question about the checksum mechanism of dcc

Vernon Schryver
Sun Nov 17 20:11:20 UTC 2002

> From: "Tony L. Svanstrom" <>

> ...
>  My "problem" with that is that I don't think it's a good idea to autoreport
> from one spamcatching solution to another, since that will just up the number
> of false positives; so I guess my question is if there's an official policy
> regarding reporting 'many' to DCC based on software like SA.

I don't think much of "official policies" whose violations cannot be
detected and that cannot be enforced.  There is nothing that could be
done to discourage any of the 10,000's of people using the DCC from
reporting small amounts of mail with counts of "many."  Someone
reporting 50,000 or 100,000 messages per day as "many" can be detected
and dealt with, if the reporting is bogus, but small quantities are
invisible among the ~900K checksums of bulk messages seen in the last
30 days.  (See )

What false positives are you talking about?  The DCC detects "bulk mail"
instead of "spam."  Any message you receive with a checksum totaling
"many" has been seen by someone who considered definitely "bulk."
Because someone else must have seen it to report it as "many," you can
be sure it is not "private" and so in that sense is "bulk."  Where is
the false positive?  If one of your correspondents is reporting mail
sent to 2 or 3 people as "many," then perhaps you should review your
list of correspondents, but that's not fodder for official DCC policies.

It would be hopeless to try to prevent the reporting of all sorts of
legitimate mail from CERT advisories to someone's Aunt Millie's jokes
as "many."  The only sane course is to deal with the fact that a lot
of "many" mail is seen by only a few people or legitimate.  That's why
the DCC code has so much whitelisting machinery.

Vernon Schryver

More information about the DCC mailing list

Contact by mail or use the form.