DCC showing whitelist, don't know why

Chris Aseltine ophidian@newsnation.com
Sun Feb 26 01:26:25 UTC 2017


Here's a longer log excerpt which seems to go along with what you're saying.  For some reason, the spam seems to be resent "from myself" and then gets through, and of course mail from myself is whitelisted.  Note the line "v1PLdZcG053701".  This only happens on a small fraction of the amount of spam that comes in.  It works normally in most other cases.

I'm running as follows BTW.

/var/dcc/libexec/dccd -Gon -i 32702 -Gweak-body -Gweak-IP -G1800seconds,7days,364days

/var/dcc/libexec/dccm -tREP,20 -tCMN,10,20 -wwhiteclnt -Bset:rej-msg=5.7.1 550 %ID %BTYPE http://www.spamhaus.org/query/bl?ip=%BTGT -Bzen.spamhaus.org,127.0.0.0-127.0.0.8 -Bset:no-mail_host -Bset:no-URL -Bset:no-NS -Bzen.spamhaus.org -Bset:URL -Bset:no-client -Bdbl.spamhaus.org,127.0.1.1-127.0.1.59,name -Bset:white -Bset:client -Bset:no-URL -Bset:no-mail_host -Bset:debug -Bset:no-NS -Bset:no-MX -Blist.dnswl.org,127.0.0.3&255.255.0.255 -Uuserdirs -Gon -GIPmask/24 -SHELO -Smail_host -SSender -SList-ID

Feb 25 15:04:21 quantum sendmail[53130]: v1PL4KKb053130: from=<messages@encernal.com>, size=9069, class=0, nrcpts=1, msgid=<bfdfc0fa55fe2aeff983f0b52c964f17@encernal.com>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=198-57-223-108.unifiedlayer.com [198.57.223.108] (may be forged)

Feb 25 15:04:23 quantum sendmail[53130]: v1PL4KKb053130: Milter: data, reject=452 4.2.1 mail v1PL4KKb053130 from 198.57.223.108 temporary greylist embargoed

Feb 25 15:34:43 quantum sendmail[53555]: v1PLYh1U053555: from=<messages@encernal.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=198-57-223-108.unifiedlayer.com [198.57.223.108] (may be forged)

Feb 25 15:39:33 quantum sendmail[53697]: v1PLdX7P053697: from=<messages@encernal.com>, size=9201, class=0, nrcpts=1, msgid=<4e303f8563313fdad13d0733799c4075@encernal.com>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=198-57-223-108.unifiedlayer.com [198.57.223.108] (may be forged)

Feb 25 15:39:35 quantum sendmail[53697]: v1PLdX7P053697: Milter add: header: X-DCC--Metrics: quantum 1356; bulk Body=1 Fuz1=1 Fuz2=many

Feb 25 15:39:35 quantum sendmail[53701]: v1PLdZcG053701: from=ophidian, size=9530, class=0, nrcpts=1, msgid=<4e303f8563313fdad13d0733799c4075@encernal.com>, relay=ophidian@localhost

??? What is this??

Feb 25 15:39:37 quantum sendmail[53702]: v1PLdb7d053702: from=<ophidian@quantum.newsnation.com>, size=9664, class=0, nrcpts=1, msgid=<4e303f8563313fdad13d0733799c4075@encernal.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]

Feb 25 15:39:37 quantum sendmail[53702]: v1PLdb7d053702: Milter delete: header X-DCC--Metrics: quantum 1356; bulk Body=1 Fuz1=1 Fuz2=many

Feb 25 15:39:37 quantum sendmail[53702]: v1PLdb7d053702: Milter add: header: X-DCC--Metrics: quantum; whitelist

Feb 25 15:39:37 quantum sendmail[53699]: v1PLdX7P053697: to=<ophidian@newsnation.com>, delay=00:00:04, xdelay=00:00:02, mailer=local, pri=39496, dsn=2.0.0, stat=Sent

-----Original Message-----
From: DCC [mailto:dcc-bounces@rhyolite.com] On Behalf Of Vernon Schryver
Sent: Saturday, February 25, 2017 7:07 PM
To: dcc@rhyolite.com
Subject: Re: DCC showing whitelist, don't know why

> From: Chris Aseltine <ophidian@newsnation.com>
> To: "'dcc@rhyolite.com'" <dcc@rhyolite.com>

> Lately a lot of spam has been reaching my inbox and upon looking at the headers, I see a line like:
>
> X-DCC--Metrics: <my hostname>; whitelist
>
> However I can not determine the reason as the sender IP address, envelope from address, or other characteristics do not appear in my whiteclnt file.
>
> My maillog shows similarly:
>
> Feb 25 15:39:37 <my hostname> sendmail[53702]: v1PLdb7d053702: Milter delete: header X-DCC--Metrics: <my hostname> 1356; bulk Body=1 Fuz1=1 Fuz2=many
> Feb 25 15:39:37 <my hostname> sendmail[53702]: v1PLdb7d053702: Milter add: header: X-DCC--Metrics: <my hostname>; whitelist

Without a description of your mail system, I cannot really say what
is happening.  My guesses are that:

  - You are somehow forwarding mail from one instance of sendmail to a
     second instance.  They might be on a single computer and might even
     be the same process.

  - The first sendmail instance discovered that the mail
     message looked like spam to DCC and added an
     "X-DCC-...-Metrics: ... Fuz2=many" header, but was not told to discard
     or reject the message.  Perhaps that instance was running dccm
     with "IGNORE".

  - The first sendmail instance forwarded the message directly or indirectly
     through yet other MTAs to the 2nd instance.

  - The 2nd sendmail instance deleted the X-DCC header added by the first
     instance to prevent bad guy games.

  - The 2nd sendmail instance and dccm then checked your local
     whitelists, perhaps the whitelist built into your DCC database
     by dbclean from /var/dcc/whitelist, perhaps the site-wide DCC
     client whitelist in /var/dcc/whiteclnt, or perhaps a per-user
     whiteclnt file.  The result of that check was "OK", and so sendmail
     and dccm added the "X-DCC...whitelist" header.

     The whitelist or whiteclnt entry could be one that likes your
     IP addresses, the sendmail mailbox or something else.  Whatever it
     is will be recorded in a file in /var/dcc/log and perhaps also
     a per-user log file if logging is turned on.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
DCC mailing list      DCC@rhyolite.com
https://www.rhyolite.com/mailman/listinfo/dcc
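The pattern Vernon describes (a first pass that adds a "bulk" X-DCC header, a re-injection through localhost, and a second pass that deletes that header and adds "whitelist") can be pulled out of the maillog mechanically by correlating queue ids on their Message-ID. The script below is an added example for this thread; it is not code from DCC, sendmail, or either poster. It parses the sendmail/dccm log format shown in the excerpt above, and the rule it applies ("bulk" added on an earlier hop, then "whitelist" added on a later hop received from localhost) is an assumed heuristic for spotting this re-submission, not a DCC feature. The sample log is copied from the excerpt earlier in the thread.

```python
"""Correlate sendmail/dccm log lines by Message-ID to find a message that DCC
scored "bulk" on arrival and that was then re-injected through localhost,
where a second pass replaced the X-DCC header with a "whitelist" verdict.

Added example for this mailing-list thread; not part of DCC or sendmail.
The log format it parses is the one in the excerpt above; the "bulk, then
whitelist via localhost" rule is an assumed heuristic, not a DCC feature.
"""
import re

# Lines copied from the log excerpt quoted earlier in this thread.
SAMPLE_LOG = """\
Feb 25 15:04:21 quantum sendmail[53130]: v1PL4KKb053130: from=<messages@encernal.com>, size=9069, class=0, nrcpts=1, msgid=<bfdfc0fa55fe2aeff983f0b52c964f17@encernal.com>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=198-57-223-108.unifiedlayer.com [198.57.223.108] (may be forged)
Feb 25 15:04:23 quantum sendmail[53130]: v1PL4KKb053130: Milter: data, reject=452 4.2.1 mail v1PL4KKb053130 from 198.57.223.108 temporary greylist embargoed
Feb 25 15:34:43 quantum sendmail[53555]: v1PLYh1U053555: from=<messages@encernal.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=198-57-223-108.unifiedlayer.com [198.57.223.108] (may be forged)
Feb 25 15:39:33 quantum sendmail[53697]: v1PLdX7P053697: from=<messages@encernal.com>, size=9201, class=0, nrcpts=1, msgid=<4e303f8563313fdad13d0733799c4075@encernal.com>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=198-57-223-108.unifiedlayer.com [198.57.223.108] (may be forged)
Feb 25 15:39:35 quantum sendmail[53697]: v1PLdX7P053697: Milter add: header: X-DCC--Metrics: quantum 1356; bulk Body=1 Fuz1=1 Fuz2=many
Feb 25 15:39:35 quantum sendmail[53701]: v1PLdZcG053701: from=ophidian, size=9530, class=0, nrcpts=1, msgid=<4e303f8563313fdad13d0733799c4075@encernal.com>, relay=ophidian@localhost
Feb 25 15:39:37 quantum sendmail[53702]: v1PLdb7d053702: from=<ophidian@quantum.newsnation.com>, size=9664, class=0, nrcpts=1, msgid=<4e303f8563313fdad13d0733799c4075@encernal.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Feb 25 15:39:37 quantum sendmail[53702]: v1PLdb7d053702: Milter delete: header X-DCC--Metrics: quantum 1356; bulk Body=1 Fuz1=1 Fuz2=many
Feb 25 15:39:37 quantum sendmail[53702]: v1PLdb7d053702: Milter add: header: X-DCC--Metrics: quantum; whitelist
Feb 25 15:39:37 quantum sendmail[53699]: v1PLdX7P053697: to=<ophidian@newsnation.com>, delay=00:00:04, xdelay=00:00:02, mailer=local, pri=39496, dsn=2.0.0, stat=Sent
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=(?P<env><[^>]*>|[^,]+),")
MSGID_RE = re.compile(r"msgid=<(?P<msgid>[^>]+)>")
RELAY_RE = re.compile(r"relay=(?P<relay>.*)$")
# dccm logs "Milter add: header: X-DCC-...-Metrics:" but
# "Milter delete: header X-DCC-...-Metrics:" (no colon after "header").
DCC_RE = re.compile(r"Milter (?P<action>add|delete): header:? X-DCC-+Metrics: (?P<metrics>.*)$")
LOCAL_RE = re.compile(r"localhost|127\.0\.0\.1")


def dcc_verdict(metrics):
    """'quantum 1356; bulk Body=1 ...' -> 'bulk'; 'quantum; whitelist' -> 'whitelist'."""
    tail = metrics.split(";", 1)[1] if ";" in metrics else metrics
    words = tail.split()
    return words[0] if words else ""


def parse_hops(log_text):
    """One record per sendmail queue id, in first-seen (log) order."""
    hops = {}
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        hop = hops.setdefault(qid, {"qid": qid, "env_from": None, "msgid": None,
                                    "relay": None, "verdicts": []})
        if rest.startswith("from="):
            f, i, r = FROM_RE.match(rest), MSGID_RE.search(rest), RELAY_RE.search(rest)
            hop["env_from"] = f.group("env") if f else None
            hop["msgid"] = i.group("msgid") if i else None   # absent on aborted sessions
            hop["relay"] = r.group("relay") if r else None
        else:
            d = DCC_RE.search(rest)
            if d:
                hop["verdicts"].append((d.group("action"), dcc_verdict(d.group("metrics"))))
    return hops


def chains_by_msgid(hops):
    """Group hops that carry the same Message-ID, keeping log order."""
    chains = {}
    for hop in hops.values():
        if hop["msgid"]:
            chains.setdefault(hop["msgid"], []).append(hop)
    return chains


def find_relaundered(log_text):
    """Return {msgid: [qid, ...]} for chains where an earlier hop received a DCC
    'bulk' header and a later hop, accepted from localhost, received 'whitelist'."""
    flagged = {}
    for msgid, chain in chains_by_msgid(parse_hops(log_text)).items():
        bulk_seen = False
        for hop in chain:
            added = [v for action, v in hop["verdicts"] if action == "add"]
            if bulk_seen and LOCAL_RE.search(hop["relay"] or "") and "whitelist" in added:
                flagged[msgid] = [h["qid"] for h in chain]
                break
            if "bulk" in added:
                bulk_seen = True
    return flagged


if __name__ == "__main__":
    for msgid, qids in find_relaundered(SAMPLE_LOG).items():
        print(f"{msgid}: bulk verdict replaced by whitelist via {' -> '.join(qids)}")
```

Run against the excerpt it reports the single chain v1PLdX7P053697 -> v1PLdZcG053701 -> v1PLdb7d053702, which is exactly the hop sequence Vernon's reply predicts: the middle queue id is the local re-injection (relay=ophidian@localhost) and the last one is where dccm deleted the "bulk" header and added "whitelist". The greylisted 15:04 message, which never got a DCC verdict, is not flagged. Pointing this at a full maillog narrows the search to the queue ids whose /var/dcc/log entries will name the whitelist or whiteclnt entry that matched.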
