29 October, 2017 by Fredrik Berggren on email, reputation, senderscore

Api for talos reputation (previous senderbase.org), senderscore, reputation authority and blacklists.

*UPDATE*
Updated with a swagger docs page here http://emailstuff.io/api-docs/
——

So with the senderbase rdns lookup discontinued i needed a way to check it by code. Earlier i wrote a post about how to query it with c# and HttpClient that was not a very solid solution. So i created emailstuff.io a api for checking, senderbase (now talos reputation), senderscore, reputation authority and some blacklists.

For now it is not documented and a lot of features missing but it will be updated frequently next couple of weeks. Please add feature requests in the comments.

For now you can use these endpoints:

http://emailstuff.io/api/senderbase/[ipaddress] returns Bad, Neutral or Good
http://emailstuff.io/api/senderscore/[ipaddress] returns an int. -9999 = no data
http://emailstuff.io/api/reputationauthority/[ipaddress] returns an int. -9999 = no data
http://emailstuff.io/api/blacklist/[ipaddress] returns an object with the following information:

{
    "fwdReverseDnsMatch": true,
    "ptr": "mail1.mydomain.se.",
    "blacklistResult": [
        {
            "blacklist": "zen.spamhaus.org",
            "blacklist_url": "https://www.spamhaus.org/zen/",
            "listed": false,
            "ms": 36
        }]
}

{

"fwdReverseDnsMatch": true,

"ptr": "mail1.mydomain.se.",

"blacklistResult": [

{

"blacklist": "zen.spamhaus.org",

"blacklist_url": "https://www.spamhaus.org/zen/",

"listed": false,

"ms": 36

}]

}

http://emailstuff.io/api/emailinfo/[emailaddress] returns an object with the following information:

{
    "emailAddress": "fredrik@dattaproffs.se",
    "name": "fredrik",
    "domain": "dattaproffs.se",
    "isValid": true,
    "isRoleAddress": false,
    "isDisposable": false,
    "hasMx": true
}

{

"emailAddress": "fredrik@dattaproffs.se",

"name": "fredrik",

"domain": "dattaproffs.se",

"isValid": true,

"isRoleAddress": false,

"isDisposable": false,

"hasMx": true

}

These are subject to change both the endpoints and the data returned. But i will keep you posted on the blog and soon there will be a docs page for the API.

23 February, 2017 by Fredrik Berggren on dns, email, reputation

How to check Cisco Senderbase reputation from commandline

*UPDATE 2*
I have created an API for all sorts of email and ip related info, read more here Api for talos reputation (previous senderbase.org), senderscore, reputation authority and blacklists.

*UPDATE*
Since this no longer work i have created a solution in c# for now, not as “fancy” but it does the job. Go here to read the post Public senderbase dns lookup is closed, here is how to look it up in c# using HttpClient and HtmlAgilityPack

Senderbase is similar to Senderscore it is a reputation score for you IP address and/or domain you can use the website http://www.senderbase.org/ to lookup your IP. But if you just wan’t to check it from the command line this is how you do it.

First little about how the reputation is calculated.

Reputation scores in SenderBase may range from -10 to +10, reflecting the likelihood that a sending IP address is trying to send spam. Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.

SenderBase combines multiple sources of information to determine a “reputation score” for any IP address. This information includes:

Email volume information provided by tens of thousands of organizations that regularly receive Internet email

Spam complaints received by the SpamCop service

Information on other DNS-based blacklists

This is the command to get the score if your IP is 1.2.3.4

nslookup -type=txt 4.3.2.1.rf.senderbase.org

Non-authoritative answer:
4.3.2.1.rf.senderbase.org        text = "5.5"

nslookup -type=txt 4.3.2.1.rf.senderbase.org

Non-authoritative answer:

4.3.2.1.rf.senderbase.org text = "5.5"

Here is the tricky part, if you do a lookup on the website you will get a grouped reputation Poor, Neutral and Good. So how do you know where the score you get in the dns lookup fits?

This is my findings:

Poor is between -10 and -1

Neutral is between -1 and 2

Good is between 2 and 10

If you have any other knowledge about the classification from the scoring please let me know in the comments.

22 February, 2017 by Fredrik Berggren on dns, reputation, senderscore

Check your IPs senderscore from the commandline

So you have heard about senderscore but you think it’s tedious work to go to the website and log in and/or verifying the captcha..

Don’t worry you can the same way as checking dns blacklists (DNSBL) you can check your score from the command line.

Just reverse your IP and do a dns lookup, like this:

nslookup 4.3.2.1.score.senderscore.com

This is a success response:
------------------------------
Non-authoritative answer:
Name:    4.3.2.1.score.senderscore.com
Address:  127.0.4.99

This is a error response:
------------------------------
*** 4.3.2.1.score.senderscore.com: Non-existent domain

nslookup 4.3.2.1.score.senderscore.com

This is a success response:

------------------------------

Non-authoritative answer:

Name: 4.3.2.1.score.senderscore.com

Address: 127.0.4.99

This is a error response:

------------------------------

*** 4.3.2.1.score.senderscore.com: Non-existent domain

Unlike the DNSBL lookup where you where listed if you got a response the score is part of the Address response. So in the exemple above my score is 99.

You take the last part of the response address and that is your score. When you get Non-existent domain as an answer your IP hasn’t sent out enough email for senderscore to do a measure.

This can be done with dig exactly the same way as done in this post about DNSBL

Update:
This is updated twice a day at ~12:00 GMT and ~22:00 GMT so no need to look more than once after these times.