On Thu, Jan 21, 2010 at 12:59:49PM +0100, Per Jessen wrote:
> Henrik K wrote:
> 
> > On Thu, Jan 21, 2010 at 11:59:25AM +0100, Per Jessen wrote:
> >> Henrik K wrote:
> >> 
> >> > On Wed, Jan 20, 2010 at 04:16:29PM +1000, Res wrote:
> >> >> On Wed, 20 Jan 2010, Henrik K wrote:
> >> >>
> >> >>>>>>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}
> >> [3-9]\d\d+)\.\d+\.\d+\.\d+
> >> >>>>>
> >> >>>>> That's crazy!  It's wrong since 1/8 is now allocated, it also
> >> >>>>> does not detect most other bogon ranges. What is the point of
> >> >>>>> this... Another rule I now need to disable.
> >> >>>>
> >> >>>> Please open a bug...
> >> >>>
> >> >>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6295
> >> >>
> >> >> Thanks for logging that.
> >> >>
> >> >> I do think we need a better way to catch them, including the other
> >> >> 20 or so plus bogon ranges it currently ignores. I can see where
> >> >> DNS checks would be better suited (bogons.cymru.com), or, at the
> >> >> very least, a ruleset, which can be updated in the "daily updates
> >> >> run" when new ranges are allocated.
> >> > 
> >> > DNS checks would be overkill for a list that doesn't change that
> >> > often.
> >> 
> >> Overkill yes, but "affordable", especially with results being cached.
> >> Personally I would favor DNS for data that _does_ change, even if
> >> only very rarely.
> > 
> > It just doesn't make sense. Do you know how many requests they would
> > be flooded with if it was default SA option? It would query _all_
> > untrusted IP and by-clauses in Received path? How is that
> > "affordable"?
> 
> Well, it obviously depends on your setup, but even if you don't have
> your own DNS, the results can be cached locally (nscd), so the overhead
> is still not a lot (IMHO).
> Anyway, like I said, it's just my personal preference.

If it's your preference, you are free to use it that way and code a plugin
for it (it can't be made to work without mods/plugin currently). They do
offer free zone transfers, so it's not that bad. But disregarding personal
preferences, it makes no sense to use DNS generally for this list.
