Relay thru sys in whitelist

Rose, Bobby brose@med.wayne.edu
Sat Jun 29 03:14:47 UTC 2002


I understand dcc's function... Here's an example...

Spammer sends message from ipA(domainA) to user@domainB.  DomainA notes
that user@domainA has a mailForwardAddress set to user@domainC.  domainC
has dcc running and whitelists domainB. Message comes thru.  DomainC
also has the opensource SpamAssassin product running which runs various
spam checks on the message.  One of those tests is to see if its
body,fuz1,fuz2 dcc scores are over a certain threshold.  Since the spam
message is listed on dcc as many,many,many Spamassassin reports it has
been tagged by DCC.

If Spammer sends message from ipA(domainA) to user@domainC, dcc rejects
it.

Does this help? DomainB isn't the source of the message that was sent
out to the internet in bulk, domainA is, so it would seem that dcc would
want to look for domainA.  DomainB has to be whitelisted because it does
send internal bulk messages.



-----Original Message-----
From: Vernon Schryver [mailto:vjs@calcite.rhyolite.com]
Sent: Friday, June 28, 2002 10:30 PM
To: dcc@calcite.rhyolite.com
Subject: RE: Relay thru sys in whitelist


> From: "Rose, Bobby" <brose@med.wayne.edu>

> Well I think I answered my own question.  It does let it thru. I checked
> /var/dcc/logs and found spam messages were forwarded from that system
> that have a many tag but were allowed thru because the host was in the
> whitelist.
>
> Why doesn't dcc use the original host?  Sendmail's access map is able
> to reject mail that originated from a system that is blocked even if it's
> relayed thru another.

> > Should DCCM let a message registered as many thru if the message was
> > forwarded from a system in your whitelist?  I've seen messages get
> > thru that Spamassassin shows as being listed in DCC and after
> > looking at the headers, I see that it was forwarded on from a
> > system in my whitelist.

I don't understand the references to SpamAssassin, "forwarded on", "use
the original host," "a system that is blocked," and so on.

The DCC is a system for detecting bulk mail and rejecting or discarding
bulk mail that is unsolicited according to local white lists.  Mail that
has been seen elsewhere and so has a total recipient count above your
local rejection threshold (DCCM_REJECT_AT in dcc_conf for dccm or -c
values for dccproc) is what you consider bulk.  Whether it is solicited
depends on whether at least one (or two for "OK2") of its dozen
checksums is in your white list.

If it is solicited bulk mail, whether a CERT Advisory, a note about your
high school class reunion, or a department-wide note from your boss,
then you wouldn't want to reject or discard it.

That the DCC system by default (`dccd -K` and no relevant IP, From,
env_From, or other white list entries) does not care about the source of
a bulk message is a desirable feature.  For example, it means that bulk
mail sent from new SMTP relays or proxies is also detected and can be
rejected.

Spam filtering and MX forwarders is an awkward combination and not just
for the DCC but for any filtering system including sendmail access
databases.  If you white-list your MX forwarders by name or IP address,
then you'll not reject any spam they send.  In that case, you probably
need to install your filters on your MX forwarders.  If you don't white
list your MX forwarders, you probably need to white-list any legitimate
bulk mail they send, again for any filtering scheme.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
DCC mailing list
DCC@rhyolite.com
http://www.rhyolite.com/mailman/listinfo/dcc
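Vernon's description of the decision (recipient count at or above the local threshold means bulk; one white-list hit, or two for OK2, means solicited) and his point about MX forwarders can be made concrete with a small model. The following is an added example written for this archive page, not code from DCC, dccm or any project; it models only three of the dozen checksums, and every address, count and threshold in it is constructed for illustration. It reproduces Bobby's situation (domainC white-lists domainB's MX by IP) and then shows the two alternatives Vernon names: filtering on the forwarder, or white-listing only the legitimate bulk senders instead of the relay.

```python
# Added example, not code from DCC or dccm: a minimal model of the
# bulk-mail decision described in the thread, used to show why white-
# listing an MX forwarder by IP lets a "many"-tagged message through,
# and what the two alternatives (filter on the forwarder, or white-list
# only the legitimate bulk senders) do instead.  All names, addresses,
# counts and thresholds below are constructed for illustration.
import hashlib
from dataclasses import dataclass

MANY = 1_000_000      # constructed stand-in for a DCC "many" count
REJECT_AT = 10        # constructed stand-in for DCCM_REJECT_AT


@dataclass(frozen=True)
class Message:
    client_ip: str    # SMTP client that handed the message to this MTA
    env_from: str     # envelope sender (MAIL FROM)
    hdr_from: str     # From: header
    body: str


def checksums(msg):
    """Three of the dozen DCC checksums are modelled: body, env_From, From."""
    def h(s):
        return hashlib.sha256(s.encode()).hexdigest()
    return {"body": h(msg.body),
            "env_From": h(msg.env_from.lower()),
            "From": h(msg.hdr_from.lower())}


@dataclass(frozen=True)
class WhiteList:
    ips: frozenset = frozenset()
    env_froms: frozenset = frozenset()
    froms: frozenset = frozenset()

    def hits(self, msg):
        """Number of white-list entries the message matches."""
        return sum([msg.client_ip in self.ips,
                    msg.env_from.lower() in self.env_froms,
                    msg.hdr_from.lower() in self.froms])


def decide(msg, counts, wl, reject_at=REJECT_AT, ok2=False):
    """counts maps a checksum to the total recipient count the (simulated)
    DCC server reports for it.  One white-list hit (two for OK2) makes the
    mail solicited; otherwise any count at or above reject_at is bulk."""
    if wl.hits(msg) >= (2 if ok2 else 1):
        return "accept: white-listed"
    bulk = max(counts.get(c, 0) for c in checksums(msg).values())
    if bulk >= reject_at:
        return "reject: bulk, count %d" % bulk
    return "accept: not bulk"


def scenario():
    """The thread's situation: spam from ipA (domainA) is forwarded by
    domainB's MX to domainC, which runs DCC and white-lists domainB's MX."""
    spam_body = "BUY NOW!!! limited offer"          # constructed sample
    direct = Message("192.0.2.10", "spam@domaina.example",
                     "spam@domaina.example", spam_body)
    # Same message after domainB's MX forwards it: only the client IP changes.
    relayed = Message("198.51.100.25", direct.env_from, direct.hdr_from, spam_body)
    # Legitimate department-wide note from domainB, also seen by many recipients.
    internal = Message("198.51.100.25", "boss@domainb.example",
                       "boss@domainb.example", "All hands meeting Friday")
    counts = {checksums(direct)["body"]: MANY,
              checksums(internal)["body"]: 500}

    wl_by_ip = WhiteList(ips=frozenset({"198.51.100.25"}))
    wl_by_sender = WhiteList(env_froms=frozenset({"boss@domainb.example"}))
    wl_none = WhiteList()

    return {
        # domainC, forwarder white-listed by IP (Bobby's configuration)
        "direct_to_domainC": decide(direct, counts, wl_by_ip),
        "relayed_via_domainB": decide(relayed, counts, wl_by_ip),
        "internal_bulk_ip_whitelist": decide(internal, counts, wl_by_ip),
        # fix 1: run the filter on the forwarder, where the client IP is still ipA
        "filtered_on_domainB": decide(direct, counts, wl_none),
        # fix 2: drop the IP entry, white-list only the legitimate bulk sender
        "relayed_sender_whitelist": decide(relayed, counts, wl_by_sender),
        "internal_bulk_sender_whitelist": decide(internal, counts, wl_by_sender),
        # OK2: a single matching entry is not enough
        "internal_bulk_ok2_one_hit": decide(internal, counts, wl_by_sender, ok2=True),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print("%-32s %s" % (name, verdict))
```

Running it shows the relayed copy of the spam accepted as white-listed while the same body sent directly is rejected, exactly what Bobby saw in /var/dcc/logs; with the white-list entry moved from the relay's IP to the legitimate bulk sender's env_From, the relayed spam is rejected and the internal note still gets through. Real dccm checks more checksums and consults a DCC server for the counts, but the ordering of the two tests, white list first and threshold second, is what makes a relay-by-IP entry blanket the relay's traffic.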



