Hi,
First things first:
* SpamAssassin version: 3.4.2
* Debian 10
* SA is created and invoked as a Perl object by a MIMEDefang filter
What I'm looking for is a way to tell SA to only run DNS checks on names
that it finds in the headers of the message, i.e. to not scan the body
of the message for names.
The motivation for this is that some of the mail addresses we operate
are for security response teams that regularly receive mail that
contains reports about things like signs of malware.
For example, a report from a security appliance that it saw a system
doing DNS queries for a known bitcoin mining malware domain.
The problem is that SA is picking that name from the body of the mail
message and running the full set of DNS checks on it. This includes the
various DNSBL lookups, which are fine, as well as things like DKIM that
require records from within the domain.
The result of this is that every time one of our mail servers handles a
message with one of these reports it makes DNS queries that will trigger
monitoring on our network for devices that might be infected with
bitcoin mining malware. Fortunately the servers in question don't also
handle the warnings that we receive about this possible malware so we
don't have a feedback loop.
I've looked through the debug-level logging of the rule processing and
am fairly confident in my assessment of the problem - I can see
information about which rules are being invoked and triggering DNS
queries and all of that seems fine, but what I didn't notice was
anything covering how SA created the list of domains to check from the
mail message.
I don't think that there's any configuration or options to do what I'm
asking, but I wanted to ask some experts before making any changes to
our configs.
Thank you,
Brian Conry