I am 99% sure you will be unable to implement that in SA natively and easily without something such as a milter. Using mimedefang, we have significant code to allow people to submit samples to create the KAM ruleset and maintain the RBL. In short, I think we have solved the exact problem you're talking about and I'm happy to give you pointers.
However, you could add the recipient address to a welcome list entry. That would effectively make scanning disabled. I'm assuming that won't work.

KAM

On Fri, Jan 6, 2023, 17:24 Brian Conry <bco...@bestpractical.com> wrote:
> Hi,
>
> First things first:
> * SpamAssassin version: 3.4.2
> * Debian 10
> * SA is created and invoked as a Perl object by a MIMEDefang filter
>
> What I'm looking for is a way to tell SA to only run DNS checks on names that it finds in the headers of the message, i.e. to not scan the body of the message for names.
>
> The motivation for this is that some of the mail addresses we operate are for security response teams that regularly receive mail that contains reports about things like signs of malware.
>
> For example a report from a security appliance that it saw a system doing DNS queries for a known bitcoin mining malware domain.
>
> The problem is that SA is picking that name from the body of the mail message and running the full set of DNS checks on it. This includes the various DNSBL lookups, which are fine, as well as things like DKIM that require records from within the domain.
>
> The result of this is that every time one of our mail servers handles a message with one of these reports it makes DNS queries that will trigger monitoring on our network for devices that might be infected with bitcoin mining malware. Fortunately the servers in question don't also handle the warnings that we receive about this possible malware so we don't have a feedback loop.
>
> I've looked through the debug-level logging of the rule processing and am fairly confident in my assessment of the problem - I can see information about which rules are being invoked and triggering DNS queries and all of that seems fine, but what I didn't notice was anything covering how SA created the list of domains to check from the mail message.
>
> I don't think that there's any configuration or options to do what I'm asking, but I wanted to ask some experts before making any changes to our configs.
>
> Thank you,
> Brian Conry
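As an added illustration of the milter route KAM points to (this is example code written for this page, not code from the thread, from KAM's setup, or from the MIMEDefang project), here is a mimedefang-filter fragment that skips the SpamAssassin call entirely when every envelope recipient is one of the security-response mailboxes. Because SA never sees the message, no hostnames from the body are ever looked up in DNS. The mailbox addresses and the `%sa_exempt_rcpt` hash are constructed for the example; `filter_end`, `@Recipients`, `spam_assassin_check`, `action_change_header` and `md_syslog` are MIMEDefang's own API.

```perl
# mimedefang-filter fragment (added example, not from the thread).
# Goal: never hand mail for the security-response mailboxes to SpamAssassin,
# so no hostnames found in the body are ever resolved for those messages.
use strict;
use warnings;

# Constructed list of exempt mailboxes, stored lower-case without angle brackets.
my %sa_exempt_rcpt = map { lc($_) => 1 } (
    'security@example.com',
    'abuse@example.com',
);

sub filter_end {
    my ($entity) = @_;

    # Skip SA only when *every* envelope recipient is exempt; if an ordinary
    # mailbox is also a recipient, the message still gets scanned.
    my $all_exempt = @Recipients ? 1 : 0;
    foreach my $rcpt (@Recipients) {
        # @Recipients entries may carry angle brackets; normalise before lookup.
        (my $addr = lc $rcpt) =~ s/^<(.*)>$/$1/;
        $all_exempt = 0 unless $sa_exempt_rcpt{$addr};
    }
    if ($all_exempt) {
        md_syslog('info', 'Skipping SpamAssassin: all recipients are exempt security mailboxes');
        return;
    }

    # Normal path: run SpamAssassin and record the verdict in headers.
    my ($hits, $req, $names, $report) = spam_assassin_check();
    action_change_header('X-Spam-Score', "$hits/$req ($names)");
    action_change_header('X-Spam-Flag', 'YES') if $hits >= $req;
}
```

Two practical notes. A welcome-list entry in SA itself (the directive is `whitelist_to` in 3.4.x and was renamed `welcomelist_to` in 4.0) only fires a large negative-score rule; the network tests, including the DNS lookups Brian wants to avoid, still run, which is why handling this in the milter before SA is invoked is the approach that actually stops the queries. The "all recipients exempt" check matters in a multi-recipient delivery: if a security mailbox and a regular user are both on the envelope, the message is still scanned so the regular user keeps spam protection.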