spamhaus check not working

Vernon Schryver vjs@rhyolite.com
Mon Jun 12 14:08:05 UTC 2017


> From: Chris Aseltine <ophidian@newsnation.com>
> To: "dcc@rhyolite.com" <dcc@rhyolite.com>

> Lately some obvious spam has been getting past the Spamhaus check in DCC.

By "the Spamhaus check in DCC", do you mean that you are using
dccm or dccifd with -B and a Spamhaus DNSBL?  If so, what?

> Lately some obvious spam has been getting past the Spamhaus check in DCC.  The headers look like this:
>
> =========================
>
> VERSION: 3
> DATE: 06/12/17 06:19:59 CDT
> IP: stigma3.gslcomunicacion.com ::ffff:92.48.91.248
> HELO: mail.gslcomunicacion.com

This appears to be from a DCC log file, format version #3.
The DCC client program you are using (dccm, dccifd, or dccproc) is
saying that the mail message was received from stigma3.gslcomunicacion.com
at 92.48.91.248.  The SMTP client identified itself in its HELO
command as mail.gslcomunicacion.com.


> Received: from [127.0.0.1] ([177.91.117.244]) by gslcomunicacion.com with MailEnable ESMTP; Mon, 12 Jun 2017 13:19:48 +0200
>
> From: martinpeces@biesmartin.com
>
> X-DCC--Metrics: quantum 1102; Body=1 Fuz1=1 Fuz2=1
>        greylist recipient
>   ophidian@newsnation.com: f35a0557 2b5f56ad 2d2fe2ca a1e7d100
>                            ba3482a7 c0d02932 255da318 947b54c6 Embargo #1
>
> rejection message: 452 4.2.1 mail v5CBJxNw056714 from 92.48.91.248 temporary greylist embargoed
>
> =========================
>
> What exactly do those headers mean?  177.91.117.244 is heavily listed in the Spamhaus CBL, but 92.48.91.248 is not.
>
> I don't think 92.48.91.248 is the real IP address of the host delivering the message, and that 177.91.117.244 is?

If you have reason to believe that Received: header, perhaps because
you operate the SMTP system at 92.48.91.248, then the SMTP server
at 92.48.91.248 received the message from an SMTP client at
177.91.117.244.  177.91.117.244 claimed in its HELO command that
it was at 127.0.0.1, which if true would be very unusual.  92.48.91.248
apparently relayed the message to your system.

Based on that fragment of a DCC log file, the most that can be
confidently said is that your system received spam from 92.48.91.248.
My guess is that 92.48.91.248 is an insufficiently secured SMTP relay.


Vernon Schryver    vjs@rhyolite.com
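An added example, not DCC's code nor anything from the list: it parses the quoted log fragment to separate what the local system actually observed (the DCC "IP:" line, which is the address a dccm/dccifd -B DNSBL lookup would test) from what the Received: header merely claims, and flags a loopback HELO literal. The zone name dnsbl.example is a constructed placeholder, and no DNS query is sent.

```python
import ipaddress
import re

# Constructed sample: the DCC log fragment quoted in the message above.
SAMPLE_LOG = """\
VERSION: 3
DATE: 06/12/17 06:19:59 CDT
IP: stigma3.gslcomunicacion.com ::ffff:92.48.91.248
HELO: mail.gslcomunicacion.com
Received: from [127.0.0.1] ([177.91.117.244]) by gslcomunicacion.com with MailEnable ESMTP; Mon, 12 Jun 2017 13:19:48 +0200
From: martinpeces@biesmartin.com
"""

IP_LINE_RE = re.compile(r"^IP:\s+\S+\s+(\S+)\s*$", re.M)
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(\[?([0-9A-Fa-f.:]+)\]?\)", re.M)

def connecting_ip(log):
    """Address the local MTA accepted the connection from (DCC 'IP:' line).
    DCC logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); return a dotted quad."""
    addr = ipaddress.ip_address(IP_LINE_RE.search(log).group(1))
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def received_hops(log):
    """(HELO name, address) pairs from Received: headers, written by other hosts."""
    return RECEIVED_RE.findall(log)

def helo_is_loopback(helo):
    """True when the HELO argument is an address literal in loopback space, e.g. [127.0.0.1]."""
    try:
        return ipaddress.ip_address(helo.strip("[]")).is_loopback
    except ValueError:
        return False

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: reversed octets (IPv4) or reversed nibbles (IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    labels = str(addr).split(".") if addr.version == 4 else list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def analyse(log, zone="dnsbl.example"):
    """Which address a DNSBL check tests versus what the headers only claim.
    'dnsbl.example' is a placeholder for a real DNSBL zone (assumption)."""
    peer = connecting_ip(log)
    hops = received_hops(log)
    return {
        "checked_ip": peer,                          # the only address the local system observed
        "dnsbl_query": dnsbl_query_name(peer, zone),
        "claimed_upstream": [ip for _, ip in hops],  # asserted by the relay, not verified locally
        "suspicious_helo": [h for h, _ in hops if helo_is_loopback(h)],
    }
```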

