On Thu, 14 Sep 2006, Dhaval Patel wrote:
> > SpamAssassin comes with a whole bunch of rules by default.
> > The best thing is to look at those rules and see what they're
> > doing.  There's probably real documentation somewhere, but
> > there is so much example code that you may not need it.
>
> I did not see much in the local.cf after a fresh installation. I went to
> http://www.yrex.com/spam/spamconfig.php to generate my config file.

SpamAssassin installs a whole bunch of rules files that it
references.  It may depend on the system, but on my machine,
they're in /usr/share/spamassassin.

> So to see if an IP or hostname is in the RBL, it would make a request to
> the RBL servers on port 53, just like DNS queries?

It's not just like regular DNS queries.  It *is* a regular DNS
query.  It doesn't go against any extra, third-party servers.
I believe SpamAssassin uses its own resolver code, but it
looks at /etc/resolv.conf just like anything else and uses
the nameserver (nameservers?) it finds in there.

> Thanks for clearing that up. But one more question about this. If it uses
> my DNS servers, how does it query the RBL servers and give them the
> hostname or IP?

It encodes them as paths within the DNS namespace.  This is
sort of a hack, but it works.

For example, suppose you decide to set up your own DNSBL,
and you decide you hate Google and Apple and you want to put
them on your blacklist.  Maybe you own the domain dhaval.org
and you decide to call your DNSBL the "dpbl" (for Dhaval Patel
Black-List).  To create this blacklist, you would simply create
two DNS entries[1]:

        google.com.dpbl.dhaval.org. IN A 127.0.0.1
        apple.com.dpbl.dhaval.org.  IN A 127.0.0.1

Now, let's say I want to check whether google.com is on
your blacklist.  I take the string "google.com" and I append
".dpbl.dhaval.org" onto it.  Then I do a regular DNS lookup to
see if "google.com.dpbl.dhaval.org" exists.  If I get a record
back, you've blacklisted them.  If I get back a reply that says
it's a non-existent domain, you haven't.  (The fact that the
address 127.0.0.1 is returned isn't really relevant, usually;
that's just there because a DNS "A" record has to include some
sort of address.)  To do an IP-address-based blacklist instead
of a (textual) domain-based one, you can use a similar mechanism.
If I want to know if 10.20.30.40 is on your blacklist, I just
look up 10.20.30.40.dpbl.dhaval.org.

From your Linux machine's point of view and from the point
of view of the caching nameserver at your ISP, there isn't
any difference at all between this and a regular DNS lookup.
The DNS server that does the lookup has to chase IN NS records
from the root servers all the way down the hierarchy to know
which servers to consult, but it always has to do that, even
if you are looking up www.cs.berkeley.edu or something.

  - Logan

[1]  Well, actually more than two.  You'd need the supporting
     entries like SOA and NS entries for each level of the
     DNS namespace.  But we only care about two of them.
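As an added example (not part of Logan's message or of SpamAssassin itself), here is the encoding described above in Python. The zone name dpbl.dhaval.org and the two listed domains come from the message; the fake resolver is constructed so the code runs offline, and in production you would pass the real resolver instead. It also covers the convention, used by real IP-based DNSBLs (RFC 5782), of writing the IPv4 octets in reverse order, which the message's simplified 10.20.30.40 example does not do.

```python
import ipaddress
import socket


def dnsbl_query_name(item, zone, reverse_octets=True):
    """Build the DNS name that encodes `item` inside the DNSBL `zone`.

    Hostnames are simply suffixed with the zone, as in the message.
    IPv4 addresses are suffixed too; with reverse_octets=True the octets
    are reversed first (the convention real DNSBLs use), with False they
    are kept in order (the message's simplified scheme).
    """
    zone = zone.strip(".")
    try:
        addr = ipaddress.ip_address(item)
    except ValueError:
        return f"{item.strip('.')}.{zone}."  # plain hostname
    if addr.version != 4:
        raise ValueError("only IPv4 handled here (assumption of this example)")
    octets = item.split(".")
    if reverse_octets:
        octets.reverse()
    return ".".join(octets) + "." + zone + "."


def dnsbl_lookup(item, zone, resolve=socket.gethostbyname, reverse_octets=True):
    """Return the A record if `item` is listed, or None on NXDOMAIN.

    The returned address (commonly 127.0.0.x) only matters if the list
    assigns meanings to it; listing is signalled by a record existing.
    """
    name = dnsbl_query_name(item, zone, reverse_octets)
    try:
        return resolve(name)
    except socket.gaierror:
        return None  # non-existent domain: not blacklisted


# Constructed stand-in for DNS, mirroring the two entries in the message.
FAKE_ZONE = {
    "google.com.dpbl.dhaval.org.": "127.0.0.1",
    "apple.com.dpbl.dhaval.org.": "127.0.0.1",
    "40.30.20.10.dpbl.dhaval.org.": "127.0.0.1",  # 10.20.30.40, reversed
}


def fake_resolve(name):
    """Behave like socket.gethostbyname against FAKE_ZONE."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(f"{name}: NXDOMAIN")
    return FAKE_ZONE[name]
```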
