Jump to content
Sign in to follow this  
ronbaby

Checking an entire block against the blacklist

Recommended Posts

I suppose that this might perhaps be an FAQ, but I haven't been able to find the answer in any of the Spamcop FAQ files I've looked in, so I'll just ask.

I would like to check to see if there are any single IPv4 addresses within a given range that are currently listed on the Spamcop blocklist. What is the proper way to do this? Note that I am _not_ either the owner or the administrator of the IP address range in question, but I still do want to get the information for analysis. (No, I am not a spammer. I am an anti- who is trying to do research on certain blocks that I feel are exceptionally "dirty".)

Obviously, I could just write a trivial little scri_pt that would generate each of the IP addresses in the range in turn and then I could also write another trivial little scri_pt that would check each one of those individual IP addresses, in turn, against bl.spamcop.net, but that does seem rather horribly inefficient, and if the block is big... say like fer instance a /16 or something like that... then I feel that I would be needlessly taxing Spamcop's DNS resources if I did it this way (which would involve making 65536 separate individual DNS lookups against bl.spamcop.net).

So basically, is there a proper, recommended, and _polite_ way of checking an entire block against the blacklist, I mean, ya know, even if the party who wants the info is not the owner of the block in question?

Also and separately I'd like to know what additional information Spamcop provides to the general public about individual entries in/on the Spamcop blacklist. Specifically, if I have an address, A.B.C.D and I have checked and seen that it is in fact currently listed on the Spamcop BL, then what information about the causes for that listing can I, an interested third party, get from Spamcop about those causes? Can I see the spam message that caused or or maybe even a redacted version thereof? If so, where and how would I find that?

Edited by ronbaby

Share this post


Link to post
Share on other sites

Hi, ronbaby,

...If no one comes by soon with an answer, I'd suggest that you refer your questions directly to the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net.

...Good luck!

Share this post


Link to post
Share on other sites

There are a number of presentations which touch on this though perhaps none of them are exactly what you are after. These can be separately consulted or links followed in sequence, you can start from http://www.spamcop.net/spamstats.shtml or:

  • Browseable map of IPv4 netspace (from which one can "drill down" to the CIDR /24 level, all sortable in various ways),
  • The SenderBase search also linked from the previous showing bl.spamcop.net and 4 other RBLs (including the CBL) for any queried IP address, the network or CIDR (selectable),
  • The SCbl lookup also linked from the previous (when listed) which includes a listing Other hosts in this "neighborhood" with spam reports.

The SCbl lookup on a listed IP address will include detail like

Causes of listing
  • System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
  • SpamCop users have reported system as a source of spam less than 10 times in the past week

Spamtrap hits account for a good many listings on the SCbl and SpamCop cannot reveal detail about those without compromising the trap. Member reports, in contrast, are very detailed (even when munged) and an ISP with a timely report who can't burrow down to the individual customer account that is the source of the spam armed with that detail either isn't trying or has a revenue model that ignores resource usage (and any lack of such detailed resource logging/monitoring at the provider-level is possibly in contravention of local/national security directives/"arrangements").

Another use of the "additional information" has been discussed elsewhere by member petzl, and that is to add detail found to the user (reporter) notes passed on to report recipients. The CBL listings are particularly useful to any responsive ISP as the links to them often specify particular exploits responsible for botnet activity on the part of IP addresses and/or networks and include detailed guides for "disinfection". And reporters might get to "report" a whole lot of IP addresses in "one hit".

HTH

Share this post


Link to post
Share on other sites

So basically, is there a proper, recommended, and _polite_ way of checking an entire block against the blacklist, I mean, ya know, even if the party who wants the info is not the owner of the block in question?

SenderBase shows all

Go to SpamCop Block List (SCBL)

http://www.spamcop.net/bl.shtml

put in an IP

Example

http://www.spamcop.net/w3m?action=checkblo...p=37.213.140.74

Scroll down to see "Other hosts in this "neighborhood" with spam reports"

Then click the "SenderBase Lookup" button (will ask to accept terms)

http://www.senderbase.org/senderbase_queri...g=37.213.140.74

Scroll down and you will see the /24 block default (selectable) and "red flag" on those blocked by SCBL, PBL, CBL Hover your mouse over the "red flag" and you will be shown the blocklist/s name with a clickable link to the SCBL

Easy as

Share this post


Link to post
Share on other sites

Thank you everyone. All the replies have provided me with good and useful information.

I did/do want to know more about each spam that is causing that certain subset of Spamcop BL listings of interest to me, but I see that Senderbase is at least publishing the reverse DNS for the IPs that actually are seen to send something, which is good. I am an information addict however and I'd like to see more, like in particular the "metadata" for the spams that trigger Spamcop BL listings. You know, like in particular the HELO/EHLO strings and the envelope sender addresses, or perhaps at least just the domain part of the envelope sender addresses.

But having said that I can well and truly understand how such additional disclosures could perhaps be gamed by spammers as a means of outing Spamcop's spamtraps. And none of us wants that. Well, none of us good guys anyway.

Edited by ronbaby

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×