1792 requests/sec are too many from 32768,41617

Vernon Schryver vjs@calcite.rhyolite.com
Wed Jul 18 13:02:05 UTC 2007

> From: Chris Aseltine 

> > The message means that `dccd -G on` is receiving a suspiciously high
> > rate of requests from the `dccm` (or dccifd or dccproc) process at
> > using DCC client-ID 32768.
> Yeah, don't know why.  My system does maybe 500 messages per day tops
> (maybe 490 spam, 10 legit).  For each mail that comes in, once this
> problem starts happening, I get "2798 requests/sec are too many from..."
> for every email received, until I restart.
> Oddly, restarting also seemed to cause my original email to get resent,
> but I have no idea why that is ... I assume it is unrelated.

That suggests that you have a loop of some sort.  For example, the
sendmail mis-feature of immediately retransmitting after a 4yz temporary
rejection instead of delaying the 15 minutes recommended by RFC 2822
might be involved.  The first thing to do is to look at what is going
on.  Unless turned off, every greylist rejection is logged in the
DCCM_LOGDIR=/var/dcc/log directory specified in /var/dcc/dcc_conf.

> Actually the reason I was playing with it is because I want to increase my
> embargo time from the default.  Right now my only option is -G IPweak/16
> or whatever.  If I want to use that, and increase my embargo to say, an
> hour, what would be an example of the syntax for my dcc_conf file?

The current -G option must be "whatever", such as -Gweak-ip.
If you want to increase the embargo to 1 hour and accept all mail
from an SMTP client after any message has passed greylisting, try the
man page suggestion of GREY_DCCD_ARGS="-Gweak-IP,1hour"

> The reason is in about the last month or so, I've seen a huge uptick in
> the amount of greylisting-resistant spamming, usually it's a picture of a
> chick measuring some guy's dong with a tape measure, pushing pills or
> whatever. 

The only increase in greylist-resistant spam that I've noticed
is in backscatter.  I wonder if you are using `dccd -Gweak-body`
or `dccm -GIPmask/xx` with too broad a netmask.

>            I'm hoping that after an hour, either the spammer will give up
> or the zombie/proxy/whatever will show up in DNS blocklists by that
> time...

Unless you are using a DNS blacklist that is purely automatic, an embargo
less than several hours or a day sounds optimistic.  Greylisting does
increase the effectiveness of the DCC, but that is because reports of
bulk mail are flooded among DCC servers without waiting for human action.

I don't know, but the CBL, which is included in the ZEN, may be
automatic.  See http://www.spamhaus.org/zen/index.lasso  
The CBL (or XBL) can be used with "-BBsbl-xbl..." in /var/dcc/dcc_conf, but
not the PBL without turning off MX checks.  
Note that if you use something like the PBL or XBL in sendmail directly and
specify a target IP address instead of rejecting on any entry, you will
probably see intermittent failures.

Vernon Schryver    vjs@rhyolite.com
