1.1.6 crashes on OpenBSD 2.8, combining -t's, viruses?

Vernon Schryver vjs@calcite.rhyolite.com
Wed Jul 17 23:12:45 UTC 2002


> From: Rafal Maszkowski <rzm@icm.edu.pl>

> ...
> > If you watch for Message-IDs, then you might also want to watch for
> > Received lines.  However, while both seemed like a good idea, neither
> > by itself catches much spam, with the exception of missing or null
> > Message-IDs.  Except for missing Message-IDs, essentially all spam
> > that they might catch is noticed by the various body checksums.
>
> This way?
> /var/dcc/libexec/dccm -d -d -b -t CMN,25,50 -t Message-ID,25,50 -t Received,25,50 -l 'D?log' -r '4.7.1 451 Access denied by DCC'
> Why is the combination much stronger than just Received? In what way are these two
> fields (or all fields specified after -t?) combined?

I meant to say that Received and Message-ID header counts are weak
instead of strong.  Contrary to what I hoped 2 years ago, watching
for Message-IDs and Received headers does not catch much spam, except
for the special case of no Message-ID header.  I use the
"many message-id <>" line from the example homedir/whitecommon file
to blacklist mail without Message-IDs.  Beware of the warning about
that entry in the homedir/whitecommon file.

As the `man dccm` page tries to say, "CMN" is merely a shorthand for
IP, env_From, From, Message-ID, Received, Body, Fuz1, and Fuz2.
"ALL" is a shorthand for all of the checksums.

Checksum counts are combined simplistically.  If any checksum mentioned
by `dccm -g` (default IP, env_From, and From) is whitelisted by the
server or if any checksum at all is locally whitelisted, then the
message is whitelisted.  Otherwise, if any checksum exceeds its -t
threshold, the message is rejected or discarded.

>
> Encouraged by answers I dare to invent another question. Can DCC help in
> catching virused mail? During the last 12 days it happened only once that I caught
> a virus with Message-ID=many. Other checksums were unique.

That is an interesting idea.  I have no idea if the current crop of
viruses use constant Message-IDs.  If they do, then running your DCC
server with `dccd -K message-id` would be effective.

> Typically the virused e-mail contains some random file with virus at the end.
> Could we invent some other kind of checksum to detect this or it is better to
> use other means against viruses?

The trouble with using the DCC to detect viruses is that viruses tend
to not have constant DCC body checksums.  In some ways, you can view
what the DCC does as watching for checksums typical of spam, while
virus scanners watch for checksums typical of viruses.  The ideas are
similar, but the checksums that ignore the right bits differ.


Vernon Schryver    vjs@rhyolite.com
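The combination rule described in the reply above (whitelisting wins; otherwise any single checksum over its -t threshold decides the verdict), written out as a small model. This is an added example, not DCC's own code: it expands the "CMN" shorthand exactly as the reply lists it, and it assumes the dccm `-t type,log-threshold,reject-threshold` layout, that thresholds are compared at-or-above, and that a local "many" entry (like the `many message-id <>` whitecommon line mentioned above) behaves like a reported count of "many". The sample counts are constructed.

```python
"""Model of how dccm turns per-checksum counts into a verdict.

Example code, not DCC's own.  Assumptions: -t values have the layout
type,log-threshold,reject-threshold; a count at or above a threshold
triggers it; a local "many" entry acts like a reported count of "many".
"""

INF = float("inf")

# "CMN" shorthand exactly as the reply lists it.  "ALL" is every checksum;
# the post names no further checksums, so it is treated as the same set here.
CMN = ["IP", "env_From", "From", "Message-ID", "Received", "Body", "Fuz1", "Fuz2"]
ALL = list(CMN)  # assumption: no additional checksum types modelled


def parse_thresholds(specs):
    """Turn a list of -t values such as 'CMN,25,50' into {checksum: (log, reject)}.

    A later -t for the same checksum overrides an earlier one, so
    '-t CMN,25,50 -t Message-ID,25,50' simply restates the Message-ID entry.
    """
    thresholds = {}
    for spec in specs:
        name, log_t, rej_t = spec.split(",")
        if name == "CMN":
            names = CMN
        elif name == "ALL":
            names = ALL
        else:
            names = [name]
        for n in names:
            thresholds[n] = (int(log_t), int(rej_t))
    return thresholds


def effective_count(count, name, local_many=()):
    """DCC reports the special count 'many'; a local 'many' entry forces it."""
    if name in local_many or count == "many":
        return INF
    return int(count)


def verdict(counts, thresholds, server_white=(), local_white=(), local_many=(),
            g_types=("IP", "env_From", "From")):
    """Return 'whitelisted', 'rejected', 'logged' or 'accepted'.

    counts:       {checksum: count reported by the DCC server} (constructed here)
    server_white: checksums the server marked whitelisted; only honoured for
                  the -g types (default IP, env_From, From)
    local_white:  checksums whitelisted locally; honoured for any checksum
    local_many:   checksums blacklisted locally with a 'many' entry
    """
    # Whitelisting takes precedence over every threshold.
    if any(t in server_white for t in g_types) or any(c in local_white for c in counts):
        return "whitelisted"
    state = "accepted"
    for name, count in counts.items():
        if name not in thresholds:
            continue
        n = effective_count(count, name, local_many)
        log_t, rej_t = thresholds[name]
        if n >= rej_t:          # any one checksum over its reject threshold decides
            return "rejected"
        if n >= log_t:
            state = "logged"    # remember, but keep looking for a rejection
    return state


if __name__ == "__main__":
    th = parse_thresholds(["CMN,25,50", "Message-ID,25,50", "Received,25,50"])
    print(verdict({"Body": 60, "IP": 1}, th))                       # rejected
    print(verdict({"Body": 60}, th, server_white=("From",)))        # whitelisted
    print(verdict({"Body": 60}, th, server_white=("Body",)))        # rejected: Body is not a -g type
    print(verdict({"Message-ID": 1}, th, local_many=("Message-ID",)))  # rejected
```

The third call shows the asymmetry the reply describes: a server-side whitelist entry only counts for the `-g` checksums, whereas a local whitelist entry counts for any checksum.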


