https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6668
--- Comment #14 from Kevin A. McGrail <[email protected]> 2011-10-03 22:18:28 UTC ---

> > But again, I am one vote and this
> > is my opinion.
>
> "Votes on code modifications follow a different model. In this scenario, a
> negative vote constitutes a veto, which cannot be overridden."
> "...the proposal requires three positive votes and no negative ones in order
> to pass..."
> - http://www.apache.org/foundation/voting.html
>
> By our rules, it's enough on its own to make this not happen.

Good point. Well I have not voted formally so I don't need to withdraw a vote. So let's continue the discussion and get more votes and I won't submarine it if others agree with you.

> > - the NET result of the rules for the RBL in question in total add up to
> > zero (or subsequently similar e.g. 0.0001, etc.) So if there is a positive
> > score and a negative score, the two together = 0. In other words, an RBL
> > can't issue a response that incorrectly affects scores on purpose due to
> > limits, technical errors, etc.
>
> I believe that requirement would eliminate dnswl.org's interest. Since you're
> willing to veto without it, I think that's sufficient to consider this thread
> dead.

I would strongly try and convince others it is wrong to purposefully give wrong answers from an RBL that lead to skewed scoring. If a patch you are proposing skews the scores plus or minus, expect me to request for it to be revised to a net 0.

If DNSWL only wants a case where the scores are skewed to gain attention from admins/users, then it seems they want SA to be a sales lead generator. This is exactly what I want to prevent.

> I don't understand why you say that. It's just another way of handling a
> 127.0.0.255 within spamassassin. So as far as RBLs and WLs are concerned it's
> still just an implementation of providing a .255 response for users who are
> over limit.

Because to me 255 is a legitimate bit mask for a valid response.
- Do older versions of SA contain code that considers .255 as an invalid response for an RBL?
- Is there agreement among RBLs that .255 is considered an error code?

I would support some standard for an error code but likely it should be something in a different class C such as 192.168.255.X or something similar. And I have more ideas on it I'll add below.

> As an example, say an email provider is using spamassassin to filter millions
> of emails a day. Some of the rules (RCVD_IN_XBL, RCVD_IN_PBL, RCVD_IN_SBL)
> cause queries to zen.spamhaus.org. That being over their free use
> threshold, they start returning (only) 127.0.0.255 for all queries, to
> indicate the over limit condition. SpamAssassin notices the 127.0.0.255
> value, and stops running all rules that hit zen.spamhaus.org.

Zen, according to their docs, does not issue a .255. See http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#200

But assuming they did, your ISP uses an old version of SA, Zen responds with .255 and it's considered true and legitimate email gets blocked.

In short, an error bitmask will have YEARS of lag in getting an error code in place for RBLs. The only way I see it could happen is to get an RBL to announce via alternate names so querying zen.spamhaus.org would never give out .255 but querying zenv2.spamhaus.org could implement an error code response that APIs would know how to properly implement.

> > but this sounds a bit like a DoS ready to happen AND it's a case where the
> > rule that implemented this likely couldn't be on by default as shipped by
> > SA. If they are smart enough to turn on the feature, they likely know
> > enough about RBL queries to perform local caching, rsync, etc.
>
> How is that a DoS ready to happen? Are we having another misunderstanding
> here?

I just see that as an avenue to figure out how to trick your system into getting a DNS response that changes SA not to query an RBL in order to get all my Spam through.
With the number of DNS servers that change responses, this doesn't sound that hard.

> > I run quite a number of RBL public nameservers. I don't consider the
> > traffic to be that big a deal and I can blackhole queries quite easily.
>
> Are they RBLs that spamassassin has enabled by default? I run one dnswl.org
> mirror, and the only reason I can do that is my provider is willing to
> overlook my bandwidth limit due to a belief that dnswl is worth supporting.
> Mirroring dnswl.org causes almost all of my bandwidth usage.

If DNSWL needs another public mirror, have them email me. The solution to me is to increase public mirrors not to harm the flow of email to try and get people to use the service less.
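Added example, not part of the comment above and not SpamAssassin's code: a small model of the two client behaviours the thread contrasts. One client reads the last octet of a DNSBL answer as a bitmask, so 127.0.0.255 sets every bit; the other treats 127.0.0.255 as an over-limit sentinel and stops evaluating that zone. The rule names, bit assignments and zone names are assumptions made up for illustration.

```python
import ipaddress

# Hypothetical sub-list rules for one DNSBL zone: rule name -> bit in last octet.
BITMASK_RULES = {"LIST_A": 0x02, "LIST_B": 0x04, "LIST_C": 0x08}
OVER_LIMIT = ipaddress.IPv4Address("127.0.0.255")  # sentinel discussed in the thread
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def decode(answer):
    """Return the rules whose bit is set, or [] if the answer is not in 127/8."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in LOOPBACK:
        return []
    last_octet = int(addr) & 0xFF
    return sorted(n for n, bit in BITMASK_RULES.items() if last_octet & bit)


def legacy_hits(answer):
    """Client with no sentinel handling: .255 is just 'all bits set'."""
    return decode(answer)


class SentinelAwareClient:
    """Treats the sentinel as 'stop running rules for this zone', not a listing."""

    def __init__(self):
        self.disabled_zones = set()

    def hits(self, zone, answer):
        if zone in self.disabled_zones:
            return []  # zone stays off after one sentinel answer
        if ipaddress.IPv4Address(answer) == OVER_LIMIT:
            self.disabled_zones.add(zone)
            return []
        return decode(answer)


if __name__ == "__main__":
    # Constructed answers, not captured DNS traffic.
    print("legacy, .255:", legacy_hits("127.0.0.255"))
    client = SentinelAwareClient()
    print("aware, .255:", client.hits("dnsbl.example", "127.0.0.255"))
    print("aware, later .2:", client.hits("dnsbl.example", "127.0.0.2"))
```

The legacy path shows why an unannounced .255 can fire every bitmask rule on clients that predate the convention; the sentinel-aware path shows that a single .255 answer silences the zone, so where that answer came from matters.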
