meta rules, especially when combined with other data.
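As an added example (not part of the Abusix documentation or tooling), the Python below builds the query name for an IP-based beta zone such as noip and turns the resolver's answer into a verdict. It assumes the usual DNSBL encoding (IPv4 octets reversed; IPv6 as the 32 nibbles of the expanded address, reversed), that the IPv4-mapped test points for the backscatter zone are encoded the same way, and that "<key>" stands in for a real key. The zone labels and return codes are the ones documented on this page; the live lookup() helper is only illustrative and needs network access and a real key.

```python
import ipaddress
import socket

# Return code documented for each IP-based beta zone (values from the page).
ZONE_CODES = {
    "noip": "127.0.0.100",
    "forged": "127.0.0.5",
    "backscatter": "127.0.0.6",
}

BETA_SUFFIX = "mail-beta.abusix.zone"


def reverse_labels(ip: str) -> str:
    """Encode an address as DNSBLs conventionally expect (assumed convention):
    IPv4 -> octets reversed; IPv6 -> 32 nibbles of the expanded form, reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles))


def query_name(ip: str, zone: str, key: str = "<key>") -> str:
    """Full lookup name, e.g. 100.0.0.127.<key>.noip.mail-beta.abusix.zone"""
    if zone not in ZONE_CODES:
        raise ValueError("unknown beta zone: %r" % zone)
    return "%s.%s.%s.%s" % (reverse_labels(ip), key, zone, BETA_SUFFIX)


def interpret(zone: str, answers) -> str:
    """Map resolver answers to a verdict. NXDOMAIN/empty means not listed.
    Any answer other than the documented code is flagged instead of being
    silently treated as a hit (catches wildcarded or blocked responses)."""
    if not answers:
        return "not listed"
    if ZONE_CODES[zone] in answers:
        return "listed"
    return "unexpected answer %s" % sorted(answers)


def lookup(ip: str, zone: str, key: str) -> str:
    """Live check through the system resolver (hypothetical helper; needs
    network access and a real key)."""
    name = query_name(ip, zone, key)
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:  # NXDOMAIN -> not listed
        addrs = []
    return interpret(zone, addrs)


if __name__ == "__main__":
    # Offline self-check: the query names the documented noip test points produce,
    # with the documented return code fed in as a canned answer.
    for ip in ("127.0.0.2", "127.0.0.100", "::FFFF:7F00:2"):
        print(query_name(ip, "noip"), "->", interpret("noip", ["127.0.0.100"]))
```

Because noip only says "seen sending SMTP traffic" and not "bad", the verdict is best fed into a scoring rule rather than used as a hard reject, exactly as the description suggests.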
btc-wallets

Status: Beta
Type: SHA-1 hash
Cloud DNS namespace: <key>.btc-wallets.mail-beta.abusix.zone.
Rsync File: beta-lists/btc-wallets.zone
Return Codes: 127.0.4.1
Test Points: 127.0.0.2
Listing Duration: Approximately 5.2 days after last seen

Description
This list contains BTC wallet addresses seen in the message body of spam sent to our traps.
Because a BTC wallet address cannot be represented directly in a DNS query, the address is SHA-1 hashed and the hash value is used for the lookup instead of the address itself.
For example:
SHA-1(15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw) -> e108c5b4bde457dcc35f009d05a21fa383eda04c
Rspamd
The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone.
Replace "<APIKEY>" with your API key, or set the "check_btc_dns" variable to your own DNS namespace if you serve the zone yourself from the rsync copy.
local rspamd_regexp = require "rspamd_regexp"
local rhash = require "rspamd_cryptobox_hash"
local rlogger = require "rspamd_logger"

-- Candidate BTC address: leading 1 or 3, Base58 alphabet, 25-34 characters
local btc_wallet_re = rspamd_regexp.create_cached('/(?:^|\\s)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\\s|$)/')
-- Zone suffix appended to the SHA-1 label; replace <APIKEY> or point at your own namespace
local check_btc_dns = '.<APIKEY>.btc-wallets.mail-beta.abusix.zone.'

local check_btc_cb = function (task)
  local parts = task:get_text_parts()
  if not parts then return false end
  local r = task:get_resolver()
  for _, part in ipairs(parts) do
    local words = part:get_words('raw')
    for _, word in ipairs(words) do
      local match = btc_wallet_re:match(word)
      if match then
        -- The SHA-1 of the wallet address is the DNS label to look up
        local btc_hash = rhash.create_specific('sha1', word):hex()
        local lookup = btc_hash .. check_btc_dns
        local function dns_cb(_, _, results, err)
          if not results then return false end
          if tostring(results[1]) == '127.0.4.1' then
            rlogger.errx('found BTC wallet %s (%s) in BTC Wallet blacklist', word, btc_hash)
            return task:insert_result('RBL_AMI_BTC', 1.0, word)
          end
        end
        r:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
      end
    end
  end
end

local check_btc = rspamd_config:register_symbol({
  name = "RBL_AMI_BTC",
  score = 3.0,
  description = "BTC Wallet found in Abusix BTC Wallet blacklist",
  group = "abusix",
  type = "callback",
  callback = check_btc_cb
})
attachhash

Status: Beta
Type: SHA-1 hash
Cloud DNS namespace: attachhash.mail-beta.abusix.zone.
Rsync File: beta-lists/attachhash.zone
Return Codes: 127.0.5.1
Test Points: 127.0.0.2, 127.0.5.1, 3395856ce81f2b7382dee72602f798b642f14140 (EICAR with trailing newline), cf8bd9dfddff007f75adf4c2be48005cea317c62 (EICAR)
Listing Duration: Approximately 5.2 days after last seen

Description
This experimental zone lists the SHA-1 hashes of any attachments seen by our trap network.
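The two hash-based zones (btc-wallets above, attachhash here) share one mechanism: SHA-1 the item, use the hex digest as the leftmost DNS label. The Python below is an added example, not Abusix code, covering both zones end to end for a whole message: it pulls wallet-looking tokens out of the plain-text body with the same heuristic the rspamd snippet uses (rewritten with lookarounds so two addresses separated by a single space are both caught), hashes every attachment, and builds the query names. Assumptions, not stated on the page: attachhash hashes the transfer-decoded attachment bytes (consistent with the EICAR test points), "<key>" is a placeholder for a real key, and the sample message is constructed here.

```python
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage

BETA_SUFFIX = "mail-beta.abusix.zone"

# Documented return codes for the two hash-based beta zones (values from the page).
HASH_ZONE_CODES = {"btc-wallets": "127.0.4.1", "attachhash": "127.0.5.1"}

# Same candidate heuristic as the page's rspamd snippet (leading 1 or 3, Base58
# alphabet, 25-34 chars), but with lookarounds instead of consuming the surrounding
# whitespace, so adjacent addresses separated by one space are both found.
BTC_WALLET_RE = re.compile(r"(?<!\S)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?!\S)")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def wallet_candidates(text: str) -> list:
    """Tokens that look like BTC addresses. No checksum validation: a false
    candidate just yields a hash that is not in the zone."""
    return BTC_WALLET_RE.findall(text)


def btc_query_name(wallet: str, key: str = "<key>") -> str:
    """Label is the SHA-1 of the address string, as in the page's example."""
    return "%s.%s.btc-wallets.%s" % (sha1_hex(wallet.encode("ascii")), key, BETA_SUFFIX)


def attachment_query_name(content: bytes) -> str:
    """attachhash label: SHA-1 over the decoded attachment bytes (assumption)."""
    return "%s.attachhash.%s" % (sha1_hex(content), BETA_SUFFIX)


def verdict(zone: str, answers) -> str:
    """NXDOMAIN/empty means not listed; anything other than the documented
    return code is flagged rather than silently treated as a hit."""
    if not answers:
        return "not listed"
    if HASH_ZONE_CODES[zone] in answers:
        return "listed"
    return "unexpected answer %s" % sorted(answers)


def message_lookups(raw_message: bytes, key: str = "<key>") -> dict:
    """Every beta-zone query name a message generates: one per wallet candidate
    in the plain-text body, one per attachment (keyed by filename)."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    lookups = {"btc-wallets": {}, "attachhash": {}}
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        for wallet in wallet_candidates(body.get_content()):
            lookups["btc-wallets"][wallet] = btc_query_name(wallet, key)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # transfer-decoded bytes
        if payload is not None:
            name = part.get_filename() or "<unnamed>"
            lookups["attachhash"][name] = attachment_query_name(payload)
    return lookups


def build_sample_message() -> bytes:
    """Constructed test message: a body with the page's example address and a
    decoy token (contains 0 and O, so it is not Base58), plus one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "trap@example.net"
    m["Subject"] = "constructed sample"
    m.set_content(
        "Payment address: 15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw\n"
        "Decoy (contains 0 and O, not Base58): 1OOPS0notabase58tokenxxxxxxxxxxxx\n"
    )
    m.add_attachment(b"constructed attachment bytes\n", maintype="application",
                     subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()


if __name__ == "__main__":
    for zone, entries in message_lookups(build_sample_message()).items():
        for item, name in entries.items():
            print(zone, item, "->", name, "|", verdict(zone, []))
```

The attachment round trip matters in practice: the hash must be taken over the bytes after base64/quoted-printable decoding, otherwise the same file will never match the zone's digest.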
forged

Status: Beta
Type: IPv4, IPv6
Cloud DNS namespace: N/A, not currently published
Rsync File: beta-lists/forged.zone
Return Codes: 127.0.0.5
Test Points: 127.0.0.2, 127.0.0.5
Listing Duration: Approximately 5.2 days after last seen

Description
This lists IPs we have observed either forging mail from our trap domains, or sending mail from domains for which the SPF check returns Fail.
backscatter

Status: Beta
Type: IPv4, IPv6
Cloud DNS namespace: N/A, not currently published
Rsync File: beta-lists/backscatter.zone
Return Codes: 127.0.0.6
Test Points: 127.0.0.2, 127.0.0.6, ::FFFF:7F00:2, ::FFFF:7F00:6
Listing Duration: Approximately 5.2 days after last seen

Description
This lists IPs that have sent bounce messages to our traps. Our trap domains are never used to send email, so any bounce message we receive exists only because someone else forged our domain; a host sending us bounces therefore incorrectly accepted one of those forged messages and is sending us "backscatter".
Backscatter can be a big problem when a domain is forged and used for a large spam run, and this zone can be used to help mitigate the fallout.
Unlike other blacklists, our only inclusion criterion is DSN/MDN messages; we do not consider "Sender Verification" or "Sender Callouts" to be backscatter.
emailbl

Status: Beta
Type: SHA-1 hash
Cloud DNS namespace: N/A, not currently published
Rsync File: beta-lists/emailbl.zone

Description
More information on this zone coming soon.