On Fri, 2014-05-16 at 12:14 -0700, Ian Zimmerman wrote: > Just for the fun of it, I did a manual whois on the domain of one random > spam I got today which was not killed by SA. > > Sure enough, the domain was a day old. > > Running SA --debug on the spam I can see that URIBL_RHS_DOB lookup is > attempted but comes back with NXDOMAIN. So I have to question how > effective that rules really is ... I don't know how often the > underlying RBL [1] refreshes - could that be the reason?
Yes, it might be the reason. In which case a subsequent SA debug re-run should eventually hit the DOB rule. I don't know whether DOB limits DNS queries of a single host. However, if you *never* get that rule firing, the NXDOMAIN result may indicate exceeding a query limit. Do you use a local caching DNS resolver, or does SA use your upstream ISP's one, along with a million other SA instances? -- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}