spamhaus check not working

Chris Aseltine
Sat Jul 1 19:04:27 UTC 2017

Just to follow up on this.  I finally realized the problem was that the machine in question was set up to use as its local DNS resolver and not, i.e. recurse all the way to Spamhaus via its own bind/named instance.  This was causing false negatives, i.e. would not resolve to 127.0.0.x for some reason.  I guess this isn't supported for whatever reason?

-----Original Message-----
From: Vernon Schryver [] 
Sent: Monday, June 12, 2017 9:08 AM
To:; Chris Aseltine
Subject: Re: spamhaus check not working

> From: Chris Aseltine <>
> To: "" <>

> Lately some obvious spam has been getting past the Spamhaus check in DCC.

By "the Spamhaus check in DCC", do you mean that you are using dccm or dccifd with -B and a Spamhaus DNSBL?  If so, what?

> Lately some obvious spam has been getting past the Spamhaus check in DCC.  The headers look like this:
> =========================
> DATE: 06/12/17 06:19:59 CDT
> IP: ::ffff:

This appears to be from a DCC log file, format version #3.  
The DCC client program you are using (dccm, dccifd, or dccproc) is saying that the mail message was received from at  The SMTP client identified itself in its HELO command as

> Received: from [] ([]) by 
> with MailEnable ESMTP; Mon, 12 Jun 2017 13:19:48 +0200
> From:
> X-DCC--Metrics: quantum 1102; Body=1 Fuz1=1 Fuz2=1
>        greylist recipient
> f35a0557 2b5f56ad 2d2fe2ca a1e7d100
>                            ba3482a7 c0d02932 255da318 947b54c6 Embargo 
> #1
> rejection message: 452 4.2.1 mail v5CBJxNw056714 from 
> temporary greylist embargoed
> =========================
> What exactly do those headers mean? is heavily listed in the Spamhaus CBL, but is not.
> I don't think is the real IP address of the host delivering the message, and that is?

If you have reason to believe that Received: header, perhaps because you operate the SMTP system at, then the SMTP server at received the message from an SMTP client at claimed in its HELO command that it was at, which if true would be very unusual. apparently relayed the message to your system.

Based on that fragment of a DCC log file, the most that can be confidently said is that your system received spam from
My guess is that is an insufficiently secured SMTP relay.

Vernon Schryver
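
The false negatives described in the follow-up can be caught with a resolver self-test before trusting any DNSBL verdict. The sketch below is an added example, not code from DCC or from either poster. It builds the RFC 5782 query name (including for the `::ffff:` mapped form seen in the log) and checks the RFC 5782 test points. The zone `zen.spamhaus.org`, the function names, and the constructed resolver stand-ins are assumptions. The 127.255.255.x range is Spamhaus's documented error-code range.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumed zone; the thread does not say which one is configured
LISTED = ipaddress.ip_network("127.0.0.0/24")       # normal "listed" answers (127.0.0.x)
ERRORS = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error codes, e.g. .254 = public resolver

def dnsbl_name(ip, zone=ZONE):
    """Build the RFC 5782 query name for an IPv4, IPv6 or IPv4-mapped address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                      # DCC logs clients as ::ffff:a.b.c.d
    if addr.version == 4:
        labels = reversed(str(addr).split("."))      # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + zone

def classify(answers):
    """Interpret the A records of one lookup; an empty list stands for NXDOMAIN."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "not-listed"
    if any(a in ERRORS for a in addrs):
        return "error"                               # query refused, not a verdict on the IP
    return "listed" if any(a in LISTED for a in addrs) else "unexpected"

def resolver_usable(lookup, zone=ZONE):
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (classify(lookup(dnsbl_name("127.0.0.2", zone))) == "listed"
            and classify(lookup(dnsbl_name("127.0.0.1", zone))) == "not-listed")

def system_lookup(name):
    """Real lookup through the host's configured resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:                                  # NXDOMAIN and other failures alike
        return []

# Constructed resolvers standing in for the three behaviours, so this runs offline.
def direct(name):       # own recursive resolver: test point answers normally
    return ["127.0.0.2", "127.0.0.4", "127.0.0.10"] if name.startswith("2.0.0.127.") else []
def silent(name):       # forwarder that gets no answer: every IP looks clean
    return []
def coded(name):        # forwarder that gets the public-resolver error code
    return ["127.255.255.254"]

if __name__ == "__main__":
    for fn in (direct, silent, coded):
        print(fn.__name__, "usable" if resolver_usable(fn) else "NOT usable for DNSBL checks")
```

On a live mail host, `resolver_usable(system_lookup)` runs the same test against the resolver the machine is actually configured to use.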
