On 2024-09-23 at 13:08:17 UTC-0400 (Mon, 23 Sep 2024 17:08:17 +0000)
Grega via users <gr...@nabiralnik.eu>
is rumored to have said:
Maybe disable VALIDITY rule as well... They also have 10k limit in 30
days window ..

My understanding is that Validity returns a specific value
(127.255.255.255) for blocked queries. That makes it safe to have the
rules enabled because you then hit the BLOCKED rule for the specific
Validity list, which has a trivial non-zero score. That is a *visible
and harmless* marker on almost every message which should be noticed by
the user, who can correct the underlying configuration error.

DNSWL.org *intentionally causes harm* for people who don't configure it
correctly, in a way that is *almost invisible.* The lower rate limit
which they established in March of this year isn't inherently bad, it
just meant that enough people were hitting the limit that someone
bothered to open a bug about it.

As I noted in my lengthy comment in that bug report, we (the SA
community, particularly committers) are not an organized workforce with
duties and assignments, and we make changes to established
statically-scored rules on an as-noticed and as-needed basis. This is
partly because we are considerate of the fact that we have users who
build on top of the mostly-stable default rules. It is also because we
are all volunteers, with lives and jobs that generally take priority
over making SA better.

Regards, G
________________________________
From: Bill Cole <billc...@apache.org>
Sent: Monday, September 23, 2024 19:03
To: SpamAssassin-Users
Subject: ATTENTION: DNSWL to be disabled by default.

Context:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8193
https://www.dnswl.org/?p=120

TL;DR: Rather than using an in-band signal of a special reply value to
queries from blocked users, as do other DNS-Based List operators,
DNSWL.org sends back a "listed high" response to all queries. I was
unaware of this until bug 8193 was opened and linked to the DNSWL
statement of that policy. As I write in a comment on that bug, no one
should ever be using DNSBLs of any sort blindly and the onus is on the
configuring user of SA to select them prudently as they all have
limits.

I believe this is a problem that needs fixing, but it's a change that
may surprise some users. Consider yourself warned...

Right now, there's a comment in 50_scores.cf (the file for
manually-set scores) that I had not previously seen:

# DNSWL is a commercial service that requires payment for servers over 100K queries daily.
# Unfortunately, they will return true answers for DNS servers they consider abusive so
# SA Admins must enable these rules manually.

And yet, the scores following that comment *enable* the rules. Note
that as of 2024-03-01 (as documented at the DNSWL link above) they
have reduced the free limit to 10,000 queries per 30 days. A site
feeding 350 messages/day to SpamAssassin will exceed that limit. That
is small even for "personal" systems.

Pending a discussion on the issue reaching some other consensus, I am
immediately changing all those scores to zero in 50_scores.cf so that
the rules WILL BE DISABLED by default as documented in the comment. I
am also correcting the rate cited in that comment. This change should
take effect in the rules distribution in the next couple of days.

Whether or not you want to use DNSWL is very much a local choice. At
10k queries/month, MOST sites will need to either register (and likely
pay DNSWL) or leave the rules disabled.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
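
The thread notes that a blocked DNSWL user gets "listed high" on every query with no in-band marker. The sketch below is an added example, not part of the thread and not SpamAssassin code: a site-side check that flags the condition from scan results instead. The 0.9 threshold, the 20-message minimum, and the unfolded single-line X-Spam-Status input are assumptions, and the sample headers are constructed.

```python
import re

# Stock SpamAssassin rule name for a DNSWL "high" listing.
DNSWL_HI = "RCVD_IN_DNSWL_HI"
TESTS_RE = re.compile(r"\btests=(\S*)")


def rules_hit(status_header):
    """Return the set of rule names in one unfolded X-Spam-Status header."""
    m = TESTS_RE.search(status_header)
    if not m or m.group(1) in ("", "none"):
        return set()
    return set(m.group(1).split(","))


def hi_ratio(headers, rule=DNSWL_HI):
    """Fraction of scanned messages on which `rule` fired."""
    hits = [rule in rules_hit(h) for h in headers]
    return sum(hits) / len(hits) if hits else 0.0


def looks_blocked(headers, threshold=0.9, min_messages=20):
    """Heuristic (assumed thresholds): a near-universal 'listed high' hit
    rate across enough messages suggests the resolver is over quota and
    every reply is the blanket answer, not a real listing."""
    return len(headers) >= min_messages and hi_ratio(headers) >= threshold


def sample(n, n_hi):
    """Build n constructed headers; the first n_hi carry the DNSWL_HI hit."""
    out = []
    for i in range(n):
        tests = ["SPF_PASS", "HTML_MESSAGE"]
        if i < n_hi:
            tests.append(DNSWL_HI)
        out.append("X-Spam-Status: No, score=0.0 required=5.0 tests=%s "
                   "autolearn=no" % ",".join(tests))
    return out


NORMAL = sample(30, 2)    # constructed: a few genuinely listed senders
BLOCKED = sample(30, 30)  # constructed: every message "listed high"

if __name__ == "__main__":
    for name, hdrs in (("normal", NORMAL), ("blocked", BLOCKED)):
        print(name, round(hi_ratio(hdrs), 3), looks_blocked(hdrs))
```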