Beta Zones

Introduction

We aim to offer the most advanced and precise threat intelligence possible through Guardian Mail.

We strongly advocate the “Release Early, Release Often” approach, which gives our customers early access to our work. This allows them to test and provide feedback on our progress if they so desire.

We provide access to beta lists as separate DNS zones and through rsync. For rsync customers, access is granted in the “beta-lists” module, which can be enabled in the getabusix.conf file.

Important Note: Beta lists may be incomplete, inaccurate, or poorly tested, and may be removed at any time. Therefore, it is strongly advised not to use these beta lists in production or to reject mail; they should only be used for reporting or for weak scoring.

Zones


btc-wallets (Bitcoin Wallets)

Status:

Beta

Type:

SHA-1 hash

Cloud DNS namespace:

<APIKEY>.btc-wallets.mail-beta.abusix.zone.

Rsync File:

beta-lists/btc-wallets.zone

Return Codes:

127.0.4.1

Test Points:

127.0.0.2

Listing Duration:

Approximately 5.2 days after last seen

Description

We developed this zone to list BTC Wallet addresses seen in the message body of spam sent to traps.

Because a BTC Wallet address cannot be represented in a DNS query, each address is SHA-1 hashed, and the hash value is used for the lookup instead of the address itself.

For example:

SHA-1(15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw) ->
e108c5b4bde457dcc35f009d05a21fa383eda04c
💡 Info: As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform.

Rspamd: Please look at our set-up instructions for rspamd, which contain the necessary code to do these lookups. See Getting Started.

attachhash (Attachments)

Status:

Beta

Type:

SHA-1 hash

Cloud DNS namespace:

<APIKEY>.attachhash.mail-beta.abusix.zone.

Rsync File:

beta-lists/attachhash.zone

Return Codes:

127.0.5.1

Test Points:

127.0.0.2, 127.0.5.1, 3395856ce81f2b7382dee72602f798b642f14140 (EICAR with trailing newline), cf8bd9dfddff007f75adf4c2be48005cea317c62 (EICAR)

Listing Duration:

Approximately 5.2 days after last seen

Description

This experimental zone lists the SHA-1 hashes of any attachments our trap network sees.

💡 Info: As this is an entirely new type of anti-spam check, it will require support to be added to your chosen mail platform.

Rspamd: Please look at our set-up instructions for rspamd, which contain the necessary code to do these lookups. See Getting Started.

forged

Status:

Beta

Type:

Cloud DNS namespace:

N/A, not currently published

Rsync File:

beta-lists/forged.zone

Return Codes:

127.0.0.5

Test Points:

127.0.0.2, 127.0.0.5

Listing Duration:

Approximately 5.2 days after last seen

Description

This zone lists IP addresses that we have observed either forging mail from our trap domains or sending mail from domains that return SPF Fail results.

Important Note: This list is not currently well-tested and is very much a work in progress, so it is not recommended to use this for anything other than scoring or testing.

backscatter

Status:

Beta

Type:

Cloud DNS namespace:

N/A, not currently published

Rsync File:

beta-lists/backscatter.zone

Return Codes:

127.0.0.6

Test Points:

127.0.0.2, 127.0.0.6, ::FFFF:7F00:2, ::FFFF:7F00:6

Listing Duration:

Approximately 5.2 days after last seen

Description

This zone lists IP addresses that have sent bounce messages to our traps. Our trap domains are never used to send email, so any bounce message we receive exists because someone else forged our domain. Any host sending us bounce messages has therefore incorrectly accepted one of these forged messages and is sending us “backscatter.”

Backscatter can be a big problem if a domain is forged and used for a large spam run, and this zone can help mitigate the fallout from this.

Unlike other blacklists, our only inclusion criteria are DSN/MDN messages; we do not consider “Sender Verification” or “Sender Callouts” as backscatter.

Warning: This zone should NEVER be used as a regular DNSBL; it should only ever be applied to messages that have a null Return-Path (e.g., MAIL FROM:<>).

emailbl

Status:

Beta

Type:

SHA-1 hash

Cloud DNS namespace:

<APIKEY>.emailbl.mail-beta.abusix.zone

Rsync File:

beta-lists/emailbl.zone

Description

More information on this zone is coming soon.
