DCC -- how do I effectively use it?

Vernon Schryver vjs@calcite.rhyolite.com
Mon Sep 3 04:31:43 UTC 2001


> From: "Mediratta, Bharat" <bharat@fusionone.com>

> ...
> My problem is that I'm not getting very many positive hits from 
> DCC.  I know that I'm connected to DCC properly because it does
> identify certain spam messages correctly, but unfortunately it
> misses a large percentage of them.  I ran it against a folder 
> containing spam detected with spambouncer and other tools and
> in some (admittedly) small trials it had about a 25% hit rate.
>
> Perhaps I'm using DCC incorrectly?  Since I'm in development, I've 
> been using dcc.rhyolite.com in anonymous mode.  I hope that I'm not 
> imposing too much of a load there.

The load is fine.  The DCC client chitchat is about the same as a DNS
lookup.

However, you'd be better served with your own DCC server exchanging
"floods" of checksums with other DCC servers.  Besides being
more robust, faster, and using even less bandwidth, with your own server
you could look at your copy of the database of checksums with dblist.


..................................................................


] From: "Brian J. Murrell" <dcc-list@interlinx.bc.ca>

] ...
] > I ran it against a folder 
] > containing spam detected with spambouncer and other tools and
] > in some (admittedly) small trials it had about a 25% hit rate.
]
] That would seem about right right now.

Other people with access to the same checksums seem to have
had better luck.  However, I think 25% is nothing to sneeze at.


] > Perhaps I'm using DCC incorrectly?
]
] Well, if you are getting some >1 counts then you are most likely using
] it correctly.

There are various possibilities:

  - bugs in the IMAP client code might be changing the messages so
   that their checksums don't match.  

  - I'm still fighting hassles with quoted-printable and making
   dccproc get the same checksums as dccm.  One often sees messages
   converted from quoted-printable and with CRLF
   converted to CR while the other doesn't.

  - as part of those hassles, I've changed the fuz1 checksum in
   version 1.0.28 to not ignore the last line.  Until everyone starts
   using that code, the effectiveness of the fuz1 checksum will be reduced.

  - the spammers who like you differ from those who like DCC users

  - your name is early in the typical spammer's somewhat alphabetical
   lists 

  - you are rejecting only on "many" instead of a threshold appropriate
   for the number of your local users.  (Yes, that wouldn't apply to
   checksums with counts of 1.)

> ...
] Will you also support a mode of operation where the MTA has already
] "dcc"ed the message and put its (DCC's) header in the message?  i.e.
] simply parse the IMAP INBOX for messages with existing DCC headers
] with values of n>1 where n is some configurable value (rather than
] using dccproc on the messages)?

It makes sense to have more than one X-DCC header on a message, with
each header reflecting the counts seen by a different network of DCC
servers.  For example, one network of DCC servers might count only
mail sent to secret spam traps and so not need much or any whitelisting,
while another might accept reports from anyone (e.g. bad guys unhappy
about CERT advisories) and so need a good whitelist.

If all expected X-DCC headers are for a single DCC server network,
it's probably best to ignore the existing header.  You would not want
to be fooled by a spammer adding an X-DCC header.  Asking the DCC
servers again costs little and can give higher checksum counts.  The
only real problem with asking multiple times is that each query
increases the counts for a message (unless you use -Q).


] > Most of my results indicate
] > that DCC has never seen the message before (ie, I get counts of
] > 1 for all of the metrics).
]
] Critical mass is not there yet.  Be patient.  Spread the word.  The
] more users DCC has the more effective it's going to be.

Yes.


Vernon Schryver    vjs@rhyolite.com
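
Added example, not part of the original post and not DCC code: a Python sketch of why two clients that see the same message in different transport forms (quoted-printable or decoded, CRLF or bare line endings), or that disagree about hashing the last line, report checksums that never match. SHA-256 and the helper names are stand-ins chosen for illustration, not DCC's Body or fuz1 algorithms, and both sample bodies are constructed.

```python
import hashlib
import quopri

# Constructed sample: the body as an MTA-side client might see it on the
# wire (quoted-printable, CRLF line endings, one soft line break) ...
WIRE_BODY = (b"Make money fast =3D guaranteed!\r\n"
             b"Visit our site today and see how easy it=\r\n"
             b" is.\r\n"
             b"Unsubscribe: reply REMOVE\r\n")
# ... and the same body as a mail store might hand it back later
# (already decoded, bare LF line endings).
STORED_BODY = (b"Make money fast = guaranteed!\n"
               b"Visit our site today and see how easy it is.\n"
               b"Unsubscribe: reply REMOVE\n")


def raw_digest(body):
    """Digest of the bytes exactly as this client received them."""
    return hashlib.sha256(body).hexdigest()


def canonical(body, quoted_printable=False):
    """Undo transfer encoding and line-ending differences before hashing."""
    if quoted_printable:
        body = quopri.decodestring(body)
    text = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return b"\n".join(line.rstrip() for line in text.split(b"\n")).strip(b"\n")


def canonical_digest(body, quoted_printable=False, ignore_last_line=False):
    """Digest of the canonical body; ignore_last_line models two client
    versions that disagree about whether the final line is hashed."""
    lines = canonical(body, quoted_printable).split(b"\n")
    if ignore_last_line:
        lines = lines[:-1]
    return hashlib.sha256(b"\n".join(lines)).hexdigest()


if __name__ == "__main__":
    print("raw forms match:      ", raw_digest(WIRE_BODY) == raw_digest(STORED_BODY))
    print("canonical forms match:", canonical_digest(WIRE_BODY, True)
          == canonical_digest(STORED_BODY))
    print("version skew matches: ", canonical_digest(STORED_BODY, ignore_last_line=True)
          == canonical_digest(STORED_BODY))
```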


