Stuck in the greylist

John R Levine johnl@iecc.com
Tue Dec 23 17:04:43 UTC 2003


It looks like some messages are stuck in the greylist forever.  Here's an extract from my smtp
daemon logs.

2003-12-23 02:27:27.201935500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 02:57:28.710461500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 03:27:32.771109500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 03:57:33.079633500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 04:27:35.579880500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 04:57:33.693270500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 05:27:33.236909500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 05:57:37.963437500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 06:27:36.883633500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 06:57:36.946617500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 07:27:44.044278500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 07:57:50.268356500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 08:27:51.804989500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 08:57:57.070170500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 09:27:55.277776500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 09:57:45.448856500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 10:27:57.092236500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 10:57:55.474513500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G

I looked in the log directory, and this is a message that DCC has
tagged as many.  (I don't think it's spam, it's an xmas greeting to
Kodak's mailing list, which due to our proximity to Rochester lots of
people around here are on.)

Here's the info from a typical logfile:

------------------------------------------------------------
VERSION: 3
DATE: 12/23/03 05:57:37 EST
IP: email2.kodak.com ::ffff:165.170.64.111
env_From: quick_takes@email2.kodak.com  mail_host=email2.kodak.com
env_To: info@CASALARGA.COM  addr=pop  dir=userdirs/pop

[ message here, big ugly html thing ]

### end of message body ########################

X-DCC-IECC-Metrics: xuxa.iecc.com 1107; Body=1 Fuz1=2 Fuz2=many
                                                      checksum  server
                       IP: 42f18443 5f94aa4c f40b5af2 232cd4be
                 env_From: 0ec23de8 df220c9a 95d6b729 a9beb126
                     From: fa4dfaab 85532567 0db03ee7 c7b24f35
               Message-ID: 9b9e9eb1 7e801a63 e0bd79e7 b96bbcfb
                 Received: 050b0d1a 86d80b97 e6cb8990 4470180f
                     Body: 6882d8e2 c6319dd4 13b7b5a4 06057435       0
                     Fuz1: 01d7484c 91a00307 f8206fb4 c30958bd       1
                     Fuz2: 1f0e983c 42e11206 9cba5533 8304a293    many

       greylist recipient
       info@CASALARGA.COM: 28be7a38 0649c5fa b41277c4 3ca33a85
                           32a3201c 8feb2094 21f9944e dff19ec1 Embargo #1

result: temporary greylist embargo
------------------------------------------------------------

I wondered why the body and fuz1 counts were so low, so I diffed two
copies of the message and found that Kodak appears to be regenerating the
message on each try, which is a little peculiar but not particularly evil:

------------------------------------------------------------
2c2
< DATE: 12/23/03 10:57:55 EST
---
> DATE: 12/23/03 10:27:57 EST
8c8
<   by w3.iecc.com with SMTP; 23 Dec 2003 15:57:55 -0000
---
>   by w3.iecc.com with SMTP; 23 Dec 2003 15:27:56 -0000
10,11c10,11
< Message-Id: <20031223110100.1C2E.41232-19608@email2.kodak.com>
< Date: Tue, 23 Dec 2003 11:01:00 -0500 (Eastern Standard Time)
---
> Message-Id: <20031223103100.1C45.41232-19608@email2.kodak.com>
> Date: Tue, 23 Dec 2003 10:31:00 -0500 (Eastern Standard Time)
183c183
<  <20031223110100.1C2E.41232-19608@email2.kodak.com></font>
---
>  <20031223103100.1C45.41232-19608@email2.kodak.com></font>
192c192
< X-DCC-IECC-Metrics: xuxa.iecc.com 1107; Body=1 Fuz1=4 Fuz2=many
---
> X-DCC-IECC-Metrics: xuxa.iecc.com 1107; Body=1 Fuz1=7 Fuz2=many
197,200c197,200
<                Message-ID: a7e1a12a 1d6611ed 8ef2d5f2 e285709c
<                  Received: 0cb6e3f5 6a5c33ef cc7b7a55 898b76c0
<                      Body: 2850de7f 10a246f4 9351f8d0 863e1173       0
<                      Fuz1: 2b61dd9a b3773f87 15bc3c1a e2854d65       3
---
>                Message-ID: 8f198b50 ad898ecc 000aadb1 78afed13
>                  Received: e09a0f71 e70ec062 440ed914 9bd2495b
>                      Body: 77b79392 704f16fe ab5cb14b 42e7f6af       0
>                      Fuz1: 8828f6dd f1406def ace3b899 7e027c94       6
204c204
<        info@CASALARGA.COM: f6f36055 19fcdb8e 3810aef8 d173c61e
---
>        info@CASALARGA.COM: 8af2cce7 ac723c7d 8b022135 3c5dcf70
------------------------------------------------------------

But my question is, why isn't this getting through?  The envelope is the
same each time, which is what the doc says the greylist keys on.  Does it
demand an identical body each time, too?

I can whitelist this, of course, but I'm wondering if this is a bug or
a feature.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"I dropped the toothpaste", said Tom, crestfallenly.
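
An added example, not part of the original post: a small detector that groups greylisted deliveries by envelope triple (IP, sender, recipient) and reports triples that keep being embargoed, as in the log extract above. It assumes the line layout shown in that extract and matches the `G:G` tag literally, without interpreting it. The thresholds and the last sample line are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the log extract above; the last line
# uses a made-up sender and a reserved documentation IP address.
SAMPLE_LOG = """\
2003-12-23 02:27:27.201935500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 02:57:28.710461500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 03:27:32.771109500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 03:57:33.079633500 dcc: 165.170.64.111 quick_takes@email2.kodak.com info@CASALARGA.COM G:G
2003-12-23 04:01:02.000000500 dcc: 192.0.2.25 news@example.org info@CASALARGA.COM G:G
"""

def parse_line(line):
    """Return (timestamp, (ip, env_from, env_to)) for a greylisted line, else None."""
    fields = line.split()
    if len(fields) != 7 or fields[2] != "dcc:" or fields[6] != "G:G":
        return None
    # The log carries nanoseconds; strptime's %f accepts at most six digits,
    # so keep HH:MM:SS plus six fractional digits (15 characters).
    stamp = datetime.strptime(f"{fields[0]} {fields[1][:15]}",
                              "%Y-%m-%d %H:%M:%S.%f")
    return stamp, (fields[3], fields[4], fields[5])

def stuck_triples(log_text, min_attempts=3, min_span=timedelta(hours=1)):
    """Map each repeatedly greylisted triple to (attempt count, time span).

    min_attempts and min_span are assumed thresholds: pick a span
    comfortably longer than the embargo configured on your server.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            stamp, triple = parsed
            attempts[triple].append(stamp)
    stuck = {}
    for triple, stamps in attempts.items():
        span = max(stamps) - min(stamps)
        if len(stamps) >= min_attempts and span >= min_span:
            stuck[triple] = (len(stamps), span)
    return stuck

if __name__ == "__main__":
    for (ip, sender, rcpt), (count, span) in stuck_triples(SAMPLE_LOG).items():
        print(f"{ip} {sender} -> {rcpt}: {count} greylisted attempts over {span}")
```

A triple that shows up here is a candidate for the whitelist, or for a closer look at why its retries never clear the embargo.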


