Change in whitelist behavior with 1.3.49

Vernon Schryver vjs@calcite.rhyolite.com
Wed Feb 7 20:19:25 UTC 2007


> From: John L <johnl@iecc.com>

> I just upgraded from 1.3.25 to 1.3.49, and the IP whitelisting has 
> changed, marking a whole lot of mail as whitelisted that never used to be. 
> I use a perl script that feeds incoming mail through dccifd, and I'm 
> seeing reports like this:
>
> X-DCC-IECC-Metrics: tom.iecc.com 1107; IP=ok Body=1 Fuz1=many Fuz2=many
>
> As far as I can tell, none of the IPs in the message headers match any of 
> the IPs in the whitelist files.  How can I even tell what IP it thinks 
> it's whitelisting?

To see what the DCC client thinks it is doing, check the log files.
dccifd discloses what it thinks is the SMTP client IP address
in /var/dcc/log/... files.  It may be necessary to set DCCM_LOG_AT=0
in /var/dcc/dcc_conf (or DCCIFD_LOG_AT) to generate the necessary log files.

One can also use dccproc to guess what dccifd is doing.  For example,
I put modified copies of John's message in /tmp/q and tried
  dccproc -QCi /tmp/q -El /tmp -call,0 -R -wwhiteclnt
to see if I could figure out anything from the resulting /tmp/msg.* files.

I wonder if the relevant change between 1.3.25 and 1.3.49 is related to
this CHANGES file note for 1.3.32:

    Recognize some more qmail variations of Received headers for obtaining
        IP addresses.

If not told the SMTP client IP explicitly, dccifd tries to guess from
Received headers.  It skips Received headers with IP addresses that are
listed as MX or MXDCC in /var/dcc/whiteclnt.  Perhaps by skipping more
of qmail's useless noise Received: headers, dccifd is now reaching a
Received: header with an IP address marked "OK" in /var/dcc/whiteclnt.

  ....

Note that local SMTP client IP addresses should often be marked
with "SUBMIT" instead of "OK."   The `man dcc` page now says:

       MX
       MXDCC
	     marks an IP address or block of addresses that are
	     SMTP MX servers for your mail system.  The DCC
	     clients dccm(8), dccifd(8), and dccproc(8) skip ini-
	     tial Received: headers added by listed MX servers to
	     determine the external sources of mail messages.
	     Unsolicited bulk mail that has been forwarded through
	     listed addresses is discarded by dccm(8) and
	     dccifd(8) as if with -a DISCARD instead of rejected.
	     MXDCC marks addresses that are MX servers that run
	     DCC clients.  The checksums for a mail message that
	     has been forwarded through an address listed as MXDCC
	     queried as if -Q had been used instead of reported.
       submit
	     marks an IP address or CIDR block addresses of SMTP
	     submission clients such as web browsers that cannot
	     tolerate 4yz temporary rejections but that cannot be
	     trusted to not send spam.  This does the equivalent
	     of the whiteclnt option forced-discard-ok.


Vernon Schryver    vjs@rhyolite.com
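
Added example, not part of the original message and not DCC code: a simplified Python model of the Received-header walk described above, showing how treating one more kind of qmail header as skippable noise can move the guessed SMTP client address onto one marked OK. The dict standing in for whiteclnt, both regular expressions, the sample message and the rule that an unrecognized header ends the guess are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for whiteclnt IP entries (a dict, not the real file syntax).
WHITECLNT = {"192.0.2.0/28": "MX", "198.51.100.7": "OK"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hypothetical "noise" pattern: a qmail line that carries no IP address.
QMAIL_INVOKED = re.compile(r"\(qmail \d+ invoked ")

# Constructed message; all addresses come from the documentation ranges.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.1])
\tby mail.example.org with ESMTP; Wed, 7 Feb 2007 20:00:03 +0000
Received: (qmail 4242 invoked by uid 100); 7 Feb 2007 20:00:02 -0000
Received: from partner.example.net (partner.example.net [198.51.100.7])
\tby mx1.example.org with SMTP; Wed, 7 Feb 2007 20:00:01 +0000
Received: from dialup.example.com (dialup.example.com [203.0.113.50])
\tby partner.example.net with SMTP; Wed, 7 Feb 2007 20:00:00 +0000
Subject: constructed test

body
"""

def mark_for(ip):
    """Return the whitelist mark covering ip, or None if it is unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, mark in WHITECLNT.items():
        if addr in ipaddress.ip_network(net):
            return mark
    return None

def guess_client(raw, noise=()):
    """Return (ip, mark) for the first Received hop not listed as MX/MXDCC."""
    for hdr in message_from_string(raw).get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if m is None:
            if any(p.match(hdr.strip()) for p in noise):
                continue            # recognized noise: keep walking back
            return None, None       # assumption: unknown format ends the guess
        mark = mark_for(m.group(1))
        if mark in ("MX", "MXDCC"):
            continue                # our own relay: look at the previous hop
        return m.group(1), mark
    return None, None

if __name__ == "__main__":
    print("noise not recognized:", guess_client(SAMPLE))
    print("noise recognized:    ", guess_client(SAMPLE, noise=[QMAIL_INVOKED]))
```

In this model the upgrade-like change alone turns "no client address" into a whitelisted relay, even though the message entered that relay from an unlisted address.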


