DCC Error: dccproc[xxxxx]: continue not asking DCC

Recently, I have these lines in my daily log, many of them.

Jun  8 10:56:24 mail dccproc[13204]: continue not asking DCC 78 seconds after 5
Jun  8 10:56:27 mail dccproc[13207]: continue not asking DCC 75 seconds after 5
Jun  8 10:56:37 mail dccproc[13228]: continue not asking DCC 65 seconds after 5
Jun  8 10:56:44 mail dccproc[13247]: continue not asking DCC 58 seconds after 5
Jun  8 10:56:49 mail dccproc[13251]: continue not asking DCC 53 seconds after 5
Jun  8 10:56:49 mail dccproc[13252]: continue not asking DCC 53 seconds after 5
Jun  8 10:56:58 mail dccproc[13272]: continue not asking DCC 44 seconds after 5
Jun  8 10:57:05 mail dccproc[13288]: continue not asking DCC 37 seconds after 5

Jun  8 10:56:24 mail dccproc[13204]: continue not asking DCC 78 seconds after 5

Jun  8 10:56:27 mail dccproc[13207]: continue not asking DCC 75 seconds after 5

Jun  8 10:56:37 mail dccproc[13228]: continue not asking DCC 65 seconds after 5

Jun  8 10:56:44 mail dccproc[13247]: continue not asking DCC 58 seconds after 5

Jun  8 10:56:49 mail dccproc[13251]: continue not asking DCC 53 seconds after 5

Jun  8 10:56:49 mail dccproc[13252]: continue not asking DCC 53 seconds after 5

Jun  8 10:56:58 mail dccproc[13272]: continue not asking DCC 44 seconds after 5

Jun  8 10:57:05 mail dccproc[13288]: continue not asking DCC 37 seconds after 5

So, there is something wrong with my dcc process. 😉
After several google, there is only two options.
-Problem with firewall/connection
-Problem with configuration

I know, this is not a problem with firewall/connection, because I did not changed anything and the server have direct connection to the internet.

So, there must be some configuration problems.

I run cdcc info from the console, and notice there problem with the map file.
Do some google again, and find this and this.
And I do exactly what it say.

cdcc -q info map.txt
cdcc “load map.txt”

That’s it, and DCC runs again.

How to update DCC with ease

If you using spamassassin to reduce spam to your mail server, there is big possibilities that you are also using DCC (Distributed Checksum Clearinghouses).

If you are not (yet) use DCC in your spamassassin, than you should consider to install one.

DCC is a free software, as long as you don’t sell the device or the service to to others. Reade the DCC license here.

Installation DCC may be confusing for some people (including me 🙂 ), but when it installed and configured properly, it will catch more spam that you already catch.

The good point is, if the DCC already installed, than is easy to update it.  You just need to download  the updatedcc script here, and copied it to /usr/local/bin (might be different with your OS ) with the rest of DCC files.

How to update? Just run the updatedcc and the process will run automatically.

After all the process completed, do a simple check to see if your DCC already updated.

dccproc -V

It will show the version of your DCC software.

Uceprotect, a good guy or a bad guy?

There are some users reported to me that emails to certain domains are being rejected. After further check, I realized that the emails are being blocked by uceprotect.

This is the error message

—– Transcript of session follows —– … while talking to
some.domain.com.:
>>> DATA
<<< 554 5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx]
blocked
using dnsbl-2.uceprotect.net; Net xxx.xxx.0.0/16 is UCEPROTECT-Level2 listed
because of 301 abusers. Your ISP xxx has to fix this. See:

httpx://www.uceprotect.net/rblcheck.php?ipr=xxx.xxx.xxx.xxx
554 5.0.0 Service unavailable
<<< 554 5.5.1 Error: no valid recipients

I heard about uceprotect before, how they block the entire ISP’s IP just because of some users of that ISP sending spam emails, but never though that will happen to me.

Normal rbl (dnsl) usually only block certain IP’s, but this uceprotect “smart” and “brave” enough to block the whole ISP’s IP range.

Simply said that I’m getting punished by uceprotect because somebody else spams. That is stupid.

In their website clearly says that my IP was not, is not involved in a spamrun, but still getting “the punishment”. This is the quote from their website.

