spamassassin-dev October 2011 archive

[Bug 6668] DNSWL is lacking a rule to communicate excessive use to users

From: <bugzilla-daemon_at_nospam>
Date: Mon Oct 03 2011 - 22:18:28 GMT
To: dev@spamassassin.apache.org

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6668

--- Comment #14 from Kevin A. McGrail <kmcgrail@pccc.com> 2011-10-03 22:18:28 UTC ---
> > But again, I am one vote and this
> > is my opinion.
>
> "Votes on code modifications follow a different model. In this scenario, a
> negative vote constitutes a veto, which cannot be overridden."
> "...the proposal requires three positive votes and no negative ones in order to
> pass..."
> - http://www.apache.org/foundation/voting.html
>
> By our rules, it's enough on its own to make this not happen.

Good point. Well I have not voted formally so I don't need to withdraw a vote.
So let's continue the discussion and get more votes and I won't submarine it if
others agree with you.

> > - the NET result of the rules for the RBL in question in total add up to zero
> > (or subsequently similar e.g. 0.0001, etc.) So if there is a positive score and
> > a negative score, the two together = 0. In other words, an RBL can't issue a
> > response that incorrectly affects scores on purpose due to limits, technical
> > errors, etc.
>
> I believe that requirement would eliminate dnswl.org's interest. Since you're
> willing to veto without it, I think that's sufficient to consider this thread
> dead.

I would strongly try and convince others it is wrong to purposefully give wrong
answers from an RBL that lead to skewed scoring. If a patch you are proposing
skews the scores plus or minus, expect me to request for it to be revised to a
net 0.

If DNSWL only wants a case where the scores are skewed to gain attention from
admins/users, then it seems they want SA to be a sales lead generator. This is
exactly what I want to prevent.

> I don't understand why you say that. It's just another way of handling a
> 127.0.0.255 within spamassassin. So as far as RBLs and WLs are concerned it's
> still just an implementation of providing a .255 response for users who are
> over limit.

Because to me 255 is a legitimate bit mask for a valid response.

- Do older versions of SA contain code that considers .255 as an invalid
response for an RBL?

- Is there agreement among RBLs that .255 is considered an error code?

I would support some standard for an error code but likely it should be
something in a different class C such as 192.168.255.X or something similar.

And I have more ideas on it I'll add below.

> As an example, say an email provider is using spamassassin to filter millions
> of emails a day. Some of the rules (RCVD_IN_XBL, RCVD_IN_PBL, RCVD_IN_SBL)
> cause queries to zen.spamhaus.org. That being over their free use
> threshold, they start returning (only) 127.0.0.255 for all queries, to indicate
> the over limit condition. SpamAssassin notices the 127.0.0.255 value, and
> stops running all rules that hit zen.spamhaus.org.

Zen, according to their docs, does not issue a .255. See
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#200

But assuming they did, your ISP uses an old version of SA, Zen responds with
.255 and it's considered true and legitimate email gets blocked.

In short, an error bitmask will have YEARS of lag in getting an error code in
place for RBLs.

The only way I see it could happen is to get an RBL to announce via
alternate names so querying zen.spamhaus.org would never give out .255 but
querying zenv2.spamhaus.org could implement an error code response that APIs
would know how to properly implement.

> > but
> > this sounds a bit like a DoS ready to happen AND it's a case where the rule
> > that implemented this likely couldn't be on by default as shipped by SA. If
> > they are smart enough to turn on the feature, they likely know enough about RBL
> > queries to perform local caching, rsync, etc.
>
> How is that a DoS ready to happen? Are we having another misunderstanding
> here?

I just see that as an avenue to figure out how to trick your system into
getting a DNS response that changes SA not to query an RBL in order to get all
my Spam through. With the number of DNS servers that change responses, this
doesn't sound that hard.

> > I run quite a number of RBL public nameservers. I don't consider the traffic
> > to be that big a deal and I can blackhole queries quite easily.
>
> Are they RBLs that spamassassin has enabled by default? I run one dnswl.org
> mirror, and the only reason I can do that is my provider is willing to overlook
> my bandwidth limit due to a belief that dnswl is worth supporting. Mirroring
> dnswl.org causes almost all of my bandwidth usage.

If DNSWL needs another public mirror, have them email me. The solution to me
is to increase public mirrors not to harm the flow of email to try and get
people to use the service less.

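The failure mode discussed in this message, as an added example that is not part of the original post or SpamAssassin's own code: a bitmask-only client reads 127.0.0.255 as a hit on every sub-list, while a client that knows the value as an over-limit sentinel drops the zone's rules so the net score is zero. The rule names, bits and scores are constructed, and discarding answers outside 127.0.0.0/8 is an assumption of this sketch.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
OVER_LIMIT = ipaddress.ip_address("127.0.0.255")  # value proposed in the thread

# Constructed rule table: rule name -> (bit in last octet, score)
RULES = {"LIST_A": (0x02, 1.5), "LIST_B": (0x04, 2.0), "LIST_C": (0x08, 3.0)}


def bitmask_hits(addrs):
    """Rules whose bit is set in the last octet of any answer."""
    hits = set()
    for addr in addrs:
        octet = int(addr) & 0xFF
        hits.update(name for name, (bit, _) in RULES.items() if octet & bit)
    return sorted(hits)


def legacy_eval(answers):
    """Bitmask-only client: every A record is treated as list data."""
    return bitmask_hits(ipaddress.ip_address(a) for a in answers)


def sentinel_aware_eval(answers):
    """Return (hits, over_limit) for one zone's answers.

    Answers outside 127.0.0.0/8 are not list data (for example a resolver
    that rewrites responses) and are dropped. If the sentinel is present,
    no rule for the zone fires, so the zone contributes a net score of 0.
    """
    addrs = [ipaddress.ip_address(a) for a in answers]
    listed = [a for a in addrs if a in LOOPBACK]
    if OVER_LIMIT in listed:
        return [], True
    return bitmask_hits(listed), False


def score(hits):
    """Sum of the constructed scores for the rules that fired."""
    return sum(RULES[name][1] for name in hits)


if __name__ == "__main__":
    for sample in (["127.0.0.4"], ["127.0.0.255"], ["203.0.113.7"]):
        print(sample, legacy_eval(sample), sentinel_aware_eval(sample))
```

The `over_limit` flag is what an operator would log or alert on; it is kept separate from scoring so that the sentinel never moves a message's score in either direction.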