greylisting for tagging purposes (and queries)

john crawford jmc-dcc@sociology.osu.edu
Sat Apr 8 04:25:46 UTC 2006


Hi.

Thanks to Vernon for some fine software. We've been using dcc for
bulk tagging for some time.

I am testing the greylist functionality. I'm initially considering
using dcc to delay grey inbound messages (no rejection or discard, but
tagging for bulk and dnsbl is desired).

I'm working with dccifd options and dcc_conf settings and not getting
dnsbl feedback on the headers. I'd like to tag DCC/DNSBL results once the
embargo ends. If I get a MANY or DNSBL match the message enters
immediately. I'd kind of rather have it retry longer but maybe I have
to live with that. I do get MANY condition (rej-thold) header tagging
which is good, but I've not seen any dnsbl information at all on a tag
header when dnsbl does match (as shown in the log).  How can I get a
dnsbl report into the headers?  (dccifd returns result A, oks R).
I'll append my current dccifd options and dcc_conf settings and a log
tail below.

Another question is about header analysis.  I'd like to have dcc's
header analysis locate the ip address for analysis of the first server
not in a specified local group set. I know I can whitelist a set of
servers, but that just prevents the message being analyzed if that is
the ip in the analyzed receive line. I know I can specify rcvd-nxt for
a specific offset, but I might want to inspect with messages incoming
with varying hop counts within campus, depending on entry point and
forwarding path. I don't mind embargoing (at least for testing
purposes) with a local queuing server playing the storage/retry
role. The delay gives me a hypothetical chance to have the embargoed
messages flag dirty via rbl, bulk or updated virus scan. I have
implemented this logic, adding the flexibility to force feed to dcc
the correct ip address of the foreign hand-off IP server, within an
external header analysis program and passing the parsed ip address to
dccifd, but I'm wondering if I'm missing a feature within dcc's logic
for this.

As a matter of curiosity, if I turn off the query flag and use
greylisting, when does the dcc logic return the metrics to the queried
server for the message being analyzed? How does it increment the "I've
seen this" counter? It shouldn't increment by one for each time the
greylisted message is retried (reseen). Does it increment the first
time it sees that fingerprint and not increment for similar
fingerprints in the near future? Thanks.

An example log where dnsbl matches but doesn't appear as a header/tag
(and doesn't embargo) is at the very end.

Thanks,
John


dccifd send options and parameters: body no-reject no-reject 
58.77.34.161jfqjfdadi@... opts helo clnt

dcc_conf cleaned up =

DCC_CONF_VERSION=3
DCC_LIBEXEC=/usr/local/dcc/libexec
DCC_RUNDIR=/var/run
DCCUID=dcc
DCCD_ENABLE=off
SRVR_ID=
BRAND=
DCCD_ARGS=
GREY_CLIENT_ARGS=ON
GREY_ENABLE=ON
GREY_SRVR_ID=$SRVR_ID
GREY_DCCD_ARGS="-G 50minutes,7days,63days"
REP_ARGS=
DNSBL_ARGS="-B env:no-envelope -B sbl-xbl.spamhaus.org"
XFLTR_ARGS=
DCCM_ENABLE=off
DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
DCCM_LOGDIR=log
DCCM_WHITECLNT=whiteclnt
DCCM_USERDIRS=userdirs/local
DCCM_LOG_AT=0
DCCM_REJECT_AT=
DCCM_CKSUMS=
DCCM_XTRA_CKSUMS=
DCCIFD_ENABLE=on
DCCIFD_ARGS="-SHELO -Smail_host -SSender -SList-ID -aIGNORE -Q -A -t ALL,0,MANY"
DCCIFD_LOGDIR="$DCCM_LOGDIR"
DCCIFD_WHITECLNT="$DCCM_WHITECLNT"
DCCIFD_USERDIRS="$DCCM_USERDIRS"
DCCIFD_LOG_AT="$DCCM_LOG_AT"
DCCIFD_REJECT_AT="$DCCM_REJECT_AT"
DCCIFD_CKSUMS="$DCCM_CKSUMS"
DCCIFD_XTRA_CKSUMS="$DCCM_XTRA_CKSUMS"
DBCLEAN_LOGDAYS=14
DBCLEAN_ARGS=
DCC_INFO_LOG_FACILITY=local5.info
DCC_ERROR_LOG_FACILITY=local5.err
if test -n "$DCC_INFO_LOG_FACILITY"; then
     if expr "X$DCC_INFO_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
         :
     else
         DCC_INFO_LOG_FACILITY="$DCC_INFO_LOG_FACILITY.notice"
     fi
     DCC_LOG_ARGS="$DCC_LOG_ARGS -Linfo,$DCC_INFO_LOG_FACILITY"
fi
if test -z "$DCC_ERROR_LOG_FACILITY"; then
     DCC_ERROR_LOG_FACILITY=mail.err
else
     if expr "X$DCC_ERROR_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
         :
     else
         DCC_ERROR_LOG_FACILITY="$DCC_ERROR_LOG_FACILITY.err"
     fi
     DCC_LOG_ARGS="$DCC_LOG_ARGS -Lerror,$DCC_ERROR_LOG_FACILITY"
fi
DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t  ${LOGGER_TAG-DCC}"
Configure_DCC_LIBEXEC=/usr/local/dcc/libexec
Configure_DCC_RUNDIR=/var/run
Configure_DCCUID=dcc
Configure_DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t  ${LOGGER_TAG-DCC}"

==
  result A
  oks R
==

a log
DNSBL failed for hotmail.com, 24.5 msg-secs remaining
body URL search.msn.click-url.com DNSBL hit 75.69.39.216.sbl-xbl.spamhaus.org
DNSBL-->spam  dccifd  per-user

X-DCC-Misty-Metrics: ss51.sociology.ohio-state.edu 1170; bulk Body=0 Fuz1=0
                             reported: 0               checksum  server
                        IP: cf5e6f35 2084fa93 b600de39 96235c1d
                  env_From: a3484c7d 19e71e2d 52dd6a6a bea8e040
                      From: 7d88702f 987d7b29 15c4b342 bd15e60a
           substitute helo: c3557ca2 2ada1cca fcc43f80 13ef0251
                Message-ID: 20e04b16 1f802ad9 c7137b59 4f597ade
                  Received: 056d3d9d 41fe9da2 15fd825a 74c82f49
                      Body: 4945af07 793185ef 4433dc87 7d6ff47f       0
                      Fuz1: 6f98686a a7bdd7b5 1b172b74 815c80de       0
      substitute mail_host: f77684a4 b02ce0de 0cb79348 7fbf33a1

        greylist recipient
xxxxxxxx@xxxxxxxxxxxxx...: 573250e5 c4cfb0d7 bc12d6f4 1fe43bc5
                            e5d77c7d de1eba9e b5dd6292 dd400947 
Embargo #1 reset

result: ignore and accept

-end of email-
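An added example, not part of John's post and not DCC's own code: a small Python walker over Received headers that does what the header-analysis paragraph above describes, returning the address of the first hop that is not inside a set of local networks, together with its hop count (the kind of offset the post says it would like to vary instead of fixing with rcvd-nxt). The local network list, the sample messages, and every hostname and address in them are constructed for this example. The walker stops at the first external hop on purpose: Received headers below that point were written by servers outside your control and can say anything, so only the hops your own relays added are trustworthy input for a DNSBL or greylist lookup.

```python
import ipaddress
import re
from email import message_from_string
from typing import Iterable, Optional, Tuple

# Constructed for this example: the campus relays live in these networks.
LOCAL_NETS = ["10.0.0.0/8", "127.0.0.0/8", "::1/128"]

# Constructed message: two campus hops, then the first outside server, then a
# header that the outside server claims to have received from a private address.
SAMPLE_MESSAGE = """\
Received: from relay2.campus.example (relay2.campus.example [10.1.2.3])
\tby mailstore.campus.example with ESMTP id abc123
\tfor <user@campus.example>; Sat, 8 Apr 2006 04:00:00 +0000
Received: from gw1.campus.example (gw1.campus.example [10.1.1.1])
\tby relay2.campus.example with ESMTP id def456; Sat, 8 Apr 2006 03:59:59 +0000
Received: from mail.remote.example (mail.remote.example [203.0.113.5])
\tby gw1.campus.example with ESMTP id ghi789; Sat, 8 Apr 2006 03:59:58 +0000
Received: from [192.168.7.7] (unknown [192.168.7.7])
\tby mail.remote.example with ESMTPA id jkl012; Sat, 8 Apr 2006 03:59:50 +0000
From: sender@remote.example
To: user@campus.example
Subject: constructed test message

body text
"""

# Constructed message that never left campus (a local web application posting
# through the relay); there is no external hop to report.
ALL_LOCAL_MESSAGE = """\
Received: from relay2.campus.example (relay2.campus.example [10.1.2.3])
\tby mailstore.campus.example with ESMTP id xyz; Sat, 8 Apr 2006 04:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby relay2.campus.example with ESMTP id uvw; Sat, 8 Apr 2006 03:59:59 +0000
From: webapp@campus.example
Subject: constructed internal message

body text
"""

# The connecting host's address appears in square brackets in the "from" clause,
# optionally prefixed with "IPv6:" as many MTAs write it.
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_ip(received_value: str):
    """Return the sending host's address from one Received header value, or None.

    Only the text before " by " is examined, so an address that happens to sit
    in the id, for or comment clauses is not mistaken for the peer address.
    """
    from_clause = re.split(r"\s+by\s+", received_value, maxsplit=1)[0]
    match = _BRACKET_IP.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        # Bracketed text that is not a valid address (e.g. a bare hostname).
        return None


def first_external_hop(raw_message: str,
                       local_nets: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Walk Received headers newest-first and return (ip, hop_number) for the
    first hop outside local_nets, or None if the message never left them.

    Hop numbers count from 1 at the topmost (most recent) Received header.
    Headers below the first external hop are never read: they were written by
    a server you do not control and cannot be trusted.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    msg = message_from_string(raw_message)
    for hop, value in enumerate(msg.get_all("Received", []), start=1):
        ip = received_ip(value)
        if ip is None:
            # A local hop with no peer address (e.g. pipe or socket delivery).
            continue
        if any(ip in net for net in nets):
            continue
        return str(ip), hop
    return None


if __name__ == "__main__":
    print(first_external_hop(SAMPLE_MESSAGE, LOCAL_NETS))     # ('203.0.113.5', 3)
    print(first_external_hop(ALL_LOCAL_MESSAGE, LOCAL_NETS))  # None
```

The returned address is what an external header-analysis wrapper would hand to the checker instead of the address in the topmost Received line; a result of None means the message originated inside the local group and there is nothing to look up.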