New senderbase website

exMSW4319
Level 3

Toto, I don't think we're in Frisco [Kansas] any more.

Did I miss an announcement? senderbase.org now redirects to https://talosintelligence.com with the tools we all know and love appearing in the Reputation section; I've yet to grub around the rest to see what's new.

My first impressions weren't positive as I was viewing using a 1280x800 screen and Talos page layouts tend to be heavy on screen area. Viewed at 1920x1080 it's rather more palatable.

However, a question is in order: is this change purely cosmetic, or are there any underlying changes or improvements that we should be aware of?

As always, my compliments to the Cisco team for running Senderbase, and don't let the Madison Avenue types compromise your service.

Accepted Solutions

Libin Varghese
Cisco Employee

Hi,

As per the internal announcement, we will be incorporating all the features and functionality that are currently present on SenderBase.org and will be decommissioning the website Senderbase.org.

This will not have any impact on any products or lookups; we are simply redirecting the web traffic presently going to www.senderbase.org to talosintelligence.com. We have done our diligence to redirect the most frequented existing links on senderbase.org to their new homes on TalosIntelligence.com. During the transition and over time, we will monitor incoming traffic redirected from senderbase.org and add more redirection as necessary for users and customers to experience as little disruption as possible.

This serves to further consolidate the security intelligence face to our customers into “Cisco Talos”, and will continue to provide customers with a service to do their own investigation. Over time more and more features will be added to the site in order to provide more context, more information, and more intelligence.

Thank You!

Libin Varghese

Libin, will the feature to download a slice of Senderbase be carried forward onto the new site?

Currently we've only got the option to download the entire blacklist, without any additional volume or hostname information. For relatively short ranges a copy and paste from the GUI doesn't give terribly graceful results though it seems that a few of the brighter editors can make some repair.

As per the notification we received, the functionality should be integrated into the new website one way or another.

Haven't had a chance to test everything myself.

- Libin V

Thanks for the response.  It's not obvious that the functionality is all there (yet) so if you're testing the system you might want to look at this area.  FWIW searching for our main address range, 129.215.0.0/16, shows the same 50 hosts as searching for ed.ac.uk, none of which is a significant email system.

Thanks,

Sam

Thank you for your interest in the former "Export" feature of senderbase.org.  We are currently studying the use case for this feature as many people were using it in violation of our Terms of Service.

We do not have an estimated time period of when or if this feature will return.

Also, that IP list is not the entire blacklist, that list is for Open Source Snort users.  We are currently looking at removing it from TalosIntelligence.com and moving it to Snort.org.

It's a very, very small subset of our total list.  Approximately 1%.

I'm not sure whether using this forum as a support channel is entirely appropriate, but the functionality seems to have changed from senderbase.org.  Previously when I looked up my domain, ed.ac.uk, it showed me several hundred host entries.  Now it shows me exactly 50, none of which is any of the high volume email servers in my domain and none of which has anything other than 0.0 traffic in the last day.  This seems wrong.

I would think that grouses via TAC or your account manager wouldn't achieve a lot, unless you buy a lot of tin or keys from Cisco. The best place to lobby for improvement is probably here in the semi-public eye.

For myself I'd noticed the 50-record cut out, which is dangerously misleading if it presents mainly the bulk senders out of a large range of otherwise well-behaved customers. Yes, I should do my own diligence before making a manual HAT entry but sometimes there just isn't time to do that.

That brings me to the second problem; it appears that the new reputation check only coughs up information when checking an IP if the IP already appears on the "blacklist". Given that some senders (ESPs?) don't appear to be eligible for a blacklisting, the old senderbase.org was very useful for tracking down those who don't publish their IP ranges or an SPF mechanism that amounts to the same. I'm now back to using Geektools for rDNS lookups or MX Toolbox followed by an excursion to Hurricane to chew the ASN, and none of this is giving the same insight into volumes and reputations that Senderbase did.

If you are not getting an answer, that means we are having a problem with the site (or something else); you should be getting the same answers with the new site as you did with the old.  Please provide an example.

Joel, Senderbase has always been highly dynamic (and rightly so) so a TalosIntelligence check now can't really be compared with a Senderbase listing from early May. Is there a legacy URL that allows use of the old site?

If we were to begin discussing specific senders I'd presume that you'd sooner the details be handled through TAC rather than the forum? That will be difficult for me this week as I'm on leave and currently battling with very rural bandwidths.

We have internal access to it.  But as far as the information that is returned, it's *exactly* the same.

I'm not getting anything like the same answers for what I use the site for, though I realise that may not be what you're talking about above.  I put 129.215.0.0/16 into the search box.  The table that is returned is headed "Top IP Addresses used to send emails in 129.215.0.0" and then has a drop down box for netmasks set to /24.  Of the 50 hosts that are returned only three are in 129.215.0.0/24.  Changing the drop down to choose a different netmask doesn't have any visible effect.  Your colleague Libin Varghese refers to functionality being integrated into the new website.  It clearly hasn't been yet.

Why have you broken such a useful service?

As with any new site or service, there are always issues to be found.  We are working to resolve them, and will soon.  

I've entered your issue into our bug system.

We've documented this issue for fixes.  It should be fixed in the next couple weeks.