On Thu, Jan 21, 2010 at 12:59:49PM +0100, Per Jessen wrote:
> Henrik K wrote:
>
> > On Thu, Jan 21, 2010 at 11:59:25AM +0100, Per Jessen wrote:
> >> Henrik K wrote:
> >>
> >> > On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
> >> >> On Wed, 20 Jan 2010, Henrik K wrote:
> >> >>
> >> >>>>>> (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}
> >> [3-9]\d\d+)\.\d+\.\d+\.\d+
> >> >>>>>
> >> >>>>> That's crazy! It's wrong since 1/8 is now allocated, it also
> >> >>>>> does not detect most other bogon ranges, What is the point of
> >> >>>>> this... Another rule I now need to disable.
> >> >>>>
> >> >>>> Please open a bug...
> >> >>>
> >> >>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
> >> >>
> >> >> Thanks for logging that.
> >> >>
> >> >> I do think we need a better way to catch them, including the other
> >> >> 20 or so plus bogon ranges it currently ignores. I can see where
> >> >> DNS checks would be better suited (bogons.cymru.com), or, at the
> >> >> very least, a ruleset, which can be updated in the "daily updates
> >> >> run" when new ranges are allocated.
> >> >
> >> > DNS checks would be overkill for a list that doesn't change that
> >> > often.
> >>
> >> Overkill yes, but "affordable", especially with results being cached.
> >> Personally I would favor DNS for data that _does_ change, even if
> >> only very rarely.
> >
> > It just doesn't make sense. Do you know how many requests they would
> > be flooded with if it was default SA option? It would query _all_
> > untrusted ip and by -clauses in Received path? How is that
> > "affordable"?
>
> Well, it obviously depends on your setup, but even if you don't have
> your own DNS, the results can be cached locally (nscd), so the overhead
> is still not a lot (IMHO).
> Anyway, like I said, it's just my personal preference.

If it's your preference, you are free to use it in such a way and code a plugin for it (it can't be made to work without mods/plugin currently). They do offer free zone transfers, so it's not that bad. But disregarding personal preferences, it makes no sense to use DNS generally for this list.
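
The following is an added example, not part of the thread and not SpamAssassin code: it runs the pattern quoted above beside a locally maintained prefix list, the "ruleset which can be updated" alternative, to show where the two disagree. The `|` at the wrapped line break in the quoted pattern is assumed, and the prefix list and sample addresses are constructed and deliberately partial.

```python
import ipaddress
import re

# Pattern as quoted in the thread, anchored with fullmatch() for this test.
# Assumption: the "|" between "[12]\d{3,}" and "[3-9]\d\d+" was lost at the wrap.
THREAD_RE = re.compile(
    r"(?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)"
    r"\.\d+\.\d+\.\d+"
)

# Constructed, partial list of reserved prefixes standing in for a ruleset
# that is refreshed when allocations change. 1.0.0.0/8 is left out because
# the thread states it is now allocated.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]


def regex_flags(ip: str) -> bool:
    """True if the hard-coded pattern treats the address as reserved."""
    return THREAD_RE.fullmatch(ip) is not None


def prefix_flags(ip: str) -> bool:
    """True if the address is malformed or inside a listed prefix."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # e.g. an octet above 255
    return any(addr in net for net in BOGON_PREFIXES)


def disagreements(ips):
    """Return (ip, regex_result, prefix_result) where the two checks differ."""
    rows = [(ip, regex_flags(ip), prefix_flags(ip)) for ip in ips]
    return [row for row in rows if row[1] != row[2]]


if __name__ == "__main__":
    sample = ["1.2.3.4", "10.1.2.3", "224.0.0.5", "8.8.8.8", "300.1.1.1"]
    for ip, by_regex, by_prefix in disagreements(sample):
        print(f"{ip}: regex={by_regex} prefix-list={by_prefix}")
```
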