Matt Kettler wrote:
> David Goldsmith wrote:
>> I just got a posting from the pen-test Security Focus mailing list.
>> Here are the scores it got:
>>
>> X-Spam-Level: ******
>> X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
>> UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3
>
> <snip>
>> I can possibly understand the "list sponsored by <XXX>" website URL
>> being in a URIBL and generating a hit but how could this message have
>> generated "many" hits from DCC?
>
> That's quite normal for really large mailing lists. DCC does NOT
> strictly match spam. It matches bulk mail. Period.

I realized that.

> DCC does not care if that bulk is a result of spamming, or merely
> large-scale distribution. The security focus mailing lists have a truly
> huge scale of distribution, and many subscribers there use DCC. Most of
> those subscribers, such as yourself, are not using DCC correctly.
>
> By default, every message received by your site is reported to the DCC
> system. Every message. Spam or not.

I hadn't realized that. I thought I was just querying.

> In general, to DCC there's no difference between checking and reporting.
> Thus, you must configure DCC to explicitly whitelist messages from
> your legitimate bulk senders, as otherwise they will be reported as soon
> as you receive the message.

Ok, so I have dcc-1.3.35 installed from source tarball. The config
files are under /var/dcc.

This specific mailing list adds the following List-Id header:

    List-Id: <pen-test.list-id.securityfocus.com>

I created a new whitelist-sans file and added "include whitelist-sans"
to both the 'whiteclnt' and 'whitelist' file right after the include
directive for the 'whitecommon' file.

In my 'whitelist-sans' file, I added the following lines:

    # SecurityFocus
    ok substitute List-Id: <pen-test.list-id.securityfocus.com>

Running my sample message thru 'dccproc < foo | more', I still see it
appears to query DCC since it is adding the 'X-DCC-######-Metrics:'
header.

I looked through the 'dcc_conf' file and saw that for the DCCM_ARGS and
DCCIFD_ARGS variables, it was only adding '-SList-ID' by default so I
added '-SList-Id' but the message is apparently still being submitted.

Can you provide any pointers as to what I am missing in order to make
DCC apply the whitelisting rules?

Thanks,
Dave