Abusive use of dnswl.org infrastructure – new method to enforce limits

Our previous method of enforcing limits caused some concern, both in public and private conversations. The main argument is that causing false negatives is not acceptable in principle, not even for cases of obvious abusive use.

We listened to these thoughts, and have now changed our approach. The criteria for blocking such abusive nameservers are still the same: repeated use way above the 100k / 24 hours limit and no response to reasonable attempts at contacting them. Also, most of the things in our previous news item referenced above are still valid.

However, the technical handling has changed to reduce the number of queries that a legitimate client will actually perform. The new handling has the following technical effects:

  • Affected nameservers see a different “view” of the dnswl.org data.
  • This view will not return any useful data other than the regular entries for “www.dnswl.org” etc.
  • Some additional changes make it as easy as possible to identify that your nameserver is blocked.

To see whether you are affected, run “dig -t txt amiblocked.dnswl.org” on the mailserver (or on another machine that uses the same nameserver setup).

There is an additional change under discussion with the SpamAssassin team to define a dedicated return value to indicate “blocked for excessive usage” (see this discussion on Bugzilla). With this specific return value, the application (SA in this case) will know not to attempt any more queries until the TTL has expired.
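A sketch of the client-side behaviour described above, added here as an illustration and not taken from dnswl.org or SpamAssassin: once a lookup returns the "blocked" value, the client sends nothing further until that answer's TTL has passed. The return value was still under discussion, so `BLOCKED_VALUE` is a hypothetical placeholder, and the `lookup` callable, the class name and the sample names are assumptions.

```python
import time

# Hypothetical placeholder: the real "blocked for excessive usage" return
# value was still under discussion, so no actual value is assumed here.
BLOCKED_VALUE = "blocked-placeholder"
SKIPPED = "skipped"


class BlockAwareClient:
    """Wraps a lookup function and stops querying while a block is in force."""

    def __init__(self, lookup, clock=time.monotonic):
        # lookup(name) -> (value or None, ttl_seconds), supplied by the caller.
        self._lookup = lookup
        self._clock = clock
        self._blocked_until = 0.0
        self.queries_sent = 0

    def query(self, name):
        """Return the list value, None if unlisted, or SKIPPED while blocked."""
        if self._clock() < self._blocked_until:
            return SKIPPED  # still inside the block TTL: send nothing
        self.queries_sent += 1
        value, ttl = self._lookup(name)
        if value == BLOCKED_VALUE:
            # Remember when the block answer expires. The answer carries no
            # list data, so it must never be scored as a whitelist hit.
            self._blocked_until = self._clock() + ttl
            return SKIPPED
        return value


def demo():
    """Constructed scenario: a blocked resolver, 1000 lookups, then TTL expiry."""
    now = [0.0]  # fake clock so the example runs instantly and offline

    def fake_lookup(name):
        return (BLOCKED_VALUE, 300)  # constructed answer with a 300 s TTL

    client = BlockAwareClient(fake_lookup, clock=lambda: now[0])
    results = {client.query("sample-%d.invalid" % i) for i in range(1000)}
    sent_during_block = client.queries_sent
    now[0] = 301.0  # TTL has expired: exactly one new probe goes out
    client.query("sample-after-ttl.invalid")
    return sent_during_block, client.queries_sent, results
```

In the constructed run, 1000 lookups against a blocked resolver cost one query, and one more is sent only after the TTL has expired.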

We will continue to watch the situation on our public nameserver infrastructure and will work to ensure that it remains accessible and usable for free for most users.