Bug #: 6724
Summary: DNS Blacklists returning purposefully wrong answers as
part of Anti-Abuse / Free for Some Policies
Version: SVN Trunk (Latest Devel Version)
OS/Version: Windows 7
Bug 6668 referenced a policy in URIBL that will return purposefully wrong
answers. Therefore, this ticket is open to clarify the policy on use of BLs in
SA by default that might purposefully respond with wrong answers.
For URIBL, they define this policy: http://uribl.com/about.shtml#abuse
"BLOCKED - POSITIVE RESPONSE ACL
# host -tA 126.96.36.199.multi.uribl.com
188.8.131.52.multi.uribl.com has address 127.0.0.255
# host -tTXT 184.108.40.206.multi.uribl.com
220.127.116.11.multi.uribl.com descriptive text "18.104.22.168 has been block due to
* Positive ACLs will only be used for extreme cases."
This policy is similar to DNSWL's that led to disabling DNSWL by default
recently as discussed beginning in October when they started implementing the
Abuse is a reality of running a DNS-based BL and needing to block resources
from hogs makes administrative sense.
However, if this policy is implemented at URIBL to purposefully give wrong
answers, URIBL needs to also be considered for disabling by default.
1 - Are any other BLs doing this that are supported by SA by default?
2 - What is a policy that SA can support to protect the Nameservers from Abuse?
I propose only the following two solutions:
1 - Block/do not respond to queries so that no rules misfire purposefully.
This is the current policy.
2 - For DNS blacklists using a multi/combined lists, a rule for an octet that
is a blocked answer could be implemented with a simple rule.
- They must return only the bit for the block with no bits that provide
purposefully wrong answers.
- The score on the rule that acknowledges a block should be minimal, i.e. 0.001
- The message on the rule would have to link to a generic page on SA's wiki
regarding "free for some" services and would be uniform for all BLs. It will
specifically NOT lead to a subscription page for a vendor as SA is not an
This solution could be implemented in current SA releases with a rules update
The bad part is that this answer doesn't appear to achieve much, because it
still responds to each query, but apparently it might lower traffic from
retries. Hopefully, they can also give a high TTL on the blocked query answer
so caching is more effective.
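An added illustration (not part of the original bug report or of SpamAssassin's code) of why a blocked answer of 127.0.0.255 fires every sub-rule of a combined list, while an answer carrying only the block bit fires just the minimal-score rule. The rule names, bit layout, scores and the guard_blocked option are assumptions made for this example.

```python
import ipaddress

# Assumed bit layout for the last octet of a combined ("multi") list answer.
# Illustrative only: not taken from the page or from any list's documentation.
RULES = {
    "BL_BLOCKED": 0x01,  # querier has been blocked by the list operator
    "BL_BLACK": 0x02,
    "BL_GREY": 0x04,
    "BL_RED": 0x08,
}
# Constructed scores; the block rule carries the minimal 0.001 proposed above.
SCORES = {"BL_BLOCKED": 0.001, "BL_BLACK": 1.7, "BL_GREY": 0.4, "BL_RED": 0.1}


def fired_rules(answer):
    """Return the rule names whose bit is set in a 127.0.0.x answer."""
    octets = ipaddress.IPv4Address(answer).packed
    if octets[:3] != b"\x7f\x00\x00":
        return []  # not a list return code: ignore rather than guess
    return [name for name, bit in RULES.items() if octets[3] & bit]


def is_block_only(answer):
    """True when the answer signals a block and carries no listing bits."""
    return fired_rules(answer) == ["BL_BLOCKED"]


def score(answer, guard_blocked=False):
    """Sum the scores of fired rules.

    guard_blocked is a client-side check added by this example: when the
    block bit is set, the listing bits are treated as untrustworthy.
    """
    hits = fired_rules(answer)
    if guard_blocked and "BL_BLOCKED" in hits:
        hits = ["BL_BLOCKED"]
    return round(sum(SCORES[h] for h in hits), 3)


if __name__ == "__main__":
    # 127.0.0.255 is the blocked answer quoted in the report; the other two
    # are constructed: block bit only, and a genuine single-list hit.
    for ans in ("127.0.0.255", "127.0.0.1", "127.0.0.2"):
        print(ans, fired_rules(ans), score(ans), score(ans, guard_blocked=True))
```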