Body Checksum Calculation

Vernon Schryver vjs@calcite.rhyolite.com
Mon Apr 1 20:36:25 UTC 2002


> From: "Tony L. Svanstrom" <tony@svanstrom.org>

> > That may conflict with the fundamental idea of the DCC.  That idea is that by
> > reporting cryptographic checksums of lots of mail to clearinghouses
> > regardless of whether it matches some pattern or came from some blacklisted
> > source, bulk mail can be detected by all except the first few targets.
>
>  Yes, and I love the idea behind it all, but I have to use my lil compromise
> until I feel that I can trust the system. I intend to apply whatever my idea of
> a working solution is when done to a situation where a successful attack just
> isn't an option; and right now DCC is, to me, a high risk-thing.

I do not understand what is meant by a "successful attack" in this
context.  Have you read
http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dcc.html#Security ?

If the concern is about false positives or rejecting mail that is not
spam, then that is a non sequitur and suggests a continued misunderstanding
of the nature of the DCC.  Reporting checksums of all external mail is
independent of enabling mechanisms to reject mail.  I think minimal
prudence includes not enabling mail rejection for a month or two
while monitoring what would have been rejected.

If the concern is about privacy or security, whether trojan horses or
leaking private information about the contents of mail, then the best
and only reliable way to proceed is to read and understand the code.


>  My biggest concern right now is the lack of information regarding how it
> works.

The primary information is all there in plain sight in the C source.

I can see how the large number of English words might be too much
of a good thing, but I don't know what to delete.


Vernon Schryver    vjs@rhyolite.com
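
The separation described in the message above (every message's checksum is reported, while rejection is an independent switch that can stay off during a monitoring period), as an added example that is not part of the original message and not DCC code. The SHA-256 body checksum, the threshold of 3, and the `Clearinghouse` and `MailClient` names are assumptions made for illustration; DCC's own checksums and thresholds are defined in its C source.

```python
import hashlib
from collections import Counter

BULK_THRESHOLD = 3  # assumed: reports at or above this count mark a body as bulk


def body_checksum(body: str) -> str:
    """Stand-in checksum: SHA-256 over the body with whitespace collapsed.
    This is not one of DCC's own checksum algorithms."""
    normalized = " ".join(body.split()).lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class Clearinghouse:
    """Counts how often each checksum was reported; never sees mail content."""

    def __init__(self):
        self.counts = Counter()

    def report(self, checksum: str) -> int:
        self.counts[checksum] += 1
        return self.counts[checksum]


class MailClient:
    """Reports every external message; rejecting is a separate, optional switch."""

    def __init__(self, clearinghouse, reject_enabled=False):
        self.clearinghouse = clearinghouse
        self.reject_enabled = reject_enabled
        self.would_reject = []  # monitoring log to review before enabling rejection

    def receive(self, recipient: str, body: str) -> str:
        count = self.clearinghouse.report(body_checksum(body))  # always report
        if count < BULK_THRESHOLD:
            return "delivered"
        self.would_reject.append((recipient, count))
        return "rejected" if self.reject_enabled else "delivered"


def simulate(reject_enabled: bool):
    """Send one constructed bulk body to five recipients, plus one unique message."""
    client = MailClient(Clearinghouse(), reject_enabled)
    bulk = "Buy   now!\nLimited offer."  # constructed sample
    results = [client.receive(f"user{i}@example.org", bulk) for i in range(5)]
    results.append(client.receive("user0@example.org", "Lunch on Friday?"))
    return results, client.would_reject
```

With rejection off, all six messages are delivered and `would_reject` still records the third to fifth bulk copies, which is the log to review during the monitoring period.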


