Internet security & antispam

Using the Enemieslist Classifications

About the classifications used by Enemieslist

Enemieslist works by classifying hostnames (PTR records) in order to allow policy to be applied in various contexts, from inbound SMTP to reputation analysis to simply adding more useful data points to data related to host naming conventions. Each naming convention is captured as a pattern (fully-qualified regular expression based on the PTR in question). A class based on assignment type and other factors is then associated with the pattern in question, along with whatever we can determine regarding the technology likely to be in use by hosts with that naming convention.

As such, it has been implemented and integrated in various ways, whether as a component in a standalone analysis program, as a module hard-wired into high-volume inbound SMTP MTAs, as a factor in risk assessment in antispam appliances, or via the DNSBL query interface. Example integrations for various open source MTA platforms are available, as are two open source C libraries for use in standalone contexts or direct MTA platform integration, or as a reference implementation for other environments.

Explanation of the classifications

The strings below are classifications of host naming conventions. They range from the usual notion of assignment type (static versus dynamic); through generic, provider-assigned rDNS that indicates neither; to more specific types such as resnet, webhost, or legitimate mail source; to NAT, PAT, or proxy hosts (which may themselves be static but likely emit traffic from hosts of various types behind them); and to hosts whose naming indicates that the range is unused or otherwise not assigned (yet is obviously in use, suggesting either a hijacked range or one that is not well monitored). A short explanation of each type follows. (When using the DNSBL, these classes are returned as 127/8 responses when a query for an "A" record matches a known pattern. Contact us for an explanation of how to query the DNSBL.)

generic: Provider-assigned, generically named rDNS; the naming gives no indication of static or dynamic nature. Could be either end-user/customer space or LAN/WAN space within a telco, ISP, corporation, or other organization.
static: Believed to be statically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of the assignment (as with DSL in the Netherlands, which is nearly always statically assigned even to consumer end users).
dynamic: Believed to be dynamically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of the assignment (as with ADSL in much of the US).
spammer: The provider has explicitly marked this host as one from which you should not accept mail because it belongs or belonged to a spammer.
resnet: RESidential NETworks, provided to students by universities. The source of a great deal of spam and abuse, especially during semester changeovers, when what may be a statically assigned IP in a dorm is now in use by another computer (and more often than not, poorly secured by the new owner). You will often see a random assortment of traffic patterns as friends drop by to use the resident's Wifi network.
unassigned: Naming indicates that the host is not assigned by the ISP, so it is either poorly maintained (assigned, but the name has not been updated to reflect that fact) or possibly hijacked.
natproxy: Host is a NAT, PAT, proxy, or other fixed IP with unknown mail and abuse sources behind it. Suffers from poor security in many cases due to a lack of preventative measures on the LAN side; hosts inside the network are allowed to emit outbound SMTP without restriction.
(mixed static/dynamic): Host naming reflects static but hosts are known to be dynamically assigned, or vice versa; or naming is generic and the provider makes no effort to indicate and distinguish static versus dynamic hosts.
badrdns: Laughably mangled PTRs, invalid or missing top-level domains, etc.
compact: Regex is left-anchored and only extends to the first dot in the name, i.e. it describes the first label only. (Currently not implemented in the DNSBL.)
rightanchor: Substring (e.g. "dyn.example.net") that doesn't require regular expressions to match. Longer substrings are MORE specific, so "dyn.dsl.example.net", if also present with "dsl.example.net", should match BEFORE the latter. (Currently not implemented in the DNSBL.)
webhost: Naming in use by mass virtual hosting providers. Likely sources of legitimate mail (so especially likely to be found in HELO during legitimate mail) but also a high probability of phishing scam mail. Also contains hosts that are Web servers; use tech to distinguish.
For dedicated or co-located servers on Web hosting and colo providers with generic naming. Distinct from webhost where possible. Formerly static/colo; may also describe some patterns formerly thought of as webhost.
(legitimate mail source): Mass webmail or other hosted mail solution, ISP/telco mail server farm, or other large-scale mail hosting operation. As the pattern set grows this class includes more and more smaller-scale mail servers, so don't assume large mail farms by default. Also includes high-volume senders such as ESPs or transactional servers. NOTE: there is also a version of the dataset that includes an additional "type" classification, for this class only, that distinguishes between the following:

  broadcastcon: sends bulk mail targeting consumers
  broadcastbiz: sends bulk mail targeting businesses
  broadcasttrad: servers providing traditional mailing lists
  transactional: mail systems sending specifically transactional mail
  organization: mail systems sending from businesses and organizations
  isp: mail systems sending from ISPs and telcos

cloud: Possibly dynamically allocated "cloud" computing; may also refer to statics. Only separated out here to distinguish between cloud services and more traditional VPS and single-server platforms.

Explanation of "tech" classifications

These classifications refer to the technology presumed to be in use by hosts whose names match a given naming convention. They are based on various detection methods, such as SMTP banners, Web sites, hostnames, or tokens within the hostnames themselves. When "class" and "tech" are paired, fine-grained policy can be applied: the same class (say, dynamic) warrants different handling depending on whether the tech indicates a consumer DSL line or a named MTA. (These strings are returned by the DNSBL as the result of a "TXT" query, or by the command-line tools and libraries during a lookup. Contact us for instructions on how to query the DNSBL.)
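The matching rules described above for the compact and rightanchor pattern kinds, together with a class-plus-tech policy decision, as an added example in Python. This is not Enemieslist's own code (the project's reference libraries are in C, and the DNSBL query format is not documented on this page). The pattern records and hostnames are constructed for the example; the precedence among pattern kinds (full regex, then longest right-anchored suffix, then compact first-label regex), the label-boundary suffix match, the badrdns heuristics, the "nomatch" sentinel and the policy table are all assumptions made here, not the project's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Pattern:
    """One naming convention mapped to a (class, tech) pair. Hypothetical record layout."""
    kind: str    # "regex" (full match), "rightanchor" (suffix), or "compact" (first label)
    text: str
    klass: str
    tech: str


# Constructed sample dataset for the example; invented names, not Enemieslist data.
PATTERNS: List[Pattern] = [
    Pattern("regex", r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dyn\.example\.net$", "dynamic", "dsl"),
    Pattern("rightanchor", "dsl.example.net", "generic", "dsl"),
    Pattern("rightanchor", "dyn.dsl.example.net", "dynamic", "dsl"),
    Pattern("rightanchor", "mx.example.org", "generic", "postfix"),
    Pattern("compact", r"^static-", "static", "unknown"),
    Pattern("compact", r"^resnet-", "resnet", "resnet"),
    Pattern("compact", r"^spammer-", "spammer", "unknown"),
]

_REGEX = [(re.compile(p.text, re.I), p) for p in PATTERNS if p.kind == "regex"]
_COMPACT = [(re.compile(p.text, re.I), p) for p in PATTERNS if p.kind == "compact"]
# Longest suffix first, so dyn.dsl.example.net wins over dsl.example.net.
_RIGHTANCHOR = sorted((p for p in PATTERNS if p.kind == "rightanchor"),
                      key=lambda p: len(p.text), reverse=True)

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so matching is case- and FQDN-insensitive."""
    return name.strip().rstrip(".").lower()


def is_bad_rdns(name: str) -> bool:
    """Assumed badrdns heuristics: malformed labels, no dot (no TLD), or an all-numeric TLD."""
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return True
    return labels[-1].isdigit()


def lookup(ptr: str) -> Tuple[str, str]:
    """Return (class, tech) for a PTR name; "nomatch" is this example's own sentinel."""
    name = normalize(ptr)
    if is_bad_rdns(name):
        return ("badrdns", "unknown")
    for rx, p in _REGEX:                      # fully-qualified regex: whole name must match
        if rx.fullmatch(name):
            return (p.klass, p.tech)
    for p in _RIGHTANCHOR:                    # longest suffix first
        # Matched on a label boundary (assumption) so "notdsl.example.net"
        # does not match the "dsl.example.net" pattern.
        if name == p.text or name.endswith("." + p.text):
            return (p.klass, p.tech)
    first_label = name.split(".", 1)[0]
    for rx, p in _COMPACT:                    # left-anchored, first label only
        if rx.match(first_label):
            return (p.klass, p.tech)
    return ("nomatch", "unknown")


# Tech values that indicate a real MTA rather than an end-user device (assumed set).
MTA_TECH = {"postfix", "sendmail", "exim", "qmail", "msexchange", "smarthost", "powermta"}


def smtp_policy(klass: str, tech: str) -> str:
    """Illustrative inbound-SMTP action from a (class, tech) pair."""
    if klass == "spammer":
        return "reject"
    if klass in {"dynamic", "resnet", "badrdns", "unassigned"}:
        # End-user space: reject, unless naming says a named MTA sits there,
        # in which case greylist rather than drop it outright.
        return "greylist" if tech in MTA_TECH else "reject"
    if klass in {"generic", "natproxy", "cloud", "nomatch"}:
        return "accept" if tech in MTA_TECH else "greylist"
    return "accept"   # static, webhost, legitimate mail source, ...


def decide(ptr: str) -> dict:
    klass, tech = lookup(ptr)
    return {"ptr": ptr, "class": klass, "tech": tech, "action": smtp_policy(klass, tech)}


if __name__ == "__main__":
    for host in ["1-2-3-4.dyn.example.net", "host.dyn.dsl.example.net",
                 "host.dsl.example.net", "mx1.mx.example.org", "1.2.3.4"]:
        print(decide(host))
```

The point of the ordering is the one the rightanchor entry makes: a suffix table must be searched longest-first, or a generic "dsl.example.net" entry silently swallows the more specific "dyn.dsl.example.net" one and a dynamic host is scored as generic.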

activehunter: this outmx is running ActiveHunter antispam software
antivirus: this IP is running antivirus software
argosoft: this outmx is running ArGoSoft Mail Server
atm: this IP is an ATM link
avas: this outmx is running antivirus/antispam software
barracuda: this IP is running a Barracuda appliance
borderware: this IP is running Borderware
broadband: this IP is generic broadband
cable: this IP is a cable link
canit: this outmx is running a CanIT SMTP server
cellopoint: this outmx is a Cellopoint Email Firewall
cisco: this IP is running a Cisco appliance
cobalt: this IP is a Cobalt firewall appliance
colo: this IP is allocated to a colocation service
communigatepro: this outmx is running CommuniGate Pro mail server
confixx: this webhost is using Parallels Confixx
copier: this IP is a copier
cpanel: this webhost is running the cPanel Web hosting software
dav: this IP is serving DAV (distributed authoring and versioning) clients
dialup: this IP is a dialup
directadmin: this webhost is running the DirectAdmin control panel for Red Hat Enterprise Linux and FreeBSD
dsl: this IP is a DSL line
edgewave: this IP is an EdgeWave security filtering appliance
eims: this outmx is running the Eudora Internet Mail Server
ensim: this webhost is running Ensim
ethernet: this IP is an ethernet link (probably Metro Ethernet)
exim: this outmx is running Exim
expressmail: this outmx is running Express Mail Server
fiber: this IP is a fiber link
framerelay: this IP is a frame relay link
froxlor: this webhost is running the Froxlor control panel
fsecure: this outmx is running F-Secure SMTP server
ftth: this IP is a residential fiber link
gprs: this IP is a mobile phone
gridserver: this IP is a "cloud" computing webhost
groupwise: this outmx is running Novell GroupWise
hsphere: this webhost is running the HSphere control panel
icecap: this IP is running Icecap IDS
imail: this outmx is running IPSwitch IMail
imsva: this outmx is running Trend Micro's InterScan Messaging Security Virtual Appliance
indimail: this outmx is running IndiMail
infrastructure: this IP is network infrastructure (router, switch, etc.)
interscan: this outmx is running Trend Micro InterScan server
iplanet: this outmx is running the Sun iPlanet server
ironport: this outmx is an IronPort antispam appliance
isdn: this IP is ISDN
ispcp: this webhost is running ispCP Omega hosting control panel
javamail: this outmx is running Sun JavaMail
joomla: this webhost is running Joomla
kerio: this IP is running a Kerio security appliance
lan: this IP is on a LAN
leasedline: this IP is on a leased line
linux: this webhost is running Linux
litemail: this outmx is running the LiteMail mail server
lotusdomino: this outmx is running Lotus Domino
lotusnotes: this outmx is running Lotus Notes
lyris: this outmx is running Lyris mailing list software
mail2000: this outmx is running Mail2000 SMTP server
mailcleaner: this outmx is running MailCleaner SMTP server
mailenable: this outmx is running MailEnable SMTP server
mailmarshal: this outmx is running MailMarshal mail server software
mailmax: this outmx is running MailMax mail server software
mailsite: this outmx is running the MailSite Fusion mail server software
mplus: this outmx is running the M+ mail server software
mdaemon: this outmx is running the MDaemon mail server
merak: this outmx is running Merak mail server
microsoftmail: this IP is running Microsoft Mail Service
mirapoint: this outmx is a Mirapoint appliance
modusmail: this outmx is running ModusMail mail server
msexchange: this outmx is running Microsoft Exchange
nameserver: this IP is a DNS nameserver
natproxy: this IP is a NAT, PAT or proxy
netscaler: this IP is running the Citrix NetScaler load balancing software
netstation: this outmx is running the NetStation Mailer mail server software
network: this IP is on a LAN or VLAN
novonyx: this outmx is running the Netscape/Novell Novonyx server
ntmail: this outmx is running NTMail
outlookwebaccess: this IP is running the Microsoft Outlook Web Access service
p2p: this IP is running a peer-to-peer server
pat: this IP is providing PAT service
pix: this IP is a Cisco PIX firewall device
plesk: this webhost is running the Plesk Web hosting software
pmdf: this outmx is running the Process Software PMDF mail server software
postfix: this outmx is running Postfix
postoffice: this outmx is running Post.Office SMTP server
powermta: this outmx is running the PowerMTA mail server gateway
pppoe: this IP is a PPP over Ethernet link
pptp: this IP is a Point-to-Point Tunneling Protocol endpoint
printer: this IP is a printer
proxmox: this IP is running Proxmox
proxy: this IP is running proxy software
qmail: this outmx is running qmail
qpsmtpd: this outmx is running the qpsmtpd mail server software
raq: this IP is a Cobalt / Sun RaQ server
redcondor: this outmx is a Red Condor appliance
resnet: this IP is a university residential network
router: this IP is a router
satellite: this IP is a satellite link
sendmail: this outmx is running sendmail
serial: this IP is a serial line
server: this IP is a server
smarthost: this outmx is an SMTP smarthost
smoothzap: this outmx is running SmoothZap SMTP server
sonicwall: this IP is a SonicWall firewall appliance
sophosmail: this outmx is running Sophos Mail server
spanel: this webhost is running the Spanel control panel
stalker: this outmx is running the Stalker mail server
strongmail: this outmx is a StrongMail mail appliance
surgemail: this outmx is running the SurgeMail mail server
symantecmail: this outmx is running the Symantec mail server
t1: this IP is a trunk line
tor: this IP is a Tor node
trendmicro: this outmx is running Trend Micro mail software
unix: this IP is running a variety of Unix
unknown: the technology in use on hosts with this naming is unknown
virtuozzo: this webhost is running the Parallels Virtuozzo control panel
voip: this IP is providing Voice over IP service
vpn: this IP is a VPN gateway
vps: this IP is a Virtual Private Server
wan: this IP is part of a Wide Area Network
webhost: this IP is allocated to a Web hosting provider
webmail: this outmx is a webmail gateway
webshield: this outmx is running the McAfee WebShield antivirus mail server software
wifi: this IP is provided via Wifi
wimax: this IP is a WiMAX node
windows: this IP is running a Microsoft Windows OS
windowsxp: this IP is running Microsoft Windows XP OS
wireless: this IP is a wireless link
xwall: this outmx is running the XWall mail server software
zmailer: this outmx is running the ZMailer mail server software

Occasionally, as needs warrant, we will further subdivide or introduce new classifications for this portion of the dataset. For now, lookups for HELO/EHLO strings and lookups for PTR strings share a common backend pattern dataset. (The reason for querying a different zone for each string type is to distinguish, in logging, between valid PTR records and possibly fictional HELO strings, so that bogus HELO names do not muddy the dataset with spurious new pattern candidates.)