On Wed, May 12, 2021 at 10:26 PM Arne Jensen <darkde...@darkdevil.dk> wrote:
> Den 13-05-2021 kl. 02:19 skrev Michael B Allen:
> > On Wed, May 12, 2021 at 6:10 PM Matthias Leisi <matth...@leisi.net> wrote:
> >>> That is unfortunate. It's not entirely crystal clear to me that
> >>> deliberately returning false positives that allow potentially
> >>> destructive SPAM to get through filters is a good way to enforce usage
> >>> policy.
> >> We use the „return hi“ in cases where long times of using other methods
> >> do not reduce the query load on the free nameservers.
> > I don't understand the technical details of all of this but what about
> > sending an error response just under the typical retry interval? If
> > you want to annoy someone, make it the one DNS server operator and not
> > the hundreds of SA endpoints using it. A lot of smaller companies like
> > me (I'm just me!) just use their hosting company DNS (linode for me)
> > and are completely oblivious as to what dnswl even is.
>
> See:
> https://www.mail-archive.com/users@spamassassin.apache.org/msg107949.html
>
> And then try to understand how DNS works:

I understand how DNS works as well as most, at least.

I do not understand why the default SA configuration uses dnswl, but
then, when someone does not read every minutia of documentation about
every possible option, SPAM is used as a stick to get people to
change or pay for the service, but not before being browbeaten about
not knowing how this convoluted mess works.

It is not completely trivial to set up a caching name server. I literally
have two accounts, so it's at least a serious nuisance.

> In the past, I saw Spamhaus being criticized, apparently for something
> that sounded like dropping queries with a firewall, which would lead to
> long timeouts, causing the originating mail server to give up before the
> responses were received, essentially leading to mails being deferred and
> (sometimes) lost.
>
> Such query dropping does (unfortunately) also mean the queries often
> will be magnified, as e.g. Linode's resolver in your case will just try
> another authoritative server for the zone.

Then, like I suggested, instead of dropping entirely, maybe a delay
just under the retry interval would make all the difference.
Presumably dnswl is custom code? You could have a large array of
structs with ip and stats pre-populated with pass entries for the paid
folk. When a request comes in, you hash the addr to get the right
bucket. If they're paid, they pass. If not, you update the stats and if
they're over whatever limit, everything from that server goes into a
500 ms delay queue. You respond with success to keep the offensive DNS
server at arm's length but passivated, while the SA endpoint gets an
answer of "blocked".

Sending false positives that allow SPAM through is a bad way to enforce policy.

Mike

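The rate-limit design sketched in Mike's reply above (hash the querying resolver's address into a pre-populated stats array, let paid resolvers pass, push over-quota resolvers into a short delay queue, and answer them with a "blocked" code instead of a trusted one), worked out as an added example. This is not dnswl.org's code or SpamAssassin's; the answer codes, the free-tier limit, the window and the 500 ms penalty are constructed assumptions for the illustration, not the values of any real list.

```python
"""Per-resolver query policy for a DNS-based whitelist (DNSWL-style).

Added example, not the code of dnswl.org or SpamAssassin. Constructed
assumptions: the answer codes below, FREE_LIMIT, WINDOW and PENALTY_DELAY.
The policy has two properties the post asks for:
  * it never drops a query (dropping makes the upstream resolver retry
    another authoritative server, which multiplies load instead of reducing it);
  * an over-quota resolver still gets an answer, but it is an explicit
    "blocked" code, never a trusted "pass" that would whitelist spam.
"""
import hashlib
import ipaddress
import time

BUCKETS = 1 << 16        # size of the pre-populated stats array
WINDOW = 60.0            # seconds; sliding window for the per-resolver count
FREE_LIMIT = 100         # queries per window allowed to an unpaid resolver
PENALTY_DELAY = 0.5      # seconds, kept under a typical resolver retry timer

# Constructed answer values (A records in 127/8, as DNS lists conventionally use).
PASS_ANSWER = "127.0.10.1"      # "listed, trusted" (hypothetical code)
NOT_LISTED = None               # NXDOMAIN: the mail server is not on the list
BLOCKED_ANSWER = "127.0.0.254"  # "query refused for policy reasons" (hypothetical)


class Bucket:
    """Stats slot for one resolver (the 'struct' of the post)."""
    __slots__ = ("count", "window_start")

    def __init__(self):
        self.count = 0
        self.window_start = 0.0


class QueryPolicy:
    def __init__(self, paid_resolvers, buckets=BUCKETS, now=time.monotonic):
        self._now = now
        self._buckets = [Bucket() for _ in range(buckets)]
        # Paid resolvers are kept by exact address so that a hash collision
        # with an unpaid resolver can never grant the unpaid one a free pass.
        self._paid = frozenset(ipaddress.ip_address(a) for a in paid_resolvers)

    def _bucket(self, resolver_ip):
        # Hash the resolver's address (v4 or v6) into the fixed-size array.
        key = ipaddress.ip_address(resolver_ip).packed
        digest = hashlib.blake2b(key, digest_size=4).digest()
        return self._buckets[int.from_bytes(digest, "big") % len(self._buckets)]

    def decide(self, resolver_ip, listed):
        """Decide one query from `resolver_ip`.

        `listed` is whether the mail-server IP being looked up is genuinely on
        the whitelist. Returns (answer, delay_seconds). The answer for a
        listed IP is PASS_ANSWER, for an unlisted one NOT_LISTED; an over-quota
        unpaid resolver gets BLOCKED_ANSWER after PENALTY_DELAY instead.
        """
        if ipaddress.ip_address(resolver_ip) in self._paid:
            return (PASS_ANSWER if listed else NOT_LISTED, 0.0)

        b = self._bucket(resolver_ip)
        now = self._now()
        if now - b.window_start >= WINDOW:
            b.window_start = now
            b.count = 0
        b.count += 1
        if b.count > FREE_LIMIT:
            # Over quota: answer slowly with an explicit "blocked" code. The
            # resolver is kept busy-but-satisfied; the SA endpoint sees a
            # code it can treat as "no information", not as "trusted".
            return (BLOCKED_ANSWER, PENALTY_DELAY)
        return (PASS_ANSWER if listed else NOT_LISTED, 0.0)

    def answer(self, resolver_ip, listed, sleep=time.sleep):
        """Apply the decision: wait out the penalty (if any) and return the answer."""
        ans, delay = self.decide(resolver_ip, listed)
        if delay:
            sleep(delay)
        return ans


if __name__ == "__main__":
    # Demo with a fake clock so it runs instantly. Addresses are documentation
    # ranges (RFC 5737), constructed for the example.
    clock = [0.0]
    policy = QueryPolicy(["192.0.2.10"], now=lambda: clock[0])
    for _ in range(FREE_LIMIT + 1):
        ans, delay = policy.decide("198.51.100.5", listed=True)
    print("unpaid resolver after quota:", ans, delay)       # 127.0.0.254 0.5
    print("paid resolver:", policy.decide("192.0.2.10", True))  # ('127.0.10.1', 0.0)
```

The choice that matters for the thread's argument is in `decide`: when the quota is exceeded the policy changes the answer to a dedicated "blocked" code and adds latency, but it never returns `PASS_ANSWER` for a mail server that is not listed, so a rate-limited free user cannot be made to whitelist spam. Whether 500 ms is "just under the retry interval" depends on the resolver in front of the list, which is the caveat the post itself raises.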