On Wed, 2011-10-19 at 01:29 +0200, Karsten Bräckelmann wrote:
> On Tue, 2011-10-18 at 23:52 +0100, Martin Gregorie wrote:
> > On Tue, 2011-10-18 at 19:22 +0200, Karsten Bräckelmann wrote:
> > wonder if it would be useful for SA to log the number of BL lookups it
> > does: as it need only involve of writing a log message every hour or day
> > giving the accumulated count for the period, its performance hit should
> > be tiny and, of course, it should have an enable/disable configuration
> > parameter. Output would be a single log message containing a total for
> > all BL lookups or (deluxe version) a total for each configured BL.
Oh, and of course, caching applies here, too.
The number of queries SA performs does NOT tell you the number of
queries actually hitting the URI DNSBL's infrastructure. SURBL has a TTL
of 3 minutes, URIBL even uses 30 minutes.
Thus, a spam run targeting lots of your users within a short time period
will result in more queries (sent by SA) than actually ending up at the
DNSBL's mirrors.
Similar for negative caching and not-blacklisted domains frequently
observed in your mail stream.
I probably should stop replying to self, though. ;)
> Wouldn't grepping the DNS logs already tell the admin about it?
>
> Keep in mind, the actual number of queries isn't relevant unless you're
> at least in the general ball-park of 100,000 messages a day.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
