Mailing List Archive

AskDNS with a DNAME
I'm trying to use a rule like this:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A 127.0.0.2

where I have this in my db.local running bind9:

sendgrid-id IN DNAME sendgrid-id.LICENSEKEY.invaluement.com.

where LICENSEKEY is a valid license key. I can query this on the command line:

% host 16582324.sendgrid-id.localhost
sendgrid-id.localhost has DNAME record sendgrid-id.LICENSEKEY.invaluement.com.
16582324.sendgrid-id.localhost is an alias for 16582324.sendgrid-id.LICENSEKEY.invaluement.com.
16582324.sendgrid-id.LICENSEKEY.invaluement.com has address 127.0.0.2

But the AskDNS plugin seems to see only the first alias response and
ignores the actual 127.0.0.2 response. The rule is never hit. If I
put the license key in the cf file directly, it is (and the license
key gets added to the email headers which is what I am trying to
avoid by doing a DNAME record in my .localhost db.local!)

This technique of using a DNAME record works fine for milters.

Ultimately I want the spamassassin report in the headers but I don't
want the license key in there.

Is there some way to get this to work?

Not sure if this isn't actually a bug in AskDNS to be honest.

Michael Grant
AskDNS with a DNAME
I don't know about AskDNS, but this technique works with stock spamhaus rules via spamhaustech. I have a local spamhaus.net zone with a DNAME record as their nameservers block me anyway.
You could try with an invaluement.com zone at least temporarily as a comparison to AskDNS.
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 02:14:55PM +0000, Damian wrote:
> I don't know about AskDNS, but this technique works with stock spamhaus rules via spamhaustech. I have a local spamhaus.net zone with a DNAME record as their nameservers block me anyway.
> You could try with an invaluement.com zone at least temporarily as a comparison to AskDNS.

As I said, it does work if I do this:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.<LICENSEKEY>.invaluement.com A 127.0.0.2

But then, the LICENSEKEY gets embedded in the spamassassin report which I don't want.

I've traced through the AskDNS plugin and it's definitely only looking
at the first response that gets returned in this case. I also tried a regex submatch like:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/

and still not working. The AskDNS code which loops through the result
only looks at the alias result that's returned.
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> Ultimately I want the spamassassin report in the headers but I don't
> want the license key in there.
>
you can set 'tflags net nolog' if you are using trunk.
Invaluement uri and license key will be printed as *redacted*.
Giovanni
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > Ultimately I want the spamassassin report in the headers but I don't
> > want the license key in there.
> >
> you can set 'tflags net nolog' if you are using trunk.
> Invaluement uri and license key will be printed as *redacted*.
> Giovanni
>

Hi Giovanni, unfortunately, this did not work either.

I just pulled from your repo to make sure I was on master. I added
nolog, the pertinent lines look like this:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
describe RBL_SENDGRID_ID Sendgrid Id blacklist
tflags RBL_SENDGRID_ID net nolog

askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
describe RBL_SENDGRID_DOM Sendgrid domain blacklist
tflags RBL_SENDGRID_DOM net nolog

And this is what I see in the spamassassin report in the header:
* 1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
* [16582324.sendgrid-id.MYLICENSE.invaluement.com A:127.0.0.2]

Michael Grant
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021, Michael Grant wrote:

> I've traced through the AskDNS plugin and it's definitely only looking
> at the first response that gets returned in this case. I also tried a regex submatch like:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/
>
> and still not working. The AskDNS code which loops through the result
> only looks at the alias result that's returned.

I would indeed characterize that as a bug in the AskDNS plugin. The fact
that it is an alias is not useful information to the evaluation of the
message's spamminess, and the information that *is* useful - critical, in
fact - is being discarded.

Please open a bugzilla ticket for this.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Usually Microsoft doesn't develop products, we buy products.
-- Arno Edelmann, Microsoft product manager
-----------------------------------------------------------------------
14 days until Albert Einstein's 142nd Birthday
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021 07:42:42 -0800 (PST)
John Hardin wrote:

> On Sun, 28 Feb 2021, Michael Grant wrote:
>
> > I've traced through the AskDNS plugin and it's definitely only
> > looking at the first response that gets returned in this case. I
> > also tried a regex submatch like:
> >
> > askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A
> > /127.0.0.2/
> >
> > and still not working. The AskDNS code which loops through the
> > result only looks at the alias result that's returned.
>
> I would indeed characterize that as a bug in the AskDNS plugin. The
> fact that it is an alias is not useful information to the evaluation
> of the message's spamminess, and the information that *is* useful -
> critical, in fact - is being discarded.
>
> Please open a bugzilla ticket for this.

There is already a very similar one:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021, RW wrote:

> On Sun, 28 Feb 2021 07:42:42 -0800 (PST)
> John Hardin wrote:
>
>> On Sun, 28 Feb 2021, Michael Grant wrote:
>>
>>> I've traced through the AskDNS plugin and it's definitely only
>>> looking at the first response that gets returned in this case. I
>>> also tried a regex submatch like:
>>>
>>> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A
>>> /127.0.0.2/
>>>
>>> and still not working. The AskDNS code which loops through the
>>> result only looks at the alias result that's returned.
>>
>> I would indeed characterize that as a bug in the AskDNS plugin. The
>> fact that it is an alias is not useful information to the evaluation
>> of the message's spamminess, and the information that *is* useful -
>> critical, in fact - is being discarded.
>>
>> Please open a bugzilla ticket for this.
>
> There is already a very similar one:
>
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875

Ok, good.

The AskDNS plugin code on trunk has had several changes that have not been
merged to the 3.4 branch for release.

I just ran a quick test on trunk with an askdns rule for a host that is a
CNAME and it appeared to work properly - it went through all the
responses and the rule did hit on the final resolved IP address.

Feb 28 08:18:40.625 [29038] dbg: dns: bgread: received 860 bytes from 10.1.0.254
Feb 28 08:18:40.628 [29038] dbg: dns: dns reply 39497 is OK, 2 answer records
Feb 28 08:18:40.628 [29038] dbg: askdns: answer received (__ASKDNS_DNAME_TEST), rcode NOERROR, query IN/A/ftp.impsec.org, answer has 2 records
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = CNAME
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = A
Feb 28 08:18:40.628 [29038] dbg: askdns: domain "ftp.impsec.org" listed (__ASKDNS_DNAME_TEST): 108.161.139.220

I don't know whether these changes, or just the recommended fix in 7875,
will make it into the pending 3.4 release.

Michael, you might consider using trunk for your SA install, or if that's
too risky, potentially pulling just the AskDNS plugin from trunk.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
14 days until Albert Einstein's 142nd Birthday
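Added example, not SpamAssassin's AskDNS code and not from any poster in this thread: a small Python walk over a DNS answer section that follows DNAME/CNAME aliases to the terminal A record, the behaviour John's trunk debug output above shows and the 3.4 plugin lacks according to Michael's trace, contrasted with a "first record only" lookup. The answer section is constructed by hand to mirror the `host 16582324.sendgrid-id.localhost` output in the first message; `LICENSEKEY` is a placeholder label, and the `RR` type and function names are this example's own.

```python
"""Follow DNAME/CNAME aliases in a DNS answer section to the terminal A
record, as an RBL-style lookup must, versus looking only at the first RR.

Added example: this is not SpamAssassin's AskDNS plugin code.  The answer
section is constructed by hand to mirror the `host` output earlier in the
thread; LICENSEKEY is a placeholder label, not a real key.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RR:
    name: str    # owner name, with or without trailing dot
    rtype: str   # "A", "CNAME", "DNAME", ...
    rdata: str   # target name for CNAME/DNAME, dotted quad for A


def _norm(name: str) -> str:
    """Canonicalise a DNS name: strip the root dot, lower-case."""
    return name.rstrip(".").lower()


def synthesize_cname(qname: str, dname: RR):
    """RFC 6672 substitution: for QNAME = <prefix>.<owner> and
    DNAME <owner> -> <target>, act as if CNAME <qname> -> <prefix>.<target>
    existed.  Returns None when the DNAME does not cover qname."""
    owner, q = _norm(dname.name), _norm(qname)
    if q == owner or not q.endswith("." + owner):
        return None
    prefix = q[: -(len(owner) + 1)]
    return RR(q, "CNAME", prefix + "." + _norm(dname.rdata))


def first_rr_only(qname: str, rtype: str, answer):
    """The failure mode described in the thread: only the first RR of the
    answer section is examined, so an alias record hides the real A data."""
    if not answer:
        return []
    rr = answer[0]
    return [rr.rdata] if rr.rtype.upper() == rtype.upper() else []


def resolve_chain(qname: str, rtype: str, answer, max_hops: int = 8):
    """Walk the answer section from qname through CNAMEs (explicit or
    DNAME-synthesised) and return the rdata of the terminal RRs of rtype.
    Returns [] if the chain does not end in a record of that type."""
    rtype = rtype.upper()
    rrs = [RR(_norm(r.name), r.rtype.upper(), r.rdata) for r in answer]
    current = _norm(qname)
    for _ in range(max_hops):
        hits = [r.rdata for r in rrs if r.name == current and r.rtype == rtype]
        if hits:
            return hits
        cname = [r for r in rrs if r.name == current and r.rtype == "CNAME"]
        if cname:
            current = _norm(cname[0].rdata)
            continue
        # No explicit CNAME: a DNAME covering `current` may still redirect it
        # (a server may omit the synthesised CNAME from the answer section).
        synthesized = next(
            (s for s in (synthesize_cname(current, r) for r in rrs if r.rtype == "DNAME") if s),
            None,
        )
        if synthesized is None:
            return []
        current = _norm(synthesized.rdata)
    raise ValueError(f"alias chain for {qname} exceeds {max_hops} hops")


def askdns_hit(qname: str, answer, expected: str) -> bool:
    """Does the terminal A data match `expected` (an IP or CIDR)?  This is
    the test an askdns rule ending in `A 127.0.0.2` expresses."""
    net = ip_network(expected, strict=False)
    return any(ip_address(a) in net for a in resolve_chain(qname, "A", answer))


# Constructed answer section matching the `host 16582324.sendgrid-id.localhost`
# output from the first message: DNAME, synthesised CNAME, then the A record.
QNAME = "16582324.sendgrid-id.localhost"
ANSWER = [
    RR("sendgrid-id.localhost.", "DNAME", "sendgrid-id.LICENSEKEY.invaluement.com."),
    RR("16582324.sendgrid-id.localhost.", "CNAME",
       "16582324.sendgrid-id.LICENSEKEY.invaluement.com."),
    RR("16582324.sendgrid-id.LICENSEKEY.invaluement.com.", "A", "127.0.0.2"),
]
# Same lookup with the synthesised CNAME omitted: the DNAME alone must do.
ANSWER_DNAME_ONLY = [ANSWER[0], ANSWER[2]]

if __name__ == "__main__":
    print("first RR only :", first_rr_only(QNAME, "A", ANSWER))       # []
    print("chain walked  :", resolve_chain(QNAME, "A", ANSWER))       # ['127.0.0.2']
    print("rule 127.0.0.2:", askdns_hit(QNAME, ANSWER, "127.0.0.2"))  # True
```

Walking the chain correctly makes the rule fire, but it does not by itself keep the key out of the report: the terminal owner name still carries it, which is why the hidden `__` subrule plus `meta` arrangement suggested later in the thread is the part that actually hides it.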
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021 10:33:15 -0500
Michael Grant wrote:

> On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> > On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > > Ultimately I want the spamassassin report in the headers but I
> > > don't want the license key in there.
> > >
> > you can set 'tflags net nolog' if you are using trunk.
> > Invaluement uri and license key will be printed as *redacted*.
> > Giovanni
> >
>
> Hi Giovanni, unfortunately, this did not work either.
>
> I just pulled from your repo to make sure I was on master. I added
> nolog, the pertinent lines look like this:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_ID Sendgrid Id blacklist
> tflags RBL_SENDGRID_ID net nolog
>
> askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> tflags RBL_SENDGRID_DOM net nolog
>
> And this is what I see in the spamassassin report in the header:
> * 1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
> * [16582324.sendgrid-id.MYLICENSE.invaluement.com A:127.0.0.2]

I think what you need, at least in the short term, is:

askdns __RBL_SENDGRID_ID ...

meta RBL_SENDGRID_ID __RBL_SENDGRID_ID
Re: AskDNS with a DNAME
> > askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> > describe RBL_SENDGRID_ID Sendgrid Id blacklist
> > tflags RBL_SENDGRID_ID net nolog
> >
> > askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> > describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> > tflags RBL_SENDGRID_DOM net nolog
> >
> > And this is what I see in the spamassassin report in the header:
> > * 1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
> > * [16582324.sendgrid-id.MYLICENSE.invaluement.com A:127.0.0.2]
>
> I think what you need, at least in the short term, is:
>
> askdns __RBL_SENDGRID_ID ...
>
> meta RBL_SENDGRID_ID __RBL_SENDGRID_ID

Ah hah! Thank you, this works. And it has an added benefit that the
RBL_SENDGRID_ID rule doesn't add a default 1.0 score to the total, so
this is definitely the right way to do it.

_SENDGRIDID_ is set as a variable in the Esp.pm module. Is there some
way to log this when the meta rule triggers?

Michael Grant
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 10:33:15AM -0500, Michael Grant wrote:
> On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> > On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > > Ultimately I want the spamassassin report in the headers but I don't
> > > want the license key in there.
> > >
> > you can set 'tflags net nolog' if you are using trunk.
> > Invaluement uri and license key will be printed as *redacted*.
> > Giovanni
> >
>
> Hi Giovanni, unfortunately, this did not work either.
>
> I just pulled from your repo to make sure I was on master. I added
> nolog, the pertinent lines look like this:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_ID Sendgrid Id blacklist
> tflags RBL_SENDGRID_ID net nolog
>
> askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> tflags RBL_SENDGRID_DOM net nolog
>
With SpamAssassin trunk (sorry I probably was not clear) you will have:

1.0 RBL_SENDGRID_ID ASKDNS: Invaluement Sendgrid Id blacklist
[*REDACTED*]

Giovanni