On 12/13/2011 10:37 AM, Kevin A. McGrail wrote:
>> This system would result in one query per BL per SA restart, or per
>> ruleset reload or per hour or whatever, rather than one or more
>> queries per processed message. That's a step forward to DNSBL
>> operators, but more importantly, it would avoid the situation where
>> users are negatively impacted by BL failures.
>
> Definitely on the same page. My thoughts are to build on the block
> notification rules to implement code that blocks the DNSBL queries for
> 1 hour. However, that's kind of a phase II. And since I doubt there
> will be consensus from DNSBL operators, it'll really be a one off
> thing per DNSBL to implement unless some alignment of planets occurs
> that I doubt is even in motion ;-)
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6724

I don't think there really needs to be consensus. I've yet to see one
that blocks 127.0.0.1, and they all have some sort of test address
(usually 127.0.0.x).

Given that the worst that happens if this system fails is that SA stops
using the list until sa-update updates the check rule, as long as the
test IPs can be configured on a per-DNSBL basis, there shouldn't really
be a problem.

* DNSBL includes DNSWLs, domain-based lists, etc... All we need is a
"this entry should cause a result" and "this entry should not"; whether
it's positive or negative, an IP or domain, etc., shouldn't matter.

--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
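
The per-list check discussed in this thread, sketched as an added example (not part of the original message and not SpamAssassin code): each list gets one "should hit" and one "should miss" probe, the verdict is cached for an hour, and a list that fails either probe is skipped. The class names, the `.example` zones, the probe labels and the stub resolver are all hypothetical, constructed so the example runs offline.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ListProbe:
    zone: str       # list zone (DNSBL, DNSWL or domain-based list)
    must_hit: str   # query label that should return a result
    must_miss: str  # query label that should return nothing


class ListHealth:
    """Probe each list once per ttl instead of finding out per message."""

    def __init__(self, resolve, ttl=3600, clock=time.monotonic):
        self._resolve, self._ttl, self._clock = resolve, ttl, clock
        self._state = {}  # zone -> (checked_at, usable)

    def usable(self, probe):
        now = self._clock()
        cached = self._state.get(probe.zone)
        if cached and now - cached[0] < self._ttl:
            return cached[1]  # no DNS traffic until the verdict expires
        try:
            hit = bool(self._resolve(f"{probe.must_hit}.{probe.zone}"))
            miss = not self._resolve(f"{probe.must_miss}.{probe.zone}")
            ok = hit and miss
        except OSError:  # timeout or resolver error: stop using the list
            ok = False
        self._state[probe.zone] = (now, ok)
        return ok


# Constructed sample configuration: test entries are set per list.
PROBES = [
    ListProbe("bl.example", "2.0.0.127", "1.0.0.127"),    # healthy IP list
    ListProbe("wild.example", "2.0.0.127", "1.0.0.127"),  # answers everything
    ListProbe("dead.example", "2.0.0.127", "1.0.0.127"),  # times out
    ListProbe("uri.example", "test", "invalid"),          # domain-based list
]


def fake_resolve(name):
    """Stub resolver (constructed): A records for a name, [] if none."""
    if name.endswith(".dead.example"):
        raise TimeoutError(name)
    if name.endswith(".wild.example"):
        return ["127.0.0.2"]
    listed = {"2.0.0.127.bl.example", "test.uri.example"}
    return ["127.0.0.2"] if name in listed else []


def usable_zones(health, probes):
    return [p.zone for p in probes if health.usable(p)]
```

In a real deployment `resolve` would wrap the system resolver; the negative probe is what catches a list that has started answering every query.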