YOU ARE NOT!. Your IP xxx.xxx.xxx.xxx was NOT involved in a spamrun, but has a spammy neighborhood. Other customers within this range did not care about their security and got hacked and started spamming, while your provider has possibly not even noticed that there is a serious problem.
We are sorry for you, but you have chosen an provider not acting fast enough on spammers.

I try so hard to make my IP’s clean, by removing viruses and make sure that no spam going outside through my mail servers. But my hard work is not enough, I still got blocked by uceprotect because somebody else spams.

Uceprotect in their website suggest that I should change ISP, that not that easy, and certainly not cheap.

So, I use a shortcut. I contact the admin of the domain that use uceprotect, and asked politely if it possible for them not to use uceprotect for emails from my domains. I gave them every information they need and explain my situations, and thankfully they agreed and approved my request.

Uceprotect may be want to be a good guy in spam fighter, but to me, uceprotect simply a bad guy.

RulesDuJour Problem

After recently spammer attack on http://www.rulesemporium.com/, I got the following error when trying to update the RulesDuJour rules. The error similar like this:

Lint output:

[23588] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf”: <HTML><HEAD><META HTTP-EQUIV=”Refresh” CONTENT=”0.1″>

[23588] warn: config: failed to parse line, skipping, in “/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf”: <META HTTP-EQUIV=”Pragma” CONTENT=”no-cache”>

[23588] warn: config: failed to parse line, skipping, in “/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf”: <META HTTP-EQUIV=”Expires” CONTENT=”-1″>

[23588] warn: config: failed to parse line, skipping, in “/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf”: </HEAD></HTML>

[23588] warn: lint: 4 issues detected, please rerun with debug enabled
for more information =================

This error because of some of the rules are corrupted.

To fix it is simple.

You can check each rules in RulesDuJour directory for corrupted rules, or simply delete all the rules and also backup rules, then run the rules_du_jour program again.

Rules_du_Jour program will simply download all the rules based on your RulesDujour config, for CentOS the config file is in /etc/rulesdujour/config

The default RulesDuJour directory for CentOS is in /etc/mail/spamassassin/RulesDuJour/.

Spammers Strike Back: Under Attack!

Yesterday, I saw that my rules_du_jour program not running as usual. I can’t connect to http://www.rulesemporium.com/, and my rules_du_jour command return “Got 504 from SARE Abused Redirect Subject Ruleset for SpamAssassin (post3.0.0) at http://www.rulesemporium.com/…”

From the mailscanner mailing list, I found out that rulesemporium is not the only one who under attack, so is spamhaus.org, uribl.com, surbl.com.

Official news release from spamhaus about this attack at here

Storm is the ‘nightmare’ botnet, capable of taking out government facilities and causing much mayhem on the internet. It has 3 functions; sending spam, fast-flux web and dns hosting mainly for stock scams, and DDoS. There is a hefty international effort underway by cyber-forensics teams in a joint effort by law enforcement and private sector botnet and malware analysts to trace the perpetrators.

They really hate spamhaus, that give me more reason to use spamhaus services. They hate spamhaus mean only one thing. Spamhaus really works.

I don’t see much of timeout on spamhaus, so I think the attack on spamhaus is not very succesfull.

You can see many kind attack, and how spamhaus aware of it at http://www.spamhaus.org/attacks/

But the attack against rulesemporium really hit. It down almost two days, and still down as I write this blog. I still got 504 when I tried to update my rules_du_jour this morning.

I hope rulesemporium.com will soon up and running again as usual, because they give us excellent services to handle spam.

All the Best.

Network World: ‘Spam King’ arrested in Seattle

A Good news to start the day.

A Seattle man was arrested Wednesday morning for illegal spamming activities.

I think all spamming activities is illegal.

The indictment charges Robert Alan Soloway and his company, Newport Internet Marketing, with fraudulently selling broadcast e-mail products and services that amounted to spam. The U.S. attorney’s office for the Western District of Washington refers to Soloway as a “spam king,” for the volume of unsolicited commercial e-mail his company produced. He is charged with mail fraud, identity theft, fraud and money laundering.

That plenty of charges, but he is the king.

If convicted, Soloway faces fines of over $772,000, which is the amount he illegally obtained from his activities, as well as forfeiture of other money and property.

Maybe not just fines, several months or years in prison will do just fine.

There are plenty of spammers out there, waiting to be arrested.

Read the original news at Network World

A new great feature in MailScanner (beta)

Julian Field (the author of MailScanner) now recently releasing a new beta version of MailScanner, the new beta version is 4.60.6.

