Re: [squid-users] Google Safe Browsing API - Integration with squid?

From: <squid3@dont-contact.us>
Date: Mon, 25 Jun 2007 11:34:13 +1200 (NZST)

> Henrik Nordstrom wrote:
>> On Sun 2007-06-24 at 23:49 +0200, Andreas Pettersson wrote:
>>> I'm not sure I follow you here..
>>> If a phisher has control of evil.com he could send out unique
>>> urls in each and every spam, all pointing to the same physical host.
>>> Sure, MD5 hashes are efficient, but the number of possible urls is
>>> nearly unlimited. It would be much easier to list the host instead.
>>>
>> And the Google SafeBrowsing lookup algorithm allows just that.. It's not
>> just an MD5 of the complete URL. The URL is processed in many steps of
>> varying granularity, each producing an MD5 to look up in the blacklist.
>>
>> http://code.google.com/apis/safebrowsing/developers_guide.html#PerformingLookups
>>
>> Note: In the worst case there are 5 * 6 = 30 different lookups per URL.
>> Normally fewer than 10, however.
>
> [walks away and stands in the corner]
> Believe it or not, I actually read that guide before making my initial
> post, but apparently it completely vanished from my memory...
> Perhaps it happened when Phishtank was brought up.
>

If you're going to take that route, the most efficient way to do it is to
allow an admin-configured RHSBL or RBL with an ACL on the dst or
dstdomain (look up the SURBL query algorithm), rather than any single
custom API. rbldnsd can be set up and used easily by anyone in conjunction
with Squid.

I currently use external helpers to check against ~30 RBL and ~3 RHSBL.
Making a built-in ACL is on my wishlist, but way down since external
helpers do it okay for now.

Amos
Received on Sun Jun 24 2007 - 17:34:16 MDT
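
Added example (not part of the original message and not Squid project code): a minimal external ACL helper of the kind described above, which takes the destination host from Squid and checks it against RHSBL zones by name or RBL zones by reversed IPv4 address. The zone names, the helper path and the suffix-walking shortcut are assumptions made for illustration.

```python
"""Squid external ACL helper: answers OK when %DST is listed in a DNSBL."""
import ipaddress
import socket
import sys

# squid.conf wiring (helper path is a placeholder):
#   external_acl_type dnsbl %DST /usr/local/bin/dnsbl_helper.py
#   acl listed external dnsbl
#   http_access deny listed
# Constructed placeholder zones; point these at your own rbldnsd zones.
RHSBL_ZONES = ["rhsbl.example.net"]   # domain-name lists
RBL_ZONES = ["rbl.example.net"]       # IPv4 address lists

def query_names(dst):
    """Return the DNS names to look up for one destination host."""
    dst = dst.strip().lower().rstrip(".")
    try:
        ip = ipaddress.IPv4Address(dst)
    except ValueError:
        labels = dst.split(".")
        # Simplification: try every suffix with >= 2 labels instead of
        # reducing to the registered domain as SURBL does.
        suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
        return [f"{s}.{z}" for s in suffixes for z in RHSBL_ZONES]
    rev = ".".join(reversed(str(ip).split(".")))
    return [f"{rev}.{z}" for z in RBL_ZONES]

def dns_listed(name):
    """Any A record means listed; NXDOMAIN or a DNS failure fails open."""
    try:
        socket.gethostbyname(name)
        return True
    except (OSError, UnicodeError):
        return False

def is_listed(dst, lookup=dns_listed):
    """True if any candidate name for dst resolves in a configured zone."""
    return any(lookup(n) for n in query_names(dst))

def main():
    # Squid writes one %DST per line and expects OK (match) or ERR (no match).
    for line in sys.stdin:
        sys.stdout.write("OK\n" if is_listed(line) else "ERR\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Because a resolver timeout is indistinguishable from "not listed" here, the helper allows traffic when the blacklist DNS is unreachable; swap the return value in `dns_listed` if blocking on failure is preferred.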
