On 06.01.23 16:23, Brian Conry wrote:
> What I'm looking for is a way to tell SA to only run DNS checks on
> names that it finds in the headers of the message, i.e. to not scan
> the body of the message for names.
The URIDNSBL does this, and it produces very good results.
By disabling this you are lowering SA's effectiveness.
> The motivation for this is that some of the mail addresses we operate
> are for security response teams that regularly receive mail that
> contains reports about things like signs of malware.
> For example a report from a security appliance that it saw a system
> doing DNS queries for a known bitcoin mining malware domain.
I remember solving a problem like this: a malware scanner was reporting our
filter for looking up the log4j hostname.
It happened because the machine was the target of a Nessus scan...
You should relax such "security" checks, because, yes, SA can check for
a domain mentioned in e-mail passing through it.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was an Windows 95 beta test site.
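An added example, not from either poster in the thread, of the middle ground between the two positions above: keep URIDNSBL enabled site-wide and only dampen body-URI blocklist hits for the security-response mailbox. The rule names are the stock ones from the default rule set, the domains are placeholders, and it is an assumption that your SpamAssassin version accepts all of these directives in a per-user `user_prefs` (they are all accepted in `local.cf`); check `spamassassin --lint` after adding them.

```conf
# Added example (not from the thread). Per-user prefs for a security-response
# mailbox, e.g. ~/.spamassassin/user_prefs for that mailbox's user, read when
# spamd/spamc runs with per-user configuration. Keep the URIDNSBL plugin
# loaded globally; only change its weight for this mailbox.

# Lower, do not zero, the body-URI blocklist rules so a forwarded report that
# quotes a malware domain cannot push the message over the threshold on its
# own. The header-based checks (RCVD_IN_* on the Received chain) are untouched.
# Rule names assumed to exist in your rule set; see 50_scores.cf.
score URIBL_BLACK      0.5
score URIBL_DBL_SPAM   0.5

# Domains that appear in the appliance's reports all the time and should not
# be looked up by URIDNSBL at all (placeholders; list the ones you actually see).
uridnsbl_skip_domain example.com example.net

# If the appliance's reports always come through one relay, trust that sender.
# whitelist_from_rcvd also checks the rDNS of the relaying host, so a forged
# From: alone does not match. Names are placeholders.
whitelist_from_rcvd alerts@appliance.example.com appliance.example.com
```

Note that skipping a domain only stops SA from querying the blocklists for it; it does nothing about the appliance alerting on the DNS lookups SA legitimately makes for everything else, which is the point made in the reply above.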