On 4/10/2012 3:16 PM, Axb wrote: > On 04/10/2012 08:07 PM, Rob McEwen wrote: > >> (b) If anyone programs this idea into SA, or anywhere else, then >> this should be a separate step AFTER regular URI checking....giving >> the message a chance to "short circuit" out of processing if it >> already scored high enough after URI checking. Why? Because this >> would defeat some of the benefits of fast URI checking if it was >> done in tandem with the URI checking. Basically, URI checking >> can be >> lightening fast... especially if you are checking the extracted >> URIs >> against a local rbldnsd server. In contrast, anytime you do a name >> server lookup to some stranger's domain, you're subjecting yourself >> to the mercy of their reply speed... and many of those spammers use >> screwed up and/or overloaded equipment. (even if your DNS timeout >> setting becomes a "safety net", that is still order of magnitudes >> slower than rbldnsd checking!) > > afaik, SA does async lookups so you have next to no delay - negligible
sounds good.. except... consider this scenario... A person uses the system I described above, but where the name server fetches, & lookups on domains contained within those nameserver hosts... all happen async. But the domains themselves are HEAVILY blacklisted.... found on SURBL, URIBL, DBL, and ivmURI... and the end users subscribes to datafeeds from ALL of those... so THOSE lookups are to a local rbldnsd server running on a dedicated machine.. which means... super fast queries... as in <1ms. With those domains in that message getting MANY hits, and with other things already having hit... suddenly... the spam score jumps super high in extremely little time. Meanwhile, the snowshoe spammer's DNS server happens to be messed up, overloaded, and returns answers within about 4 seconds. in this scenario... which, though rare... might actually be MORE common percentage-wise than the number of times an actual domain-blacklist "hit" on a domains' nameserver actually causes a spam to be blocked.... again, in this scenario, async or not... doesn't that whole mail session then get "bottled up" on waiting on the nameserver lookups? -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032