Posted to users@spamassassin.apache.org by Fletcher Mattox <in...@cs.utexas.edu> on 2008/01/05 00:25:04 UTC

DOB timeouts?

Yesterday spamassassin started getting DNS timeouts from the DOB (Day
Old Bread) server at a.support-intelligence.net:

dbg: dns: timeout for URIBL_RHS_DOB, URI-DNSBL, DNSBL:dob.sibl.support-intelligence.net:akoucq.com after 3 seconds
dbg: dns: timeout for dob, DNSBL-A, dns:A:80.109.50.74.dob.sibl.support-intelligence.net. after 3 seconds
dbg: dns: timeout for dob, DNS_FROM_DOB, DNSBL-A, dns:A:akoucq.com.dob.sibl.support-intelligence.net. after 3 seconds
dbg: async: aborting remaining lookups

At about the same time, my name server started logging copious TCP reset
errors:

named: dispatch 309a6f0: shutting down due to TCP receive error: connection reset

It turns out the DOB name server at a.support-intelligence.net is 
sending us a premature TCP reset on every DNS query we make.

I wonder why we are using TCP?  Is that normal?

More importantly, are DOB lookups failing for anyone else?
Perhaps we have exceeded some threshold query rate and have
been blacklisted by the service?

Thanks
Fletcher

Re: DOB timeouts?

Posted by ram <ra...@netcore.co.in>.
On Fri, 2008-01-04 at 17:25 -0600, Fletcher Mattox wrote:
> Yesterday spamassassin started getting DNS timeouts from the DOB (Day
> Old Bread) server at a.support-intelligence.net:
> 
> dbg: dns: timeout for URIBL_RHS_DOB, URI-DNSBL, DNSBL:dob.sibl.support-intelligence.net:akoucq.com after 3 seconds
> dbg: dns: timeout for dob, DNSBL-A, dns:A:80.109.50.74.dob.sibl.support-intelligence.net. after 3 seconds
> dbg: dns: timeout for dob, DNS_FROM_DOB, DNSBL-A, dns:A:akoucq.com.dob.sibl.support-intelligence.net. after 3 seconds
> dbg: async: aborting remaining lookups
> 
> At about the same time, my name server started logging copious TCP reset
> errors:
> 
> named: dispatch 309a6f0: shutting down due to TCP receive error: connection reset
> 

Do they allow rsync of their data? I would prefer having a local RBLDNS
server for the kind of volumes we do.


Thanks
Ram



> It turns out the DOB name server at a.support-intelligence.net is 
> sending us a premature TCP reset on every DNS query we make.
> 
> I wonder why we are using TCP?  Is that normal?
> 
> More importantly, are DOB lookups failing for anyone else?
> Perhaps we have exceeded some threshold query rate and have
> been blacklisted by the service?
> 
> Thanks
> Fletcher


Re: DOB timeouts?

Posted by Michael Scheidell <sc...@secnap.net>.
> From: Fletcher Mattox <in...@cs.utexas.edu>
> Date: Fri, 4 Jan 2008 17:25:04 -0600
> To: <us...@spamassassin.apache.org>
> Subject: DOB timeouts?
> 
> Yesterday spamassassin started getting DNS timeouts from the DOB (Day
> Old Bread) server at a.support-intelligence.net:
> 
> dbg: dns: timeout for URIBL_RHS_DOB, URI-DNSBL,
> DNSBL:dob.sibl.support-intelligence.net:akoucq.com after 3 seconds
> dbg: dns: timeout for dob, DNSBL-A,
> dns:A:80.109.50.74.dob.sibl.support-intelligence.net. after 3 seconds
> dbg: dns: timeout for dob, DNS_FROM_DOB, DNSBL-A,
> dns:A:akoucq.com.dob.sibl.support-intelligence.net. after 3 seconds
> dbg: async: aborting remaining lookups
> 
> At about the same time, my name server started logging copious TCP reset
> errors:
> 
> named: dispatch 309a6f0: shutting down due to TCP receive error: connection
> reset
> 
> It turns out the DOB name server at a.support-intelligence.net is
> sending us a premature TCP reset on every DNS query we make.
> 
> I wonder why we are using TCP?  Is that normal?

No.

> 
> More importantly, are DOB lookups failing for anyone else?
> Perhaps we have exceeded some threshold query rate and have
> been blacklisted by the service?
> 

Looks like it is happening here to us also.  We originally thought it was a
DOS directed toward us (that is what our IPS said).

Looks like it's YABB (Yet Another Bogus Blacklist) that will go the way of
others that have not been able to keep up with traffic.

I am disabling the DOB tests till I hear different.
I suggest an SA bugzilla entry as well since I suspect many people have the same
problem.

-- 
Michael Scheidell, CTO
>|SECNAP Network Security

> Thanks
> Fletcher
> 

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
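
As an added example (not part of the original thread and not SpamAssassin's own code): the `dbg: dns: timeout` lines quoted above can be grouped per DNSBL zone to see which list is failing and which rules depend on it, then turned into `score <RULE> 0` lines for `local.cf`, the usual way to disable a SpamAssassin rule. The zone list, the rule-name heuristic and the `dnsbl.example.org` line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the three timeout lines from the post, plus one made-up
# line for a placeholder zone (dnsbl.example.org).
SAMPLE_LOG = """\
dbg: dns: timeout for URIBL_RHS_DOB, URI-DNSBL, DNSBL:dob.sibl.support-intelligence.net:akoucq.com after 3 seconds
dbg: dns: timeout for dob, DNSBL-A, dns:A:80.109.50.74.dob.sibl.support-intelligence.net. after 3 seconds
dbg: dns: timeout for dob, DNS_FROM_DOB, DNSBL-A, dns:A:akoucq.com.dob.sibl.support-intelligence.net. after 3 seconds
dbg: dns: timeout for example, DNSBL-A, dns:A:4.3.2.1.dnsbl.example.org. after 3 seconds
dbg: async: aborting remaining lookups
"""
# Assumption: the zones we query, needed to split "dns:A:<subject>.<zone>." names.
ZONES = ["dob.sibl.support-intelligence.net", "dnsbl.example.org"]

TIMEOUT = re.compile(r"dbg: dns: timeout for (.+) after \d+ seconds")
RULE = re.compile(r"[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+")  # heuristic: FOO_BAR is a rule name
IPV4 = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")

def parse_timeouts(log, zones=ZONES):
    """Map each zone to the subjects that timed out and the rules involved."""
    hits = defaultdict(lambda: {"subjects": set(), "rules": set()})
    for line in log.splitlines():
        m = TIMEOUT.search(line)
        if not m:
            continue
        *labels, spec = m.group(1).split(", ")
        if spec.startswith("DNSBL:"):          # DNSBL:<zone>:<subject>
            _, zone, subject = spec.split(":", 2)
        else:                                  # dns:A:<subject>.<zone>.
            qname = spec.split(":", 2)[2].rstrip(".")
            zone = next((z for z in zones if qname.endswith("." + z)), None)
            if zone is None:
                continue                       # not a zone we know about
            subject = qname[: -len(zone) - 1]
            ip = IPV4.fullmatch(subject)
            if ip:                             # DNSBL IP queries reverse the octets
                subject = ".".join(reversed(ip.groups()))
        hits[zone]["subjects"].add(subject)
        hits[zone]["rules"].update(l for l in labels if RULE.fullmatch(l))
    return hits

def disable_lines(hits, zone):
    """local.cf lines that zero the score of every rule seen for this zone."""
    rules = hits.get(zone, {}).get("rules", ())
    return [f"score {rule} 0" for rule in sorted(rules)]

if __name__ == "__main__":
    hits = parse_timeouts(SAMPLE_LOG)
    for zone, info in hits.items():
        print(zone, sorted(info["subjects"]), disable_lines(hits, zone))
```
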

Re: DOB timeouts?

Posted by Rob McEwen <ro...@invaluement.com>.
Ken Anderson wrote:
> I've found it quite useful simply because nobody else has made this 
> data available

Arguably, part of the reason that DOB was needed is because URIBL & 
SURBL weren't catching everything and/or were not listing new spammers' 
domains fast enough and, certainly, DOB picks up some of that slack. 
However, there is now a third major URI blacklist in the same league as 
URIBL & SURBL that is more FP-safe than DOB... and, in fact, at least as 
FP-safe as SURBL, and this newer URI blacklist catches many of the spam 
domains missed by SURBL & URIBL.

This newer URI dnsbl is called "ivmURI", short for "invaluement URI 
blacklist"

ivmURI isn't meant to replace SURBL & URIBL. But it complements them 
well. All three lists, ivmURI, SURBL, & URIBL will all catch spammer 
domains not found on the other two URI blacklists, which is why I use 
all three in my own spam filtering. Frankly, there is not even a close 
fourth URI blacklist in terms of effectiveness and in terms of low FPs.

I believe that those who originally found a need to use DOB will find 
that ivmURI does a better job of picking up the domains missed by both 
SURBL & URIBL, while being more FP-safe and more reliable than DOB.

FOR EXAMPLE, SEE:

http://invaluement.com/results.txt

Unlike all of these other dnsbls I've mentioned, ivmURI does require a 
subscription for access. Contact me off-list for more details and for a 
free trial.

Rob McEwen
rob@invaluement.com


Re: DOB timeouts?

Posted by Ken Anderson <ka...@pacific.net>.
Michael Scheidell wrote:
> One more thing: email to them, ar.com  alices-registry, ANYTHING bounces.
> 
> Any DNS blacklist provider who is not transparent and accessible needs to
> stop being used.
> (example: blocked.secnap.net  The rules for use are VERY explicit) and we
> are VERY easy to get ahold of
> 
> 

DOB's home is here: http://support-intelligence.com/dob/
It clearly says it's a BETA service. It's not blocking queries from us, 
currently, but it has in the past been a bit unreliable, due to its own 
growing pains. It's a free service, so there's no requirement of 
transparency or accessibility. Use it or don't. I've found it quite 
useful simply because nobody else has made this data available, so it's 
a good thing for use in SA META rules.

Ken
Pacific.Net


Re: DOB timeouts?

Posted by Michael Scheidell <sc...@secnap.net>.
One more thing: email to them, ar.com  alices-registry, ANYTHING bounces.

Any DNS blacklist provider who is not transparent and accessible needs to
stop being used.
(example: blocked.secnap.net  The rules for use are VERY explicit) and we
are VERY easy to get ahold of


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
