https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6048
--- Comment #23 from Dallas Engelken <[email protected]> 2009-01-22 11:03:50 PST ---

(In reply to comment #3)
> (In reply to comment #2)
> > It would be far more sensible to actually firewall port 53 from these IP
> > ranges so that it causes timeouts instead - that would be a far better way
> > to get people to notice without the collateral damage.

We have no management of most of the mirrors as they are set up by the owner, and many of them are not just serving zones for uribl, so filtering heavy users from querying *.uribl.com at the packet level is not possible.

rbldnsd ACLs actually have an 'ignore' option which is the next closest thing to packet-level filtering, and we initially went with that option. Shortly after, we found the mirrors had a 300% increase in traffic, as the non-response actually caused a client-side timeout and the DNS retry features in the resolver code caused resends of the query multiple times.

So we've settled on the 'empty' option, which results in NXDOMAIN being returned to all queries. We also make every attempt to notify the end user. If no action is taken, only then would it change to a positive response. We have over 40k unique IPs hitting our mirrors, and just 120 positive ACLs for the heaviest users who never took action on the negative ACL.

I'm okay with whatever SA wants to do. I don't think URIBL ACL policy needs to change. With the public DNS infrastructure we have, I don't see any other effective way to stem the abuse, unless we take all the donated public mirrors offline and only serve mirrors which are controlled by us. Then we could put packet filtering in place. If we did that, I know there are some donated mirrors that would be upset to lose those public queries. Can't make everyone happy I suppose.

D
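The comment above describes two operational problems for a blocklist mirror: finding the heavy-hitting clients (by address or by range) that warrant an ACL entry, and choosing a response for them that does not trigger resolver retransmits. The script below is an added example, not code from this bug thread, from URIBL, or from rbldnsd. It assumes a generic, constructed query log layout (`<unix_ts> <client_ip> <qname> <qtype>`, which is not rbldnsd's real log format), a hypothetical per-client query limit, and the `acl_mode` names `empty` and `ignore` are used only to mirror the thread's vocabulary, not any real rbldnsd configuration syntax.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample query log in a generic "<unix_ts> <client_ip> <qname> <qtype>"
# layout (an assumption for this example, not rbldnsd's actual log format).
SAMPLE_LOG = """\
# ts         client        qname                          qtype
1232650000 198.51.100.7  example.com.multi.uribl.com      A
1232650001 198.51.100.7  example.net.multi.uribl.com      A
1232650002 203.0.113.9   example.org.multi.uribl.com      A
1232650050 198.51.100.7  example.com.multi.uribl.com      TXT
1232651000 192.0.2.44    spam.example.multi.uribl.com     A
1232652000 198.51.100.7  foo.example.multi.uribl.com      A
1232653599 203.0.113.9   bar.example.multi.uribl.com      A
"""


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each non-comment line.

    Client addresses are validated with ipaddress and returned as strings so
    the counters below can be keyed and compared without extra imports.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        yield int(ts), str(ip_address(client)), qname.lower(), qtype.upper()


def queries_per_client(text):
    """Count queries per client IP address."""
    return Counter(client for _, client, _, _ in parse_query_log(text))


def queries_per_prefix(text, prefix_len=24):
    """Aggregate per-client counts into /prefix_len networks.

    A busy site often queries from several resolver IPs in one range, so the
    per-address view alone can understate how heavy one sender really is.
    """
    counts = Counter()
    for client, n in queries_per_client(text).items():
        net = ip_network(f"{client}/{prefix_len}", strict=False)
        counts[str(net)] += n
    return counts


def heavy_hitters(counts, limit):
    """Return the keys whose query count exceeds `limit`, busiest first."""
    return [key for key, n in counts.most_common() if n > limit]


def response_for(client, heavy, acl_mode="empty"):
    """Decide how the mirror answers a client.

    'empty'  -> NXDOMAIN for heavy clients: the resolver accepts the answer
                as final and stops, so there is no retry storm.
    'ignore' -> no packet at all: the client's resolver times out and
                retransmits, which the thread reports tripled traffic.
    Clients not on the heavy list are answered normally.
    """
    if client not in heavy:
        return "answer"
    return "nxdomain" if acl_mode == "empty" else "drop"


if __name__ == "__main__":
    per_client = queries_per_client(SAMPLE_LOG)
    heavy = heavy_hitters(per_client, limit=3)  # hypothetical limit
    print("per client:", dict(per_client))
    print("per /24:   ", dict(queries_per_prefix(SAMPLE_LOG)))
    print("heavy:     ", heavy)
    for client in per_client:
        print(client, "->", response_for(client, heavy))
```

The `limit` is deliberately tiny so the sample log trips it; in practice the threshold would be a per-hour or per-day budget, and the prefix view is what lets an operator notify one organisation rather than chasing each of its resolvers separately.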
