Posted to users@spamassassin.apache.org by David Goldsmith <dg...@sans.org> on 2006/06/07 19:40:01 UTC

Odd DCC Hit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just got a posting from the pen-test Security Focus mailing list.
Here are the scores it got:

X-Spam-Level: ******
X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
        UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3
X-Spam-Pyzor: Reported 0 times.
X-Spam-DD: EATSERVER:iceman12.giac.net 1166; Body=many Fuz1=many Fuz2=many
X-Spam-Report:
        *  1.0 NO_REAL_NAME From: does not include a real name
        *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
        *      lines
        *  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
        *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: cenzic.com]

I can possibly understand the "list sponsored by <XXX>" website URL
being in a URIBL and generating a hit but how could this message have
generated "many" hits from DCC?

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEhw9x417vU8/9QfkRAi6sAJ4x+YEjJdTlh5ePwc9pbxktof3iYwCgtHvH
Xsee+hJZ17K+IUkzOP4eblA=
=zbDj
-----END PGP SIGNATURE-----

Re: Odd DCC Hit

Posted by David Goldsmith <dg...@sans.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Goldsmith wrote:
> Running my sample message thru 'dccproc < foo | more', I still see it
> appears to query DCC since it is adding the 'X-DCC-######-Metrics:' header.
> 
> I looked through the 'dcc_conf' file and saw that for the DCCM_ARGS and
> DCCIFD_ARGS variables, it was only adding '-SList-ID' by default so I
> added '-SList-Id' but the message is apparently still being submitted.
> 
> Can you provide any pointers as to what I am missing in order to make
> DCC apply the whitelisting rules?
> 
> Thanks,
> Dave

I haven't got the whitelisting to work yet but I did find that I can add
'dcc_options -Q' to my SA config and then I will only query rather than
report and query so at least I wouldn't be contributing to the
over-reporting.

However, I would still like to get whitelisting working so I can ignore
valid bulk mail and report the checksums for spam messages.

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEiJWj417vU8/9QfkRAvWQAJ9HkE+9bo/IphvVRu0Y1VlzYUdGYQCghZ6h
I3e9bRrGl51ogGuHHmafEEs=
=GURI
-----END PGP SIGNATURE-----

Re: Odd DCC Hit

Posted by David Goldsmith <dg...@sans.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Kettler wrote:
> David Goldsmith wrote:
>> I just got a posting from the pen-test Security Focus mailing list.
>> Here are the scores it got:
>>
>> X-Spam-Level: ******
>> X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
>>         UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3
> 
> <snip>
>> I can possibly understand the "list sponsored by <XXX>" website URL
>> being in a URIBL and generating a hit but how could this message have
>> generated "many" hits from DCC?
> 
> That's quite normal for really large mailing lists. DCC does NOT
> strictly match spam. It matches bulk mail. Period.

I realized that.

> DCC does not care if that bulk is a result of spamming, or merely
> large-scale distribution. The security focus mailing lists have a truly
> huge scale of distribution, and many subscribers there use DCC. Most of
> those subscribers, such as yourself, are not using DCC correctly.
> 
> By default, every message received by your site is reported to the DCC
> system. Every message. Spam or not.

I hadn't realized that.  I thought I was just querying.

> In general, to DCC there's no difference between checking and reporting.
> Thus, you must configure DCC to explicitly whitelist messages from
> your legitimate bulk senders, as otherwise they will be reported as soon
> as you receive the message.

Ok, so I have dcc-1.3.35 installed from source tarball. The config files
are under /var/dcc.  This specific mailing list adds the following
List-Id header:

  List-Id: <pen-test.list-id.securityfocus.com>

I created a new whitelist-sans file and added "include whitelist-sans"
to both the 'whiteclnt' and 'whitelist' file right after the include
directive for the 'whitecommon' file.  In my 'whitelist-sans' file, I
added the following lines:

  # SecurityFocus
  ok      substitute List-Id: <pen-test.list-id.securityfocus.com>

Running my sample message thru 'dccproc < foo | more', I still see it
appears to query DCC since it is adding the 'X-DCC-######-Metrics:' header.

I looked through the 'dcc_conf' file and saw that for the DCCM_ARGS and
DCCIFD_ARGS variables, it was only adding '-SList-ID' by default so I
added '-SList-Id' but the message is apparently still being submitted.

Can you provide any pointers as to what I am missing in order to make
DCC apply the whitelisting rules?

Thanks,
Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEiIjw417vU8/9QfkRAn8sAKCN8OnoF31JMwOeH0/IIYMg8RU45ACgsEyV
hdVRasH5qwPCbhcaQbd1khA=
=NIQ0
-----END PGP SIGNATURE-----
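The two replies above describe the same setup problem from two sides: a DCC_CHECK hit on a large list's mail, a whiteclnt entry of the form "ok substitute List-Id: <...>" that is supposed to stop the local client reporting that list's checksums, and "dcc_options -Q" in the SpamAssassin config as a stop-gap so the site only queries DCC. The script below is an added example, not code from this thread, from SpamAssassin or from the DCC distribution. It audits a message's SpamAssassin headers against a whitelist file written in the "ok substitute" syntax quoted in the post, so you can see which DCC_CHECK hits landed on mail your whitelist should already cover, and it checks whether a local.cf text carries "dcc_options -Q". The whitelist file, the message headers and the config line are constructed samples modelled on the values quoted in the thread; the DCC header-matching is an approximation (angle-bracketed List-Id compared case-insensitively), not the dccproc implementation.

```python
"""Audit SpamAssassin headers for DCC_CHECK hits on whitelisted bulk mail.

Added example for the thread above; not part of SpamAssassin or DCC.
"""
import re
from email import message_from_string

# Constructed whitelist in the whiteclnt "ok substitute" syntax shown in the post.
WHITELIST_SANS = """\
# SecurityFocus (constructed sample; the pen-test entry mirrors the thread)
ok      substitute List-Id: <pen-test.list-id.securityfocus.com>
ok      substitute List-Id: <bugtraq.list-id.securityfocus.com>
"""

# Constructed sample message: headers modelled on the report quoted in the thread.
SAMPLE_MESSAGE = """\
From: pen-test-return@securityfocus.com
List-Id: <pen-test.list-id.securityfocus.com>
Subject: Re: a pen-test thread (constructed)
X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
\tUNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3
X-Spam-DD: EATSERVER:iceman12.giac.net 1166; Body=many Fuz1=many Fuz2=many

body text
"""

# Constructed SpamAssassin config fragment with the query-only option from the thread.
SAMPLE_LOCAL_CF = "dcc_options -Q   # query DCC, do not report checksums\n"

ENTRY_RE = re.compile(r"^\s*ok\s+substitute\s+([\w-]+):\s*(.+?)\s*$", re.I)


def parse_whitelist(text):
    """Return (header_name_lower, value) pairs for each 'ok substitute' line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2)))
    return entries


def normalize_header(value):
    """Compare List-Id style values by the bracketed id, case-insensitively."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def spam_tests(msg):
    """Extract the tests= list from a (possibly folded) X-Spam-Status header."""
    status = " ".join(msg.get("X-Spam-Status", "").split())   # unfold
    m = re.search(r"tests=(.*?)(?:\s+\w+=|$)", status)
    return re.split(r"[,\s]+", m.group(1).strip()) if m and m.group(1).strip() else []


def dcc_counts(msg):
    """Parse the Body/Fuz1/Fuz2 counts from an X-Spam-DD header into a dict."""
    return dict(re.findall(r"\b(Body|Fuz1|Fuz2)=(\w+)", msg.get("X-Spam-DD", "")))


def audit(message_text, whitelist_text):
    """Classify a message: no DCC hit, DCC hit, or DCC hit on whitelisted bulk mail."""
    msg = message_from_string(message_text)
    tests = spam_tests(msg)
    hit = "DCC_CHECK" in tests
    matched = None
    for header, value in parse_whitelist(whitelist_text):
        present = msg.get(header)             # header lookup is case-insensitive
        if present and normalize_header(present) == normalize_header(value):
            matched = (header, value)
            break
    if not hit:
        verdict = "no-dcc-hit"
    elif matched:
        verdict = "dcc-hit-on-whitelisted-bulk"   # client should not report this
    else:
        verdict = "dcc-hit"
    return {"tests": tests, "dcc_hit": hit, "whitelisted_by": matched,
            "dcc_counts": dcc_counts(msg), "verdict": verdict}


def sa_queries_only(config_text):
    """True if a SpamAssassin config sets dcc_options with -Q (query only)."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "dcc_options" and "-Q" in parts[1:]:
            return True
    return False


if __name__ == "__main__":
    result = audit(SAMPLE_MESSAGE, WHITELIST_SANS)
    print(result["verdict"], result["whitelisted_by"], result["dcc_counts"])
    print("query-only:", sa_queries_only(SAMPLE_LOCAL_CF))
```

Run over a mailbox of list traffic, the "dcc-hit-on-whitelisted-bulk" verdict is the signal to look for: it means the whitelist entry matches the message on paper, yet the local client still saw "many" for Body/Fuz1/Fuz2, so the checksums are still being reported (by this site or by other subscribers) and the whiteclnt change has not taken effect. The sa_queries_only check only confirms the stop-gap; it does not replace whitelisting, since the thread's goal is to keep reporting real spam while ignoring legitimate bulk mail.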

Re: Odd DCC Hit

Posted by Matt Kettler <mk...@comcast.net>.
David Goldsmith wrote:
> I just got a posting from the pen-test Security Focus mailing list.
> Here are the scores it got:
>
> X-Spam-Level: ******
> X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
>         UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3

<snip>
> I can possibly understand the "list sponsored by <XXX>" website URL
> being in a URIBL and generating a hit but how could this message have
> generated "many" hits from DCC?

That's quite normal for really large mailing lists. DCC does NOT
strictly match spam. It matches bulk mail. Period.

DCC does not care if that bulk is a result of spamming, or merely
large-scale distribution. The security focus mailing lists have a truly
huge scale of distribution, and many subscribers there use DCC. Most of
those subscribers, such as yourself, are not using DCC correctly.

By default, every message received by your site is reported to the DCC
system. Every message. Spam or not.

In general, to DCC there's no difference between checking and reporting.
Thus, you must configure DCC to explicitly whitelist messages from
your legitimate bulk senders, as otherwise they will be reported as soon
as you receive the message.