*UPDATE 2*
I have created an API for all sorts of email- and IP-related info. Read more here: Api for talos reputation (previous senderbase.org), senderscore, reputation authority and blacklists.
*UPDATE*
Since this no longer works, I have created a solution in C# for now. It is not as “fancy”, but it does the job. Go here to read the post: Public senderbase dns lookup is closed, here is how to look it up in c# using HttpClient and HtmlAgilityPack
Senderbase is similar to Senderscore: it is a reputation score for your IP address and/or domain. You can use the website http://www.senderbase.org/ to look up your IP, but if you just want to check it from the command line, this is how you do it.
First, a little about how the reputation is calculated.
Reputation scores in SenderBase may range from -10 to +10, reflecting the likelihood that a sending IP address is trying to send spam. Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.
SenderBase combines multiple sources of information to determine a “reputation score” for any IP address. This information includes:
- Email volume information provided by tens of thousands of organizations that regularly receive Internet email
- Spam complaints received by the SpamCop service
- Information on other DNS-based blacklists
This is the command to get the score if your IP is 1.2.3.4 (note that the octets are reversed in the query name):
```
nslookup -type=txt 4.3.2.1.rf.senderbase.org

Non-authoritative answer:
4.3.2.1.rf.senderbase.org text = "5.5"
```
Here is the tricky part: if you do a lookup on the website you get a grouped reputation of Poor, Neutral or Good. So how do you know where the score from the DNS lookup fits?
These are my findings:
Poor is between -10 and -1
Neutral is between -1 and 2
Good is between 2 and 10
If you have any other knowledge about the classification from the scoring please let me know in the comments.
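The query-name construction and the score bands described above, as an added example (not the author's code): it builds the reversed-octet name, pulls the TXT value out of a constructed sample answer, and maps it to Poor, Neutral or Good. Nothing is queried, since the public zone no longer answers (see the update at the top); the function names, the optional zone argument and the treatment of the shared band edges are assumptions.

```shell
#!/bin/sh
# Added example, not the post author's code. No live DNS query is made.

# Build the reversed-octet query name: 1.2.3.4 -> 4.3.2.1.rf.senderbase.org
# The optional second argument (zone) is an assumption of this sketch.
sb_qname() {
    ip=$1
    zone=${2:-rf.senderbase.org}
    # Only digits and single dots, no leading or trailing dot.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets; $1..$4 are now the fields
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Read nslookup-style output on stdin and print the first quoted TXT value.
sb_txt_value() {
    sed -n 's/.*text = "\(.*\)".*/\1/p' | head -n 1
}

# Map a score to the bands from the post. The post's bands share the edges
# -1 and 2; counting both edges as Neutral is an assumption made here.
sb_band() {
    awk -v s="$1" 'BEGIN {
        if (s !~ /^[+-]?[0-9]+(\.[0-9]+)?$/ || s < -10 || s > 10) exit 1
        if (s < -1) print "Poor"
        else if (s <= 2) print "Neutral"
        else print "Good"
    }'
}

# Constructed sample in the answer format shown in the post.
sample='Non-authoritative answer:
4.3.2.1.rf.senderbase.org text = "5.5"'
score=$(printf '%s\n' "$sample" | sb_txt_value)
printf '%s -> %s (%s)\n' "$(sb_qname 1.2.3.4)" "$score" "$(sb_band "$score")"
```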
Hello,
Since 23 March this check no longer works.
Result is now: DNS Record not found
Yeah, I will research and update the post with my findings.
Maybe the public service is discontinued.
** server can’t find 4.3.2.1.rf.senderbase.org: NXDOMAIN
This type of query works:
host -t txt 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org
1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org descriptive text “|0=5.1|1=0.0|2=0.3336|3=0.5|7=AvNDhNIaN|10=0,0|”
(found digging around this problem)
but I have no idea how the prefix is calculated.
Yeah, you found that on this blog right? https://refikunver.wordpress.com/2016/05/18/esa-ironport-sender-base-and-dns-how-it-works/
All that they are doing is sniffing the traffic with IronPort installed. Not very public 😉
The response I got from Cisco when reaching out was that they discontinued the public lookup, but no answer why. I will continue the discussion and see where it leads.
Btw, do you really get a response using that rf in your comment? I don’t.
I was using this public service myself, but also noticed it stopped working recently.
I did your test:
host -t txt 1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org
1-1569def8d9137c6f0dfef01fc43c5f39.142.36.123.93.v1x2s.rf-adfe2ko9.senderbase.org descriptive text “|0=5.1|1=0.0|2=0.3336|3=0.5|7=AvNDhNIaN|10=0,0|”
But that’s all, I’m not able to query anymore. Maybe we need to do some sniffing on the IronPort itself.
I made a webapi with some nice to have endpoints: https://www.dattaproffs.se/2017/10/29/api-talos-reputation-previous-senderbase-senderscore-reputation-authority-blacklists/
Thanks for the API you built. Just an FYI, Senderbase’s RDNS address for the IP 101.109.184.77 would be:
nslookup -type=txt 77.184.109.101.query.senderbase.org
Np, I will give it some more love soon. I know that’s how you query it, but they removed the interesting data from that query years ago. Then you could go *.*.*.*.rf.senderbase.org, but they removed that too. That’s why I built the API.
/F