Vernon Schryver
vjs@calcite.rhyolite.com
Wed, 17 Jul 2002 17:12:45 -0600 (MDT)
> From: Rafal Maszkowski <rzm@icm.edu.pl>
> ...
> > If you watch for Message-IDs, then you might also want to watch for
> > Received lines. However, while both seemed like a good idea, neither
> > by itself catches much spam, with the exception of missing or null
> > Message-IDs. Except for missing Message-IDs, essentially all spam
> > that they might catch is noticed by the various body checksums.
>
> This way?
> /var/dcc/libexec/dccm -d -d -b -t CMN,25,50 -t Message-ID,25,50 -t Received,25,50 -l 'D?log' -r '4.7.1 451 Access denied by DCC'
> Why is the combination much stronger than just Received? In what way are these two
> fields (or all fields specified after -t?) combined?

I meant to say that Received and Message-ID header counts are weak instead of strong. Contrary to what I hoped 2 years ago, watching for Message-IDs and Received headers does not catch much spam, except for the special case of no Message-ID header. I use the "many message-id <>" line from the example homedir/whitecommon file to blacklist mail without Message-IDs. Beware of the warning about that entry in the homedir/whitecommon file.

As the `man dccm` page tries to say, "CMN" is merely a shorthand for IP, env_From, From, Message-ID, Received, Body, Fuz1, and Fuz2. "ALL" is a shorthand for all of the checksums.

Checksum counts are combined simplistically. If any checksum mentioned by `dccm -g` (default IP, env_From, and From) is whitelisted by the server or if any checksum at all is locally whitelisted, then the message is whitelisted. Otherwise, if any checksum exceeds its -t threshold, the message is rejected or discarded.

> Encouraged by answers I dare to invent another question. Can DCC help in
> catching virused mail? During the last 12 days it happened only once that I caught
> a virus with Message-ID=many. Other checksums were unique.

That is an interesting idea. I have no idea if the current crop of viruses use constant Message-IDs. If they do, then running your DCC server with `dccd -K message-id` would be effective.

> Typically the virused e-mail contains some random file with virus at the end.
> Could we invent some other kind of checksum to detect this or it is better to
> use other means against viruses?

The trouble with using the DCC to detect viruses is that viruses tend to not have constant DCC body checksums. In some ways, you can view what the DCC does as watching for checksums typical of spam, while virus scanners watch for checksums typical of viruses. The ideas are similar, but the checksums that ignore the right bits differ.

Vernon Schryver vjs@rhyolite.com
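The decision rule Vernon describes (whitelist first, then any single checksum count over its `-t` threshold rejects) is easy to mis-read as some kind of weighted combination. The following is an added illustration of that rule, written for this thread and not taken from the DCC sources. It assumes the `-t type,log-thold,rej-thold` order used by dccm's option syntax, expands the `CMN` shorthand exactly as the post lists it, treats a count of `many` (as in "Message-ID=many" above) as larger than any threshold, and treats "exceeds" as "at or above"; the `-g` default types and the whitelist precedence are taken from the post.

```python
"""Illustration of how dccm combines per-checksum counts (not DCC's own code).

Assumptions (not from the DCC source):
  * a -t argument is "type,log-thold,rej-thold", e.g. "CMN,25,50"
  * a count of "many" is treated as infinite
  * "exceeds its threshold" is read as count >= threshold
"""
from typing import Dict, Iterable, Set, Tuple, Union

# The CMN shorthand as listed in the post.
CMN_TYPES = ("IP", "env_From", "From", "Message-ID", "Received",
             "Body", "Fuz1", "Fuz2")
# Default checksum types consulted for server whitelisting (dccm -g).
DEFAULT_G_TYPES = ("IP", "env_From", "From")

Count = Union[int, str]          # an integer or the literal "many"
Thresholds = Dict[str, Tuple[int, int]]   # type -> (log_thold, rej_thold)


def parse_thresholds(t_args: Iterable[str]) -> Thresholds:
    """Expand a list of -t values ("CMN,25,50", "Message-ID,25,50", ...).

    Later -t arguments override earlier ones for the same type, so a specific
    type listed after CMN wins, matching how the command line in the post
    repeats Message-ID and Received after CMN.
    """
    thresholds: Thresholds = {}
    for arg in t_args:
        ctype, log_s, rej_s = (part.strip() for part in arg.split(","))
        log_thold, rej_thold = int(log_s), int(rej_s)
        types = CMN_TYPES if ctype == "CMN" else (ctype,)
        for t in types:
            thresholds[t] = (log_thold, rej_thold)
    return thresholds


def _as_number(count: Count) -> float:
    """Map the DCC server's 'many' to a value above every threshold."""
    if isinstance(count, str):
        if count.lower() == "many":
            return float("inf")
        return float(int(count))
    return float(count)


def classify(counts: Dict[str, Count],
             thresholds: Thresholds,
             server_whitelisted: Set[str],
             locally_whitelisted: Set[str],
             g_types: Iterable[str] = DEFAULT_G_TYPES) -> str:
    """Return 'whitelisted', 'reject', 'log' or 'accept' for one message.

    counts:              checksum type -> count reported by the DCC server
    server_whitelisted:  types the server marked as whitelisted
    locally_whitelisted: types matched by the local whiteclnt/whitecommon file
    """
    # 1. Whitelisting wins over everything else.  Only the -g types count for
    #    server whitelisting; any type at all counts for local whitelisting.
    if any(t in server_whitelisted for t in g_types) or locally_whitelisted:
        return "whitelisted"

    # 2. Otherwise any single checksum at or above its reject threshold is
    #    enough; counts are not summed or weighted across types.
    verdict = "accept"
    for ctype, count in counts.items():
        if ctype not in thresholds:
            continue                      # no -t for this type: ignored
        log_thold, rej_thold = thresholds[ctype]
        n = _as_number(count)
        if n >= rej_thold:
            return "reject"
        if n >= log_thold:
            verdict = "log"               # worth logging, keep looking
    return verdict


if __name__ == "__main__":
    # Thresholds from the command line quoted in the post.
    thr = parse_thresholds(["CMN,25,50", "Message-ID,25,50", "Received,25,50"])
    # Constructed sample: the one virus the poster saw, Message-ID=many,
    # other checksums unique.
    sample = {"Body": 1, "Fuz1": 1, "Fuz2": 1, "Message-ID": "many"}
    print(classify(sample, thr, set(), set()))   # reject
```

Because the test is per-type, a message whose eight checksums each sit just under 50 is still accepted; that is the "simplistic" combination the post refers to, and it is why adding Received and Message-ID thresholds rarely catches anything the body checksums do not.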