[SURBL-Discuss] Re: ANNOUNCE: Mail::SpamAsssassin::SpamCopURI 0.11

Eric Kolve ekolve at comcast.net
Wed Apr 21 20:39:19 CEST 2004 

> whether I was seeing that with 0.10 though. I've seen cases where one 
> message is causing 20 or more lookings for the "same" dns record.
> 
> I think I've worked out what is happening. Basically each different 
> variation of a subdomain URL found in a message is causing a seperate 
> lookup, even though the base domains that are actually being looked up are 
> the same. For example I made a test message that looked like this:
> 
> http://serbserb.testdomain.co.nz/blah
> http://sebserbr.testdomain.co.nz/blah
> http://bsertbse.testdomain.co.nz/blah
> http://srtnsrtn.testdomain.co.nz/blah
> http://nrtnsrtn.testdomain.co.nz/blah
> http://saerbsee.testdomain.co.nz/blah
> http://rtndrtsn.testdomain.co.nz/blah
> http://nrtndrtn.testdomain.co.nz/blah
> http://sdfgserg.testdomain.co.nz/blah
> http://bcvcvbcx.testdomain.co.nz/blah
> http://ergsergh.testdomain.co.nz/blah
> http://qwertybe.testdomain.co.nz/blah
> http://lphtrhtr.testdomain.co.nz/blah
> http://bxdfbgnf.testdomain.co.nz/blah
> http://ergerger.testdomain.co.nz/blah
> http://cbxcvbxc.testdomain.co.nz/blah
> http://tyjftyjt.testdomain.co.nz/blah
> http://awefawfe.testdomain.co.nz/blah
> http://awefawef.testdomain.co.nz/blah
> http://awefawef.testdomain.co.nz/blah
> 
> Where there is a randomized subdomain in front of the actual domain. Many 
> spams with lots of image links (ones selling printer cartridges, etc etc) 
> effectively do this. (Each URL refers to a randomized subdomain)
> 
> Each URL above generated a dns lookup for testdomain.co.nz.sc.surbl.org and 
> co.nz.sc.surbl.org, so a total of 40 dns lookups just for the sc list. I'm 
> also using ws and be lists too, so thats a total of 120 dns lookups 
> generated by an email with 20 randomized URLs :(
> 
> Luckily local dns caching largely offsets the problem but it would be good 
> to avoid in the first place. Somehow as each URL is stripped down, a list 
> of stripped names needs to be created with duplicates removed before doing 
> the DNS queries.... extra coding I guess...

I can add something that will cache on a per test basis the results
from the queries so the above scenario should be knocked down
to just 3 queries instead of 120.  I have been a little hesitant to
cache misses since I could see where a miss could become a hit later on,
but since I would only be caching per test this shouldn't be an issue.

--eric

> 
> Regards,
> Simon

More information about the Discuss mailing list