dccm timeout lets some spam through

Gary Mills mills@cc.UManitoba.CA
Tue Apr 22 14:48:59 UTC 2003


I'm running dcc-dccd-1.1.35 with one dccm and two dccd servers.  `dccm'
runs under Solaris 8, with 2048 file descriptors.  The host electra,
running dccm and one dccd had been up about four days when this incident
occured.  It began while `dccd' was doing database cleaning.  Here are
the dccd log messages from both hosts:

Apr 22 02:45:05 electra dccd[389]: [ID 287260 mail.notice] database cleaning begun
Apr 22 02:48:41 electra dccd[389]: [ID 271588 mail.notice] 1.1.35 database /usr/local/dcc/dcc_db reopened

Apr 22 02:15:05 naos dccd[12012]: database cleaning begun
Apr 22 02:21:55 naos dccd[12012]: 1.1.35 database /usr/local/dcc/dcc_db reopened

Here's the beginning of the dccm log messages:

Apr 22 02:46:38 electra dccm[401]: [ID 125918 mail.error] DCC: accept() returned invalid socket (Result too large), try again
Apr 22 02:46:39 electra dccm[401]: [ID 125918 mail.error] DCC: accept() returned invalid socket (Result too large), try again
Apr 22 02:46:40 electra dccm[401]: [ID 702911 mail.error] no answer from naos.cc.umanitoba.ca (130.179.16.122,6277) after 0 ms
Apr 22 02:46:40 electra dccm[401]: [ID 702911 mail.error] skip asking DCC 1.000 seconds more after failure

The result was that `dccm' would time out attempting to contact `dccd'.
Here's an example from a DCC log file several hours after the beginning
of the incident:

  skip asking DCC 160.704 seconds more after failure
  ...
  result: accept

Apparently, dccm was unable to recover from the accept() failure.  This
error, by the way, was reported by libmilter from sendmail-8.12.8.  The
spam that got through had no X-DCC header.  This was accompanied by some
legitimate e-mail that did have X-DCC header, which suggests that dccm
was still functioning to some extent.  A restart fixed the problem.

What happened here?

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.