https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6048
--- Comment #8 from AXB <[email protected]>  2009-01-22 02:58:32 PST ---
(In reply to comment #3)
> (In reply to comment #2)
> > 1. If WHOIS contact address is correct/reachable, hosts get warned before
> > they get blocked.
> 
> Yes - but in the vast majority of cases, you'll be notifying some ISP and not
> their end-users that are probably using their DNS server.

Possibly and there's no way around it.
End users hardly do 1.5 million queries/day, do they?
What NS they take is not our concern.

> > 2. Inexperienced SA users will hardly hit URIBL.com public mirror
> > infrastructure with hundreds of thousands/millions of queries/day, and get
> > blocked without a warning.
> 
> Ok - so you haven't blocked the DNS servers of most major providers already
> then?  Including those dished out to users via the ISPs DHCP scope?

Nope - DHCP scopes don't include heavy hitters - nobody sensible will use a
high-traffic MTA on a DHCP-assigned IP.
Amazingly, "major ISPs" haven't been a concern or a problem.
(whoever may be meant)


> You're thinking a bit one dimensionally - not everyone is using SA on UNIX
> gateway.  What about SAProxy32 users who are running SA on Windows; they'll be
> doing URI lookups too and they won't be able to just install their own
> nameserver. 

Somebody using SAproxy doesn't send millions of queries/day, EVER!
And if so, even Windows boxes can use local recursors... there are several out
there, for free.


> > 3. You could have used some other NS for your queries.
> 
> Yes - I should have.  But it got me thinking more about the ramifications of
> this for new installs - if we go by what you are saying; then the SA
> installation instructions need to be changed to get users to either 1) install
> a local nameserver cache and/or 2) make sure they aren't blocked.

It's common practice that high-traffic MTAs use local recursors; if somebody
doesn't, he lives with the consequences (e.g. Spamhaus blocks).

> You're also ignoring the many people which will have their own DNS servers but
> use their ISPs nameserver cache as forwarders - which is also a common
> configuration.

SMEs do that, and these are hardly high traffic.
We're talking about corps/ISPs/vendors with high-traffic boxes, not the average
25-user SME box.
Uribl.com cannot be made responsible for lack of users' skills.

> > 4. You obviously didn't test your system thoroughly before going live,
> > otherwise this would have jumped out real fast.
> 
> Granted - doubt that I'm alone in being bitten by this however.  But that's
> not the point.

The point is that you've been caught TWICE by the same issue and now you are
offloading your repeated hurt to URIBL instead of kicking yourself in the butt
:-)

> > Matt's solution suggestion breaks the URIBL.com's intention of warning the
> > admin that he's abusing the mirrors, even AFTER being contacted and the
> > query hammering would continue.
> 
> Matt's solution is workable if the rules are to remain on in the default
> configuration.
> 
> > If this would happen very widescale, it would result in URIBL.com's public
> > mirrors getting taken down and becoming a pay-per-use service only, hardly in
> > the interest of the wider user base.
> 
> And returning a positive result for all lookups, designed to intentionally
> harm the users' results so they notice quickly, is pretty unfriendly too,
> especially when your rules are default on.

It isn't - it's an effective FAST way to tell the user something is VERY wrong.
If someone gets the positive replies, he's been pushing it too far, for too
long.

> It would be far more sensible to actually firewall port 53 from these IP
> ranges so that it causes timeouts instead - that would be a far better way to
> get people to notice without the collateral damage.

Full queues are often harder to debug, a hard fail makes the point very
efficiently, which is our last resource to stop abuse and keep donated public
mirrors alive.

Bottom line is that you as an appliance/services vendor should get a datafeed
for your customers/services and not rely on public mirror infrastructure for
your business; to your users' benefit, have them query your rbldnsd instances
for all BLs you provide per default.

Steve, I consider you a friend, but your rant is not an SA issue.
It's your personal hurt and it has little to do with the hundreds of thousands of
SA setups happily querying URIBL.com and other BLs and not getting blocked.

Alex
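The two signals the thread contrasts (the list answering every lookup positively once a resolver is blocked, versus port 53 being firewalled so queries time out) can be told apart from a pair of probe lookups. The following is an added example, not code from the bug thread or from SpamAssassin; the probe names and answer values are constructed placeholders, and an operator would substitute the list's documented test points and a real DNS lookup.

```python
"""Classify a resolver's standing with a URI blocklist from two probe lookups.

Added example (not from the bug thread). The blocklist, as the comment
describes, answers every lookup positively once a resolver has been blocked
for excessive query volume, so a name that should NOT be listed coming back
positive is the "blocked" signature. A timeout on both probes is the
firewall-style signal the reporter proposed instead.
"""
from typing import Dict, List, Optional

# Constructed probe names (placeholders, not the list's real test points).
UNLISTED_PROBE = "should-not-be-listed.invalid"
LISTED_PROBE = "should-be-listed.invalid"

# answers: probe name -> A records returned, [] for NXDOMAIN (not listed),
# or None when the query timed out.
Answers = Dict[str, Optional[List[str]]]


def classify_resolver(answers: Answers) -> str:
    """Return 'ok', 'blocked', 'unreachable' or 'broken' for the resolver."""
    unlisted = answers.get(UNLISTED_PROBE)
    listed = answers.get(LISTED_PROBE)
    if unlisted is None or listed is None:
        return "unreachable"      # timeouts: port 53 filtered or list down
    if unlisted:                  # a clean name answered positively:
        return "blocked"          # the positive-for-everything signal
    if not listed:                # the known-listed name is not listed:
        return "broken"           # list is not answering as documented
    return "ok"


def uribl_rules_trustworthy(answers: Answers) -> bool:
    """Only let URIBL rules score when the resolver is in good standing;
    in any other state every message would hit every URIBL rule."""
    return classify_resolver(answers) == "ok"


# Constructed scenarios an operator might see from a local recursor.
SCENARIOS: Dict[str, Answers] = {
    "healthy": {UNLISTED_PROBE: [], LISTED_PROBE: ["127.0.0.2"]},
    "blocked": {UNLISTED_PROBE: ["127.0.0.1"], LISTED_PROBE: ["127.0.0.1"]},
    "firewalled": {UNLISTED_PROBE: None, LISTED_PROBE: None},
    "list-broken": {UNLISTED_PROBE: [], LISTED_PROBE: []},
}

if __name__ == "__main__":
    for name, answers in SCENARIOS.items():
        print(f"{name:12s} -> {classify_resolver(answers)}")
```

Running the block prints one classification per constructed scenario; only the healthy resolver should be allowed to contribute URIBL scores.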

