
Beta Zones

A list of our Beta Zone lists

Introduction

We want to provide the best, most innovative and most accurate threat intelligence possible in Abusix Mail Intelligence.

We believe strongly in the "Release Early, Release Often" methodology, so we give our customers "early access" to what we are working on; if they choose, they can test it and provide us with feedback on that work.

To that end, we provide access to "beta" lists, delivered as separate DNS zones. They are also available to customers who have rsync access, in the "beta-lists" module (this needs to be enabled in getabusix.conf).

 
Important Note Beta lists are sometimes incomplete, inaccurate or poorly tested, and could be removed at any time. Please don't use these beta lists in production or to reject mail; they should only be used for reporting or for weak scoring. If you do test any of these lists, please check back on this page frequently to keep an eye on any changes, so that you don't get caught out if we remove a list from service or have some other issue with it. We would also love any feedback that you can provide on these lists: please contact us via the Intercom chat, or by sending an email to support@abusix.ai
 

 
 

noip

Status: Beta

Type: IPv4, IPv6

Cloud DNS namespace: <key>.noip.mail-beta.abusix.zone.

Rsync File: beta-lists/noip.zone

Return Codes: 127.0.0.100

Test Points: 127.0.0.2, 127.0.0.100

Listing Duration: 25 hours

 

Description

This list is built by storing every IP address we have seen sending SMTP traffic to our traps or to our partners over the last 30 days. Any IP that has not been seen in that window is then listed for 25 hours.

Being listed doesn't necessarily mean that the IP address is bad, but the list is useful for scoring and meta rules, especially when combined with other data.

 

 
 

btc-wallets

Status: Beta

Type: SHA-1 hash

Cloud DNS namespace: <key>.btc-wallets.mail-beta.abusix.zone.

Rsync File: beta-lists/btc-wallets.zone

Return Codes: 127.0.4.1

Test Points: 127.0.0.2

Listing Duration: Approximately 5.2 days after last seen

 

Description

This list contains BTC wallet addresses seen in the message body of spam sent to our traps.

Because it is not possible to represent a BTC wallet address directly in a DNS query, the address is SHA-1 hashed and the hex digest is used as the lookup key instead of the address itself.

 

For example:

SHA-1(15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw) -> e108c5b4bde457dcc35f009d05a21fa383eda04c
 
Info As this is a completely new type of anti-spam check, support for it will need to be added to your chosen mail platform. See below for example code for rspamd.
 

Rspamd

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone.

Note that you should replace "<APIKEY>" with your API key, or set the "check_btc_dns" variable appropriately for your own DNS namespace if you are using rsync.

 
-- Modules used by the check below
local rspamd_regexp = require "rspamd_regexp"
local rhash = require "rspamd_cryptobox_hash"
local rlogger = require "rspamd_logger"

-- Legacy (Base58) BTC address: starts with 1 or 3, never contains 0, O, I or l
local btc_wallet_re = rspamd_regexp.create_cached('/(?:^|\\s)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\\s|$)/')
-- Replace <APIKEY> with your API key, or point this at your own rsync copy of the zone
local check_btc_dns = '.<APIKEY>.btc-wallets.mail-beta.abusix.zone.'

local check_btc_cb = function (task)
    local parts = task:get_text_parts()
    if not parts then return false end
    local r = task:get_resolver()
    for _, part in ipairs(parts) do
        local words = part:get_words('raw')
        for _, word in ipairs(words) do
            if btc_wallet_re:match(word) then
                -- The zone is keyed by the SHA-1 hex digest of the address
                local btc_hash = rhash.create_specific('sha1', word):hex()
                local lookup = btc_hash .. check_btc_dns
                local function dns_cb(_, _, results, err)
                    if not results then return false end
                    -- 127.0.4.1 is the documented return code for this zone
                    if tostring(results[1]) == '127.0.4.1' then
                        rlogger.infox('found BTC wallet %s (%s) in BTC Wallet blacklist', word, btc_hash)
                        return task:insert_result('RBL_AMI_BTC', 1.0, word)
                    end
                end
                r:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
            end
        end
    end
end

rspamd_config:register_symbol({
    name = "RBL_AMI_BTC",
    score = 3.0,
    description = "BTC Wallet found in Abusix BTC Wallet blacklist",
    group = "abusix",
    type = "callback",
    callback = check_btc_cb
})
 

 
 

attachhash

Status: Beta

Type: SHA-1 hash

Cloud DNS namespace: attachhash.mail-beta.abusix.zone.

Rsync File: beta-lists/attachhash.zone

Return Codes: 127.0.5.1

Test Points: 127.0.0.2, 127.0.5.1, 3395856ce81f2b7382dee72602f798b642f14140 (EICAR with trailing newline), cf8bd9dfddff007f75adf4c2be48005cea317c62 (EICAR)

Listing Duration: Approximately 5.2 days after last seen

 

Description

This experimental zone lists the SHA-1 hashes of any attachments seen by our trap network.

 

 
 

forged

Status: Beta

Type: IPv4, IPv6

Cloud DNS namespace: N/A, not currently published

Rsync File: beta-lists/forged.zone

Return Codes: 127.0.0.5

Test Points: 127.0.0.2, 127.0.0.5

Listing Duration: Approximately 5.2 days after last seen

 

Description

This lists IPs we have observed either forging mail from our trap domains, or sending mail from domains whose SPF check returns a Fail result.

 
Important Note This list is not currently well tested and is very much a work in progress, so it is not recommended for anything other than scoring or testing.
 

 
 

backscatter

Status: Beta

Type: IPv4, IPv6

Cloud DNS namespace: N/A, not currently published

Rsync File: beta-lists/backscatter.zone

Return Codes: 127.0.0.6

Test Points: 127.0.0.2, 127.0.0.6, ::FFFF:7F00:2, ::FFFF:7F00:6

Listing Duration: Approximately 5.2 days after last seen

 

Description

This lists IPs that have sent bounce messages to our traps. Our trap domains are never used to send email, so any bounce message we receive exists because someone else forged our domain; a host sending us bounce messages therefore incorrectly accepted one of those forged messages and is now sending us "backscatter".

Backscatter can be a big problem if a domain is forged and used for a large spam run, and this zone can be used to help mitigate the fallout from this.

Unlike other blacklists, our only inclusion criterion is DSN/MDN messages; we do not consider "Sender Verification" or "Sender Callouts" to be backscatter.

 
Warning This zone should NEVER be used as a regular DNSBL; it should only ever be applied to messages that have a null Return-Path (i.e. MAIL FROM:<>).
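The two lookup styles this page describes, hash-keyed queries (btc-wallets, above) and reversed-IP queries gated on a null sender (backscatter), as an added example that is not Abusix's own code. The zone names are assumptions: <key> stands for your API key as elsewhere on this page, and since backscatter has no published DNS namespace its zone name is a placeholder for a copy you serve yourself from the rsync file.

```python
import hashlib
import ipaddress
import re

# Assumed zone names (see lead-in): <key> is your API key; the backscatter
# zone is a placeholder for a locally served copy of beta-lists/backscatter.zone.
BTC_ZONE = "<key>.btc-wallets.mail-beta.abusix.zone"
BACKSCATTER_ZONE = "backscatter.local-dnsbl.invalid"

# Return codes documented on this page, per zone.
RETURN_CODES = {"noip": "127.0.0.100", "btc-wallets": "127.0.4.1", "attachhash": "127.0.5.1",
                "forged": "127.0.0.5", "backscatter": "127.0.0.6"}

# Same legacy Base58 address pattern as the rspamd rule above (no 0, O, I or l).
BTC_ADDR_RE = re.compile(r"(?:^|\s)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?=\s|$)")


def btc_lookup_names(body: str) -> dict:
    """Map each candidate wallet address in a message body to its DNS query name:
    the SHA-1 hex digest of the address, prefixed to the zone."""
    return {addr: hashlib.sha1(addr.encode("ascii")).hexdigest() + "." + BTC_ZONE
            for addr in BTC_ADDR_RE.findall(body)}


def reverse_ip_name(ip: str, zone: str) -> str:
    """Build a DNSBL query name: IPv4 octets reversed, IPv6 as 32 reversed nibbles.
    An IPv4-mapped IPv6 address (::ffff:7f00:2, as seen on a dual-stack socket)
    is unwrapped first so that it matches the zone's IPv4 entries."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4:
        label = ".".join(reversed(str(addr).split(".")))
    else:
        label = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{label}.{zone}"


def backscatter_query(mail_from: str, client_ip: str):
    """Return the backscatter query name, or None when the zone must not be consulted:
    only messages with a null Return-Path (MAIL FROM:<>) may be checked against it."""
    if mail_from.strip() not in ("", "<>"):
        return None
    return reverse_ip_name(client_ip, BACKSCATTER_ZONE)


def listed(answers, zone: str) -> bool:
    """True only when the A records returned include the zone's documented return code."""
    return RETURN_CODES[zone] in set(answers)
```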
 

 
 

emailbl

Status: Beta

Type: SHA-1 hash

Cloud DNS namespace: N/A, not currently published

Rsync File: beta-lists/emailbl.zone

 

Description

More information on this zone soon....

 