On 06.01.23 16:23, Brian Conry wrote:
> What I'm looking for is a way to tell SA to only run DNS checks on names that it finds in the headers of the message, i.e. to not scan the body of the message for names.

The URIDNSBL plugin does this, and it produces very good results.
By disabling it you are lowering SA's effectiveness.

> The motivation for this is that some of the mail addresses we operate are for security response teams that regularly receive mail that contains reports about things like signs of malware.

> For example a report from a security appliance that it saw a system doing DNS queries for a known bitcoin mining malware domain.

I remember solving a problem like this: a malware scanner was reporting our filter for looking up a log4j hostname.
It happened because the machine was the target of a Nessus scan...

You should relax such "security" checks, because, yes, SA can check for domains mentioned in e-mail passing through it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Chernobyl was an Windows 95 beta test site.
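For readers who still want to act on the question in the quoted message, here is an added SpamAssassin configuration example (not from either poster, and not official project documentation) showing the two knobs that exist for this: the blunt one the original question asks for, and the narrower one that keeps URIBL checks on. It assumes SpamAssassin 3.4 or later, that the security-response alias is scanned with its own configuration (for instance a separate user prefs file or siteconfigpath; how that is wired into the MTA is deployment-specific and not shown), and the mailbox address and indicator domains are constructed placeholders.

```conf
# --- Option 1: blunt, for a configuration applied ONLY to the security-
# response mailbox. Disables the URIDNSBL plugin entirely, so domains found
# in the body (e.g. a malware C2 name quoted in an appliance report) are
# never looked up. This is exactly the effectiveness loss warned about above;
# do not put this in the site-wide local.cf.
skip_uribl_checks 1

# If this mailbox is also fed by trusted appliances, a recipient-based
# negative score is a softer alternative than disabling checks.
# (USER_IN_WHITELIST_TO scores -6 by default; in 4.0 the directive is
# spelled welcomelist_to.)  Address is a constructed placeholder.
whitelist_to security-reports@example.org

# --- Option 2: narrow, safe for site-wide local.cf. Keep URIBL checks on,
# but exclude specific domains that are known to appear as *indicators*
# in reports rather than as spam payloads. Each name below is a constructed
# placeholder; replace with the domains that actually trip your filter.
uridnsbl_skip_domain c2-example.invalid miner-pool.invalid
```

Option 2 is the one to try first: it only suppresses lookups for domains you have already seen cause false positives, so an actual spam URL in the same mailbox is still caught. Check the result with `spamassassin --lint` and then `spamassassin -D uridnsbl < sample.eml` (the debug channel name is the plugin's, shown here as an assumed invocation) to confirm the skipped domains are no longer queried.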
