More spam after disabling local BIND ? - SpamAssassin

  1. More spam after disabling local BIND ?

    Configuration (maybe more than you care to see, sorry)
    --------------
    1) platform: kubuntu 8.04
    2) SA version: 3.2.4
    3) options:
    add_header spam BB score=_SCORE_
    report_safe 0
    lock_method flock
    4) using qmail -> procmail -> spamc -> spamd

    ps ea | grep spam shows ...
    /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir
    --username spamd -s /usr/local/bb/spamassassin/spamd.log -d
    --pidfile=/usr/local/bb/spamassassin/spamd.pid

    this snippet is from /etc/procmailrc
    :0fw: spamassassin.lock
    * < 256000
    | spamc -F /usr/local/bb/spamassassin/bb.spamc.conf

    cat bb.spamc.conf shows
    -u spamd
    -s 1000000
    --headers


    SA has been working great! Very few spam messages get through. Then, we
    made ONE change
    to the machine. We turned off BIND, and just resolve to the ISP name
    servers. After that, lots
    and lots of spam gets through ? Not everything, just a lot more than
    when BIND was running locally

    So, instead of having BIND running locally, and forwarding to the name
    servers provided by our ISP,
    we turned off running BIND, and placed the ISP name servers addresses in
    /etc/resolv.conf. Just
    for clarity, here is what we did to /etc/resolv.conf

    # nameserver 192.168.1.17 comment out our localhost, since bind is no longer running
    domain angels.bookus-boulet.com
    nameserver 66.189.0.29
    nameserver 66.189.0.30

    So, really that is all we did. After that, lots of spam gets through.

    Just to check, we turned our nameserver back on (and adjusted
    /etc/resolv.conf accordingly), and once
    again SA works great !

    So, please tell me what I am doing wrong here

    Thanks in advance ... jules


  2. Re: More spam after disabling local BIND ?

    Ok - that explains it - thank you very much. Really, many thanks !

    But, is there a way to still not run BIND locally, and continue to
    benefit from the RBL filters?

    Perhaps there is a timeout associated with the RBL filters that can be
    increased? I understand that if
    such a timeout option existed and was increased, performance would
    suffer. I'm just fishing here ...

    Turning off BIND was needed for other reasons. It's not mandatory that
    we not run BIND, just one less service
    that we would have to maintain. (we meaning ME!)

    Many thanks for your help, Kevin

    Kevin Parris wrote:
    > You're wasting time and network resources by sending all the RBL query traffic upstream to your ISP. The ISP servers may, or may not, be caching the results. Your spam detection rate may be suffering from delayed (or absent) responses to the queries, thus missing score values that would mark more of your traffic as spam. Keep the local caching DNS running - you've already figured out by observation that it is a valuable tool.
    >
    >
    >>>> Jules Yasuna 09/18/08 1:23 PM >>>
    >>>>

    >
    > Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf accordingly), and once again SA works great !
    >
    > So, please tell me what I am doing wrong here
    >
    > Thanks in advance ... jules
    >
    >



  3. Re: More spam after disabling local BIND ?

    Jules Yasuna wrote:
    > Configuration (maybe more than you care to see, sorry)
    > --------------
    > 1) platform: kubuntu 8.04
    > 2) SA version: 3.2.4
    > 3) options:
    > add_header spam BB score=_SCORE_
    > report_safe 0
    > lock_method flock
    > 4) using qmail -> procmail -> spamc -> spamd
    >
    > ps ea | grep spam shows ...
    > /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir
    > --username spamd -s /usr/local/bb/spamassassin/spamd.log -d
    > --pidfile=/usr/local/bb/spamassassin/spamd.pid
    >
    > this snippet is from /etc/procmailrc
    > :0fw: spamassassin.lock
    > * < 256000
    > | spamc -F /usr/local/bb/spamassassin/bb.spamc.conf
    >
    > cat bb.spamc.conf shows
    > -u spamd
    > -s 1000000
    > --headers
    >
    >
    > SA has been working great! Very few spam messages get through. Then,
    > we made ONE change
    > to the machine. We turned off BIND, and just resolve to the ISP name
    > servers. After that, lots
    > and lots of spam gets through ? Not everything, just a lot more than
    > when BIND was running locally
    >
    > So, instead of having BIND running locally, and forwarding to the name
    > servers provided by our ISP,
    > we turned off running BIND, and placed the ISP name servers addresses
    > in /etc/resolv.conf. Just
    > for clarity, here is what we did to /etc/resolv.conf
    >
    > # nameserver 192.168.1.17 comment out our localhost, since bind is no longer running
    > domain angels.bookus-boulet.com
    > nameserver 66.189.0.29
    > nameserver 66.189.0.30
    >
    > So, really that is all we did. After that, lots of spam gets through.
    >
    > Just to check, we turned our nameserver back on (and adjusted
    > /etc/resolv.conf accordingly), and once
    > again SA works great !
    >
    > So, please tell me what I am doing wrong here
    >
    > Thanks in advance ... jules

    I'm wondering if your DNS servers are running slow or timing out. Have
    you tried running SA in debug mode and looking for DNS related delays or
    issues?

    --Blaine


  4. Re: More spam after disabling local BIND ?

    On Thu, 18 Sep 2008, Jules Yasuna wrote:

    [snip..]
    > SA has been working great! Very few spam messages get through. Then, we
    > made ONE change
    > to the machine. We turned off BIND, and just resolve to the ISP name
    > servers. After that, lots
    > and lots of spam gets through ? Not everything, just a lot more than
    > when BIND was running locally
    >

    [snip..]
    > So, really that is all we did. After that, lots of spam gets through.
    >
    > Just to check, we turned our nameserver back on (and adjusted
    > /etc/resolv.conf accordingly), and once
    > again SA works great !
    >
    > So, please tell me what I am doing wrong here
    >
    > Thanks in advance ... jules


    To paraphrase an old joke:
    Patient: "Doctor Doctor, it hurts when I poke a stick into my eye.
    What should I do to stop the pain?"
    Doctor: "Don't poke a stick into your eye".

    It's considered generally good advice for spamassassin sites to run a
    local DNS server to reduce network traffic and timeouts. Is there a
    compelling reason not to follow this advice?

    Probably your ISP's DNS servers are busy and prone to delays, causing
    timeouts and loss of DNS based rules (RBLS, etc).

    Either run a local DNS server, find a better off-site server that doesn't
    suffer from delays (ask for permission to use them tho), or increase your
    network test timeout settings and expect delays in processing mail.

    --
    Dave Funk University of Iowa
    College of Engineering
    319/335-5751 FAX: 319/384-0549 1256 Seamans Center
    Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
    #include
    Better is not better, 'standard' is better. B{
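
One way to check the resolvers for the delayed or missing answers discussed in the two replies above. This is an added example, not code from any poster or from SpamAssassin: it sends one DNSBL-style query for the conventional 127.0.0.2 test entry to each nameserver in a resolv.conf and reports the time taken and the response code. The script name, the zone argument and the 15-second budget (taken here to match SpamAssassin's default `rbl_timeout`) are assumptions.

```python
import socket, struct, sys, time

# Constructed sample: the resolv.conf shown in the first post.
SAMPLE = """# nameserver 192.168.1.17 (commented out)
domain angels.bookus-boulet.com
nameserver 66.189.0.29
nameserver 66.189.0.30
"""
BUDGET = 15.0  # assumption: seconds, matching SpamAssassin's default rbl_timeout
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def resolv_nameservers(text):
    """Active nameserver addresses in resolv.conf text; comments are ignored."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [f[1] for f in rows if len(f) >= 2 and f[0] == "nameserver"]

def dnsbl_name(ipv4, zone):
    """DNSBL query name: reversed octets + zone (127.0.0.2 -> 2.0.0.127.zone)."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone.strip(".")

def build_query(name, qid):
    """One-question DNS query with recursion desired, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def rcode_of(reply, qid):
    """Response code name, or None if the reply is short or for another query."""
    if len(reply) < 12 or struct.unpack("!H", reply[:2])[0] != qid:
        return None
    return RCODES.get(reply[3] & 0x0F, "RCODE%d" % (reply[3] & 0x0F))

def probe(server, name, budget=BUDGET, qid=0x5341):
    """Send one UDP query; return (seconds, rcode) or (None, 'no reply')."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(budget)
        start = time.monotonic()
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            reply = sock.recvfrom(512)[0]
        except OSError:
            return None, "no reply"
        elapsed = time.monotonic() - start
    return elapsed, rcode_of(reply, qid) or "bad reply"

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: probe.py /etc/resolv.conf <dnsbl-zone>  (the zone is supplied by you)
    query = dnsbl_name("127.0.0.2", sys.argv[2])  # 127.0.0.2: usual DNSBL test entry
    for ns in resolv_nameservers(open(sys.argv[1]).read()):
        print(ns, query, *probe(ns, query))
```

A resolver that reports "no reply", SERVFAIL or REFUSED, or that answers only after several seconds, is one whose DNSBL results may never reach the scoring rules.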


  5. Re: More spam after disabling local BIND ?

    Jules Yasuna wrote:
    > Ok - that explains it - thank you very much. Really, many thanks !
    >
    > But, is there a way to still not run BIND locally, and continue to
    > benefit from the RBL filters?


    Take a look at djbdns. We run dnscache on all servers that require the
    ability to do a DNS lookup and have for several years. It also uses a
    minuscule amount of resources; if you cannot run dnscache you have
    bigger problems to deal with.

    http://cr.yp.to/djbdns.html

    dnscache setup,

    http://cr.yp.to/djbdns/run-cache.html

    It makes a noticeable difference in RBL performance on your end, and
    provides a great reduction in traffic for the RBL provider.

    DAve

    >
    > Perhaps there is a timeout associated with the RBL filters that can
    > be increased? I understand that if such a timeout option existed and
    > was increased, performance would suffer. I'm just fishing here ...
    >
    > Turning off BIND was needed for other reasons. It's not mandatory
    > that we not run BIND, just one less service that we would have to
    > maintain. (we meaning ME!)
    >
    > Many thanks for your help, Kevin
    >
    > Kevin Parris wrote:
    >> You're wasting time and network resources by sending all the RBL
    >> query traffic upstream to your ISP. The ISP servers may, or may
    >> not, be caching the results. Your spam detection rate may be
    >> suffering from delayed (or absent) responses to the queries, thus
    >> missing score values that would mark more of your traffic as spam.
    >> Keep the local caching DNS running - you've already figured out by
    >> observation that it is a valuable tool.
    >>
    >>
    >>>>> Jules Yasuna 09/18/08 1:23 PM >>>
    >>>>>

    >>
    >> Just to check, we turned our nameserver back on (and adjusted
    >> /etc/resolv.conf accordingly), and once again SA works great !
    >>
    >> So, please tell me what I am doing wrong here
    >>
    >> Thanks in advance ... jules
    >>




    --
    Don't tell me I'm driving the cart!


  6. Re: More spam after disabling local BIND ?

    Jules Yasuna wrote:
    > Ok - that explains it - thank you very much. Really, many thanks !
    >
    > But, is there a way to still not run BIND locally, and continue to
    > benefit from the RBL filters?
    >
    > Perhaps there is a timeout associated with the RBL filters that can be
    > increased? I understand that if
    > such a timeout option existed and was increased, performance would
    > suffer. I'm just fishing here ...
    >
    > Turning off BIND was needed for other reasons. It's not mandatory that
    > we not run BIND, just one less service
    > that we would have to maintain. (we meaning ME!)
    >


    running BIND in "cache only" mode doesn't really require a lot of
    maintenance. you can firewall it as much as your security policy requires.

    and if you don't want bind, try one of the available alternatives. but a
    local DNS is recommended on a mail server or spam filter that uses DNS.


  7. Re: More spam after disabling local BIND ?

    mouss wrote:

    > and if you don't want bind, try one of the available alternatives. but a
    > local DNS is recommended on a mail server or spam filter that uses DNS.


    Regarding alternatives, we use djbdns here; highly recommended.

    --
    Sahil Tandon

