On 2026-04-23 at 15:42:33 UTC-0400 (Thu, 23 Apr 2026 15:42:33 -0400)
Charles Sprickman <[email protected]>
is rumored to have said:
Hi all,
Recently another sysadmin friend and I were toying with various
(conflicting and quite old) suggestions from the Google about how to
disable all the RBLs/URIBLs that are included in spamassassin that
require payment. Most of the things we saw involved setting the score
of various spamhaus tests to "0", and as best I can tell that doesn't
work (I still see queries going out even if i don't see the warning in
the score summary of the scanned emails).
That SHOULD work. You may need to recycle spamd or any other persistent
tool (e.g. mimedefang) that has the old rules.
For example, we had something similar to this:
# remove spamhaus tests, they want $thousands
# need to include the first base rule or DNS still triggers but is
ignored
## commented out for trial
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0
score URIBL_CSS_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_PHISH 0
score URIBL_DBL_MALWARE 0
score URIBL_DBL_BOTNETCC 0
score URIBL_DBL_ABUSE_SPAM 0
score URIBL_DBL_ABUSE_REDIR 0
score URIBL_DBL_ABUSE_PHISH 0
score URIBL_DBL_ABUSE_MALW 0
score URIBL_DBL_ABUSE_BOTCC 0
If you score all dns_block_rule rules at zero *as well as any rules
referencing them* you should not be querying the related DNS zones. That
should be true for all versions of SA.
Another variation is this:
dns_query_restriction deny spamhaus.org
That should work going back to 3.4.0, except that you need to deny
zen.spamhaus.org, which is the domain actually used in the relevant
dns_block_rule.
We were both working with really dated versions though, so maybe
things changed somewhere along the way.
Lots of bugs fixed since the 3.4.x branch was retired. Some major fixes
were backported into distro packages, many not.
So two hopefully very simple questions:
1 - I could have sworn there was discussion on here that resulted in
the default being to NOT query any lists that are not free or any
lists that require an account. Did I dream that?
You must have.
We include services like Spamhaus that have free tiers usable by real
mailsystems. We have those like MAPS and Validity which have had usable
free tiers in the past but no longer do keep present in the rules but
disabled.
If we didn't include rules for DNSBLs with limits on unregistered free
usage we'd likely have none in the default ruleset. There's no real cost
to leaving the rules there but zero'ed and very little cost (beyond
confusion) with ignoring them altogether and letting SA notice the
blockage and disabling lookup ephemerally by itself.
And if so, I highly suggest you look at what Spamhaus is charging
these days and reconsider. And also at that 1 second TTL they use that
sort of... inflates the number of queries generated.
Most if not all caching resolvers will allow you to set a minimum TTL if
you wish to trade precision for robustness. :)
For a small ISP where email is just like a free add-on for other
services or legacy customers, it was just close to being the same we'd
pay to simply outsource all email. And it's not a full spam filtering
service, just an RBL.
I don't think anyone on the PMC is interested in analyzing DNSBL pricing
in depth beyond the existing squishy criteria of "has a usable-for-many
free tier."
2 - In 4.x what is the proper method to disable spamhaus (and anything
else lurking in there I'm not aware of that will start popping
messages about query limits)? And where is that documented?
SA is Perl, so TMTOWTDI...
According to 'perldoc Mail::SpamAssassin::Conf':
dns_query_restriction (allow|deny) domain1 domain2 ...
Option allows disabling of rules which would result in a DNS
query
to one of the listed domains. The first argument must be a
literal
"allow" or "deny", remaining arguments are domains names.
Zero'ing out rules should also work, but only if you're sure that you
get them all and any meta-rules including the actual block test rules.
I keep thinking that a feature that I might want to write would be a way
to specifically chase dependencies amongst the many meta- and sub-rules
and let you see what the actual impact of zeroing various rules would
be.
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Please keep discussion mailing list replies *on-list*
Not Currently Available For Hire
