spamhaus check not working

Chris Aseltine ophidian@newsnation.com
Sat Jul 1 19:04:27 UTC 2017


Just to follow up on this.  I finally realized the problem was that the machine in question was set up to use 8.8.8.8 as its local DNS resolver and not 127.0.0.1, i.e. recurse all the way to Spamhaus via its own bind/named instance.  This was causing false negatives, i.e. z.y.x.w.zen.spamhaus.org would not resolve to 127.0.0.x for some reason.  I guess this isn't supported for whatever reason?

-----Original Message-----
From: Vernon Schryver [mailto:vjs@rhyolite.com] 
Sent: Monday, June 12, 2017 9:08 AM
To: dcc@rhyolite.com; Chris Aseltine
Subject: Re: spamhaus check not working

> From: Chris Aseltine <ophidian@newsnation.com>
> To: "dcc@rhyolite.com" <dcc@rhyolite.com>

> Lately some obvious spam has been getting past the Spamhaus check in DCC.

By "the Spamhaus check in DCC", do you mean that you are using dccm or dccifd with -B and a Spamhaus DNSBL?  If so, what?

> Lately some obvious spam has been getting past the Spamhaus check in DCC.  The headers look like this:
>
> =========================
>
> VERSION: 3
> DATE: 06/12/17 06:19:59 CDT
> IP: stigma3.gslcomunicacion.com ::ffff:92.48.91.248
> HELO: mail.gslcomunicacion.com

This appears to be from a DCC log file, format version #3.
The DCC client program you are using (dccm, dccifd, or dccproc) is saying that the mail message was received from stigma3.gslcomunicacion.com at 92.48.91.248.  The SMTP client identified itself in its HELO command as mail.gslcomunicacion.com.


> Received: from [127.0.0.1] ([177.91.117.244]) by gslcomunicacion.com 
> with MailEnable ESMTP; Mon, 12 Jun 2017 13:19:48 +0200
>
> From: martinpeces@biesmartin.com
>
> X-DCC--Metrics: quantum 1102; Body=1 Fuz1=1 Fuz2=1
>        greylist recipient
>   ophidian@newsnation.com: f35a0557 2b5f56ad 2d2fe2ca a1e7d100
>                            ba3482a7 c0d02932 255da318 947b54c6 Embargo #1
>
> rejection message: 452 4.2.1 mail v5CBJxNw056714 from 92.48.91.248 
> temporary greylist embargoed
>
> =========================
>
> What exactly do those headers mean?  177.91.117.244 is heavily listed in the Spamhaus CBL, but 92.48.91.248 is not.
>
> I don't think 92.48.91.248 is the real IP address of the host delivering the message, and that 177.91.117.244 is?

If you have reason to believe that Received: header, perhaps because you operate the SMTP system at 92.48.91.248, then the SMTP server at 92.48.91.248 received the message from an SMTP client at 177.91.117.244.  177.91.117.244 claimed in its HELO command that it was at 127.0.0.1, which if true would be very unusual.  92.48.91.248 apparently relayed the message to your system.

Based on that fragment of a DCC log file, the most that can be confidently said is that your system received spam from 92.48.91.248.
My guess is that 92.48.91.248 is an insufficiently secured SMTP relay.


Vernon Schryver    vjs@rhyolite.com
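As an added example that is not code from this thread or from DCC, the DNSBL lookup that the -B option hands to the local resolver, written in Python so the failure mode in the follow-up is visible: a lookup that cannot be completed, or that comes back with one of Spamhaus's 127.255.x.x error answers, is reported as "unknown" or "error" rather than as "not listed", and the always-listed test address 127.0.0.2 (documented by Spamhaus) is used to confirm the resolver path before trusting any "not listed" result. The zone name and answer-code table are as documented by Spamhaus; the function names and the verdict strings are my own, and the resolver function is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # the DNSBL discussed in the thread

# ZEN answer codes as documented by Spamhaus (the 127.255.x.x codes signal a
# problem with the query path, not a listing of the queried address).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    "127.255.255.254": "ERROR: query sent via a public/open resolver",
    "127.255.255.255": "ERROR: excessive queries from this resolver",
}

def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets: 92.48.91.248 -> 248.91.48.92.zen.spamhaus.org.
    Also accepts the ::ffff:a.b.c.d form that appears in the DCC log above."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if not isinstance(addr, ipaddress.IPv4Address):
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A records for name; [] on NXDOMAIN; raises on SERVFAIL/timeout so the
    caller can tell 'not listed' apart from 'could not ask'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as e:
        if e.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)):
            return []
        raise

def check(ip, resolver=system_resolver, zone=ZONE):
    """Return (verdict, details); verdict is listed / not-listed / error / unknown."""
    try:
        answers = resolver(dnsbl_name(ip, zone))
    except OSError as e:
        return "unknown", [f"lookup failed: {e}"]  # never treat as clean
    if not answers:
        return "not-listed", []
    details = [ZEN_CODES.get(a, a) for a in answers]
    if any(a.startswith("127.255.") for a in answers):
        return "error", details
    return "listed", details

def resolver_sanity(resolver=system_resolver, zone=ZONE):
    """Spamhaus keeps 127.0.0.2 listed as a test entry; a 'not-listed' answer for it
    means the resolver path is broken and every other 'not-listed' is a false negative."""
    return check("127.0.0.2", resolver, zone)[0] == "listed"
```

Run resolver_sanity() once from the mail host itself; if it returns False, the "not listed" results the filter has been seeing are worthless, which is the situation described in the follow-up.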



