Mailing List Archive

URIBL_BLOCKED (was: Re: Problem with local.cf rules)
On Wed, 17 Mar 2021, Peter West wrote:

> The most pertinent stuff I found was this Confluence page:
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver
>
> So it looks as though I have to install a primary nameserver and a secondary rbldnsd.
>
> I’m trying to translate this –
> Rsync the feed files into /var/lib/rbldnsd
>
> which seems to be this set
> dul.dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net
> http.dnsbl.sorbs.net:dnset:http.dnsbl.sorbs.net
> smtp.dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net
> new.spam.dnsbl.sorbs.net:ip4set:new.spam.dnsbl.sorbs.net
> dnsbl-1.uceprotect.net:ip4set:dnsbl-1.uceprotect.net

Agh, no, that's *way* too much to just fix URIBL_BLOCKED...

The critical bit from that Confluence page is this:

A local DNS caching server should not forward to other DNS servers to
ensure your queries are not combined with others.

Normally what you do when setting up a computer is you configure it to
forward DNS requests to your ISP for them to handle. Along with the
requests from all the ISP's other customers. Which then exceeds the free
query limits imposed by the various DNSBL providers.

What you need to do is set up a local DNS server that does the name
resolution itself, rather than passing that work off to your ISP.

So:

(1) install a local nameserver,

(2) configure it to do recursive name resolution (vs. "forwarding")
(assuming it doesn't come that way out-of-the-box),

(3) point SpamAssassin (and potentially also your MTA) at that nameserver
rather than at your ISP.

That's it at the most basic level.

*Refinements* include:

- configuring the nameserver so that the DNSBL traffic is resolved locally
and other traffic is forwarded to your ISP to take advantage of their
cache - "split resolution"

- configuring a local authoritative DNS server (like rbldnsd) for
high-volume DNSBL feeds (if your traffic level by itself exceeds their
free-query limits) and for custom blocklists you maintain yourself

So initially, don't get distracted by the rbldnsd stuff. Just pick a DNS
server and install it locally, and run the tests in the Testing section of
that Confluence page. If that works, point SpamAssassin at it as described
in the Using section of that Confluence page.


>> On 15 Mar 2021, at 1:29 am, John Hardin <jhardin@impsec.org> wrote:
>>
>> On Sun, 14 Mar 2021, jwmincy@gmail.com wrote:
>>
>>> Peter West writes:
>>>
>>> And You might want to fix the URIBL_BLOCKED issue. Fixing the
>>> URIBL_BLOCKED issue will do far more to fix your issues than adding
>>> rules.
>>
>> Seconded. The keywords here are "local, caching, *NON-FORWARDING* DNS server for SpamAssassin".
>>
>> If that isn't enough to set you on the right path, search the mailing list archives for "URIBL-BLOCKED" or "URIBL DNS" for previous discussions of this topic. If that history isn't enough, feel free to ask for assistance.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Think Microsoft cares about your needs at all?
"A company wanted to hold off on upgrading Microsoft Office for a
year in order to do other projects. So Microsoft gave a 'free' copy
of the new Office to the CEO -- a copy that of course generated
errors for anyone else in the firm reading his documents. The CEO
got tired of getting the 'please re-send in XX format' so he
ordered other projects put on hold and the Office upgrade to be top
priority." -- Cringely, 4/8/2004
-----------------------------------------------------------------------
290 days since the first private commercial manned orbital mission (SpaceX)
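
[Editor's note: added worked example, not code from the post above or from the SpamAssassin wiki. It shows steps (1)-(3) of John's procedure as a shell script: a minimal recursive, non-forwarding Unbound configuration next to the forwarding shape that keeps URIBL_BLOCKED firing, a check that catches a catch-all forward-zone in an existing config, the local.cf lines that point SpamAssassin at the local resolver, and a classifier for the answer a URIBL lookup returns. Assumptions: Unbound is the resolver and listens on 127.0.0.1; SpamAssassin 3.4 or later (for the dns_server option); dig is installed for the optional live check; 192.0.2.53 is a constructed placeholder for an ISP resolver. The test name for the live check is not hard-coded, take it from the Testing section of the Confluence page.]

```bash
#!/usr/bin/env bash
# Added example for the URIBL_BLOCKED thread; not code from the original post.
# Assumes Unbound on 127.0.0.1:53, SpamAssassin >= 3.4 (dns_server option),
# and dig for the optional live check.

# Step (2), done right: every lookup is resolved from the root servers by this
# host, so only this host's DNSBL queries count against the free-query limits.
print_recursive_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # deliberately no forward-zone: Unbound walks down from the root hints
    qname-minimisation: yes
    prefetch: yes
    hide-identity: yes
    hide-version: yes
EOF
}

# The shape that keeps URIBL_BLOCKED firing: a catch-all forward-zone for "."
# sends every query, DNSBL lookups included, through the ISP's shared cache.
print_forwarding_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
forward-zone:
    name: "."
    forward-addr: 192.0.2.53    # constructed placeholder for an ISP resolver
EOF
}

# Exit 0 if the Unbound config file forwards the root zone ("."), else 1.
# Comments are stripped first so a commented-out forward-zone is not a hit.
forwards_root_zone() {
    sed 's/#.*$//' "$1" | awk '
        /^[[:space:]]*forward-zone:/          { in_fz = 1; next }
        /^[^[:space:]]/                       { in_fz = 0 }
        in_fz && /name:[[:space:]]*"?\."?/    { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Step (3): make SpamAssassin query the local resolver regardless of what
# /etc/resolv.conf says (dns_server exists since SpamAssassin 3.4.0).
print_spamassassin_dns_conf() {
    cat <<'EOF'
dns_server 127.0.0.1
dns_available yes
EOF
}

# Classify the A record a multi.uribl.com lookup returns:
#   127.0.0.1        URIBL refused the query: the resolver asking is over the
#                    free limit, i.e. still a shared or forwarding resolver
#   other 127.0.0.x  the name is listed (a normal hit)
#   empty/NXDOMAIN   not listed (a normal miss)
classify_uribl_answer() {
    case "$1" in
        "" | NXDOMAIN) echo "not-listed" ;;
        127.0.0.1)     echo "BLOCKED" ;;
        127.0.0.*)     echo "listed" ;;
        *)             echo "unexpected:$1" ;;
    esac
}

# Optional live check against the local resolver. Needs dig and network.
# Usage: live_uribl_check <test-name-from-the-wiki-Testing-section>
live_uribl_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
    ans=$(dig +short @127.0.0.1 "$1.multi.uribl.com" A | head -n 1)
    classify_uribl_answer "${ans:-NXDOMAIN}"
}

# Demo on constructed configs (no network needed).
good=$(mktemp); bad=$(mktemp)
print_recursive_unbound_conf  > "$good"
print_forwarding_unbound_conf > "$bad"
for f in "$good" "$bad"; do
    if forwards_root_zone "$f"; then
        echo "$f: forwards '.' to another resolver, DNSBL queries are shared"
    else
        echo "$f: recursive, no root forwarding"
    fi
done
rm -f "$good" "$bad"
echo "local.cf lines:"; print_spamassassin_dns_conf
echo "answer 127.0.0.1 means: $(classify_uribl_answer 127.0.0.1)"
```

The forwarding check only looks for a forward-zone covering "."; a forward-zone for a specific domain is the "split resolution" refinement John mentions and is fine, as long as the DNSBL zones are not among the forwarded ones. For the live check, run it after the local resolver is up and before editing local.cf: a BLOCKED answer from 127.0.0.1 means the resolver you just installed is itself still forwarding somewhere.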