Jump to content

Checking an entire block against the blacklist


ronbaby
 Share

Recommended Posts

I suppose that this might perhaps be an FAQ, but I haven't been able to find the answer in any of the Spamcop FAQ files I've looked in, so I'll just ask.

I would like to check to see if there are any single IPv4 addresses within a given range that are currently listed on the Spamcop blocklist. What is the proper way to do this? Note that I am _not_ either the owner or the administrator of the IP address range in question, but I still do want to get the information for analysis. (No, I am not a spammer. I am an anti- who is trying to do research on certain blocks that I feel are exceptionally "dirty".)

Obviously, I could just write a trivial little scri_pt that would generate each of the IP addresses in the range in turn and then I could also write another trivial little scri_pt that would check each one of those individual IP addresses, in turn, against bl.spamcop.net, but that does seem rather horribly inefficient, and if the block is big... say like fer instance a /16 or something like that... then I feel that I would be needlessly taxing Spamcop's DNS resources if I did it this way (which would involve making 65536 separate individual DNS lookups against bl.spamcop.net).

So basically, is there a proper, recommended, and _polite_ way of checking an entire block against the blacklist, I mean, ya know, even if the party who wants the info is not the owner of the block in question?

Also and separately I'd like to know what additional information Spamcop provides to the general public about individual entries in/on the Spamcop blacklist. Specifically, if I have an address, A.B.C.D and I have checked and seen that it is in fact currently listed on the Spamcop BL, then what information about the causes for that listing can I, an interested third party, get from Spamcop about those causes? Can I see the spam message that caused or or maybe even a redacted version thereof? If so, where and how would I find that?

Edited by ronbaby
Link to comment
Share on other sites

There are a number of presentations which touch on this though perhaps none of them are exactly what you are after. These can be separately consulted or links followed in sequence, you can start from http://www.spamcop.net/spamstats.shtml or:

  • Browseable map of IPv4 netspace (from which one can "drill down" to the CIDR /24 level, all sortable in various ways),
  • The SenderBase search also linked from the previous showing bl.spamcop.net and 4 other RBLs (including the CBL) for any queried IP address, the network or CIDR (selectable),
  • The SCbl lookup also linked from the previous (when listed) which includes a listing Other hosts in this "neighborhood" with spam reports.

The SCbl lookup on a listed IP address will include detail like

Causes of listing
  • System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
  • SpamCop users have reported system as a source of spam less than 10 times in the past week

Spamtrap hits account for a good many listings on the SCbl and SpamCop cannot reveal detail about those without compromising the trap. Member reports, in contrast, are very detailed (even when munged) and an ISP with a timely report who can't burrow down to the individual customer account that is the source of the spam armed with that detail either isn't trying or has a revenue model that ignores resource usage (and any lack of such detailed resource logging/monitoring at the provider-level is possibly in contravention of local/national security directives/"arrangements").

Another use of the "additional information" has been discussed elsewhere by member petzl, and that is to add detail found to the user (reporter) notes passed on to report recipients. The CBL listings are particularly useful to any responsive ISP as the links to them often specify particular exploits responsible for botnet activity on the part of IP addresses and/or networks and include detailed guides for "disinfection". And reporters might get to "report" a whole lot of IP addresses in "one hit".

HTH

Link to comment
Share on other sites

So basically, is there a proper, recommended, and _polite_ way of checking an entire block against the blacklist, I mean, ya know, even if the party who wants the info is not the owner of the block in question?

SenderBase shows all

Go to SpamCop Block List (SCBL)

http://www.spamcop.net/bl.shtml

put in an IP

Example

http://www.spamcop.net/w3m?action=checkblo...p=37.213.140.74

Scroll down to see "Other hosts in this "neighborhood" with spam reports"

Then click the "SenderBase Lookup" button (will ask to accept terms)

http://www.senderbase.org/senderbase_queri...g=37.213.140.74

Scroll down and you will see the /24 block default (selectable) and "red flag" on those blocked by SCBL, PBL, CBL Hover your mouse over the "red flag" and you will be shown the blocklist/s name with a clickable link to the SCBL

Easy as

Link to comment
Share on other sites

Thank you everyone. All the replies have provided me with good and useful information.

I did/do want to know more about each spam that is causing that certain subset of Spamcop BL listings of interest to me, but I see that Senderbase is at least publishing the reverse DNS for the IPs that actually are seen to send something, which is good. I am an information addict however and I'd like to see more, like in particular the "metadata" for the spams that trigger Spamcop BL listings. You know, like in particular the HELO/EHLO strings and the envelope sender addresses, or perhaps at least just the domain part of the envelope sender addresses.

But having said that I can well and truly understand how such additional disclosures could perhaps be gamed by spammers as a means of outing Spamcop's spamtraps. And none of us wants that. Well, none of us good guys anyway.

Edited by ronbaby
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...