Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2011/08/21 23:38:04 UTC

[Bug 6652] New: Enable/disable DNS lookups by domain

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6652

             Bug #: 6652
           Summary: Enable/disable DNS lookups by domain
           Product: Spamassassin
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: spamassassin
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: jhardin@impsec.org
    Classification: Unclassified


As an alternative to disabling individual DNS rules, add a configuration option
like:

  nodnsquery  spamhaus.org

which would disable any DNS lookup against any spamhaus.org subdomain.

A corresponding "enable" config would probably be prudent:

  dnsquery    spamhaus.org

...in case dev feel certain DNS lookups should be shipped as part of the base
rules but disabled by default, and require the end-user admin to explicitly
enable them.

Rationale: it's tedious to find all of the individual DNS lookup rules, and
more could be added via sa-update at any time.

Inspired by Marc Perkel.

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6652] Enable/disable DNS lookups by domain

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6652

Mark Martinec <Ma...@ijs.si> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|Undefined                   |3.4.0

--- Comment #2 from Mark Martinec <Ma...@ijs.si> ---
This was made possible by option dns_query_restriction,
probably in version 3.4.0.  Closing.



dns_query_restriction (allow|deny) domain1 domain2 ...
  Option allows disabling of rules which would result in a DNS query
  to one of the listed domains. The first argument must be a literal
  "allow" or "deny", remaining arguments are domain names.

  Most DNS queries (with some exceptions) are subject to
  dns_query_restriction.  A domain to be queried is successively
  stripped-off of its leading labels (thus yielding a series of its
  parent domains), and on each iteration a check is made against an
  associative array generated by dns_query_restriction options.
  Search stops at the first match (i.e. the tightest match), and the
  matching entry with its "allow" or "deny" value then controls
  whether a DNS query is allowed to be launched.

  If no match is found an implicit default is to allow a query. The
  purpose of an explicit "allow" entry is to be able to override a
  previously configured "deny" on the same domain or to override an
  entry (possibly yet to be configured in subsequent config
  directives) on one of its parent domains.  Thus an 'allow
  zen.spamhaus.org' with a 'deny spamhaus.org' would permit DNS
  queries on a specific DNS BL zone but deny queries to other zones
  under the same parent domain.

  Domains are matched case-insensitively, no wildcards are
  recognized, there should be no leading or trailing dot.

  Specifying a block on querying a domain name has a similar effect
  as setting a score of corresponding DNSBL and URIBL rules to zero,
  and can be a handy alternative to hunting for such rules when a
  site policy does not allow certain DNS block lists to be queried.

  Example:
    dns_query_restriction deny  dnswl.org surbl.org
    dns_query_restriction allow zen.spamhaus.org
    dns_query_restriction deny  spamhaus.org mailspike.net spamcop.net

-- 
You are receiving this mail because:
You are the assignee for the bug.
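
The lookup that the documentation quoted in comment #2 describes, as an added example that is not part of the original mail and is not SpamAssassin's own code. The function names are hypothetical, the configuration is the Example from the quoted text, and removing a trailing dot from the queried name is an assumption of this sketch.

```python
# Added illustration: tightest-match lookup for dns_query_restriction.
# Configuration lines below are the Example from the quoted documentation.
SAMPLE_CONF = """\
dns_query_restriction deny  dnswl.org surbl.org
dns_query_restriction allow zen.spamhaus.org
dns_query_restriction deny  spamhaus.org mailspike.net spamcop.net
"""


def parse_restrictions(conf_text):
    """Build the domain -> 'allow'/'deny' table from config lines."""
    table = {}
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0] != "dns_query_restriction":
            continue
        action = fields[1]
        if action not in ("allow", "deny"):
            raise ValueError(f"first argument must be allow or deny: {raw!r}")
        for domain in fields[2:]:
            # Domains match case-insensitively; a later directive on the
            # same domain overrides an earlier one.
            table[domain.lower()] = action
    return table


def query_allowed(table, qname):
    """Return (allowed, matched_domain); matched_domain is None by default."""
    labels = qname.lower().rstrip(".").split(".")  # trailing dot: assumption
    # Strip leading labels one at a time: a.b.c -> b.c -> c.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        action = table.get(candidate)
        if action is not None:
            # First hit is the tightest match and decides the outcome.
            return action == "allow", candidate
    return True, None  # implicit default: allow


if __name__ == "__main__":
    table = parse_restrictions(SAMPLE_CONF)
    # Constructed query names for demonstration.
    for name in ("2.0.0.127.zen.spamhaus.org", "example.com.dbl.spamhaus.org",
                 "2.0.0.127.LIST.DNSWL.ORG", "notspamhaus.org"):
        print(name, query_allowed(table, name))
```

Matching is on whole labels, so `notspamhaus.org` is not caught by the `spamhaus.org` entry, and the `allow zen.spamhaus.org` line wins over the later parent `deny` because it is the tighter match, not because of its position in the file.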

[Bug 6652] Enable/disable DNS lookups by domain

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6652

Frank Urban <fr...@commerzbank.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |frank.urban@commerzbank.com

--- Comment #1 from Frank Urban <fr...@commerzbank.com> 2011-12-14 12:28:19 UTC ---
Good idea.

I have the same problem to disable spamhaus

Today I need to put this all in my local.cf
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score RCVD_IN_ZEN 0
score __RCVD_IN_ZEN 0
score URIBL_SBL 0
score URIBL_SBL_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_REDIR 0
score URIBL_DBL_ERROR 0
to disable spamhaus

In the last rule update it seemed that the rule URIBL_SBL was renamed to
URIBL_SBL_A and a new rule was added.
So I needed again to add new lines for that

score URIBL_SBL_A 0
score URIBL_DBL_REDIR 0

This all would be much easier if there would be a way to disable the whole DNS
lookup to *.spamhaus.org
