On Fri, 2014-05-16 at 12:14 -0700, Ian Zimmerman wrote:
> Just for the fun of it, I did a manual whois on the domain of one random
> spam I got today which was not killed by SA.
>
> Sure enough, the domain was a day old.
>
> Running SA --debug on the spam I can see that URIBL_RHS_DOB lookup is
> attempted but comes back with NXDOMAIN. So I have to question how
> effective that rules really is ... I don't know how often the
> underlying RBL [1] refreshes - could that be the reason?
Yes, it might be the reason. In which case a subsequent SA debug re-run
should eventually hit the DOB rule.
I don't know whether DOB limits DNS queries of a single host.
However, if you *never* get that rule firing, the NXDOMAIN result may
indicate exceeding a query limit. Do you use a local caching DNS
resolver, or does SA use your upstream ISP's one, along with a million
other SA instances?
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
