Posted to users@spamassassin.apache.org by ram <ra...@netcore.co.in> on 2007/09/07 14:02:45 UTC

can I specify timeouts for a specific DNS rule

On my SA 3.2.3 servers, I want to timeout all the *.completewhois.com
DNS lookups after 5s


I have seen the mailqs shoot up just because of these lookups 

Thanks
Ram



Re: can I specify timeouts for a specific DNS rule

Posted by Matt Kettler <mk...@verizon.net>.
Dale Carstensen wrote:
>  Should this rule just be dropped from
> whatever distributes it to me automatically (spamassassin.org,
> and SARE from openprotect)?
Yes.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5632



Re: can I specify timeouts for a specific DNS rule

Posted by Dale Carstensen <dl...@lampinc.com>.
>ram,
>
>> On Fri, 2007-09-07 at 08:36 -0400, Matt Kettler wrote:

 [ snip -- discussion of slow response from
   combined-HIB.dnsiplists.completewhois.com ]
>
>  Mark

It appears from my logs back as far as August 7, 2007, all I get is
SERVFAIL, certainly today there is no routing path to either
64.68.10.10 or 64.68.11.11 from my network.  So is completewhois.com
being DDoSed?  Do they just have pathologically bad connections
with parts of the internet?  Should this rule just be dropped from
whatever distributes it to me automatically (spamassassin.org,
and SARE from openprotect)?  Are there routing problems that can
be fixed?

I average one request per two seconds to there, it appears, and they
all fail, so I'm inclined to think I could do without them.  They
just generate ICMP time-to-live exceeded responses.

  Mr. Dale



Re: can I specify timeouts for a specific DNS rule

Posted by Mark Martinec <Ma...@ijs.si>.
ram,

> On Fri, 2007-09-07 at 08:36 -0400, Matt Kettler wrote:
> > No, because all the DNS tests are run together as a batch.
> > (this way the lookups run in parallel)
> > Besides, if completewhois is the only "slow" RBL, the timeout for it is
> > going to effectively be 4 seconds anyway. (ie: if 90% of the DNS lookups
> > finish in the first second, SA will only wait 3 more for the remaining
> > lookups before dropping them)

True. But if anyone cares to pursue the matter, the current code
in trunk already drags along individual timeouts for each request.
They all default to rbl_timeout, but in principle each one could
have its own individual timeout value, all that is missing is a
configuration front-end to be somehow able to specify these timeouts,
perhaps by a domain name of a zone, or maybe by rule.

> But I am seeing the DNS tests taking more than 10s  on my servers
> from the spamassassin -D logs
> Even though I have in my prefs file
> rbl_timeout 5

The 10 s from the time at which the _first_ dns query was launched,
or 10 s from the time this particular query was launched?
If the first, it is normal, not all queries are launched
at the same time, and some of them (especially the URI tests)
are launched quite late.

See also the:
  http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589
and the patch there:
  http://issues.apache.org/SpamAssassin/attachment.cgi?id=4081
It is applicable to 3.2.3, and individualizes query timeouts,
benefiting from HiRes::Time perl module (recommended to be
installed). Try it and see if you get a more predictable behaviour.

  Mark
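
An added illustration of the timing described in the message above, not part of the original thread and not SpamAssassin's code: a simplified model in which each lookup is abandoned at its own launch time plus its timeout. The `per_zone` table is a hypothetical stand-in for the configuration front-end the message says is missing, and the `.example` zones and all latencies are constructed.

```python
# Simplified model (an assumption, not SpamAssassin's implementation):
# every lookup is abandoned at launch time + its own timeout.
from dataclasses import dataclass
from typing import Optional

CW = "combined-HIB.dnsiplists.completewhois.com"  # zone named in the thread


@dataclass
class Lookup:
    zone: str                 # DNS zone queried
    launched: float           # seconds after the first query for the message
    latency: Optional[float]  # seconds until an answer; None = never answers


def harvest(lookups, rbl_timeout, per_zone=None):
    """Return (finish, timed_out). finish is measured from the first launch
    and is when the last lookup is either answered or abandoned."""
    per_zone = per_zone or {}  # hypothetical per-zone timeout overrides
    finish, timed_out = 0.0, []
    for q in lookups:
        limit = per_zone.get(q.zone, rbl_timeout)
        if q.latency is not None and q.latency <= limit:
            done = q.launched + q.latency
        else:
            done = q.launched + limit  # gave up waiting on this lookup
            timed_out.append(q.zone)
        finish = max(finish, done)
    return finish, timed_out


# Constructed sample: two header DNSBL lookups launched immediately and one
# URI lookup launched late, once the message body has been processed.
SAMPLE = [
    Lookup("fast.dnsbl.example", 0.0, 0.3),
    Lookup(CW, 0.0, None),
    Lookup("slow.uribl.example", 6.0, None),
]

if __name__ == "__main__":
    # rbl_timeout 5, yet 11 s pass between the first launch and the end
    print(harvest(SAMPLE, rbl_timeout=5))
    # without the late URI lookup, a 2 s override for one zone ends at 2 s
    print(harvest(SAMPLE[:2], rbl_timeout=5, per_zone={CW: 2}))
```

In this model the elapsed time counted from the first query exceeds `rbl_timeout` whenever an unanswered lookup is launched late, even though no single lookup waits longer than its own limit.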

Re: can I specify timeouts for a specific DNS rule

Posted by Matt Kettler <mk...@verizon.net>.
ram wrote:
>
>
> But I am seeing the DNS tests taking more than 10s  on my servers from
> the spamassassin -D logs 
>
> Even though I have in my prefs file 
> rbl_timeout 5
>   
rbl_timeout is an administrator setting. You can't set it in user_prefs.
It's got to be a local.cf thing.

(This protects the server against individual users doing stupid things
like setting it to 2 hours and log jamming the spamd process every time
they get mail and a bunch of DNS lookups fail.)


Re: can I specify timeouts for a specific DNS rule

Posted by ram <ra...@netcore.co.in>.
On Fri, 2007-09-07 at 08:36 -0400, Matt Kettler wrote:
> ram wrote:
> > On my SA 3.2.3 servers , I want to timeout all the *.completewhois.com
> > DNS lookups after 5s 
> >
> >
> > I have seen the mailqs shoot up just because of these lookups 
> >   
> 
> No, because all the DNS tests are run together as a batch. (this way the
> lookups run in parallel)
> 
> Besides, if completewhois is the only "slow" RBL, the timeout for it is
> going to effectively be 4 seconds anyway. (ie: if 90% of the DNS lookups
> finish in the first second, SA will only wait 3 more for the remaining
> lookups before dropping them)
> 
> 

But I am seeing the DNS tests taking more than 10s  on my servers from
the spamassassin -D logs 

Even though I have in my prefs file 
rbl_timeout 5



Thanks
Ram



Re: can I specify timeouts for a specific DNS rule

Posted by Matt Kettler <mk...@verizon.net>.
ram wrote:
> On my SA 3.2.3 servers , I want to timeout all the *.completewhois.com
> DNS lookups after 5s 
>
>
> I have seen the mailqs shoot up just because of these lookups 
>   

No, because all the DNS tests are run together as a batch. (this way the
lookups run in parallel)

Besides, if completewhois is the only "slow" RBL, the timeout for it is
going to effectively be 4 seconds anyway. (ie: if 90% of the DNS lookups
finish in the first second, SA will only wait 3 more for the remaining
lookups before dropping them)