Mods to Fuz2 seem to make it less effective

Tim Wicinski
Tue Mar 11 22:57:08 UTC 2003

Vernon Schryver wrote:

> I think one must not assume that a message with DCC counts of "many"
> is more "bulky" than a message with counts of 10.  "Many" only means
> "definitely 'bulk' according to one or more reporters."   
> To put it another way, you did not get false positives from the DCC
> when you lowered the thresholds, because a message with a count of 50
> or 100 is no less "bulk" mail than a message with a count of "many."
> Instead, you got false positives from the system that determines
> "unsolicited," your whitelists.

I wanted to look at some data of our own and double check.  I processed 
a number of messages I received, plus a number fed to us by customers. 
These numbers are about from Friday.  This is running dccproc -H prior 
to marking them as bulk.

Total: 522      Many: 194       > 50: 73        < 50: 255

It seems that a good percentage of them were already flagged by 
hardworking dcc servers.  But the number of messages with counts > 50 
but less than many was lower than expected, only 73.   Changing this to 
look for counts > 20 and the number rises to 86.  That still leaves 
close to half of the spam received containing a lower checksum.

Perhaps the new version you announced will help.

> I realize that building whitelists is hard for organizations with many
> users.  Perhaps dccm and dccifd need two sets of thresholds, one for
> users without per-user whitelists and another set of much lower thresholds
> for users with individual whitelists.  What do you (plural) think?

We have not had a major issue yet with whitelisting. The major 
whitelisting is for our customers. If that works, most of our 
customers are happy.

But the idea of multiple thresholds is interesting.
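
Added example, not part of the original message or of the DCC distribution: a tally of X-DCC header lines (as printed by dccproc -H) into the "many", above-threshold, and at-or-below-threshold buckets used in the message above. It assumes the `X-DCC-<brand>-Metrics: host id; Body=N Fuz1=N Fuz2=N` header layout and classifies each message by its highest checksum count, which the message does not specify; the sample headers are constructed.

```python
import re
from collections import Counter

# Constructed sample headers (server name, id and counts are made up).
# The last one is folded across two lines, as mail headers may be.
SAMPLE_HEADERS = """\
X-DCC-example-Metrics: mx1.example.com 1000; Body=many Fuz1=many Fuz2=many
X-DCC-example-Metrics: mx1.example.com 1000; Body=3 Fuz1=3 Fuz2=74
X-DCC-example-Metrics: mx1.example.com 1000; Body=1 Fuz1=1 Fuz2=22
X-DCC-example-Metrics: mx1.example.com 1000; Body=1 Fuz1=1 Fuz2=1
X-DCC-example-Metrics: mx1.example.com 1000;
 Body=50 Fuz1=50
"""

COUNT_RE = re.compile(r"\b(\w+)=(many|\d+)\b")
MANY = float("inf")  # "many" is a reporter's flag, not a number; rank it above any count


def peak_count(header):
    """Highest count among the checksums in one header, or None if none are present."""
    _, _, metrics = header.partition(";")  # skip the server name and id
    counts = [MANY if v == "many" else int(v) for _, v in COUNT_RE.findall(metrics)]
    return max(counts) if counts else None


def bucket(header, threshold=50):
    """Classify one header; assumption: the highest checksum count decides."""
    count = peak_count(header)
    if count is None:
        return "unparsed"
    if count == MANY:
        return "many"
    return "above" if count > threshold else "at_or_below"


def tally(headers, threshold=50):
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # rejoin folded header lines
    lines = [l for l in unfolded.splitlines() if l.lower().startswith("x-dcc-")]
    return Counter(bucket(l, threshold) for l in lines)


if __name__ == "__main__":
    print(dict(tally(SAMPLE_HEADERS, threshold=50)))
    print(dict(tally(SAMPLE_HEADERS, threshold=20)))
```

Lowering the threshold moves messages between the two numeric buckets only; the "many" bucket does not change, since "many" carries no numeric count.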