Able to compress attachments into a zip file.

This feature can work on both incoming and outgoing emails.

There are many third party software that sells this kind of features with expensive prices, but MailScanner will do it for free. Now I’m feel sorry for those third party softwares.

Benefits that we can have with this feature.

  • For incoming emails, it will save Mail Server harddisk space.
  • For outgoing emails, it will save bandwith.

This feature also can be customized.

  • You can set it only for incoming emails or only for outgoing emails or both.
  • You can compress attachment if the total file size more that e.g 100 kb.
  • You can tell MailScanner not to compress already compressed file e.g zip, rar, jpg, mpg, etc.
  • This feature can be enable for certain recipients, domains, etc with rule(s) file.

I can’t wait until it reach stable version.

About MailWatch

MailScanner is a very good tool to detect spam and viruses, but MailScanner is lack of reporting tools. It only relay on maillog for logging. Even if maillog file is most comprehensive, for most people it difficult to ‘read’.

But there is MailWacth. A web based reporting tool for MailScanner and much more. If you already installed MailScanner, than it a must that you have to install MailWatch too. It simply a must. Runing MailScanner without MailWatch is simply like to have linux without gnome.

Live Report
With MailWatch you can have better understanding on what is going on in your mail server right now. Much more easier than watching your maillog with tail -f command.

Custom reports with graphs and charts
Create reports with graphs, charts based on mail traffic, viruses, spam and many more.

User Management
You can create users and let them manage their own spam.

There are three levels of user in MailWatch user management.

  1. Admin
  2. Domain Admin
  3. user

The most powerfull user level is Admin, where admin can manage all the domain and all the users. Admin can see all the emails in every domains.

Domain Admin can manage all users under it admin. Domain Admin can see all emails within their domain. This is very usefull if we manage multiple domains, and each domain have their own admin.

User can only manage their own user. They can create their own white list or black list, or change their spam score level or high spam score level.

MySQL database
Because MailWatch store it data in mySQL database, it easy to create our custom report with our prefered third party reporting tools like Crystal Report or even MS Excel.

MailWatch simply the best pair for MailScanner.

You can download the latest MailWatch in here or read the official documentation about MailWatch in here.

MailScanner 4.59.4 released

There are new stable release of MailScanner, version 4.59.4. The new release now support clamscan and clamd anti virus. It also support avast anti virus. For more detailed what new in MailScanner 5.59.4, you can read it here.

With the new clamd support, we hope that we can have significant improvement in virus scanning.

– – support for the clamd virus scanner, with the result that you can have
fast virus scanning without relying on the 3rd party Mail::ClamAV perl
module. (Julian Field )

If you are using MailWatch, than you need to modify the functions.php in your MailWatch web folder (ie /var/www/html/mailscanner) – thanks to Rick Cooper.

Find this line

case ‘clamav’:
define(VIRUS_REGEX, ‘/(.+) contains (\S+)/’);
break
;

Then insert below the “break;” line:

case ‘clamd’:
define(VIRUS_REGEX, ‘/(.+) contains (\S+)/’);
break;

Now Mailwatch will recognize the new Anti Virus.

A new way for fighting spam, will this help?

There are many ways for fighting spam and we have many tools for it. But still, we receives many spams in our inbox, it just a matter how many spams we can tolerate. For some people having 10 spam emails in their inbox will not be a problem, but for others it become a big problem.

I found an interesting page when I surf the net.

http://www.iwebtool.com/

I think this is a way for fighting spam, BUT will this effective?

Quote from http://www.iwebtool.com/webmasters/antispam/

This page is generated to attempt to slow down Spam bots from collecting e-mail addresses off the web via spam programs. The purpose of this page is to try and fill the Spam bots with worthless non-existing emails which will force them to clean out their list which will clear all the emails including all the real emails it’s collected.

Everytime a spambots visits that page, the spambots will collect around 50 random non-existing emails, and hopely will fills their database with junk email addresses, and finally the spammers will spend more time to clean up the junk email addresses.

I’m not really sure if this method is effective or will give big contribution for fighting spam, specially agains spambots. If I’m a spammer, I just prevent my spambots from visiting that page.

But, if we have many pages like that, than it might be become a big problem for spambots and spammers.

So not just create a link to that page (but we still create a link to that page), maybe we should create another page similar like that. Than that will give spammers real headache.