Reason for rejected message ?

Daniel Gehriger gehriger@linkcad.com
Wed Feb 28 08:29:00 UTC 2007


Vernon Schryver wrote:
>> From: Daniel Gehriger 
> 
>>> The complaints about DNS timeouts are not good.  Is something wrong
>>> with your DNS system?  Dccifd should have at least received NXDOMAIN
>>> for 86.59.190.206.zen.spamhaus.org from your local caching DNS server.
> 
>>                                    There shouldn't be any issues with 
>> the DNS system. Most of the time, dccifd doesn't complain about timeouts 
>> but then I get waves of those messages until a new DCC DNS helper is 
>> started.
> 
> I suspect that is turned around and that extra dns-helper processes
> are not started until enough of the current helpers have gone missing in
> action (and generated complaints) to convince dccifd to start more.
> 
> Dccifd (and dccm) keep track of the numbers of active and free dns-helper
> processes and try to keep at least one spare, inactive.   If according
> to the numbers, another helper is needed, it is created before an
> attempt is made to talk to the herd of helpers.  If the resolver library
> timeouts are working, then the helpers don't get stuck in the resolver
> library code, and there should never be a problem.  If the BIND timeout
> hooks are not present or not working, helpers can be busy waiting
> while dccifd thinks they are idle.  Dccifd should eventually realize
> as much and create more helpers, not immediately.
> So I suspect that your system does not have a normal BIND resolver
> library.  Does it have the "improved" Linux version?

I have bind 9.2.2:

Name        : bind
Version     : 9.2.2
Vendor      : SuSE Linux AG, Nuernberg, Germany
Release     : 31
Build Date  : Thu Oct  2 23:15:13 2003
Install date: Wed Mar  1 21:37:35 2006
Group       : Productivity/Networking/DNS/Servers
Source RPM  : bind-9.2.2-31.src.rpm
Size        : 5359971
Packager    : http://www.suse.de/feedback
URL         : http://www.isc.org/products/BIND/bind9.html
Summary     : BIND - Domain Name Server

> 
> What messages do you see in the system log from the dns-helper processes?

There are only the initial startup messages in the syslog. The mail log 
contains, for instance:

> Feb 28 09:20:14 vps183 dccifd[28510]: DNSBL helper about to exec /var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B zen.spamhaus.org,any -B set:helper=4,13,1
> Feb 28 09:20:25 vps183 dccifd[27955]: no DNSBL helper answer
> Feb 28 09:20:25 vps183 dccifd[27955]: 2AORSc DNSBL failed for davecarlson.com, 3.0 msg-secs remaining
> Feb 28 09:20:36 vps183 dccifd[27955]: no DNSBL helper answer
> Feb 28 09:20:36 vps183 dccifd[27955]: 2AORSc DNSBL exhausted 25 msg-secs for bls.hz5mnbmbnpm8wzzonzz6nhhz.acushlagc.com
> Feb 28 09:21:04 vps183 dccifd[29867]: 2AORSe DNSBL answer SMTP client hit for sender 202.54.78.195
> Feb 28 09:21:04 vps183 dccifd[29867]: DNSBL client hit 195.78.54.202.zen.spamhaus.org
> Feb 28 09:21:16 vps183 dccifd[29914]: 2AORSg DNSBL answer SMTP client hit for sender 202.54.78.195
> Feb 28 09:21:16 vps183 dccifd[29914]: DNSBL client hit 195.78.54.202.zen.spamhaus.org
> Feb 28 09:24:04 vps183 dccifd[32522]: no DNSBL helper answer
> Feb 28 09:24:04 vps183 dccifd[32522]: 2AORSi DNSBL failed for sender 206.190.52.120, 14.0 msg-secs remaining
> Feb 28 09:24:15 vps183 dccifd[32522]: no DNSBL helper answer
> Feb 28 09:24:15 vps183 dccifd[32522]: restart DNSBL helpers
> Feb 28 09:24:15 vps183 dccifd[32522]: 2AORSi DNSBL failed for r.leadmailing.com, 3.0 msg-secs remaining
> Feb 28 09:24:15 vps183 dccifd[32764]: DNSBL helper about to exec /var/dcc/libexec/dns-helper -B set:debug=5 -B relays.ordb.org,any -B zen.spamhaus.org,any -B set:helper=4,13,0

>>> However, none of that is not relevant to this case, because dccifd says
>>> that it got no answers from your DNS resolver.  Besides, "DCC-->spam"
> 
>> /var/dcc/libexec/dccifd -Ivscan -tREP,10 -tCMN,50,50 -Bset:debug=5 
>> -Brelays.ordb.org,any -Bzen.spamhaus.org,any -llog -wwhiteclnt 
>> -Uuserdirs -GIPmask/24 -p 127.0.0.1,10023 127.0.0.1/32 -o 
>> 127.0.0.1,10026 -SHELO -Smail_host -SSender -SList-ID
> 
> Is fact is there a comma instead of a blank between "127.0.0.1,10023"
> and "127.0.0.1/32"?

Not in the output of 'ps', but in the config file, yes. I attached the 
dcc_conf file.

> 
> Are you sure those are all of dccifd's args?  The rejection message
> for the problematic messages was
>     550 5.7.1 Service unavailable; Mail rejected as SPAM
> That could have been produced with a -B or -r arg, but not otherwise.

You are correct of course. I removed those arguments for clarity.

> 
> I have tried a bunch of things, but failed to duplicate anything
> like the problem.

I'll try installing a newer 'bind' library and we'll see if this changes 
anything.

- Daniel
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dcc_conf
URL: <http://www.rhyolite.com/pipermail/dcc/attachments/20070228/5a2fbb60/attachment.ksh>


More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.