On 3/23/2011 9:56 AM, dar...@chaosreigns.com wrote:
> In the recent sa-updates, the Spam Eating Monkey rules were
> inappropriately enabled. If you hit them too much, they start returning
> 100% false positives. Their listed limits are "more than 100,000 queries
> per day or more than 5 queries per second for more than a few minutes".

As soon as the bug was reported on the dev list I disabled the 127.0.0.255 response code to avoid any additional issues. I will be turning this functionality back on as soon as the SA rules are updated, which I assume will be soon.

The response code of 127.0.0.255 only happens when someone has performed at least 100 million queries per day for 48 hours straight. During the first 48 hours the queries are simply ignored. Attempts were also made to contact several of the large (300M+) query sources, but so far only one has responded with anything more than an autoresponder. Turns out that even large companies don't watch their systems closely enough to notice long delays and query failures against a blacklist.

If this had been a planned action, then policies would have been changed to reflect the nature of most SA users in regard to default blacklists. Unfortunately, the substantial traffic was just dropped on SEM and the automatic policies did what they are designed to do: they protected the system. The result was another very stressed SEM admin calling me at 3AM.

Personally, I don't think it is unreasonable to start returning this response code for someone who is performing well over 100M queries/day against a free list with a limit of 100K/day. This policy would most likely change if SEM rules were ever part of the default SA rules.

--Blaine
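
The failure mode discussed in this thread, as an added example that is not part of the original message and is not SEM or SpamAssassin code: a client-side guard that keeps a querying host under the quoted 100,000/day limit and refuses to treat 127.0.0.255 as a listing. The class name, the timeout threshold and the sample answer 127.0.0.2 used in testing are assumptions made for illustration.

```python
import ipaddress

# From the post: 127.0.0.255 is sent to over-limit clients, not a listing.
BLOCKED = ipaddress.ip_address("127.0.0.255")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
DAILY_LIMIT = 100_000  # free-use limit quoted in the thread

class DnsblGuard:
    """Hypothetical client-side guard: budgets queries and refuses to
    score answers once the list signals that this client is blocked."""

    def __init__(self, daily_limit=DAILY_LIMIT, max_timeouts=20):
        self.daily_limit = daily_limit
        self.max_timeouts = max_timeouts  # assumed threshold, tune locally
        self.day, self.count, self.timeouts = None, 0, 0
        self.disabled_reason = None  # set once; cleared only by an operator

    def allow_query(self, day):
        """Return True if one more lookup may be sent on this calendar day."""
        if day != self.day:
            self.day, self.count = day, 0
        if self.disabled_reason or self.count >= self.daily_limit:
            return False
        self.count += 1
        return True

    def interpret(self, answers):
        """answers: list of A records, [] for NXDOMAIN, None for a timeout."""
        if answers is None:
            # Per the post, over-limit queries are silently ignored at first.
            self.timeouts += 1
            if self.timeouts >= self.max_timeouts:
                self.disabled_reason = "consecutive timeouts"
            return "error"
        self.timeouts = 0
        addrs = [ipaddress.ip_address(a) for a in answers]
        if BLOCKED in addrs:
            self.disabled_reason = "127.0.0.255 over-limit response"
            return "blocked"  # must never be scored as a spam hit
        if not addrs:
            return "not_listed"
        return "listed" if all(a in LOOPBACK for a in addrs) else "invalid"
```

Only a `"listed"` result should contribute to a message's score; `"blocked"`, `"error"` and `"invalid"` are operational signals for the mail administrator.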