Amavisd-new Error Information
Michael Scheidell
michael.scheidell at secnap.com
Fri Sep 23 15:28:45 CEST 2011
On 9/22/11 4:23 PM, Jakob Curdes wrote:
> So the remedy would be to open the firewall for the destination port
> 6277 UDP. Then the DCC component of spamassassin can contact the
> checksum servers. If this is not feasible the DCC check should be
> deactivated as it cannot deliver any information without contact to the
> network.
>
> Hope this helps,
> J
Ditto on what Jakob says. Lots of times, outbound UDP is blocked on
firewalls. If you have a STATEFUL firewall, then that's all you need. If
you have an older packet filtering firewall, then you need to let UDP
6277 back IN.
One more thing you might consider, depending on your volume: the
standard (free) version of DCC contacts DCC's public servers
(type 'cdcc info' to see their status).
Public servers will start to impose rate limiting on large numbers of
queries. Further, again, depending on your volumes, once you get past
100K queries in a day, the bandwidth requirements for query and
'flooding' (the bidirectional exchange of checksums) get to the point
that having a local DCC server makes sense.
There is one more option, and it's been available with SA from (3.2?),
and that is the commercial version of DCC, which not only exchanges bulk
email checksums, but also exchanges 'hits' on IP addresses. It lets you
mark IP addresses that send lots of 'bulk' email (note: bulk is not
spam, but spam is bulk :-).
If any of this interests you, pop an email to Vernon Schryver
<vjs at rhyolite.com> and explain who you are, your requirements (queries
per day, i.e. how much email is SA processing once past your initial MTA
blocks), if you are providing email filtering for only your ISP
customers, or if you resell to or through third parties.
Even for 10K per day, maybe you don't need a local server, but access to
the IP reputation database, and no rate limiting, might be worth a few bucks.
(I pay about 20% to rhyolite of what Spamhaus quoted me. No, it's not
the same: SH you would normally use to block pre-queue, and DCC
doesn't block, but it does identify, pretty quickly, IP addresses that
start to send out bulk email.)
Example: your IP looks 100% clean.
<http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=76.74.238.135>
vs. one of the 'ESP's (exact target):
<http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=207.250.68.26>
68% bulk email, which is what you would expect from an ESP.
*bulk is not spam.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
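
The stateful versus packet-filter distinction discussed in this message, as an added example that is not part of the original post: a simplified first-match reader for `iptables-save` output that reports whether DCC queries on UDP 6277 can leave the host and whether the answers can come back. It assumes a host-based iptables firewall on the mail server; the function names are hypothetical and the rulesets are constructed samples.

```python
import shlex

DCC_PORT = "6277"  # UDP port for DCC named in the thread

def parse(ruleset):
    """Parse iptables-save text into ({chain: policy}, {chain: [options]})."""
    policy, rules = {}, {}
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):
            chain, pol = line[1:].split()[:2]
            policy[chain] = pol
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Simplification: every option takes one argument, no "!" negation.
            opts = dict(zip(tok[0::2], tok[1::2]))
            rules.setdefault(tok[1], []).append(opts)
    return policy, rules

def verdict(policy, rules, chain, known, unknown, state):
    """First-match verdict for a UDP packet whose `known` port is 6277.
    Address and interface matches are ignored (assumption)."""
    for r in rules.get(chain, []):
        if r.get("-p", "all") not in ("udp", "all"):
            continue
        if r.get(known, DCC_PORT) != DCC_PORT or unknown in r:
            continue  # other port is ephemeral: count a match on it as a miss
        states = r.get("--ctstate", r.get("--state"))
        if states and state not in states.split(","):
            continue
        if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return r["-j"]
    return policy.get(chain, "ACCEPT")

def dcc_check(ruleset):
    """Can this host send DCC queries and receive the answers?"""
    policy, rules = parse(ruleset)
    query = verdict(policy, rules, "OUTPUT", "--dport", "--sport", "NEW")
    reply = verdict(policy, rules, "INPUT", "--sport", "--dport", "ESTABLISHED")
    return {"query_out": query, "reply_in": reply, "usable": query == reply == "ACCEPT"}

# Constructed sample rulesets (not from the thread).
STATEFUL = """:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 6277 -j ACCEPT"""
STATELESS = """:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT"""
STATELESS_FIXED = STATELESS + "\n-A INPUT -p udp -m udp --sport 6277 -j ACCEPT"
print(dcc_check(STATELESS))
```

On a stateless filter the return rule admits any UDP datagram with source port 6277, so restrict it by source address where the filter allows.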