Introduction
We aim to offer the most advanced and precise threat intelligence possible through Guardian Mail.
We strongly advocate the “Release Early, Release Often” approach, which gives our customers early access to our work. This allows them to test and provide feedback on our progress if they so desire.
We provide access to beta lists as separate DNS zones and through rsync. For rsync customers, access is granted in the “beta-lists” module, which can be enabled in the getabusix.conf file.
Zones
btc-wallets (Bitcoin Wallets)
Status: Beta
Type: SHA-1 hash
Cloud DNS namespace: <APIKEY>.btc-wallets.mail-beta.abusix.zone.
Rsync File: beta-lists/btc-wallets.zone
Return Codes: 127.0.4.1
Test Points: 127.0.0.2
Listing Duration: Approximately 5.2 days after last seen
Description
We developed this zone to list BTC Wallet addresses seen in the message body of spam sent to traps.
Because a BTC Wallet address cannot be represented in a DNS query, it is SHA-1 hashed, and the hash value is used for the lookup instead of the address.
For example:
SHA-1(15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw) -> e108c5b4bde457dcc35f009d05a21fa383eda04c
attachhash (Attachments)
Status: Beta
Type: SHA-1 hash
Cloud DNS namespace: <APIKEY>.attachhash.mail-beta.abusix.zone.
Rsync File: beta-lists/attachhash.zone
Return Codes: 127.0.5.1
Test Points: 127.0.0.2, 127.0.5.1, 3395856ce81f2b7382dee72602f798b642f14140 (EICAR with trailing newline), cf8bd9dfddff007f75adf4c2be48005cea317c62 (EICAR)
Listing Duration: Approximately 5.2 days after last seen
Description
This experimental zone lists the SHA-1 hashes of any attachments our trap network sees.
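The two hash-keyed zones above can be checked from a mail filter as in the following added example, which is not Abusix's own code. It assumes the usual DNSBL query layout `<sha1>.<APIKEY>.<namespace>`, that attachments are hashed over their decoded bytes, and that wallet addresses have the legacy Base58 form of the example above; `APIKEY`, the function names and the sample message are constructed for illustration.

```python
import hashlib
import re
import socket
from email import message_from_bytes, policy
from email.message import EmailMessage

# Namespaces and return codes as listed on this page.
ZONES = {
    "btc-wallets": ("btc-wallets.mail-beta.abusix.zone.", "127.0.4.1"),
    "attachhash": ("attachhash.mail-beta.abusix.zone.", "127.0.5.1"),
}
# Assumption: legacy Base58 address shape (the form of the page's example).
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def query_name(zone, sha1_hex, apikey):
    # Assumption: standard DNSBL layout, <sha1>.<APIKEY>.<zone namespace>
    return f"{sha1_hex}.{apikey}.{ZONES[zone][0]}"

def message_lookups(raw, apikey):
    """Return (zone, query name) pairs for each wallet and attachment in a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""  # bytes after base64/QP decoding
            digest = hashlib.sha1(data).hexdigest()
            out.append(("attachhash", query_name("attachhash", digest, apikey)))
        elif part.get_content_maintype() == "text":
            for addr in sorted(set(BTC_RE.findall(part.get_content()))):
                digest = hashlib.sha1(addr.encode("ascii")).hexdigest()  # case preserved
                out.append(("btc-wallets", query_name("btc-wallets", digest, apikey)))
    return out

def is_listed(zone, name, resolve=socket.gethostbyname):
    """True when the A record equals the zone's return code; a failed lookup means not listed."""
    try:
        return resolve(name) == ZONES[zone][1]
    except OSError:  # socket.gaierror (NXDOMAIN) is a subclass
        return False

def sample_message():
    # Constructed sample: wallet address from the page's example plus a 3-byte attachment.
    m = EmailMessage()
    m.set_content("Pay 0.5 BTC to 15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw today.")
    m.add_attachment(b"abc", maintype="application", subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()
```

The `resolve` parameter lets the lookup be stubbed in tests; in production, replace `"APIKEY"` with the real key and leave the default resolver in place.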
forged
Status: Beta
Cloud DNS namespace: N/A, not currently published
Rsync File: beta-lists/forged.zone
Return Codes: 127.0.0.5
Test Points: 127.0.0.2, 127.0.0.5
Listing Duration: Approximately 5.2 days after last seen
Description
This zone lists IP addresses that we have observed either forging mail from our trap domains or sending mail from domains that return SPF Fail results.
backscatter
Status: Beta
Cloud DNS namespace: N/A, not currently published
Rsync File: beta-lists/backscatter.zone
Return Codes: 127.0.0.6
Test Points: 127.0.0.2, 127.0.0.6, ::FFFF:7F00:2, ::FFFF:7F00:6
Listing Duration: Approximately 5.2 days after last seen
Description
This zone lists IP addresses that have sent bounce messages to our traps. Our trap domains are never used to send email, so any bounce message we receive exists because someone else forged our domain. A host that sends us such a bounce incorrectly accepted one of these forged messages and is therefore sending us “backscatter.”
Backscatter can be a big problem if a domain is forged and used for a large spam run, and this zone can help mitigate the fallout from this.
Unlike other blacklists, our only inclusion criteria are DSN/MDN messages; we do not consider “Sender Verification” or “Sender Callouts” as backscatter.
emailbl
Status: Beta
Type: SHA-1 hash
Cloud DNS namespace: <APIKEY>.emailbl.mail-beta.abusix.zone
Rsync File: beta-lists/emailbl.zone
Description
More information on this zone is coming soon.