DCC showing whitelist, don't know why

Vernon Schryver vjs@rhyolite.com
Sun Feb 26 01:06:47 UTC 2017


> From: Chris Aseltine <ophidian@newsnation.com>
> To: "'dcc@rhyolite.com'" <dcc@rhyolite.com>

> Lately a lot of spam has been reaching my inbox and upon looking at the headers, I see a line like:
>
> X-DCC--Metrics: <my hostname>; whitelist
>
> However I can not determine the reason as the sender IP address, envelope from address, or other characteristics do not appear in my whiteclnt file.
>
> My maillog shows similarly:
>
> Feb 25 15:39:37 <my hostname> sendmail[53702]: v1PLdb7d053702: Milter delete: header X-DCC--Metrics: <my hostname> 1356; bulk Body=1 Fuz1=1 Fuz2=many
> Feb 25 15:39:37 <my hostname> sendmail[53702]: v1PLdb7d053702: Milter add: header: X-DCC--Metrics: <my hostname>; whitelist

Without a description of your mail system, I cannot really say what
is happening.  My guesses are that:

  - You are somehow forwarding mail from one instance of sendmail to 
     second instance.  They might be on a single computer and might even
     be the same process.

  - The first sendmail instance to discover that the mail
     message looked like spam to DCC and added an
     "X-DCC-...-Metrics: ... Fuz2=many" header, but did not tell to discard
     or reject the message.  Perhaps that instance was running dccm 
     with "IGNORE".

  - The first sendmail instance forwarded the message directly or indirectly
     through yet other MTAs to the 2nd instance.

 - The 2nd sendmail instance deleted the X-DCC header added by the first
     instance to prevent bad guy games.

 - The 2nd sendmail instance and dccm then checked your local
     whitelists, perhaps the whitelist built into your DCC database
     by dbclean from /var/dcc/whitelist, perhaps the site-wide DCC
     client whitelist in /var/dcc/whiteclnt, or perhaps a per-user
     whiteclnt file.  The result of that check was "OK", and so sendmail 
     and dccm added the X-DCC...whitelist" header.

     The whitelist or whiteclnt entry could be one that likes your
     IP addresses, the sendmail mailbox or something else.  Whatever it
     is will be recorded in a file in /var/dcc/log and perhaps also
     a per-user log file if logging is turned on.


Vernon Schryver    vjs@rhyolite.com


More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.