urlscan.io logo urlscan.io
SecurityTrails logo

www.usenix.org.uk Open in urlscan Pro
2001:ba8:1f1:f1cb::2  Public Scan

Back to summary
Submitted URL: http://all.s5h.net/
Effective URL: http://www.usenix.org.uk/content/rbl.html
Submission: On December 03 via manual from US — Scanned from GB

Form analysis 1 forms found in the DOM

POST https://www.paypal.com/donate

<form action="https://www.paypal.com/donate" method="post" target="_top">
  <input type="hidden" name="hosted_button_id" value="RMTQJU7VPTA6L">
  <input type="image" src="https://www.paypalobjects.com/en_GB/i/btn/btn_donate_SM.gif" border="0" name="submit" title="PayPal - The safer, easier way to pay online!" alt="Donate with PayPal button">
  <img alt="" border="0" src="https://www.paypal.com/en_GB/i/scr/pixel.gif" width="1" height="1">
</form>

Text Content

We use cookies for personalised adverts on this site. PayPal donation is another
mechanism for support if you prefer.


HOSTED SERVICES

 * why unix
 * wet shaving
 * unix beards
 * about this site
 * books
 * RBL service
 * forum

This site needs your support




NEWS

Ads help server costs, we rely on their revenue (and donations, too) to fund
hosting.


RBL PAGE

RBL removal information

 * how do i delist
 * what is held on all.s5h.net?
 * ipv6
 * listing status
 * multihomed setups
 * usage
   * mediawiki
   * qmail
   * exim
   * postfix
   * spamassassin
   * sendmail
 * donations


HOW DO I DELIST

To request removal, simply go to the web page rblremove. You will need to visit
this page from the IP address of the offending computer. If you do this, you
will get delisted immediately.

There are a number of ways to do this, using telnet, curl, wget, lynx or a web
browser. All you need to do is make one request from the IPv4/IPv6 address that
was listed. If you wanted to delist your IPv4 address using curl, just log into
the listed mail server and run:

$ curl -4 http://www.usenix.org.uk/content/rblremove


You can do just the same using telnet from a Windows/Linux host, just issue the
normal HTTP headers, (you need to enter the GET/host lines below).

$ telnet www.usenix.org.uk 80
GET /content/rblremove HTTP/1.1
Host: www.usenix.org.uk
(press enter twice)


Failing automatic removal, please fill out the form for removal assistance
(English only please until we get translators). We will remove anyone from this
list providing they can show proof that they have addressed all potential
security problems and are willing to communicate openly to resolve any issues.
Do be aware, expect this to take much longer than using the automatic process
above, exhaust all automatic possibilities first.

Please supply us with your IP address and what you have done so far to address
the problem. A decision will be made as to the listing status, should you
satisfy the removal criteria then the listing will be removed within 30minutes
of the decision being made.

Listings are not simple work, there was a solid reason for the entry being
added, so hostility towards the support team will not be tolerated and may end
up with you being lucky to receive any response from us at all, so please be
polite when communicating with the support team.


WHAT IS HELD ON ALL.S5H.NET?

The all.s5h.net list is fully RFC 5782 compliant.

All the spam sources are recorded and kept on a RBL server named all.s5h.net.
The all represents a collated list of all sources and attack vectors, that send
spam in one form or another to any of our server addresses.


IPV6

We've found a fair amount of spam to originate from IPv6 hosts, so these are
added to the list using the same namespace.

For example, if you want to check for 2001:DB8::1 in the database you will need
to look up:



1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.all.s5h.net


The NS records have IPv4 and IPv6 glue, making lookups a little more efficient
for you. Of course, if you're using this RBL service on your mail server, then
chances are those records would be cached for you already.


LISTING STATUS

If you wish to check the status of a IP address in many RBL servers then you may
wish to try the RBL tool, which checks many RBL servers.

All the TTL values for the DNS queries are set to five seconds, the change
should appear immediately for you once data has propagated.


MULTIHOMED SETUPS

If you have a network of machines and several v4/v6 addresses were listed, so
long as you can alias the IPv{4,6} addresses on your machine you can tell curl
to bind to this address when using the automation.

Test with curl to make sure that it us using the correct address:

$ curl -I -6 --interface 2001:DB8::10 http://www.usenix.org.uk/content/whatismyip


You should a reply header that looks similar to the below with your expected
address:

HTTP/1.1 200 OK
Date: Wed, 03 May 2017 18:18:20 GMT
IPv6: 2001:DB8::10
Content-Type: text/html;charset=UTF-8


Once you have confirmed that this works and the correct address is being used,
you may then adjust the URL to match the automatic removal page,
http://www.usenix.org.uk/content/rblremove.

You can do the same using telnet, the syntax is slightly more complex. The
example below shows the conversation between the client and server, the first
three lines are entered by the client, everything after the blank line is the
sever reply.



$ telnet -b 2001:DB8::10 www.usenix.org.uk 80
Trying 2001:ba8:1f1:f1cb::2...
Connected to www.usenix.org.uk.
Escape character is '^]'.
HEAD /content/whatismyip HTTP/1.1
Host:www.usenix.org.uk

HTTP/1.1 200 OK
Date: Wed, 03 May 2017 18:25:29 GMT
IPv6: 2001:DB8::10
Content-Type: text/html;charset=UTF-8



USAGE

You may use this RBL list free of charge, currently without limit and we intend
to keep it that way. Please consider donating if you find this service useful
and it helps pay for the honeypot addresses.


MEDIAWIKI

If you wish to use this in MediaWiki blog, make the following changes:

LocalSettings.php:
$wgDnsBlacklistUrls = array(
        'all.s5h.net.',
);



QMAIL

qmail:

/var/service/qmail-smtpd/run, add the below to the tcpserver arguments, just
prior to qmail-smtpd being called

rblsmtpd -r all.s5h.net



EXIM

Add the following to your config:

deny dnslists = all.s5h.net



POSTFIX

Insert reject_rbl_client all.s5h.net prior to permit in your
smtpd_recipient_restrictions rule.


SPAMASSASSIN

In your .cf file:

header          RCVD_IN_S5HBL   eval:check_rbl_txt('s5hbl', 'all.s5h.net')
describe        RCVD_IN_S5HBL   Listed at all.s5h.net
tflags          RCVD_IN_S5HBL   net
score           RCVD_IN_S5HBL   0 3.0 0 3.0



SENDMAIL

Add the following, then rebuild:

FEATURE(`enhdnsbl', `all.s5h.net', ``Mail from $&{client_addr} rejected, see http://s5h.net/rbl'',`t')dnl


Should you wish to use this in PHP script (perhaps your web form is getting some
spam) then you could use a function like this:

function is_blacklisted($ip) {
    $dnsbl_check=array( "all.s5h.net", "sbl.spamhaus.org" );
    if( $ip ) {
        $quads=explode( ".", $ip );
        $rip=$quads[3].".".$quads[2].".".$quads[1].".".$quads[0];
        for( $i=0; $i&lt;count($dnsbl_check); $i++ ) {
            if( checkdnsrr( $rip.".".$dnsbl_check[$i], "A" ) ) {
                return( true ); // return on first match
            }
        }
    }
    return( false );
}



DONATIONS

This cost of the hardware running this service is currently funded privately. If
you wish to help support the service please consider donating using the paypal
donation paypal. Donations will go towards bringing new servers online to
collect network abuse and funnel the information back into the database in
realtime.