https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6048
--- Comment #3 from Steve Freegard <[email protected]> 2009-01-22 01:47:47 PST ---

(In reply to comment #2)

> 1. If WHOIS contact address is correct/reachable, hosts get warned before they
> get blocked.

Yes - but in the vast majority of cases, you'll be notifying some ISP and not their end-users who are probably using their DNS server.

> 2. Inexperienced SA users will hardly hit URIBL.com public mirror
> infrastructure with hundreds of thousands/millions of queries/day, and get
> blocked without a warning.

Ok - so you haven't blocked the DNS servers of most major providers already then? Including those dished out to users via the ISP's DHCP scope? You're thinking a bit one-dimensionally - not everyone is using SA on a UNIX gateway. What about SAProxy32 users who are running SA on Windows? They'll be doing URI lookups too, and they won't be able to just install their own nameserver.

> 3. You could have used some other NS for your queries.

Yes - I should have. But it got me thinking more about the ramifications of this for new installs. If we go by what you are saying, then the SA installation instructions need to be changed to get users to either 1) install a local nameserver cache and/or 2) make sure they aren't blocked. You're also ignoring the many people who will have their own DNS servers but use their ISP's nameserver cache as forwarders, which is also a common configuration.

> 4. You obviously didn't test your system thoroughly before going live,
> otherwise this would have jumped out real fast.

Granted - I doubt that I'm alone in being bitten by this, however. But that's not the point.

> Matt's solution suggestion breaks the URIBL.com's intention of warning the
> admin that he's abusing the mirrors, even AFTER being contacted and the query
> hammering would continue.

Matt's solution is workable if the rules are to remain on in the default configuration.

> If this would happen very widescale, it would result in URIBL.com's public
> mirrors get taken down and become a pay-per-use service only, hardly in
> interest of the wider user base.

And returning a positive result for all lookups, which is designed to intentionally harm the users' results so they notice quickly, is pretty unfriendly too, especially when your rules are default-on. It would be far more sensible to actually firewall port 53 from these IP ranges so that it causes timeouts instead - that would be a far better way to get people to notice without the collateral damage.

Regards,

Steve.
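The comment above argues that new installs should "make sure they aren't blocked" before relying on URIBL rules, and that a blocked resolver which answers positively for every lookup is hard to tell apart from a genuine hit, while a firewalled one would simply time out. The following script is an added example (not code from this bug thread, from Steve, or from the SpamAssassin or URIBL projects) that an administrator could run through the resolver in /etc/resolv.conf to distinguish those outcomes. It assumes, from URIBL's own public documentation rather than from this page, that `test.uribl.com.multi.uribl.com` is a permanently listed test point and that an answer of `127.0.0.1` is the "query refused" sentinel returned to blocked resolvers; the `lookup` parameter is injectable so the classification logic can be exercised offline without touching the mirrors.

```python
import socket
from ipaddress import ip_address, ip_network

# Assumptions taken from URIBL's published conventions, not from the bug thread:
# a permanently listed test name, answers encoded in 127.0.0.x, and 127.0.0.1
# meaning "query refused" (the resolver has been blocked by the mirror).
TEST_HOST = "test.uribl.com.multi.uribl.com"
DNSBL_NET = ip_network("127.0.0.0/8")
REFUSED = ip_address("127.0.0.1")

# getaddrinfo error codes; fall back to the glibc values if the platform
# socket module does not export the constants.
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)    # temporary failure: timeout/SERVFAIL
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)  # NXDOMAIN: name not listed


def classify_answers(addresses):
    """Map the A records returned for a DNSBL query to a verdict string.

    "refused"    - the 127.0.0.1 sentinel is present: this resolver is blocked,
                   and every URI lookup through it would look like a hit.
    "listed"     - a normal positive answer inside 127/8.
    "not_listed" - empty answer set.
    "unexpected" - an address outside 127/8, e.g. a resolver that rewrites
                   NXDOMAIN into a search page, which would also poison scores.
    """
    addrs = [ip_address(a) for a in addresses]
    if not addrs:
        return "not_listed"
    if any(a == REFUSED for a in addrs):
        return "refused"
    if all(a in DNSBL_NET for a in addrs):
        return "listed"
    return "unexpected"


def check_resolver(lookup=socket.gethostbyname_ex, host=TEST_HOST):
    """Query the test point through the system resolver and classify the result.

    `lookup` must behave like socket.gethostbyname_ex, returning
    (canonical_name, aliases, ip_list) or raising socket.gaierror. A healthy
    resolver yields "listed"; a blocked one "refused"; one whose path to the
    mirrors is firewalled (the alternative Steve proposes) yields
    "unreachable" after the resolver's own retries give up.
    """
    try:
        _, _, addresses = lookup(host)
    except socket.gaierror as err:
        if err.errno == EAI_NONAME:
            return "not_listed"
        if err.errno == EAI_AGAIN:
            return "unreachable"
        return "error:%s" % err
    return classify_answers(addresses)


if __name__ == "__main__":
    # Real run: consults whatever nameserver the host is configured to use,
    # which is exactly the resolver SpamAssassin's URI checks would go through.
    print("URIBL test point via local resolver ->", check_resolver())
```

Any verdict other than "listed" means URIBL-based rules should be left disabled on that host until the resolver situation is fixed (a local caching nameserver that does not forward to a blocked upstream, in the terms of the thread above).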
