One other question

Vernon Schryver
Fri Nov 29 21:15:42 UTC 2002

> From: Dave Lugo <>
> To: John R Levine <>

> > Yes, although there is still a lot of 419 and porn spam that DCC hasn't
> > seen yet an SA catches.  Dunno whether I'm not swapping checksums often
> > enough or what.
> No, you're probably swapping checksums fine.

Agreed; unlessyou're doing something that would be unusual and
currently unique, bulk checkums flow accross the network within
seconds....well, except for the DCC servers that are running old

>                                               419s (and possibly some
> porn spams) are more likely low-volume enough that they don't hit many
> spamtraps.

419s to seem to have more variation than other spam.

Spam traps are not required for the DCC to detect spam.  That's
demonstrated by the red that has covered the pink in the "Spam Ratio
at Commercial Sites" in
Much of the data in that graph is from an organization that is using
the DCC for about 1,000,000 msgs/day at a bunch of its customers.  Its
single DCC server got boggled down and so they temporarily turned off
flooding in early November.  They don't seem to use any spam traps of
their own, so the counts of their spam went from "many" to whatever they
really are.  The shape of the graphs don't seem to have changed, which
implies that about the same messages get tagged as bulk with a threshold
of >=10 as >=many.

> > I suppose I could try that, although catching with DNSBLs is a lot faster
> > even than DCC.
> Agreed.  ...

I don't understand that.  Do you have measurements? 
DNSBLs require as much or more network traffic than the DCC does.
The DCC checksumming is not free, but as far as I can tell, it is down
in the noise.

Vernon Schryver

More information about the DCC mailing list

Contact by mail or use the form.