whitelisting mailing lists with dccproc

Vernon Schryver vjs@calcite.rhyolite.com
Tue Sep 11 20:24:42 UTC 2001


> From: "Brian J. Murrell" <dcc-list@interlinx.bc.ca>

> ...
> > It is possible in theory to use only certified spam traps and detect
> > spam with the DCC, but I've doubts about keeping the traps sufficiently
> > secret to make that work in practice.
>
> Really?  I have spamtraps that have been fed for years now.  How do
> you think the spammers would "find them out"?

Spam traps that cause more than the sending of a few complaints to
ISP's been quite rare.  Some have used for body filtering, but they've
been even more rare, and their filtering has not been important in
the larger scheme of things.  They were not important enough to cause
significant false positives, including those of mine at that corporate
gateway that rejected up to 15,000 messages/day, to tempt anyone to
use the potential for false positives for mischief.

How spammers (or more importantly, others) would discover spam traps
feeding major DCC networks is less important than the motive that an
effective body filtering system like the DCC provides for discovering
them.  Secrets are very hard to keep, except when they are like spam
traps have been, of little value.

That's why I keep talking about examples like bad guys forwarding CERT
advisories to DCC spam traps.  If you think about it for a while,
you'll note more plausible, less public, and more serious threats.

It's good engineering, not paranoia or cynicism to assume that Murphy
was an optimist and that "they" will do whatever you make possible.


> > DCC clients only send checksums.  If you have even the slightest
> > doubt about that, and even if you have not doubts, you should
> > check the source to see that it is true.
>
> That is true.  But I trust you Vernon.  :-)  And I don't see it as a
> big deal anyway even though I am a privacy zealot.

I'm a privacy nut, and I think you should trust no one with your privacy,
including me.  I'm not joking but absolutely serious about that.


> ...
> > The words in a message are not the only private things that one 
> > might want to shield.  The fact that something was said can matter.
>
> Yeah, well, if I was in espionage, maybe I would care.  :-)

Do you dabble in the stock market, perhaps through an IRA or 401K account?
If so, you should care enough to worry about such things.  Knowing only
that the CEOs of HP and Compaq are exchanging email could be valuable.
Such knowledge can affect your fortunes even if you don't have it.


> ...
> I don't think so (worth worrying about) but that is my opinion and my
> case.

I think the DCC is sufficiently private to not worry, but everyone
must pay attention to such things.  Liberty and more have often been
lost through inattention and expediency.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.