On Sunday 15 May 2005 17:51, List Mail User wrote:
> >...
> >
> >wolfgang wrote: [...]
> >>
> >> I noticed that the WS URIBL does by now recognize various of the
> >> URIs in those mails, and a rule like
> >> # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
> >> urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
> >> body URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
> >> describe URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> >> tflags URIBL_RFCI_WHOIS net
> >> also works well here:
> >>
> >> 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> >> [URIs: pro-koeln-online.de
> >> jungefreiheit.de] [g-d-f.de bewaeltigen.de kopfmord.de]
> >> [buergerbewegungen.de wk-institut.de] [das-gibts-doch-nicht.de
> >> un-nachrichten.de] [rocknord.de]
> >
> >And may cause LOTS of false positives as well
> >
> >Sun 2005-05-15 13:42:18: * 1.0 URIBL_RFCI_WHOIS URL listed at
> >rfc-ignorant.org (whois)
> >Sun 2005-05-15 13:42:18: * [URIs: spiegel.de npd.de taz.de]
> >
> >FP: spiegel.de & taz.de
> >
> >Sun 2005-05-15 13:42:44: * 1.0 URIBL_RFCI_WHOIS URL listed at
> >rfc-ignorant.org (whois)
> >Sun 2005-05-15 13:42:44: * [URIs: libasoli.de zdf.de]
> >
> >FP: zdf.de
> >
> >h2h
> >
> >Alex
>
> Basically, this rule is incorrectly written. Unlike SURBLs or
> URIBL, RFCI does not use bit masks, but multiple full addresses - so
> trying to use a bitmask (5 in this case) will also match the hits for
> 127.0.0.7 which is the code for RFC non-compliant TLDs, of which
> ".de" is one. Put simply the rule above will match all ".de"
> domains, which probably is not desired. Using a rule like
>
> urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 127.0.0.5
>
> will probably give results closer to what is desired (i.e. matches
> SLDs with invalid whois). So, yes the OP's rule *will* give far too
> many FPs, but when written correctly, it will/should still filter out
> many/most of the Nazi party sites.

Sorry, RTFM failure on my part for the bitmask vs. whole IP address
error. Please accept my apologies for any inconvenience caused by it.

> P.S. ".de" is interesting in that the Whois server does contain and
> will return the "desired" data, but the method of access is (AFAIK)
> only documented in the rfci entry for ".de"'s TLD invalidity (i.e. a
> bunch of undocumented flags which can be passed using telnet). Most
> 127.0.0.7 entries are for TLDs which are RFC non-compliant, and a
> different code is used just so you can prevent marking every ".de"
> domain (last week someone else mentioned ".co.uk", but that Whois
> server got fixed and removed from listing quite a while ago). As
> another example, the OP's version of the rule will block all ".pl"
> domains also, probably not good either (and a bunch of other TLDs),
> but most American individual users won't notice the problems unless
> they happen to regularly communicate with people in foreign countries
> (".se" is one that would hurt me - though ".de" is probably the most
> significant - many "third world" country codes also have 127.0.0.7
> codes for the TLDs, ex. ".tv").

-- 
Rob Skedgell <[EMAIL PROTECTED]>
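
Added example (not part of the original thread, and not SpamAssassin's own code): a small Python model of how a urirhssub subtest is evaluated, showing why "A 5" also hits the 127.0.0.7 TLD answer while "A 127.0.0.5" does not. The matching semantics, the domain names and the DNS answers are assumptions constructed for illustration; only the two return codes come from the thread.

```python
import ipaddress

# Return codes as described in the thread for whois.rfc-ignorant.org.
WHOIS_INVALID = "127.0.0.5"     # SLD with invalid whois
TLD_NONCOMPLIANT = "127.0.0.7"  # RFC non-compliant TLD (e.g. ".de")


def subtest_hits(subtest, a_records):
    """Model of a urirhssub subtest (assumed semantics, not SpamAssassin code).

    A decimal number is treated as a bitmask ANDed with each returned A
    record; a dotted quad must equal one of the returned A records exactly.
    """
    if subtest.isdigit():
        mask = int(subtest)
        return any(int(ipaddress.IPv4Address(a)) & mask for a in a_records)
    return subtest in a_records


# Constructed DNS answers for hypothetical domains (not real listing data).
ANSWERS = {
    "bad-whois.de": [WHOIS_INVALID, TLD_NONCOMPLIANT],  # SLD and TLD listed
    "newspaper.de": [TLD_NONCOMPLIANT],                 # only the TLD listed
    "unlisted.example": [],                             # NXDOMAIN, no answer
}


def evaluate(subtest):
    """Return the sorted list of domains a rule with this subtest would flag."""
    return sorted(d for d, recs in ANSWERS.items() if subtest_hits(subtest, recs))


if __name__ == "__main__":
    for subtest in ("5", "127.0.0.5"):
        print(f"A {subtest:<10} -> {evaluate(subtest)}")
```

With the bitmask form, 127.0.0.7 shares bits with 5, so every domain under a listed TLD is flagged; the full-address form flags only the domain that returns 127.0.0.5.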