neil
neil@supanet.net.uk
Mon Dec 1 08:36:52 UTC 2008
Hi; Vernon Schryver wrote: <snip> >The checksum of two different messages both with the same fixed footer >or other string appended are practically certain to differ if the >checksums of the original messages differ. The odds of the checksums >of the modified messages being the same are on the order of 1 in 10 to >38th power. <snip> Cheers for that. I wasn't aware of how fuzzy the fuzzy matching was, especially on short messages, so I put 2+2 together and made 5. Some times I need the clue stick for things to sink in ;-) Rgds Neil Vernon Schryver wrote: >> From: neil <neil@supanet.net.uk> >> > > >> Is there a way to exclude a string from being included in DCC hashing ? >> > > no, but as far as I understand description of the problem, excluding > strings from the checksums would not be useful. > > > >> We add a footer to webmail, then DCC on other boxes as part of >> spamassassin, but I think it is registering as a hit as the footer is >> constant. >> I want to just test the body as we do get some hijacked accounts >> spamming, but the majority or our web mail traffic is person to person >> and not bulk. >> >> I have had a read of whiteclnt and seen the testmsg-whitelist, but that >> does not do what I want. Is there a way to make a checksum of our footer >> and exclude just that? >> I could have exim add the footer after spam scanning I suppose. We have >> to add the footer at management insistence, so I cant just remove it at >> source :-) >> >> Apologies in advance if this has been asked or answered before I >> did a quick search of the list and FAQ but couldn't find anything. >> > > The checksum of two different messages both with the same fixed footer > or other string appended are practically certain to differ if the > checksums of the original messages differ. The odds of the checksums > of the modified messages being the same are on the order of 1 in 10 to > 38th power. There is a vastly larger danger that your computers will > suffer undetected data errors in RAM or on buses and so compute wrong > and equal checksums. > > Exactly what problem needs solving? > > If you have found that tiny messages consisting of nothing, "yes", > "no," "test," etc. and with your footer are being detected as bulk, > then a local equivalent to testmsg-whitelist is the solution. > > All copies of z message consisting of "test" and your footer are identical > and so "bulk." There is no way that the DCC client code can know that > such small but not tiny messages should be ignored unless you say so > with white list entries. As far as the DCC client code can tell, the > copies of "test" and your footter might be small advertisements for > herbal viagra. > > The solution is to look add the hex checksums for such messages to > your /var/dcc/whiteclnt file. You can get the checksums from log > files in /var/dcc/log. Look for a line like the following in the > log file a test message that should be ignore: > > Fuz2: 67bcbe1f 0ddf6c3b c2da2ec2 6bd3e844 0 > > Then add a line like this to /var/dcc/whiteclnt > > ok hex Fuz2 67bcbe1f 0ddf6c3b c2da2ec2 6bd3e844 > > > You will need to ensure that /var/dcc/whiteclnt is being used by > dccproc or dccifd. If you are using dccifd, you probably need not > do anything. If you are using dccproc, you should enable and > use dccifd instead. If you must use dccproc, tell SpamAssassin to > run dccproc with -w/var/dcc/whiteclnt (or wherever you put your whiteclnt > file). > > > Vernon Schryver vjs@rhyolite.com > _______________________________________________ > DCC mailing list DCC@rhyolite.com > http://www.rhyolite.com/mailman/listinfo/dcc >
More information about the DCC
mailing list
