DNSBL & FraudBL rule updates

As of 22 October, we have changed how messages are analyzed.

If a message contains known hosts, discard the message as already listed but reset “deleted”-dates and relist if necessary.

Messages are no longer discarded as “already listed”. That behaviour was built to save data storage. Data storage is a problem, but we have to live with that, even if some cases are automatically solved by our orphan-cleaner (DNSBL-46). So, for each message found as “already listed”, we now increment the hostcount. This means that the more hits we get from a server, the harsher the rules applied to that host.

Source: DNSBL-54

FraudBL status

FraudBL is currently up and running, and as we type this post we are collecting spam from “phishing sites”. By our count, approximately 1200 hosts are flagged “phishing” in our database. In short, this database will get a zone update so we can start using it. What we are actually waiting for is dnsbl.tornevall.org and the last migration steps.

To be continued…

What FraudBL is

This page is also available in Swedish.

FraudBL is an open source DNS blacklist server, a part of the more common dnsbl.tornevall.org DNS blacklist. FraudBL stands for Fraud Blacklist. This site itself is a landing page for Tornevall Networks' blacklisting services; the real site, where most of our information resides, can be reached via the Tornevall Networks portal (which is currently under construction). FraudBL is what tornevall.org is: while dnsbl.tornevall.org blocks regular spam, proxies and web abuse, FraudBL explicitly blocks servers known for sending spam based on phishing or anything else that would cause economic loss for the receiver.

The purpose of FraudBL is to stop fraudulent or phishing-like e-mail that is sent from various servers and made to look as if it comes from banks and similar senders. FraudBL uses a separate spam resolver with the suffix bl.fraudbl.org. However, we are also using dnsbl.tornevall.org, where hosts that are considered phishy or fraudulent are marked with an extra TXT entry.

To report fraudulent e-mail to us, send the mail content (important: with the full header) to spam@fraudbl.org. For examples of how to extract a message header, see http://docs.tornevall.net/x/ZoBq (covers Gmail, Outlook/Hotmail, Thunderbird, etc.). The goal is to block the source servers of the sent mail, not the sender itself, so it is primarily the “Received” headers we are looking for.
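The lookup implied by the two paragraphs above, as an added example that is not FraudBL's own code: it pulls the relay addresses out of the Received headers of a reported message and builds the name to query under bl.fraudbl.org. The sample message is constructed, and the reversed-octet query name and "any A record means listed" follow the standard DNSBL convention, assumed here because the page does not document FraudBL's responses.

```python
import email
import ipaddress
import re
import socket

ZONE = "bl.fraudbl.org"  # resolver suffix named on this page
# Relays that can never be listed: RFC 1918 and loopback addresses.
SKIP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample report; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.23])
    by mail.example.org with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [10.0.0.5] (unknown [203.0.113.77])
    by mx.example.net with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
From: "Bank" <support@example.com>
Subject: Verify your account

Please log in to confirm your details.
"""

def relay_ips(raw_message):
    """Public IPv4 relay addresses from the Received headers, newest hop first."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.IPv4Address(text)
            except ValueError:  # not a valid address, e.g. [999.1.1.1]
                continue
            if not any(ip in net for net in SKIP) and ip not in found:
                found.append(ip)
    return found

def query_name(ip, zone=ZONE):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def is_listed(ip, zone=ZONE):
    """True if the zone answers with an A record (needs network access)."""
    try:
        socket.gethostbyname(query_name(ip, zone))
        return True
    except socket.gaierror:  # NXDOMAIN: the host is not listed
        return False
```

Only the headers added by your own mail servers are trustworthy; hops below the first relay you control can be forged by the sender.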

Examples of senders that spoofed e-mail may claim to come from:

  • PayPal
  • Skatteverket (Sweden)
  • Swedbank (Sweden)
  • Apple/iTunes
  • Telia Sonera
  • Nordea (Sweden)
  • Bank of America
  • And many many more…

The FraudBL site is located in Sweden.