Tue Mar 11 22:57:08 UTC 2003
Vernon Schryver wrote: > > I think one must not assume that a message with DCC counts of "many" > is more "bulky" than a message with counts of 10. "Many" only means > "definitely 'bulk' according to one or more reporters." > > To put it another way, you did not get false positives from the DCC > when you lowered the thresholds, because a message with a count of 50 > or 100 is no less "bulk" mail than a message with a count of "many." > Instead, you got false positives from the system that determines > "unsolicited," your whitelists. I wanted to look at some data of our own and double check. I processed a number of messages I received, plus a number fed to us by customers. These numbers are about from Friday. This is running dccproc -H prior to marking them as bulk. Total: 522 Many: 194 > 50: 73 < 50: 255 It seems that a good percentage of them were already flagged by hardworking dcc servers. But the number of messages with counts > 50 but less than many was lower than expected, only 73. Changing this to look for counts > 20 and the number rises to 86. That still leaves close to half of the spam received containing a lower checksum. Perhaps the new version you announced will help. > > I realize that building whitelists is hard for organizations with many > users. Perhaps dccm and dccifd need two sets of thresholds, one for > users without per-user whitelists and other set of much lower thesholds > for users with individual whitelists. What do you (plural) think? We have not had a major issue yet with whitelisting. The major whitelisting is yahoo.com for our customers. If that works, most of our customers are happy. But the idea of mutliple thresholds is interesting.
More information about the DCC