Tweaking Reputation Parameters

Vernon Schryver vjs@calcite.rhyolite.com
Mon, 19 Sep 2005 08:32:17 -0600 (MDT)


> From: Georg Graf <georg.graf@wu-wien.ac.at>
> To: dcc-reputations@rhyolite.com
> Cc: oskar.schoepf@wu-wien.ac.at


> A Report of my reputation experiences:
>
> At first I ran dcc with -t rep,10. This yielded lots of false
> reputation positives. Quite some of them had reputations of 50% and
> above.
>
> Then I switched to -t rep,80. This went quite well for 2 weeks or so.
> Today I again got a false positive. One of them that hurt ;(

Were the false positives bulk mail?  If so, the sender or the messages
should be whitelisted or those messages will be detected as bulk and
rejected by the classic DCC mechanism.


> ||  X-DCC-wuwien-Metrics: samantha.wu-wien.ac.at 1290; bulk rep Body=many
> ||          Fuz1=many Fuz2=many rep=84%
> ||                              reported: 11              checksum  server

> ||                  rep-total: 9f5d8e4e ff6f2dd0 0340200b 4112e97b       2
> ||                        rep: 9f5d8e4e ff6f2dd0 0340200b 4112e97b       0

That message must have been sent to at least 11 mailboxes and so was
somewhat bulk.


> Ok. Since without setting rep-total manually, it takes as default
> the reject_at value, I think I'll set it to a higher value. But
> this is not very logical. Because when I raise the rep-total
> value, then I can be even more sure about the correctness of the
> reputation value. Hmm. I'm kind of clueless. I'll give this a
> try:


> ||  REP_ARGS="-t rep,90 -t rep-total,1000"

90% and 1000 seem rather high.  

There is another parameter that is hard-coded inside dccd.  That
is the number of substantially identical copies of a message that
must be seen to make it "bulk" and so increase the "rep" count for
an IP address.  It is currently 10.  Would your false positives have
happened if it were 20?  What threshold do you use for bulk mail?


Vernon Schryver    vjs@rhyolite.com
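
The interaction of the three knobs discussed above (the `rep` percentage, the `rep-total` count, and the hard-coded bulk copy count), as an added example that is not part of the original message and is not dccd's code. It assumes a simplified model in which an IP's reputation is the share of its messages that reached the bulk copy count; the function names and the sample data are hypothetical and constructed.

```python
# Simplified model (an assumption, not dccd's algorithm): an IP's reputation is
# the percentage of its messages that were "bulk", where a message is bulk
# once at least `bulk_copies` substantially identical copies have been seen.


def reputation(copy_counts, bulk_copies=10):
    """Return (rep_percent, total_messages) for one sending IP.

    copy_counts holds, for each message from the IP, how many substantially
    identical copies were reported.
    """
    total = len(copy_counts)
    if total == 0:
        return 0.0, 0
    bulk = sum(1 for c in copy_counts if c >= bulk_copies)
    return 100.0 * bulk / total, total


def would_reject(copy_counts, rep_thold, rep_total_thold, bulk_copies=10):
    """Model of -t rep,<rep_thold> -t rep-total,<rep_total_thold>: reject only
    if enough messages were seen AND the bulk share is high enough."""
    rep, total = reputation(copy_counts, bulk_copies)
    return total >= rep_total_thold and rep >= rep_thold


# Constructed sample: 100 messages from one IP (think of a small list host).
# 84 were seen as 11 to 15 copies each, 16 were single copies.
SAMPLE = [11 + (i % 5) for i in range(84)] + [1] * 16


def sweep(copy_counts, rep_thold, rep_total_thold, bulk_values=(10, 20)):
    """Map each candidate bulk copy count to (rounded rep %, reject?)."""
    out = {}
    for b in bulk_values:
        rep, _ = reputation(copy_counts, b)
        out[b] = (round(rep),
                  would_reject(copy_counts, rep_thold, rep_total_thold, b))
    return out


if __name__ == "__main__":
    for b, (rep, rej) in sweep(SAMPLE, 80, 80).items():
        print(f"bulk copies >= {b}: rep={rep}% reject={rej}")
    # The thresholds from REP_ARGS="-t rep,90 -t rep-total,1000"
    print("rep,90 rep-total,1000:", would_reject(SAMPLE, 90, 1000))
```

In this model, a sender whose mail goes to lists of 11 to 15 recipients scores rep=84% with a bulk count of 10 and 0% with a bulk count of 20, which is why whitelisting such senders matters more than raising `rep` alone.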