You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Thomas Kaehn <tk...@westend.com> on 2004/10/18 16:50:16 UTC

"DoS" against amavisd-new and SA 3.0

Hi,

I am using amavisd-new along with SpamAssassin 3.0. Recently I've
noticed, that a mail couldn't be delivered, because SA timed out as it
had to do many DNS lookups.

The mail had lots of URLs in its body. It is not really SpamAssassin's
or amavisd-new's fault. But is there a solution to this problem? For
example a separate timeout for SURBL or a limit in number of DNS
lookups? 

Thanks in advance!

Ciao,
Thomas
-- 
Thomas Kähn                   WESTEND GmbH  |  Internet-Business-Provider
Technik                       CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10      Tel 0241/701333-11
tk@westend.com                D-52064 Aachen              Fax 0241/911879

Re: "DoS" against amavisd-new and SA 3.0

Posted by Thomas Kaehn <tk...@westend.com>.

Hello Matt,

On Mon, Oct 18, 2004 at 11:23:06AM -0400, Matt Kettler wrote:
> man Mail::SpamAssassin::Plugin::URIDNSBL
> 
>     uridnsbl_timeout N (default: 2)
>         Specify the maximum number of seconds to wait for a result before
>         giving up on the lookup. Note that this is in addition to the normal
>         DNS timeout applied for DNSBL lookups on IPs found in the Received
>         headers.
> 
> http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.txt
> 
> So, you can safely reduce that to 0, which will make the URIDNSBL behave 
> just like normal DNSBLs and be subject to the same dynamic timeout 
> algorithm with no extra time.

thanks for your reply. This was the information, I was looking for.

Ciao,
Thomas
-- 
Thomas Kähn                   WESTEND GmbH  |  Internet-Business-Provider
Technik                       CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10      Tel 0241/701333-11
tk@westend.com                D-52064 Aachen              Fax 0241/911879

Re: "DoS" against amavisd-new and SA 3.0

Posted by Matt Kettler <mk...@evi-inc.com>.

At 10:50 AM 10/18/2004, Thomas Kaehn wrote:
>Hi,
>
>I am using amavisd-new along with SpamAssassin 3.0. Recently I've
>noticed, that a mail couldn't be delivered, because SA timed out as it
>had to do many DNS lookups.
>
>The mail had lots of URLs in its body. It is not really SpamAssassin's
>or amavisd-new's fault. But is there a solution to this problem? For
>example a separate timeout for SURBL or a limit in number of DNS
>lookups?
>
>Thanks in advance!

man Mail::SpamAssassin::Plugin::URIDNSBL

     uridnsbl_timeout N (default: 2)
         Specify the maximum number of seconds to wait for a result before
         giving up on the lookup. Note that this is in addition to the normal
         DNS timeout applied for DNSBL lookups on IPs found in the Received
         headers.

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.txt

So, you can safely reduce that to 0, which will make the URIDNSBL behave 
just like normal DNSBLs and be subject to the same dynamic timeout 
algorithm with no extra time.

That said, you really shouldn't be having timeout problems due to this, 
unless the URIDNSBL plugin isn't working as-designed. The default should be 
17 seconds max.