Juliano - USP - DCC greylist and plugin SA

Vernon Schryver vjs@rhyolite.com
Mon Apr 27 23:10:50 UTC 2015


> From: Juliano Alves Guidini <jguidini@usp.br>

> Apr 27 11:02:40 fspam3 amavis[31148]: (31148-01) SA dbg: dcc: dccifd is not available; no r/w socket at /usr/local/dccdir/dccifd < ---- Yes, not have socket using SMTP proxy 

Why not run dccifd and so have the socket and so use dccifd instead
of dccproc?


> Apr 27 11:02:40 fspam3 amavis[31148]: (31148-01) SA dbg: dcc: opening pipe to /usr/local/bin/dccproc -C -x 0 -Q -a 143.107.71.114 -w whiteclnt </var/amavis/tmp/.spamassassin31148Kr14Cxtmp <-- Using dccproc! I don't want this.. 


> Apr 27 11:02:40 fspam3 amavis[31148]: (31148-01) SA dbg: rules: ran eval rule DCC_CHECK ======> got hit (1) 
>
> SA does the work again, instead of parsing the header on the message. 
> If I disable the DCC plugin, the headers are not parsed by SA. 

I'm wrong about how SpamAssassin checks existing X-DCC headers.
This seems to be the relevant code in DCC.pm

  if ($permsgstatus->get('ALL') =~ /^(X-DCC-.*-Metrics:.*)$/m) {
    $permsgstatus->{dcc_raw_x_dcc} = $1;
    # short-circuit if there is already a X-DCC header with value of
    # "bulk" from an upstream DCC check
    # require "bulk" because then at least one body checksum will be "many"
    # and so we know the X-DCC header is not forged by spammers
    return if $permsgstatus->{dcc_raw_x_dcc} =~ / bulk /;
  }

That says that existing X-DCC headers are ignored unless they
contain "bulk".  They will contain "bulk" only if the DCC thresholds
are set for dccifd or dccproc and if the DCC counts are above those
thresholds.

If it is impossible in your mail system for a message to bypass dccifd 
and if you do not use `dccifd -A`, then forgery of X-DCC headers
for your system would be impossible.
In that case, you could delete the "bulk" check by replacing the
code above in DCC.pm with this:

  if ($permsgstatus->get('ALL') =~ /^(X-DCC-.*-Metrics:.*)$/m) {
    $permsgstatus->{dcc_raw_x_dcc} = $1;
    return;
  }


Vernon Schryver    vjs@rhyolite.com
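
Added example, not part of the original message and not SpamAssassin's own code: a stand-alone Perl script that applies the stock check and the modified check quoted above to constructed header blocks, showing which messages each variant accepts without a fresh DCC query. The brand "EXAMPLE", the host names, the sample header values and the sub names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stock check: reuse an upstream X-DCC header only when it says "bulk".
sub reuse_stock {
    my ($all) = @_;
    if ($all =~ /^(X-DCC-.*-Metrics:.*)$/m) {
        my $raw = $1;
        return $raw if $raw =~ / bulk /;
    }
    return;    # nothing reusable: the plugin would query DCC itself
}

# Modified check: reuse whatever X-DCC header is present.
sub reuse_any {
    my ($all) = @_;
    return $1 if $all =~ /^(X-DCC-.*-Metrics:.*)$/m;
    return;
}

# Constructed header blocks; brand "EXAMPLE" and the host names are made up.
my @samples = (
    [ 'header with bulk',
      "Received: from a.example.net\n"
    . "X-DCC-EXAMPLE-Metrics: mx.example.org 1234; bulk Body=many Fuz1=many\n"
    . "Subject: offer\n" ],
    [ 'header without bulk (genuine or sender-supplied, same text)',
      "X-DCC-EXAMPLE-Metrics: mx.example.org 1234; Body=1 Fuz1=1 Fuz2=1\n"
    . "Subject: hello\n" ],
    [ 'no X-DCC header',
      "Received: from b.example.net\nSubject: hello\n" ],
);

for my $s (@samples) {
    my ($label, $headers) = @$s;
    printf "%-60s stock=%-7s modified=%s\n", $label,
        defined(reuse_stock($headers)) ? 'reuse' : 'recheck',
        defined(reuse_any($headers))   ? 'reuse' : 'recheck';
}
```

The middle case is the one that differs: the text of a non-bulk header is the same whether dccifd wrote it or the sender did, so the modified check is only safe under the condition stated above, that no message can reach SpamAssassin without passing through dccifd.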


