Mods to Fuz2 seem to make it less effective

Vernon Schryver vjs@calcite.rhyolite.com
Fri Mar 7 23:18:01 UTC 2003


> From: Brandon Long <blong@fiction.net>

> There is a decided difference from the default code allowing -t many, or
> -t for any number greater than 1 (I guess maybe there is a reason for
> more than one, but it could be capped at 10 then). 

(You couldn't cap it at 10 for SMTP servers at big ISPs receiving
mail from big mailing lists.)

>                                                     One could even make
> it the servers who only allow a single request from the client to count
> the message once.

Only with machinery to detect very similar but not duplicate requests
from the client.

> Yes, someone could modify the source, or someone could just call
> dccproc multiple times... and that could have worse effects on the
> server than allowing them to just specify "many"... but will that be the
> common case?

According to my textbooks, you make security decisions based on whether
attacks are the common case.

> With "many" today, what you get is pyzor by fiat instead of by design,

That's true only if you refuse to use white lists.

> since if someone uses a former account as a spam trap to mark all
> messages with -t many, and some friend of mine mails that account and
> me, boom.  So, in effect, the count doesn't matter, it could instead
> just be "seen already" and the limit case becomes "bulk is anything
> greater than 1."
>
> And yes, the answer to that is whitelists, but in reality DCC's
> whitelist mechanism is extremely limited, and I don't want to have to
> whitelist everyone I ever correspond or expect to correspond with.

Why would you need to whitelist anyone who doesn't send bulk mail?
How many times have your friends first mailed to an old account of
yours that has been rewired as a spam trap, received the bounce, and
then sent a substantially identical copy of the message to you?  If
that unlikely combination of events has happened, has your friend not
sent a completely different message asking what's going on?

> That said, given that I understand this, I chose to use it anyways, but
> I have to use procmail to actually whitelist things, and I have to
> periodically check my spam boxes to see if there's anything new I have
> to add to my whitelist.

That last sounds necessary no matter what "many" might mean.


Vernon Schryver    vjs@rhyolite.com


