On 17/09/19 20:54, Amir Caspi wrote:
> Based on https://feodotracker.abuse.ch/mitigate/, it looks like both
> Spamhaus DBL and SURBL are fed by URLhaus. Spamhaus returns
> 127.0.1.105 for URLs fed from URLhaus. Doesn't SA already handle
> this, then, for URLs it processes, since it uses the DBL?
> I know Riccardo sent an email about a new plugin for SA, but I don't
> know if it's yet implemented in release... but maybe that's not
> required since the DBL doesn't require DQS.

You are correct, URLhaus domains enter DBL as abused legit malware, but
the default SA score is not enough to mark the email as spam (and that's
correct as it checks only the domain).
The recommended way would be to use ClamAV signatures, or, if you really
can't, create uri rules based on https://urlhaus.abuse.ch/downloads/csv/
--
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
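
The uri-rule fallback mentioned in the reply, sketched as an added example (not part of the original message and not Spamhaus or SpamAssassin project code). It assumes the URLhaus CSV has '#' comment lines and quoted fields with id, url and url_status in columns 1, 3 and 4; the sample rows, the URLHAUS_<id> rule names and the 5.0 score are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample rows in the assumed URLhaus CSV layout.
SAMPLE_CSV = '''# id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter
"1001","2019-09-17 10:00:00","http://files.example.com/inv/doc.exe?id=1","online","malware_download","exe","https://urlhaus.abuse.ch/url/1001/","constructed"
"1002","2019-09-16 09:00:00","http://old.example.net/a.bin","offline","malware_download","None","https://urlhaus.abuse.ch/url/1002/","constructed"
"1003","2019-09-17 11:00:00","http://bad.example.org/x y","online","malware_download","None","https://urlhaus.abuse.ch/url/1003/","constructed"
'''

# Printable ASCII only: whitespace or control characters in a feed entry
# could break out of the rule line in the generated config file.
SAFE_URL = re.compile(r'https?://[\x21-\x7e]+')
SAFE_ID = re.compile(r'[0-9]+')


def sa_pattern(url):
    """Escape a literal URL for use inside a SpamAssassin /.../ regex."""
    return re.escape(url).replace('/', r'\/').replace('@', r'\@')


def urlhaus_to_sa_rules(csv_text, score=5.0, only_online=True):
    """Return SpamAssassin uri/describe/score lines for the listed URLs."""
    rows = csv.reader(line for line in io.StringIO(csv_text)
                      if line.strip() and not line.startswith('#'))
    seen, out = set(), []
    for row in rows:
        if len(row) < 4:
            continue
        url_id, url, status = row[0], row[2], row[3]
        # The feed is untrusted input to a config file: validate each field.
        if not SAFE_ID.fullmatch(url_id) or not SAFE_URL.fullmatch(url):
            continue
        if url in seen or (only_online and status != 'online'):
            continue
        seen.add(url)
        name = f'URLHAUS_{url_id}'
        out += [f'uri      {name} /^{sa_pattern(url)}/i',
                f'describe {name} URL listed by URLhaus (id {url_id})',
                f'score    {name} {score:.1f}', '']
    return '\n'.join(out)


if __name__ == '__main__':
    print(urlhaus_to_sa_rules(SAMPLE_CSV))
```

Unlike the DBL lookup, which checks only the domain, these rules match the full listed URL, so a higher score is easier to justify; run `spamassassin --lint` on the generated file before loading it.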