Popular topics: black Abuse Contact Validation
Online file storage URL blocklist (diskhash.mail.abusix.zone)
| Status: | Production |
| Type: | SHA-1 Hash |
| Cloud DNS namespace: | <key>.diskhash.mail.abusix.zone. |
| Rsync File: | lists/diskhash.zone |
| Return Codes: | 127.0.3.2 |
| Test Points: | 127.0.0.2, 127.0.3.2, *.test, d2e4345eef7b21a542ed6d7c3dd191585b344461 (abusix.ai/testpoint), 2f07095f95bc86bc310febc625ee9327a69fde0b (abusix.ai/testpoint/hash/disk) |
| Listing Duration: | Approximately 5.2 days after last seen |
We developed this list to list Online file storage URLs seen in the message body of spam sent to our primary traps.
This list compliments the domain blacklist as using Online file storage services like Google Drive and Yandex Disk has become a common way for spam to avoid IP and domain blacklisting by hiding behind these services. Additionally, these services are usually very poor at handling abuse of their services.
Because it is not possible to represent a full URL in a DNS query, the URLs are normalized first, then SHA-1 hashed and the hash value is used for lookup instead of the URL.
To normalize the short URL, remove the scheme, then take only the “hostname” (lowercased) and “pathname” and then calculate the SHA-1 hash of the result:
https://drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view → SHA1(drive.google.com/file/d/0B6aqsaIzsR0CZlpxYUZSWDRyRGc/view) = f947e57d2326ca86ba9bead20696a9208a7acdd6
As this is a completely new type of anti-spam check, it will require support for this to be added to your chosen mail platform. See below for example code for rspamd.
The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone. Note that you should replace "<APIKEY>" with your API key or set the "check_diskurls_dns" variable appropriately for your DNS namespace if you are using rsync.
local rregexp = require "rspamd_regexp"
local rlogger = require "rspamd_logger"
local rhash = require "rspamd_cryptobox_hash"
local rutil = require "lua_util"
local re_disk_urls = rregexp.create_cached('/^(?:drive\\.google\\.com$|yadi\\.sk$|disk\\.yandex\\.)/')
local check_diskurls_dns = '.<APIKEY>.diskhash.mail.abusix.zone.'
local check_diskurls_cb = function (task)
local function find_disk_urls (url)
local host = url:get_host():lower();
if (re_disk_urls:match(host)) then
return true
end
end
local diskurls = rutil.extract_specific_urls({
task = task,
limit = 5,
prefix = 'diskurls',
filter = find_disk_urls
});
if (not diskurls) then return false end
local r = task:get_resolver()
for _, url in pairs(diskurls) do
-- Normalize
local durl = url:get_host():lower() .. '/' .. url:get_path()
local durl_hash = rhash.create_specific('sha1', durl):hex()
local lookup = durl_hash .. check_diskurls_dns
local function dns_cb(_,_,results,err)
if (not results) then return false end
if (tostring(results[1]) == '127.0.3.2') then
rlogger.errx('found URL %s (%s) in Disk URL blacklist', durl, durl_hash)
return task:insert_result('RBL_AMI_DISKURL', 1.0, durl);
end
end
r:resolve_a({ task = task, name = lookup , callback = dns_cb, forced = true })
end
end
local check_diskurls = rspamd_config:register_symbol({
name = "RBL_AMI_DISKURL",
score = 3.0,
description = "Disk URL found in Abusix Disk URL blacklist",
group = "abusix",
type = "callback",
callback = check_diskurls_cb
});
Our award-winning customer care team is here for you.
Contact Support