Mon Jan 14 17:13:03 UTC 2002

This is my first post to the list.  Let me fill you in quickly on what
I've done.  I've hacked dccproc and qmail-qfilter to provide DCC
checksumming in qmail.  The DCC comparison/rejection/acceptance of the
message occurs at the SMTP level that way.

Anyways, my mailserver handles a lot of mail, and I'm seeing a rather large
number of checksums.

 291362 records containing 1755585 checksums
 291159 non-whitelist records containing 1755382 checksums

And that's for a run of 4 days.  /var/dcc/libexec/dbclean -i <myserver>
doesn't seem to eliminate anything.

Using an awk script to match the output of dblist -v, I'm seeing a lot of
checksums that are identical.

$2  > 300 && $1 ~ "Body" {print $1 " " $4 " " $5 " " $6}

is what I'm using to pull out any checksum that matches a count of more
than 300...I was going to feed those to dccsight -t many, as the many tag
is the only thing I wrote in support to reject email on in the above
qmail-qfilter/dccproc hack. The thing I noticed is that after processing
dblist -v with the above awk script, I get roughly 50,000 records
returned, but when uniq'd, it winds up being about 80 unique checksums.

1.  What gives?  Why are there checksums the server is identifying as being
separate, although they probably shouldn't be?  Is that because of the
mutated from/to/subjects?

2.  If I feed the uniq'd list above into dccsight with a -t many, is it
going to set every one of those (including the extra ones) to many?

3.  What arguments should I use with dbclean to erase every entry except
ones with a body tag of many?

4.  I run the crontab example and it doesn't seem to ever erase anything,
and I'm assuming that's because the default time to live for a record is one
week.  Am I correct in assuming that?

Anyways, I've been fighting a Rumpelstiltskin attack for 3 years now, and
my blacklist has grown to around 100,000 entries.  Don't ask... I had
to write a blacklist that did RCPT TO lookups against an LDAP database to
make that even possible. Qmail's badrcptto support hits an I/O bottleneck
when you approach 10+ entries.  I'm going to take several of these blacklisted
addresses and shove them straight into the DCC with dccproc -t many, to
eliminate a lot of the spam I get from these guys.  I'm getting around
80-100K messages per day from 1000+ open relays per day, all with mutated
subjects, froms, tos, environments, msg-ids, small RCPT TO lists, coming
from multiple dial-up ISPs with fake information... So even if I did get
a court order for them to hand over the users' information, it doesn't do
much good.  The FBI isn't any help for beans either, since I can't prove the
damages incurred have come from the same person, and the Federal Attorneys
don't really go after spammers, mostly just high profile hackers.

On that note, I'd like to thank everyone who has ever contributed to the
DCC project.  Thank you all.

Kyle Stone
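An added illustration, not part of Kyle's post or of the DCC distribution: the awk filter from the post run over a handful of constructed lines, followed by the records-versus-unique comparison he describes. The sample lines only mimic the field positions the one-liner assumes ($1 = checksum type, $2 = count, $4-$6 = checksum words); they are not real dblist -v output, and the third field is a placeholder.

```shell
#!/bin/sh
# Constructed sample lines laid out the way the awk script in the post
# expects them: type, count, placeholder, then three checksum words.
# These are NOT real dblist -v records.
SAMPLE='Body 412 x 1a2b3c4d 5e6f7a8b 9c0d1e2f
From 412 x deadbeef cafebabe 01234567
Body 412 x 1a2b3c4d 5e6f7a8b 9c0d1e2f
Body 15 x 0badf00d 0badf00d 0badf00d
Body 999 x aaaaaaaa bbbbbbbb cccccccc
Body 350 x 1a2b3c4d 5e6f7a8b 9c0d1e2f
Message-ID 500 x 11111111 22222222 33333333'

# Same filter as the post: Body checksums seen more than 300 times.
# With real data this would be:  dblist -v | awk '...'
high_count_bodies() {
    printf '%s\n' "$SAMPLE" |
        awk '$2 > 300 && $1 ~ "Body" {print $1 " " $4 " " $5 " " $6}'
}

# How many records matched the filter.
matching_records() {
    high_count_bodies | wc -l | tr -d ' '
}

# How many distinct checksums those records actually represent;
# this is the uniq step from the post (sort -u == sort | uniq).
unique_checksums() {
    high_count_bodies | sort -u | wc -l | tr -d ' '
}

# The list you would hand to dccsight: one line per distinct checksum.
unique_list() {
    high_count_bodies | sort -u
}

echo "matching records: $(matching_records)"
echo "unique checksums: $(unique_checksums)"
unique_list
```

On the constructed sample the filter matches 4 records but only 2 distinct Body checksums survive the sort -u, the same many-records-to-few-checksums collapse the post reports at a much larger scale. Checking that the two numbers differ before feeding the list to dccsight is cheap and avoids reporting the same checksum repeatedly.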

