[Discussion moved from the users list to the dev list]
Matthias Leisi wrote on 25/09/24 5:38 pm:
process after the first 127.0.0.255 is received you would feel
better about relying on that. Or maybe you can think of another
compromise suggestion.
After I sent that I noticed that the configuration options include
dns_block_time for the number of seconds queries are suppressed, default
300. I would be fine for setting it much higher in the default
configuration for dnswl if that helps more.
I'm very open to suggestions for a better process / better actions
with less collateral damage.
I can suggest that we run a statistical experiment by turning all
non-.255 responses into .255 responses and then compare the rate of
queries.
As soon as you can assure me that there will be no more purposely false
HI responses I can re-enable the rules in the rules update. We can
experiment with any ideas we come up with in addition to the all .255 test.
When I do that I will look at the rule description for
RCVD_IN_DNSWL_BLOCKED to see what I can do to make the wording stronger
to encourage end-users to contact their ISP and sysadmins to properly
configure their nameserver or purchase a subscription.
I'm constrained for these experiments by only being able to make changes
that can be implemented in the rule updates. Anything that requires
changes in the code can't be tested on a large scale and won't be seen
by anyone before there is a new release and it is picked up widely.
One question I have: What is the stress on your resources of queries
that you give a 127.0.0.255 return as compared to SERVFAIL or BLOCKED
responses to the query? If you are able to fail queries more quickly
(with less resource), then it could work to return 127.0.0.255 once,
then fail the response for subsequent queries for some amount of time
that is a little less than the dns_block_time we set for dnswl. That
way, SpamAssassin configurations will only do one query every
dns_block_time seconds, getting the 127.0.0.255 each time, and non-SA
sites that keep querying anyway will mostly get the lower resource query
fail. Of course, if you do not save resources by failing the queries,
then that is not relevant.
Anyway, let me know when you have the test set up and I'll re-enable the
rules.
Thanks,
Sidney
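The "answer 127.0.0.255 once, then fail cheaply for a little less than dns_block_time" scheme sketched in the message above, as an added simulation that is not part of the original thread and not SpamAssassin or dnswl.org code. It assumes the dns_block_time behaviour as described there (a site that receives 127.0.0.255 sends no further queries for dns_block_time seconds), models the failure answer as SERVFAIL, and uses constructed relative costs and query intervals; the `ListServer` and `Client` classes and the `simulate` function are hypothetical names chosen for this example.

```python
# Added simulation (not SpamAssassin or dnswl.org code) of the scheme discussed
# in the thread: the list answers 127.0.0.255 once per resolver, then returns a
# cheap failure for a window slightly shorter than SpamAssassin's dns_block_time.
# Clients, costs and time steps below are constructed for illustration.
from typing import Dict, Tuple

BLOCKED = "127.0.0.255"   # return code meaning "this resolver is blocked"
SERVFAIL = "SERVFAIL"     # assumed cheap failure answer
COST_FULL = 10            # constructed relative cost of a .255 answer
COST_FAIL = 1             # constructed relative cost of a SERVFAIL


class ListServer:
    """Per-resolver policy: one .255 answer, then SERVFAIL for fail_window seconds."""

    def __init__(self, fail_window: int) -> None:
        self.fail_window = fail_window
        self.last_full: Dict[str, int] = {}   # resolver -> time of last .255 answer
        self.cost = 0

    def query(self, resolver: str, now: int) -> str:
        last = self.last_full.get(resolver)
        if last is not None and now - last < self.fail_window:
            self.cost += COST_FAIL
            return SERVFAIL
        self.last_full[resolver] = now
        self.cost += COST_FULL
        return BLOCKED


class Client:
    """A querying site. honours_block=True mimics dns_block_time: after a .255
    answer no further queries are sent for block_time seconds.
    honours_block=False is a site that keeps querying regardless of answers."""

    def __init__(self, name: str, honours_block: bool, block_time: int) -> None:
        self.name = name
        self.honours_block = honours_block
        self.block_time = block_time
        self.blocked_until = -1
        self.answers: Dict[str, int] = {BLOCKED: 0, SERVFAIL: 0}

    def wants_query(self, now: int) -> bool:
        return not self.honours_block or now >= self.blocked_until

    def handle(self, answer: str, now: int) -> None:
        self.answers[answer] += 1
        if answer == BLOCKED and self.honours_block:
            self.blocked_until = now + self.block_time


def simulate(duration: int, interval: int, block_time: int,
             fail_window: int) -> Tuple[Dict[str, Dict[str, int]], int]:
    """Run a dns_block_time-honouring site and a naive site (each its own
    resolver) against one list server; each would query every `interval`
    seconds. Returns per-site answer counts and the server's total cost."""
    server = ListServer(fail_window)
    clients = [Client("spamassassin", True, block_time),
               Client("naive", False, block_time)]
    for now in range(0, duration, interval):
        for c in clients:
            if c.wants_query(now):
                c.handle(server.query(c.name, now), now)
    return {c.name: dict(c.answers) for c in clients}, server.cost


if __name__ == "__main__":
    # fail_window a little below dns_block_time, as proposed in the thread
    print(simulate(duration=1800, interval=10, block_time=300, fail_window=290))
    # no failure window at all: every query costs a full answer
    print(simulate(duration=1800, interval=10, block_time=300, fail_window=0))
    # fail_window longer than dns_block_time: the SA site starts seeing SERVFAILs
    print(simulate(duration=1800, interval=10, block_time=300, fail_window=310))
```

With a 290-second failure window under a 300-second dns_block_time, the dns_block_time-honouring site sees only 127.0.0.255 answers (one per window), while the site that keeps querying every 10 seconds receives mostly SERVFAIL; the third run shows why the window must stay below dns_block_time: once it exceeds it, the well-behaved site's next query after the block expires lands inside the failure window and is wasted.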