Hi,

First things first:
* SpamAssassin version: 3.4.2
* Debian 10
* SA is created and invoked as a Perl object by a MIMEDefang filter

What I'm looking for is a way to tell SA to only run DNS checks on names that it finds in the headers of the message, i.e. to not scan the body of the message for names.

The motivation for this is that some of the mail addresses we operate are for security response teams that regularly receive mail that contains reports about things like signs of malware.

For example, a report from a security appliance that it saw a system doing DNS queries for a known bitcoin mining malware domain.

The problem is that SA is picking that name from the body of the mail message and running the full set of DNS checks on it. This includes the various DNSBL lookups, which are fine, as well as things like DKIM that require records from within the domain.

The result of this is that every time one of our mail servers handles a message with one of these reports it makes DNS queries that will trigger monitoring on our network for devices that might be infected with bitcoin mining malware. Fortunately, the servers in question don't also handle the warnings that we receive about this possible malware, so we don't have a feedback loop.

I've looked through the debug-level logging of the rule processing and am fairly confident in my assessment of the problem - I can see information about which rules are being invoked and triggering DNS queries and all of that seems fine, but what I didn't notice was anything covering how SA created the list of domains to check from the mail message.

I don't think that there's any configuration or options to do what I'm asking, but I wanted to ask some experts before making any changes to our configs.

Thank you,
Brian Conry

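The post notes that the debug log shows which rules fire and which DNS queries they make, but not how the list of domains was built from the message. The script below is an added example, not part of the original thread and not SpamAssassin's own extraction code: it splits the hostnames in a message into header-derived and body-derived sets and then tags a list of observed lookup names by origin, which is the check that confirms a lookup such as the one described was triggered by a name in the body. The sample report, the DNSBL zone suffix (`bl.dnsbl-zone.example`) and the observed query list are all constructed for illustration and use reserved example domains; the hostname regex and the choice to treat the Subject header as body text are this example's own assumptions.

```python
"""Added example: classify hostnames in a mail message as header- or
body-derived, then tag observed DNS lookup names by origin.

This is an illustration for the thread above, not SpamAssassin's own code.
All domains, the DNSBL zone and the query list are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample report, modelled on the kind of message the post
# describes: a security appliance reporting a DNS query for a malware domain.
SAMPLE_MESSAGE = b"""Return-Path: <alerts@sensor.example.org>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.com with ESMTP id abc123
From: Security Appliance <alerts@sensor.example.org>
To: security@example.com
Subject: DNS query for known mining pool observed
Message-ID: <20240101.123@sensor.example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to; bh=dGVzdA==; b=dGVzdA==
Content-Type: text/plain; charset=us-ascii

Host 10.0.0.23 queried mining-pool.example.net at 12:01 UTC.
See https://kb.example.org/ioc/mining for details.
"""

# Constructed DNSBL zone suffix: a list-style lookup for <domain> is assumed
# to appear in the log as <domain>.<zone>.
ZONES = ("bl.dnsbl-zone.example",)

# Constructed list of names as they might appear in a DNS debug log.
SAMPLE_QUERIES = [
    "mining-pool.example.net.bl.dnsbl-zone.example",  # body-derived DNSBL lookup
    "sensor.example.org",                             # header-derived lookup
    "kb.example.org.bl.dnsbl-zone.example",           # body-derived DNSBL lookup
    "unrelated.example",                              # not in the message at all
]

# Hostname pattern (assumption): dotted labels ending in an alphabetic TLD,
# not preceded or followed by name characters, so "192.0.2.10" is skipped
# and "sensor.example.org" is not also matched as "example.org".
HOST_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])",
    re.I,
)


def parse(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes into an EmailMessage (headers get unfolded)."""
    return email.message_from_bytes(raw, policy=policy.default)


def header_domains(msg: EmailMessage) -> set:
    """Hostnames found in every header except Subject (treated as body text)."""
    found = set()
    for name, value in msg.items():
        if name.lower() == "subject":
            continue
        found.update(m.lower() for m in HOST_RE.findall(str(value)))
    return found


def body_domains(msg: EmailMessage) -> set:
    """Hostnames found in the Subject and in all text/* body parts."""
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    found = set()
    for text in texts:
        found.update(m.lower() for m in HOST_RE.findall(text))
    return found


def classify_lookups(msg: EmailMessage, queries, zones=ZONES) -> dict:
    """Map each observed query name to 'header', 'body', 'both' or 'unknown'.

    A known DNSBL zone suffix is stripped first so the bare domain can be
    compared against the names extracted from the message."""
    hdr, body = header_domains(msg), body_domains(msg)
    result = {}
    for query in queries:
        name = query.lower().rstrip(".")
        for zone in zones:
            if name.endswith("." + zone):
                name = name[: -(len(zone) + 1)]
                break
        if name in hdr and name in body:
            origin = "both"
        elif name in hdr:
            origin = "header"
        elif name in body:
            origin = "body"
        else:
            origin = "unknown"
        result[query] = origin
    return result


if __name__ == "__main__":
    message = parse(SAMPLE_MESSAGE)
    print("header-derived:", sorted(header_domains(message)))
    print("body-derived:  ", sorted(body_domains(message)))
    for query, origin in classify_lookups(message, SAMPLE_QUERIES).items():
        print(f"{origin:8s} {query}")
```

Run against a real report captured from the debug log, the `body` entries are exactly the names a body-only scan would not have produced; the set of name sources shown here is this example's own and should not be read as a description of which headers any particular SpamAssassin rule consults.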