Internet security & antispam
Enemieslist works by classifying hostnames (PTR records) in order to allow policy to be applied in various contexts, from inbound SMTP to reputation analysis to simply adding more useful data points to data related to host naming conventions. Each naming convention is captured as a pattern (fully-qualified regular expression based on the PTR in question). A class based on assignment type and other factors is then associated with the pattern in question, along with whatever we can determine regarding the technology likely to be in use by hosts with that naming convention.
As such, it has been implemented and integrated in various ways, whether as a component in a standalone analysis program, as a module hard-wired into high-volume inbound SMTP MTAs, as a factor in risk assessment in antispam appliances, or via the DNSBL query interface. Example integrations for various open source MTA platforms are available, as are two open source C libraries for use in standalone contexts or direct MTA platform integration, or as a reference implementation for other environments.
The strings below represent classifications of host naming conventions. These classes range from the standard understanding of assignment type in terms of staticity or dynamicity, to generic, provider-assigned rDNS without indicated static or dynamic status, to other, more specific types such as resnet, webhost, or legitimate mail source, to NAT or PAT or proxy hosts (which may be static but likely emit traffic from hosts of various types behind them), to hosts whose naming indicates that the range is unused or otherwise not assigned (but obviously in use, suggesting either hijacked or not well monitored). What follows is a short explanation of each type. (When using the DNSBL, these classes are returned as 127/8 responses if a given query for an "A" record matches a known pattern. Contact us for an explanation of how to query the DNSBL).
generic | Provider-assigned, generically named rDNS; naming gives no indication of static or dynamic nature. Could be either end-user/customer space or LAN/WAN space within a telco, ISP, corporation, or other organization.
static | Believed to be statically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of assignment (as with DSL in the Netherlands, which is nearly always statically assigned even to consumer end users).
dynamic | Believed to be dynamically assigned, based either on naming or on research such as information found on a Web site or obtained from sources familiar with the nature of assignment (as with ADSL in much of the US).
spammer | The provider has explicitly marked this host as one from which you should not accept mail because it belongs or belonged to a spammer.
resnet | RESidential NETworks, provided to students by universities. The source of a great deal of spam and abuse, especially during semester changeovers, when what may be a statically assigned IP in a dorm is now in use by another computer (and more often than not, poorly secured by the new owner). You will often see a random assortment of traffic patterns as friends drop by to use the resident's Wifi network.
unassigned | Naming indicates that the host is not assigned by the ISP, and so is either poorly maintained (assigned, but the name has not been updated to reflect that fact) or possibly hijacked.
natproxy | Host is a NAT, PAT, proxy, or other fixed IP with unknown mail and abuse sources behind it. Suffers from poor security in many cases due to a lack of preventative measures on the LAN side; hosts inside the network are allowed to emit SMTP outbound without restriction.
mixed (mixed static/dynamic) | Host naming reflects static but hosts are known to be dynamically assigned, or vice versa, or naming is generic but the provider does not make an effort to indicate and distinguish static versus dynamic hosts.
badrdns | Laughably mangled PTRs, invalid or missing top level domains, etc.
compact | Regex is left-anchored and only extends to the first 'dot' in the name. (Currently not implemented in the DNSBL.)
rightanchor | Substring (e.g. "dyn.example.net") that doesn't require regular expressions to match. Longer substrings are MORE specific, so that "dyn.dsl.example.net", if also present with "dsl.example.net", should match BEFORE the latter. (Currently not implemented in the DNSBL.)
webhost (shared) | Naming in use by mass virtual hosting providers. Likely sources of legitimate mail (so, especially likely to be found in HELO during legitimate mail) but also a high probability of phishing scam mail. Also contains hosts that are Web servers; use tech to distinguish.
dedhost (dedicated) | For dedicated or co-located servers on Web hosting and colo providers with generic naming. Distinct from webhost where possible. Formerly static/colo; may also describe some patterns formerly thought of as webhost.
outmx (legitimate mail source) | Mass webmail or other hosted mail solution, ISP/telco mail server farm, or other large-scale mail hosting operation. As the pattern set grows, this class includes more and more smaller-scale mail servers, so don't assume large mail farms by default. Also includes high volume senders such as ESPs or transactional servers. NOTE: there is also a version of the dataset that includes another classification for "type", for this class only, that distinguishes between the following:
cloud | Possibly dynamically allocated "cloud" computing; may also refer to statics. Only separated out here to distinguish between cloud services and more traditional VPS and single-server platforms.
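As an added example (not part of this page and not Enemieslist's own code), the following Python sketch applies the three pattern forms described above, a full-name regex, a left-anchored compact pattern on the first label, and right-anchored substrings with longest-match precedence, to a PTR name and then turns the resulting class/tech pair into an inbound-SMTP decision. The sample patterns, the precedence among pattern kinds, the label-boundary rule for right-anchored substrings, and the policy table are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pattern:
    kind: str    # "regex", "compact" or "rightanchor": the three pattern forms described above
    text: str
    klass: str   # assignment-type class, e.g. "dynamic", "outmx"
    tech: str    # presumed technology, e.g. "dsl", "postfix"; "unknown" if undetermined


# Constructed sample patterns for illustration only; not Enemieslist data.
PATTERNS = [
    Pattern("regex", r"^dsl-\d+-\d+-\d+-\d+\.dyn\.example\.net$", "dynamic", "dsl"),
    Pattern("compact", r"mx\d+", "outmx", "postfix"),          # applied to the first label only
    Pattern("rightanchor", "dyn.dsl.example.net", "dynamic", "dsl"),
    Pattern("rightanchor", "dsl.example.net", "generic", "dsl"),
    Pattern("rightanchor", "spam.example.net", "spammer", "unknown"),
]


def classify(ptr: str) -> Optional[Pattern]:
    """Return the most specific matching pattern for a PTR name, or None if nothing matches."""
    host = ptr.rstrip(".").lower()
    first_label = host.split(".", 1)[0]
    # Assumed precedence: a full-name regex is most specific, then a compact
    # (first-label) pattern, then the longest matching right-anchored substring.
    for p in PATTERNS:
        if p.kind == "regex" and re.fullmatch(p.text, host):
            return p
    for p in PATTERNS:
        if p.kind == "compact" and re.fullmatch(p.text, first_label):
            return p
    # Right-anchored substrings: require a label boundary (an assumption) and
    # prefer the longest, so "dyn.dsl.example.net" wins over "dsl.example.net".
    anchored = [p for p in PATTERNS if p.kind == "rightanchor"
                and (host == p.text or host.endswith("." + p.text))]
    return max(anchored, key=lambda p: len(p.text), default=None)


def smtp_policy(match: Optional[Pattern]) -> str:
    """Illustrative inbound-SMTP decision derived from the (class, tech) pair."""
    if match is None:
        return "no-data"       # unmatched naming is not evidence either way
    if match.klass == "spammer":
        return "reject"
    if match.klass in ("dynamic", "resnet") and match.tech in ("dsl", "cable", "dialup", "gprs", "unknown"):
        return "reject"        # end-user links are expected to relay via their provider's outmx
    if match.klass in ("generic", "mixed", "natproxy", "unassigned"):
        return "greylist"      # ambiguous assignment: slow down, score, and observe
    return "accept"            # outmx, static, dedhost, webhost: normal content scoring applies
```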
These classifications, which refer to the technology presumed to be in use by hostnames with an appropriately matching naming convention, are based on various detection methods (such as SMTP banners, Web sites, hostnames, or tokens in the hostnames themselves). When both "class" and "tech" are paired, fine-grained policy applications may be carried out. (These strings are returned by the DNSBL as the result of a "TXT" query, or by the command-line tools and libraries during a lookup. Contact us for instructions on how to query the DNSBL.)
activehunter | this outmx is running ActiveHunter antispam software |
antivirus | this IP is running antivirus software |
argosoft | this outmx is running ArGoSoft Mail Server |
atm | this IP is an ATM link |
avas | this outmx is running antivirus/antispam software |
barracuda | this IP is running a Barracuda appliance |
borderware | this IP is running Borderware |
broadband | this IP is generic broadband |
cable | this IP is a cable link |
canit | this outmx is running a CanIT SMTP server |
cellopoint | this outmx is a Cellopoint Email Firewall |
cisco | this IP is running a Cisco appliance |
cobalt | this IP is a Cobalt firewall appliance |
colo | this IP is allocated to a colocation service |
communigatepro | this outmx is running CommuniGate Pro mail server |
confixx | this webhost is using Parallels Confixx |
copier | this IP is a copier |
cpanel | this webhost is running the cPanel Web hosting software |
dav | this IP is serving DAV (distributed authoring and versioning) clients |
dialup | this IP is a dialup |
directadmin | this webhost is running the DirectAdmin control panel for Red Hat Enterprise Linux and FreeBSD |
dsl | this IP is a DSL line |
edgewave | this IP is an EdgeWave security filtering appliance |
eims | this outmx is running the Eudora Internet Mail Server |
ensim | this webhost is running Ensim |
ethernet | this IP is an ethernet link (probably Metro Ethernet) |
exim | this outmx is running Exim |
expressmail | this outmx is running Express Mail Server |
fiber | this IP is a fiber link |
framerelay | this IP is a frame relay link |
froxlor | this webhost is running the Froxlor control panel |
fsecure | this outmx is running F-Secure SMTP server |
ftth | this IP is a residential fiber link |
gprs | this IP is a mobile phone |
gridserver | this IP is a "cloud" computing webhost |
groupwise | this outmx is running Novell GroupWise |
hsphere | this webhost is running the HSphere control panel |
icecap | this IP is running Icecap IDS |
imail | this outmx is running IPSwitch IMail |
imsva | this outmx is running Trend Micro's InterScan Messaging Security Virtual Appliance |
indimail | this outmx is running IndiMail |
infrastructure | this IP is network infrastructure (router, switch, etc.) |
interscan | this outmx is running Trend Micro Interscan server |
iplanet | this outmx is running the Sun iPlanet server |
ironport | this outmx is an IronPort antispam appliance |
isdn | this IP is ISDN |
ispcp | this webhost is running ispCP Omega hosting control panel |
javamail | this outmx is running Sun JavaMail |
joomla | this webhost is running Joomla |
kerio | this IP is running a Kerio security appliance |
lan | this IP is on a LAN |
leasedline | this IP is on a leased line |
linux | this webhost is running Linux |
litemail | this outmx is running the LiteMail mail server |
lotusdomino | this outmx is running Lotus Domino |
lotusnotes | this outmx is running Lotus Notes |
lyris | this outmx is running Lyris mailing list software |
mail2000 | this outmx is running Mail2000 SMTP server |
mailcleaner | this outmx is running Mailcleaner SMTP server |
mailenable | this outmx is running MailEnable SMTP server |
mailmarshal | this outmx is running MailMarshal mail server software |
mailmax | this outmx is running MailMax mail server software |
mailsite | this outmx is running the MailSite Fusion mail server software |
mplus | this outmx is running the M+ mail server software |
mdaemon | this outmx is running the MDaemon mail server |
merak | this outmx is running Merak mail server |
microsoftmail | this IP is running Microsoft Mail Service |
mirapoint | this outmx is a Mirapoint appliance |
modusmail | this outmx is running ModusMail mail server |
msexchange | this outmx is running Microsoft Exchange |
nameserver | this IP is a DNS nameserver |
natproxy | this IP is a NAT, PAT or proxy |
netscaler | this IP is running the Citrix NetScaler load balancing software |
netstation | this outmx is running the NetStation Mailer mail server software |
network | this IP is on a LAN or VLAN |
novonyx | this outmx is running the Netscape/Novell Novonyx server |
ntmail | this outmx is running NTMail |
outlookwebaccess | this IP is running the Microsoft Outlook Web Access service |
p2p | this IP is running a peer-to-peer server |
pat | this IP is providing PAT service |
pix | this IP is a Cisco PIX firewall device |
plesk | this webhost is running the Plesk Web hosting software |
pmdf | this outmx is running the Process Software PMDF mail server software |
postfix | this outmx is running Postfix |
postoffice | this outmx is running Post.Office SMTP server |
powermta | this outmx is running the PowerMTA mail server gateway |
pppoe | this IP is a PPP over ethernet link |
pptp | this IP is a Point to Point Tunneling Protocol endpoint |
printer | this IP is a printer |
proxmox | this IP is running Proxmox |
proxy | this IP is running proxy software |
qmail | this outmx is running qmail |
qpsmtpd | this outmx is running the qpsmtpd mail server software |
raq | this IP is a Cobalt / Sun RaQ server |
redcondor | this outmx is a RedCondor appliance |
resnet | this IP is a university residential network |
router | this IP is a router |
satellite | this IP is a satellite link |
sendmail | this outmx is running sendmail |
serial | this IP is a serial line |
server | this IP is a server |
smarthost | this outmx is an SMTP smarthost |
smoothzap | this outmx is running SmoothZap SMTP server |
sonicwall | this IP is a SonicWall firewall appliance |
sophosmail | this outmx is running Sophos Mail server |
spanel | this webhost is running the Spanel control panel |
stalker | this outmx is running the Stalker mail server |
strongmail | this outmx is a Strongmail mail appliance |
surgemail | this outmx is running the Surgemail mail server |
symantecmail | this outmx is running the Symantec mail server |
t1 | this IP is a trunk line |
tor | this IP is a Tor node |
trendmicro | this outmx is running Trend Micro mail software |
unix | this IP is running a variety of Unix |
unknown | the technology in use on hosts with this naming is unknown |
virtuozzo | this webhost is running the Parallels Virtuozzo control panel |
voip | this IP is providing Voice over IP service |
vpn | this IP is a VPN gateway |
vps | this IP is a Virtual Private Server |
wan | this IP is part of a Wide Area Network |
webhost | this IP is allocated to a Web hosting provider |
webmail | this outmx is a webmail gateway |
webshield | this outmx is running the McAfee Webshield antivirus mail server software |
wifi | this IP is provided via Wifi |
wimax | this IP is a WiMAX node |
windows | this IP is running a Microsoft Windows OS |
windowsxp | this IP is running Microsoft Windows XP OS |
wireless | this IP is a wireless link |
xwall | this outmx is running the XWall mail server software |
zmailer | this outmx is running the ZMailer mail server software |
Occasionally, as needs warrant, we will further subdivide or introduce new classifications for this portion of the dataset. For now, lookups for HELO/EHLO strings and lookups for PTR strings share a common backend patterns dataset. (The reason for differentiating which zone to query for which string type is to allow logging to distinguish between valid PTR records and possibly fictional HELO strings, so we don't muddy the dataset with bogus new pattern candidates.)