Kai Schaetzl wrote:
Skip wrote on Thu, 17 Jul 2008 16:19:07 -0400:

As for too many connections per day, my domain certainly does not generate anywhere near the 100,000 connections spamhaus considers as the cutoff, but I'll bet my host (bluehost) does. If all they check is originating IP address, then I'm sure I'll fall in that category.

Yeah, you actually query the resolver at your hosting provider. As do others of his customers. That combined connection pool may well exceed the limits. In that case you could set up a local caching nameserver and no forwarders. However, this would also impact your other dns queries. It might actually be a good idea if SA developers allowed to use a different resolver for SA than the system resolver.

As for the timeouts, I won't have access to that, since I am on a shared hosting system, but are you sure that those errors are what's being reported by the local nameserver? I am surprised that every test would fail (that is, not complete) in one case, and then in the next case all but the spamhaus test would complete.

Intermittent problems mean that a DNS is overloaded. Could be the typical sign of "spamassassinating" an RBL. I'm not surprised that many of your open-whois.org lookups fail. It wouldn't be the first RBL that falls apart after it got promoted to default use in SA.

It's also possible that your forwarder DNS is sometimes overloaded. If you get timeouts on five RBLs and next second all of them are well and then again on a bunch of them I'd say that the bottleneck could actually be the forwarder.

Also, several of these RBL checks do not add any extra value in my eyes. For instance habeas and bondedsender. I would get rid at least of these. I have been switching off SA RBL checks on all my systems almost right after I started using it years ago and still do so. I also don't use any of the distributed fingerprint systems. I use three RBLs I trust on MTA level for rejection. That's *much* more efficient. In SA I use only the other network checks for SURBL etc. as these *are* effective. (Although looking at the hit count all but one have declined in accurateness from last year.)

Kai

Wow, I wonder how I am going to convince Bluehost that they are having issues.

What's the best way to disable individual RBL checks? I'm also curious which tests you consider to be most effective on your system.

I was actually thinking the same thing about configuring SA to use a different resolver, but could not find such a configuration option.

Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
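
The distinction drawn in the thread (every list timing out in the same moment versus one list failing while the others answer), as an added example that is not part of the original messages. It performs no DNS queries: the probe tuples, the round numbers and the `bl.example.net` / `dnsbl.example.org` zones are constructed sample data, and `diagnose` is a hypothetical helper name.

```python
from collections import defaultdict
import ipaddress


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def diagnose(probes):
    """Separate resolver-wide failures from per-list failures.

    probes: iterable of (round_id, zone, outcome), outcome is 'ok' or 'timeout'.
    Returns (forwarder_rounds, suspect_zones):
      forwarder_rounds - rounds in which every zone timed out (shared forwarder suspect)
      suspect_zones    - zones that timed out in every round where other zones answered
    """
    rounds = defaultdict(dict)
    for round_id, zone, outcome in probes:
        rounds[round_id][zone] = outcome

    forwarder_rounds = []
    seen = defaultdict(int)
    failed = defaultdict(int)
    for round_id in sorted(rounds):
        results = rounds[round_id]
        timeouts = [z for z, o in results.items() if o == "timeout"]
        if len(results) > 1 and len(timeouts) == len(results):
            # Everything failed at once: says nothing about any single list.
            forwarder_rounds.append(round_id)
            continue
        for zone, outcome in results.items():
            seen[zone] += 1
            failed[zone] += outcome == "timeout"

    suspect_zones = sorted(z for z in seen if failed[z] == seen[z])
    return forwarder_rounds, suspect_zones


# Constructed sample: round 1 fails everywhere, rounds 2-3 fail on one list only.
ZONES = ["zen.spamhaus.org", "bl.example.net", "dnsbl.example.org"]
SAMPLE = [(1, z, "timeout") for z in ZONES]
for r in (2, 3):
    SAMPLE += [(r, z, "timeout" if z == "zen.spamhaus.org" else "ok") for z in ZONES]

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
    print(diagnose(SAMPLE))
```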
