DCC and honeypot

Vernon Schryver vjs@calcite.rhyolite.com
Wed Mar 3 00:46:20 UTC 2004 

> From: Thamer Alharbash 

> ...
> Just out of curiousity, does the same apply to ISPs which setup a
> spam reporting e-mail address? Would you prefer it if we didn't
> let the spams reported through our users hit dcc servers outside
> of our network?

If your network might reasonably see more of the same spam, thereby
making a `dccproc -t many` useful to your servers, then it would be
useful to other servers.

That is an intentionally equivocal answer.

I think "legal" spam is best handled by the tactic that underlies the
DCC.  That tactic differs from Vipul's Razor.  If I understand it, Razor
is based on people reporting spam, but the DCC is based on a computer
counting substantially identical messages and checking whitelists.

Having people (or spam traps) report spam with Razor or `dccproc -t many`
means that all of your data is or is supposed to be about spam.  If you
believe that a large group of people is trustworthy and competent, and
if you believe they will react within seconds of a start of a spew,
that is good scheme.  I do not believe in in the first assumption, as
demonstrated by reports that someone receiving messages from the small,
closed DCC-servers mailing list is reporting them as spam.  I also
doubt there will never be enough people watching enough mailboxes 24x7.
Simply counting substantially identical messages and using a DCC bulk
threshold sounds better to me.

The reason for my equivocation is that there are small spam streams
among the big spews surely detected before any human spam target can
awaken.  Those small streams may not be counted enough to trigger a
dccd flooding threshold anywhere and so go recognized.  That is much
less likely with today's use of the DCC, but I think it happens.  For
example, there is no reason to report more of the Zhang Jung/QING
ZHANG/etc spam that floods traps, but I wouldn't be surprised if only
a few copies of "B.L.M., LLC Henderson NV" (itslegalmarketing.com et al)
are seen.

That's what I've meant by saying the DCC is targeted at "mainsleaze"
or more or less legal spam from the Fortune 50,000, and that greylisting
and broad blacklists (e.g. against parts of Asia) are better against
the spam based on violiating old computer crime laws.


Vernon Schryver    vjs@rhyolite.com

More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.