<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 9/22/11 4:23 PM, Jakob Curdes wrote:
<blockquote cite="mid:4E7B995E.2080205@info-systems.de" type="cite">So
the remedy would be to open the firewall for the destination port
<br>
6277 UDP. Then the DCC component of spamassassin can contact the
<br>
checksum servers. If this is not feasible the DCC check should be
<br>
deactivated as it cannot deliver any information without contact
to the
<br>
network.
<br>
<br>
Hope this helps,
<br>
J</blockquote>
ditto on what Jakob says. Lots of times, outbound udp is blocked on
firewalls. if you have a STATEFUL firewall, then that's all you
need. if you have an older packet filtering firewall, then you need
to let udp 6277 back IN.<br>
<br>
one more thing you might consider, depending on your volume. the
standard (free) version of DCC contacts DCC's public servers.<br>
<br>
(type 'cdcc info' to see their status)<br>
<br>
public servers will start to impose rate limiting on large numbers
of queries. Further, again, depending on your volumes, once you get
past 100K queries in a day, the bandwidth requirements for query and
'flooding' (the bidirectional exchange of checksums) get to the
point that having a local DCC server makes sense.<br>
<br>
There is one more option, and it's been available with SA from
(3.2?), and that is the commercial version of DCC, which not only
exchanges bulk email checksums, but also exchanges 'hits' on ip
addresses. Lets you mark ip addresses that send lots of 'bulk'
email (note: bulk is not spam, but spam is bulk :-).<br>
<br>
if any of this interests you, pop an email to Vernon Schryver
<a class="moz-txt-link-rfc2396E" href="mailto:vjs@rhyolite.com">&lt;vjs@rhyolite.com&gt;</a> and explain who you are, your requirements
(queries per day, i.e. how much email is SA processing once past
your initial MTA blocks), if you are providing email filtering for
only your ISP customers, or if you resell to or through third
parties.<br>
<br>
Even for 10K per day, maybe you don't need a local server, but
access to the ip reputation database, and no rate limiting might be
worth a few bucks.<br>
<br>
(I pay about 20% to rhyolite of what SpamHaus quoted me. No, it's
not the same, SH you would normally use it to block pre-queue, and
DCC doesn't block, but it does identify, pretty quickly, ip
addresses that start to send out bulk email).<br>
<br>
example: your ip, looks 100% clean.<br>
<br>
<a class="moz-txt-link-rfc2396E" href="http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=76.74.238.135">&lt;http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=76.74.238.135&gt;</a><br>
<br>
vs one of the 'ESP's. (exact target)<br>
<br>
<a class="moz-txt-link-rfc2396E" href="http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=207.250.68.26">&lt;http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=207.250.68.26&gt;</a><br>
<br>
68% bulk email. which is what you would expect from an ESP.<br>
<br>
*bulk is not spam.<br>
<br>
<br>
<div class="moz-signature">-- <br>
Michael Scheidell, CTO<br>
o: 561-999-5000<br>
d: 561-948-2259<br>
<font color="#999999">></font><font color="#cc0000"> <b>| </b></font>SECNAP
Network Security Corporation
</div>
<br>
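The stateful versus packet-filter distinction discussed in this message, written out as iptables rules. This is an added example, not part of the original message or of the DCC or SpamAssassin projects; the function name, the use of the default INPUT/OUTPUT chains and the ephemeral port range are assumptions, and only UDP port 6277 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for DCC over UDP 6277.
# IPT defaults to a dry run that prints each command for review; set
# IPT=iptables (as root) to apply. Chain layout and port range are assumptions.
IPT="${IPT:-echo iptables}"
DCC_PORT=6277
EPHEMERAL="1024:65535"   # assumed source-port range used by the DCC client

dcc_rules() {
    mode="$1"
    case "$mode" in
        stateful|stateless) ;;
        *) echo "usage: dcc_rules stateful|stateless" >&2; return 2 ;;
    esac

    # Both cases: let the DCC client send queries out to port 6277.
    $IPT -A OUTPUT -p udp --dport "$DCC_PORT" -j ACCEPT || return 1

    if [ "$mode" = stateful ]; then
        # Connection tracking matches each reply to the query that caused
        # it, so no port-specific inbound rule is needed.
        $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    else
        # No state table: replies have to be admitted by source port alone.
        # A source port can be forged by any sender, so restrict the
        # destination to the ephemeral range and keep local UDP services
        # (DNS, syslog, SNMP) outside the rule.
        $IPT -A INPUT -p udp --sport "$DCC_PORT" --dport "$EPHEMERAL" -j ACCEPT
    fi
}
```

Run `dcc_rules stateful` or `dcc_rules stateless` to print the rules; once they are applied, `cdcc info` should show the servers answering.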
<br>
</body>
</html>