For low volume end users, we provide public DNS mirrors distributed around the world to answer your queries through products like SpamAssassin which have built in support for URIBL.COM. Many other commercial anti-spam products support realtime DNS blacklists. Consult your documentation on how to configure your software to utilize multi.uribl.com for domain reputation.
URIBL provides an abundance of information on its RSS Feeds Website, in both HTML and XML formats for automation purpose. Our summary reports track the most abused nameservers, IP addresses, MX Records, Whois Nameservers and Whois Registrars for the last 8 hours, 24 hours, 7 days, and 14 days.
Blacklisted domains by Nameserver allow nameserver operators to track abuse on their networks by simply subscribing to the RSS Feed for the nameservers they are responsible for. We also provide lists of blacklisted domains by Registrar, so abuse managers can subscribe to these feeds and easily action domains that are abusing their Terms of Service, as well as Freeweb abuse for sites like Geocities and Tripod which have a good amount of abuse to keep track of.
The URIBL website offers a lookup page to check domains listing status, and submission services to delist domains from URIBL. A login is required to submit delist requests, you can Register for one here.
For high volume users (see info on abuse), we offer commerical Data Feed Services over RSYNC and DNS. Datafeed over RSYNC allows companies to run URIBL.COM data in-house, increasing speed and spam accuracy both. Datafeed service also provides extra datasets and prelist data that is not available in public DNS, improving spam accuracy even more! Datafeed over DNS provides the same great information over existing public DNS, without the need for setting up or maintaining your own hardware to download and serve the zone data.
To utilize these lists, please see the Usage page
Our lists only have the top level domain information. We strip all hostparts from URIs before addition, with the exception of a few domain names which tend to be heavily abused (see https://rss.uribl.com/hosters/). In those cases, we do list the subdomain prior to the abused domain name. So when you query our lists, make sure you have done proper scrubbing of the URI before submitting the query, or you may not get the results you expect.
We do list IP addresses! Not where the mail was sent from, but where the URI in the body is trying to take you. To query a IP address on our list, we use the reversed ipv4 dotted decimal address. For example, 1.2.3.4 should be queried as 4.3.2.1.multi.uribl.com.
multi.uribl.com list contains all of the list data, and is the list that we recommend you query to produce your results instead of making seperate requests to each list. If a domain is found on multi, it will return a IP address of 127.0.0.X where X is the value for what list it is on. See the following reference..
X Binary On List --------------------------------------------------------- 1 00000001 Query blocked, possibly due to high volume 2 00000010 black 4 00000100 grey 8 00001000 red 14 00001110 black,grey,red (for testpoints) ---------------------------------------------------------
Other bitmasked values, such as 6, 10, and 12 should no longer occur, as we have no reason to cross-list domains on multiple lists. Our testpoints (2.0.0.127 and test.uribl.com) are the only items that are cross listed, and they should return the bitmasked value for the combined hits, currently 127.0.0.14.
To test functionality of the lists, we have published test points on each zone. 2.0.0.127 and test.uribl.com. Using the host or dig command can be your friend... If you need to lookup a domain in our database and do not want to mess with a DNS call, please use our Lookup Form .
LISTED TEST RESULTS # host -tA 2.0.0.127.multi.uribl.com 2.0.0.127.multi.uribl.com has address 127.0.0.14 # ping 2.0.0.127.multi.uribl.com PING 2.0.0.127.multi.uribl.com (127.0.0.2) 56(84) bytes of data. 64 bytes from 127.0.0.14: icmp_seq=0 ttl=64 time=0.033 ms NOT LISTED TEST RESULTS # host -tA domain.tld.multi.uribl.com Host domain.tld.multi.uribl.com not found: 3(NXDOMAIN) # ping domain.tld.multi.uribl.com ping: unknown host domain.tld.multi.uribl.com TEST POINTS # host -tTXT test.uribl.com.multi.uribl.com test.uribl.com.multi.uribl.com text "permanent testpoint" # host -tTXT 2.0.0.127.multi.uribl.com 2.0.0.127.multi.uribl.com text "permanent testpoint"
Our public mirror infastructure consists of donated hardware and bandwidth. If you abuse it, we will block your IP, or your nameserver IP that is producing the excessive queries.
Disable DNSBL Queries in SpamAssassin
To prevent SpamAssassin from sending DNS queries to our public mirrors, one should zero out the following URIBL tests by adding them to your local.cf
score URIBL_BLACK 0 score URIBL_RED 0 score URIBL_GREY 0 score URIBL_BLOCKED 0
NOT BLOCKED # host -tA 2.0.0.127.multi.uribl.com 2.0.0.127.multi.uribl.com has address 127.0.0.14 BLOCKED - NEGATIVE RESPONSE ACL # host -tA 2.0.0.127.multi.uribl.com Host 2.0.0.127.multi.uribl.com not found: 3(NXDOMAIN) * Negative response ACLs will be converted to split-horizon filtering if no action is taken. BLOCKED - SPLIT-HORIZON DNS FILTER # host -tA blocked.uribl.com blocked.uribl.com has address 127.0.0.255 * A 'ping' instead of 'host -tA' will also work. * A negative response means the NS is not bLocked at this level. BLOCKED - POSITIVE RESPONSE ACL # host -tA 2.0.0.127.multi.uribl.com 2.0.0.127.multi.uribl.com has addressIf you use your ISP Nameservers for resolution, and they are blocked, consider running your own caching nameserver. Otherwise, consider the commercial datafeed service to run local copies of the URIBL zones and keep your queries on your own network.(削除) 127.0.0.255 (削除ここまで)127.0.0.1 (As supported by SpamAssassin) # host -tTXT 2.0.0.127.multi.uribl.com 2.0.0.127.multi.uribl.com descriptive text "1.2.3.4 has been block due to excessive queries." * Positive ACLs will only be used for extreme cases.