greylisting for tagging purposes (and queries)

Vernon Schryver vjs@calcite.rhyolite.com
Sun Apr 9 03:06:42 UTC 2006


> From: john crawford 

> I'm actually running qmail 

qmail?  well, if it works for you....

I *really* don't like qmail.  An old reason is that many qmail installations
generate mail without Message-ID lines.  Then there is the special case,
kludgy parsing I've had to write to handle qmail's lame Received: headers
without IP addresses to make MX and MXDCC whitelisting work.  There are
others, but never mind.


> The key point is that I don't have the dnsbl (for no-envelope in this case)
> matched information put into a header tag.

By "header tag", do you mean the RFC 2822 X-DCC header that you get
when "header" or "body" is in the first line of the ASCII chitchat
given dccifd and that is visible in the /var/dcc/log file?
If so, don't you see "bulk" and "many" in the X-DCC header for a DNSBL
hit with "option DNSBL-on" in /var/dcc/whiteclnt?
What happens if you use "no-reject" and include "option DNSBL-on" in
/var/dcc/whiteclnt?  Don't you get your "A" and "R"?  That seems
to happen with what will be version 1.3.32.


> Okay, that's helpful, I'll probably really use
> some combination of uribl.com and surbl.org
> settings since I'm interested here in
> the uri filtering using no-envelope.

I suspect that sbl-xbl.spamhaus.org,any is approximately a superset
of uribl.com or surbl.org.


> >in the man pages.  MX and MXDCC in the whiteclnt file is the better idea.
> >See their discussion in `man dcc`.
>
> I think I need to test this more. In my mind it was whitelisting mail
> through these servers, not skipping to read deeper into the Received: chain.
> We have central campus server forwarding to the department level (depending
> on address used) so I'm ultimately hoping to have dcc figure out the
> off-campus pass-off server ip address for ip scrutiny/testing.

That's the point of "MX" and "MXDCC".   Simple whitelisting is "IP"
instead of MX or MXDCC.
You don't want to reject mail from one of your MX servers, because that
would force the MX server to either discard or bounce the spam, generating
"blowback."  It's better for the mail system that finally detects the
spam to accept the responsibilities implicit in the detection
and either discard or just tag (and never bounce).
MXDCC is for when the previous hop MX server reports what it sees
to a DCC server, so that you don't want to increase message counts
with extra reports to DCC servers.



> >Yes, the embargo # seen in log files is used by the DCC client to convert
> >what would otherwise be a report to the DCC server into a query.
>
> Okay. Thanks. Makes sense. If on a subsequent embargo retry
> the message trips positive for an rbl lookup, does the MANY
> report occur?

Yes.


Vernon Schryver    vjs@rhyolite.com
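
The idea discussed above (skip past your own MX relays in the Received: chain to find the off-site hand-off address) can be sketched as follows. This is an added example, not part of the original message and not DCC's own code; the relay range, host names and sample message are constructed, and `hop_ip` and `first_untrusted_hop` are hypothetical helper names.

```python
import ipaddress
import re
from email import message_from_string

# Hypothetical trusted relays (documentation address range), standing in
# for the campus MX servers that would be listed as MX or MXDCC.
TRUSTED_MX = [ipaddress.ip_network("192.0.2.0/28")]

# Address literal in brackets or parentheses, as MTAs commonly record it.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def hop_ip(received):
    """Return the sending IP recorded in one Received: value, or None."""
    from_part = received.split(" by ", 1)[0]  # drop the receiving side
    m = IP_RE.search(from_part)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # looked like an address but is not a valid one

def first_untrusted_hop(raw_message, trusted=TRUSTED_MX):
    """Walk Received: headers newest-first and return the first sender IP
    that is not a trusted relay, or None if the chain runs out."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = hop_ip(" ".join(value.split()))  # unfold continuation lines
        if ip is None:
            continue  # local hand-off line with no address: keep walking
        if any(ip in net for net in trusted):
            continue  # one of our own MX servers: look one hop deeper
        return ip  # everything below this line is sender-controlled
    return None

# Constructed sample: local delivery line, campus MX, off-campus sender,
# then a header the sender could have forged.
SAMPLE = (
    "Received: (qmail 4242 invoked by uid 89); 9 Apr 2006 03:00:05 -0000\n"
    "Received: from mx1.campus.example (mx1.campus.example [192.0.2.5])\n"
    "\tby dept.campus.example with ESMTP; Sun, 9 Apr 2006 03:00:04 +0000\n"
    "Received: from mail.sender.example (unknown [198.51.100.23])\n"
    "\tby mx1.campus.example with ESMTP; Sun, 9 Apr 2006 03:00:01 +0000\n"
    "Received: from forged.example ([203.0.113.99])\n"
    "\tby mail.sender.example; Sun, 9 Apr 2006 02:59:00 +0000\n"
    "Subject: test\n\nbody\n"
)
```

The walk stops at the first address outside the trusted range because only headers written by your own relays can be relied on; anything deeper in the chain was supplied by the sending side.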


