Amavisd-new Error Information

Michael Scheidell michael.scheidell at secnap.com
Fri Sep 23 15:28:45 CEST 2011


On 9/22/11 4:23 PM, Jakob Curdes wrote:
> So the remedy would be to open the firewall for the destination port
> 6277 UDP. Then the DCC component of spamassassin can contact the
> checksum servers. If this is not feasible the DCC check should be
> deactivated as it cannot deliver any information without contact to the
> network.
>
> Hope this helps,
> J

ditto on what Jakob says.  Lots of times, outbound udp is blocked on 
firewalls. if you have a STATEFUL firewall, then that's all you need. if 
you have an older packet filtering firewall, then you need to let udp 
6277 back IN.

one more thing you might consider, depending on your volume.  the 
standard (free) version of DCC contacts DCC's public servers.

(type 'cdcc info' to see their status)

public servers will start to impose rate limiting on large numbers of 
queries.  Further, again, depending on your volumes, once you get past 
100K queries in a day, the bandwidth requirements for query and 
'flooding' (the bidirectional exchange of checksums) gets to the point 
that having a local DCC server makes sense.

There is one more option, and it's been available with SA from (3.2?). 
and that is the commercial version of DCC, which not only exchanges bulk 
email checksums, but also exchanges 'hits' on ip addresses.  Lets you 
mark ip addresses that send lots of 'bulk' email  (note: bulk is not 
spam, but spam is bulk :-).

if any of this interests you, pop an email to Vernon Schryver 
<vjs at rhyolite.com>  and explain who you are, your requirements (queries 
per day:  ie: how much email is SA processing once past your initial MTA 
blocks), if you are providing email filtering for only your ISP 
customers, or if you resell to or through third parties.

Even for 10K per day, maybe you don't need a local server, but access to 
the ip reputation database, and no rate limiting might be worth a few bucks.

(I pay about 20% to rhyolite of what SpamHaus quoted me.  No, it's not 
the same, SH you would normally use it to block pre-queue, and DCC 
doesn't block, but it does identify, pretty quickly, ip addresses that 
start to send out bulk email).

example:  your ip, looks 100% clean.

<http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=76.74.238.135>

vs one of the 'ESP's. (exact target)

<http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=207.250.68.26>

68% bulk email. which is what you would expect from an ESP.

*bulk is not spam.


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
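The two firewall cases described in the post, written out as an added example that is not part of the original message or of the DCC or amavisd-new documentation. It assumes a Linux mail host filtered with iptables, default-deny policies on INPUT and OUTPUT, and SpamAssassin's DCC client running on that same host; the lines are a fragment in iptables-save syntax to merge into an existing ruleset, not a complete ruleset.

```iptables
# Fragment only (assumption: INPUT and OUTPUT policies are DROP and the
# rest of the ruleset already exists). Not a complete firewall config.

# Both cases: let the DCC client send queries to the checksum servers.
-A OUTPUT -p udp --dport 6277 -j ACCEPT

# Case 1, stateful firewall: connection tracking pairs each reply with
# the outbound query that caused it, so the generic established-traffic
# rule is enough and no inbound rule naming port 6277 is needed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Case 2, older stateless packet filter: nothing remembers the query,
# so replies have to be let back in by source port. Use this in place
# of the conntrack rule above, not in addition to it.
# Caveat: this accepts ANY inbound UDP datagram that claims source port
# 6277, from any address. Where the set of DCC servers is fixed (for
# example a local or contracted server), narrow the rule with -s.
# -A INPUT -p udp --sport 6277 -j ACCEPT
```

Once the rules are loaded, `cdcc info` (mentioned in the post) shows the status of the DCC servers and is a quick way to see whether they are now reachable.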