false positives

Vernon Schryver vjs@calcite.rhyolite.com
Thu Oct 20 14:26:33 UTC 2005

> From: Jeff Mincy 

> In SpamAssassin user_prefs I have
>    dcc_path /usr/local/bin/dccproc
>    dcc_options -Q -S mail_host -S Sender -S List-ID -S From -l /home/jeff/.dcc -w /var/dcc/whiteclnt -R
> Spamassassin calls DCC using the command line  [dcc_path] -H [dcc_options] < [tmpfile]
> I added -Q to keep from reporting messages until I get to the bottom
> of this.

Is SpamAssassin using dccproc or dccifd?  If you are using dccifd
(it's faster), then you should use -Q -w etc. in /var/dcc/dcc_conf
and use /var/dcc/libexec/start-dccifd to tell dccifd about changes.

> Here are the headers for a sample Barron's Online newsletter message
> that I can't seem to get whitelisted.  Can somebody who understands
> the DCC whitelist more than I do suggest what rule should be added to
> whitelist this message.

>    From owner-nolist-WEEKDAYTRADERLIST-051019AS-p70w0se3*MINCY**RCN*-COM@RETURNS.DOWJONES.COM  Wed Oct 19 19:20:26 2005
>    Return-Path: <owner-nolist-WEEKDAYTRADERLIST-051019AS-p70w0se3*MINCY**RCN*-COM@RETURNS.DOWJONES.COM>

>    From: "Barron's Online" <access@interactive.wsj.com>
>    Subject: Barron's Online Daily Features -- October 19, 2005

The easiest way to answer such questions is also the most reliable way
to set /var/dcc/whiteclnt.  That is to install and run (something like)
the proof of concept CGI scripts in /var/dcc/cgi-bin on your web server
and then point-and-click through dccifd log files in /var/dcc/log
or /var/dcc/userdirs/*/log.
The former needs the symbolic /var/dcc/userdirs/%postmaster sym-link
described in /var/dcc/cgi-bin/README or similar kludges.  See

I suspect that the envelope sender or Mail_From value changes every time,
and so whitelisting with that value would not be effective.  The sender
domain is probably constant.  I would probably ensure that dccifd is
running with -Smail_host in DCCIFD_ARGS in /var/dcc/dcc_conf and use
this line:

   ok  substitute mail_host  RETURNS.DOWJONES.COM

Another possibility is the following line in /var/dcc/whiteclnt.
It should work for dccproc, dccifd, or dccm.  Notice the entire from
header is present.

   ok   from  "Barron's Online" <access@interactive.wsj.com>

Vernon Schryver    vjs@rhyolite.com
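
An added example, not part of the original message or of DCC: a Python sketch of the reasoning in the reply above, comparing the envelope sender, its host part and the From header across several messages and emitting whiteclnt lines (in the two forms shown in the reply) only for values that stay constant. The sample messages are constructed, and `candidate_keys`, `stable_keys` and `whiteclnt_lines` are hypothetical helper names.

```python
from collections import defaultdict
from email import message_from_string

# Constructed sample messages: three issues of one newsletter whose envelope
# sender carries a per-message tag, modelled on the headers quoted above.
TEMPLATE = (
    "Return-Path: <owner-nolist-WEEKDAYTRADERLIST-{tag}"
    "*USER**EXAMPLE*-COM@RETURNS.DOWJONES.COM>\n"
    "From: \"Barron's Online\" <access@interactive.wsj.com>\n"
    "Subject: Barron's Online Daily Features\n\nbody\n"
)
SAMPLES = [TEMPLATE.format(tag=t) for t in
           ("051019AS-aaaa0001", "051020AS-bbbb0002", "051021AS-cccc0003")]


def candidate_keys(raw):
    """Values one message offers as possible whitelist keys."""
    msg = message_from_string(raw)
    env_from = msg.get("Return-Path", "").strip().strip("<>")
    return {
        "env_from": env_from,
        # Assumption: mail_host is taken as the host part of the envelope sender.
        "mail_host": env_from.rpartition("@")[2] if "@" in env_from else "",
        "from": " ".join(msg.get("From", "").split()),
    }


def stable_keys(raw_messages):
    """Keep only the keys whose value is identical in every sample."""
    seen = defaultdict(set)
    for raw in raw_messages:
        for name, value in candidate_keys(raw).items():
            seen[name].add(value)
    return {name: next(iter(vals)) for name, vals in seen.items()
            if len(vals) == 1 and "" not in vals}


def whiteclnt_lines(stable):
    """Format stable values as the two whiteclnt forms shown in the reply."""
    lines = []
    if "mail_host" in stable:
        lines.append("ok  substitute mail_host  " + stable["mail_host"])
    if "from" in stable:
        lines.append("ok   from  " + stable["from"])
    return lines


if __name__ == "__main__":
    print("\n".join(whiteclnt_lines(stable_keys(SAMPLES))))
```

A key that is missing from the result, such as `env_from` for these samples, changed between messages and would not make an effective whitelist entry.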
